Apache HTTPD
ssl_engine_config.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* _ _
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
22 * |_____|
23 * ssl_engine_config.c
24 * Apache Configuration Directives
25 */
26 /* ``Damned if you do,
27 damned if you don't.''
28 -- Unknown */
29#include "ssl_private.h"
30
31#include "util_mutex.h"
32#include "ap_provider.h"
33
34/* _________________________________________________________________
35**
36** Support for Global Configuration
37** _________________________________________________________________
38*/
39
40#define SSL_MOD_CONFIG_KEY "ssl_module"
41
42SSLModConfigRec *ssl_config_global_create(server_rec *s)
43{
44 apr_pool_t *pool = s->process->pool;
45 SSLModConfigRec *mc;
46 void *vmc;
47
48 apr_pool_userdata_get(&vmc, SSL_MOD_CONFIG_KEY, pool);
49 if (vmc) {
50 return vmc; /* reused for lifetime of the server */
51 }
52
53 /*
54 * allocate an own subpool which survives server restarts
55 */
56 mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
57 mc->pPool = pool;
58 mc->bFixed = FALSE;
59
60 /*
61 * initialize per-module configuration
62 */
63 mc->sesscache_mode = SSL_SESS_CACHE_OFF;
64 mc->sesscache = NULL;
65 mc->pMutex = NULL;
66 mc->aRandSeed = apr_array_make(pool, 4,
67 sizeof(ssl_randseed_t));
68 mc->tVHostKeys = apr_hash_make(pool);
69 mc->tPrivateKey = apr_hash_make(pool);
70#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
71 mc->szCryptoDevice = NULL;
72#endif
73#ifdef HAVE_OCSP_STAPLING
74 mc->stapling_cache = NULL;
75 mc->stapling_cache_mutex = NULL;
76 mc->stapling_refresh_mutex = NULL;
77#endif
78
79#ifdef HAVE_OPENSSL_KEYLOG
80 mc->keylog_file = NULL;
81#endif
82#ifdef HAVE_FIPS
83 mc->fips = UNSET;
84#endif
85
86 apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
87 apr_pool_cleanup_null,
88 pool);
89
90 return mc;
91}
92
93void ssl_config_global_fix(SSLModConfigRec *mc)
94{
95 mc->bFixed = TRUE;
96}
97
98BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
99{
100 return mc->bFixed;
101}
102
103/* _________________________________________________________________
104**
105** Configuration handling
106** _________________________________________________________________
107*/
108
109#ifdef HAVE_SSL_CONF_CMD
110static apr_status_t modssl_ctx_config_cleanup(void *ctx)
111{
112 SSL_CONF_CTX_free(ctx);
113 return APR_SUCCESS;
114}
115#endif
116
117static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
118{
119 mctx->sc = NULL; /* set during module init */
120
121 mctx->ssl_ctx = NULL; /* set during module init */
122
123 mctx->pks = NULL;
124 mctx->pkp = NULL;
125
126#ifdef HAVE_TLS_SESSION_TICKETS
127 mctx->ticket_key = NULL;
128#endif
129
130 mctx->protocol = SSL_PROTOCOL_DEFAULT;
131 mctx->protocol_set = 0;
132
133 mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
134 mctx->pphrase_dialog_path = NULL;
135
136 mctx->cert_chain = NULL;
137
138 mctx->crl_path = NULL;
139 mctx->crl_file = NULL;
140 mctx->crl_check_mask = UNSET;
141
142 mctx->auth.ca_cert_path = NULL;
143 mctx->auth.ca_cert_file = NULL;
144 mctx->auth.cipher_suite = NULL;
145 mctx->auth.verify_depth = UNSET;
146 mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
147 mctx->auth.tls13_ciphers = NULL;
148
149 mctx->ocsp_mask = UNSET;
150 mctx->ocsp_force_default = UNSET;
151 mctx->ocsp_responder = NULL;
152 mctx->ocsp_resptime_skew = UNSET;
153 mctx->ocsp_resp_maxage = UNSET;
154 mctx->ocsp_responder_timeout = UNSET;
155 mctx->ocsp_use_request_nonce = UNSET;
156 mctx->proxy_uri = NULL;
157
158/* Set OCSP Responder Certificate Verification variable */
159 mctx->ocsp_noverify = UNSET;
160/* Set OCSP Responder File variables */
161 mctx->ocsp_verify_flags = 0;
162 mctx->ocsp_certs_file = NULL;
163 mctx->ocsp_certs = NULL;
164
165#ifdef HAVE_OCSP_STAPLING
166 mctx->stapling_enabled = UNSET;
167 mctx->stapling_resptime_skew = UNSET;
168 mctx->stapling_resp_maxage = UNSET;
169 mctx->stapling_cache_timeout = UNSET;
170 mctx->stapling_return_errors = UNSET;
171 mctx->stapling_fake_trylater = UNSET;
172 mctx->stapling_errcache_timeout = UNSET;
173 mctx->stapling_responder_timeout = UNSET;
174 mctx->stapling_force_url = NULL;
175#endif
176
177#ifdef HAVE_SRP
178 mctx->srp_vfile = NULL;
179 mctx->srp_unknown_user_seed = NULL;
180 mctx->srp_vbase = NULL;
181#endif
182#ifdef HAVE_SSL_CONF_CMD
183 mctx->ssl_ctx_config = SSL_CONF_CTX_new();
184 apr_pool_cleanup_register(p, mctx->ssl_ctx_config,
185 modssl_ctx_config_cleanup,
186 apr_pool_cleanup_null);
187 SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE);
188 SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER);
189 SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
190 mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
191#endif
192
193 mctx->ssl_check_peer_cn = UNSET;
194 mctx->ssl_check_peer_name = UNSET;
195 mctx->ssl_check_peer_expire = UNSET;
196}
197
198static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
199 apr_pool_t *p)
200{
201 modssl_ctx_t *mctx;
202
203 mctx = sc->server = apr_palloc(p, sizeof(*sc->server));
204
205 modssl_ctx_init(mctx, p);
206
207 mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
208
209 mctx->pks->cert_files = apr_array_make(p, 3, sizeof(char *));
210 mctx->pks->key_files = apr_array_make(p, 3, sizeof(char *));
211
212#ifdef HAVE_TLS_SESSION_TICKETS
213 mctx->ticket_key = apr_pcalloc(p, sizeof(*mctx->ticket_key));
214#endif
215}
216
217static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
218{
219 SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
220
221 sc->mc = NULL;
222 sc->enabled = SSL_ENABLED_UNSET;
223 sc->vhost_id = NULL; /* set during module init */
224 sc->vhost_id_len = 0; /* set during module init */
225 sc->session_cache_timeout = UNSET;
226 sc->cipher_server_pref = UNSET;
227 sc->insecure_reneg = UNSET;
228#ifdef HAVE_TLSEXT
229 sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
230#endif
231#ifndef OPENSSL_NO_COMP
232 sc->compression = UNSET;
233#endif
234 sc->session_tickets = UNSET;
235
236 modssl_ctx_init_server(sc, p);
237
238 return sc;
239}
240
241/*
242 * Create per-server SSL configuration
243 */
244void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
245{
246 SSLSrvConfigRec *sc = ssl_config_server_new(p);
247
248 sc->mc = ssl_config_global_create(s);
249
250 return sc;
251}
252
253#define cfgMerge(el,unset) mrg->el = (add->el == (unset)) ? base->el : add->el
254#define cfgMergeArray(el) mrg->el = apr_array_append(p, base->el, add->el)
255#define cfgMergeString(el) cfgMerge(el, NULL)
256#define cfgMergeBool(el) cfgMerge(el, UNSET)
257#define cfgMergeInt(el) cfgMerge(el, UNSET)
258
259/*
260 * Merge per-server SSL configurations
261 */
262
263static void modssl_ctx_cfg_merge(apr_pool_t *p,
264 modssl_ctx_t *base,
265 modssl_ctx_t *add,
266 modssl_ctx_t *mrg)
267{
268 if (add->protocol_set) {
269 mrg->protocol_set = 1;
270 mrg->protocol = add->protocol;
271 }
272 else {
273 mrg->protocol_set = base->protocol_set;
274 mrg->protocol = base->protocol;
275 }
276
277 cfgMerge(pphrase_dialog_type, SSL_PPTYPE_UNSET);
278 cfgMergeString(pphrase_dialog_path);
279
280 cfgMergeString(cert_chain);
281
282 cfgMerge(crl_path, NULL);
283 cfgMerge(crl_file, NULL);
284 cfgMergeInt(crl_check_mask);
285
286 cfgMergeString(auth.ca_cert_path);
287 cfgMergeString(auth.ca_cert_file);
288 cfgMergeString(auth.cipher_suite);
289 cfgMergeInt(auth.verify_depth);
290 cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
291 cfgMergeString(auth.tls13_ciphers);
292
293 cfgMergeInt(ocsp_mask);
294 cfgMergeBool(ocsp_force_default);
295 cfgMerge(ocsp_responder, NULL);
296 cfgMergeInt(ocsp_resptime_skew);
297 cfgMergeInt(ocsp_resp_maxage);
298 cfgMergeInt(ocsp_responder_timeout);
299 cfgMergeBool(ocsp_use_request_nonce);
300 cfgMerge(proxy_uri, NULL);
301
302/* Set OCSP Responder Certificate Verification directive */
303 cfgMergeBool(ocsp_noverify);
304/* Set OCSP Responder File directive for importing */
305 cfgMerge(ocsp_certs_file, NULL);
306
307#ifdef HAVE_OCSP_STAPLING
308 cfgMergeBool(stapling_enabled);
309 cfgMergeInt(stapling_resptime_skew);
310 cfgMergeInt(stapling_resp_maxage);
311 cfgMergeInt(stapling_cache_timeout);
312 cfgMergeBool(stapling_return_errors);
313 cfgMergeBool(stapling_fake_trylater);
314 cfgMergeInt(stapling_errcache_timeout);
315 cfgMergeInt(stapling_responder_timeout);
316 cfgMerge(stapling_force_url, NULL);
317#endif
318
319#ifdef HAVE_SRP
320 cfgMergeString(srp_vfile);
321 cfgMergeString(srp_unknown_user_seed);
322#endif
323
324#ifdef HAVE_SSL_CONF_CMD
325 cfgMergeArray(ssl_ctx_param);
326#endif
327
328 cfgMergeBool(ssl_check_peer_cn);
329 cfgMergeBool(ssl_check_peer_name);
330 cfgMergeBool(ssl_check_peer_expire);
331}
332
333static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p,
334 apr_array_header_t *base,
335 apr_array_header_t *add,
336 apr_array_header_t *mrg)
337{
338 int i;
339
340 /*
341 * pick up to CERTKEYS_IDX_MAX+1 entries from "add" (in which case they
342 * they "knock out" their corresponding entries in "base", emulating
343 * the behavior with cfgMergeString in releases up to 2.4.7)
344 */
345 for (i = 0; i < add->nelts && i <= CERTKEYS_IDX_MAX; i++) {
346 APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *);
347 }
348
349 /* add remaining ones from "base" */
350 while (i < base->nelts) {
351 APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(base, i, const char *);
352 i++;
353 }
354
355 /* and finally, append the rest of "add" (if there are any) */
356 for (i = CERTKEYS_IDX_MAX+1; i < add->nelts; i++) {
357 APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *);
358 }
359}
360
361static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
362 modssl_ctx_t *base,
363 modssl_ctx_t *add,
364 modssl_ctx_t *mrg)
365{
366 modssl_ctx_cfg_merge(p, base, add, mrg);
367
368 /*
369 * For better backwards compatibility with releases up to 2.4.7,
370 * merging global and vhost-level SSLCertificateFile and
371 * SSLCertificateKeyFile directives needs special treatment.
