path: root/modules/ssl

Commit log for modules/ssl (commit message, author, date, files changed, lines removed/added):

free memory when needed
  Giovanni Bechis, 2022-02-25, 1 file changed, -1/+6

  bz #65905

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898410 13f79535-47bb-0310-9956-ffa450edef68

return early if X509_STORE_CTX_init fails
  Giovanni Bechis, 2022-02-24, 1 file changed, -1/+4

  bz 65902

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898368 13f79535-47bb-0310-9956-ffa450edef68

return early if ASN1_STRING_new fails
  Giovanni Bechis, 2022-02-24, 1 file changed, -0/+4

  bz 65902

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898367 13f79535-47bb-0310-9956-ffa450edef68

release memory if needed
  Giovanni Bechis, 2022-02-24, 2 files changed, -2/+7

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898366 13f79535-47bb-0310-9956-ffa450edef68

*) core/mod_ssl/mpm_event: reverting changes to nonblocking SSL handshakes
  Stefan Eissing, 2022-02-04, 2 files changed, -112/+17

  to stabilize CI tests again. Previous revision of trunk has been copied to
  branches/trunk-ssl-handshake-unblocking to make those into a PR where changes
  can be discussed and tested separately.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897760 13f79535-47bb-0310-9956-ffa450edef68

check BIO_new(3) return values
  Giovanni Bechis, 2022-02-01, 5 files changed, -8/+25

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897663 13f79535-47bb-0310-9956-ffa450edef68

core: Efficient ap_thread_current() when apr_thread_local() is missing.
  Yann Ylavic, 2022-01-25, 1 file changed, -3/+3

  #define ap_thread_create, ap_thread_current_create and ap_thread_current to
  their apr-1.8+ equivalent if available, or implement them using the compiler's
  thread_local mechanism if available, or finally provide stubs otherwise.

  #define AP_HAS_THREAD_LOCAL to 1 in the two former cases or 0 otherwise, while
  AP_THREAD_LOCAL is defined to the compiler's keyword iff AP_HAS_THREAD_LOCAL.

  Replace all apr_thread_create() calls with ap_thread_create() so that httpd
  threads can use ap_thread_current()'s pool data as Thread Local Storage.

  Bump MMN minor.

  * include/httpd.h(): Define AP_HAS_THREAD_LOCAL, AP_THREAD_LOCAL (eventually),
    ap_thread_create(), ap_thread_current_create() and ap_thread_current().
  * server/util.c: Implement ap_thread_create(), ap_thread_current_create() and
    ap_thread_current() when APR < 1.8.
  * modules/core/mod_watchdog.c, modules/http2/h2_workers.c,
    modules/ssl/mod_ssl_ct.c: Use ap_thread_create() instead of apr_thread_create.
  * server/main.c: Use AP_HAS_THREAD_LOCAL and ap_thread_current_create instead
    of APR's.
  * server/util_pcre.c: Use AP_HAS_THREAD_LOCAL and ap_thread_current instead
    of APR's.
  * server/mpm/event/event.c, server/mpm/worker/worker.c,
    server/mpm/prefork/prefork.c: Use ap_thread_create() instead of
    apr_thread_create. Create an apr_thread_t/ap_thread_current() for the main
    child thread usable at child_init().
  * server/mpm/winnt/child.c: Use ap_thread_create() instead of CreateThread().
    Create an apr_thread_t/ap_thread_current() for the main child thread usable

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897460 13f79535-47bb-0310-9956-ffa450edef68

Begone, foul tabs.
  Graham Leggett, 2022-01-24, 1 file changed, -2/+2

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897424 13f79535-47bb-0310-9956-ffa450edef68

event: Add AP_MPM_CAN_AGAIN and AGAIN to signal to the MPM that
  Graham Leggett, 2022-01-24, 1 file changed, -5/+5

  non blocking behaviour is requested.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897423 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Use AP_FILTER_ERROR to indicate when the SSL filter has
  Graham Leggett, 2022-01-24, 2 files changed, -2/+2

  handled its own errors.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897418 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: We no longer throw away handshake errors. Handle APR_EGENERAL
  Graham Leggett, 2022-01-23, 1 file changed, -1/+21

  which means that mod_ssl has passed an http error down the stack.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897387 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: An edge case exists where SSL_read might return SSL_ERROR_WANT_READ
  Graham Leggett, 2022-01-22, 1 file changed, -12/+15

  even in blocking BIO cases. Set guards so that an async MPM is not accessed at
  this point. There is no need to set non blocking, mod_ssl's BIO already knows
  how to do this.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897356 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Add the missing SSL_ERROR_WANT_WRITE case in the SSL_read. Make
  Graham Leggett, 2022-01-22, 1 file changed, -0/+24

  sure the sense is correctly specified in response to SSL_ERROR_WANT_READ and
  SSL_ERROR_WANT_WRITE so we don't poll for the wrong case.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897353 13f79535-47bb-0310-9956-ffa450edef68

