SYNOPSIS

This Apache module provides strong cryptography for the Apache 2 webserver
via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with the help of the SSL/TLS implementation library OpenSSL,
which is based on SSLeay from Eric A. Young and Tim J. Hudson.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall
and was originally derived from software developed by Ben Laurie for
use in the Apache-SSL HTTP server project. The mod_ssl implementation
for Apache 1.3 continues to be supported by the modssl project
<http://www.modssl.org/>.

SOURCES

See the top-level LAYOUT file for file descriptions.

The source files are written in clean ANSI C and pass the ``gcc -O -g
-ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -Winline'' compiler test
(assuming `gcc' is GCC 2.95.2 or newer) without any complaints. When
you make changes or additions, make sure the source still passes this
compiler test.

FUNCTIONS

Inside the source code you will be confronted with the following types of
functions, which can be identified by their prefixes:

   ap_xxxx() ............... Apache API function
   ssl_xxxx() .............. mod_ssl function
   SSL_xxxx() .............. OpenSSL function (SSL library)
   OpenSSL_xxxx() .......... OpenSSL function (SSL library)
   X509_xxxx() ............. OpenSSL function (Crypto library)
   PEM_xxxx() .............. OpenSSL function (Crypto library)
   EVP_xxxx() .............. OpenSSL function (Crypto library)
   RSA_xxxx() .............. OpenSSL function (Crypto library)

DATA STRUCTURES

Inside the source code you will be confronted with the following
data structures:

   server_rec .............. Apache (Virtual) Server
   conn_rec ................ Apache Connection
   request_rec ............. Apache Request
   SSLModConfig ............ mod_ssl (Global) Module Configuration
   SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
   SSLDirConfig ............ mod_ssl Directory Configuration
   SSLConnConfig ........... mod_ssl Connection Configuration
   SSLFilterRec ............ mod_ssl Filter Context
   SSL_CTX ................. OpenSSL Context
   SSL_METHOD .............. OpenSSL Protocol Method
   SSL_CIPHER .............. OpenSSL Cipher
   SSL_SESSION ............. OpenSSL Session
   SSL ..................... OpenSSL Connection
   BIO ..................... OpenSSL Connection Buffer

For an overview of how these are related and chained together, have a look
at the page in README.dsov.{fig,ps}. It contains overview diagrams for those
data structures. It's designed for DIN A4 paper size, but you can easily
generate a smaller version inside XFig by specifying a magnification on the
Export panel.

INCOMPATIBILITIES

The following intentional incompatibilities exist between mod_ssl 2.x
from Apache 1.3 and this mod_ssl version for Apache 2:

   o The complete EAPI-based SSL_VENDOR stuff was removed.
   o The complete EAPI-based SSL_COMPAT stuff was removed.
   o The <IfDefine> variable MOD_SSL is no longer provided automatically.

MAJOR CHANGES

For a complete history of changes for Apache 2 mod_ssl, see the
CHANGES file in the top-level directory. The following
is a condensed summary of the major changes that were made between
mod_ssl 2.x from Apache 1.3 and this mod_ssl version for Apache 2:

   o The DBM based session cache is now based on APR's DBM API only.
   o The shared memory based session cache is now based on APR's APIs.
   o SSL I/O is now implemented in terms of filters rather than BUFF.
   o Eliminated ap_global_ctx. Persistent information is now stored in
     process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
     ssl_config_global_*() functions have an extra parameter now -
     "server_rec *" - which is used to retrieve the SSLModConfigRec.
   o Properly support restarts, allowing mod_ssl to be added to a server
     that is already running and to change server certs/keys on restart.
   o Various performance enhancements.
   o Proxy support is no longer an "extension"; much of the mod_ssl core
     was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
     it could be re-used in proxy mode.
     - the optional function ssl_proxy_enable is provided for mod_proxy
       to enable proxy support
     - proxy support now requires 'SSLProxyEngine on' to be configured
     - proxy now supports SSLProxyCARevocation{Path,File} in addition to
       the original SSLProxy* directives
   o Per-directory SSLCACertificate{File,Path} is now thread-safe but
     requires the SSL_set_cert_store patch to OpenSSL.
   o The ssl_engine_{ds,ext}.c source files are obsolete and no longer
     exist.
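
As an added illustration of the proxy-mode directives named above (this is
not part of this README or of httpd's own configuration files), the fragment
below shows an Apache 2.4-era reverse-proxy virtual host in which mod_ssl acts
as a TLS client towards a backend. The hostnames, file paths and the ProxyPass
target are assumed placeholder values.

```apache
# Added example: mod_ssl in proxy mode, verifying the backend certificate.
# Hostnames, paths and the backend URL are placeholders, not real systems.
<VirtualHost *:443>
    ServerName www.example.test

    # Server-side TLS towards browsers (paths are placeholders).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Weak variant (kept commented out): proxy TLS is switched on, but with
    # SSLProxyVerify left at its default of "none" the backend's certificate
    # is never checked, so any certificate presented by the backend is accepted.
    #SSLProxyEngine on
    #ProxyPass /app/ https://backend.internal.test/app/

    # Corrected variant: proxy mode must be enabled explicitly (it is not
    # implied by SSLEngine), and the backend certificate is validated against
    # an internal CA and that CA's revocation list.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/example/internal-ca.crt
    SSLProxyCARevocationFile  /etc/ssl/example/internal-ca.crl
    # Loading a CRL is not enough on its own; the default check mode is
    # "none", so the CRL must be explicitly consulted for the whole chain.
    SSLProxyCARevocationCheck chain
    # Reject a backend whose certificate does not match the hostname used.
    SSLProxyCheckPeerName     on

    ProxyPass        /app/ https://backend.internal.test/app/
    ProxyPassReverse /app/ https://backend.internal.test/app/
</VirtualHost>
```

A quick check after editing is to run the server binary with `-t` (configtest); a
missing CA or CRL file is reported at that stage rather than at the first
proxied request.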

TODO

See the top-level STATUS file for current efforts and goals.