Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables
* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
"id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
adapt modssl_X509_getSAN to take an optional otherName form
argument for the GEN_OTHERNAME case
* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype
* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table
Proposed by: kbrand
Reviewed by: ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk
mod_ssl namespacing
Proposed by: kbrand
Reviewed by: ylavic, jorton
mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E
mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.
mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey
mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown
mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC
mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.
mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.
mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string
mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN
mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().
mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name
mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file
mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand
mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().
mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().
mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
Proposed by: kbrand
Reviewed by: ylavic, druggeri
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1676087 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
PR54998.
Submitted By: Tim Kosse <tim.kosse filezilla-project.org>, ylavic
Committed By: ylavic
mod_ssl: SSL_smart_shutdown(): follow up to r1601184.
Use SSL_get_wbio() to comply with OPENSSL_NO_SSL_INTERN.
Stop SSL shutdown loop when flush fails.
mpm_event[opt]: Send the SSL close notify alert when the KeepAliveTimeout
expires. PR54998.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1651077 13f79535-47bb-0310-9956-ffa450edef68
Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)
Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:
ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
and keys (in theory; currently OpenSSL does not support more than
one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile
ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx
ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
make it only load a single (encrypted) private key, and rename
to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
instead of the vhost id and the algorithm name
- do no longer supply the algorithm name as an argument to "exec"-type
passphrase prompting programs
ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
and ssl_asn1_table_keyfmt
ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey
CodeWarrior compiler doesnt allow vars as struct inits.
Remove per-certificate chain handling code (obsoleted by
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)
make the ppcb_arg initialization a bit more uniform and easier to read
Followup fix for r1553824:
also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first
With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on
SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.
update APLOGNO for r1564760
Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573360 13f79535-47bb-0310-9956-ffa450edef68
Streamline ephemeral key handling:
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
Follow-up fixes for r1526168:
- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers
for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite
Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):
- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
#ifndef OPENSSL_NO_X lines accordingly
For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E
Improve ephemeral key handling (companion to r1526168):
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
PR 55616 (add missing APLOGNO), part 2
Submitted by: kbrand
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: add support for subjectAltName-based host name checking in proxy mode
(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY
Fix warning about discarding 'const' qualifier from pointer
Submitted by: kbrand, sf
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1485667 13f79535-47bb-0310-9956-ffa450edef68
According top my testing 'SSL_SESSION_id2sz' is 4x faster with the use 'ap_bin2hex' instead of
apr_snprintf(..., "%02X" for each character.
Output is the same.
I have left the uppercase conversion, because I'm unsure if it is usefull or not.
SSL_SESSION_id2sz is only used for logging, having it in lowercase shouldn't be an issue.
Submitted by: jailletc36
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1455223 13f79535-47bb-0310-9956-ffa450edef68
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222920 13f79535-47bb-0310-9956-ffa450edef68
extension into account when checking the cert against the configured
ServerName. PR 32652, PR 47051.
Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array
of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1176752 13f79535-47bb-0310-9956-ffa450edef68
Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name
to an RFC 2253 formatted string.
Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1172797 13f79535-47bb-0310-9956-ffa450edef68
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1165056 13f79535-47bb-0310-9956-ffa450edef68
after support for non-OpenSSL toolkits has been dropped.
Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1054323 13f79535-47bb-0310-9956-ffa450edef68
- suggest braces around empty body in an 'if' statement
- comparison of unsigned expression >= 0 is always true
- comparison of unsigned expression < 0 is always false
Please review carefully.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@954641 13f79535-47bb-0310-9956-ffa450edef68
and the functions that manipulate it. Make httpd trunk compile against OpenSSL HEAD
as well as OpenSSL 0.9.8j. Also, get rid of some warnings.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@748396 13f79535-47bb-0310-9956-ffa450edef68
returned by X509_LOOKUP_add_dir or X509_LOOKUP_load_file to detect
malformed or misconfigured CRLs. Clear error stack beforehand to
ensure reported errors are relevant.
PR: 36438
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@265702 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
type overrides;
MODSSL_CLIENT_CERT_CB_ARG_TYPE
MODSSL_PCHAR_CAST (for a host of non-void/const sslc values)
modssl_read_bio_cb_fn (for several callbacks with same prototypes)
Declare callback functions appropriately.
And protect us from indetermineant toolkits with
#error "Unrecognized SSL Toolkit!"
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99183 13f79535-47bb-0310-9956-ffa450edef68