|
Apache HTTPD
|
Modules | |
| Private | |
| Utilities | |
Classes | |
| struct | ssl_LINK_add_cert_files_t |
| struct | ssl_LINK_add_fallback_cert_files_t |
| struct | ssl_LINK_init_server_t |
| struct | ssl_LINK_pre_handshake_t |
| struct | ssl_LINK_proxy_post_handshake_t |
| struct | ssl_LINK_answer_challenge_t |
| struct | ssl_LINK_init_stapling_status_t |
| struct | ssl_LINK_get_stapling_status_t |
Macros | |
| #define | SSL_DECLARE(type) type |
| #define | SSL_DECLARE_NONSTD(type) type |
| #define | SSL_DECLARE_DATA |
| #define | SSL_CERT_HOOKS |
| typedef apr_array_header_t *() apr_OFN_ssl_ext_list_t(apr_pool_t *p, conn_rec *c, int peer, const char *extension) |
The ssl_ext_list() optional function attempts to build an array of all the values contained in the named X.509 extension. The returned array will be created in the supplied pool. The client certificate is used if peer is non-zero; the server certificate is used otherwise. Extension specifies the extensions to use as a string. This can be one of the "known" long or short names, or a numeric OID, e.g. "1.2.3.4", 'nsComment' and 'DN' are all valid. A pointer to an apr_array_header_t structure is returned if at least one matching extension is found, NULL otherwise.
The ssl_proxy_enable() and ssl_engine_{set,disable}() optional functions are used by mod_proxy to enable use of SSL for outgoing connections.
| typedef char *() apr_OFN_ssl_var_lookup_t(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *) |
The ssl_var_lookup() optional function retrieves SSL environment variables.
| typedef int ssl_HOOK_add_cert_files_t(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files) |
| typedef int ssl_HOOK_add_fallback_cert_files_t(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files) |
In case no certificates are available for a server, this lets other modules add a fallback certificate for the time being. Regular requests against this server will be answered with a 503.
| cert_file | and array of const char* with the path to the certificate chain |
| key_file | and array of const char* with the path to the private key file |
| typedef int ssl_HOOK_answer_challenge_t(conn_rec *c, const char *server_name, X509 **pcert, EVP_PKEY **pkey) |
On TLS connections that do not relate to a configured virtual host, allow other modules to provide a X509 certificate and EVP_PKEY to be used on the connection. This first hook which does not return DECLINED will determine the outcome.
Definition at line 81 of file mod_ssl_openssl.h.
| typedef int ssl_HOOK_get_stapling_status_t(unsigned char **pder, int *pderlen, conn_rec *c, server_rec *s, X509 *cert) |
Anyone answering positive to ssl_init_stapling_status for a certificate, needs to register here and supply the actual OCSP stapling status data (OCSP_RESP) for a new connection. A hook supplying the response data must return APR_SUCCESS. The data is returned in DER encoded bytes via pder and pderlen. The returned pointer may be NULL, which indicates that data is (currently) unavailable. If DER data is returned, it MUST come from a response with status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means errors in OCSP retrieval are to be handled/logged by the hook and are not done by mod_ssl. Any DER bytes returned MUST be allocated via malloc() and ownership passes to mod_ssl. Meaning, the hook must return a malloced copy of the data it has. mod_ssl (or OpenSSL) will free it.
Definition at line 113 of file mod_ssl_openssl.h.
| typedef int ssl_HOOK_init_server_t(server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx) |
init_server hook – allow SSL_CTX-specific initialization to be performed by a module for each SSL-enabled server (one at a time)
| s | SSL-enabled [virtual] server |
| p | pconf pool |
| is_proxy | 1 if this server supports backend connections over SSL/TLS, 0 if it supports client connections over SSL/TLS |
| ctx | OpenSSL SSL Context for the server |
Definition at line 55 of file mod_ssl_openssl.h.
| typedef int ssl_HOOK_init_stapling_status_t(server_rec *s, apr_pool_t *p, X509 *cert, X509 *issuer) |
During post_config phase, ask around if someone wants to provide OCSP stapling status information for the given cert (with the also provided issuer certificate). The first hook which does not return DECLINED promises to take responsibility (and respond in later calls via hook ssl_get_stapling_status). If no hook takes over, mod_ssl's own stapling implementation will be applied (if configured).
