|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _ _
|
|
Packit |
90a5c9 |
* _ __ ___ ___ __| | ___ ___| | mod_ssl
|
|
Packit |
90a5c9 |
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
|
|
Packit |
90a5c9 |
* | | | | | | (_) | (_| | \__ \__ \ |
|
|
Packit |
90a5c9 |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
|
|
Packit |
90a5c9 |
* |_____|
|
|
Packit |
90a5c9 |
* mod_ssl.c
|
|
Packit |
90a5c9 |
* Apache API interface structures
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "ssl_private.h"
|
|
Packit |
90a5c9 |
#include "mod_ssl.h"
|
|
Packit |
90a5c9 |
#include "mod_ssl_openssl.h"
|
|
Packit |
90a5c9 |
#include "util_md5.h"
|
|
Packit |
90a5c9 |
#include "util_mutex.h"
|
|
Packit |
90a5c9 |
#include "ap_provider.h"
|
|
Packit |
90a5c9 |
#include "http_config.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "mod_proxy.h" /* for proxy_hook_section_post_config() */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include <assert.h>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int modssl_running_statically = 0;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
|
|
Packit |
90a5c9 |
(conn_rec *c,SSL *ssl,int is_proxy),
|
|
Packit |
90a5c9 |
(c,ssl,is_proxy), OK, DECLINED);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* the table of configuration directives we provide
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define SSL_CMD_ALL(name, args, desc) \
|
|
Packit |
90a5c9 |
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
|
|
Packit |
90a5c9 |
NULL, RSRC_CONF|OR_AUTHCFG, desc),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define SSL_CMD_SRV(name, args, desc) \
|
|
Packit |
90a5c9 |
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
|
|
Packit |
90a5c9 |
NULL, RSRC_CONF, desc),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define SSL_CMD_PXY(name, args, desc) \
|
|
Packit |
90a5c9 |
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
|
|
Packit |
90a5c9 |
NULL, RSRC_CONF|PROXY_CONF, desc),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define SSL_CMD_DIR(name, type, args, desc) \
|
|
Packit |
90a5c9 |
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
|
|
Packit |
90a5c9 |
NULL, OR_##type, desc),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define AP_END_CMD { NULL }
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const command_rec ssl_config_cmds[] = {
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Global (main-server) context configuration directives
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(PassPhraseDialog, TAKE1,
|
|
Packit |
90a5c9 |
"SSL dialog mechanism for the pass phrase query "
|
|
Packit |
90a5c9 |
"('builtin', '|/path/to/pipe_program', "
|
|
Packit |
90a5c9 |
"or 'exec:/path/to/cgi_program')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(SessionCache, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Session Cache storage "
|
|
Packit |
90a5c9 |
"('none', 'nonenotnull', 'dbm:/path/to/file')")
|
|
Packit |
90a5c9 |
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CryptoDevice, TAKE1,
|
|
Packit |
90a5c9 |
"SSL external Crypto Device usage "
|
|
Packit |
90a5c9 |
"('builtin', '...')")
