You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2015/02/22 16:50:54 UTC
svn commit: r1661487 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl_ct.xml
include/ap_mmn.h modules/ssl/mod_ssl.c modules/ssl/mod_ssl_ct.c
modules/ssl/mod_ssl_openssl.h
Author: trawick
Date: Sun Feb 22 15:50:54 2015
New Revision: 1661487
URL: http://svn.apache.org/r1661487
Log:
Provide separate SSL_CT_*_STATUS variables for client vs. proxy
connections, courtesy of a new flag passed from mod_ssl on its
pre_connection "optional hook."
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
httpd/httpd/trunk/modules/ssl/mod_ssl_openssl.h
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml?rev=1661487&r1=1661486&r2=1661487&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml Sun Feb 22 15:50:54 2015
@@ -217,10 +217,11 @@ testing.</p>
<section id="logging">
<title>Logging CT status in the access log</title>
- <p>Both proxy and server modes set the <code>SSL_CT_PEER_STATUS</code>
- variable to indicate if the peer is CT-aware.</p>
+ <p>Proxy and server modes set the <code>SSL_CT_PROXY_STATUS</code> and
+ <code>SSL_CT_CLIENT_STATUS</code> variables, respectively, to indicate
+ if the corresponding peer is CT-aware.</p>
- <p>Proxy mode sets the <code>SSL_PROXY_SCT_SOURCES</code> variable to
+ <p>Proxy mode sets the <code>SSL_CT_PROXY_SCT_SOURCES</code> variable to
indicate whether and where SCTs were obtained (ServerHello, certificate
extension, etc.).</p>
Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1661487&r1=1661486&r2=1661487&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Sun Feb 22 15:50:54 2015
@@ -479,6 +479,7 @@
* 20150121.0 (2.5.0-dev) Revert field addition from core_dir_config; r1653666
* 20150121.1 (2.5.0-dev) Add cmd_parms_struct.parent to http_config.h
* 20150121.2 (2.5.0-dev) Add response_code_exprs to http_core.h
+ * 20150222.0 (2.5.0-dev) ssl pre_handshake hook now indicates proxy|client
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1661487&r1=1661486&r2=1661487&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sun Feb 22 15:50:54 2015
@@ -39,8 +39,8 @@ int ssl_running_on_valgrind = 0;
#endif
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
- (conn_rec *c,SSL *ssl),
- (c,ssl), OK, DECLINED);
+ (conn_rec *c,SSL *ssl,int is_proxy),
+ (c,ssl,is_proxy), OK, DECLINED);
/*
* the table of configuration directives we provide
@@ -512,7 +512,7 @@ int ssl_init_ssl_connection(conn_rec *c,
return DECLINED; /* XXX */
}
- rc = ssl_run_pre_handshake(c, ssl);
+ rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
if (rc != OK && rc != DECLINED) {
return rc;
}
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c?rev=1661487&r1=1661486&r2=1661487&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c Sun Feb 22 15:50:54 2015
@@ -89,11 +89,12 @@
#define DOTEXE ""
#endif
-#define STATUS_VAR "SSL_CT_PEER_STATUS"
+#define CLIENT_STATUS_VAR "SSL_CT_CLIENT_STATUS"
+#define PROXY_STATUS_VAR "SSL_CT_PROXY_STATUS"
#define STATUS_VAR_AWARE_VAL "peer-aware"
#define STATUS_VAR_UNAWARE_VAL "peer-unaware"
-#define PROXY_SCT_SOURCES_VAR "SSL_PROXY_SCT_SOURCES"
+#define PROXY_SCT_SOURCES_VAR "SSL_CT_PROXY_SCT_SOURCES"
#define DAEMON_NAME "SCT maintenance daemon"
#define DAEMON_THREAD_NAME DAEMON_NAME " thread"
@@ -129,6 +130,8 @@ typedef struct ct_server_config {
typedef struct ct_conn_config {
int peer_ct_aware;
+ int client_handshake;
+ int proxy_handshake;
/* proxy mode only */
cert_chain *certs;
