Posted to cvs@httpd.apache.org by ic...@apache.org on 2017/12/07 15:11:13 UTC
svn commit: r1817381 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml docs/manual/sections.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_policies.h
modules/ssl/update_policies.py
Author: icing
Date: Thu Dec 7 15:11:13 2017
New Revision: 1817381
URL: http://svn.apache.org/viewvc?rev=1817381&view=rev
Log:
On the trunk:
mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
for new server config merge flag. Denying global, only once used directives
inside a SSLPolicyDefine.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/docs/manual/sections.xml
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_policies.h
httpd/httpd/trunk/modules/ssl/update_policies.py
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Dec 7 15:11:13 2017
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
+ for new server config merge flag. Denying global, only once used directives
+ inside a SSLPolicyDefine. [Stefan Eissing]
+
*) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
should be accepted after the authorization scheme. \t are also tolerated.
[Christophe Jaillet]
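Review bot: the new CHANGES entry is hard to parse at "Denying global, only once used directives inside a SSLPolicyDefine"; name the affected directives so users know what is now rejected, e.g. "SSLCryptoDevice, SSLRandomSeed, SSLSessionCache and SSLStaplingCache are rejected inside <SSLPolicyDefine> since they may only be set once globally."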
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Dec 7 15:11:13 2017
@@ -560,7 +560,7 @@ SSLSessionCacheTimeout 600
<default>SSLEngine off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>The <code>addr:port</code> parameter is available in Apache 2.4.28 and later.</compatibility>
+<compatibility>The <code>addr:port</code> parameter is available in Apache 2.4.30 and later.</compatibility>
<usage>
<p>
@@ -2840,11 +2840,11 @@ SSLOpenSSLConfCmd SignatureAlgorithms RS
</directivesynopsis>
<directivesynopsis type="section" idtype="section">
-<name>SSLPolicy</name>
+<name>SSLPolicyDefine</name>
<description>Define a named set of SSL configurations</description>
<syntax><SSLPolicy <em>name</em>></syntax>
<contextlist><context>server config</context></contextlist>
-<compatibility>Available in httpd 2.4.28 and later</compatibility>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
<usage>
<p>This directive defines a set of SSL* configurations under
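Review bot: the unchanged `<syntax><SSLPolicy <em>name</em>></syntax>` line in this hunk still shows the old section name while `<name>` was renamed to SSLPolicyDefine; change it to `<syntax><SSLPolicyDefine <em>name</em>></syntax>` so the rendered synopsis matches the directive the section now documents.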
@@ -2854,13 +2854,13 @@ to apply this configuration set in the c
<example><title>Define and Use of a Policy</title>
<highlight language="config">
-<SSLPolicy safe-stapling>
+<SSLPolicyDefine safe-stapling>
SSLUseStapling on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400
-</SSLPolicy>
+</SSLPolicyDefine>
...
<VirtualHost...>
@@ -2887,19 +2887,25 @@ httpd -t -D DUMP_SSL_POLICIES
</highlight>
</example>
-<p>The directive can only be used in the server config (global context), so
-there cannot be two policies with the same name. However, policies can
+<p>The directive can only be used in the server config (global context). It can take
+most SSL* directives, however a few can only be set once and are not allowed inside
+policy defintions. These are <directive>SSLCryptoDevice</directive>,
+<directive>SSLRandomSeed</directive>,
+<directive>SSLSessionCache</directive> and
+<directive>SSLStaplingCache</directive>.
+</p>
+<p>Two policies cannot have the same name. However, policies can
be redefined:</p>
<example><title>Policy Overwrite</title>
<highlight language="config">
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify require
-</SSLPolicy>
+</SSLPolicyDefine>
...
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify none
-</SSLPolicy>
+</SSLPolicyDefine>
</highlight>
</example>
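Review bot: typo in the added paragraph, "policy defintions" should be "policy definitions". Since this paragraph is the only place the manual lists the four directives rejected inside a policy, it would also help to say why (they configure process-global state that can only be set once), which matches the reasoning in the commit log.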
@@ -2914,14 +2920,14 @@ an aspect of a policy:</p>
<example><title>Policy Redefine</title>
<highlight language="config">
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify require
-</SSLPolicy>
+</SSLPolicyDefine>
...
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLPolicy proxy-trust
SSLProxyVerifyDepth 10
-</SSLPolicy>
+</SSLPolicyDefine>
</highlight>
</example>
@@ -2936,10 +2942,10 @@ be setup like this:</p>
<highlight language="config">
Include ssl-policies.conf
-<SSLPolicy modern>
+<SSLPolicyDefine modern>
SSLPolicy modern
SSLProxyVerify none
-</SSLPolicy>
+</SSLPolicyDefine>
</highlight>
</example>
@@ -2952,11 +2958,11 @@ Include ssl-policies.conf
<syntax>SSLPolicy <em>name</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>Available in httpd 2.4.28 and later</compatibility>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
<usage>
<p>This directive applies the set of SSL* directives defined
-under 'name' (see <directive type="section">SSLPolicy</directive>) as the <em>base</em>
+under 'name' (see <directive type="section">SSLPolicyDefine</directive>) as the <em>base</em>
settings in the current context. Apache comes with the following pre-defined policies from
Mozilla, the makers of the Firefox browser
(<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">see here
@@ -3029,7 +3035,7 @@ later ones overshadowing the earlier one
<syntax>SSLProxyPolicy <em>name</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>Available in httpd 2.4.28 and later</compatibility>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
<usage>
<p>This directive is similar to <directive>SSLPolicy</directive>, but
Modified: httpd/httpd/trunk/docs/manual/sections.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/sections.xml?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/sections.xml (original)
+++ httpd/httpd/trunk/docs/manual/sections.xml Thu Dec 7 15:11:13 2017
@@ -54,7 +54,7 @@ to change the scope of other configurati
<directive type="section" idtype="section" module="mod_md">ManagedDomain</directive>
<directive type="section" module="mod_proxy">Proxy</directive>
<directive type="section" module="mod_proxy">ProxyMatch</directive>
-<directive type="section" idtype="section" module="mod_ssl">SSLPolicy</directive>
+<directive type="section" idtype="section" module="mod_ssl">SSLPolicyDefine</directive>
<directive type="section" module="core">VirtualHost</directive>
</directivelist>
</related>
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Thu Dec 7 15:11:13 2017
@@ -312,13 +312,13 @@ static const command_rec ssl_config_cmds
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
- AP_INIT_TAKE1("<SSLPolicy", ssl_cmd_SSLPolicyDefine, NULL, RSRC_CONF,
+ AP_INIT_TAKE1("<SSLPolicyDefine", ssl_cmd_SSLPolicyDefine, NULL, RSRC_CONF,
"Define a set of SSL* configurations under a new name. Such a policy may "
"be used in any location where the SSL* directives are viable. The policy "
"may contain both SSL* and SSLProxy* specific settings. Which one is applied "
"depends on the use."),
AP_INIT_TAKE1("SSLPolicy", ssl_cmd_SSLPolicyApply, NULL, RSRC_CONF,
- "Use the SSL* (not the SSLProxy*) settings from the policy with the given name."),
+ "Apply the SSL* (not the SSLProxy*) settings from the policy with the given name."),
AP_INIT_TAKE1("SSLProxyPolicy", ssl_cmd_SSLProxyPolicyApply, NULL, RSRC_CONF|PROXY_CONF,
"Use the SSLProxy* settings from the policy with the given name."),
AP_END_CMD
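Review bot: the help string for SSLPolicy was changed from "Use the SSL* ..." to "Apply the SSL* ...", but the SSLProxyPolicy entry two lines below still says "Use the SSLProxy* settings ..."; use the same verb in both so the directive descriptions read consistently.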
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Dec 7 15:11:13 2017
@@ -93,7 +93,7 @@ void ssl_config_global_fix(SSLModConfigR
BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
{
- return mc->bFixed;
+ return mc && mc->bFixed;
}
/* _________________________________________________________________
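Review bot: `ssl_config_global_isfixed` now accepts a NULL `mc`, which makes "mc may be NULL while a policy is being defined" part of the function's contract; document that on the declaration, otherwise a future caller cannot tell whether the NULL check is defensive or intentional.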
@@ -635,7 +635,7 @@ static apr_array_header_t *get_policy_na
SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name)
{
- apr_hash_t *policies = get_policies(pool, 0);
+ apr_hash_t *policies = get_policies(pool, 1);
if (policies) {
return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
}
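Review bot: the second argument to `get_policies` is a bare literal flipped from 0 to 1 with no indication of its meaning; a named constant or a short comment at the call site would show whether lookup is now expected to create the table on demand, and if it is, the `if (policies)` guard that follows becomes dead code and can go.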
@@ -670,7 +670,7 @@ const char *ssl_cmd_SSLPolicyDefine(cmd_
arg = apr_pstrndup(cmd->pool, arg, endp-arg);
if (!arg || !*arg) {
- return "<SSLPolicy > block must specify a name";
+ return "<SSLPolicyDefine > block must specify a name";
}
name = ap_getword_white(cmd->pool, &arg);
@@ -681,6 +681,7 @@ const char *ssl_cmd_SSLPolicyDefine(cmd_
policy = apr_pcalloc(cmd->pool, sizeof(*policy));
policy->name = name;
policy->sc = ssl_config_server_new(cmd->pool);
+ policy->sc->mc = NULL; /* No global configs during SSLPolicy definition */
policy->dc = ssl_config_perdir_create(cmd->pool, "/");/* TODO */
ap_set_module_config(s->module_config, &ssl_module, policy->sc);
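Review bot: clearing `policy->sc->mc` to NULL turns every directive handler that dereferences `sc->mc` into a potential NULL dereference inside a policy block; this patch guards four handlers (SSLCryptoDevice, SSLRandomSeed, SSLSessionCache, SSLStaplingCache), so please confirm no other handler reads `mc` without a check. The new comment also still says "SSLPolicy definition"; update it to "SSLPolicyDefine" to match the rename.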
@@ -846,6 +847,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLCryptoDevice: cannot be used inside SSLPolicyDefine";
+ }
if (strcEQ(arg, "builtin")) {
mc->szCryptoDevice = NULL;
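Review bot: the `if (!mc)` guard is the only thing stopping this directive inside a policy block, because `ap_check_cmd_context(cmd, GLOBAL_ONLY)` passes there (SSLPolicyDefine is itself server-config only and installs its own server config); a one-line comment saying so would keep someone from "simplifying" the guard away later. The same three-line guard is repeated verbatim in three more handlers below, so a small helper that takes the directive name would keep the error wording in one place.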
@@ -887,6 +891,9 @@ const char *ssl_cmd_SSLRandomSeed(cmd_pa
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLRandomSeed: cannot be used inside SSLPolicyDefine";
+ }
if (ssl_config_global_isfixed(mc)) {
return NULL;
@@ -1486,6 +1493,9 @@ const char *ssl_cmd_SSLSessionCache(cmd_
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLSessionCache: cannot be used inside SSLPolicyDefine";
+ }
/* The OpenSSL session cache mode must have both the flags
* SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a
@@ -2110,6 +2120,9 @@ const char *ssl_cmd_SSLStaplingCache(cmd
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLStaplingCache: cannot be used inside SSLPolicyDefine";
+ }
/* Argument is of form 'name:args' or just 'name'. */
sep = ap_strchr_c(arg, ':');
Modified: httpd/httpd/trunk/modules/ssl/ssl_policies.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_policies.h?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_policies.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_policies.h Thu Dec 7 15:11:13 2017
@@ -65,13 +65,13 @@
#define SSL_POLICY_MOZILLA_VERSION 4.0
-#ifdef HAVE_TLS1_X
+#ifdef HAVE_TLSV1_X
#define SSL_POLICY_MODERN 1
#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
#define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
-#else /* ifdef HAVE_TLS1_X */
+#else /* ifdef HAVE_TLSV1_X */
#define SSL_POLICY_MODERN 0
-#endif /* ifdef HAVE_TLS1_X, else part */
+#endif /* ifdef HAVE_TLSV1_X, else part */
#define SSL_POLICY_INTERMEDIATE 1
#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
Modified: httpd/httpd/trunk/modules/ssl/update_policies.py
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/update_policies.py?rev=1817381&r1=1817380&r2=1817381&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/update_policies.py (original)
+++ httpd/httpd/trunk/modules/ssl/update_policies.py Thu Dec 7 15:11:13 2017
@@ -70,7 +70,7 @@ def required_ifdef(conf):
# if it has a non-1_X protocol, it works without OpenSSL 1.0.2
if not tlsv in TLS_1_X_VERSIONS:
return None
- return "HAVE_TLS1_X"
+ return "HAVE_TLSV1_X"
def getPolicyDef():
Re: svn commit: r1817381 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml docs/manual/sections.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_policies.h
modules/ssl/update_policies.py
Posted by Stefan Eissing <st...@greenbytes.de>.
Right, you are. Fixed in r1817894.
Changes and Lookups happen now in the same main config pool, so the logic for subpools is no longer needed.
Thanks for reviewing!
-Stefan
> Am 11.12.2017 um 21:08 schrieb Ruediger Pluem <rp...@apache.org>:
>
>
>
> On 12/07/2017 04:11 PM, icing@apache.org wrote:
>> Author: icing
>> Date: Thu Dec 7 15:11:13 2017
>> New Revision: 1817381
>>
>> URL: http://svn.apache.org/viewvc?rev=1817381&view=rev
>> Log:
>> On the trunk:
>>
>> mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
>> for new server config merge flag. Denying global, only once used directives
>> inside a SSLPolicyDefine.
>>
>>
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
>> httpd/httpd/trunk/docs/manual/sections.xml
>> httpd/httpd/trunk/modules/ssl/mod_ssl.c
>> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>> httpd/httpd/trunk/modules/ssl/ssl_policies.h
>> httpd/httpd/trunk/modules/ssl/update_policies.py
>>
>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1817381&r1=1817380&r2=1817381&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Dec 7 15:11:13 2017
>> @@ -93,7 +93,7 @@ void ssl_config_global_fix(SSLModConfigR
>>
>> BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
>> {
>> - return mc->bFixed;
>> + return mc && mc->bFixed;
>> }
>>
>> /* _________________________________________________________________
>> @@ -635,7 +635,7 @@ static apr_array_header_t *get_policy_na
>>
>> SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name)
>> {
>> - apr_hash_t *policies = get_policies(pool, 0);
>> + apr_hash_t *policies = get_policies(pool, 1);
>> if (policies) {
>> return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
>> }
>
> Hm, the else case below the lines above does not seem to be needed any longer, since policies should not be NULL, correct?
>
> Regards
>
> Rüdiger
Re: svn commit: r1817381 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml docs/manual/sections.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_policies.h
modules/ssl/update_policies.py
Posted by Ruediger Pluem <rp...@apache.org>.
On 12/07/2017 04:11 PM, icing@apache.org wrote:
> Author: icing
> Date: Thu Dec 7 15:11:13 2017
> New Revision: 1817381
>
> URL: http://svn.apache.org/viewvc?rev=1817381&view=rev
> Log:
> On the trunk:
>
> mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
> for new server config merge flag. Denying global, only once used directives
> inside a SSLPolicyDefine.
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> httpd/httpd/trunk/docs/manual/sections.xml
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_policies.h
> httpd/httpd/trunk/modules/ssl/update_policies.py
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1817381&r1=1817380&r2=1817381&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Dec 7 15:11:13 2017
> @@ -93,7 +93,7 @@ void ssl_config_global_fix(SSLModConfigR
>
> BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
> {
> - return mc->bFixed;
> + return mc && mc->bFixed;
> }
>
> /* _________________________________________________________________
> @@ -635,7 +635,7 @@ static apr_array_header_t *get_policy_na
>
> SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name)
> {
> - apr_hash_t *policies = get_policies(pool, 0);
> + apr_hash_t *policies = get_policies(pool, 1);
> if (policies) {
> return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
> }
Hm, the else case below the lines above does not seem to be needed any longer, since policies should not be NULL, correct?
Regards
Rüdiger