Posted to cvs@httpd.apache.org by dr...@apache.org on 2012/12/13 15:52:49 UTC

svn commit: r1421323 - in /httpd/httpd/trunk: CHANGES docs/log-message-tags/next-number modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h

Author: drh
Date: Thu Dec 13 14:52:47 2012
New Revision: 1421323

URL: http://svn.apache.org/viewvc?rev=1421323&view=rev
Log:
Add support for OpenSSL configuration commands.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/log-message-tags/next-number
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1421323&r1=1421322&r2=1421323&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Dec 13 14:52:47 2012
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Add support for OpenSSL configuration commands [Stephen Henson]
+
   *) EventOpt MPM
 
   *) mod_proxy_balancer: Improve output

Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1421323&r1=1421322&r2=1421323&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Thu Dec 13 14:52:47 2012
@@ -1 +1 @@
-2407
+2408

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1421323&r1=1421322&r2=1421323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Thu Dec 13 14:52:47 2012
@@ -272,6 +272,11 @@ static const command_rec ssl_config_cmds
                 "SSL stapling option to Force the OCSP Stapling URL")
 #endif
 
+#ifdef HAVE_SSL_CONF_CMD
+    SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
+		"OpenSSL configuration command")
+#endif
+
     /* Deprecated directives. */
     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
       "SSLLog directive is no longer supported - use ErrorLog."),

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1421323&r1=1421322&r2=1421323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Dec 13 14:52:47 2012
@@ -100,7 +100,7 @@ BOOL ssl_config_global_isfixed(SSLModCon
 **  _________________________________________________________________
 */
 
-static void modssl_ctx_init(modssl_ctx_t *mctx)
+static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
 {
     mctx->sc                  = NULL; /* set during module init */
 
@@ -159,6 +159,9 @@ static void modssl_ctx_init(modssl_ctx_t
     mctx->srp_unknown_user_seed = NULL;
     mctx->srp_vbase =             NULL;
 #endif
+#ifdef HAVE_SSL_CONF_CMD
+    mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t));
+#endif
 }
 
 static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -168,7 +171,7 @@ static void modssl_ctx_init_proxy(SSLSrv
 
     mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));
 
-    modssl_ctx_init(mctx);
+    modssl_ctx_init(mctx, p);
 
     mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
 
@@ -186,7 +189,7 @@ static void modssl_ctx_init_server(SSLSr
 
     mctx = sc->server = apr_palloc(p, sizeof(*sc->server));
 
-    modssl_ctx_init(mctx);
+    modssl_ctx_init(mctx, p);
 
     mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
 
@@ -293,6 +296,11 @@ static void modssl_ctx_cfg_merge(modssl_
     cfgMergeString(srp_vfile);
     cfgMergeString(srp_unknown_user_seed);
 #endif
+
+#ifdef HAVE_SSL_CONF_CMD
+    apr_array_cat(mrg->ssl_ctx_param,  base->ssl_ctx_param);
+    apr_array_cat(mrg->ssl_ctx_param,  add->ssl_ctx_param);
+#endif
 }
 
 static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
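Review bot: The merge is purely additive — the base server's commands are concatenated first, then the vhost's own — so a vhost can append to but never drop an inherited command, and nothing in the hunk says so. A comment above the two apr_array_cat() calls would spare the next reader the check: `/* Inherited commands are applied first, the vhost's own last; a vhost can add to but not remove the base server's commands. */`. Whether a command name repeated in both lists overrides or accumulates is decided by OpenSSL per command, so that belongs in the directive's manual page rather than here.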
@@ -1848,7 +1856,18 @@ const char *ssl_cmd_SSLStaplingForceURL(
 }
 
 #endif /* HAVE_OCSP_STAPLING */
-
+#ifdef HAVE_SSL_CONF_CMD
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
+					const char *arg1, const char *arg2)
+{
+    ssl_ctx_param_t *param;
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    param = apr_array_push(sc->server->ssl_ctx_param);
+    param->name = arg1;
+    param->value = arg2;
+    return NULL;
+}
+#endif
 #ifndef OPENSSL_NO_SRP
 
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
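Review bot: The handler stores arg1 and arg2 without examining them, so a misspelt command name or an unreadable file is only discovered at startup inside ssl_init_ctx_protocol(), as an APLOG_EMERG plus ssl_die() that cannot name the offending config line, whereas the neighbouring ssl_cmd_* handlers report such problems from the directive itself. OpenSSL can answer "is this a known command, and does it take a file or directory" without an SSL_CTX via SSL_CONF_cmd_value_type() on a throw-away SSL_CONF_CTX carrying the same flags the init code uses, which lets the handler return a config error and run the same path checks the file-taking directives presumably use (ssl_cmd_check_file / ssl_cmd_check_dir — confirm their signatures in this file before relying on them). The entries are pushed onto sc->server only, so SSLOpenSSLConfCmd never reaches the proxy (client) context; that is worth one sentence in the directive's documentation. dcfg is unused, as in the other server-scope handlers.
```c
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
                                      const char *arg1, const char *arg2)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    SSL_CONF_CTX *cctx;
    ssl_ctx_param_t *param;
    const char *err = NULL;
    int value_type;

    /* Reject unknown command names here, while the directive's file and
     * line are still known, instead of at startup in ssl_init_ctx_protocol().
     * The flags mirror those used at init time so "known" means the same
     * thing in both places. */
    cctx = SSL_CONF_CTX_new();
    if (!cctx) {
        return "SSLOpenSSLConfCmd: SSL_CONF_CTX_new() failed";
    }
    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER);
    value_type = SSL_CONF_cmd_value_type(cctx, arg1);
    if (value_type == SSL_CONF_TYPE_UNKNOWN) {
        err = apr_psprintf(cmd->pool,
                           "Unknown OpenSSL configuration command '%s'", arg1);
    }
    else if (value_type == SSL_CONF_TYPE_FILE) {
        err = ssl_cmd_check_file(cmd, &arg2);   /* as the certificate directives do */
    }
    else if (value_type == SSL_CONF_TYPE_DIR) {
        err = ssl_cmd_check_dir(cmd, &arg2);
    }
    SSL_CONF_CTX_free(cctx);
    if (err) {
        return err;
    }

    /* … unchanged: apr_array_push onto sc->server->ssl_ctx_param, store name/value, return NULL … */
}
```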

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1421323&r1=1421322&r2=1421323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Dec 13 14:52:47 2012
@@ -687,6 +687,26 @@ static void ssl_init_ctx_protocol(server
     SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
 
+#ifdef HAVE_SSL_CONF_CMD
+{
+    ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
+    SSL_CONF_CTX *cctx;
+    int i;
+    cctx = SSL_CONF_CTX_new();
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE|SSL_CONF_FLAG_SERVER);
+    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+    for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
+        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
+                    "Error SSL_CONF_cmd(%s,%s)", param->name, param->value);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            ssl_die(s);
+        }    
+    }
+    SSL_CONF_CTX_free(cctx);
+}
+#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
     /* If httpd is configured to reduce mem usage, ask openssl to do so, too */
     if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
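Review bot: The return of `SSL_CONF_CTX_new()` on the fourth added line is used without a NULL check, and the block frees the context without ever calling `SSL_CONF_CTX_finish()`, which OpenSSL requires after the last command to carry out anything a command only recorded and which itself returns 0 on failure. Adding `SSL_CONF_FLAG_SHOW_ERRORS` to the flags makes a rejected command leave its reason on the OpenSSL error queue, so the `ssl_log_ssl_error()` call already in the loop reports why a command failed rather than only which one. Style: the block's braces sit at column 0 inside the function body and the closing brace of the `if` carries trailing whitespace; the fence below indents the block like the surrounding code. `SSL_CONF_FLAG_SERVER` is set unconditionally; if ssl_init_ctx_protocol() is also run for the proxy (client-side) context the flag should presumably follow `mctx`, though with the directive storing only into sc->server the proxy array is empty today. ssl_init_ctx_protocol() starts and ends outside the hunk.
```c
#ifdef HAVE_SSL_CONF_CMD
    {
        ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
        SSL_CONF_CTX *cctx = SSL_CONF_CTX_new();
        int i;

        if (!cctx) {
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                         APLOGNO(XXXXX) /* placeholder: allocate from docs/log-message-tags/next-number */
                         "SSL_CONF_CTX_new() failed");
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
            ssl_die(s);
        }
        /* SHOW_ERRORS makes a rejected command explain itself on the
         * OpenSSL error queue, which ssl_log_ssl_error() prints below. */
        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER
                                     | SSL_CONF_FLAG_SHOW_ERRORS);
        SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
        for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
            if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
                /* … unchanged: APLOGNO(02407) log, ssl_log_ssl_error, ssl_die … */
            }
        }
        /* A command may only record work to be done; finish() performs it
         * and can fail in its own right. */
        if (SSL_CONF_CTX_finish(cctx) != 1) {
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                         APLOGNO(XXXXX) /* placeholder: allocate from docs/log-message-tags/next-number */
                         "Error SSL_CONF_CTX_finish()");
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
            ssl_die(s);
        }
        SSL_CONF_CTX_free(cctx);
    }
#endif
```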

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1421323&r1=1421322&r2=1421323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Thu Dec 13 14:52:47 2012
@@ -144,6 +144,10 @@
 #define HAVE_TLS_NPN
 #endif
 
+#ifdef SSL_CONF_FLAG_FILE
+#define HAVE_SSL_CONF_CMD
+#endif
+
 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
 #define MODSSL_SSL_CIPHER_CONST const
 #define MODSSL_SSL_METHOD_CONST const
@@ -620,6 +624,13 @@ typedef struct {
 } modssl_ticket_key_t;
 #endif
 
+#ifdef HAVE_SSL_CONF_CMD
+typedef struct {
+    const char *name;
+    const char *value;
+} ssl_ctx_param_t;
+#endif
+
 typedef struct SSLSrvConfigRec SSLSrvConfigRec;
 
 typedef struct {
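Review bot: The new ssl_ctx_param_t carries no comment saying what its two strings are or who owns them; the only hint is the "parameters to pass to SSL_CTX" remark on the array field further down. A line above the typedef such as `/* One SSLOpenSSLConfCmd directive: the SSL_CONF command name and its value, stored as handed to the directive handler (not copied). */` would tell the reader both the meaning and the lifetime.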
@@ -681,7 +692,9 @@ typedef struct {
     long ocsp_resptime_skew;
     long ocsp_resp_maxage;
     apr_interval_time_t ocsp_responder_timeout;
-
+#ifdef HAVE_SSL_CONF_CMD
+    apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
+#endif
 } modssl_ctx_t;
 
 struct SSLSrvConfigRec {
@@ -803,6 +816,8 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
+
 #ifndef OPENSSL_NO_SRP
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
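Review bot: The added prototype is declared unconditionally while its definition in ssl_engine_config.c is wrapped in `#ifdef HAVE_SSL_CONF_CMD`, unlike the SRP prototypes just below, which share their `#ifndef OPENSSL_NO_SRP` guard with their definitions. A build against an OpenSSL without SSL_CONF still compiles, but the header then advertises a symbol that does not exist; wrapping the declaration in `#ifdef HAVE_SSL_CONF_CMD` / `#endif` keeps it consistent with the file's existing pattern.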