path: root/modules/ssl
Commit message | Author | Date | Files | Lines
* add SSL_CTX_set_session_id_context(3) checks | Giovanni Bechis | 2023-04-04 | 1 file | -3/+13
    bz #66226
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908971 13f79535-47bb-0310-9956-ffa450edef68
* check SSL_do_handshake(3) return value | Giovanni Bechis | 2023-04-04 | 1 file | -3/+7
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908964 13f79535-47bb-0310-9956-ffa450edef68
* SSL_do_handshake can fail with 0 or <0 status codes. | Giovanni Bechis | 2023-04-03 | 1 file | -1/+1
    spotted and fixed by rpluem@
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908936 13f79535-47bb-0310-9956-ffa450edef68
* check for more possible SSL failures | Giovanni Bechis | 2023-03-30 | 1 file | -4/+1
    bz #66225
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908805 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Fix deprecation warnings with openssl-3. | Yann Ylavic | 2023-03-19 | 13 files | -140/+288
    * mod_ssl_openssl.h: Make it the first openssl header to be included, selecting the OpenSSL api based on OPENSSL_API_COMPAT eventually.
    * ssl_private.h: Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting ENGINE_ API) before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to new "providers" api before the ENGINE_ api is abandoned..). mod_ssl.h is now implicitly included from there. Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0". Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the engine features are disabled, only "builtin" is accepted). Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api above, so it might not be implemented in httpd anymore at some point..). Define X509_get_not{Before,After} if missing to the non deprecated version. New modssl_set_io_callbacks() to factorize compat code for io callbacks. ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and modssl_dh_pkey_from_file() for openssl >= 3.0.
    * mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling: Including "ssl_private.h" only is suited/enough now.
    * mod_ssl_ct.c, ssl_ct_log_config: Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
    * ssl_engine_config.c(ssl_cmd_SSLCryptoDevice): Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.
    * ssl_engine_init: New compat modssl_runtime_lib_version() to address deprecated SSLeay(). ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API. Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars. Compat loading DH parameters and EC curve from cert.
    * ssl_engine_io.c, ssl_engine_kernel.c: Implement common modssl_set_io_callbacks() and use it.
    * ssl_engine_pphrase(modssl_load_engine_keypair): Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
    * ssl_util.c(modssl_is_engine_id): No engine supported unless MODSSL_HAVE_ENGINE_API.
    * ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file): Compat with openssl >= 3.0.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
* * Favour HUGE_STRING_LEN * 2 over 1024 * 16 | Ruediger Pluem | 2023-03-13 | 1 file | -3/+3
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908339 13f79535-47bb-0310-9956-ffa450edef68
* Add SSL_SHARED_CIPHER environment variable | Dirk-Willem van Gulik | 2023-03-06 | 2 files | -0/+6
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908132 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_ssl: when a proxy connection had handled a request using SSL, an | Stefan Eissing | 2022-08-01 | 1 file | -0/+7
    error was logged when "SSLProxyEngine" was only configured in the location/proxy section and not the overall server. The connection continued to work, the error log was in error. Fixed PR66190.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1903167 13f79535-47bb-0310-9956-ffa450edef68
* check BN_bn2dec return value | Giovanni Bechis | 2022-06-28 | 1 file | -1/+6
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1902302 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Missing bit from r1901470 to handle OpenSSL-3+ FIPS. | Yann Ylavic | 2022-06-09 | 1 file | -1/+1
    OPENSSL_FIPS is no longer defined with openssl-3, it is always HAVE_FIPS.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901772 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. | Yann Ylavic | 2022-05-31 | 2 files | -4/+14
    * modules/ssl/ssl_private.h(): #define modssl_fips_is_enabled() and modssl_fips_enable() to wrap the native OpenSSL FIPS functions available on OPENSSL_VERSION_NUMBER.
    * modules/ssl/ssl_engine_init.c(ssl_init_Module, modssl_fips_cleanup): Use the new wrappers instead of the OPENSSL_VERSION_NUMBER < 3.0 functions.
