</usage>
</directivesynopsis>
-<directivesynopsis type="section" idtype="section">
-<name>SSLPolicyDefine</name>
-<description>Define a named set of SSL configurations</description>
-<syntax><SSLPolicyDefine <em>name</em>></syntax>
-<contextlist><context>server config</context></contextlist>
-<compatibility>Available in httpd 2.4.30 and later</compatibility>
-
-<usage>
-<p>This directive defines a set of SSL* configurations under
-and gives it a name. This name can be used in the directives
-<directive>SSLPolicy</directive> and <directive>SSLProxyPolicy</directive>
-to apply this configuration set in the current context.</p>
-
-<example><title>Define and Use of a Policy</title>
-<highlight language="config">
-<SSLPolicyDefine safe-stapling>
- SSLUseStapling on
- SSLStaplingResponderTimeout 2
- SSLStaplingReturnResponderErrors off
- SSLStaplingFakeTryLater off
- SSLStaplingStandardCacheTimeout 86400
-</SSLPolicyDefine>
-
- ...
- <VirtualHost...>
- SSLPolicy safe-stapling
- ...
-</highlight>
-</example>
-
-<p>On the one hand, this can make server configurations easier to
-<em>read</em> and <em>maintain</em>. On the other hand, it is
-intended to make SSL easier and safer to <em>use</em>. For the
-latter, Apache httpd ships with a set of pre-defined policies
-that reflect good open source practise. The policy "modern",
-for example, carries the settings to make your server work
-compatible and securely with current browsers.</p>
-
-<p>The list of predefined policies in your Apache can be obtained
-by running the following command. This list shows you the
-detailed configurations each policy is made of:</p>
-
-<example><title>List all Defined Policies</title>
-<highlight language="sh">
-httpd -t -D DUMP_SSL_POLICIES
-</highlight>
-</example>
-
-<p>The directive can only be used in the server config (global context). It can take
-most SSL* directives, however a few can only be set once and are not allowed inside
-policy defintions. These are <directive>SSLCryptoDevice</directive>,
-<directive>SSLRandomSeed</directive>,
-<directive>SSLSessionCache</directive> and
-<directive>SSLStaplingCache</directive>.
-</p>
-<p>Two policies cannot have the same name. However, policies can
-be redefined:</p>
-
-<example><title>Policy Overwrite</title>
-<highlight language="config">
-<SSLPolicyDefine proxy-trust>
- SSLProxyVerify require
-</SSLPolicyDefine>
- ...
-<SSLPolicyDefine proxy-trust>
- SSLProxyVerify none
-</SSLPolicyDefine>
-</highlight>
-</example>
-
-<p>Policy definitions are <em>added</em> in the order they appear, but are
-<em>applied</em> when the whole configuration has been read. This means that any
-use of 'proxy-trust' will mean 'SSLProxyVerify none'. The first definition
-has no effect at all. That allows pre-installed policies to be replaced
-without the need to disable them.</p>
-
-<p>Additional to replacing policies, redefinitions may just alter
-an aspect of a policy:</p>
-
-<example><title>Policy Redefine</title>
-<highlight language="config">
-<SSLPolicyDefine proxy-trust>
- SSLProxyVerify require
-</SSLPolicyDefine>
- ...
-<SSLPolicyDefine proxy-trust>
- SSLPolicy proxy-trust
- SSLProxyVerifyDepth 10
-</SSLPolicyDefine>
-</highlight>
-</example>
-
-<p>This re-uses all settings from the previous 'proxy-trust' and adds
-one directive on top of it. All others still apply. This is very handy
-when pre-defined policies (from Apache itself or a distributor)
-that <em>almost</em> what you need. Previously, such definitions were
-(copied and) edited. This made updating them difficult. Now they can
-be setup like this:</p>
-
-<example><title>Tweak a Pre-Defined Policy</title>
-<highlight language="config">
-Include ssl-policies.conf
-
-<SSLPolicyDefine modern>
- SSLPolicy modern
- SSLProxyVerify none
-</SSLPolicyDefine>
-</highlight>
-</example>
-
-</usage>
-</directivesynopsis>
-
<directivesynopsis>
<name>SSLPolicy</name>
<description>Apply a SSLPolicy by name</description>
<li><code>intermediate</code>: the fallback if you need to support old (but not very old) clients.</li>
<li><code>old</code>: when you need to give Windows XP/Internet Explorer 6 access. The last resort.</li>
</ul>
+<p>SSLPolicy applies configuration settings in place, meaning previous values are
+overwritten. Configuration directives following an SSLPolicy may overwrite it.