372 * See also PR 56306 and 56353.
373 */
374 modssl_ctx_cfg_merge_certkeys_array(p, base->pks->cert_files,
375 add->pks->cert_files,
376 mrg->pks->cert_files);
377 modssl_ctx_cfg_merge_certkeys_array(p, base->pks->key_files,
378 add->pks->key_files,
379 mrg->pks->key_files);
380
381 cfgMergeString(pks->ca_name_path);
382 cfgMergeString(pks->ca_name_file);
383
384#ifdef HAVE_TLS_SESSION_TICKETS
385 cfgMergeString(ticket_key->file_path);
386#endif
387}
388
389void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
390{
391 SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
392 SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
393 SSLSrvConfigRec *mrg = ssl_config_server_new(p);
394
395 cfgMerge(mc, NULL);
396 cfgMerge(enabled, SSL_ENABLED_UNSET);
397 cfgMergeInt(session_cache_timeout);
398 cfgMergeBool(cipher_server_pref);
399 cfgMergeBool(insecure_reneg);
400#ifdef HAVE_TLSEXT
401 cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
402#endif
403#ifndef OPENSSL_NO_COMP
404 cfgMergeBool(compression);
405#endif
406 cfgMergeBool(session_tickets);
407
408 modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server);
409
410 return mrg;
411}
412
413/*
414 * Create per-directory SSL configuration
415 */
416
417static void modssl_ctx_init_proxy(SSLDirConfigRec *dc,
418 apr_pool_t *p)
419{
420 modssl_ctx_t *mctx;
421
422 mctx = dc->proxy = apr_palloc(p, sizeof(*dc->proxy));
423
424 modssl_ctx_init(mctx, p);
425
426 mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
427
428 mctx->pkp->cert_file = NULL;
429 mctx->pkp->cert_path = NULL;
430 mctx->pkp->ca_cert_file = NULL;
431 mctx->pkp->certs = NULL;
432 mctx->pkp->ca_certs = NULL;
433}
434
435void *ssl_config_perdir_create(apr_pool_t *p, char *dir)
436{
437 SSLDirConfigRec *dc = apr_palloc(p, sizeof(*dc));
438
439 dc->bSSLRequired = FALSE;
440 dc->aRequirement = apr_array_make(p, 4, sizeof(ssl_require_t));
441 dc->nOptions = SSL_OPT_NONE|SSL_OPT_RELSET;
442 dc->nOptionsAdd = SSL_OPT_NONE;
443 dc->nOptionsDel = SSL_OPT_NONE;
444
445 dc->szCipherSuite = NULL;
446 dc->nVerifyClient = SSL_CVERIFY_UNSET;
447 dc->nVerifyDepth = UNSET;
448
449 dc->szUserName = NULL;
450
451 dc->nRenegBufferSize = UNSET;
452
453 dc->proxy_enabled = UNSET;
454 modssl_ctx_init_proxy(dc, p);
455 dc->proxy_post_config = FALSE;
456
457 return dc;
458}
459
460/*
461 * Merge per-directory SSL configurations
462 */
463
464static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
465 modssl_ctx_t *base,
466 modssl_ctx_t *add,
467 modssl_ctx_t *mrg)
468{
469 modssl_ctx_cfg_merge(p, base, add, mrg);
470
471 cfgMergeString(pkp->cert_file);
472 cfgMergeString(pkp->cert_path);
473 cfgMergeString(pkp->ca_cert_file);
474 cfgMergeString(pkp->certs);
475 cfgMergeString(pkp->ca_certs);
476}
477
478void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
479{
480 SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
481 SSLDirConfigRec *add = (SSLDirConfigRec *)addv;
482 SSLDirConfigRec *mrg = (SSLDirConfigRec *)apr_palloc(p, sizeof(*mrg));
483
484 cfgMerge(bSSLRequired, FALSE);
485 cfgMergeArray(aRequirement);
486
487 if (add->nOptions & SSL_OPT_RELSET) {
488 mrg->nOptionsAdd =
489 (base->nOptionsAdd & ~(add->nOptionsDel)) | add->nOptionsAdd;
490 mrg->nOptionsDel =
491 (base->nOptionsDel & ~(add->nOptionsAdd)) | add->nOptionsDel;
492 mrg->nOptions =
493 (base->nOptions & ~(mrg->nOptionsDel)) | mrg->nOptionsAdd;
494 }
495 else {
496 mrg->nOptions = add->nOptions;
497 mrg->nOptionsAdd = add->nOptionsAdd;
498 mrg->nOptionsDel = add->nOptionsDel;
499 }
500
501 cfgMergeString(szCipherSuite);
502 cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
503 cfgMergeInt(nVerifyDepth);
504
505 cfgMergeString(szUserName);
506
507 cfgMergeInt(nRenegBufferSize);
508
509 mrg->proxy_post_config = add->proxy_post_config;
510 if (!mrg->proxy_post_config) {
511 cfgMergeBool(proxy_enabled);
512 modssl_ctx_init_proxy(mrg, p);
513 modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
514
515 /* Since ssl_proxy_section_post_config() hook won't be called if there
516 * is no SSLProxy* in this dir config, the ssl_ctx may still be NULL
517 * here at runtime. Merging it is either a no-op (NULL => NULL) because
518 * we are still before post config, or we really want to reuse the one
519 * from the upper/server context (outside of <Proxy> sections).
520 */
521 cfgMerge(proxy->ssl_ctx, NULL);
522 }
523 else {
524 /* The post_config hook has already merged and initialized the
525 * proxy context, use it.
526 */
527 mrg->proxy_enabled = add->proxy_enabled;
528 mrg->proxy = add->proxy;
529 }
530
531 return mrg;
532}
533
534/* Simply merge conf with base into conf, no third party. */
535void ssl_config_proxy_merge(apr_pool_t *p,
536 SSLDirConfigRec *base,
537 SSLDirConfigRec *conf)
538{
539 if (conf->proxy_enabled == UNSET) {
540 conf->proxy_enabled = base->proxy_enabled;
541 }
542 modssl_ctx_cfg_merge_proxy(p, base->proxy, conf->proxy, conf->proxy);
543}
544
545/*
546 * Configuration functions for particular directives
547 */
548
549const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd,
550 void *dcfg,
551 const char *arg)
552{
553 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
554 const char *err;
555 int arglen = strlen(arg);
556
557 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
558 return err;
559 }
560
561 if (strcEQ(arg, "builtin")) {
562 sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
563 sc->server->pphrase_dialog_path = NULL;
564 }
565 else if ((arglen > 5) && strEQn(arg, "exec:", 5)) {
566 sc->server->pphrase_dialog_type = SSL_PPTYPE_FILTER;
567 sc->server->pphrase_dialog_path =
568 ap_server_root_relative(cmd->pool, arg+5);
569 if (!sc->server->pphrase_dialog_path) {
570 return apr_pstrcat(cmd->pool,
571 "Invalid SSLPassPhraseDialog exec: path ",
572 arg+5, NULL);
573 }
574 if (!ssl_util_path_check(SSL_PCM_EXISTS,
575 sc->server->pphrase_dialog_path,
576 cmd->pool))
577 {
578 return apr_pstrcat(cmd->pool,
579 "SSLPassPhraseDialog: file '",
580 sc->server->pphrase_dialog_path,
581 "' does not exist", NULL);
582 }
583
584 }
585 else if ((arglen > 1) && (arg[0] == '|')) {
586 sc->server->pphrase_dialog_type = SSL_PPTYPE_PIPE;
587 sc->server->pphrase_dialog_path = arg + 1;
588 }
589 else {
590 return "SSLPassPhraseDialog: Invalid argument";
591 }
592
593 return NULL;
594}
595
596const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
597 void *dcfg,
598 const char *arg)
599{
600 SSLModConfigRec *mc = myModConfig(cmd->server);
601 const char *err;
602#if MODSSL_HAVE_ENGINE_API
603 ENGINE *e;
604#endif
605
606 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
607 return err;
608 }
609
610 if (strcEQ(arg, "builtin")) {
611 mc->szCryptoDevice = NULL;
612 }
613#if MODSSL_HAVE_ENGINE_API
614 else if ((e = ENGINE_by_id(arg))) {
615 mc->szCryptoDevice = arg;
616 ENGINE_free(e);
617 }
618#endif
619 else {
620 err = "SSLCryptoDevice: Invalid argument; must be one of: "
621 "'builtin' (none)";
622#if MODSSL_HAVE_ENGINE_API
623 e = ENGINE_get_first();
624 while (e) {
625 err = apr_pstrcat(cmd->pool, err, ", '", ENGINE_get_id(e),
626 "' (", ENGINE_get_name(e), ")", NULL);
627 /* Iterate; this call implicitly decrements the refcount
628 * on the 'old' e, per the docs in engine.h. */
629 e = ENGINE_get_next(e);
630 }
631#endif
632 return err;
633 }
634
635 return NULL;
636}
637
638const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
639 void *dcfg,
640 const char *arg1,
641 const char *arg2,
642 const char *arg3)
643{
644 SSLModConfigRec *mc = myModConfig(cmd->server);
645 const char *err;
646 ssl_randseed_t *seed;
647 int arg2len = strlen(arg2);
648
649 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
650 return err;
651 }
652
653 if (ssl_config_global_isfixed(mc)) {
654 return NULL;
655 }
656
657 seed = apr_array_push(mc->aRandSeed);
658
659 if (strcEQ(arg1, "startup")) {
660 seed->nCtx = SSL_RSCTX_STARTUP;
661 }
662 else if (strcEQ(arg1, "connect")) {
663 seed->nCtx = SSL_RSCTX_CONNECT;
664 }
665 else {
666 return apr_pstrcat(cmd->pool, "SSLRandomSeed: "
667 "invalid context: `", arg1, "'",
668 NULL);
669 }
670
671 if ((arg2len > 5) && strEQn(arg2, "file:", 5)) {
672 seed->nSrc = SSL_RSSRC_FILE;
673 seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
674 }
675 else if ((arg2len > 5) && strEQn(arg2, "exec:", 5)) {
676 seed->nSrc = SSL_RSSRC_EXEC;
677 seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
678 }
679 else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
680#ifdef HAVE_RAND_EGD
681 seed->nSrc = SSL_RSSRC_EGD;
682 seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
683#else
684 return apr_pstrcat(cmd->pool, "Invalid SSLRandomSeed entropy source `",
685 arg2, "': This version of " MODSSL_LIBRARY_NAME
686 " does not support the Entropy Gathering Daemon "
687 "(EGD).", NULL);
688#endif
689 }
690 else if (strcEQ(arg2, "builtin")) {
691 seed->nSrc = SSL_RSSRC_BUILTIN;
692 seed->cpPath = NULL;
693 }
694 else {
695 seed->nSrc = SSL_RSSRC_FILE;
696 seed->cpPath = ap_server_root_relative(mc->pPool, arg2);
697 }
698
699 if (seed->nSrc != SSL_RSSRC_BUILTIN) {
700 if (!seed->cpPath) {
701 return apr_pstrcat(cmd->pool,
702 "Invalid SSLRandomSeed path ",
703 arg2, NULL);
704 }
705 if (!ssl_util_path_check(SSL_PCM_EXISTS, seed->cpPath, cmd->pool)) {
706 return apr_pstrcat(cmd->pool,
707 "SSLRandomSeed: source path '",
708 seed->cpPath, "' does not exist", NULL);
709 }
710 }
711
712 if (!arg3) {
713 seed->nBytes = 0; /* read whole file */
714 }
715 else {
716 if (seed->nSrc == SSL_RSSRC_BUILTIN) {
717 return "SSLRandomSeed: byte specification not "
718 "allowed for builtin seed source";
719 }
720
721 seed->nBytes = atoi(arg3);
722
723 if (seed->nBytes < 0) {
724 return "SSLRandomSeed: invalid number of bytes specified";
725 }
726 }
727
728 return NULL;
729}
730
731const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
732{
733 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
734
735 if (!strcasecmp(arg, "On")) {
736 sc->enabled = SSL_ENABLED_TRUE;
737 return NULL;
738 }
739 else if (!strcasecmp(arg, "Off")) {
740 sc->enabled = SSL_ENABLED_FALSE;
741 return NULL;
742 }
743 else if (!strcasecmp(arg, "Optional")) {
744 sc->enabled = SSL_ENABLED_OPTIONAL;
745 return NULL;
746 }
747
748 return "Argument must be On, Off, or Optional";