    Submitted by: Petr Sumbera <petr.sumbera oracle.com>, ylavic
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901470 13f79535-47bb-0310-9956-ffa450edef68
* Fix some typos | Christophe Jaillet | 2022-05-08 | 2 files | -3/+3
    [skip ci]
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900694 13f79535-47bb-0310-9956-ffa450edef68
* Fix a typo | Christophe Jaillet | 2022-05-08 | 1 file | -1/+1
    [skip ci]
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900693 13f79535-47bb-0310-9956-ffa450edef68
* * modules/ssl/ssl_engine_io.c: | Joe Orton | 2022-04-27 | 1 file | -72/+8
    Drop noop functions for BIO methods mod_ssl doesn't implement. OpenSSL handles missing BIO methods internally in BIO_xxxx() wrappers. Consistently log at TRACE4 unhandled _ctrl commands, but note these are not a "BUG" as in the previous log message.
    PR: 66028
    Github: closes #316
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900309 13f79535-47bb-0310-9956-ffa450edef68
* free memory when needed | Giovanni Bechis | 2022-02-25 | 1 file | -1/+6
    bz #65905
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898410 13f79535-47bb-0310-9956-ffa450edef68
* return early if X509_STORE_CTX_init fails | Giovanni Bechis | 2022-02-24 | 1 file | -1/+4
    bz 65902
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898368 13f79535-47bb-0310-9956-ffa450edef68
* return early if ASN1_STRING_new fails | Giovanni Bechis | 2022-02-24 | 1 file | -0/+4
    bz 65902
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898367 13f79535-47bb-0310-9956-ffa450edef68
* release memory if needed | Giovanni Bechis | 2022-02-24 | 2 files | -2/+7
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898366 13f79535-47bb-0310-9956-ffa450edef68
* *) core/mod_ssl/mpm_event: reverting changes to nonblocking SSL handshakes | Stefan Eissing | 2022-02-04 | 2 files | -112/+17
    to stabilize CI tests again. Previous revision of trunk has been copied to branches/trunk-ssl-handshake-unblocking to make those into a PR where changes can be discussed and tested separately.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897760 13f79535-47bb-0310-9956-ffa450edef68
* check BIO_new(3) return values | Giovanni Bechis | 2022-02-01 | 5 files | -8/+25
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897663 13f79535-47bb-0310-9956-ffa450edef68
* core: Efficient ap_thread_current() when apr_thread_local() is missing. | Yann Ylavic | 2022-01-25 | 1 file | -3/+3
    #define ap_thread_create, ap_thread_current_create and ap_thread_current to their apr-1.8+ equivalent if available, or implement them using the compiler's thread_local mechanism if available, or finally provide stubs otherwise. #define AP_HAS_THREAD_LOCAL to 1 in the two former cases or 0 otherwise, while AP_THREAD_LOCAL is defined to the compiler's keyword iff AP_HAS_THREAD_LOCAL. Replace all apr_thread_create() calls with ap_thread_create() so that httpd threads can use ap_thread_current()'s pool data as Thread Local Storage. Bump MMN minor.
    * include/httpd.h(): Define AP_HAS_THREAD_LOCAL, AP_THREAD_LOCAL (eventually), ap_thread_create(), ap_thread_current_create() and ap_thread_current().
    * server/util.c: Implement ap_thread_create(), ap_thread_current_create() and ap_thread_current() when APR < 1.8.
    * modules/core/mod_watchdog.c, modules/http2/h2_workers.c, modules/ssl/mod_ssl_ct.c: Use ap_thread_create() instead of apr_thread_create.
    * server/main.c: Use AP_HAS_THREAD_LOCAL and ap_thread_current_create instead of APR's.
    * server/util_pcre.c: Use AP_HAS_THREAD_LOCAL and ap_thread_current instead of APR's.
    * server/mpm/event/event.c, server/mpm/worker/worker.c, server/mpm/prefork/prefork.c: Use ap_thread_create() instead of apr_thread_create. Create an apr_thread_t/ap_thread_current() for the main child thread usable at child_init().
