git.ipfire.org Git - thirdparty/apache/httpd.git/log

* modules/ssl/ssl_engine_io.c (bio_filter_out_flush): Create a new
brigade for sending output after passing on the current one.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103967 13f79535-47bb-0310-9956-ffa450edef68

Add "SSLUserName" directive to set r->user based on a chosen SSL
environment variable name.

* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.

* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
the value of the chosen SSL environment variable.

* modules/ssl/mod_ssl.c: Add SSLUserName config directive.

PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103834 13f79535-47bb-0310-9956-ffa450edef68

Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag
which uses the server's cipher preference order rather than the
client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68

Drop support for the "CompatEnvVars" argument to SSLOptions, which was
never implemented in 2.0 and never needed to be.

* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.

* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103829 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache.c (ssl_scache_expire): Remove unused function.

* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_expire): Likewise.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_expire): Likewise.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_expire): Make static.

* modules/ssl/ssl_private.h: Remove prototypes.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103793 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_util.c, modules/ssl/ssl_private.h: Remove unused
functions ssl_util_strupper, ssl_util_ptxtstub, and
ssl_util_uuencode*.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103755 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer
overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103754 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Fix gcc
strict-aliasing warning.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103688 13f79535-47bb-0310-9956-ffa450edef68

Fix SEGV in 'shmcb' session cache:
When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68

In the newer versions of OpenSSL, the flag SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.

PR: 26562
Reviewed by: Geoff Thorpe, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103165 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_cleanup): Don't try and
send an SSL shutdown from a pool cleanup.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103156 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_log.c (ssl_log_annotation): const-ify more.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102943 13f79535-47bb-0310-9956-ffa450edef68

Pick up mod_status.h

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102938 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation,
ssl_log_ssl_error): const-ify annotation strings and simplify
ssl_log_annotation.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102927 13f79535-47bb-0310-9956-ffa450edef68

Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:

* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.

* support/Makefile.in: Link ab against SSL_LIBS.

* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.

PR: 17217

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102870 13f79535-47bb-0310-9956-ffa450edef68

Allow the enabled flag to be set to more than just TRUE or FALSE so that
the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102860 13f79535-47bb-0310-9956-ffa450edef68

Allow the enabled flag to be set to more that just TRUE or FALSE so that
the OPTIONAL flag is correctly merged within the
ssl_config_server_merge() function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102859 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL
error stack contents if engine load/init fails.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102857 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print
an unsigned long.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102856 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup,
ssl_var_lookup_ssl_cipher): Use apr_itoa instead of psprintf %d.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102855 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars (ssl_var_lookup): const'ify result and
drop a bunch of casts; use apr_table_get directly in place of
ssl_var_lookup_header.
(ssl_var_lookup_header): Remove function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102854 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars (ssl_var_lookup): Optimise such that
lookup of SSL_* variables (the common case) requires 2 rather than 29
strcasecmp calls before getting to ssl_var_lookup_ssl().

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102851 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/mod_ssl.h: Declare ssl_is_https optional function.

* modules/ssl/ssl_engine_vars (ssl_is_https): New function.
(ssl_var_register): Register it.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102850 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars (ssl_var_lookup): Fix potential
segfaults if called with r=NULL, c!=NULL, spotted by Andr��.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102849 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_disable,
ssl_io_filter_error): Clear the SSL * pointer in the SSLConnRec too.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102819 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Simplify
to use apr_pstrmemdup.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102815 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): For a DN
which includes several RDNs with the same OID, allow lookup of any
particular RDN using an "_<n>" suffix on the name.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102813 13f79535-47bb-0310-9956-ffa450edef68

Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.

* Makefile.in (install-include): Only install mod_ssl.h.

* modules/ssl/ssl_private.h: New file.

* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.

* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h

* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.

* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102803 13f79535-47bb-0310-9956-ffa450edef68

Relicense.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102799 13f79535-47bb-0310-9956-ffa450edef68

Send the 'Close Alert' message to the peer upon closing a SSL session. This
required creating a new EOC (End-Of-Connection) bucket type to notify mod_ssl
that the connection is about to be closed.

Reviewed by: Joe Orton, Justin Erenkrantz

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102793 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_disable): Don't leak an
SSL structure for each plain-HTTP-on-SSL-port request.