749}
750
751const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
752{
753#ifdef HAVE_FIPS
754 SSLModConfigRec *mc = myModConfig(cmd->server);
755#endif
756 const char *err;
757
758 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
759 return err;
760 }
761
762#ifdef HAVE_FIPS
763 if ((mc->fips != UNSET) && (mc->fips != (BOOL)(flag ? TRUE : FALSE)))
764 return "Conflicting SSLFIPS options, cannot be both On and Off";
765 mc->fips = flag ? TRUE : FALSE;
766#else
767 if (flag)
768 return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
769#endif
770
771 return NULL;
772}
773
774const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
775 void *dcfg,
776 const char *arg1, const char *arg2)
777{
778 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
779 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
780
781 if (arg2 == NULL) {
782 arg2 = arg1;
783 arg1 = "SSL";
784 }
785
786 if (!strcmp("SSL", arg1)) {
787 /* always disable null and export ciphers */
788 arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
789 if (cmd->path) {
790 dc->szCipherSuite = arg2;
791 }
792 else {
793 sc->server->auth.cipher_suite = arg2;
794 }
795 return NULL;
796 }
797#if SSL_HAVE_PROTOCOL_TLSV1_3
798 else if (!strcmp("TLSv1.3", arg1)) {
799 if (cmd->path) {
800 return "TLSv1.3 ciphers cannot be set inside a directory context";
801 }
802 sc->server->auth.tls13_ciphers = arg2;
803 return NULL;
804 }
805#endif
806 return apr_pstrcat(cmd->pool, "protocol '", arg1, "' not supported", NULL);
807}
808
809#define SSL_FLAGS_CHECK_FILE \
810 (SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO)
811
812#define SSL_FLAGS_CHECK_DIR \
813 (SSL_PCM_EXISTS|SSL_PCM_ISDIR)
814
815static const char *ssl_cmd_check_file(cmd_parms *parms,
816 const char **file)
817{
818 const char *filepath;
819
820 /* If only dumping the config, don't verify the paths */
821 if (ap_state_query(AP_SQ_RUN_MODE) == AP_SQ_RM_CONFIG_DUMP) {
822 return NULL;
823 }
824
825 filepath = ap_server_root_relative(parms->pool, *file);
826 if (!filepath) {
827 return apr_pstrcat(parms->pool, parms->cmd->name,
828 ": Invalid file path ", *file, NULL);
829 }
830 *file = filepath;
831
832 if (ssl_util_path_check(SSL_FLAGS_CHECK_FILE, *file, parms->pool)) {
833 return NULL;
834 }
835
836 return apr_pstrcat(parms->pool, parms->cmd->name,
837 ": file '", *file,
838 "' does not exist or is empty", NULL);
839
840}
841
842const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
843{
844#if !defined(OPENSSL_NO_COMP)
845 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
846#ifndef SSL_OP_NO_COMPRESSION
847 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
848 if (err)
849 return "This version of OpenSSL does not support enabling "
850 "SSLCompression within <VirtualHost> sections.";
851#endif
852 if (flag) {
853 /* Some (packaged) versions of OpenSSL do not support
854 * compression by default. Enabling this directive would not
855 * have the desired effect, so fail with an error. */
856 STACK_OF(SSL_COMP) *meths = SSL_COMP_get_compression_methods();
857
858 if (sk_SSL_COMP_num(meths) == 0) {
859 return "This version of OpenSSL does not have any compression methods "
860 "available, cannot enable SSLCompression.";
861 }
862 }
863 sc->compression = flag ? TRUE : FALSE;
864#else
865 if (flag) {
866 return "Setting Compression mode unsupported; not implemented by the SSL library";
867 }
868#endif
869 return NULL;
870}
871
872const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
873{
874#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
875 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
876 sc->cipher_server_pref = flag?TRUE:FALSE;
877 return NULL;
878#else
879 return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";
880#endif
881}
882
883const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
884{
885 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
886#ifndef SSL_OP_NO_TICKET
887 return "This version of OpenSSL does not support using "
888 "SSLSessionTickets.";
889#endif
890 sc->session_tickets = flag ? TRUE : FALSE;
891 return NULL;
892}
893
894const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
895{
896#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
897 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
898 sc->insecure_reneg = flag?TRUE:FALSE;
899 return NULL;
900#else
901 return "The SSLInsecureRenegotiation directive is not available "
902 "with this SSL library";
903#endif
904}
905
906
907static const char *ssl_cmd_check_dir(cmd_parms *parms,
908 const char **dir)
909{
910 const char *dirpath = ap_server_root_relative(parms->pool, *dir);
911
912 if (!dirpath) {
913 return apr_pstrcat(parms->pool, parms->cmd->name,
914 ": Invalid dir path ", *dir, NULL);
915 }
916 *dir = dirpath;
917
918 if (ssl_util_path_check(SSL_FLAGS_CHECK_DIR, *dir, parms->pool)) {
919 return NULL;
920 }
921
922 return apr_pstrcat(parms->pool, parms->cmd->name,
923 ": directory '", *dir,
924 "' does not exist", NULL);
925
926}
927
928const char *ssl_cmd_SSLCertificateFile(cmd_parms *cmd,
929 void *dcfg,
930 const char *arg)
931{
932 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
933 const char *err;
934
935 /* Only check for non-ENGINE based certs. */
936 if (!modssl_is_engine_id(arg)
937 && (err = ssl_cmd_check_file(cmd, &arg))) {
938 return err;
939 }
940
941 *(const char **)apr_array_push(sc->server->pks->cert_files) = arg;
942
943 return NULL;
944}
945
946const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
947 void *dcfg,
948 const char *arg)
949{
950 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
951 const char *err;
952
953 /* Check keyfile exists for non-ENGINE keys. */
954 if (!modssl_is_engine_id(arg)
955 && (err = ssl_cmd_check_file(cmd, &arg))) {
956 return err;
957 }
958
959 *(const char **)apr_array_push(sc->server->pks->key_files) = arg;
960
961 return NULL;
962}
963
964const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd,
965 void *dcfg,
966 const char *arg)
967{
968 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
969 const char *err;
970
971 if ((err = ssl_cmd_check_file(cmd, &arg))) {
972 return err;
973 }
974
975 sc->server->cert_chain = arg;
976
977 return NULL;
978}
979
980#ifdef HAVE_TLS_SESSION_TICKETS
981const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
982 void *dcfg,
983 const char *arg)
984{
985 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
986 const char *err;
987
988 if ((err = ssl_cmd_check_file(cmd, &arg))) {
989 return err;
990 }
991
992 sc->server->ticket_key->file_path = arg;
993
994 return NULL;
995}
996#endif
997
998#define NO_PER_DIR_SSL_CA \
999 "Your SSL library does not have support for per-directory CA"
1000
1001const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd,
1002 void *dcfg,
1003 const char *arg)
1004{
1005 /*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/
1006 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1007 const char *err;
1008
1009 if ((err = ssl_cmd_check_dir(cmd, &arg))) {
1010 return err;
1011 }
1012
1013 if (cmd->path) {
1014 return NO_PER_DIR_SSL_CA;
1015 }
1016
1017 /* XXX: bring back per-dir */
1018 sc->server->auth.ca_cert_path = arg;
1019
1020 return NULL;
1021}
1022
1023const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
1024 void *dcfg,
1025 const char *arg)
1026{
1027 /*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/
1028 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1029 const char *err;
1030
1031 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1032 return err;
1033 }
1034
1035 if (cmd->path) {
1036 return NO_PER_DIR_SSL_CA;
1037 }
1038
1039 /* XXX: bring back per-dir */
1040 sc->server->auth.ca_cert_file = arg;
1041
1042 return NULL;
1043}
1044
1045const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
1046 const char *arg)
1047{
1048 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1049 const char *err;
1050
1051 if ((err = ssl_cmd_check_dir(cmd, &arg))) {
1052 return err;
1053 }
1054
1055 sc->server->pks->ca_name_path = arg;
1056
1057 return NULL;
1058}
1059
1060const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
1061 const char *arg)
1062{
1063 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1064 const char *err;
1065
1066 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1067 return err;
1068 }
1069
1070 sc->server->pks->ca_name_file = arg;
1071
1072 return NULL;
1073}
1074
1075const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd,
1076 void *dcfg,
1077 const char *arg)
1078{
1079 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1080 const char *err;
1081
1082 if ((err = ssl_cmd_check_dir(cmd, &arg))) {
1083 return err;
1084 }
1085
1086 sc->server->crl_path = arg;
1087
1088 return NULL;
1089}
1090
1091const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd,
1092 void *dcfg,
1093 const char *arg)
1094{
1095 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1096 const char *err;
1097
1098 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1099 return err;
1100 }
1101
1102 sc->server->crl_file = arg;
1103
1104 return NULL;
1105}
1106
1107static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms,
1108 const char *arg,
1109 int *mask)
1110{
1111 const char *w;
1112
1113 w = ap_getword_conf(parms->temp_pool, &arg);
1114 if (strcEQ(w, "none")) {
1115 *mask = SSL_CRLCHECK_NONE;
1116 }
1117 else if (strcEQ(w, "leaf")) {
1118 *mask = SSL_CRLCHECK_LEAF;
1119 }
1120 else if (strcEQ(w, "chain")) {
1121 *mask = SSL_CRLCHECK_CHAIN;
1122 }
1123 else {
1124 return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1125 ": Invalid argument '", w, "'",
1126 NULL);
1127 }
1128
1129 while (*arg) {
1130 w = ap_getword_conf(parms->temp_pool, &arg);
1131 if (strcEQ(w, "no_crl_for_cert_ok")) {
1132 *mask |= SSL_CRLCHECK_NO_CRL_FOR_CERT_OK;
1133 }
1134 else {
1135 return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1136 ": Invalid argument '", w, "'",
1137 NULL);
1138 }
1139 }
1140
1141 return NULL;
1142}
1143
1144const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd,
1145 void *dcfg,
1146 const char *arg)
1147{
1148 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1149
1150 return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mask);
1151}
1152
