Apache HTTPD
ssl_engine_init.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* _ _
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
22 * |_____|
23 * ssl_engine_init.c
24 * Initialization of Servers
25 */
26 /* ``Recursive, adj.;
27 see Recursive.''
28 -- Unknown */
29#include "ssl_private.h"
30
31#include "mpm_common.h"
32#include "mod_md.h"
33
34static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *,
35 STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *);
36
37APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
38 (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
39 (s,p,is_proxy,ctx), OK, DECLINED)
40
41APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files,
42 (server_rec *s, apr_pool_t *p,
43 apr_array_header_t *cert_files, apr_array_header_t *key_files),
44 (s, p, cert_files, key_files),
45 OK, DECLINED)
46
47APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_fallback_cert_files,
48 (server_rec *s, apr_pool_t *p,
49 apr_array_header_t *cert_files, apr_array_header_t *key_files),
50 (s, p, cert_files, key_files),
51 OK, DECLINED)
52
53APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge,
54 (conn_rec *c, const char *server_name,
55 X509 **pcert, EVP_PKEY **pkey),
56 (c, server_name, pcert, pkey),
57 DECLINED, DECLINED)
58
59
60/* _________________________________________________________________
61**
62** Module Initialization
63** _________________________________________________________________
64*/
65
66#ifdef HAVE_ECC
67#define KEYTYPES "RSA, DSA or ECC"
68#else
69#define KEYTYPES "RSA or DSA"
70#endif
71
72#if MODSSL_USE_OPENSSL_PRE_1_1_API
73/* OpenSSL Pre-1.1.0 compatibility */
74/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
75static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
76{
77 /* q is optional */
78 if (p == NULL || g == NULL)
79 return 0;
80 BN_free(dh->p);
81 BN_free(dh->q);
82 BN_free(dh->g);
83 dh->p = p;
84 dh->q = q;
85 dh->g = g;
86
87 if (q != NULL) {
88 dh->length = BN_num_bits(q);
89 }
90
91 return 1;
92}
93
94/*
95 * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
96 * functions in <openssl/bn.h> for all available primes.
97 */
98static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *))
99{
100 DH *dh = DH_new();
101 BIGNUM *p, *g;
102
103 if (!dh) {
104 return NULL;
105 }
106 p = prime(NULL);
107 g = BN_new();
108 if (g != NULL) {
109 BN_set_word(g, 2);
110 }
111 if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
112 DH_free(dh);
113 BN_free(p);
114 BN_free(g);
115 return NULL;
116 }
117 return dh;
118}
119
120/* Storage and initialization for DH parameters. */
121static struct dhparam {
122 BIGNUM *(*const prime)(BIGNUM *); /* function to generate... */
123 DH *dh; /* ...this, used for keys.... */
124 const unsigned int min; /* ...of length >= this. */
125} dhparams[] = {
126 { BN_get_rfc3526_prime_8192, NULL, 6145 },
127 { BN_get_rfc3526_prime_6144, NULL, 4097 },
128 { BN_get_rfc3526_prime_4096, NULL, 3073 },
129 { BN_get_rfc3526_prime_3072, NULL, 2049 },
130 { BN_get_rfc3526_prime_2048, NULL, 1025 },
131 { BN_get_rfc2409_prime_1024, NULL, 0 }
132};
133
134static void init_dh_params(void)
135{
136 unsigned n;
137
138 for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
139 dhparams[n].dh = make_dh_params(dhparams[n].prime);
140}
141
142static void free_dh_params(void)
143{
144 unsigned n;
145
146 /* DH_free() is a noop for a NULL parameter, so these are harmless
147 * in the (unexpected) case where these variables are already
148 * NULL. */
149 for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++) {
150 DH_free(dhparams[n].dh);
151 dhparams[n].dh = NULL;
152 }
153}
154
155/* Hand out the same DH structure though once generated as we leak
156 * memory otherwise and freeing the structure up after use would be
157 * hard to track and in fact is not needed at all as it is safe to
158 * use the same parameters over and over again security wise (in
159 * contrast to the keys itself) and code safe as the returned structure
160 * is duplicated by OpenSSL anyway. Hence no modification happens
161 * to our copy. */
162DH *modssl_get_dh_params(unsigned keylen)
163{
164 unsigned n;
165
166 for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
167 if (keylen >= dhparams[n].min)
168 return dhparams[n].dh;
169
170 return NULL; /* impossible to reach. */
171}
172#endif
173
174static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
175 server_rec *s)
176{
177 char *modver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_INTERFACE");
178 char *libver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_LIBRARY");
179 char *incver = ssl_var_lookup(ptemp, s, NULL, NULL,
180 "SSL_VERSION_LIBRARY_INTERFACE");
181
182 ap_add_version_component(pconf, libver);
183
184 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01876)
185 "%s compiled against Server: %s, Library: %s",
186 modver, AP_SERVER_BASEVERSION, incver);
187}
188
189/* _________________________________________________________________
190**
191** Let other answer special connection attempts.
192** Used in ACME challenge handling by mod_md.
193** _________________________________________________________________
194*/
195
196int ssl_is_challenge(conn_rec *c, const char *servername,
197 X509 **pcert, EVP_PKEY **pkey,
198 const char **pcert_pem, const char **pkey_pem)
199{
200 *pcert = NULL;
201 *pkey = NULL;
202 *pcert_pem = *pkey_pem = NULL;
203 if (ap_ssl_answer_challenge(c, servername, pcert_pem, pkey_pem)) {
204 return 1;
205 }
206 else if (OK == ssl_run_answer_challenge(c, servername, pcert, pkey)) {
207 return 1;
208 }
209 return 0;
210}
211
212#ifdef HAVE_FIPS
213static apr_status_t modssl_fips_cleanup(void *data)
214{
215 modssl_fips_enable(0);
216 return APR_SUCCESS;
217}
218#endif
219
220static APR_INLINE unsigned long modssl_runtime_lib_version(void)
221{
222#if MODSSL_USE_OPENSSL_PRE_1_1_API
223 return SSLeay();
224#else
225 return OpenSSL_version_num();
226#endif
227}
228
229
230/*
231 * Per-module initialization
232 */
233apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
234 apr_pool_t *ptemp,
235 server_rec *base_server)
236{
237 unsigned long runtime_lib_version = modssl_runtime_lib_version();
238 SSLModConfigRec *mc = myModConfig(base_server);
239 SSLSrvConfigRec *sc;
240 server_rec *s;
241 apr_status_t rv;
242 apr_array_header_t *pphrases;
243
244 AP_DEBUG_ASSERT(mc);
245
246 if (runtime_lib_version < MODSSL_LIBRARY_VERSION) {
247 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
248 "Init: this version of mod_ssl was compiled against "
249 "a newer library (%s (%s), version currently loaded is 0x%lX)"
250 " - may result in undefined or erroneous behavior",
251 MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT,
252 runtime_lib_version);
253 }
254
255 /* We initialize mc->pid per-process in the child init,
256 * but it should be initialized for startup before we
257 * call ssl_rand_seed() below.
258 */
259 mc->pid = getpid();
260
261 /*
262 * Let us cleanup on restarts and exits
263 */
264 apr_pool_cleanup_register(p, base_server,
265 ssl_init_ModuleKill,
266 apr_pool_cleanup_null);
267
268 /*
269 * Any init round fixes the global config
270 */
271 ssl_config_global_create(base_server); /* just to avoid problems */
272 ssl_config_global_fix(mc);
273
274 /*
275 * try to fix the configuration and open the dedicated SSL
276 * logfile as early as possible
277 */
278 for (s = base_server; s; s = s->next) {
279 sc = mySrvConfig(s);
280
281 if (sc->server) {
282 sc->server->sc = sc;
283 }
284
285 /*
286 * Create the server host:port string because we need it a lot
287 */
288 if (sc->vhost_id) {
289 /* already set. This should only happen if this config rec is
290 * shared with another server. Argh! */
291 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10104)
292 "%s, SSLSrvConfigRec shared from %s",
293 ssl_util_vhostid(p, s), sc->vhost_id);
294 }
295 sc->vhost_id = ssl_util_vhostid(p, s);
296 sc->vhost_id_len = strlen(sc->vhost_id);
297
298 /* Default to enabled if SSLEngine is not set explicitly, and
299 * the protocol is https. */
300 if (ap_get_server_protocol(s)
301 && strcmp("https", ap_get_server_protocol(s)) == 0
302 && sc->enabled == SSL_ENABLED_UNSET
303 && (!apr_is_empty_array(sc->server->pks->cert_files))) {
304 sc->enabled = SSL_ENABLED_TRUE;
305 }
306
307 /* Fix up stuff that may not have been set. If sc->enabled is
308 * UNSET, then SSL is disabled on this vhost. */
309 if (sc->enabled == SSL_ENABLED_UNSET) {
310 sc->enabled = SSL_ENABLED_FALSE;
311 }
312
313 if (sc->session_cache_timeout == UNSET) {
314 sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
315 }
316
317 if (sc->server && sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
318 sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
319 }
320 }
321
322#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
323 ssl_util_thread_setup(p);
324#endif
325
326 /*
327 * SSL external crypto device ("engine") support
328 */
329 if ((rv = ssl_init_Engine(base_server, p)) != APR_SUCCESS) {
330 return rv;
331 }
332
333 ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, APLOGNO(01883)
334 "Init: Initialized %s library", MODSSL_LIBRARY_NAME);
335
336 /*
337 * Seed the Pseudo Random Number Generator (PRNG)
338 * only need ptemp here; nothing inside allocated from the pool
339 * needs to live once we return from ssl_rand_seed().
340 */
341 ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
342
343#ifdef HAVE_FIPS
344 if (!modssl_fips_is_enabled() && mc->fips == TRUE) {
345 if (!modssl_fips_enable(1)) {
346 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
347 "Could not enable FIPS mode");
348 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
349 return ssl_die(base_server);
350 }
351
352 apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
353 apr_pool_cleanup_null);
354 }
355
356 /* Log actual FIPS mode which the SSL library is operating under,
357 * which may have been set outside of the mod_ssl
358 * configuration. */
359 if (modssl_fips_is_enabled()) {
360 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
361 MODSSL_LIBRARY_NAME " has FIPS mode enabled");
362 }
363 else {
364 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(01886)
365 MODSSL_LIBRARY_NAME " has FIPS mode disabled");
366 }
367#endif
368
369 /*
370 * initialize the mutex handling
371 */
372 if (!ssl_mutex_init(base_server, p)) {
373 return HTTP_INTERNAL_SERVER_ERROR;
374 }
375#ifdef HAVE_OCSP_STAPLING
376 ssl_stapling_certinfo_hash_init(p);
377#endif
378
379 /*
380 * initialize session caching
381 */
382 if ((rv = ssl_scache_init(base_server, p)) != APR_SUCCESS) {
383 return rv;
384 }
385
386 pphrases = apr_array_make(ptemp, 2, sizeof(char *));
387
388 /*
389 * initialize servers
390 */
391 ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, APLOGNO(01887)
392 "Init: Initializing (virtual) servers for SSL");
393
394 for (s = base_server; s; s = s->next) {
395 sc = mySrvConfig(s);
396 /*
397 * Either now skip this server when SSL is disabled for
398 * it or give out some information about what we're
399 * configuring.
