You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by kb...@apache.org on 2014/01/06 07:02:43 UTC
svn commit: r1555683 - in /httpd/httpd: branches/2.4.x/
branches/2.4.x/docs/manual/mod/ branches/2.4.x/modules/ssl/ trunk/
Author: kbrand
Date: Mon Jan 6 06:02:42 2014
New Revision: 1555683
URL: http://svn.apache.org/r1555683
Log:
Backport r1421323, r1534754, r1546693, r1555464 from trunk:
Add support for OpenSSL configuration commands by introducing
the SSLOpenSSLConfCmd directive.
Proposed by: kbrand
Reviewed by: drh, trawick
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
httpd/httpd/trunk/CHANGES
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1421323,1534754,1546693,1555464
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jan 6 06:02:42 2014
@@ -2,6 +2,9 @@
Changes with Apache 2.4.8
+ *) mod_ssl: Add support for OpenSSL configuration commands by introducing
+ the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]
+
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Mon Jan 6 06:02:42 2014
@@ -98,14 +98,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Add support for OpenSSL configuration commands (SSLOpenSSLConfCmd)
- trunk patches: https://svn.apache.org/r1421323
- https://svn.apache.org/r1534754
- https://svn.apache.org/r1546693
- https://svn.apache.org/r1555464
- 2.4.x patch: https://people.apache.org/~kbrand/mod_ssl-2.4.x-confcmd.diff
- +1: kbrand, drh, trawick
-
* mod_cache_disk hangs on windows reading from closed files
trunk patch: http://svn.apache.org/r1547845
2.4.x patch: trunk works
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Mon Jan 6 06:02:42 2014
@@ -2535,5 +2535,43 @@ CRIME attack).</p>
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLOpenSSLConfCmd</name>
+<description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description>
+<syntax>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later</compatibility>
+
+<usage>
+<p>This directive exposes OpenSSL's <em>SSL_CONF</em> API to mod_ssl,
+allowing a flexible configuration of OpenSSL parameters without the need
+of implementing additional <module>mod_ssl</module> directives when new
+features are added to OpenSSL.</p>
+
+<p>The set of available <directive>SSLOpenSSLConfCmd</directive> commands
+depends on the OpenSSL version being used for <module>mod_ssl</module>
+(at least version 1.0.2 is required). For a list of supported command
+names, see the section <em>Supported configuration file commands</em> in the
+<a href="http://www.openssl.org/docs/ssl/SSL_CONF_cmd.html#SUPPORTED_CONFIGURATION_FILE_COM">SSL_CONF_cmd(3)</a> manual page for OpenSSL.</p>
+
+<p>Some of the <directive>SSLOpenSSLConfCmd</directive> commands can be used
+as an alternative to existing directives (such as
+<directive module="mod_ssl">SSLCipherSuite</directive> or
+<directive module="mod_ssl">SSLProtocol</directive>),
+though it should be noted that the syntax / allowable values for the parameters
+may sometimes differ.</p>
+
+<example><title>Examples</title>
+<highlight language="config">
+SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference
+SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1
+SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem
+SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
+SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256
+</highlight>
+</example>
+</usage>
+</directivesynopsis>
</modulesynopsis>
Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Mon Jan 6 06:02:42 2014
@@ -266,6 +266,11 @@ static const command_rec ssl_config_cmds
"SSL stapling option to Force the OCSP Stapling URL")
#endif
+#ifdef HAVE_SSL_CONF_CMD
+ SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
+ "OpenSSL configuration command")
+#endif
+
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
"SSLLog directive is no longer supported - use ErrorLog."),
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Mon Jan 6 06:02:42 2014
@@ -98,7 +98,7 @@ BOOL ssl_config_global_isfixed(SSLModCon
** _________________________________________________________________
*/
-static void modssl_ctx_init(modssl_ctx_t *mctx)
+static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
{
mctx->sc = NULL; /* set during module init */
@@ -153,6 +153,13 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->srp_unknown_user_seed = NULL;
mctx->srp_vbase = NULL;
#endif
+#ifdef HAVE_SSL_CONF_CMD
+ mctx->ssl_ctx_config = SSL_CONF_CTX_new();
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE);
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER);
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
+ mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
+#endif
}
static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -162,7 +169,7 @@ static void modssl_ctx_init_proxy(SSLSrv
mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));
- modssl_ctx_init(mctx);
+ modssl_ctx_init(mctx, p);
mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
@@ -180,7 +187,7 @@ static void modssl_ctx_init_server(SSLSr
mctx = sc->server = apr_palloc(p, sizeof(*sc->server));
- modssl_ctx_init(mctx);
+ modssl_ctx_init(mctx, p);
mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
@@ -241,7 +248,8 @@ void *ssl_config_server_create(apr_pool_
#define cfgMergeBool(el) cfgMerge(el, UNSET)
#define cfgMergeInt(el) cfgMerge(el, UNSET)
-static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge(apr_pool_t *p,
+ modssl_ctx_t *base,
modssl_ctx_t *add,
modssl_ctx_t *mrg)
{
