<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/apache/httpd.git/modules/ssl/ssl_engine_init.c, branch 2.4.17-protocols-changes</title>
<subtitle>github.com: apache/httpd.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/'/>
<entry>
<title>merge r1703952 from trunk</title>
<updated>2015-09-30T11:50:30+00:00</updated>
<author>
<name>Kaspar Brand</name>
<email>kbrand@apache.org</email>
</author>
<published>2015-09-30T11:50:30+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=ecf675884027e8d2d643d1006301bef092221aed'/>
<id>ecf675884027e8d2d643d1006301bef092221aed</id>
<content type='text'>
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>merge r1702643 from trunk</title>
<updated>2015-09-30T11:42:54+00:00</updated>
<author>
<name>Kaspar Brand</name>
<email>kbrand@apache.org</email>
</author>
<published>2015-09-30T11:42:54+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=181e083ddb30da04dd59e17d6fdfb5228c2b7af0'/>
<id>181e083ddb30da04dd59e17d6fdfb5228c2b7af0</id>
<content type='text'>
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,</title>
<updated>2015-09-30T11:31:43+00:00</updated>
<author>
<name>Kaspar Brand</name>
<email>kbrand@apache.org</email>
</author>
<published>2015-09-30T11:31:43+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=b0dc766b75f07e25a0d5fcd79ee9da46ee5048b4'/>
<id>b0dc766b75f07e25a0d5fcd79ee9da46ee5048b4</id>
<content type='text'>
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -&gt; modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -&gt; modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -&gt; modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -&gt; modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -&gt; modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -&gt; modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -&gt; modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -&gt; modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -&gt; modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -&gt; modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -&gt; modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -&gt; modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -&gt; modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -&gt; modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:</title>
<updated>2015-09-28T12:31:37+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2015-09-28T12:31:37+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=7475aa0909975f8491de64bb08d9793c6e503ae2'/>
<id>7475aa0909975f8491de64bb08d9793c6e503ae2</id>
<content type='text'>
adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of directly calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
  Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener


http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing &lt;stefan eissing.org&gt;
Reviewed by: ylavic


c89


Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows


final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705672 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of directly calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
  Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener


http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing &lt;stefan eissing.org&gt;
Reviewed by: ylavic


c89


Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows


final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705672 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.</title>
<updated>2015-05-27T16:33:10+00:00</updated>
<author>
<name>William A. Rowe Jr</name>
<email>wrowe@apache.org</email>
</author>
<published>2015-05-27T16:33:10+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=fb5c0d5f14fff02062d377241dd7fc44d0b2e809'/>
<id>fb5c0d5f14fff02062d377241dd7fc44d0b2e809</id>
<content type='text'>
SSL_CTX_set_tmp_ecdh increases the reference count, so we have to call
EC_KEY_free, otherwise eckey will not be freed.

Backports: r1666363
Author: jkaluza
Reviewed by: rjung, ylavic, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682074 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SSL_CTX_set_tmp_ecdh increases the reference count, so we have to call
EC_KEY_free, otherwise eckey will not be freed.

Backports: r1666363
Author: jkaluza
Reviewed by: rjung, ylavic, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682074 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1679470 from trunk:</title>
<updated>2015-05-18T11:07:07+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2015-05-18T11:07:07+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=8ad013bf7bfe3cfa3701fd2abc19ea8c9c6bd408'/>
<id>8ad013bf7bfe3cfa3701fd2abc19ea8c9c6bd408</id>
<content type='text'>
mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679989 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679989 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1673455 from trunk:</title>
<updated>2015-04-15T17:55:41+00:00</updated>
<author>
<name>Jeff Trawick</name>
<email>trawick@apache.org</email>
</author>
<published>2015-04-15T17:55:41+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=e8414c0be18469446981109673a7a6420ac26cea'/>
<id>e8414c0be18469446981109673a7a6420ac26cea</id>
<content type='text'>
mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a
feature check for libressl.

Submitted by: Stuart Henderson &lt;sthen openbsd.org&gt;
Reviewed by: covener, trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673900 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a
feature check for libressl.