400 */
401
402 /*
403 * Read the server certificate and key
404 */
405 if ((rv = ssl_init_ConfigureServer(s, p, ptemp, sc, pphrases))
406 != APR_SUCCESS) {
407 return rv;
408 }
409 }
410
411 if (pphrases->nelts > 0) {
412 memset(pphrases->elts, 0, pphrases->elt_size * pphrases->nelts);
413 pphrases->nelts = 0;
414 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02560)
415 "Init: Wiped out the queried pass phrases from memory");
416 }
417
418 /*
419 * Configuration consistency checks
420 */
421 if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
422 return rv;
423 }
424
425 for (s = base_server; s; s = s->next) {
426 SSLDirConfigRec *sdc = ap_get_module_config(s->lookup_defaults,
427 &ssl_module);
428
429 sc = mySrvConfig(s);
430 if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
431 if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
432 return rv;
433 }
434 }
435
436 if (sdc->proxy_enabled) {
437 rv = ssl_run_init_server(s, p, 1, sdc->proxy->ssl_ctx);
438 if (rv != APR_SUCCESS) {
439 return rv;
440 }
441 }
442 }
443
444 /*
445 * Announce mod_ssl and SSL library in HTTP Server field
446 * as ``mod_ssl/X.X.X OpenSSL/X.X.X''
447 */
448 ssl_add_version_components(ptemp, p, base_server);
449
450 modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
451
452#if MODSSL_USE_OPENSSL_PRE_1_1_API
453 init_dh_params();
454#else
455 init_bio_methods();
456#endif
457
458#ifdef HAVE_OPENSSL_KEYLOG
459 {
460 const char *logfn = getenv("SSLKEYLOGFILE");
461
462 if (logfn) {
463 rv = apr_file_open(&mc->keylog_file, logfn,
464 APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
465 APR_FPROT_UREAD|APR_FPROT_UWRITE,
466 mc->pPool);
467 if (rv) {
468 ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
469 "Could not open log file '%s' configured via SSLKEYLOGFILE",
470 logfn);
471 return rv;
472 }
473
474 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
475 "Init: Logging SSL private key material to %s", logfn);
476 }
477 }
478#endif
479
480 return OK;
481}
482
483/*
484 * Support for external a Crypto Device ("engine"), usually
485 * a hardware accelerator card for crypto operations.
486 */
487apr_status_t ssl_init_Engine(server_rec *s, apr_pool_t *p)
488{
489#if MODSSL_HAVE_ENGINE_API
490 SSLModConfigRec *mc = myModConfig(s);
491 ENGINE *e;
492
493 if (mc->szCryptoDevice) {
494 if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
495 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01888)
496 "Init: Failed to load Crypto Device API `%s'",
497 mc->szCryptoDevice);
498 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
499 return ssl_die(s);
500 }
501
502#ifdef ENGINE_CTRL_CHIL_SET_FORKCHECK
503 if (strEQ(mc->szCryptoDevice, "chil")) {
504 ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
505 }
506#endif
507
508 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
509 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01889)
510 "Init: Failed to enable Crypto Device API `%s'",
511 mc->szCryptoDevice);
512 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
513 return ssl_die(s);
514 }
515 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01890)
516 "Init: loaded Crypto Device API `%s'",
517 mc->szCryptoDevice);
518
519 ENGINE_free(e);
520 }
521#endif
522 return APR_SUCCESS;
523}
524
525#ifdef HAVE_TLSEXT
526static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
527 apr_pool_t *p,
528 apr_pool_t *ptemp,
529 modssl_ctx_t *mctx)
530{
531 apr_status_t rv;
532
533 /*
534 * Configure TLS extensions support
535 */
536 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01893)
537 "Configuring TLS extension handling");
538
539 /*
540 * The Server Name Indication (SNI) provided by the ClientHello can be
541 * used to select the right (name-based-)vhost and its SSL configuration
542 * before the handshake takes place.
543 */
544 if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
545 ssl_callback_ServerNameIndication) ||
546 !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
547 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01894)
548 "Unable to initialize TLS servername extension "
549 "callback (incompatible OpenSSL version?)");
550 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
551 return ssl_die(s);
552 }
553
554#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
555 /*
556 * The ClientHello callback also allows to retrieve the SNI, but since it
557 * runs at the earliest possible connection stage we can even set the TLS
558 * protocol version(s) according to the selected (name-based-)vhost, which
559 * is not possible at the SNI callback stage (due to OpenSSL internals).
560 */
561 SSL_CTX_set_client_hello_cb(mctx->ssl_ctx, ssl_callback_ClientHello, NULL);
562#endif
563
564#ifdef HAVE_OCSP_STAPLING
565 /*
566 * OCSP Stapling support, status_request extension
567 */
568 if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
569 if ((rv = modssl_init_stapling(s, p, ptemp, mctx)) != APR_SUCCESS) {
570 return rv;
571 }
572 }
573#endif
574
575#ifdef HAVE_SRP
576 /*
577 * TLS-SRP support
578 */
579 if (mctx->srp_vfile != NULL) {
580 int err;
581 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02308)
582 "Using SRP verifier file [%s]", mctx->srp_vfile);
583
584 if (!(mctx->srp_vbase = SRP_VBASE_new(mctx->srp_unknown_user_seed))) {
585 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02309)
586 "Unable to initialize SRP verifier structure "
587 "[%s seed]",
588 mctx->srp_unknown_user_seed ? "with" : "without");
589 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
590 return ssl_die(s);
591 }
592
593 err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
594 if (err != SRP_NO_ERROR) {
595 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
596 "Unable to load SRP verifier file [error %d]", err);
597 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
598 return ssl_die(s);
599 }
600
601 SSL_CTX_set_srp_username_callback(mctx->ssl_ctx,
602 ssl_callback_SRPServerParams);
603 SSL_CTX_set_srp_cb_arg(mctx->ssl_ctx, mctx);
604 }
605#endif
606 return APR_SUCCESS;
607}
608#endif
609
610static apr_status_t ssl_init_ctx_protocol(server_rec *s,
611 apr_pool_t *p,
612 apr_pool_t *ptemp,
613 modssl_ctx_t *mctx)
614{
615 SSL_CTX *ctx = NULL;
616 MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
617 char *cp;
618 int protocol = mctx->protocol;
619 SSLSrvConfigRec *sc = mySrvConfig(s);
620#if OPENSSL_VERSION_NUMBER >= 0x10100000L
621 int prot;
622#endif
623
624 /*
625 * Create the new per-server SSL context
626 */
627 if (protocol == SSL_PROTOCOL_NONE) {
628 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
629 "No SSL protocols available [hint: SSLProtocol]");
630 return ssl_die(s);
631 }
632
633 cp = apr_pstrcat(p,
634#ifndef OPENSSL_NO_SSL3
635 (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
636#endif
637 (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
638#ifdef HAVE_TLSV1_X
639 (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
640 (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
641#if SSL_HAVE_PROTOCOL_TLSV1_3
642 (protocol & SSL_PROTOCOL_TLSV1_3 ? "TLSv1.3, " : ""),
643#endif
644#endif
645 NULL);
646 cp[strlen(cp)-2] = NUL;
647
648 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
649 "Creating new SSL context (protocols: %s)", cp);
650
651#if OPENSSL_VERSION_NUMBER < 0x10100000L
652#ifndef OPENSSL_NO_SSL3
653 if (protocol == SSL_PROTOCOL_SSLV3) {
654 method = mctx->pkp ?
655 SSLv3_client_method() : /* proxy */
656 SSLv3_server_method(); /* server */
657 }
658 else
659#endif
660 if (protocol == SSL_PROTOCOL_TLSV1) {
661 method = mctx->pkp ?
662 TLSv1_client_method() : /* proxy */
663 TLSv1_server_method(); /* server */
664 }
665#ifdef HAVE_TLSV1_X
666 else if (protocol == SSL_PROTOCOL_TLSV1_1) {
667 method = mctx->pkp ?
668 TLSv1_1_client_method() : /* proxy */
669 TLSv1_1_server_method(); /* server */
670 }
671 else if (protocol == SSL_PROTOCOL_TLSV1_2) {
672 method = mctx->pkp ?
673 TLSv1_2_client_method() : /* proxy */
674 TLSv1_2_server_method(); /* server */
675 }
676#if SSL_HAVE_PROTOCOL_TLSV1_3
677 else if (protocol == SSL_PROTOCOL_TLSV1_3) {
678 method = mctx->pkp ?
679 TLSv1_3_client_method() : /* proxy */
680 TLSv1_3_server_method(); /* server */
681 }
682#endif
683#endif
684 else { /* For multiple protocols, we need a flexible method */
685 method = mctx->pkp ?
686 SSLv23_client_method() : /* proxy */
687 SSLv23_server_method(); /* server */
688 }
689#else
690 method = mctx->pkp ?
691 TLS_client_method() : /* proxy */
692 TLS_server_method(); /* server */
693#endif
694 ctx = SSL_CTX_new(method);
695
696 mctx->ssl_ctx = ctx;
697
698 SSL_CTX_set_options(ctx, SSL_OP_ALL);
699
700#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
701 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
702 /* always disable SSLv2, as per RFC 6176 */
703 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
704
705#ifndef OPENSSL_NO_SSL3
706 if (!(protocol & SSL_PROTOCOL_SSLV3)) {
707 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
708 }
709#endif
710
711 if (!(protocol & SSL_PROTOCOL_TLSV1)) {
712 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
713 }
714
715#ifdef HAVE_TLSV1_X
716 if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
717 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
718 }
719
720 if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
721 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
722 }
723#if SSL_HAVE_PROTOCOL_TLSV1_3
724 ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
725 protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
726#endif
727#endif
728
729#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
730 /* We first determine the maximum protocol version we should provide */
731#if SSL_HAVE_PROTOCOL_TLSV1_3
732 if (protocol & SSL_PROTOCOL_TLSV1_3) {
733 prot = TLS1_3_VERSION;
734 } else
735#endif
736 if (protocol & SSL_PROTOCOL_TLSV1_2) {
737 prot = TLS1_2_VERSION;
738 } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
739 prot = TLS1_1_VERSION;
740 } else if (protocol & SSL_PROTOCOL_TLSV1) {
741 prot = TLS1_VERSION;
742#ifndef OPENSSL_NO_SSL3
743 } else if (protocol & SSL_PROTOCOL_SSLV3) {
744 prot = SSL3_VERSION;
745#endif
746 } else {
747 SSL_CTX_free(ctx);
748 mctx->ssl_ctx = NULL;
749 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
750 "No SSL protocols available [hint: SSLProtocol]");
751 return ssl_die(s);
752 }
753 SSL_CTX_set_max_proto_version(ctx, prot);
754
755 /* Next we scan for the minimal protocol version we should provide,
756 * but we do not allow holes between max and min */
757#if SSL_HAVE_PROTOCOL_TLSV1_3
758 if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
759 prot = TLS1_2_VERSION;
760 }
761#endif
762 if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
763 prot = TLS1_1_VERSION;
764 }
765 if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
766 prot = TLS1_VERSION;
767 }
768#ifndef OPENSSL_NO_SSL3
769 if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
770 prot = SSL3_VERSION;
771 }
772#endif
773 SSL_CTX_set_min_proto_version(ctx, prot);
774#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
775
776#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
777 if (sc->cipher_server_pref == TRUE) {
778 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
779 }
780#endif
781
782
783#ifndef OPENSSL_NO_COMP
784 if (sc->compression != TRUE) {
785#ifdef SSL_OP_NO_COMPRESSION
786 /* OpenSSL >= 1.0 only */
787 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
788#else
789 sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
790#endif
791 }
792#endif
793
794#ifdef SSL_OP_NO_TICKET
795 /*
796 * Configure using RFC 5077 TLS session tickets
797 * for session resumption.
798 */
799 if (sc->session_tickets == FALSE) {
800 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
801 }
802#endif
803
804#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
805 if (sc->insecure_reneg == TRUE) {
806 SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
807 }
808#endif
809
810 SSL_CTX_set_app_data(ctx, s);
811
812 /*
813 * Configure additional context ingredients
814 */
815 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
816#ifdef HAVE_ECC
817 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
818#endif
819
820#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
821 /*
822 * Disallow a session from being resumed during a renegotiation,
823 * so that an acceptable cipher suite can be negotiated.
824 */
825 SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
826#endif
827
828#ifdef SSL_MODE_RELEASE_BUFFERS
829 /* If httpd is configured to reduce mem usage, ask openssl to do so, too */
830 if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
831 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
832#endif
833
834#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
835 /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible
836 * to consume handshake records without blocking for app-data.