1153static const char *ssl_cmd_verify_parse(cmd_parms *parms,
1154 const char *arg,
1155 ssl_verify_t *id)
1156{
1157 if (strcEQ(arg, "none") || strcEQ(arg, "off")) {
1158 *id = SSL_CVERIFY_NONE;
1159 }
1160 else if (strcEQ(arg, "optional")) {
1161 *id = SSL_CVERIFY_OPTIONAL;
1162 }
1163 else if (strcEQ(arg, "require") || strcEQ(arg, "on")) {
1164 *id = SSL_CVERIFY_REQUIRE;
1165 }
1166 else if (strcEQ(arg, "optional_no_ca")) {
1167 *id = SSL_CVERIFY_OPTIONAL_NO_CA;
1168 }
1169 else {
1170 return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1171 ": Invalid argument '", arg, "'",
1172 NULL);
1173 }
1174
1175 return NULL;
1176}
1177
1178const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd,
1179 void *dcfg,
1180 const char *arg)
1181{
1182 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1183 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1184 ssl_verify_t mode = SSL_CVERIFY_NONE;
1185 const char *err;
1186
1187 if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {
1188 return err;
1189 }
1190
1191 if (cmd->path) {
1192 dc->nVerifyClient = mode;
1193 }
1194 else {
1195 sc->server->auth.verify_mode = mode;
1196 }
1197
1198 return NULL;
1199}
1200
1201static const char *ssl_cmd_verify_depth_parse(cmd_parms *parms,
1202 const char *arg,
1203 int *depth)
1204{
1205 if ((*depth = atoi(arg)) >= 0) {
1206 return NULL;
1207 }
1208
1209 return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1210 ": Invalid argument '", arg, "'",
1211 NULL);
1212}
1213
1214const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd,
1215 void *dcfg,
1216 const char *arg)
1217{
1218 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1219 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1220 int depth;
1221 const char *err;
1222
1223 if ((err = ssl_cmd_verify_depth_parse(cmd, arg, &depth))) {
1224 return err;
1225 }
1226
1227 if (cmd->path) {
1228 dc->nVerifyDepth = depth;
1229 }
1230 else {
1231 sc->server->auth.verify_depth = depth;
1232 }
1233
1234 return NULL;
1235}
1236
1237const char *ssl_cmd_SSLSessionCache(cmd_parms *cmd,
1238 void *dcfg,
1239 const char *arg)
1240{
1241 SSLModConfigRec *mc = myModConfig(cmd->server);
1242 const char *err, *sep, *name;
1243 long enabled_flags;
1244
1245 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
1246 return err;
1247 }
1248
1249 /* The OpenSSL session cache mode must have both the flags
1250 * SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a
1251 * session cache is configured; NO_INTERNAL prevents the
1252 * OpenSSL-internal session cache being used in addition to the
1253 * "external" (mod_ssl-provided) cache, which otherwise causes
1254 * additional memory consumption. */
1255 enabled_flags = SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL;
1256
1257 if (strcEQ(arg, "none")) {
1258 /* Nothing to do; session cache will be off. */
1259 }
1260 else if (strcEQ(arg, "nonenotnull")) {
1261 /* ### Having a separate mode for this seems logically
1262 * unnecessary; the stated purpose of sending non-empty
1263 * session IDs would be better fixed in OpenSSL or simply
1264 * doing it by default if "none" is used. */
1265 mc->sesscache_mode = enabled_flags;
1266 }
1267 else {
1268 /* Argument is of form 'name:args' or just 'name'. */
1269 sep = ap_strchr_c(arg, ':');
1270 if (sep) {
1271 name = apr_pstrmemdup(cmd->pool, arg, sep - arg);
1272 sep++;
1273 }
1274 else {
1275 name = arg;
1276 }
1277
1278 /* Find the provider of given name. */
1279 mc->sesscache = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
1280 name,
1281 AP_SOCACHE_PROVIDER_VERSION);
1282 if (mc->sesscache) {
1283 /* Cache found; create it, passing anything beyond the colon. */
1284 mc->sesscache_mode = enabled_flags;
1285 err = mc->sesscache->create(&mc->sesscache_context, sep,
1286 cmd->temp_pool, cmd->pool);
1287 }
1288 else {
1289 apr_array_header_t *name_list;
1290 const char *all_names;
1291
1292 /* Build a comma-separated list of all registered provider
1293 * names: */
1294 name_list = ap_list_provider_names(cmd->pool,
1295 AP_SOCACHE_PROVIDER_GROUP,
1296 AP_SOCACHE_PROVIDER_VERSION);
1297 all_names = apr_array_pstrcat(cmd->pool, name_list, ',');
1298
1299 err = apr_psprintf(cmd->pool, "'%s' session cache not supported "
1300 "(known names: %s). Maybe you need to load the "
1301 "appropriate socache module (mod_socache_%s?).",
1302 name, all_names, name);
1303 }
1304 }
1305
1306 if (err) {
1307 return apr_psprintf(cmd->pool, "SSLSessionCache: %s", err);
1308 }
1309
1310 return NULL;
1311}
1312
1313const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *cmd,
1314 void *dcfg,
1315 const char *arg)
1316{
1317 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1318
1319 sc->session_cache_timeout = atoi(arg);
1320
1321 if (sc->session_cache_timeout < 0) {
1322 return "SSLSessionCacheTimeout: Invalid argument";
1323 }
1324
1325 return NULL;
1326}
1327
1328const char *ssl_cmd_SSLOptions(cmd_parms *cmd,
1329 void *dcfg,
1330 const char *arg)
1331{
1332 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1333 ssl_opt_t opt;
1334 int first = TRUE;
1335 char action, *w;
1336
1337 while (*arg) {
1338 w = ap_getword_conf(cmd->temp_pool, &arg);
1339 action = NUL;
1340
1341 if ((*w == '+') || (*w == '-')) {
1342 action = *(w++);
1343 }
1344 else if (first) {
1345 dc->nOptions = SSL_OPT_NONE;
1346 first = FALSE;
1347 }
1348
1349 if (strcEQ(w, "StdEnvVars")) {
1350 opt = SSL_OPT_STDENVVARS;
1351 }
1352 else if (strcEQ(w, "ExportCertData")) {
1353 opt = SSL_OPT_EXPORTCERTDATA;
1354 }
1355 else if (strcEQ(w, "FakeBasicAuth")) {
1356 opt = SSL_OPT_FAKEBASICAUTH;
1357 }
1358 else if (strcEQ(w, "StrictRequire")) {
1359 opt = SSL_OPT_STRICTREQUIRE;
1360 }
1361 else if (strcEQ(w, "OptRenegotiate")) {
1362 opt = SSL_OPT_OPTRENEGOTIATE;
1363 }
1364 else if (strcEQ(w, "LegacyDNStringFormat")) {
1365 opt = SSL_OPT_LEGACYDNFORMAT;
1366 }
1367 else {
1368 return apr_pstrcat(cmd->pool,
1369 "SSLOptions: Illegal option '", w, "'",
1370 NULL);
1371 }
1372
1373 if (action == '-') {
1374 dc->nOptionsAdd &= ~opt;
1375 dc->nOptionsDel |= opt;
1376 dc->nOptions &= ~opt;
1377 }
1378 else if (action == '+') {
1379 dc->nOptionsAdd |= opt;
1380 dc->nOptionsDel &= ~opt;
1381 dc->nOptions |= opt;
1382 }
1383 else {
1384 dc->nOptions = opt;
1385 dc->nOptionsAdd = opt;
1386 dc->nOptionsDel = SSL_OPT_NONE;
1387 }
1388 }
1389
1390 return NULL;
1391}
1392
1393const char *ssl_cmd_SSLRequireSSL(cmd_parms *cmd, void *dcfg)
1394{
1395 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1396
1397 dc->bSSLRequired = TRUE;
1398
1399 return NULL;
1400}
1401
1402const char *ssl_cmd_SSLRequire(cmd_parms *cmd,
1403 void *dcfg,
1404 const char *arg)
1405{
1406 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1407 ap_expr_info_t *info = apr_pcalloc(cmd->pool, sizeof(ap_expr_info_t));
1408 ssl_require_t *require;
1409 const char *errstring;
1410
1411 info->flags = AP_EXPR_FLAG_SSL_EXPR_COMPAT;
1412 info->filename = cmd->directive->filename;
1413 info->line_number = cmd->directive->line_num;
1414 info->module_index = APLOG_MODULE_INDEX;
1415 errstring = ap_expr_parse(cmd->pool, cmd->temp_pool, info, arg, NULL);
1416 if (errstring) {
1417 return apr_pstrcat(cmd->pool, "SSLRequire: ", errstring, NULL);
1418 }
1419
1420 require = apr_array_push(dc->aRequirement);
1421 require->cpExpr = arg;
1422 require->mpExpr = info;
1423
1424 return NULL;
1425}
1426
1427const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
1428{
1429 SSLDirConfigRec *dc = dcfg;
1430 int val;
1431
1432 val = atoi(arg);
1433 if (val < 0) {
1434 return apr_pstrcat(cmd->pool, "Invalid size for SSLRenegBufferSize: ",
1435 arg, NULL);
1436 }
1437 dc->nRenegBufferSize = val;
1438
1439 return NULL;
1440}
1441
1442static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
1443 const char *arg,
1444 ssl_proto_t *options)
1445{
1446 ssl_proto_t thisopt;
1447
1448 *options = SSL_PROTOCOL_NONE;
1449
1450 while (*arg) {
1451 char *w = ap_getword_conf(parms->temp_pool, &arg);
1452 char action = '\0';
1453
1454 if ((*w == '+') || (*w == '-')) {
1455 action = *(w++);
1456 }
1457
1458 if (strcEQ(w, "SSLv2")) {
1459 if (action == '-') {
1460 continue;
1461 }
1462 else {
1463 return "SSLProtocol: SSLv2 is no longer supported";
1464 }
1465 }
1466 else if (strcEQ(w, "SSLv3")) {
1467#ifdef OPENSSL_NO_SSL3
1468 if (action != '-') {
1469 return "SSLv3 not supported by this version of OpenSSL";
1470 }
1471 /* Nothing to do, the flag is not present to be toggled */
1472 continue;
1473#else
1474 thisopt = SSL_PROTOCOL_SSLV3;
1475#endif
1476 }
1477 else if (strcEQ(w, "TLSv1")) {
1478 thisopt = SSL_PROTOCOL_TLSV1;
1479 }
1480#ifdef HAVE_TLSV1_X
1481 else if (strcEQ(w, "TLSv1.1")) {
1482 thisopt = SSL_PROTOCOL_TLSV1_1;
1483 }
1484 else if (strcEQ(w, "TLSv1.2")) {
1485 thisopt = SSL_PROTOCOL_TLSV1_2;
1486 }
1487 else if (SSL_HAVE_PROTOCOL_TLSV1_3 && strcEQ(w, "TLSv1.3")) {
1488 thisopt = SSL_PROTOCOL_TLSV1_3;
1489 }
1490#endif
1491 else if (strcEQ(w, "all")) {
1492 thisopt = SSL_PROTOCOL_ALL;
1493 }
1494 else {
1495 return apr_pstrcat(parms->temp_pool,
1496 parms->cmd->name,
1497 ": Illegal protocol '", w, "'", NULL);
1498 }
1499
1500 if (action == '-') {
1501 *options &= ~thisopt;
1502 }
1503 else if (action == '+') {
1504 *options |= thisopt;
1505 }
1506 else {
1507 if (*options != SSL_PROTOCOL_NONE) {
1508 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, parms->server, APLOGNO(02532)
1509 "%s: Protocol '%s' overrides already set parameter(s). "
1510 "Check if a +/- prefix is missing.",
1511 parms->cmd->name, w);
1512 }
1513 *options = thisopt;
1514 }
1515 }
1516
1517 return NULL;
1518}
1519
1520const char *ssl_cmd_SSLProtocol(cmd_parms *cmd,
1521 void *dcfg,
1522 const char *arg)
1523{
1524 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1525
1526 sc->server->protocol_set = 1;
1527 return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol);
1528}
1529
1530const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
1531{
1532 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1533
1534 dc->proxy_enabled = flag ? TRUE : FALSE;
1535
1536 return NULL;
1537}
1538
1539const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,
1540 void *dcfg,
1541 const char *arg)
1542{
1543 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1544
