You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Christophe JAILLET <ch...@wanadoo.fr> on 2017/04/23 03:45:14 UTC
Re: svn commit: r1734561 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Hi,
this patch (and the ones listed in the corresponding backport proposal
(http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?sortby=date&r1=1748338&r2=1748337&pathrev=1748338)
adds a new optional parameter to "SSLCARevocationCheck" and
"SSLProxyCARevocationCheck" (i.e. "no_crl_for_cert_ok").
However, it is only documented for "SSLCARevocationCheck".
I think that "SSLProxyCARevocationCheck" has been forgotten in the
process. (in doc and in CHANGES)
I guess that a (slightly tweaked) cut'n'paste from
"SSLCARevocationCheck" documentation would be just fine. But not been a
mod_ssl expert, confirmation would be much appreciated.
This has been introduced in 2.4.21.
CJ
Le 11/03/2016 � 14:51, ylavic@apache.org a �crit :
> Author: ylavic
> Date: Fri Mar 11 13:51:17 2016
> New Revision: 1734561
>
> URL: http://svn.apache.org/viewvc?rev=1734561&view=rev
> Log:
> mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive
> to opt-in previous behaviour (2.2) with CRLs verification when checking
> certificate(s) with no corresponding CRL.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
>
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Mar 11 13:51:17 2016
> @@ -1,6 +1,10 @@
> -*- coding: utf-8 -*-
> Changes with Apache 2.5.0
>
> + *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
> + to opt-in previous behaviour (2.2) with CRLs verification when checking
> + certificate(s) with no corresponding CRL. [Yann Ylavic]
> +
> *) mod_proxy_http2: rescheduling of requests that have not been processed
> by the backend when receiving a GOAWAY frame before done.
> [Stefan Eissing]
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Fri Mar 11 13:51:17 2016
> @@ -1205,10 +1205,12 @@ SSLCARevocationFile /usr/local/apache2/c
> <directivesynopsis>
> <name>SSLCARevocationCheck</name>
> <description>Enable CRL-based revocation checking</description>
> -<syntax>SSLCARevocationCheck chain|leaf|none</syntax>
> +<syntax>SSLCARevocationCheck chain|leaf|none <em>flag</em>s</syntax>
> <default>SSLCARevocationCheck none</default>
> <contextlist><context>server config</context>
> <context>virtual host</context></contextlist>
> +<compatibility>Optional <em>flag</em>s available in httpd 2.5-dev or
> +later</compatibility>
>
> <usage>
> <p>
> @@ -1219,25 +1221,38 @@ configured. When set to <code>chain</cod
> CRL checks are applied to all certificates in the chain, while setting it to
> <code>leaf</code> limits the checks to the end-entity cert.
> </p>
> -<note>
> -<title>When set to <code>chain</code> or <code>leaf</code>,
> -CRLs <em>must</em> be available for successful validation</title>
> -<p>
> -Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when
> -no CRL(s) were found in any of the locations configured with
> -<directive module="mod_ssl">SSLCARevocationFile</directive>
> -or <directive module="mod_ssl">SSLCARevocationPath</directive>.
> -With the introduction of this directive, the behavior has been changed:
> -when checking is enabled, CRLs <em>must</em> be present for the validation
> -to succeed - otherwise it will fail with an
> -<code>"unable to get certificate CRL"</code> error.
> -</p>
> -</note>
> +The available <em>flag</em>s are:</p>
> +<ul>
> +<li><code>no_crl_for_cert_ok</code>
> + <p>
> + Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when
> + no CRL(s) for the checked certificate(s) were found in any of the locations
> + configured with <directive module="mod_ssl">SSLCARevocationFile</directive>
> + or <directive module="mod_ssl">SSLCARevocationPath</directive>.
> + </p>
> + <p>
> + With the introduction of <directive>SSLCARevocationFile</directive>,
> + the behavior has been changed: by default with <code>chain</code> or
> + <code>leaf</code>, CRLs <strong>must</strong> be present for the
> + validation to succeed - otherwise it will fail with an
> + <code>"unable to get certificate CRL"</code> error.
> + </p>
> + <p>
> + The <em>flag</em> <code>no_crl_for_cert_ok</code> allows to restore
> + previous behaviour.