837 * https://github.com/openssl/openssl/issues/7178 */
838 SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
839#endif
840
841#ifdef HAVE_OPENSSL_KEYLOG
842 if (mctx->sc->mc->keylog_file) {
843 SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
844 }
845#endif
846
847#ifdef SSL_OP_NO_RENEGOTIATION
848 /* For server-side SSL_CTX, disable renegotiation by default.. */
849 if (!mctx->pkp) {
850 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
851 }
852#endif
853
854#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
855 /* For server-side SSL_CTX, enable ignoring unexpected EOF */
856 /* (OpenSSL 1.1.1 behavioural compatibility).. */
857 if (!mctx->pkp) {
858 SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
859 }
860#endif
861
862 return APR_SUCCESS;
863}
864
881
882#ifdef SSL_OP_NO_RENEGOTIATION
883/* OpenSSL-level renegotiation protection. */
884#define MODSSL_BLOCKS_RENEG (0)
885#else
886/* mod_ssl-level renegotiation protection. */
887#define MODSSL_BLOCKS_RENEG (1)
888#endif
889
890static void ssl_init_ctx_callbacks(server_rec *s,
891 apr_pool_t *p,
892 apr_pool_t *ptemp,
893 modssl_ctx_t *mctx)
894{
895 SSL_CTX *ctx = mctx->ssl_ctx;
896
897#if MODSSL_USE_OPENSSL_PRE_1_1_API
898 /* Note that for OpenSSL>=1.1, auto selection is enabled via
899 * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
900 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
901#endif
902
903 /* The info callback is used for debug-level tracing. For OpenSSL
904 * versions where SSL_OP_NO_RENEGOTIATION is not available, the
905 * callback is also used to prevent use of client-initiated
906 * renegotiation. Enable it in either case. */
907 if (APLOGdebug(s) || MODSSL_BLOCKS_RENEG) {
908 SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
909 }
910
911#ifdef HAVE_TLS_ALPN
912 SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
913#endif
914}
915
916static APR_INLINE
917int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
918 const char *file,
919 const char *path)
920{
921#if OPENSSL_VERSION_NUMBER < 0x30000000L
922 if (!SSL_CTX_load_verify_locations(ctx, file, path))
923 return 0;
924#else
925 if (file && !SSL_CTX_load_verify_file(ctx, file))
926 return 0;
927 if (path && !SSL_CTX_load_verify_dir(ctx, path))
928 return 0;
929#endif
930 return 1;
931}
932
933static apr_status_t ssl_init_ctx_verify(server_rec *s,
934 apr_pool_t *p,
935 apr_pool_t *ptemp,
936 modssl_ctx_t *mctx)
937{
938 SSL_CTX *ctx = mctx->ssl_ctx;
939
940 int verify = SSL_VERIFY_NONE;
941 STACK_OF(X509_NAME) *ca_list;
942
943 if (mctx->auth.verify_mode == SSL_CVERIFY_UNSET) {
944 mctx->auth.verify_mode = SSL_CVERIFY_NONE;
945 }
946
947 if (mctx->auth.verify_depth == UNSET) {
948 mctx->auth.verify_depth = 1;
949 }
950
951 /*
952 * Configure callbacks for SSL context
953 */
954 if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
955 verify |= SSL_VERIFY_PEER_STRICT;
956 }
957
958 if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
959 (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
960 {
961 verify |= SSL_VERIFY_PEER;
962 }
963
964 SSL_CTX_set_verify(ctx, verify, ssl_callback_SSLVerify);
965
966 /*
967 * Configure Client Authentication details
968 */
969 if (mctx->auth.ca_cert_file || mctx->auth.ca_cert_path) {
970 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
971 "Configuring client authentication");
972
973 if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
974 mctx->auth.ca_cert_path)) {
975 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
976 "Unable to configure verify locations "
977 "for client authentication");
978 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
979 return ssl_die(s);
980 }
981
982 if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
983 ca_list = ssl_init_FindCAList(s, ptemp,
984 mctx->pks->ca_name_file,
985 mctx->pks->ca_name_path);
986 } else
987 ca_list = ssl_init_FindCAList(s, ptemp,
988 mctx->auth.ca_cert_file,
989 mctx->auth.ca_cert_path);
990 if (sk_X509_NAME_num(ca_list) <= 0) {
991 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896)
992 "Unable to determine list of acceptable "
993 "CA certificates for client authentication");
994 return ssl_die(s);
995 }
996
997 SSL_CTX_set_client_CA_list(ctx, ca_list);
998 }
999
1000 /*
1001 * Give a warning when no CAs were configured but client authentication
1002 * should take place. This cannot work.
1003 */
1004 if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
1005 ca_list = SSL_CTX_get_client_CA_list(ctx);
1006
1007 if (sk_X509_NAME_num(ca_list) == 0) {
1008 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01897)
1009 "Init: Oops, you want to request client "
1010 "authentication, but no CAs are known for "
1011 "verification!? [Hint: SSLCACertificate*]");
1012 }
1013 }
1014
1015 return APR_SUCCESS;
1016}
1017
1018static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
1019 apr_pool_t *p,
1020 apr_pool_t *ptemp,
1021 modssl_ctx_t *mctx)
1022{
1023 SSL_CTX *ctx = mctx->ssl_ctx;
1024 const char *suite;
1025
1026 /*
1027 * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
1028 * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
1029 * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
1030 * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so append them while we support
1031 * earlier versions.
1032 */
1033 suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
1034 apr_pstrcat(ptemp, SSL_DEFAULT_CIPHER_LIST, ":!aNULL:!eNULL:!EXP",
1035 NULL);
1036
1037 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
1038 "Configuring permitted SSL ciphers [%s]",
1039 suite);
1040
1041 if (!SSL_CTX_set_cipher_list(ctx, suite)) {
1042 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01898)
1043 "Unable to configure permitted SSL ciphers");
1044 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1045 return ssl_die(s);
1046 }
1047#if SSL_HAVE_PROTOCOL_TLSV1_3
1048 if (mctx->auth.tls13_ciphers
1049 && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
1050 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10127)
1051 "Unable to configure permitted TLSv1.3 ciphers");
1052 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1053 return ssl_die(s);
1054 }
1055#endif
1056 return APR_SUCCESS;
1057}
1058
1059static APR_INLINE
1060int modssl_X509_STORE_load_locations(X509_STORE *store,
1061 const char *file,
1062 const char *path)
1063{
1064#if OPENSSL_VERSION_NUMBER < 0x30000000L
1065 if (!X509_STORE_load_locations(store, file, path))
1066 return 0;
1067#else
1068 if (file && !X509_STORE_load_file(store, file))
1069 return 0;
1070 if (path && !X509_STORE_load_path(store, path))
1071 return 0;
1072#endif
1073 return 1;
1074}
1075
1076static apr_status_t ssl_init_ctx_crl(server_rec *s,
1077 apr_pool_t *p,
1078 apr_pool_t *ptemp,
1079 modssl_ctx_t *mctx)
1080{
1081 X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
1082 unsigned long crlflags = 0;
1083 char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
1084 int crl_check_mode;
1085
1086 if (mctx->ocsp_mask == UNSET) {
1087 mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
1088 }
1089
1090 if (mctx->crl_check_mask == UNSET) {
1091 mctx->crl_check_mask = SSL_CRLCHECK_NONE;
1092 }
1093 crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
1094
1095 /*
1096 * Configure Certificate Revocation List (CRL) Details
1097 */
1098
1099 if (!(mctx->crl_file || mctx->crl_path)) {
1100 if (crl_check_mode == SSL_CRLCHECK_LEAF ||
1101 crl_check_mode == SSL_CRLCHECK_CHAIN) {
1102 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01899)
1103 "Host %s: CRL checking has been enabled, but "
1104 "neither %sCARevocationFile nor %sCARevocationPath "
1105 "is configured", mctx->sc->vhost_id, cfgp, cfgp);
1106 return ssl_die(s);
1107 }
1108 return APR_SUCCESS;
1109 }
1110
1111 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
1112 "Configuring certificate revocation facility");
1113
1114 if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
1115 mctx->crl_path)) {
1116 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
1117 "Host %s: unable to configure X.509 CRL storage "
1118 "for certificate revocation", mctx->sc->vhost_id);
1119 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1120 return ssl_die(s);
1121 }
1122
1123 switch (crl_check_mode) {
1124 case SSL_CRLCHECK_LEAF:
1125 crlflags = X509_V_FLAG_CRL_CHECK;
1126 break;
1127 case SSL_CRLCHECK_CHAIN:
1128 crlflags = X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
1129 break;
1130 default:
1131 crlflags = 0;
1132 }
1133
1134 if (crlflags) {
1135 X509_STORE_set_flags(store, crlflags);
1136 } else {
1137 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01902)
1138 "Host %s: X.509 CRL storage locations configured, "
1139 "but CRL checking (%sCARevocationCheck) is not "
1140 "enabled", mctx->sc->vhost_id, cfgp);
1141 }
1142
1143 return APR_SUCCESS;
1144}
1145
1146/*
1147 * Read a file that optionally contains the server certificate in PEM
1148 * format, possibly followed by a sequence of CA certificates that
1149 * should be sent to the peer in the SSL Certificate message.
1150 */
1151static int use_certificate_chain(
1152 SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
1153{
1154 BIO *bio;
1155 X509 *x509;
1156 unsigned long err;
1157 int n;
1158
1159 if ((bio = BIO_new(BIO_s_file())) == NULL)
1160 return -1;
1161 if (BIO_read_filename(bio, file) <= 0) {
1162 BIO_free(bio);
1163 return -1;
1164 }
1165 /* optionally skip a leading server certificate */
1166 if (skipfirst) {
1167 if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
1168 BIO_free(bio);
1169 return -1;
1170 }
1171 X509_free(x509);
1172 }
1173 /* free a perhaps already configured extra chain */
1174#ifdef OPENSSL_NO_SSL_INTERN
1175 SSL_CTX_clear_extra_chain_certs(ctx);
1176#else
1177 if (ctx->extra_certs != NULL) {
1178 sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
1179 ctx->extra_certs = NULL;
1180 }
1181#endif
1182
1183 /* create new extra chain by loading the certs */
1184 n = 0;
1185 ERR_clear_error();
1186 while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
1187 if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
1188 X509_free(x509);
1189 BIO_free(bio);
1190 return -1;
1191 }
1192 n++;
1193 }
1194 /* Make sure that only the error is just an EOF */
1195 if ((err = ERR_peek_error()) > 0) {
1196 if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
1197 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
1198 BIO_free(bio);
1199 return -1;
1200 }
1201 while (ERR_get_error() > 0) ;
1202 }
1203 BIO_free(bio);
1204 return n;
1205}
1206
1207static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
1208 apr_pool_t *p,
1209 apr_pool_t *ptemp,
1210 modssl_ctx_t *mctx)
1211{
1212 BOOL skip_first = FALSE;
1213 int i, n;
1214 const char *chain = mctx->cert_chain;
1215
1216 /*
1217 * Optionally configure extra server certificate chain certificates.
1218 * This is usually done by OpenSSL automatically when one of the
1219 * server cert issuers are found under SSLCACertificatePath or in
1220 * SSLCACertificateFile. But because these are intended for client
1221 * authentication it can conflict. For instance when you use a
1222 * Global ID server certificate you've to send out the intermediate
1223 * CA certificate, too. When you would just configure this with
1224 * SSLCACertificateFile and also use client authentication mod_ssl
1225 * would accept all clients also issued by this CA. Obviously this
1226 * isn't what we want in this situation. So this feature here exists
1227 * to allow one to explicitly configure CA certificates which are
1228 * used only for the server certificate chain.
