Posted to cvs@httpd.apache.org by kb...@apache.org on 2013/04/15 17:56:07 UTC
svn commit: r1468131 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_private.h
Author: kbrand
Date: Mon Apr 15 15:56:07 2013
New Revision: 1468131
URL: http://svn.apache.org/r1468131
Log:
revert r1352596, for the reasons explained in
https://mail-archives.apache.org/mod_mbox/httpd-dev/201304.mbox/%3C515FED7C.5010009%40velox.ch%3E
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1468131&r1=1468130&r2=1468131&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Apr 15 15:56:07 2013
@@ -134,8 +134,6 @@ Changes with Apache 2.5.0
- mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache
[Jeff Trawick]
- *) mod_ssl: Add RFC 5878 support. [Ben Laurie]
-
*) suexec: Add --enable-suexec-capabilites support on Linux, to use
setuid/setgid capability bits rather than a setuid root binary.
[Joe Orton]
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1468131&r1=1468130&r2=1468131&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Mon Apr 15 15:56:07 2013
@@ -99,15 +99,6 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
"PKCS#7 file containing server certificate and chain"
" certificates ('/path/to/file' - PEM encoded)")
- SSL_CMD_ALL(RSAAuthzFile, TAKE1,
- "RFC 5878 Authz Extension file for RSA certificate "
- "(`/path/to/file')")
- SSL_CMD_ALL(DSAAuthzFile, TAKE1,
- "RFC 5878 Authz Extension file for DSA certificate "
- "(`/path/to/file')")
- SSL_CMD_ALL(ECAuthzFile, TAKE1,
- "RFC 5878 Authz Extension file for EC certificate "
- "(`/path/to/file')")
#ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
"TLS session ticket encryption/decryption key file (RFC 5077) "
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1468131&r1=1468130&r2=1468131&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Mon Apr 15 15:56:07 2013
@@ -125,10 +125,6 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
- mctx->rsa_authz_file = NULL;
- mctx->dsa_authz_file = NULL;
- mctx->ec_authz_file = NULL;
-
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
mctx->auth.cipher_suite = NULL;
@@ -265,10 +261,6 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
- cfgMergeString(rsa_authz_file);
- cfgMergeString(dsa_authz_file);
- cfgMergeString(ec_authz_file);
-
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
cfgMergeString(auth.cipher_suite);
@@ -858,54 +850,6 @@ const char *ssl_cmd_SSLPKCS7CertificateF
return NULL;
}
-const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
- void *dcfg,
- const char *arg)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ssl_cmd_check_file(cmd, &arg))) {
- return err;
- }
-
- sc->server->rsa_authz_file = arg;
-
- return NULL;
-}
-
-const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
- void *dcfg,
- const char *arg)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ssl_cmd_check_file(cmd, &arg))) {
- return err;
- }
-
- sc->server->dsa_authz_file = arg;
-
- return NULL;
-}
-
-const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
- void *dcfg,
- const char *arg)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ssl_cmd_check_file(cmd, &arg))) {
- return err;
- }
-
- sc->server->ec_authz_file = arg;
-
- return NULL;
-}
-
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
void *dcfg,
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1468131&r1=1468130&r2=1468131&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Mon Apr 15 15:56:07 2013
@@ -1022,8 +1022,7 @@ static void ssl_init_ctx(server_rec *s,
static int ssl_server_import_cert(server_rec *s,
modssl_ctx_t *mctx,
const char *id,
- int idx,
- const char *authz_file)
+ int idx)
{
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
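Review bot: After this signature change `ssl_server_import_cert` still has no header comment, and the relationship between `id` and `idx` is only discoverable from the call sites in `ssl_init_server_certs`. I would add above the definition something like `/* Import the server certificate registered under id into mctx->pks->certs[idx]; idx is one of the SSL_AIDX_* slots. Returns TRUE once the certificate is stored. */`. The failure return is not visible in these hunks, so that part of the comment should be confirmed against the rest of the body, which starts in this hunk and continues outside it.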
@@ -1062,24 +1061,6 @@ static int ssl_server_import_cert(server
}
#endif
- if (authz_file) {
-#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L
- if (!SSL_CTX_use_authz_file(mctx->ssl_ctx, authz_file)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to initialize TLS authz extension");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
- ssl_die(s);
- }
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Set %s authz_file to %s",
- type, authz_file);
-#else
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to initialize TLS authz extension: "
- "OpenSSL version too low");
- ssl_die(s);
-#endif
- }
-
mctx->pks->certs[idx] = cert;
return TRUE;
@@ -1217,13 +1198,10 @@ static void ssl_init_server_certs(server
ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
#endif
- have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA,
- mctx->rsa_authz_file);
- have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA,
- mctx->dsa_authz_file);
+ have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
+ have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
#ifndef OPENSSL_NO_EC
- have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC,
- mctx->ec_authz_file);
+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
#endif
if (!(have_rsa || have_dsa
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1468131&r1=1468130&r2=1468131&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Mon Apr 15 15:56:07 2013
@@ -678,11 +678,6 @@ typedef struct {
SRP_VBASE *srp_vbase;
#endif
- /** RFC 5878 */
- const char *rsa_authz_file;
- const char *dsa_authz_file;
- const char *ec_authz_file;
-
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -762,9 +757,6 @@ const char *ssl_cmd_SSLCryptoDevice(cmd
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
-const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
-const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
-const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);