mirror of
https://github.com/apache/httpd.git
synced 2025-08-10 02:56:11 +00:00

r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832, r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2, and SSL_set_app_data2 from SSL_* to modssl_*. Update references in README.dsov.* files. Rename static variable SSL_app_data2_idx to just app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside ssl_util_ssl.c (no callers outside this file). The new static function name chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_ nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
SYNOPSIS

  This Apache module provides strong cryptography for the Apache 2
  webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer
  Security (TLS v1) protocols with the help of the SSL/TLS implementation
  library OpenSSL, which is based on SSLeay from Eric A. Young and
  Tim J. Hudson.

  The mod_ssl package was created in April 1998 by Ralf S. Engelschall
  and was originally derived from software developed by Ben Laurie for
  use in the Apache-SSL HTTP server project. The mod_ssl implementation
  for Apache 1.3 continues to be supported by the modssl project
  <http://www.modssl.org/>.

SOURCES

  See the top-level LAYOUT file for file descriptions.

  The source files are written in clean ANSI C and pass the
  ``gcc -O -g -ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align
  -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''
  compiler test (assuming `gcc' is GCC 2.95.2 or newer) without any
  complaints. When you make changes or additions, make sure the source
  still passes this compiler test.

FUNCTIONS

  Inside the source code you will be confronted with the following types
  of functions, which can be identified by their prefixes:

    ap_xxxx() ............... Apache API function
    ssl_xxxx() .............. mod_ssl function
    SSL_xxxx() .............. OpenSSL function (SSL library)
    OpenSSL_xxxx() .......... OpenSSL function (SSL library)
    X509_xxxx() ............. OpenSSL function (Crypto library)
    PEM_xxxx() .............. OpenSSL function (Crypto library)
    EVP_xxxx() .............. OpenSSL function (Crypto library)
    RSA_xxxx() .............. OpenSSL function (Crypto library)

DATA STRUCTURES

  Inside the source code you will be confronted with the following data
  structures:

    server_rec .............. Apache (Virtual) Server
    conn_rec ................ Apache Connection
    request_rec ............. Apache Request
    SSLModConfig ............ mod_ssl (Global) Module Configuration
    SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
    SSLDirConfig ............ mod_ssl Directory Configuration
    SSLConnConfig ........... mod_ssl Connection Configuration
    SSLFilterRec ............ mod_ssl Filter Context
    SSL_CTX ................. OpenSSL Context
    SSL_METHOD .............. OpenSSL Protocol Method
    SSL_CIPHER .............. OpenSSL Cipher
    SSL_SESSION ............. OpenSSL Session
    SSL ..................... OpenSSL Connection
    BIO ..................... OpenSSL Connection Buffer

  For an overview of how these are related and chained together, have a
  look at the page in README.dsov.{fig,ps}. It contains overview diagrams
  for those data structures. It's designed for DIN A4 paper size, but you
  can easily generate a smaller version inside XFig by specifying a
  magnification on the Export panel.

INCOMPATIBILITIES

  The following intentional incompatibilities exist between mod_ssl 2.x
  from Apache 1.3 and this mod_ssl version for Apache 2:

  o The complete EAPI-based SSL_VENDOR stuff was removed.
  o The complete EAPI-based SSL_COMPAT stuff was removed.
  o The <IfDefine> variable MOD_SSL is no longer provided automatically.

MAJOR CHANGES

  For a complete history of changes for Apache 2 mod_ssl, see the CHANGES
  file in the top-level directory. The following is a condensed summary
  of the major changes that were made between mod_ssl 2.x from Apache 1.3
  and this mod_ssl version for Apache 2:

  o The DBM based session cache is now based on APR's DBM API only.
  o The shared memory based session cache is now based on APR's APIs.
  o SSL I/O is now implemented in terms of filters rather than BUFF.
  o Eliminated ap_global_ctx. Persistent information is now stored in
    process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
    ssl_config_global_*() functions have an extra parameter now -
    "server_rec *" - which is used to retrieve the SSLModConfigRec.
  o Properly support restarts, allowing mod_ssl to be added to a server
    that is already running and to change server certs/keys on restart.
  o Various performance enhancements.
  o Proxy support is no longer an "extension"; much of the mod_ssl core
    was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
    it could be re-used in proxy mode.
    - the optional function ssl_proxy_enable is provided for mod_proxy
      to enable proxy support
    - proxy support now requires 'SSLProxyEngine on' to be configured
    - proxy now supports SSLProxyCARevocation{Path,File} in addition to
      the original SSLProxy* directives
  o Per-directory SSLCACertificate{File,Path} is now thread-safe but
    requires the SSL_set_cert_store patch to OpenSSL.
  o The ssl_engine_{ds,ext}.c source files are obsolete and no longer
    exist.

TODO

  See the top-level STATUS file for current efforts and goals.