1229 */
1230 if (!chain) {
1231 return APR_SUCCESS;
1232 }
1233
1234 for (i = 0; (i < mctx->pks->cert_files->nelts) &&
1235 APR_ARRAY_IDX(mctx->pks->cert_files, i, const char *); i++) {
1236 if (strEQ(APR_ARRAY_IDX(mctx->pks->cert_files, i, const char *), chain)) {
1237 skip_first = TRUE;
1238 break;
1239 }
1240 }
1241
1242 n = use_certificate_chain(mctx->ssl_ctx, (char *)chain, skip_first, NULL);
1243 if (n < 0) {
1244 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
1245 "Failed to configure CA certificate chain!");
1246 return ssl_die(s);
1247 }
1248
1249 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01904)
1250 "Configuring server certificate chain "
1251 "(%d CA certificate%s)",
1252 n, n == 1 ? "" : "s");
1253
1254 return APR_SUCCESS;
1255}
1256
1257static apr_status_t ssl_init_ctx(server_rec *s,
1258 apr_pool_t *p,
1259 apr_pool_t *ptemp,
1260 modssl_ctx_t *mctx)
1261{
1262 apr_status_t rv;
1263
1264 if ((rv = ssl_init_ctx_protocol(s, p, ptemp, mctx)) != APR_SUCCESS) {
1265 return rv;
1266 }
1267
1268 ssl_init_ctx_session_cache(s, p, ptemp, mctx);
1269
1270 ssl_init_ctx_callbacks(s, p, ptemp, mctx);
1271
1272 if ((rv = ssl_init_ctx_verify(s, p, ptemp, mctx)) != APR_SUCCESS) {
1273 return rv;
1274 }
1275
1276 if ((rv = ssl_init_ctx_cipher_suite(s, p, ptemp, mctx)) != APR_SUCCESS) {
1277 return rv;
1278 }
1279
1280 if ((rv = ssl_init_ctx_crl(s, p, ptemp, mctx)) != APR_SUCCESS) {
1281 return rv;
1282 }
1283
1284 if (mctx->pks) {
1285 /* XXX: proxy support? */
1286 if ((rv = ssl_init_ctx_cert_chain(s, p, ptemp, mctx)) != APR_SUCCESS) {
1287 return rv;
1288 }
1289#ifdef HAVE_TLSEXT
1290 if ((rv = ssl_init_ctx_tls_extensions(s, p, ptemp, mctx)) !=
1291 APR_SUCCESS) {
1292 return rv;
1293 }
1294#endif
1295 }
1296
1297 return APR_SUCCESS;
1298}
1299
1300static void ssl_check_public_cert(server_rec *s,
1301 apr_pool_t *ptemp,
1302 X509 *cert,
1303 const char *key_id)
1304{
1305 int is_ca, pathlen;
1306
1307 if (!cert) {
1308 return;
1309 }
1310
1311 /*
1312 * Some information about the certificate(s)
1313 */
1314
1315 if (modssl_X509_getBC(cert, &is_ca, &pathlen)) {
1316 if (is_ca) {
1317 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01906)
1318 "%s server certificate is a CA certificate "
1319 "(BasicConstraints: CA == TRUE !?)", key_id);
1320 }
1321
1322 if (pathlen > 0) {
1323 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01907)
1324 "%s server certificate is not a leaf certificate "
1325 "(BasicConstraints: pathlen == %d > 0 !?)",
1326 key_id, pathlen);
1327 }
1328 }
1329
1330 if (modssl_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
1331 TRUE, s) == FALSE) {
1332 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909)
1333 "%s server certificate does NOT include an ID "
1334 "which matches the server name", key_id);
1335 }
1336}
1337
1338/* prevent OpenSSL from showing its "Enter PEM pass phrase:" prompt */
1339static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
1340 void *userdata) {
1341 return 0;
1342}
1343
1344/* SSL_CTX_use_PrivateKey_file() can fail either because the private
1345 * key was encrypted, or due to a mismatch between an already-loaded
1346 * cert and the key - a common misconfiguration - from calling
1347 * X509_check_private_key(). This macro is passed the last error code
1348 * off the OpenSSL stack and evaluates to true only for the first
1349 * case. With OpenSSL < 3 the second case is identifiable by the
1350 * function code, but function codes are not used from 3.0. */
1351#if OPENSSL_VERSION_NUMBER < 0x30000000L
1352#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
1353#else
1354#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \
1355 || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
1356 && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
1357 && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
1358#endif
1359
1360static apr_status_t ssl_init_server_certs(server_rec *s,
1361 apr_pool_t *p,
1362 apr_pool_t *ptemp,
1363 modssl_ctx_t *mctx,
1364 apr_array_header_t *pphrases)
1365{
1366 SSLModConfigRec *mc = myModConfig(s);
1367 const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
1368 int i;
1369 EVP_PKEY *pkey;
1370 int custom_dh_done = 0;
1371#ifdef HAVE_ECC
1372 EC_GROUP *ecgroup = NULL;
1373 int curve_nid = 0;
1374#endif
1375
1376 /* no OpenSSL default prompts for any of the SSL_CTX_use_* calls, please */
1377 SSL_CTX_set_default_passwd_cb(mctx->ssl_ctx, ssl_no_passwd_prompt_cb);
1378
1379 /* Iterate over the SSLCertificateFile array */
1380 for (i = 0; (i < mctx->pks->cert_files->nelts) &&
1381 (certfile = APR_ARRAY_IDX(mctx->pks->cert_files, i,
1382 const char *));
1383 i++) {
1384 X509 *cert = NULL;
1385 const char *engine_certfile = NULL;
1386
1387 key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i);
1388
1389 ERR_clear_error();
1390
1391 /* first the certificate (public key) */
1392 if (modssl_is_engine_id(certfile)) {
1393 engine_certfile = certfile;
1394 }
1395 else if (mctx->cert_chain) {
1396 if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile,
1397 SSL_FILETYPE_PEM) < 1)) {
1398 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02561)
1399 "Failed to configure certificate %s, check %s",
1400 key_id, certfile);
1401 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1402 return APR_EGENERAL;
1403 }
1404 } else {
1405 if ((SSL_CTX_use_certificate_chain_file(mctx->ssl_ctx,
1406 certfile) < 1)) {
1407 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02562)
1408 "Failed to configure certificate %s (with chain),"
1409 " check %s", key_id, certfile);
1410 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1411 return APR_EGENERAL;
1412 }
1413 }
1414
1415 /* and second, the private key */
1416 if (i < mctx->pks->key_files->nelts) {
1417 keyfile = APR_ARRAY_IDX(mctx->pks->key_files, i, const char *);
1418 } else {
1419 keyfile = certfile;
1420 }
1421
1422 ERR_clear_error();
1423
1424 if (modssl_is_engine_id(keyfile)) {
1425 apr_status_t rv;
1426
1427 if ((rv = modssl_load_engine_keypair(s, p, ptemp, vhost_id,
1428 engine_certfile, keyfile,
1429 &cert, &pkey))) {
1430 return rv;
1431 }
1432
1433 if (cert) {
1434 if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
1435 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
1436 "Failed to configure certificate %s from %s, check %s",
1437 key_id, mc->szCryptoDevice ?
1438 mc->szCryptoDevice : "provider",
1439 certfile);
1440 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1441 return APR_EGENERAL;
1442 }
1443
1444 /* SSL_CTX now owns the cert. */
1445 X509_free(cert);
1446 }
1447
1448 if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) {
1449 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130)
1450 "Failed to configure private key %s from %s",
1451 keyfile, mc->szCryptoDevice ?
1452 mc->szCryptoDevice : "provider");
1453 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1454 return APR_EGENERAL;
1455 }
1456
1457 /* SSL_CTX now owns the key */
1458 EVP_PKEY_free(pkey);
1459 }
1460 else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
1461 SSL_FILETYPE_PEM) < 1)
1462 && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
1463 ssl_asn1_t *asn1;
1464 const unsigned char *ptr;
1465
1466 ERR_clear_error();
1467
1468 /* perhaps it's an encrypted private key, so try again */
1469 ssl_load_encrypted_pkey(s, ptemp, i, keyfile, &pphrases);
1470
1471 if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id)) ||
1472 !(ptr = asn1->cpData) ||
1473 !(pkey = d2i_AutoPrivateKey(NULL, &ptr, asn1->nData)) ||
1474 (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1)) {
1475 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02564)
1476 "Failed to configure encrypted (?) private key %s,"
1477 " check %s", key_id, keyfile);
1478 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1479 return APR_EGENERAL;
1480 }
1481 }
1482
1483 if (SSL_CTX_check_private_key(mctx->ssl_ctx) < 1) {
1484 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02565)
1485 "Certificate and private key %s from %s and %s "
1486 "do not match", key_id, certfile, keyfile);
1487 return APR_EGENERAL;
1488 }
1489
1490#ifdef HAVE_SSL_CONF_CMD
1491 /*
1492 * workaround for those OpenSSL versions where SSL_CTX_get0_certificate
1493 * is not yet available: create an SSL struct which we dispose of
1494 * as soon as we no longer need access to the cert. (Strictly speaking,
1495 * SSL_CTX_get0_certificate does not depend on the SSL_CONF stuff,
1496 * but there's no reliable way to check for its existence, so we
1497 * assume that if SSL_CONF is available, it's OpenSSL 1.0.2 or later,
1498 * and SSL_CTX_get0_certificate is implemented.)
1499 */
1500 cert = SSL_CTX_get0_certificate(mctx->ssl_ctx);
1501#else
1502 {
1503 SSL *ssl = SSL_new(mctx->ssl_ctx);
1504 if (ssl) {
1505 /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */
1506 SSL_set_connect_state(ssl);
1507 cert = SSL_get_certificate(ssl);
1508 SSL_free(ssl);
1509 }
1510 }
1511#endif
1512 if (!cert) {
1513 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566)
1514 "Unable to retrieve certificate %s", key_id);
1515 return APR_EGENERAL;
1516 }
1517
1518 /* warn about potential cert issues */
1519 ssl_check_public_cert(s, ptemp, cert, key_id);
1520
1521#if defined(HAVE_OCSP_STAPLING) && !defined(SSL_CTRL_SET_CURRENT_CERT)
1522 /*
1523 * OpenSSL up to 1.0.1: configure stapling as we go. In 1.0.2
1524 * and later, there's SSL_CTX_set_current_cert, which allows
1525 * iterating over all certs in an SSL_CTX (including those possibly
1526 * loaded via SSLOpenSSLConfCmd Certificate), so for 1.0.2 and
1527 * later, we defer to the code in ssl_init_server_ctx.
1528 */
1529 if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) {
1530 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
1531 "Unable to configure certificate %s for stapling",
1532 key_id);
1533 }
1534#endif
1535
1536 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02568)
1537 "Certificate and private key %s configured from %s and %s",
1538 key_id, certfile, keyfile);
1539 }
1540
1541 /*
1542 * Try to read DH parameters from the (first) SSLCertificateFile
1543 */
1544 certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
1545 if (certfile && !modssl_is_engine_id(certfile)) {
1546 int num_bits = 0;
1547#if OPENSSL_VERSION_NUMBER < 0x30000000L
1548 DH *dh = modssl_dh_from_file(certfile);
1549 if (dh) {
1550 num_bits = DH_bits(dh);
1551 SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
1552 DH_free(dh);
1553 custom_dh_done = 1;
1554 }
1555#else
1556 pkey = modssl_dh_pkey_from_file(certfile);
1557 if (pkey) {
1558 num_bits = EVP_PKEY_get_bits(pkey);
1559 if (!SSL_CTX_set0_tmp_dh_pkey(mctx->ssl_ctx, pkey)) {
1560 EVP_PKEY_free(pkey);
1561 }
1562 else {
1563 custom_dh_done = 1;
1564 }
1565 }
1566#endif
1567 if (custom_dh_done) {
1568 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
1569 "Custom DH parameters (%d bits) for %s loaded from %s",
1570 num_bits, vhost_id, certfile);
1571 }
1572 }
1573#if !MODSSL_USE_OPENSSL_PRE_1_1_API
1574 if (!custom_dh_done) {
1575 /* If no parameter is manually configured, enable auto
1576 * selection. */
1577 SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
1578 }
1579#endif
1580
1581#ifdef HAVE_ECC
1582 /*
1583 * Similarly, try to read the ECDH curve name from SSLCertificateFile...