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(RandomSeed, TAKE23,
|
|
Packit |
90a5c9 |
"SSL Pseudo Random Number Generator (PRNG) seeding source "
|
|
Packit |
90a5c9 |
"('startup|connect builtin|file:/path|exec:/path [bytes]')")
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Per-server context configuration directives
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(Engine, TAKE1,
|
|
Packit |
90a5c9 |
"SSL switch for the protocol engine "
|
|
Packit |
90a5c9 |
"('on', 'off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(FIPS, FLAG,
|
|
Packit |
90a5c9 |
"Enable FIPS-140 mode "
|
|
Packit |
90a5c9 |
"(`on', `off')")
|
|
Packit |
90a5c9 |
SSL_CMD_ALL(CipherSuite, TAKE12,
|
|
Packit |
90a5c9 |
"Colon-delimited list of permitted SSL Ciphers, optional preceeded "
|
|
Packit |
90a5c9 |
"by protocol identifier ('XXX:...:XXX' - see manual)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CertificateFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Server Certificate file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM or DER encoded)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CertificateKeyFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Server Private Key file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM or DER encoded)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CertificateChainFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Server CA Certificate Chain file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded)")
|
|
Packit |
90a5c9 |
#ifdef HAVE_TLS_SESSION_TICKETS
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
|
|
Packit |
90a5c9 |
"TLS session ticket encryption/decryption key file (RFC 5077) "
|
|
Packit |
90a5c9 |
"('/path/to/file' - file with 48 bytes of random data)")
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
SSL_CMD_ALL(CACertificatePath, TAKE1,
|
|
Packit |
90a5c9 |
"SSL CA Certificate path "
|
|
Packit |
90a5c9 |
"('/path/to/dir' - contains PEM encoded files)")
|
|
Packit |
90a5c9 |
SSL_CMD_ALL(CACertificateFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL CA Certificate file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CADNRequestPath, TAKE1,
|
|
Packit |
90a5c9 |
"SSL CA Distinguished Name path "
|
|
Packit |
90a5c9 |
"('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CADNRequestFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL CA Distinguished Name file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CARevocationPath, TAKE1,
|
|
Packit |
90a5c9 |
"SSL CA Certificate Revocation List (CRL) path "
|
|
Packit |
90a5c9 |
"('/path/to/dir' - contains PEM encoded files)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CARevocationFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL CA Certificate Revocation List (CRL) file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
|
|
Packit |
90a5c9 |
"SSL CA Certificate Revocation List (CRL) checking mode")
|
|
Packit |
90a5c9 |
SSL_CMD_ALL(VerifyClient, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Client verify type "
|
|
Packit |
90a5c9 |
"('none', 'optional', 'require', 'optional_no_ca')")
|
|
Packit |
90a5c9 |
SSL_CMD_ALL(VerifyDepth, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Client verify depth "
|
|
Packit |
90a5c9 |
"('N' - number of intermediate certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Session Cache object lifetime "
|
|
Packit |
90a5c9 |
"('N' - number of seconds)")
|
|
Packit |
90a5c9 |
#ifdef OPENSSL_NO_SSL3
|
|
Packit |
90a5c9 |
#define SSLv3_PROTO_PREFIX ""
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
#define SSLv3_PROTO_PREFIX "SSLv3|"
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#ifdef HAVE_TLSV1_X
|
|
Packit |
90a5c9 |
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(Protocol, RAW_ARGS,
|
|
Packit |
90a5c9 |
"Enable or disable various SSL protocols "
|
|
Packit |
90a5c9 |
"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(HonorCipherOrder, FLAG,
|
|
Packit |
90a5c9 |
"Use the server's cipher ordering preference")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(Compression, FLAG,
|
|
Packit |
90a5c9 |
"Enable SSL level compression "
|
|
Packit |
90a5c9 |
"(`on', `off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(SessionTickets, FLAG,
|
|
Packit |
90a5c9 |
"Enable or disable TLS session tickets"
|
|
Packit |
90a5c9 |
"(`on', `off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
|
|
Packit |
90a5c9 |
"Enable support for insecure renegotiation")
|
|
Packit |
90a5c9 |
SSL_CMD_ALL(UserName, TAKE1,
|
|
Packit |
90a5c9 |
"Set user name to SSL variable value")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
|
|
Packit |
90a5c9 |
"Strict SNI virtual host checking")
