You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/04/25 11:50:28 UTC
svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS
docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c
modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Author: rpluem
Date: Sat Apr 25 09:50:27 2009
New Revision: 768504
URL: http://svn.apache.org/viewvc?rev=768504&view=rev
Log:
Backport of r760866:
* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
Submitted by: rpluem
Reviewed by: rpluem, jim, jfclere
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Apr 25 09:50:27 2009
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.12
+ *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
+ to enable stricter checking of remote server certificates.
+ [Ruediger Pluem]
+
*) mod_substitute: Fix a memory leak. PR 44948
[Dan Poirier <poirier pobox.com>]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sat Apr 25 09:50:27 2009
@@ -97,14 +97,6 @@
Trunk version of patch works
+1: rpluem, wrowe, jfclere
- * mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
- to enable stricter checking of remote server certificates.
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=760866&view=rev
- Backport version for 2.2.x of patch:
- http://people.apache.org/~rpluem/patches/SSLProxyCheckPeer.diff
- +1: rpluem, jim, jfclere
-
* mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol.
Trunk version of patch:
http://svn.apache.org/viewvc?rev=764239&view=rev
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Sat Apr 25 09:50:27 2009
@@ -1503,6 +1503,48 @@
</directivesynopsis>
<directivesynopsis>
+<name>SSLProxyCheckPeerExpire</name>
+<description>Whether to check if remote server certificate is expired
+</description>
+<syntax>SSLProxyCheckPeerExpire on|off|optional</syntax>
+<default>SSLProxyCheckPeerExpire off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+
+<usage>
+<p>
+This directive sets whether it is checked if the remote server certificate
+is expired or not. If the check fails a 502 status code (Bad Gateway) is
+sent.
+</p>
+<example><title>Example</title>
+SSLProxyCheckPeerExpire on
+</example>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLProxyCheckPeerCN</name>
+<description>Whether to check the remote server certificates CN field
+</description>
+<syntax>SSLProxyCheckPeerCN on|off|optional</syntax>
+<default>SSLProxyCheckPeerCN off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+
+<usage>
+<p>
+This directive sets whether the remote server certificates CN field is
+compared against the hostname of the request URL. If both are not equal
+a 502 status code (Bad Gateway) is sent.
+</p>
+<example><title>Example</title>
+SSLProxyCheckPeerCN on
+</example>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
<name>SSLProxyEngine</name>
<description>SSL Proxy Engine Operation Switch</description>
<syntax>SSLProxyEngine on|off</syntax>
Modified: httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c Sat Apr 25 09:50:27 2009
@@ -1966,6 +1966,15 @@
if ((status = ap_proxy_connection_create(proxy_function, backend,
c, r->server)) != OK)
goto cleanup;
+ /*
+ * On SSL connections set a note on the connection what CN is
+ * requested, such that mod_ssl can check if it is requested to do
+ * so.
+ */
+ if (is_ssl) {
+ apr_table_set(backend->connection->notes, "proxy-request-hostname",
+ uri->hostname);
+ }
}
/* Step Four: Send the Request */
Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Sat Apr 25 09:50:27 2009
@@ -182,6 +182,10 @@
SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
"SSL Proxy: directory containing client certificates "
"(`/path/to/dir' - contains PEM encoded certificates)")
+ SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
+ "SSL Proxy: check the peers certificate expiration date")
+ SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+ "SSL Proxy: check the peers certificate CN")
/*
* Per-directory context configuration directives
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Sat Apr 25 09:50:27 2009
@@ -169,6 +169,8 @@
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET;
sc->cipher_server_pref = UNSET;
+ sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
+ sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
modssl_ctx_init_proxy(sc, p);
@@ -257,6 +259,8 @@
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
cfgMergeBool(cipher_server_pref);
+ cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
+ cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -1428,6 +1432,24 @@
return NULL;
}
+const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->proxy_ssl_check_peer_expire = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->proxy_ssl_check_peer_cn = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+ return NULL;
+}
+
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
if (!ap_exists_config_define("DUMP_CERTS")) {
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Sat Apr 25 09:50:27 2009
@@ -28,6 +28,7 @@
core keeps dumping.''