1584 */
1585 if (certfile && !modssl_is_engine_id(certfile)
1586 && (ecgroup = modssl_ec_group_from_file(certfile))
1587 && (curve_nid = EC_GROUP_get_curve_name(ecgroup))) {
1588#if OPENSSL_VERSION_NUMBER < 0x30000000L
1589 EC_KEY *eckey = EC_KEY_new_by_curve_name(curve_nid);
1590 if (eckey) {
1591 SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
1592 EC_KEY_free(eckey);
1593 }
1594 else {
1595 curve_nid = 0;
1596 }
1597#else
1598 if (!SSL_CTX_set1_curves(mctx->ssl_ctx, &curve_nid, 1)) {
1599 curve_nid = 0;
1600 }
1601#endif
1602 if (curve_nid) {
1603 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
1604 "ECDH curve %s for %s specified in %s",
1605 OBJ_nid2sn(curve_nid), vhost_id, certfile);
1606 }
1607 }
1608 /*
1609 * ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
1610 * or configure NIST P-256 (required to enable ECDHE for earlier versions)
1611 * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
1612 */
1613#if MODSSL_USE_OPENSSL_PRE_1_1_API
1614 if (!curve_nid) {
1615#if defined(SSL_CTX_set_ecdh_auto)
1616 SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
1617#else
1618 EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1619 if (eckey) {
1620 SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
1621 EC_KEY_free(eckey);
1622 }
1623#endif
1624 }
1625#endif
1626 /* OpenSSL assures us that _free() is NULL-safe */
1627 EC_GROUP_free(ecgroup);
1628#endif
1629
1630 return APR_SUCCESS;
1631}
1632
1633#ifdef HAVE_TLS_SESSION_TICKETS
1634static apr_status_t ssl_init_ticket_key(server_rec *s,
1635 apr_pool_t *p,
1636 apr_pool_t *ptemp,
1637 modssl_ctx_t *mctx)
1638{
1639 apr_status_t rv;
1640 apr_file_t *fp;
1641 apr_size_t len;
1642 char buf[TLSEXT_TICKET_KEY_LEN];
1643 char *path;
1644 modssl_ticket_key_t *ticket_key = mctx->ticket_key;
1645 int res;
1646
1647 if (!ticket_key->file_path) {
1648 return APR_SUCCESS;
1649 }
1650
1651 path = ap_server_root_relative(p, ticket_key->file_path);
1652
1653 rv = apr_file_open(&fp, path, APR_READ|APR_BINARY,
1654 APR_OS_DEFAULT, ptemp);
1655
1656 if (rv != APR_SUCCESS) {
1657 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02286)
1658 "Failed to open ticket key file %s: (%d) %pm",
1659 path, rv, &rv);
1660 return ssl_die(s);
1661 }
1662
1663 rv = apr_file_read_full(fp, &buf[0], TLSEXT_TICKET_KEY_LEN, &len);
1664
1665 if (rv != APR_SUCCESS) {
1666 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02287)
1667 "Failed to read %d bytes from %s: (%d) %pm",
1668 TLSEXT_TICKET_KEY_LEN, path, rv, &rv);
1669 return ssl_die(s);
1670 }
1671
1672 memcpy(ticket_key->key_name, buf, 16);
1673 memcpy(ticket_key->aes_key, buf + 32, 16);
1674#if OPENSSL_VERSION_NUMBER < 0x30000000L
1675 memcpy(ticket_key->hmac_secret, buf + 16, 16);
1676 res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
1677 ssl_callback_SessionTicket);
1678#else
1679 ticket_key->mac_params[0] =
1680 OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
1681 ticket_key->mac_params[1] =
1682 OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
1683 ticket_key->mac_params[2] =
1684 OSSL_PARAM_construct_end();
1685 res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
1686 ssl_callback_SessionTicket);
1687#endif
1688 if (!res) {
1689 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
1690 "Unable to initialize TLS session ticket key callback "
1691 "(incompatible OpenSSL version?)");
1692 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1693 return ssl_die(s);
1694 }
1695
1696 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02288)
1697 "TLS session ticket key for %s successfully loaded from %s",
1698 (mySrvConfig(s))->vhost_id, path);
1699
1700 return APR_SUCCESS;
1701}
1702#endif
1703
1704static BOOL load_x509_info(apr_pool_t *ptemp,
1705 STACK_OF(X509_INFO) *sk,
1706 const char *filename)
1707{
1708 BIO *in;
1709
1710 if (!(in = BIO_new(BIO_s_file()))) {
1711 return FALSE;
1712 }
1713
1714 if (BIO_read_filename(in, filename) <= 0) {
1715 BIO_free(in);
1716 return FALSE;
1717 }
1718
1719 ERR_clear_error();
1720
1721 PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
1722
1723 BIO_free(in);
1724
1725 return TRUE;
1726}
1727
1728static apr_status_t ssl_init_proxy_certs(server_rec *s,
1729 apr_pool_t *p,
1730 apr_pool_t *ptemp,
1731 modssl_ctx_t *mctx)
1732{
1733 int n, ncerts = 0;
1734 STACK_OF(X509_INFO) *sk;
1735 modssl_pk_proxy_t *pkp = mctx->pkp;
1736 STACK_OF(X509) *chain;
1737 X509_STORE_CTX *sctx;
1738 X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
1739 int addl_chain = 0; /* non-zero if additional chain certs were
1740 * added to store */
1741
1742 ap_assert(store != NULL); /* safe to assume always non-NULL? */
1743
1744#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)
1745 /* For OpenSSL >=1.1.1, turn on client cert support which is
1746 * otherwise turned off by default (by design).
1747 * https://github.com/openssl/openssl/issues/6933 */
1748 SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
1749#endif
1750
1751 SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
1752 ssl_callback_proxy_cert);
1753
1754 if (!(pkp->cert_file || pkp->cert_path)) {
1755 return APR_SUCCESS;
1756 }
1757
1758 sk = sk_X509_INFO_new_null();
1759
1760 if (pkp->cert_file) {
1761 load_x509_info(ptemp, sk, pkp->cert_file);
1762 }
1763
1764 if (pkp->cert_path) {
1765 ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk);
1766 }
1767
1768 /* Check that all client certs have got certificates and private
1769 * keys. Note the number of certs in the stack may decrease
1770 * during the loop. */
1771 for (n = 0; n < sk_X509_INFO_num(sk); n++) {
1772 X509_INFO *inf = sk_X509_INFO_value(sk, n);
1773 int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey;
1774
1775 /* For a lone certificate in the file, trust it as a
1776 * CA/intermediate certificate. */
1777 if (inf->x509 && !has_privkey && !inf->enc_data) {
1778 ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509,
1779 APLOGNO(10261) "Trusting non-leaf certificate");
1780 X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */
1781 /* Delete from the stack and iterate again. */
1782 X509_INFO_free(inf);
1783 sk_X509_INFO_delete(sk, n);
1784 n--;
1785 addl_chain = 1;
1786 continue;
1787 }
1788
1789 if (!has_privkey || inf->enc_data) {
1790 sk_X509_INFO_free(sk);
1791 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
1792 "incomplete client cert configured for SSL proxy "
1793 "(missing or encrypted private key?)");
1794 return ssl_die(s);
1795 }
1796
1797 if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
1798 ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
1799 APLOGNO(02326) "proxy client certificate and "
1800 "private key do not match");
1801 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
1802 return ssl_die(s);
1803 }
1804 }
1805
1806 if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
1807 sk_X509_INFO_free(sk);
1808 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
1809 "no client certs found for SSL proxy");
1810 return APR_SUCCESS;
1811 }
1812
1813 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
1814 "loaded %d client certs for SSL proxy",
1815 ncerts);
1816 pkp->certs = sk;
1817
1818 /* If any chain certs are configured, build the ->ca_certs chains
1819 * corresponding to the loaded keypairs. */
1820 if (!pkp->ca_cert_file && !addl_chain) {
1821 return APR_SUCCESS;
1822 }
1823
1824 /* If SSLProxyMachineCertificateChainFile is configured, load all
1825 * the CA certs and have OpenSSL attempt to construct a full chain
1826 * from each configured end-entity cert up to a root. This will
1827 * allow selection of the correct cert given a list of root CA
1828 * names in the certificate request from the server. */
1829 pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
1830 sctx = X509_STORE_CTX_new();
1831
1832 if (!sctx) {
1833 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
1834 "SSL proxy client cert initialization failed");
1835 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
1836 sk_X509_INFO_free(sk);
1837 return ssl_die(s);
1838 }
1839
1840 modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
1841
1842 for (n = 0; n < ncerts; n++) {
1843 int i;
1844
1845 X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);
1846 if (!X509_STORE_CTX_init(sctx, store, inf->x509, NULL)) {
1847 sk_X509_INFO_free(sk);
1848 X509_STORE_CTX_free(sctx);
1849 return ssl_die(s);
1850 }
1851
1852 /* Attempt to verify the client cert */
1853 if (X509_verify_cert(sctx) != 1) {
1854 int err = X509_STORE_CTX_get_error(sctx);
1855 ssl_log_xerror(SSLLOG_MARK, APLOG_WARNING, 0, ptemp, s, inf->x509,
1856 APLOGNO(02270) "SSL proxy client cert chain "
1857 "verification failed: %s :",
1858 X509_verify_cert_error_string(err));
1859 }
1860
1861 /* Clear X509_verify_cert errors */
1862 ERR_clear_error();
1863
1864 /* Obtain a copy of the verified chain */
1865 chain = X509_STORE_CTX_get1_chain(sctx);
1866
1867 if (chain != NULL) {
1868 /* Discard end entity cert from the chain */
1869 X509_free(sk_X509_shift(chain));
1870
1871 if ((i = sk_X509_num(chain)) > 0) {
1872 /* Store the chain for later use */
1873 pkp->ca_certs[n] = chain;
1874 }
1875 else {
1876 /* Discard empty chain */
1877 sk_X509_pop_free(chain, X509_free);
1878 pkp->ca_certs[n] = NULL;
1879 }
1880
1881 ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509,
1882 APLOGNO(02271)
1883 "loaded %i intermediate CA%s for cert %i: ",
1884 i, i == 1 ? "" : "s", n);
1885 if (i > 0) {
1886 int j;
1887 for (j = 0; j < i; j++) {
1888 ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s,
1889 sk_X509_value(chain, j), APLOGNO(03039)
1890 "%i:", j);
1891 }
1892 }
1893 }
1894
1895 /* get ready for next X509_STORE_CTX_init */
1896 X509_STORE_CTX_cleanup(sctx);
1897 }
1898
1899 X509_STORE_CTX_free(sctx);
1900
1901 return APR_SUCCESS;
1902}
1903
1904#define MODSSL_CFG_ITEM_FREE(func, item) \
1905 if (item) { \
1906 func(item); \
1907 item = NULL; \
1908 }
1909
1910static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
1911{
1912 MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
1913
1914#ifdef HAVE_SRP
1915 if (mctx->srp_vbase != NULL) {
1916 SRP_VBASE_free(mctx->srp_vbase);
1917 mctx->srp_vbase = NULL;
1918 }
1919#endif
1920}
1921
1922static apr_status_t ssl_cleanup_proxy_ctx(void *data)
1923{
1924 modssl_ctx_t *mctx = data;
1925
1926 ssl_init_ctx_cleanup(mctx);
1927
1928 if (mctx->pkp->certs) {
1929 int i = 0;
1930 int ncerts = sk_X509_INFO_num(mctx->pkp->certs);
1931
1932 if (mctx->pkp->ca_certs) {
1933 for (i = 0; i < ncerts; i++) {
1934 if (mctx->pkp->ca_certs[i] != NULL) {
1935 sk_X509_pop_free(mctx->pkp->ca_certs[i], X509_free);
1936 }
1937 }
1938 }
1939
1940 sk_X509_INFO_pop_free(mctx->pkp->certs, X509_INFO_free);
1941 mctx->pkp->certs = NULL;
1942 }
1943
1944 return APR_SUCCESS;
1945}
1946
1947static apr_status_t ssl_init_proxy_ctx(server_rec *s,
1948 apr_pool_t *p,
1949 apr_pool_t *ptemp,
1950 modssl_ctx_t *proxy)
1951{
1952 apr_status_t rv;
1953
1954 if (proxy->ssl_ctx) {
1955 /* Merged/initialized already */
1956 return APR_SUCCESS;
1957 }
1958
1959 apr_pool_cleanup_register(p, proxy,
1960 ssl_cleanup_proxy_ctx,
1961 apr_pool_cleanup_null);
1962
1963 if ((rv = ssl_init_ctx(s, p, ptemp, proxy)) != APR_SUCCESS) {
1964 return rv;
1965 }
1966
1967 if ((rv = ssl_init_proxy_certs(s, p, ptemp, proxy)) != APR_SUCCESS) {
1968 return rv;
1969 }
1970
1971 return APR_SUCCESS;
1972}
1973
1974static apr_status_t ssl_init_server_ctx(server_rec *s,
1975 apr_pool_t *p,
1976 apr_pool_t *ptemp,
1977 SSLSrvConfigRec *sc,
1978 apr_array_header_t *pphrases)
1979{
1980 apr_status_t rv;
1981 modssl_pk_server_t *pks;
1982#ifdef HAVE_SSL_CONF_CMD
1983 ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts;
1984 SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
1985 int i;
1986#endif
1987 int n;
1988
1989 /*
1990 * Check for problematic re-initializations
1991 */
1992 if (sc->server->ssl_ctx) {
1993 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02569)
1994 "Illegal attempt to re-initialise SSL for server "
1995 "(SSLEngine On should go in the VirtualHost, not in global scope.)");
1996 return APR_EGENERAL;
1997 }
1998
1999 /* Allow others to provide certificate files */
2000 pks = sc->server->pks;
2001 n = pks->cert_files->nelts;
2002 ap_ssl_add_cert_files(s, p, pks->cert_files, pks->key_files);
2003 ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);
2004
2005 if (apr_is_empty_array(pks->cert_files)) {
2006 /* does someone propose a certiciate to fall back on here? */
2007 ap_ssl_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
2008 ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
2009 if (n < pks->cert_files->nelts) {
2010 pks->service_unavailable = 1;
2011 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
2012 "Init: %s will respond with '503 Service Unavailable' for now. There "
2013 "are no SSL certificates configured and no other module contributed any.",
2014 ssl_util_vhostid(p, s));
2015 }
2016 }
2017
2018 if (n < pks->cert_files->nelts) {
2019 /* additionally installed certs overrides any old chain configuration */
2020 sc->server->cert_chain = NULL;
2021 }
2022
2023 if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
2024 return rv;
2025 }
2026
2027 if ((rv = ssl_init_server_certs(s, p, ptemp, sc->server, pphrases))
2028 != APR_SUCCESS) {
2029 return rv;
2030 }
2031
2032#ifdef HAVE_SSL_CONF_CMD
2033 SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
2034 for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
2035 ERR_clear_error();
2036 if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
2037 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
2038 "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
2039 param->name, param->value, sc->vhost_id);
2040 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
2041 return ssl_die(s);
2042 } else {
2043 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02556)
2044 "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
2045 param->name, param->value, sc->vhost_id);
2046 }
2047 }
2048
2049 if (SSL_CONF_CTX_finish(cctx) == 0) {
2050 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
2051 "SSL_CONF_CTX_finish() failed");
2052 SSL_CONF_CTX_free(cctx);
2053 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
2054 return ssl_die(s);
2055 }
2056#endif
2057
2058 if (SSL_CTX_check_private_key(sc->server->ssl_ctx) != 1) {
2059 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02572)
2060 "Failed to configure at least one certificate and key "
2061 "for %s", sc->vhost_id);
2062 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
2063 return ssl_die(s);
2064 }
2065
2066#if defined(HAVE_OCSP_STAPLING) && defined(SSL_CTRL_SET_CURRENT_CERT)
2067 /*
2068 * OpenSSL 1.0.2 and later allows iterating over all SSL_CTX certs
2069 * by means of SSL_CTX_set_current_cert. Enabling stapling at this
2070 * (late) point makes sure that we catch both certificates loaded
2071 * via SSLCertificateFile and SSLOpenSSLConfCmd Certificate.