+</p>
<p>You can check the detailed description of all defined policies via the command line:</p>
<example><title>List all Defined Policies</title>
</highlight>
</example>
-<p>A SSLPolicy defines the baseline for the context it is used in. That means that any
-other SSL* directives in the same context override it. As an example of this, see the effective
-<directive>SSLProtocol</directive> value in the following settings:</p>
-
-<example><title>Policy Precedence</title>
-<highlight language="config">
-<VirtualHost...> # effective: 'all'
- SSLPolicy modern
- SSLProtocol all
-</VirtualHost>
-
-<VirtualHost...> # effective: 'all'
- SSLProtocol all
- SSLPolicy modern
-</VirtualHost>
-
-SSLPolicy modern
-<VirtualHost...> # effective: 'all'
- SSLProtocol all
-</VirtualHost>
-
-SSLProtocol all
-<VirtualHost...> # effective: '+TLSv1.2'
- SSLPolicy modern
-</VirtualHost>
-</highlight>
-</example>
-
-<p>There can be more than one policy applied in a context. The
-later ones overshadowing the earlier ones:</p>
-
-<example><title>Policy Ordering</title>
-<highlight language="config">
-<VirtualHost...> # effective protocol: 'all -SSLv3'
- SSLPolicy modern
- SSLPolicy intermediate
-</VirtualHost>
-
-<VirtualHost...> # effective protocol: '+TLSv1.2'
- SSLPolicy intermediate
- SSLPolicy modern
-</VirtualHost>
-</highlight>
-</example>
-
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>SSLProxyPolicy</name>
-<description>Apply the SSLProxy* parts alone of a SSLPolicy</description>
-<syntax>SSLProxyPolicy <em>name</em></syntax>
-<contextlist><context>server config</context>
-<context>virtual host</context></contextlist>
-<compatibility>Available in httpd 2.4.30 and later</compatibility>
-
-<usage>
-<p>This directive is similar to <directive>SSLPolicy</directive>, but
-applies only the SSLProxy* directives defined in the policy. This helps
-when you need different policies for front and backends:</p>
-
-<example><title>Another Policies for Proxy Only</title>
-<highlight language="config">
-SSLPolicy modern
-SSLProxyPolicy intermediate
-</highlight>
-</example>
-
-<p>In this example, the 'modern' policy is first applied for front- and backend. The backend
-parts are then overwritten by the 'intermediate' policy settings.</p>
</usage>
</directivesynopsis>
sc->compression = UNSET;
#endif
sc->session_tickets = UNSET;
- sc->policies = NULL;
- sc->error_policy = NULL;
sc->enabled_on = NULL;
modssl_ctx_init_server(sc, p);
#endif
}
-static void ssl_policy_apply(SSLSrvConfigRec *sc, apr_pool_t *p);
-static void ssl_dir_policy_apply(SSLDirConfigRec *dc, apr_pool_t *p);
-
void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
{
SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
SSLSrvConfigRec *mrg = ssl_config_server_new(p);
- /* This is a NOP, unless a policy has not been applied yet */
- ssl_policy_apply(base, p);
- ssl_policy_apply(add, p);
-
cfgMerge(mc, NULL);
cfgMerge(enabled, SSL_ENABLED_UNSET);
cfgMergeInt(session_cache_timeout);
#endif
cfgMergeBool(session_tickets);
- mrg->policies = NULL;