Submitted by: Stuart Henderson &lt;sthen openbsd.org&gt;
Reviewed by: covener, trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673900 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1650310 and r1650320 from trunk:</title>
<updated>2015-01-15T12:20:33+00:00</updated>
<author>
<name>Rainer Jung</name>
<email>rjung@apache.org</email>
</author>
<published>2015-01-15T12:20:33+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=d53a8588ef6520b112c04c2ab3b9247ff7907d15'/>
<id>d53a8588ef6520b112c04c2ab3b9247ff7907d15</id>
<content type='text'>
mod_ssl: Add SSLSessionTickets (on|off).
It controls the use of TLS session tickets (RFC 5077).
Default is unchanged (on).
Using session tickets without restarting the web server with
an appropriate frequency (e.g. daily) compromises perfect forward
secrecy. As long as we do not have nice key management
there needs to be a way to deactivate the use of session tickets.

Submitted by: rjung
Reviewed by: rjung, covener, ylavic
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1652074 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mod_ssl: Add SSLSessionTickets (on|off).
It controls the use of TLS session tickets (RFC 5077).
Default is unchanged (on).
Using session tickets without restarting the web server with
an appropriate frequency (e.g. daily) compromises perfect forward
secrecy. As long as we do not have nice key management
there needs to be a way to deactivate the use of session tickets.

Submitted by: rjung
Reviewed by: rjung, covener, ylavic
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1652074 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1533765, r1621419, r1638159, r1638188, r1601603, r1638412, r1418763 from trunk</title>
<updated>2014-11-29T09:22:43+00:00</updated>
<author>
<name>Christophe Jaillet</name>
<email>jailletc36@apache.org</email>
</author>
<published>2014-11-29T09:22:43+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=c3b551a0f853a07bac88cb57f81f9334da50e5fa'/>
<id>c3b551a0f853a07bac88cb57f81f9334da50e5fa</id>
<content type='text'>
    ssl: Axe needless string duplication in setup for call to apr_proc_create()
    Fix sscanf format spotted by cppcheck
    fix indent.
    fix style
    Private function doesn't need ap_ prefix.
    tab vs space
    rename variables: s should be the server_rec

Submitted by: trawick, jailletc36, jailletc36, jailletc36, takashi, jailletc36, sf
Reviewed by: jailletc36, ylavic, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642403 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
    ssl: Axe needless string duplication in setup for call to apr_proc_create()
    Fix sscanf format spotted by cppcheck
    fix indent.
    fix style
    Private function doesn't need ap_ prefix.
    tab vs space
    rename variables: s should be the server_rec

Submitted by: trawick, jailletc36, jailletc36, jailletc36, takashi, jailletc36, sf
Reviewed by: jailletc36, ylavic, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642403 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1629372, r1629485, r1629519 from trunk:</title>
<updated>2014-10-27T12:50:05+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2014-10-27T12:50:05+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=8ac9c67bcf2a66216edef5c1fc3a584a23b2801f'/>
<id>8ac9c67bcf2a66216edef5c1fc3a584a23b2801f</id>
<content type='text'>
Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
  ssl_stapling_certid_free (used with apr_pool_cleanup_register).
  Switch to a stapling_certinfo hash which is keyed by the SHA-1
  digest of the certificate's DER encoding, rework ssl_stapling_init_cert
  to only store info once per certificate (allocated from the pconf
  to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for
  ssl_stapling_init_cert, replace ssl_stapling_ex_init with
  ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh &lt;alex alex.org.uk&gt;


Follow up to r1629372: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).
Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
  ssl_stapling_certid_free (used with apr_pool_cleanup_register).
  Switch to a stapling_certinfo hash which is keyed by the SHA-1
  digest of the certificate's DER encoding, rework ssl_stapling_init_cert
  to only store info once per certificate (allocated from the pconf
  to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for
  ssl_stapling_init_cert, replace ssl_stapling_ex_init with
  ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh &lt;alex alex.org.uk&gt;


Follow up to r1629372: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).
Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
</feed>