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#ifdef HAVE_SRP
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(SRPVerifierFile, TAKE1,
|
|
Packit |
90a5c9 |
"SRP verifier file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - created by srptool)")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
|
|
Packit |
90a5c9 |
"SRP seed for unknown users (to avoid leaking a user's existence) "
|
|
Packit |
90a5c9 |
"('some secret text')")
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Proxy configuration for remote SSL connections
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyEngine, FLAG,
|
|
Packit |
90a5c9 |
"SSL switch for the proxy protocol engine "
|
|
Packit |
90a5c9 |
"('on', 'off')")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
|
|
Packit |
90a5c9 |
"SSL Proxy: enable or disable SSL protocol flavors "
|
|
Packit |
90a5c9 |
"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
|
|
Packit |
90a5c9 |
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
|
|
Packit |
90a5c9 |
", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyVerify, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: whether to verify the remote certificate "
|
|
Packit |
90a5c9 |
"('on' or 'off')")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyVerifyDepth, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: maximum certificate verification depth "
|
|
Packit |
90a5c9 |
"('N' - number of intermediate certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCACertificateFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: file containing server certificates "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCACertificatePath, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: directory containing server certificates "
|
|
Packit |
90a5c9 |
"('/path/to/dir' - contains PEM encoded certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCARevocationPath, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: CA Certificate Revocation List (CRL) path "
|
|
Packit |
90a5c9 |
"('/path/to/dir' - contains PEM encoded files)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCARevocationFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: CA Certificate Revocation List (CRL) file "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS,
|
|
Packit |
90a5c9 |
"SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: file containing client certificates "
|
|
Packit |
90a5c9 |
"('/path/to/file' - PEM encoded certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: directory containing client certificates "
|
|
Packit |
90a5c9 |
"('/path/to/dir' - contains PEM encoded certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Proxy: file containing issuing certificates "
|
|
Packit |
90a5c9 |
"of the client certificate "
|
|
Packit |
90a5c9 |
"(`/path/to/file' - PEM encoded certificates)")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG,
|
|
Packit |
90a5c9 |
"SSL Proxy: check the peer certificate's expiration date")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCheckPeerCN, FLAG,
|
|
Packit |
90a5c9 |
"SSL Proxy: check the peer certificate's CN")
|
|
Packit |
90a5c9 |
SSL_CMD_PXY(ProxyCheckPeerName, FLAG,
|
|
Packit |
90a5c9 |
"SSL Proxy: check the peer certificate's name "
|
|
Packit |
90a5c9 |
"(must be present in subjectAltName extension or CN")
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Per-directory context configuration directives
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
|
|
Packit |
90a5c9 |
"Set one or more options to configure the SSL engine"
|
|
Packit |
90a5c9 |
"('[+-]option[=value] ...' - see manual)")
|
|
Packit |
90a5c9 |
SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
|
|
Packit |
90a5c9 |
"Require the SSL protocol for the per-directory context "
|
|
Packit |
90a5c9 |
"(no arguments)")
|
|
Packit |
90a5c9 |
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
|
|
Packit |
90a5c9 |
"Require a boolean expression to evaluate to true for granting access"
|
|
Packit |
90a5c9 |
"(arbitrary complex boolean expression - see manual)")
|
|
Packit |
90a5c9 |
SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
|
|
Packit |
90a5c9 |
"Configure the amount of memory that will be used for buffering the "
|
|
Packit |
90a5c9 |
"request body if a per-location SSL renegotiation is required due to "
|
|
Packit |
90a5c9 |
"changed access control requirements")
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
|
|
Packit |
90a5c9 |
"Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
|
|
Packit |
90a5c9 |
"URL of the default OCSP Responder")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
|
|
Packit |
90a5c9 |
"Force use of the default responder URL ('on', 'off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