2072 */
2073 do {
2074 X509 *cert;
2075 int i = 0;
2076 int ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
2077 SSL_CERT_SET_FIRST);
2078 while (ret) {
2079 cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
2080 if (!cert || !ssl_stapling_init_cert(s, p, ptemp, sc->server,
2081 cert)) {
2082 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02604)
2083 "Unable to configure certificate %s:%d "
2084 "for stapling", sc->vhost_id, i);
2085 }
2086 ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
2087 SSL_CERT_SET_NEXT);
2088 i++;
2089 }
2090 } while(0);
2091#endif
2092
2093#ifdef HAVE_TLS_SESSION_TICKETS
2094 if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) {
2095 return rv;
2096 }
2097#endif
2098
2099 SSL_CTX_set_timeout(sc->server->ssl_ctx,
2100 sc->session_cache_timeout == UNSET ?
2101 SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout);
2102
2103 return APR_SUCCESS;
2104}
2105
2106/*
2107 * Configure a particular server
2108 */
2109apr_status_t ssl_init_ConfigureServer(server_rec *s,
2110 apr_pool_t *p,
2111 apr_pool_t *ptemp,
2112 SSLSrvConfigRec *sc,
2113 apr_array_header_t *pphrases)
2114{
2115 SSLDirConfigRec *sdc = ap_get_module_config(s->lookup_defaults,
2116 &ssl_module);
2117 apr_status_t rv;
2118
2119 /* Initialize the server if SSL is enabled or optional.
2120 */
2121 if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) {
2122 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914)
2123 "Configuring server %s for SSL protocol", sc->vhost_id);
2124 if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases))
2125 != APR_SUCCESS) {
2126 return rv;
2127 }
2128
2129 /* Initialize OCSP Responder certificate if OCSP enabled */
2130 #ifndef OPENSSL_NO_OCSP
2131 ssl_init_ocsp_certificates(s, sc->server);
2132 #endif
2133
2134 }
2135
2136 sdc->proxy->sc = sc;
2137 if (sdc->proxy_enabled == TRUE) {
2138 rv = ssl_init_proxy_ctx(s, p, ptemp, sdc->proxy);
2139 if (rv != APR_SUCCESS) {
2140 return rv;
2141 }
2142 }
2143 else {
2144 sdc->proxy_enabled = FALSE;
2145 }
2146 sdc->proxy_post_config = 1;
2147
2148 return APR_SUCCESS;
2149}
2150
2151apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
2152{
2153 server_rec *s;
2154 SSLSrvConfigRec *sc;
2155#ifndef HAVE_TLSEXT
2156 server_rec *ps;
2157 apr_hash_t *table;
2158 const char *key;
2159 apr_ssize_t klen;
2160
2161 BOOL conflict = FALSE;
2162#endif
2163
2164 /*
2165 * Give out warnings when a server has HTTPS configured
2166 * for the HTTP port or vice versa
2167 */
2168 for (s = base_server; s; s = s->next) {
2169 sc = mySrvConfig(s);
2170
2171 if ((sc->enabled == SSL_ENABLED_TRUE) && (s->port == DEFAULT_HTTP_PORT)) {
2172 ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
2173 base_server, APLOGNO(01915)
2174 "Init: (%s) You configured HTTPS(%d) "
2175 "on the standard HTTP(%d) port!",
2176 ssl_util_vhostid(p, s),
2177 DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
2178 }
2179
2180 if ((sc->enabled == SSL_ENABLED_FALSE) && (s->port == DEFAULT_HTTPS_PORT)) {
2181 ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
2182 base_server, APLOGNO(01916)
2183 "Init: (%s) You configured HTTP(%d) "
2184 "on the standard HTTPS(%d) port!",
2185 ssl_util_vhostid(p, s),
2186 DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
2187 }
2188 }
2189
2190#ifndef HAVE_TLSEXT
2191 /*
2192 * Give out warnings when more than one SSL-aware virtual server uses the
2193 * same IP:port and an OpenSSL version without support for TLS extensions
2194 * (SNI in particular) is used.
2195 */
2196 table = apr_hash_make(p);
2197
2198 for (s = base_server; s; s = s->next) {
2199 char *addr;
2200
2201 sc = mySrvConfig(s);
2202
2203 if (!((sc->enabled == SSL_ENABLED_TRUE) && s->addrs)) {
2204 continue;
2205 }
2206
2207 apr_sockaddr_ip_get(&addr, s->addrs->host_addr);
2208 key = apr_psprintf(p, "%s:%u", addr, s->addrs->host_port);
2209 klen = strlen(key);
2210
2211 if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
2212 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(02662)
2213 "Init: SSL server IP/port conflict: "
2214 "%s (%s:%d) vs. %s (%s:%d)",
2215 ssl_util_vhostid(p, s),
2216 (s->defn_name ? s->defn_name : "unknown"),
2217 s->defn_line_number,
2218 ssl_util_vhostid(p, ps),
2219 (ps->defn_name ? ps->defn_name : "unknown"),
2220 ps->defn_line_number);
2221 conflict = TRUE;
2222 continue;
2223 }
2224
2225 apr_hash_set(table, key, klen, s);
2226 }
2227
2228 if (conflict) {
2229 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
2230 "Init: Name-based SSL virtual hosts require "
2231 "an OpenSSL version with support for TLS extensions "
2232 "(RFC 6066 - Server Name Indication / SNI), "
2233 "but the currently used library version (%s) is "
2234 "lacking this feature", MODSSL_LIBRARY_DYNTEXT);
2235 }
2236#endif
2237
2238 return APR_SUCCESS;
2239}
2240
2241int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
2242 apr_pool_t *ptemp, server_rec *s,
2243 ap_conf_vector_t *section_config)
2244{
2245 SSLDirConfigRec *sdc = ap_get_module_config(s->lookup_defaults,
2246 &ssl_module);
2247 SSLDirConfigRec *pdc = ap_get_module_config(section_config,
2248 &ssl_module);
2249 if (pdc) {
2250 pdc->proxy->sc = mySrvConfig(s);
2251 ssl_config_proxy_merge(p, sdc, pdc);
2252 if (pdc->proxy_enabled) {
2253 apr_status_t rv;
2254
2255 rv = ssl_init_proxy_ctx(s, p, ptemp, pdc->proxy);
2256 if (rv != APR_SUCCESS) {
2257 return !OK;
2258 }
2259
2260 rv = ssl_run_init_server(s, p, 1, pdc->proxy->ssl_ctx);
2261 if (rv != APR_SUCCESS) {
2262 return !OK;
2263 }
2264 }
2265 pdc->proxy_post_config = 1;
2266 }
2267 return OK;
2268}
2269
2270static apr_status_t ssl_init_ca_cert_path(server_rec *s,
2271 apr_pool_t *ptemp,
2272 const char *path,
2273 STACK_OF(X509_NAME) *ca_list,
2274 STACK_OF(X509_INFO) *xi_list)
2275{
2276 apr_dir_t *dir;
2277 apr_finfo_t direntry;
2278 apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
2279
2280 if (!path || (!ca_list && !xi_list) ||
2281 (apr_dir_open(&dir, path, ptemp) != APR_SUCCESS)) {
2282 return APR_EGENERAL;
2283 }
2284
2285 while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
2286 const char *file;
2287 if (direntry.filetype == APR_DIR) {
2288 continue; /* don't try to load directories */
2289 }
2290 file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
2291 if (ca_list) {
2292 SSL_add_file_cert_subjects_to_stack(ca_list, file);
2293 }
2294 if (xi_list) {
2295 load_x509_info(ptemp, xi_list, file);
2296 }
2297 }
2298
2299 apr_dir_close(dir);
2300
2301 return APR_SUCCESS;
2302}
2303
2304STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
2305 apr_pool_t *ptemp,
2306 const char *ca_file,
2307 const char *ca_path)
2308{
2309 STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
2310
2311 /*
2312 * Process CA certificate bundle file
2313 */
2314 if (ca_file) {
2315 SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
2316 /*
2317 * If ca_list is still empty after trying to load ca_file
2318 * then the file failed to load, and users should hear about that.