> + </p>
> +</li>
> +</ul>
> <example><title>Example</title>
> <highlight language="config">
> SSLCARevocationCheck chain
> </highlight>
> </example>
> +<example><title>Compatibility with versions 2.2</title>
> +<highlight language="config">
> +SSLCARevocationCheck chain no_crl_for_cert_ok
> +</highlight>
> +</example>
> </usage>
> </directivesynopsis>
>
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Fri Mar 11 13:51:17 2016
> @@ -124,7 +124,7 @@ static const command_rec ssl_config_cmds
> SSL_CMD_SRV(CARevocationFile, TAKE1,
> "SSL CA Certificate Revocation List (CRL) file "
> "('/path/to/file' - PEM encoded)")
> - SSL_CMD_SRV(CARevocationCheck, TAKE1,
> + SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
> "SSL CA Certificate Revocation List (CRL) checking mode")
> SSL_CMD_ALL(VerifyClient, TAKE1,
> "SSL Client verify type "
> @@ -202,7 +202,7 @@ static const command_rec ssl_config_cmds
> SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
> "SSL Proxy: CA Certificate Revocation List (CRL) file "
> "('/path/to/file' - PEM encoded)")
> - SSL_CMD_SRV(ProxyCARevocationCheck, TAKE1,
> + SSL_CMD_SRV(ProxyCARevocationCheck, RAW_ARGS,
> "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
> SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
> "SSL Proxy: file containing client certificates "
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Fri Mar 11 13:51:17 2016
> @@ -122,6 +122,7 @@ static void modssl_ctx_init(modssl_ctx_t
> mctx->crl_path = NULL;
> mctx->crl_file = NULL;
> mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
> + mctx->crl_check_flags = UNSET;
>
> mctx->auth.ca_cert_path = NULL;
> mctx->auth.ca_cert_file = NULL;
> @@ -272,6 +273,7 @@ static void modssl_ctx_cfg_merge(apr_poo
> cfgMerge(crl_path, NULL);
> cfgMerge(crl_file, NULL);
> cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
> + cfgMergeInt(crl_check_flags);
>
> cfgMergeString(auth.ca_cert_path);
> cfgMergeString(auth.ca_cert_file);
> @@ -998,8 +1000,29 @@ const char *ssl_cmd_SSLCARevocationCheck
> const char *arg)
> {
> SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> + const char *err, *w;
>
> - return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mode);
> + w = ap_getword_conf(cmd->temp_pool, &arg);
> + err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode);
> + if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) {
> + return err;
> + }
> +
> + if (sc->server->crl_check_flags == UNSET) {
> + sc->server->crl_check_flags = 0;
> + }
> + while (*arg) {
> + w = ap_getword_conf(cmd->temp_pool, &arg);
> + if (strcEQ(w, "no_crl_for_cert_ok")) {
> + sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
> + }
> + else {
> + return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
> + ": Invalid flag '", w, "'",
> + NULL);
> + }
> + }
> + return NULL;
> }
>
> static const char *ssl_cmd_verify_parse(cmd_parms *parms,
> @@ -1512,8 +1535,29 @@ const char *ssl_cmd_SSLProxyCARevocation
> const char *arg)
> {
> SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> + const char *err, *w;
>
> - return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mode);
> + w = ap_getword_conf(cmd->temp_pool, &arg);
> + err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode);
> + if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) {
> + return err;
> + }
> +
> + if (sc->proxy->crl_check_flags == UNSET) {
> + sc->proxy->crl_check_flags = 0;
> + }
> + while (*arg) {
> + w = ap_getword_conf(cmd->temp_pool, &arg);
> + if (strcEQ(w, "no_crl_for_cert_ok")) {
> + sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
> + }
> + else {
> + return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
> + ": Invalid flag '", w, "'",
> + NULL);
> + }
> + }
> + return NULL;
> }
>
> const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Fri Mar 11 13:51:17 2016
> @@ -229,6 +229,13 @@ apr_status_t ssl_init_Module(apr_pool_t
> sc->fips = FALSE;
> }
> #endif
> +
> + if (sc->server && sc->server->crl_check_flags == UNSET) {
> + sc->server->crl_check_flags = 0;
> + }
> + if (sc->proxy && sc->proxy->crl_check_flags == UNSET) {
> + sc->proxy->crl_check_flags = 0;
> + }
> }
>
> #if APR_HAS_THREADS
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Mar 11 13:51:17 2016
> @@ -1581,10 +1581,11 @@ int ssl_callback_SSLVerify(int ok, X509_
> ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, conn,
> X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
> "Certificate Verification, depth %d, "
> - "CRL checking mode: %s", errdepth,
> + "CRL checking mode: %s (%x)", errdepth,
> mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ?
> "chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ?
> - "leaf" : "none"));
> + "leaf" : "none"),
> + mctx->crl_check_flags);
>
> /*
> * Check for optionally acceptable non-verifiable issuer situation
> @@ -1633,6 +1634,12 @@ int ssl_callback_SSLVerify(int ok, X509_
> X509_STORE_CTX_set_error(ctx, -1);
> }
>
> + if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
> + && (sc->server->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) {
> + errnum = X509_V_OK;
> + ok = TRUE;
> + }
> +
> #ifndef OPENSSL_NO_OCSP
> /*
> * Perform OCSP-based revocation checks
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1734561&r1=1734560&r2=1734561&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Mar 11 13:51:17 2016
> @@ -338,6 +338,7 @@ typedef enum {
> /**
> * CRL checking modes
> */
> +#define MODSSL_CCF_NO_CRL_FOR_CERT_OK (1 << 0)
> typedef enum {
> SSL_CRLCHECK_UNSET = UNSET,
> SSL_CRLCHECK_NONE = 0,
> @@ -601,6 +602,7 @@ typedef struct {
> const char *crl_path;
> const char *crl_file;
> ssl_crlcheck_t crl_check_mode;
> + int crl_check_flags;
>
> #ifdef HAVE_OCSP_STAPLING
> /** OCSP stapling options */
>
>
>