|
|
Packit |
90a5c9 |
"Maximum time difference in OCSP responses")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
|
|
Packit |
90a5c9 |
"Maximum age of OCSP responses")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
|
|
Packit |
90a5c9 |
"OCSP responder query timeout")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
|
|
Packit |
90a5c9 |
"Whether OCSP queries use a nonce or not ('on', 'off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPProxyURL, TAKE1,
|
|
Packit |
90a5c9 |
"Proxy URL to use for OCSP requests")
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Define OCSP Responder Certificate Verification Directive */
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPNoVerify, FLAG,
|
|
Packit |
90a5c9 |
"Do not verify OCSP Responder certificate ('on', 'off')")
|
|
Packit |
90a5c9 |
/* Define OCSP Responder File Configuration Directive */
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
|
|
Packit |
90a5c9 |
"Trusted OCSP responder certificates"
|
|
Packit |
90a5c9 |
"(`/path/to/file' - PEM encoded certificates)")
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#ifdef HAVE_OCSP_STAPLING
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* OCSP Stapling options
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingCache, TAKE1,
|
|
Packit |
90a5c9 |
"SSL Stapling Response Cache storage "
|
|
Packit |
90a5c9 |
"(`dbm:/path/to/file')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(UseStapling, FLAG,
|
|
Packit |
90a5c9 |
"SSL switch for the OCSP Stapling protocol " "(`on', `off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
|
|
Packit |
90a5c9 |
"SSL stapling option for maximum time difference in OCSP responses")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
|
|
Packit |
90a5c9 |
"SSL stapling option for OCSP responder timeout")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
|
|
Packit |
90a5c9 |
"SSL stapling option for maximum age of OCSP responses")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
|
|
Packit |
90a5c9 |
"SSL stapling option for normal OCSP Response Cache Lifetime")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
|
|
Packit |
90a5c9 |
"SSL stapling switch to return Status Errors Back to Client"
|
|
Packit |
90a5c9 |
"(`on', `off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
|
|
Packit |
90a5c9 |
"SSL stapling switch to send tryLater response to client on error "
|
|
Packit |
90a5c9 |
"(`on', `off')")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
|
|
Packit |
90a5c9 |
"SSL stapling option for OCSP Response Error Cache Lifetime")
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(StaplingForceURL, TAKE1,
|
|
Packit |
90a5c9 |
"SSL stapling option to Force the OCSP Stapling URL")
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#ifdef HAVE_SSL_CONF_CMD
|
|
Packit |
90a5c9 |
SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
|
|
Packit |
90a5c9 |
"OpenSSL configuration command")
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Deprecated directives. */
|
|
Packit |
90a5c9 |
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
|
|
Packit |
90a5c9 |
"SSLLog directive is no longer supported - use ErrorLog."),
|
|
Packit |
90a5c9 |
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
|
|
Packit |
90a5c9 |
"SSLLogLevel directive is no longer supported - use LogLevel."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_END_CMD
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* the various processing hooks
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static int modssl_is_prelinked(void)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_size_t i = 0;
|
|
Packit |
90a5c9 |
const module *mod;
|
|
Packit |
90a5c9 |
while ((mod = ap_prelinked_modules[i++])) {
|
|
Packit |
90a5c9 |
if (strcmp(mod->name, "mod_ssl.c") == 0) {
|
|
Packit |
90a5c9 |
return 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_status_t ssl_cleanup_pre_config(void *data)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Try to kill the internals of the SSL library.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
/* Corresponds to OBJ_create()s */
|
|
Packit |
90a5c9 |
OBJ_cleanup();
|
|
Packit |
90a5c9 |
/* Corresponds to OPENSSL_load_builtin_modules() */
|
|
Packit |
90a5c9 |
CONF_modules_free();
|
|
Packit |
90a5c9 |
/* Corresponds to SSL_library_init: */
|
|
Packit |
90a5c9 |
EVP_cleanup();
|
|
Packit |
90a5c9 |
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
|
|
Packit |
90a5c9 |
ENGINE_cleanup();
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
|
|
Packit |
90a5c9 |
#ifndef OPENSSL_NO_COMP
|
|
Packit |
90a5c9 |
SSL_COMP_free_compression_methods();