-- Unknown */
#include "ssl_private.h"
+#include "apr_date.h"
/* _________________________________________________________________
**
@@ -1011,6 +1012,31 @@
}
/*
+ * Parse an ASN1time string as returned by ASN1_UTCTIME_print into an
+ * apr_time_t.
+ */
+static apr_time_t parseASN1time(apr_pool_t *p, const char *asn1time)
+{
+ char *asctime;
+
+ /*
+ * Little bit ugly hack:
+ * The ASN1time looks very similar to the asctime format which can be
+ * parsed by apr_date_parse_rfc:
+ * It misses the weekday at the beginning (which is ignored by
+ * apr_date_parse_rfc anyway) and it has a GMT at the end which
+ * does not into the asctime pattern. So add a dummy "Sun " before
+ * the ASN1time and remove the GMT string at the end.
+ */
+ asctime = apr_pstrcat(p, "Sun ", asn1time, NULL);
+ if (strlen(asctime) < 25) {
+ return APR_DATE_BAD;
+ }
+ asctime[24] = '\0';
+ return apr_date_parse_rfc(asctime);
+}
+
+/*
* The hook is NOT registered with ap_hook_process_connection. Instead, it is
* called manually from the churn () before it tries to read any data.
* There is some problem if I accept conn_rec *. Still investigating..
@@ -1032,6 +1058,8 @@
}
if (sslconn->is_proxy) {
+ const char *hostname_note;
+
if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL Proxy connect failed");
@@ -1041,6 +1069,47 @@
return HTTP_BAD_GATEWAY;
}
+ if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
+ apr_time_t start_time;
+ apr_time_t end_time;
+ apr_time_t now;
+
+ start_time = parseASN1time(c->pool,
+ ssl_var_lookup(NULL, c->base_server,
+ c, NULL,
+ "SSL_CLIENT_V_START"));
+ end_time = parseASN1time(c->pool,
+ ssl_var_lookup(NULL, c->base_server,
+ c, NULL,
+ "SSL_CLIENT_V_END"));
+ now = apr_time_now();
+ if ((now > end_time) || (now < start_time)) {
+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
+ "SSL Proxy: Peer certificate is expired");
+ /* ensure that the SSL structures etc are freed, etc: */
+ ssl_filter_io_shutdown(filter_ctx, c, 1);
+ return HTTP_BAD_GATEWAY;
+ }
+ }
+ if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
+ && ((hostname_note =
+ apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
+ const char *hostname;
+
+ hostname = ssl_var_lookup(NULL, c->base_server, c, NULL,
+ "SSL_CLIENT_S_DN_CN");
+ apr_table_unset(c->notes, "proxy-request-hostname");
+ if (strcasecmp(hostname, hostname_note)) {
+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
+ "SSL Proxy: Peer certificate CN mismatch:"
+ " Certificate CN: %s Requested hostname: %s",
+ hostname, hostname_note);
+ /* ensure that the SSL structures etc are freed, etc: */
+ ssl_filter_io_shutdown(filter_ctx, c, 1);
+ return HTTP_BAD_GATEWAY;
+ }
+ }
+
return APR_SUCCESS;
}
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=768504&r1=768503&r2=768504&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Sat Apr 25 09:50:27 2009
@@ -454,6 +454,8 @@
BOOL cipher_server_pref;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
+ ssl_enabled_t proxy_ssl_check_peer_expire;
+ ssl_enabled_t proxy_ssl_check_peer_cn;
};
/**
@@ -532,6 +534,8 @@
const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
/** module initialization */
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES
STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Posted by Ruediger Pluem <rp...@apache.org>.