Use OK status to match process_connection behaviour.
  Graham Leggett, 2022-01-22, 1 file changed, -1/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897352 13f79535-47bb-0310-9956-ffa450edef68

When failing, we need to explicitly set the connection state.
  Graham Leggett, 2022-01-22, 1 file changed, -1/+4

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897336 13f79535-47bb-0310-9956-ffa450edef68

event: Add support for non blocking behaviour in the
  Graham Leggett, 2022-01-21, 2 files changed, -7/+56

  CONN_STATE_READ_REQUEST_LINE phase, in addition to the existing
  CONN_STATE_WRITE_COMPLETION phase. Update mod_ssl to perform non blocking TLS
  handshakes.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897281 13f79535-47bb-0310-9956-ffa450edef68

Follow-up to r1896361.
  Christophe Jaillet, 2022-01-07, 1 file changed, -3/+2

  Use a cleaner solution.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896817 13f79535-47bb-0310-9956-ffa450edef68

Close a file handle in case of error in ct_static_scts()
  Christophe Jaillet, 2021-12-24, 1 file changed, -0/+1

  PR 65760 <ryancaicse gmail.com>

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896361 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix -Werror=unused-value in ssl_var_lookup_ssl_cert_data().
  Yann Ylavic, 2021-12-15, 1 file changed, -1/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896008 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (bio_filter_in_ctrl): Remove debugging
  Joe Orton, 2021-12-10, 1 file changed, -1/+0

  assert for unexpected control commands, matching bio_filter_out_ctrl which
  also ignores such invocations. Fixes core dumps in debug builds with OpenSSL
  3.0.0 which triggers this via the BIO_get_ktls_recv() call on the SSL bio, aka
  BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, ...);

  See: https://github.com/openssl/openssl/blob/105af0ad923a665ca5fee296b52dbf34b524a2aa/ssl/record/rec_layer_s3.c#L274

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895774 13f79535-47bb-0310-9956-ffa450edef68

* mod_ssl: fix in CHECK_PRIVKEY_ERROR for openssl 3.0
  Stefan Eissing, 2021-11-03, 1 file changed, -1/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894716 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks,
  Joe Orton, 2021-10-07, 1 file changed, -7/+9

  ssl_init_server_certs): Flip logic for enabling/disabling DH auto parameter
  selection for OpenSSL 1.1+ to be simpler and consistent with auto ECDH curve
  selection.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893964 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
  Joe Orton, 2021-10-04, 1 file changed, -0/+7

  1.1+, disable auto DH parameter selection if parameters have been manually
  configured. This fixes a regression in r1890067 after which manually
  configured parameters are ignored.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893876 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
  Joe Orton, 2021-06-29, 1 file changed, -2/+17

  encrypted private keys with OpenSSL 3.0.

  * test/travis_run_linux.sh: For TEST_SSL, test loading encrypted private keys.

  Github: closes #{197}

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891138 13f79535-47bb-0310-9956-ffa450edef68

* log-tags always win.
  Stefan Eissing, 2021-06-11, 1 file changed, -2/+2

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890696 13f79535-47bb-0310-9956-ffa450edef68

*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
  Stefan Eissing, 2021-06-11, 1 file changed, -1/+61

  connections. If ALPN protocols are provided and sent to the remote server, the
  received protocol selected is inspected and checked for a match. Without
  match, the peer handshake fails. An exception is the proposal of "http/1.1"
  where it is accepted if the remote server did not answer ALPN with a selected
  protocol. This accommodates hosts that do not observe/support ALPN and speak
  http/1.x by default.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890693 13f79535-47bb-0310-9956-ffa450edef68

*) core/mod_proxy/mod_ssl:
  Stefan Eissing, 2021-06-08, 6 files changed, -60/+42

  Adding `outgoing` flag to conn_rec, indicating a connection is initiated by
  the server to somewhere, in contrast to incoming connections from clients.

  Adding `ap_ssl_bind_outgoing()` function that marks a connection as outgoing
  and is used by mod_proxy instead of the previous optional function
  `ssl_engine_set`. This enables other SSL modules to secure proxy connections.