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Usually needed per thread, but this parent process is single-threaded */
|
|
Packit |
90a5c9 |
#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
Packit |
90a5c9 |
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
|
|
Packit |
90a5c9 |
ERR_remove_thread_state(NULL);
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
ERR_remove_state(0);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
|
|
Packit |
90a5c9 |
* actually loaded the error strings once per process due to static
|
|
Packit |
90a5c9 |
* variable abuse in OpenSSL. */
|
|
Packit |
90a5c9 |
#if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
|
|
Packit |
90a5c9 |
ERR_free_strings();
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Also don't call CRYPTO_cleanup_all_ex_data when linked statically here;
|
|
Packit |
90a5c9 |
* any registered ex_data indices may have been cached in static variables
|
|
Packit |
90a5c9 |
* in OpenSSL; removing them may cause havoc. Notably, with OpenSSL
|
|
Packit |
90a5c9 |
* versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
|
|
Packit |
90a5c9 |
* could result in a per-connection memory leak (!). */
|
|
Packit |
90a5c9 |
if (!modssl_running_statically) {
|
|
Packit |
90a5c9 |
CRYPTO_cleanup_all_ex_data();
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* TODO: determine somewhere we can safely shove out diagnostics
|
|
Packit |
90a5c9 |
* (when enabled) at this late stage in the game:
|
|
Packit |
90a5c9 |
* CRYPTO_mem_leaks_fp(stderr);
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_hook_pre_config(apr_pool_t *pconf,
|
|
Packit |
90a5c9 |
apr_pool_t *plog,
|
|
Packit |
90a5c9 |
apr_pool_t *ptemp)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
modssl_running_statically = modssl_is_prelinked();
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Some OpenSSL internals are allocated per-thread, make sure they
|
|
Packit |
90a5c9 |
* are associated to the/our same thread-id until cleaned up.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
Packit |
90a5c9 |
ssl_util_thread_id_setup(pconf);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* We must register the library in full, to ensure our configuration
|
|
Packit |
90a5c9 |
* code can successfully test the SSL environment.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
|
|
Packit |
90a5c9 |
(void)CRYPTO_malloc_init();
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
OPENSSL_malloc_init();
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
ERR_load_crypto_strings();
|
|
Packit |
90a5c9 |
SSL_load_error_strings();
|
|
Packit |
90a5c9 |
SSL_library_init();
|
|
Packit |
90a5c9 |
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
|
|
Packit |
90a5c9 |
ENGINE_load_builtin_engines();
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
OpenSSL_add_all_algorithms();
|
|
Packit |
90a5c9 |
OPENSSL_load_builtin_modules();
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
|
|
Packit |
90a5c9 |
(void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
|
|
Packit |
90a5c9 |
"SRVName otherName form");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Start w/o errors (e.g. OBJ_txt2nid() above) */
|
|
Packit |
90a5c9 |
ERR_clear_error();
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Let us cleanup the ssl library when the module is unloaded
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Register us to handle mod_log_config %c/%x variables */
|
|
Packit |
90a5c9 |
ssl_var_log_config_register(pconf);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Register to handle mod_status status page generation */
|
|
Packit |
90a5c9 |
ssl_scache_status_register(pconf);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Register mutex type names so they can be configured with Mutex */
|
|
Packit |
90a5c9 |
ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
|
|
Packit |
90a5c9 |
#ifdef HAVE_OCSP_STAPLING
|
|
Packit |
90a5c9 |
ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL,
|
|
Packit |
90a5c9 |
APR_LOCK_DEFAULT, 0);
|
|
Packit |
90a5c9 |
ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL,
|
|
Packit |
90a5c9 |
APR_LOCK_DEFAULT, 0);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
|
|
Packit |
90a5c9 |
ap_conf_vector_t *per_dir_config)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLConnRec *sslconn = myConnConfig(c);
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sslconn) {
|
|
Packit |
90a5c9 |
return sslconn;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (per_dir_config) {
|
|
Packit |
90a5c9 |
sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
|
|
Packit |
90a5c9 |
&ssl_module);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sslconn->server = c->base_server;
|
|
Packit |
