stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
interface.
(ssl_io_filter_input): For GETLINE mode, pull lines directly from
the char_buffer if possible, to avoid unnecessarily copying the
entire buffer once per invocation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@683283 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_io.c: Define new error codes in the APR status
code range, MODSSL_ERROR_BAD_GATEWAY and MODSSL_ERROR_HTTP_ON_HTTPS;
use these HTTP_* constants directly as apr_status_t values.
(ssl_io_filter_error): Use new constants.
(ssl_io_filter_handshake): Return purely an APR status value rather
than a mixture of HTTP_* constants, OpenSSL error codes, and APR
status values.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645549 13f79535-47bb-0310-9956-ffa450edef68
ssl_io_filter_init): Don't clear f->r here after adding connection
filters since ap_add_*_filter now guarantee to do it internally.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600477 13f79535-47bb-0310-9956-ffa450edef68
ssl_io_filter_connect since the function performs a handshake in
either client or server mode, not a "connect". No functional change.
(both callers updated)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592552 13f79535-47bb-0310-9956-ffa450edef68
in the post_read_request hook rather than in a filter, and fix the
filter insertion issue:
* modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
mostly moved from ssl_io_filter_Upgrade.
(ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
required.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
function.
(ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
pointer and pass to ap_add_*_filter to ensure the filter chain
is modified correctly; remove it from the filter afterwards.
(ssl_io_filter_register): Drop UPGRADE_FILTER registration.
* modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec
pointer, pass to ssl_io_filter_init.
(ssl_hook_pre_connection): Pass NULL request_rec pointer to above.
(ssl_hook_Insert_Filter): Remove function.
(ssl_register_hooks): Drop insert_filter hook.
* modules/ssl/ssl_private.h: Update prototypes.
PR: 41231
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592446 13f79535-47bb-0310-9956-ffa450edef68
renegotiation when an internal redirect occurs:
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Remove
protocol-level filters before inserting the buffering filter.
(ssl_io_filter_buffer): Return an EOS if invoked with an empty
brigade; do not remove the filter after exhausting the buffer.
(ssl_io_filter_buffer): Increase the type of the buffer filter to be
AP_FTYPE_PROTOCOL.
PR: 43738
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@591393 13f79535-47bb-0310-9956-ffa450edef68
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@416265 13f79535-47bb-0310-9956-ffa450edef68
but safe fix for the mod_ssl renegotiation-vs-requests-with-bodies
bug:
* modules/ssl/ssl_private.h (ssl_io_buffer_fill): Add prototype.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill,
ssl_io_filter_buffer): New functions.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): If a
renegotiation is needed, and the request has a non-zero
content-length, or a t-e header (and 100-continue was not requested),
call ssl_io_buffer_fill to set aside the request body data if
possible, then proceed with the negotiation.
PR: 12355
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@290965 13f79535-47bb-0310-9956-ffa450edef68
change to mod_proxy_http):
* modules/ssl/ssl_engine_io.c (bio_filter_in_read): Return an error if
the read would block so that the SSL_read() caller checks for
SSL_ERROR_WANT_READ, rather than 0, which is treated like EOF.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105768 13f79535-47bb-0310-9956-ffa450edef68
modules/mod_ssl.c: Switch to using ap_log_cerror() in place of
ap_log_error() everywhere that the conn_rec * is available.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105739 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
required creating a new EOC (End-Of-Connection) bucket type to notify mod_ssl
that the connection is about to be closed.
Reviewed by: Joe Orton, Justin Erenkrantz
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102793 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.
* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.
PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100720 13f79535-47bb-0310-9956-ffa450edef68