  The optional functions `ssl_engine_set`, `ssl_engine_disable` and
  `ssl_proxy_enable` are now provided by the core to have backward
  compatibility with non-httpd modules that might use them. mod_ssl itself no
  longer registers these functions, but keeps them in its header for backward
  compatibility. The core provided optional functions wrap any registered
  function like it was done for `ssl_is_ssl`.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68

fix build with LibreSSL [Yann Ylavic]
  Giovanni Bechis, 2021-05-21, 1 file changed, -3/+2

  Github issue #188

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890076 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
  Joe Orton, 2021-05-21, 3 files changed, -4/+14

  generation from OpenSSL 1.1.0 and later. The SSL_set_tmp_dh_callback() API is
  deprecated from OpenSSL 3.0 onwards. Should not be a user-visible change
  (except mod_ssl gets smaller).

  * modules/ssl/ssl_private.h, modules/ssl/ssl_engine_kernel.c,
    modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Drop internal DH
    parameter generation and callback for OpenSSL 1.1+, use
    SSL_CTX_set_dh_auto(, 1) instead.

  Github: closes #188
  Reviewed by: rpluem

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890067 13f79535-47bb-0310-9956-ffa450edef68

* mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl
  Stefan Eissing, 2021-05-18, 3 files changed, -77/+3

  into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
  functions and work for all running SSL modules. The dependency from mod_ssl
  to mod_log_config and its header is removed. mod_ssl now provides the content
  of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR". This change should be
  fully compatible with all deployed configurations.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890003 13f79535-47bb-0310-9956-ffa450edef68

Follow up to r1889938: APLOGNO().
  Yann Ylavic, 2021-05-17, 1 file changed, -1/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889939 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: coalesce using a bucket brigade and the setaside/reinstate mechanism.
  Yann Ylavic, 2021-05-16, 1 file changed, -48/+36

  ssl_io_filter_coalesce() now uses apr_brigade_write() to save its retained
  data in a heap bucket, and ap_filter_{setaside,reinstate}_brigade() to declare
  them to the output filters' write completion mechanism. This prevents MPM
  event from missing them when it enters write completion state, and will allow
  the tunneling loop of mod_proxy to flush them in a following commit too.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889938 13f79535-47bb-0310-9956-ffa450edef68

* Spelling fixes after review by @bigio.
  Stefan Eissing, 2021-05-12, 2 files changed, -2/+2

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889788 13f79535-47bb-0310-9956-ffa450edef68

core/ap_ssl_*: changes after review by rpluem
  Stefan Eissing, 2021-04-20, 3 files changed, -16/+24

  - removed no longer needed (char*) casts when looking up ssl variables.
  - move 'goto cleanup;' on separate source line
  - fixed check for wrong optional function in ap_run_ssl_var_lookup
  - remove ap_bytes_t again from httpd.h and passes now ocsp identifier as
    separate const char* and apr_size_t. This follows more how such data is
    passed in the rest of the server.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889009 13f79535-47bb-0310-9956-ffa450edef68

*) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature.
  Stefan Eissing, 2021-04-13, 3 files changed, -19/+87

  This allows modules to access and provide OCSP response data without being
  tied to each other. The data is exchanged in standard, portable formats (PEM
  encoded certificates and DER encoded responses), so that the actual SSL/crypto
  implementations used by the modules are independent of each other.
  Registration and retrieval happen in the context of a server (server_rec)
  which modules may use to decide if they are configured for this or not.

  The area of changes:

  1. core: defines 2 functions in include/http_ssl.h, so that modules may
     register a certificate, together with its issuer certificate for OCSP
     response provisioning and ask for current response data (DER bytes) later.
     Also, 2 hooks are defined that allow modules to implement this OCSP
     provisioning.
  2. mod_ssl uses the new functions, in addition to what it did already, to
     register its certificates this way. If no one is interested in providing
     OCSP, it falls back to its own (if configured) stapling implementation.
  3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
     on configuration, it will accept registrations of its own certificates
     only, all certificates or none.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68

*) core: provide ap_ssl_* functions in new http_ssl.h header file.
  Stefan Eissing, 2021-03-26, 1 file changed, -0/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888083 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Add base64-encoded DER certificate variables as alternative
  Joe Orton, 2021-03-19, 4 files changed, -36/+73

  to PEM, to avoid newline mangling issues when using PEM in header values.

  * modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.
  * modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data): New function,
    replacing ssl_var_lookup_ssl_cert_PEM.
    (ssl_var_lookup_ssl): Use it, and add _B64CERT variants of
    SSL_{CLIENT,SERVER}_CERT.
    (ssl_var_lookup_ssl_cert_chain): Use it.
  * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support
    "ExportBase64CertData" argument.
  * modules/ssl/ssl_engine_kernel.c (extract_to_env): New function.
    (ssl_hook_Fixup): Use it, also export _B64CERT variables if
    SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain handling.