    * server/mpm/winnt/child.c: Use ap_thread_create() instead of CreateThread(). Create an apr_thread_t/ap_thread_current() for the main child thread usable
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897460 13f79535-47bb-0310-9956-ffa450edef68
* Begone, foul tabs. | Graham Leggett | 2022-01-24 | 1 file | -2/+2
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897424 13f79535-47bb-0310-9956-ffa450edef68
* event: Add AP_MPM_CAN_AGAIN and AGAIN to signal to the MPM that | Graham Leggett | 2022-01-24 | 1 file | -5/+5
    non blocking behaviour is requested.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897423 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Use AP_FILTER_ERROR to indicate when the SSL filter has | Graham Leggett | 2022-01-24 | 2 files | -2/+2
    handled its own errors.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897418 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: We no longer throw away handshake errors. Handle APR_EGENERAL | Graham Leggett | 2022-01-23 | 1 file | -1/+21
    which means that mod_ssl has passed an http error down the stack.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897387 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: An edge case exists where SSL_read might return SSL_ERROR_WANT_READ | Graham Leggett | 2022-01-22 | 1 file | -12/+15
    even in blocking BIO cases. Set guards so that an async MPM is not accessed at this point. There is no need to set non blocking, mod_ssl's BIO already knows how to do this.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897356 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Add the missing SSL_ERROR_WANT_WRITE case in the SSL_read. Make | Graham Leggett | 2022-01-22 | 1 file | -0/+24
    sure the sense is correctly specified in response to SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE so we don't poll for the wrong case.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897353 13f79535-47bb-0310-9956-ffa450edef68
* Use OK status to match process_connection behaviour. | Graham Leggett | 2022-01-22 | 1 file | -1/+1
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897352 13f79535-47bb-0310-9956-ffa450edef68
* When failing, we need to explicitly set the connection state. | Graham Leggett | 2022-01-22 | 1 file | -1/+4
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897336 13f79535-47bb-0310-9956-ffa450edef68
* event: Add support for non blocking behaviour in the | Graham Leggett | 2022-01-21 | 2 files | -7/+56
    CONN_STATE_READ_REQUEST_LINE phase, in addition to the existing CONN_STATE_WRITE_COMPLETION phase. Update mod_ssl to perform non blocking TLS handshakes.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897281 13f79535-47bb-0310-9956-ffa450edef68
* Follow-up to r1896361. | Christophe Jaillet | 2022-01-07 | 1 file | -3/+2
    Use a cleaner solution.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896817 13f79535-47bb-0310-9956-ffa450edef68
* Close a file handle in case of error in ct_static_scts() | Christophe Jaillet | 2021-12-24 | 1 file | -0/+1
    PR 65760 <ryancaicse gmail.com>
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896361 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Fix -Werror=unused-value in ssl_var_lookup_ssl_cert_data(). | Yann Ylavic | 2021-12-15 | 1 file | -1/+1
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896008 13f79535-47bb-0310-9956-ffa450edef68
* * modules/ssl/ssl_engine_io.c (bio_filter_in_ctrl): Remove debugging | Joe Orton | 2021-12-10 | 1 file | -1/+0
    assert for unexpected control commands, matching bio_filter_out_ctrl which also ignores such invocations. Fixes core dumps in debug builds with OpenSSL 3.0.0 which triggers this via the BIO_get_ktls_recv() call on the SSL bio, aka BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, ...);
    See: https://github.com/openssl/openssl/blob/105af0ad923a665ca5fee296b52dbf34b524a2aa/ssl/record/rec_layer_s3.c#L274
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895774 13f79535-47bb-0310-9956-ffa450edef68
* * mod_ssl: fix in CHECK_PRIVKEY_ERROR for openssl 3.0 | Stefan Eissing | 2021-11-03 | 1 file | -1/+1
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894716 13f79535-47bb-0310-9956-ffa450edef68
* * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks, | Joe Orton | 2021-10-07 | 1 file | -7/+9
    ssl_init_server_certs): Flip logic for enabling/disabling DH auto parameter selection for OpenSSL 1.1+ to be simpler and consistent with auto ECDH curve selection.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893964 13f79535-47bb-0310-9956-ffa450edef68
* * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL | Joe Orton | 2021-10-04 | 1 file | -0/+7
    1.1+, disable auto DH parameter selection if parameters have been manually configured. This fixes a regression in r1890067 after which manually configured parameters are ignored.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893876 13f79535-47bb-0310-9956-ffa450edef68
* * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of | Joe Orton | 2021-06-29 | 1 file | -2/+17
    encrypted private keys with OpenSSL 3.0.
    * test/travis_run_linux.sh: For TEST_SSL, test loading encrypted private keys.