Definition at line 93 of file mod_ssl_openssl.h.
pre_handshake hook
| c | conn_rec for new connection from client or to backend server |
| ssl | OpenSSL SSL Connection for the client or backend server |
| is_proxy | 1 if this handshake is for a backend connection, 0 otherwise |
Definition at line 64 of file mod_ssl_openssl.h.
proxy_post_handshake hook – allow module to abort after successful handshake with backend server and subsequent peer checks
| c | conn_rec for connection to backend server |
| ssl | OpenSSL SSL Connection for the client or backend server |
Definition at line 73 of file mod_ssl_openssl.h.
| void ssl_hook_add_cert_files | ( | ssl_HOOK_add_cert_files_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| void ssl_hook_add_fallback_cert_files | ( | ssl_HOOK_add_fallback_cert_files_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| void ssl_hook_answer_challenge | ( | ssl_HOOK_answer_challenge_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| apr_array_header_t * ssl_hook_get_add_cert_files | ( | void | ) |
| apr_array_header_t * ssl_hook_get_add_fallback_cert_files | ( | void | ) |
| apr_array_header_t * ssl_hook_get_answer_challenge | ( | void | ) |
| apr_array_header_t * ssl_hook_get_get_stapling_status | ( | void | ) |
| apr_array_header_t * ssl_hook_get_init_server | ( | void | ) |
| apr_array_header_t * ssl_hook_get_init_stapling_status | ( | void | ) |
| apr_array_header_t * ssl_hook_get_pre_handshake | ( | void | ) |
| apr_array_header_t * ssl_hook_get_proxy_post_handshake | ( | void | ) |
| void ssl_hook_get_stapling_status | ( | ssl_HOOK_get_stapling_status_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| void ssl_hook_init_server | ( | ssl_HOOK_init_server_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| void ssl_hook_init_stapling_status | ( | ssl_HOOK_init_stapling_status_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| void ssl_hook_pre_handshake | ( | ssl_HOOK_pre_handshake_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| void ssl_hook_proxy_post_handshake | ( | ssl_HOOK_proxy_post_handshake_t * | pf, |
| const char *const * | aszPre, | ||
| const char *const * | aszSucc, | ||
| int | nOrder | ||
| ) |
| int ssl_run_add_cert_files | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| apr_array_header_t * | cert_files, | ||
| apr_array_header_t * | key_files | ||
| ) |
< Module has handled this stage.
< Module has handled this stage.
< Module declines to handle
< Module has handled this stage.
Definition at line 45 of file ssl_engine_init.c.
| int ssl_run_add_fallback_cert_files | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| apr_array_header_t * | cert_files, | ||
| apr_array_header_t * | key_files | ||
| ) |
< Module has handled this stage.
< Module has handled this stage.
< Module declines to handle
< Module has handled this stage.
Definition at line 51 of file ssl_engine_init.c.
| int ssl_run_answer_challenge | ( | conn_rec * | c, |
| const char * | server_name, | ||
| X509 ** | pcert, | ||
| EVP_PKEY ** | pkey | ||
| ) |
< Module declines to handle
< Module declines to handle
< Module declines to handle
< Module declines to handle
Definition at line 57 of file ssl_engine_init.c.
| int ssl_run_get_stapling_status | ( | unsigned char ** | pder, |
| int * | pderlen, | ||
| conn_rec * | c, | ||
| server_rec * | s, | ||
| X509 * | cert | ||
| ) |
< Module declines to handle
< Module declines to handle
< Module declines to handle
< Module declines to handle
Definition at line 46 of file ssl_util_stapling.c.
| int ssl_run_init_server | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| int | is_proxy, | ||
| SSL_CTX * | ctx | ||
| ) |
< Module has handled this stage.
< Module has handled this stage.
< Module declines to handle
< Module has handled this stage.
Definition at line 39 of file ssl_engine_init.c.
| int ssl_run_init_stapling_status | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| X509 * | cert, | ||
| X509 * | issuer | ||
| ) |
< Module declines to handle
< Module declines to handle
< Module declines to handle
< Module declines to handle
Definition at line 40 of file ssl_util_stapling.c.
< Module has handled this stage.
< Module has handled this stage.
< Module declines to handle
< Module has handled this stage.
Definition at line 36 of file ssl_engine_io.c.
1.9.8