Posted to cvs@httpd.apache.org by jo...@apache.org on 2005/01/14 14:54:33 UTC
svn commit: r125165 - /httpd/httpd/trunk/CHANGES /httpd/httpd/trunk/modules/ssl/mod_ssl.c /httpd/httpd/trunk/modules/ssl/ssl_engine_config.c /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c /httpd/httpd/trunk/modules/ssl/ssl_private.h
Author: jorton
Date: Fri Jan 14 05:54:31 2005
New Revision: 125165
URL: http://svn.apache.org/viewcvs?view=rev&rev=125165
Log:
* modules/ssl/mod_ssl.c: Declare new config directives
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/CHANGES
Url: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?view=diff&rev=125165&p1=httpd/httpd/trunk/CHANGES&r1=125164&p2=httpd/httpd/trunk/CHANGES&r2=125165
==============================================================================
--- httpd/httpd/trunk/CHANGES (original)
+++ httpd/httpd/trunk/CHANGES Fri Jan 14 05:54:31 2005
@@ -2,6 +2,11 @@
[Remove entries to the current 2.0 section below, when backported]
+ *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
+ which can be used to configure a specific list of CA names to send
+ in a client certificate request. PR 32848.
+ [Tim Taylor <tim.taylor dfas.mil>]
+
*) --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
Url: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/mod_ssl.c?view=diff&rev=125165&p1=httpd/httpd/trunk/modules/ssl/mod_ssl.c&r1=125164&p2=httpd/httpd/trunk/modules/ssl/mod_ssl.c&r2=125165
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Fri Jan 14 05:54:31 2005
@@ -116,6 +116,12 @@
SSL_CMD_ALL(CACertificateFile, TAKE1,
"SSL CA Certificate file "
"(`/path/to/file' - PEM encoded)")
+ SSL_CMD_SRV(CADNRequestPath, TAKE1,
+ "SSL CA Distinguished Name path "
+ "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
+ SSL_CMD_SRV(CADNRequestFile, TAKE1,
+ "SSL CA Distinguished Name file "
+ "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
SSL_CMD_SRV(CARevocationPath, TAKE1,
"SSL CA Certificate Revocation List (CRL) path "
"(`/path/to/dir' - contains PEM encoded files)")
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
Url: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?view=diff&rev=125165&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_config.c&r1=125164&p2=httpd/httpd/trunk/modules/ssl/ssl_engine_config.c&r2=125165
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Fri Jan 14 05:54:31 2005
@@ -152,17 +152,9 @@
modssl_ctx_init(mctx);
- mctx->pks = apr_palloc(p, sizeof(*mctx->pks));
+ mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
- memset((void*)mctx->pks->cert_files, 0, sizeof(mctx->pks->cert_files));
-
- memset((void*)mctx->pks->key_files, 0, sizeof(mctx->pks->key_files));
-
- /* certs/keys are set during module init */
-
- memset(mctx->pks->certs, 0, sizeof(mctx->pks->certs));
-
- memset(mctx->pks->keys, 0, sizeof(mctx->pks->keys));
+ /* mctx->pks->... certs/keys are set during module init */
}
static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -245,6 +237,9 @@
cfgMergeString(pks->cert_files[i]);
cfgMergeString(pks->key_files[i]);
}
+
+ cfgMergeString(pks->ca_name_path);
+ cfgMergeString(pks->ca_name_file);
}
/*
@@ -831,6 +826,36 @@
/* XXX: bring back per-dir */
sc->server->auth.ca_cert_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_dir(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->pks->ca_name_path = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->pks->ca_name_file = arg;
return NULL;
}
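Review bot: The two new directive handlers ssl_cmd_SSLCADNRequestPath and ssl_cmd_SSLCADNRequestFile carry no comment saying what the stored path is used for, and since they sit next to the SSLCACertificate* handlers a reader can easily assume they feed the verification store. A short header on each would settle it, e.g. `/* Path to CA certificate(s) whose subject DNs are advertised in the CertificateRequest; the verify store is still SSLCACertificateFile/Path. */`. The handlers presumably rely on ssl_cmd_check_dir/ssl_cmd_check_file to validate and canonicalise arg before it is stored, which is consistent with the neighbouring handlers but worth stating in the comment. The first lines of the hunk are the tail of ssl_cmd_SSLCACertificateFile, whose body starts outside the hunk.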
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Url: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=diff&rev=125165&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_init.c&r1=125164&p2=httpd/httpd/trunk/modules/ssl/ssl_engine_init.c&r2=125165
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Fri Jan 14 05:54:31 2005
@@ -544,12 +544,17 @@
ssl_die();
}
- ca_list = ssl_init_FindCAList(s, ptemp,
- mctx->auth.ca_cert_file,
- mctx->auth.ca_cert_path);
+ if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
+ ca_list = ssl_init_FindCAList(s, ptemp,
+ mctx->pks->ca_name_file,
+ mctx->pks->ca_name_path);
+ } else
+ ca_list = ssl_init_FindCAList(s, ptemp,
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path);
if (!ca_list) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to determine list of available "
+ "Unable to determine list of acceptable "
"CA certificates for client authentication");
ssl_die();
}
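Review bot: The new branch that picks the source of the CertificateRequest DN list has no comment explaining that it only changes the CA names advertised to the client, while chain verification still uses the store loaded from mctx->auth.ca_cert_file/ca_cert_path just above; a CA listed via SSLCADNRequest* but absent from SSLCACertificate* will be offered to clients whose certificates then fail verification, so that relationship deserves a line here, e.g. `/* SSLCADNRequest* only selects the DNs sent in the CertificateRequest; verification still uses the SSLCACertificate* store. */`. The `} else` is unbraced while its `if` branch is braced, which is inconsistent with the surrounding code; bracing the else keeps the two arms parallel. The `mctx->pks &&` guard is presumably there because proxy contexts have no pks, which is also worth a word. ssl_init_ctx_verify starts and ends outside the hunk.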
@@ -1151,7 +1156,7 @@
if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Failed to open SSLCACertificatePath `%s'",
+ "Failed to open Certificate Path `%s'",
ca_path);
ssl_die();
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
Url: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_private.h?view=diff&rev=125165&p1=httpd/httpd/trunk/modules/ssl/ssl_private.h&r1=125164&p2=httpd/httpd/trunk/modules/ssl/ssl_private.h&r2=125165
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Jan 14 05:54:31 2005
@@ -379,6 +379,11 @@
const char *key_files[SSL_AIDX_MAX];
X509 *certs[SSL_AIDX_MAX];
EVP_PKEY *keys[SSL_AIDX_MAX];
+
+ /* Certificates which specify the set of CA names which should be
+ * sent in the CertificateRequest message: */
+ const char *ca_name_path;
+ const char *ca_name_file;
} modssl_pk_server_t;
typedef struct {
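Review bot: The comment on the new fields describes them as "Certificates which specify the set of CA names", but ca_name_path and ca_name_file are filesystem paths set by the SSLCADNRequestPath and SSLCADNRequestFile directives, and naming the directives here would let a reader find the handlers. Suggested wording: `/* Paths (SSLCADNRequestPath / SSLCADNRequestFile) to CA certificates whose subject DNs are sent in the CertificateRequest message; the verify store is configured separately via auth.ca_cert_*. */`. Whether the path-form directory is expected to use the same hashed-symlink layout as SSLCACertificatePath is not visible here and could be stated on the field if that is the intent.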
@@ -487,6 +492,8 @@
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);