    Github: closes #{197}
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891138 13f79535-47bb-0310-9956-ffa450edef68
* * log-tags always win. | Stefan Eissing | 2021-06-11 | 1 file | -2/+2
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890696 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_ssl: tighten the handling of ALPN for outgoing (proxy) | Stefan Eissing | 2021-06-11 | 1 file | -1/+61
    connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accommodates hosts that do not observe/support ALPN and speak http/1.x by default.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890693 13f79535-47bb-0310-9956-ffa450edef68
* *) core/mod_proxy/mod_ssl: | Stefan Eissing | 2021-06-08 | 6 files | -60/+42
    Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding `ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL modules to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional functions wrap any registered function like it was done for `ssl_is_ssl`.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
* fix build with LibreSSL [Yann Ylavic] | Giovanni Bechis | 2021-05-21 | 1 file | -3/+2
    Github issue #188
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890076 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Switch to using OpenSSL's automatic internal DH parameter | Joe Orton | 2021-05-21 | 3 files | -4/+14
    generation from OpenSSL 1.1.0 and later. The SSL_set_tmp_dh_callback() API is deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change (except mod_ssl gets smaller).
    * modules/ssl/ssl_private.h, modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Drop internal DH parameter generation and callback for OpenSSL 1.1+, use SSL_CTX_set_dh_auto(, 1) instead.
    Github: closes #188
    Reviewed by: rpluem
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890067 13f79535-47bb-0310-9956-ffa450edef68
* * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl | Stefan Eissing | 2021-05-18 | 3 files | -77/+3
    into mod_log_config itself. These now use the global `ap_ssl_var_lookup()` functions and work for all running SSL modules. The dependency from mod_ssl to mod_log_config and its header is removed. mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR". This change should be fully compatible to all deployed configurations.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890003 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1889938: APLOGNO(). | Yann Ylavic | 2021-05-16 | 1 file | -1/+1
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889939 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: coalesce using a bucket brigade and the setaside/reinstate mechanism. | Yann Ylavic | 2021-05-16 | 1 file | -48/+36
    ssl_io_filter_coalesce() now uses apr_brigade_write() to save its retained data in a heap bucket, and ap_filter_{setaside,reinstate}_brigade() to declare them to the output filters' write completion mechanism. This prevents MPM event from missing them when it enters write completion state, and will allow the tunneling loop of mod_proxy to flush them in a following commit too.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889938 13f79535-47bb-0310-9956-ffa450edef68
* * Spelling fixes after review by @bigio. | Stefan Eissing | 2021-05-12 | 2 files | -2/+2
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889788 13f79535-47bb-0310-9956-ffa450edef68
* core/ap_ssl_*: changes after review by rpluem | Stefan Eissing | 2021-04-20 | 3 files | -16/+24
    - removed no longer needed (char*) casts when looking up ssl variables.
    - move 'goto cleanup;' on separate source line
    - fixed check for wrong optional function in ap_run_ssl_var_lookup
    - remove ap_bytes_t again from httpd.h and passes now ocsp identifier as separate const char* and apr_size_t. This follows more how such data is passed in the rest of the server.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889009 13f79535-47bb-0310-9956-ffa450edef68
* *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. | Stefan Eissing | 2021-04-13 | 3 files | -19/+87
    This allows modules to access and provide OCSP response data without being tied to each other. The data is exchanged in standard, portable formats (PEM encoded certificates and DER encoded responses), so that the actual SSL/crypto implementations used by the modules are independent of each other. Registration and retrieval happen in the context of a server (server_rec) which modules may use to decide if they are configured for this or not. The area of changes:
    1. core: defines 2 functions in include/http_ssl.h, so that modules may register a certificate, together with its issuer certificate for OCSP response provisioning and ask for current response data (DER bytes) later. Also, 2 hooks are defined that allow modules to implement this OCSP provisioning.
    2. mod_ssl uses the new functions, in addition to what it did already, to register its certificates this way. If no one is interested in providing OCSP, it falls back to its own (if configured) stapling implementation.
    3. mod_md registers itself at the core hooks for OCSP provisioning. Depending on configuration, it will accept registrations of its own certificates only, all certificates or none.
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
* *) core: provide ap_ssl_* functions in new http_ssl.h header file. | Stefan Eissing | 2021-03-26 | 1 file | -0/+1
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888083 13f79535-47bb-0310-9956-ffa450edef68