@@ -284,26 +292,32 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMergeString(srp_vfile);
cfgMergeString(srp_unknown_user_seed);
#endif
+
+#ifdef HAVE_SSL_CONF_CMD
+ cfgMergeArray(ssl_ctx_param);
+#endif
}
-static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
+ modssl_ctx_t *base,
modssl_ctx_t *add,
modssl_ctx_t *mrg)
{
- modssl_ctx_cfg_merge(base, add, mrg);
+ modssl_ctx_cfg_merge(p, base, add, mrg);
cfgMergeString(pkp->cert_file);
cfgMergeString(pkp->cert_path);
cfgMergeString(pkp->ca_cert_file);
}
-static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
+ modssl_ctx_t *base,
modssl_ctx_t *add,
modssl_ctx_t *mrg)
{
int i;
- modssl_ctx_cfg_merge(base, add, mrg);
+ modssl_ctx_cfg_merge(p, base, add, mrg);
for (i = 0; i < SSL_AIDX_MAX; i++) {
cfgMergeString(pks->cert_files[i]);
@@ -346,9 +360,9 @@ void *ssl_config_server_merge(apr_pool_t
cfgMergeBool(compression);
#endif
- modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+ modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
- modssl_ctx_cfg_merge_server(base->server, add->server, mrg->server);
+ modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server);
return mrg;
}
@@ -1808,6 +1822,38 @@ const char *ssl_cmd_SSLStaplingForceURL(
#endif /* HAVE_OCSP_STAPLING */
+#ifdef HAVE_SSL_CONF_CMD
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
+ const char *arg1, const char *arg2)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
+ int value_type = SSL_CONF_cmd_value_type(cctx, arg1);
+ const char *err;
+ ssl_ctx_param_t *param;
+
+ if (value_type == SSL_CONF_TYPE_UNKNOWN) {
+ return apr_psprintf(cmd->pool,
+ "'%s': invalid OpenSSL configuration command",
+ arg1);
+ }
+
+ if (value_type == SSL_CONF_TYPE_FILE) {
+ if ((err = ssl_cmd_check_file(cmd, &arg2)))
+ return err;
+ }
+ else if (value_type == SSL_CONF_TYPE_DIR) {
+ if ((err = ssl_cmd_check_dir(cmd, &arg2)))
+ return err;
+ }
+
+ param = apr_array_push(sc->server->ssl_ctx_param);
+ param->name = arg1;
+ param->value = arg2;
+ return NULL;
+}
+#endif
+
#ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Mon Jan 6 06:02:42 2014
@@ -1287,12 +1287,62 @@ static void ssl_init_server_ctx(server_r
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
+#ifdef HAVE_SSL_CONF_CMD
+ ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts;
+ SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
+ int i;
+#endif
+
ssl_init_server_check(s, p, ptemp, sc->server);
ssl_init_ctx(s, p, ptemp, sc->server);
ssl_init_server_certs(s, p, ptemp, sc->server);
+#ifdef HAVE_SSL_CONF_CMD
+ SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
+ for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
+ ERR_clear_error();
+ if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
+ "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
+ param->name, param->value, sc->vhost_id);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ ssl_die(s);
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02556)
+ "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
+ param->name, param->value, sc->vhost_id);
+ }
+#ifdef HAVE_OCSP_STAPLING
+ /*
+ * Special case: if OCSP stapling is enabled, and a certificate
+ * has been loaded via "SSLOpenSSLConfCmd Certificate ...", then
+ * we also need to call ssl_stapling_init_cert here.
+ */
+ if ((sc->server->stapling_enabled == TRUE) &&
+ !strcasecmp(param->name, "Certificate")) {
+ X509 *cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
+ if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
+ "Unable to configure certificate loaded "
+ "from %s for %s for stapling",
+ param->value, sc->vhost_id);
+ }
+ }
+#endif
+ }
+
+ if (SSL_CONF_CTX_finish(cctx) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
+ "SSL_CONF_CTX_finish() failed");
+ SSL_CONF_CTX_free(cctx);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ ssl_die(s);
+ }
+ SSL_CONF_CTX_free(cctx);
+#endif
+
#ifdef HAVE_TLS_SESSION_TICKETS
ssl_init_ticket_key(s, p, ptemp, sc->server);
#endif
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Mon Jan 6 06:02:42 2014
@@ -131,6 +131,10 @@
#define HAVE_TLSV1_X
#endif
+#if defined(SSL_CONF_FLAG_FILE)
+#define HAVE_SSL_CONF_CMD
+#endif
+
/**
* The following features all depend on TLS extension support.
* Within this block, check again for features (not version numbers).
@@ -577,6 +581,13 @@ typedef struct {
} modssl_ticket_key_t;
#endif
+#ifdef HAVE_SSL_CONF_CMD
+typedef struct {
+ const char *name;
+ const char *value;
+} ssl_ctx_param_t;
+#endif
+
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
typedef struct {
@@ -633,7 +644,10 @@ typedef struct {
long ocsp_resptime_skew;
long ocsp_resp_maxage;
apr_interval_time_t ocsp_responder_timeout;
-
+#ifdef HAVE_SSL_CONF_CMD
+ SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
+ apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
+#endif
} modssl_ctx_t;
struct SSLSrvConfigRec {
@@ -754,6 +768,10 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
+#ifdef HAVE_SSL_CONF_CMD
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
+#endif
+
#ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1555683&r1=1555682&r2=1555683&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Jan 6 06:02:42 2014
@@ -206,8 +206,6 @@ Changes with Apache 2.5.0
*) core: Correctly parse an IPv6 literal host specification in an absolute
URL in the request line. [Stefan Fritsch]
- *) mod_ssl: Add support for OpenSSL configuration commands [Stephen Henson]
-
*) EventOpt MPM
*) core: Add LogLevelOverride directive that allows to override the