90a5c9 |
sslconn->verify_depth = UNSET;
|
|
Packit |
90a5c9 |
sc = mySrvConfig(c->base_server);
|
|
Packit |
90a5c9 |
sslconn->cipher_suite = sc->server->auth.cipher_suite;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
myConnConfigSet(c, sslconn);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return sslconn;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
if (c->master) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (sslconn) {
|
|
Packit |
90a5c9 |
if (sslconn->disabled) {
|
|
Packit |
90a5c9 |
return SUSPENDED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (sslconn->is_proxy) {
|
|
Packit |
90a5c9 |
if (!sslconn->dc->proxy_enabled) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_engine_set(conn_rec *c,
|
|
Packit |
90a5c9 |
ap_conf_vector_t *per_dir_config,
|
|
Packit |
90a5c9 |
int proxy, int enable)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLConnRec *sslconn;
|
|
Packit |
90a5c9 |
int status;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (proxy) {
|
|
Packit |
90a5c9 |
sslconn = ssl_init_connection_ctx(c, per_dir_config);
|
|
Packit |
90a5c9 |
sslconn->is_proxy = 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sslconn = myConnConfig(c);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
status = ssl_engine_status(c, sslconn);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (proxy && status == DECLINED) {
|
|
Packit |
90a5c9 |
if (enable) {
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
|
|
Packit |
90a5c9 |
"SSL Proxy requested for %s but not enabled "
|
|
Packit |
90a5c9 |
"[Hint: SSLProxyEngine]", sc->vhost_id);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
sslconn->disabled = 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (sslconn) {
|
|
Packit |
90a5c9 |
sslconn->disabled = !enable;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return status != DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_proxy_enable(conn_rec *c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
return ssl_engine_set(c, NULL, 1, 1);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_engine_disable(conn_rec *c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
return ssl_engine_set(c, NULL, 0, 0);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc;
|
|
Packit |
90a5c9 |
SSL *ssl;
|
|
Packit |
90a5c9 |
SSLConnRec *sslconn;
|
|
Packit |
90a5c9 |
char *vhost_md5;
|
|
Packit |
90a5c9 |
int rc;
|
|
Packit |
90a5c9 |
modssl_ctx_t *mctx;
|
|
Packit |
90a5c9 |
server_rec *server;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Create or retrieve SSL context
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
|
|
Packit |
90a5c9 |
server = sslconn->server;
|
|
Packit |
90a5c9 |
sc = mySrvConfig(server);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Seed the Pseudo Random Number Generator (PRNG)
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
|
|
Packit |
90a5c9 |
sslconn->is_proxy ? "Proxy: " : "Server: ");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
mctx = myCtxConfig(sslconn, sc);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Create a new SSL connection with the configured server SSL context and
|
|
Packit |
90a5c9 |
* attach this to the socket. Additionally we register this attachment
|
|
Packit |
90a5c9 |
* so we can detach later.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (!(sslconn->ssl = ssl = SSL_new(mctx->ssl_ctx))) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
|
|
Packit |
90a5c9 |
"Unable to create a new SSL connection from the SSL "
|
|
Packit |
90a5c9 |
"context");
|
|
Packit |
90a5c9 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
c->aborted = 1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return DECLINED; /* XXX */
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
|
|
Packit |
90a5c9 |
if (rc != OK && rc != DECLINED) {
|
|
Packit |
90a5c9 |
return rc;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
|
|
Packit |
90a5c9 |
sc->vhost_id_len);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
|
|
Packit |
90a5c9 |
APR_MD5_DIGESTSIZE*2))
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
|
|
Packit |
90a5c9 |
"Unable to set session id context to '%s'", vhost_md5);
|
|
Packit |
90a5c9 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
c->aborted = 1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return DECLINED; /* XXX */
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
SSL_set_app_data(ssl, c);
|
|
Packit |
90a5c9 |
modssl_set_app_data2(ssl, NULL); /* will be request_rec */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