On 05/04/2009 10:29 PM, Roy T. Fielding wrote:
> On May 4, 2009, at 12:22 PM, Ruediger Pluem wrote:
>> During my work on the SNI backport I noticed that during my
>> preparation of
>> the backport patch for this proposal one import line fell through the
>> cracks
>> that was contained in r760866.
>>
>> The following patch would fix this missing initialization:
>>
>> Index: modules/ssl/ssl_engine_io.c
>> ===================================================================
>> --- modules/ssl/ssl_engine_io.c (revision 771213)
>> +++ modules/ssl/ssl_engine_io.c (working copy)
>> @@ -1060,6 +1060,7 @@
>> if (sslconn->is_proxy) {
>> const char *hostname_note;
>>
>> + sc = mySrvConfig(sslconn->server);
>> if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
>> ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
>> "SSL Proxy connect failed");
>>
>>
>>
>> Can I just correct this error and fix it in 2.2.x?
>
> Yes, just fix it.
Thanks. Sorry for the confusion I create now, but I now
find out that this line *must* be part of the SNI backport
proposal that I am currently working on and not part of this
backport. What confused me and created my messy question was
that r760866 was a backport of code that was committed to trunk
*after* some parts of the SNI code and this line in trunk is
actually the right and needed thing to do with the SNI patches
applied, but not without.
Hope that I will be less confusing next time :-).
Regards
RĂ¼diger
Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On May 4, 2009, at 12:22 PM, Ruediger Pluem wrote:
> During my work on the SNI backport I noticed that during my
> preparation of
> the backport patch for this proposal one import line fell through
> the cracks
> that was contained in r760866.
>
> The following patch would fix this missing initialization:
>
> Index: modules/ssl/ssl_engine_io.c
> ===================================================================
> --- modules/ssl/ssl_engine_io.c (revision 771213)
> +++ modules/ssl/ssl_engine_io.c (working copy)
> @@ -1060,6 +1060,7 @@
> if (sslconn->is_proxy) {
> const char *hostname_note;
>
> + sc = mySrvConfig(sslconn->server);
> if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
> ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
> "SSL Proxy connect failed");
>
>
>
> Can I just correct this error and fix it in 2.2.x?
Yes, just fix it.
....Roy
Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES
STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Posted by Ruediger Pluem <rp...@apache.org>.
On 04/25/2009 11:50 AM, rpluem@apache.org wrote:
> Author: rpluem
> Date: Sat Apr 25 09:50:27 2009
> New Revision: 768504
>
> URL: http://svn.apache.org/viewvc?rev=768504&view=rev
> Log:
> Backport of r760866:
>
> * Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
> stricter checking of remote server certificates.
>
> (docs/manual/mod/mod_ssl.xml)
> Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
>
> (modules/proxy/mod_proxy_http.c)
> Set the hostname of the request URL as note on the connection.
>
> (modules/ssl/ssl_private.h)
> Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
> the SSLSrvConfigRec.
>
> (modules/ssl/ssl_engine_config.c)
> Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
>
> (modules/ssl/ssl_engine_io.c)
> Check whether the remote servers certificate is expired / if there is a
> mismatch between the requested hostanme and the remote server certificates
> CN field.
> Be able to parse ASN1 times.
>
> (modules/ssl/mod_ssl.c)
> Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
>
> Submitted by: rpluem
> Reviewed by: rpluem, jim, jfclere
>
> Modified:
> httpd/httpd/branches/2.2.x/CHANGES
> httpd/httpd/branches/2.2.x/STATUS
> httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
> httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
> httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
> httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
> httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
> httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
>
During my work on the SNI backport I noticed that during my preparation of
the backport patch for this proposal one import line fell through the cracks
that was contained in r760866.
The following patch would fix this missing initialization:
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 771213)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -1060,6 +1060,7 @@
if (sslconn->is_proxy) {
const char *hostname_note;
+ sc = mySrvConfig(sslconn->server);
if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL Proxy connect failed");
Can I just correct this error and fix it in 2.2.x?
Regards
RĂ¼diger