2319 */
2320 if (sk_X509_NAME_num(ca_list) == 0) {
2321 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02210)
2322 "Failed to load SSLCACertificateFile: %s", ca_file);
2323 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
2324 }
2325 }
2326
2327 /*
2328 * Process CA certificate path files
2329 */
2330 if (ca_path &&
2331 ssl_init_ca_cert_path(s, ptemp,
2332 ca_path, ca_list, NULL) != APR_SUCCESS) {
2333 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02211)
2334 "Failed to open Certificate Path `%s'", ca_path);
2335 sk_X509_NAME_pop_free(ca_list, X509_NAME_free);
2336 return NULL;
2337 }
2338
2339 return ca_list;
2340}
2341
2342void ssl_init_Child(apr_pool_t *p, server_rec *s)
2343{
2344 SSLModConfigRec *mc = myModConfig(s);
2345 mc->pid = getpid(); /* only call getpid() once per-process */
2346
2347 /* XXX: there should be an ap_srand() function */
2348 srand((unsigned int)time(NULL));
2349
2350 /* open the mutex lockfile */
2351 ssl_mutex_reinit(s, p);
2352#ifdef HAVE_OCSP_STAPLING
2353 ssl_stapling_mutex_reinit(s, p);
2354#endif
2355}
2356
2357apr_status_t ssl_init_ModuleKill(void *data)
2358{
2359 SSLSrvConfigRec *sc;
2360 server_rec *base_server = (server_rec *)data;
2361 server_rec *s;
2362
2363 /*
2364 * Drop the session cache and mutex
2365 */
2366 ssl_scache_kill(base_server);
2367
2368 /*
2369 * Free the non-pool allocated structures
2370 * in the per-server configurations
2371 */
2372 for (s = base_server; s; s = s->next) {
2373 sc = mySrvConfig(s);
2374
2375 ssl_init_ctx_cleanup(sc->server);
2376
2377 /* Not Sure but possibly clear X509 trusted cert file */
2378 #ifndef OPENSSL_NO_OCSP
2379 sk_X509_pop_free(sc->server->ocsp_certs, X509_free);
2380 #endif
2381
2382 }
2383
2384#if MODSSL_USE_OPENSSL_PRE_1_1_API
2385 free_dh_params();
2386#else
2387 free_bio_methods();
2388#endif
2389
2390 return APR_SUCCESS;
2391}
n
int n
Definition ap_regex.h:278
len
const char apr_size_t len
Definition ap_regex.h:187
AP_SERVER_BASEVERSION
#define AP_SERVER_BASEVERSION
Definition ap_release.h:75
TRUE
#define TRUE
Definition abts.h:38
FALSE
#define FALSE
Definition abts.h:35
min
#define min(a, b)
Definition apr_random.c:32
pconf
static apr_pool_t * pconf
Definition event.c:441
ap_get_module_config
#define ap_get_module_config(v, m)
Definition http_config.h:550
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition http_config.h:509
ap_server_root_relative
char * ap_server_root_relative(apr_pool_t *p, const char *fname)
Definition config.c:1594
path
request_rec int int apr_table_t const char * path
Definition http_config.h:1172
ps
const char server_rec server_rec ** ps
Definition http_config.h:1186
ap_add_version_component
void ap_add_version_component(apr_pool_t *pconf, const char *component)
Definition core.c:3598
DEFAULT_HTTPS_PORT
#define DEFAULT_HTTPS_PORT
Definition httpd.h:280
DECLINED
#define DECLINED
Definition httpd.h:457
OK
#define OK
Definition httpd.h:456
DEFAULT_HTTP_PORT
#define DEFAULT_HTTP_PORT
Definition httpd.h:278
ap_get_server_protocol
const char * ap_get_server_protocol(server_rec *s)
Definition core.c:3084
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOG_NOTICE
#define APLOG_NOTICE
Definition http_log.h:69
APLOG_STARTUP
#define APLOG_STARTUP
Definition http_log.h:105
APLOG_INFO
#define APLOG_INFO
Definition http_log.h:70
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
APLOG_TRACE3
#define APLOG_TRACE3
Definition http_log.h:74
ap_log_error
#define ap_log_error
Definition http_log.h:370
APLOGdebug
#define APLOGdebug(s)
Definition http_log.h:234
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_WARNING
#define APLOG_WARNING
Definition http_log.h:68
APLOG_EMERG
#define APLOG_EMERG
Definition http_log.h:64
APLOG_TRACE1
#define APLOG_TRACE1
Definition http_log.h:72
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
buf
const unsigned char * buf
Definition util_md5.h:50
ap_ssl_answer_challenge
int ap_ssl_answer_challenge(conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem)
Definition ssl.c:239
ap_ssl_add_cert_files
apr_status_t ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:223
ap_ssl_add_fallback_cert_files
apr_status_t ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:231
ap_max_mem_free
apr_uint32_t ap_max_mem_free
Definition mpm_common.c:155
APR_EGENERAL
#define APR_EGENERAL
Definition apr_errno.h:313
e
apr_bucket * e
Definition apr_buckets.h:699
ctx
apr_brigade_flush void * ctx
Definition apr_buckets.h:802
res
apr_pool_t apr_dbd_t apr_dbd_results_t ** res
Definition apr_dbd.h:287
pkey
apr_datum_t * pkey
Definition apr_dbm.h:158
mc
apr_memcache_t * mc
Definition apr_memcache.h:161
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL
#define APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ns, link, ret, name, args_decl, args_use, ok, decline)
Definition apr_optional_hooks.h:90
HTTP_INTERNAL_SERVER_ERROR
#define HTTP_INTERNAL_SERVER_ERROR
Definition httpd.h:535
BN_get_rfc3526_prime_4096
#define BN_get_rfc3526_prime_4096
Definition ssl_private.h:260
ssl_callback_NewSessionCacheEntry
int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
Definition ssl_engine_kernel.c:2072
ssl_die
apr_status_t ssl_die(server_rec *s)
Definition ssl_engine_log.c:66
SSLLOG_MARK
#define SSLLOG_MARK
Definition ssl_private.h:1156
modssl_get_dh_params
DH * modssl_get_dh_params(unsigned keylen)
Definition ssl_engine_init.c:162
ssl_scache_kill
void ssl_scache_kill(server_rec *)
Definition ssl_scache.c:97
modssl_is_engine_id
int modssl_is_engine_id(const char *name)
Definition ssl_util.c:477
ssl_init_CheckServers
apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
Definition ssl_engine_init.c:2151
modssl_load_engine_keypair
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *pconf, apr_pool_t *ptemp, const char *vhostid, const char *certid, const char *keyid, X509 **pubkey, EVP_PKEY **privkey)
Definition ssl_engine_pphrase.c:1025
SSL_VERIFY_PEER_STRICT
#define SSL_VERIFY_PEER_STRICT
Definition ssl_private.h:463
ssl_config_global_create
SSLModConfigRec * ssl_config_global_create(server_rec *s)
Definition ssl_engine_config.c:42
ssl_init_FindCAList
* ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *)
mySrvConfig
#define mySrvConfig(srv)
Definition ssl_private.h:358
ssl_init_Module
apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *base_server)
Definition ssl_engine_init.c:233
ssl_util_vhostid
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
Definition ssl_util.c:42
SSL_PROTOCOL_TLSV1
#define SSL_PROTOCOL_TLSV1
Definition ssl_private.h:422
ssl_scache_init
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *)
Definition ssl_scache.c:40
BN_get_rfc3526_prime_2048
#define BN_get_rfc3526_prime_2048
Definition ssl_private.h:258
ssl_load_encrypted_pkey
apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx, const char *pkey_file, apr_array_header_t **pphrases)
Definition ssl_engine_pphrase.c:142
ssl_init_ModuleKill
apr_status_t ssl_init_ModuleKill(void *data)
Definition ssl_engine_init.c:2357
modssl_dh_from_file
DH * modssl_dh_from_file(const char *)
Definition ssl_util_ssl.c:468
ssl_callback_TmpDH
DH * ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
Definition ssl_engine_kernel.c:1689
BN_get_rfc2409_prime_1024
#define BN_get_rfc2409_prime_1024
Definition ssl_private.h:256
ssl_var_lookup
char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
Definition mod_nw_ssl.c:956
MODSSL_SSL_METHOD_CONST
#define MODSSL_SSL_METHOD_CONST
Definition ssl_private.h:145
ssl_proxy_section_post_config
int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
Definition ssl_engine_init.c:2241
ssl_config_proxy_merge
void ssl_config_proxy_merge(apr_pool_t *p, SSLDirConfigRec *base, SSLDirConfigRec *conf)
Definition ssl_engine_config.c:535
BN_get_rfc3526_prime_8192
#define BN_get_rfc3526_prime_8192
Definition ssl_private.h:262
myModConfig
#define myModConfig(srv)
Definition ssl_private.h:364
BN_get_rfc3526_prime_3072
#define BN_get_rfc3526_prime_3072
Definition ssl_private.h:259
ssl_log_ssl_error
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
Definition ssl_engine_log.c:94
BN_get_rfc3526_prime_6144
#define BN_get_rfc3526_prime_6144
Definition ssl_private.h:261
ssl_is_challenge
int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey, const char **pcert_pem, const char **pkey_pem)
Definition ssl_engine_init.c:196
DH_bits
#define DH_bits(x)
Definition ssl_private.h:268
ssl_stapling_mutex_reinit
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
ssl_callback_Info
void ssl_callback_Info(const SSL *ssl, int where, int rc)
Definition ssl_engine_kernel.c:2266
ssl_callback_DelSessionCacheEntry
void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx, SSL_SESSION *session)
Definition ssl_engine_kernel.c:2158
ssl_init_Engine
apr_status_t ssl_init_Engine(server_rec *s, apr_pool_t *p)
Definition ssl_engine_init.c:487
SSL_SESSION_CACHE_TIMEOUT
#define SSL_SESSION_CACHE_TIMEOUT
Definition ssl_private.h:374
ssl_asn1_table_get
ssl_asn1_t * ssl_asn1_table_get(apr_hash_t *table, const char *key)
Definition ssl_util.c:228
ssl_init_ConfigureServer
apr_status_t ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, SSLSrvConfigRec *sc, apr_array_header_t *pphrases)
Definition ssl_engine_init.c:2109
ssl_mutex_init
int ssl_mutex_init(server_rec *s, apr_pool_t *p)
Definition ssl_engine_mutex.c:33
ssl_callback_GetSessionCacheEntry
SSL_SESSION * ssl_callback_GetSessionCacheEntry(SSL *ssl, unsigned char *id, int idlen, int *do_copy)
Definition ssl_engine_kernel.c:2123
ssl_init_Child
void ssl_init_Child(apr_pool_t *p, server_rec *s)
Definition ssl_engine_init.c:2342
BOOL
#define BOOL
Definition ssl_private.h:81
SSL_PROTOCOL_NONE
#define SSL_PROTOCOL_NONE
Definition ssl_private.h:418
ssl_rand_seed
int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
Definition ssl_engine_rand.c:41
NUL
#define NUL
Definition ssl_private.h:325
ssl_mutex_reinit
int ssl_mutex_reinit(server_rec *s, apr_pool_t *p)
Definition ssl_engine_mutex.c:59
ssl_callback_proxy_cert
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
Definition ssl_engine_kernel.c:1946
SSL_PROTOCOL_SSLV3
#define SSL_PROTOCOL_SSLV3
Definition ssl_private.h:420
ssl_init_ocsp_certificates
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
Definition ssl_util_ocsp.c:401
ssl_config_global_fix
void ssl_config_global_fix(SSLModConfigRec *mc)
Definition ssl_engine_config.c:93
ssl_callback_SSLVerify
int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
Definition ssl_engine_kernel.c:1737
SSL_OCSPCHECK_NONE
@ SSL_OCSPCHECK_NONE
Definition ssl_private.h:489
SSL_ENABLED_TRUE
@ SSL_ENABLED_TRUE
Definition ssl_private.h:520
SSL_ENABLED_UNSET
@ SSL_ENABLED_UNSET
Definition ssl_private.h:518
SSL_ENABLED_FALSE
@ SSL_ENABLED_FALSE
Definition ssl_private.h:519
SSL_ENABLED_OPTIONAL
@ SSL_ENABLED_OPTIONAL
Definition ssl_private.h:521
SSL_RSCTX_STARTUP
@ SSL_RSCTX_STARTUP
Definition ssl_private.h:536
SSL_CVERIFY_OPTIONAL
@ SSL_CVERIFY_OPTIONAL
Definition ssl_private.h:458
SSL_CVERIFY_OPTIONAL_NO_CA
@ SSL_CVERIFY_OPTIONAL_NO_CA
Definition ssl_private.h:460
SSL_CVERIFY_UNSET
@ SSL_CVERIFY_UNSET
