Commit Graph

221 Commits

Author SHA1 Message Date
5d7c48237a Merge r1803392, r1803396, r1803398 from trunk:
mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP
is defined.  PR 61206.

Submitted by: Michael Schlenker <msc contact.de>


mod_ssl, ab: compatibility with LibreSSL.  PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic


Follow up to r1803396: CHANGES entry.


Reviewed by: ylavic, jim, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1807734 13f79535-47bb-0310-9956-ffa450edef68
2017-09-08 12:20:16 +00:00
a0403e8220 SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

Merge r1796343 from trunk:

mod_ssl: fix ctx passed to ssl_io_filter_error()

Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().

Submitted by: ylavic, covener
Reviewed by: covener, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
2017-05-30 12:26:05 +00:00
d841beec31 Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:
Support OpenSSL 1.1.0

Proposed by: rjung
Reviewed by: wrowe, jorton, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1787728 13f79535-47bb-0310-9956-ffa450edef68
2017-03-20 12:01:16 +00:00
87d8774489 Merge r1769332 from trunk:
ssl: clear the error queue before SSL_read/write/accept()

If other modules or libraries do not clear the OpenSSL error queue after
a failed operation, other code that relies on SSL_get_error() -- in
particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will
malfunction later on. To prevent this, explicitly clear the error queue
before calls like SSL_read/write/accept().

PR: 60223
Submitted by: Paul Spangler <paul.spangler ni.com>
Submitted by: jchampion
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770673 13f79535-47bb-0310-9956-ffa450edef68
2016-11-21 12:17:46 +00:00
4199cb4047 Merge r1756038 from trunk:
Fix spelling in comments and text files.
No functional change.
PR 59990

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757669 13f79535-47bb-0310-9956-ffa450edef68
2016-08-25 12:48:18 +00:00
aac733f9ca Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],
such that disabling either disables both, and that enabling either will
trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which
is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Changes to the proxy config directives lead us to a different 2.4 fix...
https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch

Backports: 1746647
Reviewed by: wrowe, icing, rpluem



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1747069 13f79535-47bb-0310-9956-ffa450edef68
2016-06-06 20:23:24 +00:00
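The two peer-name checks the commit above reconciles, as an added configuration example (not part of the commit or of httpd's own documentation). Hostnames and the CA file path are placeholders; the point is which SSLProxyCheckPeer* combination yields which behavior after this change, and that neither check means much unless the backend chain is verified too:

```apache
# Added example, not from the commit: proxying to a TLS backend with the
# peer-name checks as they behave after this change.
<VirtualHost *:443>
    ServerName front.example.test
    SSLEngine on
    # ... server certificate directives omitted ...

    SSLProxyEngine on

    # Default is "none": without this the backend certificate chain is not
    # validated at all, and a hostname check on an unverified certificate
    # proves nothing. Path is a placeholder.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/backend-ca.pem

    # Recommended: subjectAltName-aware check. After this change, enabling
    # SSLProxyCheckPeerCN alone also selects this behavior.
    SSLProxyCheckPeerName on

    # Legacy CN-only check: the single remaining combination that selects
    # it. Leave commented unless a backend certificate has no usable SAN.
    # SSLProxyCheckPeerName off
    # SSLProxyCheckPeerCN on

    # Disabling either directive (without the pair above) disables both.
    # SSLProxyCheckPeerName off

    ProxyPass        "/" "https://backend.example.test/"
    ProxyPassReverse "/" "https://backend.example.test/"
</VirtualHost>
```

Verify the outcome rather than trusting the directive names: point the proxy at a backend whose certificate is issued for a different hostname and confirm the front end returns 502 (Bad Gateway) and logs the mismatch, then repeat with a matching SAN.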
84fba19d80 Revert 1746645, was sitting in the wrong tree, mea culpa...
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1746646 13f79535-47bb-0310-9956-ffa450edef68
2016-06-02 22:30:56 +00:00
b47e50890b Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],
such that disabling either disables both, and that enabling either will
trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which
is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Major refactoring leads us to an alternate implementation for 2.4.21;
https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1746645 13f79535-47bb-0310-9956-ffa450edef68
2016-06-02 22:29:32 +00:00
3e4e402daa Merge r1729208, r1735668, r1735931, r1735935, r1735942 from trunk:
let proxy handler forward ALPN protocol strings for ssl proxy connections

Remove leftover comment

APLOGNO update for mod_proxy_http2

fix APLOGNO at wrong place, me stupid

h2_proxy_session: fill in missing APLOGNO()s.
Submitted by: icing, jailletc36, icing, icing, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1743576 13f79535-47bb-0310-9956-ffa450edef68
2016-05-12 21:29:29 +00:00
30deadd1bd Merge r1587607, r1588868 from trunk:
mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling.  See
mod_ssl_openssl.h.

This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.


Initialize post_handshake_rc for case where a failure has
already occurred (doesn't change execution but avoids warning
with some levels of gcc).

Pointed out by: kbrand

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735886 13f79535-47bb-0310-9956-ffa450edef68
2016-03-20 15:51:49 +00:00
bcf87d4342 Follow up to r1727393: add missing (voted) change from trunk's r1723284.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1732990 13f79535-47bb-0310-9956-ffa450edef68
2016-03-01 02:07:36 +00:00
2492be95e7 Merge r1725485 from trunk:
Added many log numbers to log statements that
had none.

Those were not detected by the coccinelle script.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1731085 13f79535-47bb-0310-9956-ffa450edef68
2016-02-18 15:07:06 +00:00
9f9326bb92 Merge r1725940 from trunk:
handling TIMEUP on SSL inputs by allowing later retries
Submitted by: icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729874 13f79535-47bb-0310-9956-ffa450edef68
2016-02-11 19:03:54 +00:00
1cd72cdb56 Merge r1726888 from trunk:
Fix some duplicate definitions
Submitted by: mrumph
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1728543 13f79535-47bb-0310-9956-ffa450edef68
2016-02-04 19:26:41 +00:00
8c9f654c4d backport of r1723122,1723143
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1727393 13f79535-47bb-0310-9956-ffa450edef68
2016-01-28 16:13:54 +00:00
93310ba419 Merge r1719967 from trunk:
mod_ssl: fix build with openssl < 0.9.8m (missing semicolon).
Reported by: Petr Gajdos <pgajdos suse.cz>
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1722179 13f79535-47bb-0310-9956-ffa450edef68
2015-12-29 16:25:04 +00:00
7228bf6236 merged r1715023 as proposed by ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715202 13f79535-47bb-0310-9956-ffa450edef68
2015-11-19 16:06:32 +00:00
ca04f6867d update merge of changes in 2.4.x
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715192 13f79535-47bb-0310-9956-ffa450edef68
2015-11-19 14:58:52 +00:00
f7debe933d Merge r1705194, r1705823, r1705826, r1705828, r1705833, r1706275, r1707230, r1707231 from trunk:
mod_ssl: forward EOR (only) brigades to the core_output_filter().

mod_ssl: don't FLUSH output (blocking) on read.
This defeats deferred write (and pipelining), eg. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).


mod_ssl: follow up to r1705823.
Oops, every #if needs a #endif...

mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),
the core output filter needs them.

Proposed by: jorton


mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.
Add CHANGES entry, and restore ap_process_request_after_handler()'s comment
as prior to r1705194 (the change makes no sense now).


mod_ssl: follow up to r1705823.
We still need to flush in the middle of a SSL/TLS handshake.


mod_ssl: follow up to r1705823.
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).


mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1715014 13f79535-47bb-0310-9956-ffa450edef68
2015-11-18 16:14:36 +00:00
8fbd8b191a merge of 1708107,1709587,1709602,1709995,1710231,1710419,1710572,1710583 from trunk, addition of master conn_rec*, minor bump of mmn
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1712567 13f79535-47bb-0310-9956-ffa450edef68
2015-11-04 15:15:16 +00:00
ecf6758840 merge r1703952 from trunk
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:50:30 +00:00
b0dc766b75 merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:31:43 +00:00
c8dc4e3b7e Follow up to r1705672.
Backport changes that somehow missed the backport process.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705784 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 22:00:12 +00:00
7475aa0909 Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:
adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
  Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener


http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>
Reviewed by: ylavic


c89


Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows


final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705672 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 12:31:37 +00:00
8d7a27d1ef Backport r1690137.
Doc and comment fix only

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1690350 13f79535-47bb-0310-9956-ffa450edef68
2015-07-11 05:33:45 +00:00
f88e3ce367 core, modules: Avoid error response/document handling by the core if some
handler or input filter already did it while reading the request (causing
a double response body).

Submitted by: ylavic
Backports: r1482522 (partial, ap_map_http_request_error() things only!),
           r1529988, r1529991, r1643537, r1643543, r1657897, r1665625, 
           r1665721, r1674056
Reviewed by: ylavic, minfrin, wrowe




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682544 13f79535-47bb-0310-9956-ffa450edef68
2015-05-29 20:07:15 +00:00
94da5dff7c Merge r1601919, r1650061 from trunk:
mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads.


mod_ssl: follow up to r1601919.
Likewise when set from SNI callback.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1651078 13f79535-47bb-0310-9956-ffa450edef68
2015-01-12 13:32:18 +00:00
c3b551a0f8 Merge r1533765, r1621419, r1638159, r1638188, r1601603, r1638412, r1418763 from trunk
ssl: Axe needless string duplication in setup for call to apr_proc_create()
    Fix sscanf format spotted by cppcheck
    fix indent.
    fix style
    Private function doesn't need ap_ prefix.
    tab vs space
    rename variables: s should be the server_rec

Submitted by: trawick, jailletc36, jailletc36, jailletc36, takashi, jailletc36, sf
Reviewed by: jailletc36, ylavic, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642403 13f79535-47bb-0310-9956-ffa450edef68
2014-11-29 09:22:43 +00:00
6e08e7ce65 Merge r1633031, r1633522, r1633529, r1633530 from trunk
Style fix

Submitted by: jailletc36
Reviewed by: jailletc36, jim, ylavic
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1635970 13f79535-47bb-0310-9956-ffa450edef68
2014-11-01 15:21:33 +00:00
507e66cc67 Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E


Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E


Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the
  SSLCertificateFile directive, and adapt its documentation
  accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,
  use them based on the length of the certificate's RSA/DSA key,
  and add a FAQ entry for clients which limit DH support
  to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
  ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.


PR 55616 (add missing APLOGNO), part 2
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
2013-11-15 17:06:18 +00:00
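The "!aNULL:!eNULL:!EXP:" guard from the commit above, shown in an added example that is not mod_ssl's code. Python's ssl module passes the string to OpenSSL's SSL_CTX_set_cipher_list() just as mod_ssl does, so it can show what an administrator's SSLCipherSuite value selects with and without the prefix. Treating names that start with ADH-/AECDH-/EXP- or contain NULL as the weak set is this example's heuristic based on OpenSSL's naming convention, not something the commit states:

```python
# Added example (not mod_ssl's code): the "!aNULL:!eNULL:!EXP:" guard that
# mod_ssl prepends to every SSLCipherSuite / SSLProxyCipherSuite value,
# demonstrated with Python's ssl module (same OpenSSL cipher-list syntax).
import ssl
from typing import Dict, List, Optional

# Prefix mod_ssl prepends unconditionally (see the commit message above).
MODSSL_CIPHER_GUARD = "!aNULL:!eNULL:!EXP:"

# Heuristic: OpenSSL cipher-name markers for what the guard removes.
# ADH-/AECDH- = anonymous (no server authentication), NULL = no encryption,
# EXP- = export grade.
WEAK_NAME_MARKERS = ("ADH-", "AECDH-", "NULL", "EXP-")


def harden_cipher_string(admin_value: str) -> str:
    """Return the cipher string OpenSSL actually sees after mod_ssl's guard."""
    return MODSSL_CIPHER_GUARD + admin_value


def configured_ciphers(cipher_string: str) -> List[str]:
    """Ask OpenSSL (via ssl.SSLContext) which cipher names the string selects.

    Raises ssl.SSLError when the string selects nothing usable, which is what
    happens to an admin value made up of weak ciphers only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names: List[str]) -> List[str]:
    """Names an auditor would flag: anonymous, null-encryption or export ciphers."""
    return [n for n in names if any(m in n for m in WEAK_NAME_MARKERS)]


def audit(admin_value: str) -> Dict[str, Optional[object]]:
    """Compare what an admin value selects before and after mod_ssl's guard."""
    result: Dict[str, Optional[object]] = {"admin_value": admin_value}
    try:
        result["raw_weak"] = weak_ciphers(configured_ciphers(admin_value))
    except ssl.SSLError:
        result["raw_weak"] = None  # selected nothing even before the guard
    try:
        names = configured_ciphers(harden_cipher_string(admin_value))
        result["hardened_count"] = len(names)
        result["hardened_weak"] = weak_ciphers(names)
    except ssl.SSLError:
        # Nothing survived the guard: the admin value was weak ciphers only,
        # and the server refuses to start rather than offer them.
        result["hardened_count"] = 0
        result["hardened_weak"] = []
    return result


if __name__ == "__main__":
    # "ALL" is the classic over-permissive value; "aNULL" is a value that
    # consists of nothing but anonymous ciphers.
    for value in ("ALL", "HIGH:MEDIUM", "aNULL"):
        print(audit(value))
```

The useful property to check in your own deployment is the last one: with the guard in place, `hardened_weak` is empty for any admin value, and a value that was weak ciphers only is rejected outright instead of silently serving anonymous or null cipher suites.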
3ee5174b2a Merge r1470679, r1477094 from trunk:
core, mod_ssl: Lift the restriction that prevents mod_ssl taking
full advantage of the event MPM. Enable the ability for a module
to reverse the sense of a poll event from a read to a write or vice
versa.


Update the docs to note that SSL now works with the event MPM as per r1470679.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1515476 13f79535-47bb-0310-9956-ffa450edef68
2013-08-19 15:42:12 +00:00
bab5655b88 Merge r1425874, r1426850 from trunk:
mod_ssl: add support for subjectAltName-based host name checking in proxy mode
(PR 54030)

factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()

introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN

ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY


Fix warning about discarding 'const' qualifier from pointer

Submitted by: kbrand, sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1485667 13f79535-47bb-0310-9956-ffa450edef68
2013-05-23 12:52:04 +00:00
ca76652433 Merge r1375584 from trunk:
* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a
  wildcard common name match.

PR: 53006

Submitted by: jorton
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1388547 13f79535-47bb-0310-9956-ffa450edef68
2012-09-21 15:10:12 +00:00
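The two commits above (subjectAltName-based checking for SSLProxyCheckPeerName, and a wildcard common-name match) describe the proxy-side peer-name check without showing the matching rules. The following is an added, stand-alone illustration of that kind of check, not mod_ssl's code: dNSName SANs take precedence and the CN is consulted only when the certificate carries no dNSName SAN, a wildcard must be the entire leftmost label and matches exactly one label, and comparison is case-insensitive with a trailing dot ignored. The `PeerCert` structure is a constructed stand-in for fields read from an X.509 certificate:

```python
# Added example (not mod_ssl's code): SAN-first hostname matching with a
# constrained wildcard rule, as an illustration of the proxy peer-name check.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    """Constructed stand-in for the name fields of an X.509 certificate."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the FQDN form.
    return name.lower().rstrip(".")


def match_pattern(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, with at least two labels
    # after it ("*.com" would match every .com host), and the label counts
    # must agree so "*.example.com" cannot match "a.b.example.com" or the
    # bare "example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # No second wildcard anywhere else in the name.
    if "*" in pattern[2:]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: PeerCert, hostname: str) -> bool:
    """SAN-first: when dNSName SANs exist the CN is ignored entirely."""
    if cert.san_dns:
        return any(match_pattern(n, hostname) for n in cert.san_dns)
    return cert.subject_cn is not None and match_pattern(cert.subject_cn, hostname)


if __name__ == "__main__":
    backend = PeerCert(subject_cn="www.example.test",
                       san_dns=["api.example.test", "*.svc.example.test"])
    for host in ("api.example.test", "www.example.test", "a.svc.example.test",
                 "x.y.svc.example.test"):
        print(host, cert_matches_host(backend, host))
```

The case worth remembering from the usage block is `www.example.test`: it matches the CN, but because the certificate carries dNSName SANs the CN is not consulted and the check fails, which is the behavior a CN-only check silently gets wrong.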
c176f92e00 Merge r1328325, r1328326:
When receiving http on https, send the error response with http 1.0
It is important that we send a proper error status, or search engines
may index the error message.

Remove the link in the speaking-http-on-https error message.
With SNI, the link will usually be wrong. So better send no link at all.
    
PR: 50823
Reviewed by: sf, jorton, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1334346 13f79535-47bb-0310-9956-ffa450edef68
2012-05-05 08:44:19 +00:00
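The commit above changes how mod_ssl answers a client that speaks plaintext HTTP to a TLS port (an HTTP/1.0 error with a proper status, and no link that SNI could make wrong). As an added example that is not httpd's code, the block below shows the two halves of that situation in isolation: telling a plaintext request apart from a TLS ClientHello by the first bytes on the socket, and building such a response. The response wording and the sample inputs are constructed for this example; httpd's actual text and its detection path (an SSL_accept() failure) differ:

```python
# Added example (not httpd's code): recognize plaintext HTTP on a TLS port by
# the first bytes received, and build the HTTP/1.0 error sent back before
# closing the connection.
from typing import Optional

# Request-line prefixes that identify a plaintext HTTP request.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

# TLS record header: content type 0x16 (handshake) followed by the record
# layer version 0x03 0x00..0x04 (SSLv3 through the values TLS 1.3 puts there).
TLS_HANDSHAKE = 0x16
TLS_MAJOR = 0x03


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes on a TLS port."""
    if (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == TLS_MAJOR and data[2] <= 0x04):
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def http_on_https_response() -> bytes:
    """A 400 framed as HTTP/1.0 with Connection: close and no hyperlink.

    HTTP/1.0 framing needs no chunked encoding or keep-alive handling, a real
    4xx status keeps crawlers from indexing the body, and omitting a link
    avoids pointing at the wrong name on an SNI-multiplexed port.
    Body text is constructed for this example.
    """
    body = (b"<!DOCTYPE html>\n<html><head><title>400 Bad Request</title></head>\n"
            b"<body><h1>Bad Request</h1>\n"
            b"<p>You're speaking plain HTTP to an SSL-enabled server port. "
            b"Use the https scheme to access this URL.</p>\n"
            b"</body></html>\n")
    headers = (b"HTTP/1.0 400 Bad Request\r\n"
               b"Content-Type: text/html; charset=iso-8859-1\r\n"
               b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
               b"Connection: close\r\n"
               b"\r\n")
    return headers + body


def respond_to_first_bytes(data: bytes) -> Optional[bytes]:
    """Bytes to write back (then close) if the client spoke plaintext HTTP."""
    if classify_first_bytes(data) == "http":
        return http_on_https_response()
    return None  # TLS: hand off to the TLS stack; unknown: just close


if __name__ == "__main__":
    # Constructed samples: the start of a TLS ClientHello record and a
    # plaintext request that a browser sends when it is given http:// on :443.
    client_hello = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
    plain_request = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    for sample in (client_hello, plain_request, b"\x00\x00"):
        print(classify_first_bytes(sample), respond_to_first_bytes(sample) is not None)
```

When testing a live listener, `printf 'GET / HTTP/1.0\r\n\r\n' | nc host 443` should come back with a `HTTP/1.0 400` line and a body containing no `href`; anything that returns 200 or hangs is not applying this behavior.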
b6ae8ca44a Backport r1209766, r1210252, r1210284:
Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1210287 13f79535-47bb-0310-9956-ffa450edef68
2011-12-05 00:08:01 +00:00
1bd368ce2e merge r1203491 from trunk:
drop SSLv2 support (set SSL_OP_NO_SSLv2 for any new SSL_CTX)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1203495 13f79535-47bb-0310-9956-ffa450edef68
2011-11-18 05:29:50 +00:00
9567e5f16c enable the SNI extension for proxy connections
to TLS backends (but avoid for pure SSLv2/SSLv3)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1175416 13f79535-47bb-0310-9956-ffa450edef68
2011-09-25 15:55:13 +00:00
427c85bd23 Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1174751 13f79535-47bb-0310-9956-ffa450edef68
2011-09-23 13:39:32 +00:00
7bd59fd67a Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.

Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:34:31 +00:00
1eb818742f Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:29:09 +00:00
f66af00c19 Avoid some memory allocations by using apr_table_setn where the string
arguments are const.

Submitted by: Christophe JAILLET <christophe jaillet wanadoo fr>
PR: 51357


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1135083 13f79535-47bb-0310-9956-ffa450edef68
2011-06-13 10:58:10 +00:00
36a8e607bb * modules/ssl/ssl_engine_io.c: Revamp output buffering: add a
"coalesce" filter which buffers the plaintext, and remove buffering
  of the SSL records -- i.e. buffer before the SSL output filter,
  rather than after it.  This aims to reduce the network overhead
  imposed by the output of many small brigades (such as produced by
  chunked HTTP response), which can now be transformed into a few
  large TLS records rather than many small ones.

  (ssl_filter_ctx_t): Remove "nobuffer" field.
  (bio_filter_out_ctx_t): Remove length, buffer, blen fields.
  (bio_filter_out_pass): Split from bio_filter_out_flush.
  (bio_filter_out_write): Remove handling of buffer.
  (bio_filter_out_ctrl): Adjust to reflect lack of buffer.
  (ssl_io_filter_coalesce): Add new filter...
  (ssl_io_filter_init): ...add it to the filter chain...
  (ssl_io_filter_register): ...and register it.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1059910 13f79535-47bb-0310-9956-ffa450edef68
2011-01-17 13:14:21 +00:00
5208ff93f4 * We can only get there if the line is too long and in this case
we should return the partial line as defined in util_filter.h.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1059037 13f79535-47bb-0310-9956-ffa450edef68
2011-01-14 15:14:16 +00:00
cd749c90da * Fix comment typo as noticed by jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1058133 13f79535-47bb-0310-9956-ffa450edef68
2011-01-12 13:32:53 +00:00
98a2ee3314 * Do not drop contents of incomplete lines, but safe them for the next
round of reading.

PR: 50481


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1051468 13f79535-47bb-0310-9956-ffa450edef68
2010-12-21 11:43:42 +00:00
5daa6b7a7d * Put a note in the connection notes that the SSL handshake to the backend
failed such that mod_proxy can put the worker in error state.

PR: 50332
Submitted by: Daniel Ruggeri <DRuggeri primary.net>
Reviewed by: rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1039304 13f79535-47bb-0310-9956-ffa450edef68
2010-11-26 10:33:19 +00:00
6b803976f2 Fix a number of typos and misspellings. Reported by Ville Skytta.
PR48496.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1029134 13f79535-47bb-0310-9956-ffa450edef68
2010-10-30 17:56:13 +00:00
a527986832 remove more unused variables
remove some obsolete comments

netware file is untested


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@982050 13f79535-47bb-0310-9956-ffa450edef68
2010-08-03 22:12:19 +00:00
0d11ddb595 - Introduce ap_log_cserror to allow mod_ssl to associate log messages to
different servers than c->base_server.
- Adjust the scope of some mod_ssl trace logging from server to conn.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@954611 13f79535-47bb-0310-9956-ffa450edef68
2010-06-14 19:59:05 +00:00
ba0d30294e Replace LogLevelDebugDump with TRACE log levels
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@951904 13f79535-47bb-0310-9956-ffa450edef68
2010-06-06 17:10:23 +00:00