1545 dc->proxy->protocol_set = 1;
1546 return ssl_cmd_protocol_parse(cmd, arg, &dc->proxy->protocol);
1547}
1548
1549const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
1550 void *dcfg,
1551 const char *arg1, const char *arg2)
1552{
1553 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1554
1555 if (arg2 == NULL) {
1556 arg2 = arg1;
1557 arg1 = "SSL";
1558 }
1559
1560 if (!strcmp("SSL", arg1)) {
1561 /* always disable null and export ciphers */
1562 arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
1563 dc->proxy->auth.cipher_suite = arg2;
1564 return NULL;
1565 }
1566#if SSL_HAVE_PROTOCOL_TLSV1_3
1567 else if (!strcmp("TLSv1.3", arg1)) {
1568 dc->proxy->auth.tls13_ciphers = arg2;
1569 return NULL;
1570 }
1571#endif
1572 return apr_pstrcat(cmd->pool, "protocol '", arg1, "' not supported", NULL);
1573}
1574
1575const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
1576 void *dcfg,
1577 const char *arg)
1578{
1579 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1580 ssl_verify_t mode = SSL_CVERIFY_NONE;
1581 const char *err;
1582
1583 if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {
1584 return err;
1585 }
1586
1587 dc->proxy->auth.verify_mode = mode;
1588
1589 return NULL;
1590}
1591
1592const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *cmd,
1593 void *dcfg,
1594 const char *arg)
1595{
1596 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1597 int depth;
1598 const char *err;
1599
1600 if ((err = ssl_cmd_verify_depth_parse(cmd, arg, &depth))) {
1601 return err;
1602 }
1603
1604 dc->proxy->auth.verify_depth = depth;
1605
1606 return NULL;
1607}
1608
1609const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *cmd,
1610 void *dcfg,
1611 const char *arg)
1612{
1613 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1614 const char *err;
1615
1616 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1617 return err;
1618 }
1619
1620 dc->proxy->auth.ca_cert_file = arg;
1621
1622 return NULL;
1623}
1624
1625const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *cmd,
1626 void *dcfg,
1627 const char *arg)
1628{
1629 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1630 const char *err;
1631
1632 if ((err = ssl_cmd_check_dir(cmd, &arg))) {
1633 return err;
1634 }
1635
1636 dc->proxy->auth.ca_cert_path = arg;
1637
1638 return NULL;
1639}
1640
1641const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *cmd,
1642 void *dcfg,
1643 const char *arg)
1644{
1645 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1646 const char *err;
1647
1648 if ((err = ssl_cmd_check_dir(cmd, &arg))) {
1649 return err;
1650 }
1651
1652 dc->proxy->crl_path = arg;
1653
1654 return NULL;
1655}
1656
1657const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *cmd,
1658 void *dcfg,
1659 const char *arg)
1660{
1661 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1662 const char *err;
1663
1664 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1665 return err;
1666 }
1667
1668 dc->proxy->crl_file = arg;
1669
1670 return NULL;
1671}
1672
1673const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd,
1674 void *dcfg,
1675 const char *arg)
1676{
1677 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1678
1679 return ssl_cmd_crlcheck_parse(cmd, arg, &dc->proxy->crl_check_mask);
1680}
1681
1682const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
1683 void *dcfg,
1684 const char *arg)
1685{
1686 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1687 const char *err;
1688
1689 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1690 return err;
1691 }
1692
1693 dc->proxy->pkp->cert_file = arg;
1694
1695 return NULL;
1696}
1697
1698const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *cmd,
1699 void *dcfg,
1700 const char *arg)
1701{
1702 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1703 const char *err;
1704
1705 if ((err = ssl_cmd_check_dir(cmd, &arg))) {
1706 return err;
1707 }
1708
1709 dc->proxy->pkp->cert_path = arg;
1710
1711 return NULL;
1712}
1713
1714const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *cmd,
1715 void *dcfg,
1716 const char *arg)
1717{
1718 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1719 const char *err;
1720
1721 if ((err = ssl_cmd_check_file(cmd, &arg))) {
1722 return err;
1723 }
1724
1725 dc->proxy->pkp->ca_cert_file = arg;
1726
1727 return NULL;
1728}
1729
1730const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg,
1731 const char *arg)
1732{
1733 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1734 dc->szUserName = arg;
1735 return NULL;
1736}
1737
1738static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
1739 const char *arg,
1740 int *mask)
1741{
1742 const char *w;
1743
1744 w = ap_getword_conf(parms->temp_pool, &arg);
1745 if (strcEQ(w, "off")) {
1746 *mask = SSL_OCSPCHECK_NONE;
1747 }
1748 else if (strcEQ(w, "leaf")) {
1749 *mask = SSL_OCSPCHECK_LEAF;
1750 }
1751 else if (strcEQ(w, "on")) {
1752 *mask = SSL_OCSPCHECK_CHAIN;
1753 }
1754 else {
1755 return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1756 ": Invalid argument '", w, "'",
1757 NULL);
1758 }
1759
1760 while (*arg) {
1761 w = ap_getword_conf(parms->temp_pool, &arg);
1762 if (strcEQ(w, "no_ocsp_for_cert_ok")) {
1763 *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
1764 }
1765 else {
1766 return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1767 ": Invalid argument '", w, "'",
1768 NULL);
1769 }
1770 }
1771
1772 return NULL;
1773}
1774
1775const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
1776{
1777 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1778
1779#ifdef OPENSSL_NO_OCSP
1780 if (flag) {
1781 return "OCSP support disabled in SSL library; cannot enable "
1782 "OCSP validation";
1783 }
1784#endif
1785
1786 return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
1787}
1788
1789const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
1790{
1791 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1792
1793 sc->server->ocsp_force_default = flag ? TRUE : FALSE;
1794
1795 return NULL;
1796}
1797
1798const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
1799{
1800 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1801
1802 sc->server->ocsp_responder = arg;
1803
1804 return NULL;
1805}
1806
1807const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
1808{
1809 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1810 sc->server->ocsp_resptime_skew = atoi(arg);
1811 if (sc->server->ocsp_resptime_skew < 0) {
1812 return "SSLOCSPResponseTimeSkew: invalid argument";
1813 }
1814 return NULL;
1815}
1816
1817const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
1818{
1819 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1820 sc->server->ocsp_resp_maxage = atoi(arg);
1821 if (sc->server->ocsp_resp_maxage < 0) {
1822 return "SSLOCSPResponseMaxAge: invalid argument";
1823 }
1824 return NULL;
1825}
1826
1827const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
1828{
1829 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1830 sc->server->ocsp_responder_timeout = apr_time_from_sec(atoi(arg));
1831 if (sc->server->ocsp_responder_timeout < 0) {
1832 return "SSLOCSPResponderTimeout: invalid argument";
1833 }
1834 return NULL;
1835}
1836
1837const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
1838{
1839 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1840
1841 sc->server->ocsp_use_request_nonce = flag ? TRUE : FALSE;
1842
1843 return NULL;
1844}
1845
1846const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
1847 const char *arg)
1848{
1849 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1850 sc->server->proxy_uri = apr_palloc(cmd->pool, sizeof(apr_uri_t));
1851 if (apr_uri_parse(cmd->pool, arg, sc->server->proxy_uri) != APR_SUCCESS) {
1852 return apr_psprintf(cmd->pool,
1853 "SSLOCSPProxyURL: Cannot parse URL %s", arg);
1854 }
1855 return NULL;
1856}
1857
1858/* Set OCSP responder certificate verification directive */
1859const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
1860{
1861 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1862
1863 sc->server->ocsp_noverify = flag ? TRUE : FALSE;
1864
1865 return NULL;
1866}
1867
1868const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
1869{
1870 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1871
1872 dc->proxy->ssl_check_peer_expire = flag ? TRUE : FALSE;
1873
1874 return NULL;
1875}
1876
1877const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
1878{
1879 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1880
1881 dc->proxy->ssl_check_peer_cn = flag ? TRUE : FALSE;
1882
1883 return NULL;
1884}
1885
1886const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)
1887{
1888 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1889
1890 dc->proxy->ssl_check_peer_name = flag ? TRUE : FALSE;
1891
1892 return NULL;
1893}
1894
1895const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
1896{
1897#ifdef HAVE_TLSEXT
1898 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1899
1900 sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
1901
1902 return NULL;
1903#else
1904 return "SSLStrictSNIVHostCheck failed; OpenSSL is not built with support "
1905 "for TLS extensions and SNI indication. Refer to the "
1906 "documentation, and build a compatible version of OpenSSL.";
1907#endif
1908}
1909
1910#ifdef HAVE_OCSP_STAPLING
1911
1912const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,
1913 void *dcfg,
1914 const char *arg)
1915{
1916 SSLModConfigRec *mc = myModConfig(cmd->server);
1917 const char *err, *sep, *name;
1918
1919 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
1920 return err;
1921 }
1922
1923 /* Argument is of form 'name:args' or just 'name'. */
1924 sep = ap_strchr_c(arg, ':');
1925 if (sep) {
1926 name = apr_pstrmemdup(cmd->pool, arg, sep - arg);
1927 sep++;
1928 }
1929 else {
1930 name = arg;
1931 }
1932
1933 /* Find the provider of given name. */
1934 mc->stapling_cache = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
1935 name,
1936 AP_SOCACHE_PROVIDER_VERSION);
1937 if (mc->stapling_cache) {
1938 /* Cache found; create it, passing anything beyond the colon. */
1939 err = mc->stapling_cache->create(&mc->stapling_cache_context,
1940 sep, cmd->temp_pool,
1941 cmd->pool);
1942 }
1943 else {
