Commit Graph

316 Commits

Author SHA1 Message Date
a68a39d321 log tags for mod_ssl changes and new mod_md
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1804531 13f79535-47bb-0310-9956-ffa450edef68
2017-08-09 13:59:26 +00:00
266f140fa8 mod_ssl now uses mod_md header file for optional function declaration
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/trunk-md@1804422 13f79535-47bb-0310-9956-ffa450edef68
2017-08-08 13:33:45 +00:00
e7a858c2bd branch for integrating mod_md into trunk
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/trunk-md@1804087 13f79535-47bb-0310-9956-ffa450edef68
2017-08-04 09:52:04 +00:00
31a4103652 mod_ssl, ab: compatibility with LibreSSL. PR 61184.
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
2017-07-29 23:05:02 +00:00
84d078e64c Thanks to Rüdiger, Yann and Jacob for catches and verification
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783438 13f79535-47bb-0310-9956-ffa450edef68
2017-02-17 17:39:59 +00:00
08e986a8aa Revert in part r1783317, 'avoid _free()ing NULL references.'
OpenSSL team is committed to preserving safe _free(NULL) behaviors, and the
overhead of these calls in the context setup path is inconsequential.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783434 13f79535-47bb-0310-9956-ffa450edef68
2017-02-17 17:32:26 +00:00
5004e381b2 Fix #cpp bug in prior commit, follow up to r1783317.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783318 13f79535-47bb-0310-9956-ffa450edef68
2017-02-16 22:30:50 +00:00
915c1b7087 Avoid unnecessary code (the deprecation macro wrapper itself emits unused args
warnings) in OpenSSL 1.1.0 and avoid _free()ing NULL references.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783317 13f79535-47bb-0310-9956-ffa450edef68
2017-02-16 22:27:24 +00:00
f6146b725c Add Configuration for trusted OCSP responder certificates
Fix for PR 46037

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781575 13f79535-47bb-0310-9956-ffa450edef68
2017-02-03 16:19:17 +00:00
5054dfbb96 mod_ssl: follow up to r1740928: fix memory leaks from merged proxy_ctx.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781313 13f79535-47bb-0310-9956-ffa450edef68
2017-02-01 21:25:26 +00:00
c98a1699b0 mod_ssl: follow up to r1781187.
Address SSL_CTX leak in (merged) proxy_ctx.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781312 13f79535-47bb-0310-9956-ffa450edef68
2017-02-01 21:23:17 +00:00
7e95870837 mod_ssl: revert r1781299 r1781188.
Need to separate follow up related to r1740928 and co from the one related to
r1781187.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781311 13f79535-47bb-0310-9956-ffa450edef68
2017-02-01 21:17:20 +00:00
f82a8bdc2b mod_ssl: follow up to r1781187.
The ssl_util_thread_*() functions are not necessary with openssl-1.1+

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781190 13f79535-47bb-0310-9956-ffa450edef68
2017-02-01 00:32:59 +00:00
ad6088c88d mod_ssl: follow up to r1740928: fix memory leaks.
[Reverted by r1781311]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781188 13f79535-47bb-0310-9956-ffa450edef68
2017-01-31 23:39:58 +00:00
d79b514c4b Fix spelling in comments and text files.
No functional change.
PR 59990

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756038 13f79535-47bb-0310-9956-ffa450edef68
2016-08-11 19:50:02 +00:00
039212b23e mod_ssl: follow up to r1734561.
Don't enable CRL checks/flags by default.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1748368 13f79535-47bb-0310-9956-ffa450edef68
2016-06-14 09:35:13 +00:00
f9ad2754f7 mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1740928 13f79535-47bb-0310-9956-ffa450edef68
2016-04-26 00:04:57 +00:00
6ba30d2c2b Support for OpenSSL 1.1.0:
- symbols get_rfc..._prime_... have been
  renamed to BN_get_rfc..._prime_...

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1740652 13f79535-47bb-0310-9956-ffa450edef68
2016-04-23 12:36:43 +00:00
57230dc7f0 fix compiler warning about missing prototype
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1738461 13f79535-47bb-0310-9956-ffa450edef68
2016-04-10 20:26:12 +00:00
89db09bb58 Support for OpenSSL 1.1.0:
- DH was made opaque

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1738410 13f79535-47bb-0310-9956-ffa450edef68
2016-04-10 09:02:15 +00:00
f31ec0318d Support for OpenSSL 1.1.0:
- BIO was made opaque after OpenSSL 1.1.0pre4.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737657 13f79535-47bb-0310-9956-ffa450edef68
2016-04-04 11:33:31 +00:00
973b98f879 Follow up to r1735882: fill in APLOGNO().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735941 13f79535-47bb-0310-9956-ffa450edef68
2016-03-21 10:21:52 +00:00
8bcf9ed952 Support for OpenSSL 1.1.0:
- Followup to r1735875:
    ssl_util_thread_setup() is gone.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735925 13f79535-47bb-0310-9956-ffa450edef68
2016-03-21 08:47:15 +00:00
10ef9761a0 Support for OpenSSL 1.1.0:
- use new API SSL_CTX_set_max_proto_version()
  and SSL_CTX_set_min_proto_version() instead
  of SSL_CTX_set_options()
- use new methods TLS_client_method() and
  TLS_server_method()