- cfgMergeString(error_policy);
-
mrg->enabled_on = (add->enabled == SSL_ENABLED_UNSET)? base->enabled_on : add->enabled_on;
modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server);
modssl_ctx_init_proxy(dc, p);
dc->proxy_post_config = FALSE;
- dc->policies = NULL;
- dc->error_policy = NULL;
-
return dc;
}
SSLDirConfigRec *add = (SSLDirConfigRec *)addv;
SSLDirConfigRec *mrg = (SSLDirConfigRec *)apr_palloc(p, sizeof(*mrg));
- ssl_dir_policy_apply(base, p);
- ssl_dir_policy_apply(add, p);
-
cfgMerge(bSSLRequired, FALSE);
cfgMergeArray(aRequirement);
mrg->proxy = add->proxy;
}
- mrg->policies = NULL;
- cfgMergeString(error_policy);
-
return mrg;
}
static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name,
int protocols, const char *ciphers,
- int honor_order, int compression, int session_tickets,
- ssl_verify_t proxy_verify_mode, int proxy_verify_depth)
+ int honor_order, int compression, int session_tickets)
{
SSLPolicyRec *policy;
policy = apr_pcalloc(p, sizeof(*policy));
policy->name = name;
policy->sc = ssl_config_server_new(p);
- policy->dc = ssl_config_perdir_create(p, "/");
if (protocols || ciphers) {
policy->sc->server->protocol_set = 1;
policy->sc->server->protocol = protocols;
- policy->dc->proxy->protocol_set = 1;
- policy->dc->proxy->protocol = protocols;
}
if (ciphers) {
policy->sc->server->auth.cipher_suite = ciphers;
- policy->dc->proxy->auth.cipher_suite = ciphers;
}
#ifndef OPENSSL_NO_COMP
#endif
policy->sc->session_tickets = session_tickets ? TRUE : FALSE;
- policy->dc->proxy->auth.verify_mode = proxy_verify_mode;
- if (proxy_verify_depth >= 0) {
- policy->dc->proxy->auth.verify_depth = proxy_verify_depth;
- }
-
apr_hash_set(policies, policy->name, APR_HASH_KEY_STRING, policy);
}
SSL_POLICY_MODERN_CIPHERS,
SSL_POLICY_HONOR_ORDER,
SSL_POLICY_COMPRESSION,
- SSL_POLICY_SESSION_TICKETS,
- SSL_POLICY_PROXY_VERIFY_MODE,
- SSL_POLICY_PROXY_VERIFY_DEPTH);
+ SSL_POLICY_SESSION_TICKETS);
#endif
#if SSL_POLICY_INTERMEDIATE
add_policy(policies, p, "intermediate",
SSL_POLICY_INTERMEDIATE_CIPHERS,
SSL_POLICY_HONOR_ORDER,
SSL_POLICY_COMPRESSION,
- SSL_POLICY_SESSION_TICKETS,
- SSL_POLICY_PROXY_VERIFY_MODE,
- SSL_POLICY_PROXY_VERIFY_DEPTH);
+ SSL_POLICY_SESSION_TICKETS);
#endif
#if SSL_POLICY_OLD
add_policy(policies, p, "old",
SSL_POLICY_OLD_CIPHERS,
SSL_POLICY_HONOR_ORDER,
SSL_POLICY_COMPRESSION,
- SSL_POLICY_SESSION_TICKETS,
- SSL_CVERIFY_NONE,
- SSL_POLICY_PROXY_VERIFY_DEPTH);
+ SSL_POLICY_SESSION_TICKETS);
#endif
apr_pool_userdata_set(policies, SSL_MOD_POLICIES_KEY,
return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
}
-static void ssl_policy_set(apr_pool_t *pool, SSLPolicyRec *policy)
-{
- apr_hash_t *policies = get_policies(pool, 1);
- return apr_hash_set(policies, policy->name, APR_HASH_KEY_STRING, policy);
-}
-
-const char *ssl_cmd_SSLPolicyDefine(cmd_parms *cmd, void *mconfig, const char *arg)
-{
- server_rec *s = cmd->server;
- SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLDirConfigRec *dc = ap_get_module_config(s->lookup_defaults, &ssl_module);
- SSLPolicyRec *policy;
