Joe Orton [Tue, 12 Oct 2004 11:55:30 +0000 (11:55 +0000)]
* os/unix/os.h: Define AP_NEED_SET_MUTEX_PERMS.
* modules/mappers/mod_rewrite.c, modules/ssl/ssl_engine_mutex.c: Use
AP_NEED_SET_MUTEX_PERMS to determine whether unixd_set_*_mutex_perms
calls are necessary.
Joe Orton [Fri, 8 Oct 2004 11:59:33 +0000 (11:59 +0000)]
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
Joe Orton [Wed, 22 Sep 2004 15:32:09 +0000 (15:32 +0000)]
* modules/ssl/ssl_scache_shmcb.c (ssl_scahe_shmcb_init): If anonymous
shm is not supported, always remove the named segment first to cope
with unclean shutdowns.
Joe Orton [Wed, 18 Aug 2004 11:05:22 +0000 (11:05 +0000)]
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_remain): New
function. (ssl_var_lookup_ssl_cert): Support _V_REMAIN suffix for
SSL_{SERVER,CLIENT} as number of days until certificate expires.
* modules/ssl_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if
+StdEnvVars is configured.
Joe Orton [Wed, 11 Aug 2004 13:19:24 +0000 (13:19 +0000)]
* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix potential
infinite loop in ssl_io_input_getline if connection is aborted without
inctx->rc being set.
Fix SEGV in 'shmcb' session cache:
When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.
In the newer versions of OpenSSL, the flag SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.
Joe Orton [Sat, 6 Mar 2004 16:47:41 +0000 (16:47 +0000)]
Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:
* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.
* support/Makefile.in: Link ab against SSL_LIBS.
* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.
Allow the enabled flag to be set to more than just TRUE or FALSE so that
the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function.
Allow the enabled flag to be set to more that just TRUE or FALSE so that
the OPTIONAL flag is correctly merged within the
ssl_config_server_merge() function.
Joe Orton [Thu, 4 Mar 2004 20:39:53 +0000 (20:39 +0000)]
* modules/ssl/ssl_engine_vars (ssl_var_lookup): const'ify result and
drop a bunch of casts; use apr_table_get directly in place of
ssl_var_lookup_header.
(ssl_var_lookup_header): Remove function.
Joe Orton [Thu, 4 Mar 2004 13:42:09 +0000 (13:42 +0000)]
* modules/ssl/ssl_engine_vars (ssl_var_lookup): Optimise such that
lookup of SSL_* variables (the common case) requires 2 rather than 29
strcasecmp calls before getting to ssl_var_lookup_ssl().
Joe Orton [Sat, 28 Feb 2004 22:56:01 +0000 (22:56 +0000)]
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): For a DN
which includes several RDNs with the same OID, allow lookup of any
particular RDN using an "_<n>" suffix on the name.
Send the 'Close Alert' message to the peer upon closing a SSL session. This
required creating a new EOC (End-Of-Connection) bucket type to notify mod_ssl
that the connection is about to be closed.
Joe Orton [Fri, 23 Jan 2004 16:50:24 +0000 (16:50 +0000)]
* modules/ssl/ssl_engine_io.c (ssl_io_filter_output): Use non-blocking
bucket reads whilst data remains available; flush when a read returns
EAGAIN. Fixes streaming nph- CGI scripts over SSL.
Joe Orton [Tue, 25 Nov 2003 13:10:09 +0000 (13:10 +0000)]
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Only call
ssl_var_lookup_ssl for a real SSL connection; fix lookup of "HTTPS"
for non-SSL connections.
(ssl_var_log_handler_x): Give results for non-SSL connections too;
e.g. %{HTTPS}x does the right thing.
Joe Orton [Tue, 25 Nov 2003 12:35:45 +0000 (12:35 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.
Simplify includes - we always (in HTTPD 2.1 forward) are looking
for the openssl/foo.h headers explicitly. Fix the abs.dsp build
to define HAVE_OPENSSL instead of USE_SSL so the correct headers
are included upfront.
Cliff Woolley [Tue, 12 Aug 2003 20:58:53 +0000 (20:58 +0000)]
Make mod_ssl consistent with itself when you have a halfass install of
openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied. otherwise, mod_ssl
will fail to link.
Sander Striker [Thu, 7 Aug 2003 23:57:11 +0000 (23:57 +0000)]
Add an error msg when encountering a spoofed identity. If this would
have been here in the first place. Makes issues like these be found
easier in the future.
The fix is to make mod_ssl's check_user_id hook stop tripping
over it's own checks in case of a subrequest. That is, it
should DECLINE in case of a subrequest.
Although we initialize mc->pid in the child init phase,
we haven't initialized it before initially performing
our ssl_rand_seed() in the parent/postconfig phase.
Joe Orton [Mon, 21 Jul 2003 12:02:40 +0000 (12:02 +0000)]
Prevent segfaults after SSL renegotiation failures.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.
* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.
PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton
SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]
Reaction to Jeff Trawick's observations that we are double-initializing
dynalinked OpenSSL Engines and Configs. Move the library teardown code
so that it is torn down in the proper order, corresponding to when the
library itself was initialized. And leave a little reminder that some
memory diagnostics would be good if OpenSSL is built for malloc debugging.
Jeff Trawick [Sat, 7 Jun 2003 19:50:01 +0000 (19:50 +0000)]
Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex.
This resolves a fatal problem with mod_rewrite on systems where
APR uses flock-based mutex.
It simplifies mod_ssl as well, which had special logic to perform
the chown(). It fixed an init error with mod_ssl on systems where
flock is used when the user had no SSLMutex directive.
The Unix MPMs continue to call unixd_set_global|proc_mutex_perms()
only for SysV sems. There is no permission problem with flock-based
accept mutexes since the child init logic for the MPMs is done
prior to switching identity.
The right patch (thanks to Eric for identifying the wrong patch) to move
SSL_library_init() into the register hooks phase. OpenSSL_add_ssl_algorithms
devolves to SSL_library_init, which is the same for most toolkits (and would
be accomodated in ssl_toolkit_config.h if not.)
OpenSSL_add_all_algorithms is simply an alias for SSL_load_library.
Note that the entire schema of what-we-load-how follows from
OpenSSL 0.9.7's own apps/ example applications. More review
is greatly desired, but that's where I believed I should
start looking for the 'correct' order of operations.
Provide a far more useful explanation when SSLCryptoDevice fails to
find a device. Still would be nice to implement dynamic:{options}
but this gets us to display the usual, builtin devices.
We now load builtin engines up front, in the pre_config phase, because
this and any other config cmd processor must have an already valid
library config. So loading builtin engines becomes redundant in this
cmd handler.
Solve a pretty horrific bug in SSLCryptoDevice and other places where
the config cmd processors should be examining the SSL context. We must
initialize the SSL library before we can actually obtain any useful
information from the SSL library.
Based on list discussion between myself and Geoff, it seems prudent
to check for both the existence of the openssl/engine.h header file
and some 'expected function' such as ENGINE_init() (better suggestions
are welcome.) Also clear up some confusion; so long as we have
ENGINE_load_builtin_engines() we should attempt to preload those.
This patch protects all ENGINE-based code within the tests for the
engine header and function, and changes a version test into a
function test.
The patch below reverts the prior commit to eliminate SSL_set_state().
Some additional work or research is required in order to pass the
perl-framework regressions, but I don't have the cycles and don't
care to leave the broken code in cvs HEAD.
REVERTING: wrowe 2003/05/19 08:13:19
Modified: modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
ssl_toolkit_compat.h
Log:
Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL.
projects / thirdparty / apache / httpd.git / log