Definition ssl_private.h:456
SSL_CVERIFY_NONE
@ SSL_CVERIFY_NONE
Definition ssl_private.h:457
SSL_CVERIFY_REQUIRE
@ SSL_CVERIFY_REQUIRE
Definition ssl_private.h:459
SSL_CRLCHECK_LEAF
@ SSL_CRLCHECK_LEAF
Definition ssl_private.h:478
SSL_CRLCHECK_NONE
@ SSL_CRLCHECK_NONE
Definition ssl_private.h:477
SSL_CRLCHECK_CHAIN
@ SSL_CRLCHECK_CHAIN
Definition ssl_private.h:479
SSL_PPTYPE_BUILTIN
@ SSL_PPTYPE_BUILTIN
Definition ssl_private.h:500
SSL_PPTYPE_UNSET
@ SSL_PPTYPE_UNSET
Definition ssl_private.h:499
modssl_init_app_data2_idx
void modssl_init_app_data2_idx(void)
Definition ssl_util_ssl.c:43
MODSSL_LIBRARY_VERSION
#define MODSSL_LIBRARY_VERSION
Definition ssl_util_ssl.h:41
MODSSL_LIBRARY_DYNTEXT
#define MODSSL_LIBRARY_DYNTEXT
Definition ssl_util_ssl.h:47
MODSSL_LIBRARY_NAME
#define MODSSL_LIBRARY_NAME
Definition ssl_util_ssl.h:42
MODSSL_LIBRARY_TEXT
#define MODSSL_LIBRARY_TEXT
Definition ssl_util_ssl.h:43
modssl_X509_getBC
unsigned int modssl_X509_getBC(X509 *cert, int *ca, int *pathlen)
Definition ssl_util_ssl.c:159
ssl_run_answer_challenge
int ssl_run_answer_challenge(conn_rec *c, const char *server_name, X509 **pcert, EVP_PKEY **pkey)
Definition ssl_engine_init.c:57
ssl_run_init_server
int ssl_run_init_server(server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)
Definition ssl_engine_init.c:39
ssl_run_add_fallback_cert_files
int ssl_run_add_fallback_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl_engine_init.c:51
ssl_run_add_cert_files
int ssl_run_add_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl_engine_init.c:45
AP_DEBUG_ASSERT
#define AP_DEBUG_ASSERT(exp)
Definition httpd.h:2283
ap_assert
#define ap_assert(exp)
Definition httpd.h:2271
APR_ALLOCATOR_MAX_FREE_UNLIMITED
#define APR_ALLOCATOR_MAX_FREE_UNLIMITED
Definition apr_allocator.h:67
size
apr_size_t size
Definition apr_allocator.h:115
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
APR_DIR
@ APR_DIR
Definition apr_file_info.h:65
key
const char * key
Definition apr_file_io.h:822
data
void * data
Definition apr_file_io.h:832
file
const char apr_file_t * file
Definition apr_file_io.h:823
APR_READ
#define APR_READ
Definition apr_file_io.h:93
APR_BINARY
#define APR_BINARY
Definition apr_file_io.h:98
APR_FOPEN_APPEND
#define APR_FOPEN_APPEND
Definition apr_file_io.h:57
APR_FOPEN_WRITE
#define APR_FOPEN_WRITE
Definition apr_file_io.h:55
APR_FOPEN_LARGEFILE
#define APR_FOPEN_LARGEFILE
Definition apr_file_io.h:82
APR_FOPEN_CREATE
#define APR_FOPEN_CREATE
Definition apr_file_io.h:56
APR_FPROT_UWRITE
#define APR_FPROT_UWRITE
Definition apr_file_info.h:81
APR_OS_DEFAULT
#define APR_OS_DEFAULT
Definition apr_file_info.h:112
APR_FPROT_UREAD
#define APR_FPROT_UREAD
Definition apr_file_info.h:80
APR_FINFO_NAME
#define APR_FINFO_NAME
Definition apr_file_info.h:161
APR_FINFO_TYPE
#define APR_FINFO_TYPE
Definition apr_file_info.h:154
klen
apr_ssize_t * klen
Definition apr_hash.h:71
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
addr
apr_sockaddr_t * addr
Definition apr_network_io.h:913
protocol
int int int protocol
Definition apr_network_io.h:319
method
apr_uint32_t apr_pool_t apr_uint32_t apr_pollset_method_e method
Definition apr_poll.h:195
apr_pcalloc
#define apr_pcalloc(p, size)
Definition apr_pools.h:465
dir
apr_dir_t * dir
Definition apr_portable.h:240
filename
apr_size_t const char * filename
Definition apr_shm.h:72
s
const char * s
Definition apr_strings.h:95
APR_ARRAY_IDX
#define APR_ARRAY_IDX(ary, i, type)
Definition apr_tables.h:141
err
apr_int32_t apr_int32_t apr_int32_t err
Definition apr_thread_proc.h:418
in
apr_int32_t in
Definition apr_thread_proc.h:417
p
apr_pool_t * p
Definition md_event.c:32
UNSET
#define UNSET
Definition mod_authz_core.c:92
mod_md.h
strEQ
#define strEQ(s1, s2)
Definition mod_nw_ssl.c:88
NULL
return NULL
Definition mod_so.c:359
i
int i
Definition mod_so.c:347
mpm_common.h
Multi-Processing Modules functions.
ssl_init_proxy_ctx
static apr_status_t ssl_init_proxy_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *proxy)
Definition ssl_engine_init.c:1947
ssl_init_server_certs
static apr_status_t ssl_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx, apr_array_header_t *pphrases)
Definition ssl_engine_init.c:1360
ssl_init_server_ctx
static apr_status_t ssl_init_server_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, SSLSrvConfigRec *sc, apr_array_header_t *pphrases)
Definition ssl_engine_init.c:1974
ssl_init_ctx_protocol
static apr_status_t ssl_init_ctx_protocol(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:610
modssl_runtime_lib_version
static APR_INLINE unsigned long modssl_runtime_lib_version(void)
Definition ssl_engine_init.c:220
ssl_init_ctx_cert_chain
static apr_status_t ssl_init_ctx_cert_chain(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:1207
use_certificate_chain
static int use_certificate_chain(SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
Definition ssl_engine_init.c:1151
init_dh_params
static void init_dh_params(void)
Definition ssl_engine_init.c:134
ssl_add_version_components
static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, server_rec *s)
Definition ssl_engine_init.c:174
MODSSL_CFG_ITEM_FREE
#define MODSSL_CFG_ITEM_FREE(func, item)
Definition ssl_engine_init.c:1904
modssl_X509_STORE_load_locations
static APR_INLINE int modssl_X509_STORE_load_locations(X509_STORE *store, const char *file, const char *path)
Definition ssl_engine_init.c:1060
load_x509_info
static unsigned int load_x509_info(apr_pool_t *ptemp, STACK_OF(X509_INFO) *sk, const char *filename)
Definition ssl_engine_init.c:1704
ssl_init_ctx_crl
static apr_status_t ssl_init_ctx_crl(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:1076
MODSSL_BLOCKS_RENEG
#define MODSSL_BLOCKS_RENEG
Definition ssl_engine_init.c:887
modssl_CTX_load_verify_locations
static APR_INLINE int modssl_CTX_load_verify_locations(SSL_CTX *ctx, const char *file, const char *path)
Definition ssl_engine_init.c:917
STACK_OF
STACK_OF(X509_NAME)
Definition ssl_engine_init.c:2304
free_dh_params
static void free_dh_params(void)
Definition ssl_engine_init.c:142
ssl_init_ctx_cipher_suite
static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:1018
ssl_init_ca_cert_path
static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *, STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *)
Definition ssl_engine_init.c:2270
ssl_init_ctx_callbacks
static void ssl_init_ctx_callbacks(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:890
DH_set0_pqg
static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
Definition ssl_engine_init.c:75
ssl_check_public_cert
static void ssl_check_public_cert(server_rec *s, apr_pool_t *ptemp, X509 *cert, const char *key_id)
Definition ssl_engine_init.c:1300
ssl_init_ctx_cleanup
static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
Definition ssl_engine_init.c:1910
ssl_init_proxy_certs
static apr_status_t ssl_init_proxy_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:1728
ssl_init_ctx_verify
static apr_status_t ssl_init_ctx_verify(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:933
ssl_no_passwd_prompt_cb
static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag, void *userdata)
Definition ssl_engine_init.c:1339
ssl_init_ctx_session_cache
static void ssl_init_ctx_session_cache(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:865
make_dh_params
static DH * make_dh_params(BIGNUM *(*prime)(BIGNUM *))
Definition ssl_engine_init.c:98
dhparams
static struct dhparam dhparams[]
ssl_cleanup_proxy_ctx
static apr_status_t ssl_cleanup_proxy_ctx(void *data)
Definition ssl_engine_init.c:1922
ssl_init_ctx
static apr_status_t ssl_init_ctx(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, modssl_ctx_t *mctx)
Definition ssl_engine_init.c:1257
CHECK_PRIVKEY_ERROR
#define CHECK_PRIVKEY_ERROR(ec)
Definition ssl_engine_init.c:1352
ssl_log_xerror
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *ptemp, server_rec *s, X509 *cert, const char *fmt,...)
Definition ssl_engine_log.c:211
ssl_private.h
Internal interfaces private to mod_ssl.
modssl_X509_match_name
unsigned int modssl_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, unsigned int allow_wildcard, server_rec *s)
Definition ssl_util_ssl.c:390
SSLSrvConfigRec::cipher_server_pref
unsigned int cipher_server_pref
Definition ssl_private.h:834
SSLSrvConfigRec::vhost_id
const char * vhost_id
Definition ssl_private.h:831
SSLSrvConfigRec::session_tickets
unsigned int session_tickets
Definition ssl_private.h:843
SSLSrvConfigRec::server
modssl_ctx_t * server
Definition ssl_private.h:836
SSLSrvConfigRec::enabled
ssl_enabled_t enabled
Definition ssl_private.h:830
SSLSrvConfigRec::compression
unsigned int compression
Definition ssl_private.h:841
SSLSrvConfigRec::insecure_reneg
unsigned int insecure_reneg
Definition ssl_private.h:835
apr_array_header_t
Definition apr_tables.h:62
apr_array_header_t::nelts
int nelts
Definition apr_tables.h:68
apr_dir_t
Definition apr_arch_file_io.h:124
apr_file_t
Definition apr_arch_file_io.h:97
apr_finfo_t
Definition apr_file_info.h:174
apr_hash_t
Definition apr_hash.c:75
apr_pool_t
Definition apr_pools.c:562
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
dhparam::min
const unsigned int min
Definition ssl_engine_init.c:124
dhparam::prime
BIGNUM *(*const prime)(BIGNUM *)
Definition ssl_engine_init.c:122
modssl_ctx_t
Definition ssl_private.h:755
modssl_ctx_t::pphrase_dialog_type
ssl_pphrase_t pphrase_dialog_type
Definition ssl_private.h:771
modssl_ctx_t::sc
SSLSrvConfigRec * sc
Definition ssl_private.h:756
modssl_ctx_t::ssl_ctx
SSL_CTX * ssl_ctx
Definition ssl_private.h:757
modssl_ctx_t::pks
modssl_pk_server_t * pks
Definition ssl_private.h:760
modssl_ctx_t::cert_chain
const char * cert_chain
Definition ssl_private.h:774
modssl_pk_proxy_t
Definition ssl_private.h:703
modssl_pk_proxy_t::cert_file
const char * cert_file
Definition ssl_private.h:705
modssl_pk_proxy_t::ca_cert_file
const char * ca_cert_file
Definition ssl_private.h:707
modssl_pk_proxy_t::cert_path
const char * cert_path
Definition ssl_private.h:706
modssl_pk_server_t
Definition ssl_private.h:689
modssl_pk_server_t::key_files
apr_array_header_t * key_files
Definition ssl_private.h:692
modssl_pk_server_t::cert_files
apr_array_header_t * cert_files
Definition ssl_private.h:691
modssl_pk_server_t::service_unavailable
int service_unavailable
Definition ssl_private.h:700
param_s
Definition mod_mime.c:96
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
server_rec::defn_line_number
unsigned defn_line_number
Definition httpd.h:1348
server_rec::defn_name
const char * defn_name
Definition httpd.h:1346
server_rec::next
server_rec * next
Definition httpd.h:1326
ssl_asn1_t
Definition ssl_private.h:555
apr_dir_read
apr_status_t apr_dir_read(apr_finfo_t *finfo, apr_int32_t wanted, apr_dir_t *thedir)
Definition dir.c:142
apr_dir_close
apr_status_t apr_dir_close(apr_dir_t *thedir)
Definition dir.c:109
apr_dir_open
apr_status_t apr_dir_open(apr_dir_t **new, const char *dirname, apr_pool_t *pool)
Definition dir.c:75
keylen
static size_t keylen(KEY s)
Definition xmlparse.c:7166
Generated by doxygen 1.9.8