- const char *endp = ap_strrchr_c(arg, '>');
- const char *err, *name;
-
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
- return err;
- }
-
- if (endp == NULL) {
- return apr_pstrcat(cmd->pool, cmd->cmd->name, "> directive missing closing '>'", NULL);
- }
-
- arg = apr_pstrndup(cmd->pool, arg, endp-arg);
- if (!arg || !*arg) {
- return "<SSLPolicyDefine > block must specify a name";
- }
-
- name = ap_getword_white(cmd->pool, &arg);
- if (*arg != '\0') {
- return apr_pstrcat(cmd->pool, cmd->cmd->name, "> takes only 1 argument", NULL);
- }
-
- policy = apr_pcalloc(cmd->pool, sizeof(*policy));
- policy->name = name;
- policy->sc = ssl_config_server_new(cmd->pool);
- policy->sc->mc = NULL; /* No global configs during SSLPolicy definition */
- policy->dc = ssl_config_perdir_create(cmd->pool, "/");/* TODO */
-
- ap_set_module_config(s->module_config, &ssl_module, policy->sc);
- ap_set_module_config(s->lookup_defaults, &ssl_module, policy->dc);
-
- err = ap_walk_config(cmd->directive->first_child, cmd, cmd->context);
- if (!err) {
- /* If this new policy uses other policies, we need to merge it
- * before adding, otherwise a policy cannot re-use an existing one */
- ssl_policy_apply(policy->sc, cmd->pool);
- ssl_dir_policy_apply(policy->dc, cmd->pool);
- /* time to persist */
- ssl_policy_set(cmd->pool, policy);
- }
-
- ap_set_module_config(s->module_config, &ssl_module, sc);
- ap_set_module_config(s->lookup_defaults, &ssl_module, dc);
-
- return err;
-}
-
const char *ssl_cmd_SSLPolicyApply(cmd_parms *cmd, void *mconfig, const char *arg)
{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-
- if (!sc->policies) {
- sc->policies = apr_array_make(cmd->pool, 5, sizeof(const char*));
- }
- APR_ARRAY_PUSH(sc->policies, const char *) = arg;
-
- /* Also apply the proxy parts of the policy */
- return ssl_cmd_SSLProxyPolicyApply(cmd, mconfig, arg);
-}
-
-const char *ssl_cmd_SSLProxyPolicyApply(cmd_parms *cmd, void *mconfig, const char *arg)
-{
- SSLDirConfigRec *dc = ap_get_module_config(cmd->server->lookup_defaults, &ssl_module);
-
- if (!dc->policies) {
- dc->policies = apr_array_make(cmd->pool, 5, sizeof(const char*));
- }
- APR_ARRAY_PUSH(dc->policies, const char *) = arg;
-
- return NULL;
-}
-
-void ssl_policy_apply(SSLSrvConfigRec *sc, apr_pool_t *p)
-{
- SSLSrvConfigRec *mrg;
+ SSLSrvConfigRec *mrg, *sc = mySrvConfig(cmd->server);
SSLPolicyRec *policy;
- apr_array_header_t *policies;
- const char *name;
- int i;
-
- policies = sc->policies;
- if (policies && policies->nelts > 0 && !sc->error_policy) {
- sc->policies = NULL;
- for (i = policies->nelts - 1; i >= 0; --i) {
- name = APR_ARRAY_IDX(policies, i, const char *);
- policy = ssl_policy_lookup(p, name);
- if (policy) {
- mrg = ssl_config_server_merge(p, policy->sc, sc);
- /* apply in place */
- memcpy(sc, mrg, sizeof(*sc));
- }
- else {
- sc->error_policy = name;
- break;
- /* report error policies in post_config */
- }
- }
- }
-}
-
-void ssl_dir_policy_apply(SSLDirConfigRec *dc, apr_pool_t *p)
-{
- SSLDirConfigRec *mrg;
- SSLPolicyRec *policy;