PR: 27106

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102770 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Wording
tweaks.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102747 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_init): Use an
anonymous shm segment by default or fall back on name-based shm.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102746 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_pphrase.c: Note that the ERR_clear_error()
call is not merely a cosmetic fix in light of PR 21160.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102628 13f79535-47bb-0310-9956-ffa450edef68

fix name of The Apache Software Foundation

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102618 13f79535-47bb-0310-9956-ffa450edef68

fix copyright dates according to the first check in

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102573 13f79535-47bb-0310-9956-ffa450edef68

apply Apache License, Version 2.0

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102525 13f79535-47bb-0310-9956-ffa450edef68

We need the SSL module dir in our path in order to compile mod_ssl.
Otherwise, we can't find mod_ssl.h.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102515 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_output): Use non-blocking
bucket reads whilst data remains available; flush when a read returns
EAGAIN. Fixes streaming nph- CGI scripts over SSL.

PR: 21944
Inspired by: Jeff Trawick

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102397 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl): Fix segfault if
SSL_get_session() returns NULL.

PR: 15057
Submitted by: Otmar Lendl (lendl@nic.at)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102281 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_dc.c: Add the Apache Software License.

* modules/ssl/mod_ssl.h: Undo accidental comment change in previous
commit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102228 13f79535-47bb-0310-9956-ffa450edef68

Add support to mod_ssl for a distributed session cache using
distcache.

* LAYOUT: Update for removal of scache_shmht and addition of scache_dc.

* modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo.

* modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck).

* modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow
use of dc: argument.

* modules/ssl/ssl_scache_dc.c: New file.

* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove,
ssl_ext_status_hook): Hook into scache_dc.

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102227 13f79535-47bb-0310-9956-ffa450edef68

update license to 2004.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102135 13f79535-47bb-0310-9956-ffa450edef68

We need the error strings loaded as early as possible

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102067 13f79535-47bb-0310-9956-ffa450edef68

get mod_ssl.dsp to load again
(we *x weenies have to be careful :) )

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102062 13f79535-47bb-0310-9956-ffa450edef68

Fix format string warnings from gcc on amd64:

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_store):
Print apr_size_t using APR_SIZE_T_FMT.

* modules/ssl/ssl_engine_io.c (ssl_filter_write): Print difference
between sizes using APR_SSIZE_T_FMT, apr_size_t using APR_SIZE_T_FMT.

* modules/proxy/proxy_http.c (ap_proxy_http_request): Print
apr_uint64_t using APR_UINT64_T_HEX_FMT.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102037 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/mod_ssl.h: Remove prototypes for shmht.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101900 13f79535-47bb-0310-9956-ffa450edef68

Extend mod_status output to include SSL session cache status
information:

* modules/ssl/mod_ssl.c (ssl_hook_pre_config): Call
ssl_scache_status_register.

* modules/ssl/ssl_scache.c (ssl_scache_status): Removed function.
(ssl_ext_status_hook): Renamed from ssl_ext_ms_display: switch to
2.1's mod_status "status_hook" API.
(ssl_scache_status_register): Register optional hook.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_status): Adjust to use
new API.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_status): Adjust
to use new API.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101889 13f79535-47bb-0310-9956-ffa450edef68

Remove shmht session cache in favour of shmcb; shmht has had
data corruption bugs since being apr_rmm'ified.

* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.

* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.

* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.

* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.

* ssl_scache.c: Remove shmht hooks throughout.

* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101888 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_log_handler_x): Fix
unused variable from previous commit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101881 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Only call
ssl_var_lookup_ssl for a real SSL connection; fix lookup of "HTTPS"
for non-SSL connections.
(ssl_var_log_handler_x): Give results for non-SSL connections too;
e.g. %{HTTPS}x does the right thing.

PR: 23956

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101880 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_version):
Determine the library version string at run-time rather than at
compile-time.

Submitted by: Eric Seidel <eseidel@apple.com>
PR: 23956

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101879 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.

PR: 24030

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101878 13f79535-47bb-0310-9956-ffa450edef68

Sync with APR-util deprecated functions.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101789 13f79535-47bb-0310-9956-ffa450edef68

* ssl_engine_log.c (ssl_log_ssl_error): Use the thread-safe
interface for retrieving error strings.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101625 13f79535-47bb-0310-9956-ffa450edef68

Fix missing human-readable error information in SSL log messages:

* mod_ssl.c (ssl_cleanup_pre_config): Don't free the error strings,
since they can't be loaded again once.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101624 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_log_handler_c): Fix
segfault on a non-SSL request.