int server_cert_has_sct_list;
@@ -2334,8 +2337,17 @@ static void tlsext_cb(SSL *ssl, int clie
}
}
-static int ssl_ct_pre_handshake(conn_rec *c, SSL *ssl)
+static int ssl_ct_pre_handshake(conn_rec *c, SSL *ssl, int is_proxy)
{
+ ct_conn_config *conncfg = get_conn_config(c);
+
+ if (is_proxy) {
+ conncfg->proxy_handshake = 1;
+ }
+ else {
+ conncfg->client_handshake = 1;
+ }
+
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "client connected (pre-handshake)");
SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); /* UNDOC */
@@ -2403,11 +2415,13 @@ static int ssl_ct_post_read_request(requ
ct_conn_config *conncfg =
ap_get_module_config(r->connection->conn_config, &ssl_ct_module);
- if (conncfg && conncfg->peer_ct_aware) {
- apr_table_set(r->subprocess_env, STATUS_VAR, STATUS_VAR_AWARE_VAL);
- }
- else {
- apr_table_set(r->subprocess_env, STATUS_VAR, STATUS_VAR_UNAWARE_VAL);
+ if (conncfg) {
+ if (conncfg->client_handshake) {
+ apr_table_set(r->subprocess_env, CLIENT_STATUS_VAR,
+ conncfg->peer_ct_aware ?
+ STATUS_VAR_AWARE_VAL : STATUS_VAR_UNAWARE_VAL);
+ }
+ /* else no SSL on this client connection */
}
return DECLINED;
@@ -2631,29 +2645,30 @@ static int ssl_ct_detach_backend(request
conncfg->serverhello_has_sct_list,
conncfg->ocsp_has_sct_list);
- apr_table_set(r->subprocess_env, STATUS_VAR,
- conncfg->peer_ct_aware ? STATUS_VAR_AWARE_VAL : STATUS_VAR_UNAWARE_VAL);
-
- list = apr_pstrcat(r->pool,
- conncfg->server_cert_has_sct_list ? "certext," : "",
- conncfg->serverhello_has_sct_list ? "tlsext," : "",
- conncfg->ocsp_has_sct_list ? "ocsp" : "",
- NULL);
- if (*list) {
- last = list + strlen(list) - 1;
- if (*last == ',') {
- *last = '\0';
+ if (conncfg->proxy_handshake) {
+ apr_table_set(r->subprocess_env, PROXY_STATUS_VAR,
+ conncfg->peer_ct_aware ?
+ STATUS_VAR_AWARE_VAL : STATUS_VAR_UNAWARE_VAL);
+
+ list = apr_pstrcat(r->pool,
+ conncfg->server_cert_has_sct_list ? "certext," : "",
+ conncfg->serverhello_has_sct_list ? "tlsext," : "",
+ conncfg->ocsp_has_sct_list ? "ocsp" : "",
+ NULL);
+ if (*list) {
+ last = list + strlen(list) - 1;
+ if (*last == ',') {
+ *last = '\0';
+ }
}
- }
- apr_table_set(r->subprocess_env, PROXY_SCT_SOURCES_VAR, list);
+ apr_table_set(r->subprocess_env, PROXY_SCT_SOURCES_VAR, list);
+ }
}
else {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "No backend connection available in "
- "ssl_ct_detach_backend(); assuming peer unaware");
- apr_table_set(r->subprocess_env, STATUS_VAR,
- STATUS_VAR_UNAWARE_VAL);
+ /* why here? some odd error path? */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "No backend connection available in ssl_ct_detach_backend()");
}
return OK;
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_openssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_openssl.h?rev=1661487&r1=1661486&r2=1661487&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_openssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_openssl.h Sun Feb 22 15:50:54 2015
@@ -55,9 +55,10 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int,
* pre_handshake hook
* @param c conn_rec for new connection from client or to backend server
* @param ssl OpenSSL SSL Connection for the client or backend server
+ * @param is_proxy 1 if this handshake is for a backend connection, 0 otherwise
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
- (conn_rec *c, SSL *ssl))
+ (conn_rec *c, SSL *ssl, int is_proxy))
/**
* proxy_post_handshake hook -- allow module to abort after successful