1944 apr_array_header_t *name_list;
1945 const char *all_names;
1946
1947 /* Build a comma-separated list of all registered provider
1948 * names: */
1949 name_list = ap_list_provider_names(cmd->pool,
1950 AP_SOCACHE_PROVIDER_GROUP,
1951 AP_SOCACHE_PROVIDER_VERSION);
1952 all_names = apr_array_pstrcat(cmd->pool, name_list, ',');
1953
1954 err = apr_psprintf(cmd->pool, "'%s' stapling cache not supported "
1955 "(known names: %s) Maybe you need to load the "
1956 "appropriate socache module (mod_socache_%s?)",
1957 name, all_names, name);
1958 }
1959
1960 if (err) {
1961 return apr_psprintf(cmd->pool, "SSLStaplingCache: %s", err);
1962 }
1963
1964 return NULL;
1965}
1966
1967const char *ssl_cmd_SSLUseStapling(cmd_parms *cmd, void *dcfg, int flag)
1968{
1969 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1970 sc->server->stapling_enabled = flag ? TRUE : FALSE;
1971 return NULL;
1972}
1973
1974const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *cmd, void *dcfg,
1975 const char *arg)
1976{
1977 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1978 sc->server->stapling_resptime_skew = atoi(arg);
1979 if (sc->server->stapling_resptime_skew < 0) {
1980 return "SSLStaplingResponseTimeSkew: invalid argument";
1981 }
1982 return NULL;
1983}
1984
1985const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *cmd, void *dcfg,
1986 const char *arg)
1987{
1988 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1989 sc->server->stapling_resp_maxage = atoi(arg);
1990 if (sc->server->stapling_resp_maxage < 0) {
1991 return "SSLStaplingResponseMaxAge: invalid argument";
1992 }
1993 return NULL;
1994}
1995
1996const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *cmd, void *dcfg,
1997 const char *arg)
1998{
1999 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2000 sc->server->stapling_cache_timeout = atoi(arg);
2001 if (sc->server->stapling_cache_timeout < 0) {
2002 return "SSLStaplingStandardCacheTimeout: invalid argument";
2003 }
2004 return NULL;
2005}
2006
2007const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *cmd, void *dcfg,
2008 const char *arg)
2009{
2010 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2011 sc->server->stapling_errcache_timeout = atoi(arg);
2012 if (sc->server->stapling_errcache_timeout < 0) {
2013 return "SSLStaplingErrorCacheTimeout: invalid argument";
2014 }
2015 return NULL;
2016}
2017
2018const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *cmd,
2019 void *dcfg, int flag)
2020{
2021 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2022 sc->server->stapling_return_errors = flag ? TRUE : FALSE;
2023 return NULL;
2024}
2025
2026const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *cmd,
2027 void *dcfg, int flag)
2028{
2029 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2030 sc->server->stapling_fake_trylater = flag ? TRUE : FALSE;
2031 return NULL;
2032}
2033
2034const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *cmd, void *dcfg,
2035 const char *arg)
2036{
2037 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2038 sc->server->stapling_responder_timeout = atoi(arg);
2039 sc->server->stapling_responder_timeout *= APR_USEC_PER_SEC;
2040 if (sc->server->stapling_responder_timeout < 0) {
2041 return "SSLStaplingResponderTimeout: invalid argument";
2042 }
2043 return NULL;
2044}
2045
2046const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
2047 const char *arg)
2048{
2049 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2050 sc->server->stapling_force_url = arg;
2051 return NULL;
2052}
2053
2054#endif /* HAVE_OCSP_STAPLING */
2055
2056#ifdef HAVE_SSL_CONF_CMD
2057const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
2058 const char *arg1, const char *arg2)
2059{
2060 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2061 SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
2062 int value_type = SSL_CONF_cmd_value_type(cctx, arg1);
2063 const char *err;
2064 ssl_ctx_param_t *param;
2065
2066 if (value_type == SSL_CONF_TYPE_UNKNOWN) {
2067 return apr_psprintf(cmd->pool,
2068 "'%s': invalid OpenSSL configuration command",
2069 arg1);
2070 }
2071
2072 if (value_type == SSL_CONF_TYPE_FILE) {
2073 if ((err = ssl_cmd_check_file(cmd, &arg2)))
2074 return err;
2075 }
2076 else if (value_type == SSL_CONF_TYPE_DIR) {
2077 if ((err = ssl_cmd_check_dir(cmd, &arg2)))
2078 return err;
2079 }
2080
2081 if (strcEQ(arg1, "CipherString")) {
2082 /* always disable null and export ciphers */
2083 arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
2084 }
2085
2086 param = apr_array_push(sc->server->ssl_ctx_param);
2087 param->name = arg1;
2088 param->value = arg2;
2089 return NULL;
2090}
2091#endif
2092
2093#ifdef HAVE_SRP
2094
2095const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
2096 const char *arg)
2097{
2098 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2099 const char *err;
2100
2101 if ((err = ssl_cmd_check_file(cmd, &arg)))
2102 return err;
2103 /* SRP_VBASE_init takes char*, not const char* */
2104 sc->server->srp_vfile = apr_pstrdup(cmd->pool, arg);
2105 return NULL;
2106}
2107
2108const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
2109 const char *arg)
2110{
2111 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2112 /* SRP_VBASE_new takes char*, not const char* */
2113 sc->server->srp_unknown_user_seed = apr_pstrdup(cmd->pool, arg);
2114 return NULL;
2115}
2116
2117#endif /* HAVE_SRP */
2118
2119/* OCSP Responder File Function to read in value */
2120const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg,
2121 const char *arg)
2122{
2123 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
2124 const char *err;
2125
2126 if ((err = ssl_cmd_check_file(cmd, &arg))) {
2127 return err;
2128 }
2129
2130 sc->server->ocsp_certs_file = arg;
2131 return NULL;
2132}
2133
2134void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
2135{
2136 apr_file_t *out = NULL;
2137 if (!ap_exists_config_define("DUMP_CERTS")) {
2138 return;
2139 }
2140 apr_file_open_stdout(&out, pconf);
2141 apr_file_printf(out, "Server certificates:\n");
2142
2143 /* Dump the filenames of all configured server certificates to
2144 * stdout. */
2145 while (s) {
2146 SSLSrvConfigRec *sc = mySrvConfig(s);
2147
2148 if (sc && sc->server && sc->server->pks) {
2149 modssl_pk_server_t *const pks = sc->server->pks;
2150 int i;
2151
2152 for (i = 0; (i < pks->cert_files->nelts) &&
2153 APR_ARRAY_IDX(pks->cert_files, i, const char *);
2154 i++) {
2155 apr_file_printf(out, " %s\n",
2156 APR_ARRAY_IDX(pks->cert_files,
2157 i, const char *));
2158 }
2159 }
2160
2161 s = s->next;
2162 }
2163
2164}
2165
ap_provider.h
Apache Provider API.
TRUE
#define TRUE
Definition abts.h:38
FALSE
#define FALSE
Definition abts.h:35
pconf
static apr_pool_t * pconf
Definition event.c:441
base
ap_conf_vector_t * base
Definition http_config.h:1125
ap_server_root_relative
char * ap_server_root_relative(apr_pool_t *p, const char *fname)
Definition config.c:1594
AP_SQ_RM_CONFIG_DUMP
#define AP_SQ_RM_CONFIG_DUMP
Definition http_core.h:1065
ap_exists_config_define
int ap_exists_config_define(const char *name)
Definition core.c:2896
ap_state_query
int ap_state_query(int query_code)
Definition core.c:5378
AP_SQ_RUN_MODE
#define AP_SQ_RUN_MODE
Definition http_core.h:1032
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
ap_log_error
#define ap_log_error
Definition http_log.h:370
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_WARNING
#define APLOG_WARNING
Definition http_log.h:68
APLOG_MODULE_INDEX
#define APLOG_MODULE_INDEX
Definition http_log.h:168
ap_list_provider_names
apr_array_header_t * ap_list_provider_names(apr_pool_t *pool, const char *provider_group, const char *provider_version)
Definition provider.c:127
ap_lookup_provider
void * ap_lookup_provider(const char *provider_group, const char *provider_name, const char *provider_version)
Definition provider.c:99
arg
void const char * arg
Definition http_vhost.h:63
enabled
int enabled
Definition apr_buckets.h:1580
e
apr_bucket * e
Definition apr_buckets.h:699
ctx
apr_brigade_flush void * ctx
Definition apr_buckets.h:802
mode
apr_dbd_transaction_t int mode
Definition apr_dbd.h:261
mask
const char * mask
Definition apr_date.h:60
mc
apr_memcache_t * mc
Definition apr_memcache.h:161
AP_EXPR_FLAG_SSL_EXPR_COMPAT
#define AP_EXPR_FLAG_SSL_EXPR_COMPAT
Definition ap_expr.h:59
ap_expr_parse
const char * ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp, ap_expr_info_t *info, const char *expr, ap_expr_lookup_fn_t *lookup_fn)
Definition util_expr_eval.c:379
AP_SOCACHE_PROVIDER_GROUP
#define AP_SOCACHE_PROVIDER_GROUP
Definition ap_socache.h:218
AP_SOCACHE_PROVIDER_VERSION
#define AP_SOCACHE_PROVIDER_VERSION
Definition ap_socache.h:220
ssl_cmd_SSLCADNRequestFile
const char * ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1060
ssl_cmd_SSLProxyVerify
const char * ssl_cmd_SSLProxyVerify(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1575
ssl_cmd_SSLCACertificateFile
const char * ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1023
modssl_is_engine_id
int modssl_is_engine_id(const char *name)
Definition ssl_util.c:477
ssl_cmd_SSLOCSPResponseMaxAge
const char * ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1817
ssl_cmd_SSLCertificateFile
const char * ssl_cmd_SSLCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:928
ssl_cmd_SSLOCSPUseRequestNonce
const char * ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1837
ssl_cmd_SSLVerifyDepth
const char * ssl_cmd_SSLVerifyDepth(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1214
SSL_OPT_OPTRENEGOTIATE
#define SSL_OPT_OPTRENEGOTIATE
Definition ssl_private.h:411
ssl_util_path_check
unsigned int ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *)
Definition ssl_util.c:175
ssl_cmd_SSLProxyCARevocationPath
const char * ssl_cmd_SSLProxyCARevocationPath(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1641
ssl_cmd_SSLInsecureRenegotiation
const char * ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:894
ssl_config_global_create
SSLModConfigRec * ssl_config_global_create(server_rec *s)
Definition ssl_engine_config.c:42
ssl_config_perdir_merge
void * ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
Definition ssl_engine_config.c:478
ssl_cmd_SSLProxyCipherSuite