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735882 13f79535-47bb-0310-9956-ffa450edef68
2016-03-20 14:20:52 +00:00
5bc7c3ca2d mod_ssl: follow up to r1734561.
Simplify CRL check mode and flags handling/merging by using a single mask (int).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735337 13f79535-47bb-0310-9956-ffa450edef68
2016-03-16 22:54:27 +00:00
bafafe600b mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive
to opt in to previous behaviour (2.2) with CRL verification when checking
certificate(s) with no corresponding CRL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1734561 13f79535-47bb-0310-9956-ffa450edef68
2016-03-11 13:51:17 +00:00
d7639a5ad0 Support OpenSSL 1.1.0.
- use common code for OpenSSL pre-1.1.0 and
  1.1.0 where possible.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730422 13f79535-47bb-0310-9956-ffa450edef68
2016-02-14 22:40:07 +00:00
9b4551dea9 Add remark about backport obstacle.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730351 13f79535-47bb-0310-9956-ffa450edef68
2016-02-14 16:36:04 +00:00
f80ac38222 Support for OpenSSL 1.1.0:
- don't check for SSLeay_version() in configure
  The function no longer exists in 1.1.0.
  It was replaced by OpenSSL_version().
- Switch between SSLeay_version(U) and
  OpenSSL_version() depending on version
  in modules/ssl/ssl_util_ssl.h.
- Use MODSSL_LIBRARY_DYNTEXT everywhere.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1728981 13f79535-47bb-0310-9956-ffa450edef68
2016-02-07 16:12:34 +00:00
8bc4871c57 Support for OpenSSL 1.1.0:
- mod_ssl
Look out for "XXX: OpenSSL 1.1.0:" for a few
open problems.

Not tested with test suite yet.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1728909 13f79535-47bb-0310-9956-ffa450edef68
2016-02-07 01:20:37 +00:00
44ce30494e Added many log numbers to log statements that
had none.

Handled all files in modules/.

I used the coccinelle script provided by Stefan.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1725392 13f79535-47bb-0310-9956-ffa450edef68
2016-01-19 00:03:18 +00:00
43b7db9c8c mod_ssl: follow up to r1720129.
Free ecparams read from certificate file(s) on startup.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1723295 13f79535-47bb-0310-9956-ffa450edef68
2016-01-06 12:11:36 +00:00
51da86c0be * mod_ssl: Free dhparams when getting DH params. This fixes an issue when
  SSLCryptoDevice does not get unregistered because of non-zero refcount
  during the mod_ssl unload happening on httpd startup.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1720129 13f79535-47bb-0310-9956-ffa450edef68
2015-12-15 11:50:48 +00:00
908587e75f deduplicate the code handling the directory traversal for the
SSL[Proxy]CACertificatePath and SSLProxyMachineCertificatePath
directives

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1705539 13f79535-47bb-0310-9956-ffa450edef68
2015-09-27 14:08:16 +00:00
4c9b3c3b35 Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1703952 13f79535-47bb-0310-9956-ffa450edef68
2015-09-19 08:40:56 +00:00
0a30649059 Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1702643 13f79535-47bb-0310-9956-ffa450edef68
2015-09-12 15:33:28 +00:00
ce587ed02f mod_ssl: allow enabling of SSLProtocols even though they are disabled by OpenSSL
by default. Show warning in that case.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1692258 13f79535-47bb-0310-9956-ffa450edef68
2015-07-22 12:08:01 +00:00
69081b3739 mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1679470 13f79535-47bb-0310-9956-ffa450edef68
2015-05-14 22:38:20 +00:00
a5c1e92732 mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677834 13f79535-47bb-0310-9956-ffa450edef68
2015-05-05 14:29:11 +00:00
aa6037fa61 mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677832 13f79535-47bb-0310-9956-ffa450edef68
2015-05-05 14:20:19 +00:00
2548969450 mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677830 13f79535-47bb-0310-9956-ffa450edef68
2015-05-05 14:09:35 +00:00
8fd38131f9 mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677159 13f79535-47bb-0310-9956-ffa450edef68
2015-05-01 14:49:45 +00:00
a5d078e9b8 mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677156 13f79535-47bb-0310-9956-ffa450edef68
2015-05-01 14:42:42 +00:00
1e4c1e7fd2 mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677153 13f79535-47bb-0310-9956-ffa450edef68
2015-05-01 14:34:38 +00:00
35296edace mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677146 13f79535-47bb-0310-9956-ffa450edef68
2015-05-01 14:15:22 +00:00
c3f41f5e13 mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677143 13f79535-47bb-0310-9956-ffa450edef68
2015-05-01 14:03:04 +00:00
8063d62287 Formatting and wording improvements for ALPN (no code changes)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676709 13f79535-47bb-0310-9956-ffa450edef68
2015-04-29 10:27:32 +00:00
6dd2a90084 Remove NPN support and focus on ALPN (RFC 7301)
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
  modssl_register_npn optional function and related declarations.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
  no longer set NPN advertisement callback.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
  NPN handling.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
  remove callback.

* modules/ssl/ssl_private.h: remove NPN prototypes, set
  HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.

Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.

Previous commits related to NPN and ALPN, for reference purposes:

r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
           to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness

(plus some minor tweaks: r1670578, r1670440, r1670578,
 r1670738, r1675459, and r1675549)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676004 13f79535-47bb-0310-9956-ffa450edef68
2015-04-25 09:46:09 +00:00
4c43036c9e mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1674538 13f79535-47bb-0310-9956-ffa450edef68
2015-04-18 16:43:34 +00:00
de91f95a16 libressl fix for removed ENGINE_CTRL_CHIL_SET_FORKCHECK
Submitted By: Stuart Henderson <sthen openbsd.org>
Committed By: covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1673455 13f79535-47bb-0310-9956-ffa450edef68
2015-04-14 15:56:30 +00:00