- apr_array_header_t *policies;
- const char *name;
- int i;
- policies = dc->policies;
- if (policies && policies->nelts > 0 &&!dc->error_policy) {
- dc->policies = NULL;
- for (i = policies->nelts - 1; i >= 0; --i) {
- name = APR_ARRAY_IDX(policies, i, const char *);
- policy = ssl_policy_lookup(p, name);
- if (policy) {
- mrg = ssl_config_perdir_merge(p, policy->dc, dc);
- /* apply in place */
- memcpy(dc, mrg, sizeof(*dc));
- }
- else {
- dc->error_policy = name;
- break;
- /* report error policies in post_config */
- }
- }
+ policy = ssl_policy_lookup(cmd->pool, arg);
+ if (policy) {
+ mrg = ssl_config_server_merge(cmd->pool, policy->sc, sc);
+ /* apply in place */
+ memcpy(sc, mrg, sizeof(*sc));
+ return NULL;
}
+ return apr_pstrcat(cmd->pool,
+ "An SSLPolicy with the name '", arg,
+ "' does not exist", NULL);
}
/*
static void ssl_srv_dump(SSLSrvConfigRec *sc, apr_pool_t *p,
apr_file_t *out, const char *indent, const char **psep);
-static void ssl_dir_dump(SSLDirConfigRec *dc, apr_pool_t *p,
- apr_file_t *out, const char *indent, const char **psep);
static void ssl_policy_dump(SSLPolicyRec *policy, apr_pool_t *p,
apr_file_t *out, const char *indent);
}
}
-static void val_option_dump(apr_file_t *out, const char *key, const char *optname,
- int val, int set_mask, int add_mask, int del_mask,
- apr_pool_t *p, const char *indent, const char **psep)
-{
- const char *op = ((val & set_mask)? "" :
- ((val & add_mask)? "+" :
- (val & del_mask)? "-" : NULL));
- if (op) {
- apr_file_printf(out, "%s\n%s\"%s\": \"%s%s\"", *psep, indent, key, op,
- json_quote(optname, p));
- *psep = ", ";
- }
-}
-
static const char *protocol_str(ssl_proto_t proto, apr_pool_t *p)
{
if (SSL_PROTOCOL_NONE == proto) {
DMP_ON_OFF("SSLFIPS", sc->fips);
#endif
DMP_ON_OFF("SSLSessionTickets", sc->session_tickets);
- DMP_STRARR("SSLPolicy", sc->policies);
-}
-
-static void ssl_dir_dump(SSLDirConfigRec *dc, apr_pool_t *p,
- apr_file_t *out, const char *indent, const char **psep)
-{
- int i;
-
- DMP_ON_OFF("SSLProxyEngine", dc->proxy_enabled);
-
- modssl_ctx_dump(dc->proxy, p, 1, out, indent, psep);
-
- if (dc->bSSLRequired == TRUE) {
- DMP_ON_OFF("SSLRequireSSL", dc->bSSLRequired);
- }
- if (dc->aRequirement && dc->aRequirement->nelts > 0) {
- ssl_require_t *r = (ssl_require_t *)dc->aRequirement->elts;
- for (i = 0; i < dc->aRequirement->nelts; ++i, ++r) {
- DMP_STRING("SSLRequire", r->cpExpr);
- }
- }
- DMP_OPTION("StdEnvVars", SSL_OPT_STDENVVARS);
- DMP_OPTION("ExportCertData", SSL_OPT_EXPORTCERTDATA);
- DMP_OPTION("FakeBasicAuth", SSL_OPT_FAKEBASICAUTH);
- DMP_OPTION("StrictRequire", SSL_OPT_STRICTREQUIRE);
- DMP_OPTION("OptRenegotiate", SSL_OPT_OPTRENEGOTIATE);
- DMP_OPTION("LegacyDNStringFormat", SSL_OPT_LEGACYDNFORMAT);
- DMP_STRARR("SSLProxyPolicy", dc->policies);
}
static void ssl_policy_dump(SSLPolicyRec *policy, apr_pool_t *p,
if (policy->sc) {
ssl_srv_dump(policy->sc, p, out, indent, &sep);
}
- if (policy->dc) {
- ssl_dir_dump(policy->dc, p, out, indent, &sep);
- }
}
projects / thirdparty / apache / httpd.git / commitdiff