  PR: 65169
  Reviewed by: michaelo
  Github: closes #177

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68

And the necessary log tags added just shortly afterwards.
  Stefan Eissing, 2021-03-03, 1 file changed, -1/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887152 13f79535-47bb-0310-9956-ffa450edef68

Changed ap_ssl_answer_challenge() and its hook to provide PEM data for
  Stefan Eissing, 2021-03-03, 4 files changed, -39/+86

  certificate and key instead of file names. Added support for this in mod_ssl
  and verified with a local mod_md version that uses it.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887151 13f79535-47bb-0310-9956-ffa450edef68

Fixed regression in r1887085 where an SSL function was used that is not available in OpenSSL 1.0.2.
  Stefan Eissing, 2021-03-03, 1 file changed, -1/+1

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887134 13f79535-47bb-0310-9956-ffa450edef68

Adding log tags where log tags are needed.
  Stefan Eissing, 2021-03-02, 1 file changed, -2/+2

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887087 13f79535-47bb-0310-9956-ffa450edef68

Adding more ap_ssl_* functions and hooks to the core server.
  Stefan Eissing, 2021-03-02, 3 files changed, -11/+42

  - ap_ssl_add_cert_files() to enable other modules like mod_md to provide
    certificate and keys for an SSL module like mod_ssl.
  - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
    provide a fallback certificate in case no 'proper' certificate is available
    for an SSL module like mod_ssl.
  - ap_ssl_answer_challenge() to enable other modules like mod_md to provide a
    certificate as used in the RFC 8555 'tls-alpn-01' challenge for the ACME
    protocol for an SSL module like mod_ssl.
  - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
    'ssl_answer_challenge' where modules like mod_md can provide providers to
    the above mentioned functions.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887085 13f79535-47bb-0310-9956-ffa450edef68

Treat non-leaf certificates present in SSLProxyMachineCertificateFile
  Joe Orton, 2020-12-17, 1 file changed, -13/+33

  the same way as non-leaf certs are in SSLCertificateFile - use them to build
  the trusted cert chain for the end-entity (client) cert.

  * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): For any non-leaf
    certificate present in the configured, trust as if used in
    SSLProxyMachineCertificateChainFile.

  Github: closes #151

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884552 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_private.h (modssl_pk_proxy_t): Update comment,
  Joe Orton, 2020-12-17, 1 file changed, -4/+7

  no functional change. [skip ci]

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884551 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_cert_chain): Log the
  Joe Orton, 2020-12-15, 1 file changed, -1/+4

  OpenSSL errors if CA certs cannot be loaded.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884452 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl_ct: join the threads before their parent pools are destroyed.
  Yann Ylavic, 2020-11-20, 1 file changed, -4/+4

  This can happen on stop/restart for the daemon thread, or on
  clean_child_exit() for the service thread.

  When an apr_thread_create()d thread exits it destroys its pool (in any case),
  either explicitly when apr_thread_exit() is called, or implicitly after the
  function returns (only in APR 2.0 for now).

  So we should make sure that mod_ssl_ct's daemon and service threads exit
  before pconf and pchild (the parent pools, respectively) destroy their
  children pools, otherwise the threads' pool will be destroyed twice and cause
  a crash.

  Using a pre_cleanup to wait for the threads avoids this.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883667 13f79535-47bb-0310-9956-ffa450edef68

Fix a few warnings on 64 bits windows compilation
  Christophe Jaillet, 2020-09-01, 1 file changed, -1/+2

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881379 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Move
  Joe Orton, 2020-08-17, 1 file changed, -10/+8

  fill_reneg_buffer() call down after r->connection->master check.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880927 13f79535-47bb-0310-9956-ffa450edef68

Simplify and speed-up ssl_io_data_dump().
  Christophe Jaillet, 2020-08-01, 1 file changed, -16/+12

  Instead of using a temp buffer for each byte or char written, and calling
  strlen over and over again to find the place where to copy this buffer, write
  directly at the correct place in the final buffer, and take advantage of
  'apr_snprintf' returning the number of bytes copied.

  This looks like a hot path when running the test framework (because of
  TRACE7), so it could be slightly useful in this use case :)

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880500 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache.c (ssl_scache_init): Use <16 character
  Joe Orton, 2020-07-02, 1 file changed, -2/+2

  cname argument for socache ->init() per the API constraint.

  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879445 13f79535-47bb-0310-9956-ffa450edef68