const char * ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2)
Definition ssl_engine_config.c:1549
ssl_cmd_SSLSessionCache
const char * ssl_cmd_SSLSessionCache(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1237
ssl_cmd_SSLVerifyClient
const char * ssl_cmd_SSLVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1178
SSL_PROTOCOL_DEFAULT
#define SSL_PROTOCOL_DEFAULT
Definition ssl_private.h:446
SSL_OPT_STRICTREQUIRE
#define SSL_OPT_STRICTREQUIRE
Definition ssl_private.h:410
ssl_cmd_SSLRandomSeed
const char * ssl_cmd_SSLRandomSeed(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2, const char *arg3)
Definition ssl_engine_config.c:638
ssl_cmd_SSLCARevocationFile
const char * ssl_cmd_SSLCARevocationFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1091
mySrvConfig
#define mySrvConfig(srv)
Definition ssl_private.h:358
ssl_cmd_SSLOCSPResponseTimeSkew
const char * ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1807
ssl_cmd_SSLProxyMachineCertificateFile
const char * ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1682
ssl_cmd_SSLCARevocationCheck
const char * ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1144
ssl_cmd_SSLCertificateChainFile
const char * ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:964
SSL_PROTOCOL_TLSV1
#define SSL_PROTOCOL_TLSV1
Definition ssl_private.h:422
ssl_proto_t
int ssl_proto_t
Definition ssl_private.h:450
ssl_cmd_SSLRequire
const char * ssl_cmd_SSLRequire(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1402
ssl_verify_t
ssl_verify_t
Definition ssl_private.h:455
ssl_cmd_SSLOCSPOverrideResponder
const char * ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1789
ssl_config_server_create
void * ssl_config_server_create(apr_pool_t *p, server_rec *s)
Definition ssl_engine_config.c:244
ssl_cmd_SSLProxyMachineCertificateChainFile
const char * ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1714
SSL_OPT_RELSET
#define SSL_OPT_RELSET
Definition ssl_private.h:406
ssl_cmd_SSLProxyCheckPeerCN
const char * ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1877
ssl_cmd_SSLProxyCACertificateFile
const char * ssl_cmd_SSLProxyCACertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1609
ssl_cmd_SSLProxyMachineCertificatePath
const char * ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1698
ssl_cmd_SSLProxyCheckPeerExpire
const char * ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1868
ssl_cmd_SSLSessionCacheTimeout
const char * ssl_cmd_SSLSessionCacheTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1313
ssl_cmd_SSLOCSPResponderTimeout
const char * ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1827
ssl_cmd_SSLProxyCACertificatePath
const char * ssl_cmd_SSLProxyCACertificatePath(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1625
ssl_cmd_SSLSessionTickets
const char * ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:883
ssl_cmd_SSLProxyCARevocationCheck
const char * ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1673
ssl_config_proxy_merge
void ssl_config_proxy_merge(apr_pool_t *p, SSLDirConfigRec *base, SSLDirConfigRec *conf)
Definition ssl_engine_config.c:535
ssl_cmd_SSLRenegBufferSize
const char * ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1427
ssl_cmd_SSLProxyEngine
const char * ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1530
ssl_cmd_SSLOCSPNoVerify
const char * ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1859
ssl_opt_t
int ssl_opt_t
Definition ssl_private.h:413
myModConfig
#define myModConfig(srv)
Definition ssl_private.h:364
ssl_cmd_SSLHonorCipherOrder
const char * ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:872
ssl_cmd_SSLOCSPDefaultResponder
const char * ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1798
ssl_cmd_SSLCertificateKeyFile
const char * ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:946
ssl_cmd_SSLRequireSSL
const char * ssl_cmd_SSLRequireSSL(cmd_parms *cmd, void *dcfg)
Definition ssl_engine_config.c:1393
ssl_cmd_SSLCompression
const char * ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:842
ssl_config_perdir_create
void * ssl_config_perdir_create(apr_pool_t *p, char *dir)
Definition ssl_engine_config.c:435
ssl_cmd_SSLCARevocationPath
const char * ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1075
ssl_cmd_SSLPassPhraseDialog
const char * ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:549
ssl_cmd_SSLProxyVerifyDepth
const char * ssl_cmd_SSLProxyVerifyDepth(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1592
ssl_cmd_SSLProxyProtocol
const char * ssl_cmd_SSLProxyProtocol(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1539
ssl_cmd_SSLOCSPEnable
const char * ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1775
ssl_cmd_SSLProtocol
const char * ssl_cmd_SSLProtocol(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1520
SSL_OPT_NONE
#define SSL_OPT_NONE
Definition ssl_private.h:405
ssl_cmd_SSLCACertificatePath
const char * ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1001
ssl_cmd_SSLProxyCheckPeerName
const char * ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1886
ssl_cmd_SSLFIPS
const char * ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:751
SSL_OPT_LEGACYDNFORMAT
#define SSL_OPT_LEGACYDNFORMAT
Definition ssl_private.h:412
SSL_OPT_STDENVVARS
#define SSL_OPT_STDENVVARS
Definition ssl_private.h:407
ssl_cmd_SSLUserName
const char * ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1730
ssl_cmd_SSLEngine
const char * ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:731
ssl_cmd_SSLCADNRequestPath
const char * ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1045
SSL_OPT_EXPORTCERTDATA
#define SSL_OPT_EXPORTCERTDATA
Definition ssl_private.h:408
ssl_cmd_SSLCryptoDevice
const char * ssl_cmd_SSLCryptoDevice(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:596
ssl_cmd_SSLOptions
const char * ssl_cmd_SSLOptions(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1328
SSL_PCM_EXISTS
#define SSL_PCM_EXISTS
Definition ssl_private.h:508
ssl_cmd_SSLOCSPProxyURL
const char * ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1846
SSL_PROTOCOL_ALL
#define SSL_PROTOCOL_ALL
Definition ssl_private.h:443
ssl_cmd_SSLCipherSuite
const char * ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2)
Definition ssl_engine_config.c:774
ssl_cmd_SSLOCSPResponderCertificateFile
const char * ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:2120
ssl_cmd_SSLStrictSNIVHostCheck
const char * ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
Definition ssl_engine_config.c:1895
ssl_cmd_SSLProxyCARevocationFile
const char * ssl_cmd_SSLProxyCARevocationFile(cmd_parms *cmd, void *dcfg, const char *arg)
Definition ssl_engine_config.c:1657
BOOL
#define BOOL
Definition ssl_private.h:81
SSL_PROTOCOL_NONE
#define SSL_PROTOCOL_NONE
Definition ssl_private.h:418
ssl_config_server_merge
void * ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
Definition ssl_engine_config.c:389
NUL
#define NUL
Definition ssl_private.h:325
ssl_config_global_isfixed
unsigned int ssl_config_global_isfixed(SSLModConfigRec *mc)
Definition ssl_engine_config.c:98
CERTKEYS_IDX_MAX
#define CERTKEYS_IDX_MAX
Definition ssl_private.h:399
SSL_PROTOCOL_SSLV3
#define SSL_PROTOCOL_SSLV3
Definition ssl_private.h:420
SSL_OPT_FAKEBASICAUTH
#define SSL_OPT_FAKEBASICAUTH
Definition ssl_private.h:409
ssl_hook_ConfigTest
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
Definition ssl_engine_config.c:2134
ssl_config_global_fix
void ssl_config_global_fix(SSLModConfigRec *mc)
Definition ssl_engine_config.c:93
SSL_OCSPCHECK_CHAIN
@ SSL_OCSPCHECK_CHAIN
Definition ssl_private.h:491
SSL_OCSPCHECK_LEAF
@ SSL_OCSPCHECK_LEAF
Definition ssl_private.h:490
SSL_OCSPCHECK_NONE
@ SSL_OCSPCHECK_NONE
Definition ssl_private.h:489
SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK
@ SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK
Definition ssl_private.h:492
SSL_ENABLED_TRUE
@ SSL_ENABLED_TRUE
Definition ssl_private.h:520
SSL_ENABLED_UNSET
@ SSL_ENABLED_UNSET
Definition ssl_private.h:518
SSL_ENABLED_FALSE
@ SSL_ENABLED_FALSE
Definition ssl_private.h:519
SSL_ENABLED_OPTIONAL
@ SSL_ENABLED_OPTIONAL
Definition ssl_private.h:521
SSL_RSCTX_CONNECT
@ SSL_RSCTX_CONNECT
Definition ssl_private.h:537
SSL_RSCTX_STARTUP
@ SSL_RSCTX_STARTUP
Definition ssl_private.h:536
SSL_CVERIFY_OPTIONAL
@ SSL_CVERIFY_OPTIONAL
Definition ssl_private.h:458
SSL_CVERIFY_OPTIONAL_NO_CA
@ SSL_CVERIFY_OPTIONAL_NO_CA
Definition ssl_private.h:460
SSL_CVERIFY_UNSET
@ SSL_CVERIFY_UNSET
Definition ssl_private.h:456
SSL_CVERIFY_NONE
@ SSL_CVERIFY_NONE
Definition ssl_private.h:457
SSL_CVERIFY_REQUIRE
@ SSL_CVERIFY_REQUIRE
Definition ssl_private.h:459
SSL_CRLCHECK_NO_CRL_FOR_CERT_OK
@ SSL_CRLCHECK_NO_CRL_FOR_CERT_OK
Definition ssl_private.h:482
SSL_CRLCHECK_LEAF
@ SSL_CRLCHECK_LEAF
Definition ssl_private.h:478
SSL_CRLCHECK_NONE
@ SSL_CRLCHECK_NONE
Definition ssl_private.h:477
SSL_CRLCHECK_CHAIN
@ SSL_CRLCHECK_CHAIN
Definition ssl_private.h:479
SSL_RSSRC_EGD
@ SSL_RSSRC_EGD
Definition ssl_private.h:543
SSL_RSSRC_BUILTIN
@ SSL_RSSRC_BUILTIN
Definition ssl_private.h:540
SSL_RSSRC_FILE
@ SSL_RSSRC_FILE
Definition ssl_private.h:541
SSL_RSSRC_EXEC
@ SSL_RSSRC_EXEC
Definition ssl_private.h:542
SSL_PPTYPE_PIPE
@ SSL_PPTYPE_PIPE
Definition ssl_private.h:502
SSL_PPTYPE_BUILTIN
@ SSL_PPTYPE_BUILTIN
Definition ssl_private.h:500
SSL_PPTYPE_FILTER
@ SSL_PPTYPE_FILTER
Definition ssl_private.h:501
SSL_PPTYPE_UNSET
@ SSL_PPTYPE_UNSET
Definition ssl_private.h:499
MODSSL_LIBRARY_NAME
#define MODSSL_LIBRARY_NAME
Definition ssl_util_ssl.h:42
ap_strchr_c
#define ap_strchr_c(s, c)
Definition httpd.h:2353
ap_getword_conf
char * ap_getword_conf(apr_pool_t *p, const char **line)
Definition util.c:833
GLOBAL_ONLY
#define GLOBAL_ONLY
Definition http_config.h:970
ap_check_cmd_context
const char * ap_check_cmd_context(cmd_parms *cmd, unsigned forbidden)
Definition core.c:1301
size
apr_size_t size
Definition apr_allocator.h:115
val
apr_uint32_t val
Definition apr_atomic.h:66
pool
const char int apr_pool_t * pool
Definition apr_cstr.h:84
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
flag
const char apr_int32_t flag
Definition apr_file_io.h:251
file
const char apr_file_t * file
Definition apr_file_io.h:823
filepath
const char ** filepath
Definition apr_file_info.h:337