SSL_set_verify_result(ssl, X509_V_OK);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ssl_io_filter_init(c, r, ssl);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *ssl_hook_http_scheme(const request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return "https";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_port_t ssl_hook_default_port(const request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return 443;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc;
|
|
Packit |
90a5c9 |
SSLConnRec *sslconn = myConnConfig(c);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Immediately stop processing if SSL is disabled for this connection
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (ssl_engine_status(c, sslconn) != OK) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sslconn) {
|
|
Packit |
90a5c9 |
sc = mySrvConfig(sslconn->server);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sc = mySrvConfig(c->base_server);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Remember the connection information for
|
|
Packit |
90a5c9 |
* later access inside callback functions
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
|
|
Packit |
90a5c9 |
"Connection to child %ld established "
|
|
Packit |
90a5c9 |
"(server %s)", c->id, sc->vhost_id);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return ssl_init_ssl_connection(c, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int ssl_hook_process_connection(conn_rec* c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLConnRec *sslconn = myConnConfig(c);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sslconn && !sslconn->disabled) {
|
|
Packit |
90a5c9 |
/* On an active SSL connection, let the input filters initialize
|
|
Packit |
90a5c9 |
* themselves which triggers the handshake, which again triggers
|
|
Packit |
90a5c9 |
* all kinds of useful things such as SNI and ALPN.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_bucket_brigade* temp;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
temp = apr_brigade_create(c->pool, c->bucket_alloc);
|
|
Packit |
90a5c9 |
ap_get_brigade(c->input_filters, temp,
|
|
Packit |
90a5c9 |
AP_MODE_INIT, APR_BLOCK_READ, 0);
|
|
Packit |
90a5c9 |
apr_brigade_destroy(temp);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* the module registration phase
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void ssl_register_hooks(apr_pool_t *p)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
|
|
Packit |
90a5c9 |
* run after mod_setenvif's post_read_request hook. */
|
|
Packit |
90a5c9 |
static const char *pre_prr[] = { "mod_setenvif.c", NULL };
|
|
Packit |
90a5c9 |
/* The ssl_init_Module post_config hook should run before mod_proxy's
|
|
Packit |
90a5c9 |
* for the ssl proxy main configs to be merged with vhosts' before being
|
|
Packit |
90a5c9 |
* themselves merged with mod_proxy's in proxy_hook_section_post_config.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static const char *b_pc[] = { "mod_proxy.c", NULL};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ssl_io_filter_register(p);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_process_connection(ssl_hook_process_connection,
|
|
Packit |
90a5c9 |
NULL, NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_post_config (ssl_init_Module, NULL,b_pc, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
ap_hook_check_access (ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_hook_check_authz (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
APR_OPTIONAL_HOOK(proxy, section_post_config,
|
|
Packit |
90a5c9 |
ssl_proxy_section_post_config, NULL, NULL,
|
|
Packit |
90a5c9 |
APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ssl_var_register(p);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
|
|
Packit |
90a5c9 |
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
|
|
Packit |
90a5c9 |
APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&ssl_authz_provider_require_ssl,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&ssl_authz_provider_verify_client,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
module AP_MODULE_DECLARE_DATA ssl_module = {
|
|
Packit |
90a5c9 |
STANDARD20_MODULE_STUFF,
|
|
Packit |
90a5c9 |
ssl_config_perdir_create, /* create per-dir config structures */
|
|
Packit |
90a5c9 |
ssl_config_perdir_merge, /* merge per-dir config structures */
|
|
Packit |
90a5c9 |
ssl_config_server_create, /* create per-server config structures */
|
|
Packit |
90a5c9 |
ssl_config_server_merge, /* merge per-server config structures */
|
|
Packit |
90a5c9 |
ssl_config_cmds, /* table of configuration directives */
|
|
Packit |
90a5c9 |
ssl_register_hooks /* register hooks */
|
|
Packit |
90a5c9 |
#if defined(AP_MODULE_HAS_FLAGS)
|
|
Packit |
90a5c9 |
,AP_MODULE_FLAG_ALWAYS_MERGE /* flags */
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
};
|