strcasecmp
int strcasecmp(const char *a, const char *b)
Definition apr_cpystrn.c:248
opt
apr_int32_t opt
Definition apr_network_io.h:696
apr_pcalloc
#define apr_pcalloc(p, size)
Definition apr_pools.h:465
dir
apr_dir_t * dir
Definition apr_portable.h:240
sep
const char * sep
Definition apr_strings.h:247
s
const char * s
Definition apr_strings.h:95
APR_ARRAY_PUSH
#define APR_ARRAY_PUSH(ary, type)
Definition apr_tables.h:150
nelts
int nelts
Definition apr_tables.h:122
APR_ARRAY_IDX
#define APR_ARRAY_IDX(ary, i, type)
Definition apr_tables.h:141
first
const apr_array_header_t * first
Definition apr_tables.h:207
err
apr_int32_t apr_int32_t apr_int32_t err
Definition apr_thread_proc.h:418
cmd
apr_cmdtype_e cmd
Definition apr_thread_proc.h:495
APR_USEC_PER_SEC
#define APR_USEC_PER_SEC
Definition apr_time.h:60
apr_time_from_sec
#define apr_time_from_sec(sec)
Definition apr_time.h:78
p
apr_pool_t * p
Definition md_event.c:32
UNSET
#define UNSET
Definition mod_authz_core.c:92
out
static apr_file_t * out
Definition mod_info.c:85
param
struct param_s param
strEQn
#define strEQn(s1, s2, n)
Definition mod_nw_ssl.c:90
strcEQ
#define strcEQ(s1, s2)
Definition mod_nw_ssl.c:93
NULL
return NULL
Definition mod_so.c:359
i
int i
Definition mod_so.c:347
ssl_cmd_verify_depth_parse
static const char * ssl_cmd_verify_depth_parse(cmd_parms *parms, const char *arg, int *depth)
Definition ssl_engine_config.c:1201
SSL_MOD_CONFIG_KEY
#define SSL_MOD_CONFIG_KEY
Definition ssl_engine_config.c:40
cfgMergeInt
#define cfgMergeInt(el)
Definition ssl_engine_config.c:257
SSL_FLAGS_CHECK_FILE
#define SSL_FLAGS_CHECK_FILE
Definition ssl_engine_config.c:809
ssl_config_server_new
static SSLSrvConfigRec * ssl_config_server_new(apr_pool_t *p)
Definition ssl_engine_config.c:217
cfgMergeString
#define cfgMergeString(el)
Definition ssl_engine_config.c:255
cfgMerge
#define cfgMerge(el, unset)
Definition ssl_engine_config.c:253
cfgMergeArray
#define cfgMergeArray(el)
Definition ssl_engine_config.c:254
modssl_ctx_cfg_merge_proxy
static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p, modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg)
Definition ssl_engine_config.c:464
modssl_ctx_init_proxy
static void modssl_ctx_init_proxy(SSLDirConfigRec *dc, apr_pool_t *p)
Definition ssl_engine_config.c:417
ssl_cmd_verify_parse
static const char * ssl_cmd_verify_parse(cmd_parms *parms, const char *arg, ssl_verify_t *id)
Definition ssl_engine_config.c:1153
modssl_ctx_init
static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
Definition ssl_engine_config.c:117
modssl_ctx_cfg_merge_server
static void modssl_ctx_cfg_merge_server(apr_pool_t *p, modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg)
Definition ssl_engine_config.c:361
modssl_ctx_cfg_merge_certkeys_array
static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p, apr_array_header_t *base, apr_array_header_t *add, apr_array_header_t *mrg)
Definition ssl_engine_config.c:333
ssl_cmd_crlcheck_parse
static const char * ssl_cmd_crlcheck_parse(cmd_parms *parms, const char *arg, int *mask)
Definition ssl_engine_config.c:1107
ssl_cmd_protocol_parse
static const char * ssl_cmd_protocol_parse(cmd_parms *parms, const char *arg, ssl_proto_t *options)
Definition ssl_engine_config.c:1442
ssl_cmd_check_dir
static const char * ssl_cmd_check_dir(cmd_parms *parms, const char **dir)
Definition ssl_engine_config.c:907
NO_PER_DIR_SSL_CA
#define NO_PER_DIR_SSL_CA
Definition ssl_engine_config.c:998
cfgMergeBool
#define cfgMergeBool(el)
Definition ssl_engine_config.c:256
modssl_ctx_init_server
static void modssl_ctx_init_server(SSLSrvConfigRec *sc, apr_pool_t *p)
Definition ssl_engine_config.c:198
ssl_cmd_check_file
static const char * ssl_cmd_check_file(cmd_parms *parms, const char **file)
Definition ssl_engine_config.c:815
ssl_cmd_ocspcheck_parse
static const char * ssl_cmd_ocspcheck_parse(cmd_parms *parms, const char *arg, int *mask)
Definition ssl_engine_config.c:1738
SSL_FLAGS_CHECK_DIR
#define SSL_FLAGS_CHECK_DIR
Definition ssl_engine_config.c:812
modssl_ctx_cfg_merge
static void modssl_ctx_cfg_merge(apr_pool_t *p, modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg)
Definition ssl_engine_config.c:263
STACK_OF
STACK_OF(X509_NAME)
Definition ssl_engine_init.c:2304
name
char * name
Definition ssl_engine_vars.c:563
ssl_private.h
Internal interfaces private to mod_ssl.
SSLDirConfigRec::proxy_enabled
unsigned int proxy_enabled
Definition ssl_private.h:864
SSLDirConfigRec::bSSLRequired
unsigned int bSSLRequired
Definition ssl_private.h:852
SSLDirConfigRec::nVerifyClient
ssl_verify_t nVerifyClient
Definition ssl_private.h:858
SSLDirConfigRec::nOptionsAdd
ssl_opt_t nOptionsAdd
Definition ssl_private.h:855
SSLDirConfigRec::proxy_post_config
unsigned int proxy_post_config
Definition ssl_private.h:865
SSLDirConfigRec::szCipherSuite
const char * szCipherSuite
Definition ssl_private.h:857
SSLDirConfigRec::nOptions
ssl_opt_t nOptions
Definition ssl_private.h:854
SSLDirConfigRec::nRenegBufferSize
apr_size_t nRenegBufferSize
Definition ssl_private.h:861
SSLDirConfigRec::aRequirement
apr_array_header_t * aRequirement
Definition ssl_private.h:853
SSLDirConfigRec::nOptionsDel
ssl_opt_t nOptionsDel
Definition ssl_private.h:856
SSLDirConfigRec::proxy
modssl_ctx_t * proxy
Definition ssl_private.h:863
SSLDirConfigRec::szUserName
const char * szUserName
Definition ssl_private.h:860
SSLSrvConfigRec::cipher_server_pref
unsigned int cipher_server_pref
Definition ssl_private.h:834
SSLSrvConfigRec::vhost_id
const char * vhost_id
Definition ssl_private.h:831
SSLSrvConfigRec::mc
SSLModConfigRec * mc
Definition ssl_private.h:829
SSLSrvConfigRec::session_tickets
unsigned int session_tickets
Definition ssl_private.h:843
SSLSrvConfigRec::server
modssl_ctx_t * server
Definition ssl_private.h:836
SSLSrvConfigRec::enabled
ssl_enabled_t enabled
Definition ssl_private.h:830
SSLSrvConfigRec::compression
unsigned int compression
Definition ssl_private.h:841
SSLSrvConfigRec::insecure_reneg
unsigned int insecure_reneg
Definition ssl_private.h:835
ap_expr_info_t
Definition ap_expr.h:41
apr_array_header_t
Definition apr_tables.h:62
apr_array_header_t::nelts
int nelts
Definition apr_tables.h:68
apr_dir_t::pool
apr_pool_t * pool
Definition apr_arch_file_io.h:125
apr_file_t
Definition apr_arch_file_io.h:97
apr_file_t::pool
apr_pool_t * pool
Definition apr_arch_file_io.h:98
apr_pool_t
Definition apr_pools.c:562
apr_uri_t
Definition apr_uri.h:85
cmd_parms_struct
Definition http_config.h:288
modssl_auth_ctx_t::verify_mode
ssl_verify_t verify_mode
Definition ssl_private.h:727
modssl_auth_ctx_t::cipher_suite
const char * cipher_suite
Definition ssl_private.h:723
modssl_auth_ctx_t::ca_cert_file
const char * ca_cert_file
Definition ssl_private.h:721
modssl_auth_ctx_t::verify_depth
int verify_depth
Definition ssl_private.h:726
modssl_auth_ctx_t::ca_cert_path
const char * ca_cert_path
Definition ssl_private.h:720
modssl_auth_ctx_t::tls13_ciphers
const char * tls13_ciphers
Definition ssl_private.h:732
modssl_ctx_t
Definition ssl_private.h:755
modssl_ctx_t::ocsp_resp_maxage
long ocsp_resp_maxage
Definition ssl_private.h:807
modssl_ctx_t::crl_check_mask
int crl_check_mask
Definition ssl_private.h:779
modssl_ctx_t::pphrase_dialog_type
ssl_pphrase_t pphrase_dialog_type
Definition ssl_private.h:771
modssl_ctx_t::ocsp_responder
const char * ocsp_responder
Definition ssl_private.h:805
modssl_ctx_t::ocsp_mask
int ocsp_mask
Definition ssl_private.h:802
modssl_ctx_t::protocol
ssl_proto_t protocol
Definition ssl_private.h:767
modssl_ctx_t::auth
modssl_auth_ctx_t auth
Definition ssl_private.h:800
modssl_ctx_t::ocsp_resptime_skew
long ocsp_resptime_skew
Definition ssl_private.h:806
modssl_ctx_t::protocol_set
int protocol_set
Definition ssl_private.h:768
modssl_ctx_t::ocsp_noverify
unsigned int ocsp_noverify
Definition ssl_private.h:812
modssl_ctx_t::crl_path
const char * crl_path
Definition ssl_private.h:777
modssl_ctx_t::ocsp_use_request_nonce
unsigned int ocsp_use_request_nonce
Definition ssl_private.h:809
modssl_ctx_t::ssl_check_peer_cn
unsigned int ssl_check_peer_cn
Definition ssl_private.h:823
modssl_ctx_t::pphrase_dialog_path
const char * pphrase_dialog_path
Definition ssl_private.h:772
modssl_ctx_t::ssl_check_peer_expire
unsigned int ssl_check_peer_expire
Definition ssl_private.h:825
modssl_ctx_t::ocsp_certs_file
const char * ocsp_certs_file
Definition ssl_private.h:815
modssl_ctx_t::ocsp_force_default
unsigned int ocsp_force_default
Definition ssl_private.h:803
modssl_ctx_t::pkp
modssl_pk_proxy_t * pkp
Definition ssl_private.h:761
modssl_ctx_t::pks
modssl_pk_server_t * pks
Definition ssl_private.h:760
modssl_ctx_t::crl_file
const char * crl_file
Definition ssl_private.h:778
modssl_ctx_t::ssl_check_peer_name
unsigned int ssl_check_peer_name
Definition ssl_private.h:824
modssl_ctx_t::cert_chain
const char * cert_chain
Definition ssl_private.h:774
modssl_ctx_t::ocsp_responder_timeout
apr_interval_time_t ocsp_responder_timeout
Definition ssl_private.h:808
modssl_ctx_t::proxy_uri
apr_uri_t * proxy_uri
Definition ssl_private.h:810
modssl_pk_proxy_t::cert_file
const char * cert_file
Definition ssl_private.h:705
modssl_pk_proxy_t::ca_cert_file
const char * ca_cert_file
Definition ssl_private.h:707
modssl_pk_proxy_t::cert_path
const char * cert_path
Definition ssl_private.h:706
modssl_pk_server_t
Definition ssl_private.h:689
modssl_pk_server_t::key_files
apr_array_header_t * key_files
Definition ssl_private.h:692
modssl_pk_server_t::cert_files
apr_array_header_t * cert_files
Definition ssl_private.h:691
modssl_pk_server_t::ca_name_path
const char * ca_name_path
Definition ssl_private.h:696
modssl_pk_server_t::ca_name_file
const char * ca_name_file
Definition ssl_private.h:697
param_s
Definition mod_mime.c:96
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
ssl_randseed_t
Definition ssl_private.h:545
ssl_randseed_t::cpPath
char * cpPath
Definition ssl_private.h:548
ssl_randseed_t::nBytes
int nBytes
Definition ssl_private.h:549
ssl_randseed_t::nSrc
ssl_rssrc_t nSrc
Definition ssl_private.h:547
ssl_randseed_t::nCtx
ssl_rsctx_t nCtx
Definition ssl_private.h:546
ssl_require_t
Definition ssl_private.h:527
util_mutex.h
Apache Mutex support library.
info
INT info
Definition apr_arch_misc.h:388
Generated by doxygen 1.9.8