PR: 22741
Submitted by: Gary E. Miller <gem@rellim.com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101534 13f79535-47bb-0310-9956-ffa450edef68

Fix a cosmetic issue where OpenSSL 0.9.7 will dump the error stack
during pass phrase entry.

* ssl_engine_pphrase.c (ssl_pphrase_Handle): Clear the OpenSSL error
stack before reading the private key.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101515 13f79535-47bb-0310-9956-ffa450edef68

SSL-C doesn't declare the char* file arg const, so we shouldn't either.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101303 13f79535-47bb-0310-9956-ffa450edef68

These silent errors have bitten me a few times, now that we
use APR'd dbm. mod_ssl had hacked sdbm for larger sizes.

PR:
Obtained from:
Submitted by:
Reviewed by:

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101214 13f79535-47bb-0310-9956-ffa450edef68

  Simplify includes - we always (in HTTPD 2.1 forward) are looking
  for the openssl/foo.h headers explicitly.  Fix the abs.dsp build
  to define HAVE_OPENSSL instead of USE_SSL so the correct headers
  are included upfront.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101195 13f79535-47bb-0310-9956-ffa450edef68

switch to APR 1.0 API (which is still in flux)

because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101154 13f79535-47bb-0310-9956-ffa450edef68

* ssl_engine_io.c (ssl_io_filter_connect): Check the
library code as well as the reason code when looking for the
plain-HTTP-request error.

Submitted by: Stephen Henson <steve@openssl.org>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101135 13f79535-47bb-0310-9956-ffa450edef68

Make mod_ssl consistent with itself when you have a halfass install of
openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied. otherwise, mod_ssl
will fail to link.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100970 13f79535-47bb-0310-9956-ffa450edef68

Trivial change to reporting an error when an identity spoof is
encountered with respect to FakeBasicAuth.

Submitted by: Greg Stein

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100941 13f79535-47bb-0310-9956-ffa450edef68

Add an error msg when encountering a spoofed identity. If this would
have been here in the first place. Makes issues like these be found
easier in the future.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100937 13f79535-47bb-0310-9956-ffa450edef68

Fix FakeBasicAuth for subrequests.  This was reported via issue
#1364 in Subversion:

  http://subversion.tigris.org/issues/show_bug.cgi?id=1364

The fix is to make mod_ssl's check_user_id hook stop tripping
over it's own checks in case of a subrequest.  That is, it
should DECLINE in case of a subrequest.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100926 13f79535-47bb-0310-9956-ffa450edef68

  Although we initialize mc->pid in the child init phase,
  we haven't initialized it before initially performing
  our ssl_rand_seed() in the parent/postconfig phase.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100912 13f79535-47bb-0310-9956-ffa450edef68

Prevent the OpenSSL id_callback from pointing at a mod_ssl
function after mod_ssl is unloaded.

* ssl_util.c (ssl_util_thread_cleanup): Clear the id_callback.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100767 13f79535-47bb-0310-9956-ffa450edef68

Prevent segfaults after SSL renegotiation failures.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.

* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.

PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100720 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix a problem setting variables that represent the
client certificate chain.

PR: 21371

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100605 13f79535-47bb-0310-9956-ffa450edef68

not valid to modify string pointed to by szCryptoDevice... it points to a
static string or something parsed from the config

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100603 13f79535-47bb-0310-9956-ffa450edef68

Forward port patch for CAN-2003-0192 from 2.0.

SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100518 13f79535-47bb-0310-9956-ffa450edef68

  Narrow the scope of several OPENSSL-specific setup and teardown calls
  to only OpenSSL based builds.

  Also introduce success result for the registered cleanup callback
  to clean up a compiler emit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100348 13f79535-47bb-0310-9956-ffa450edef68

Use portable macro instead of the (no longer working) Apache-1.3 code

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100314 13f79535-47bb-0310-9956-ffa450edef68

Needed on EBCDIC systems

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100313 13f79535-47bb-0310-9956-ffa450edef68

  Reaction to Jeff Trawick's observations that we are double-initializing
  dynalinked OpenSSL Engines and Configs.  Move the library teardown code
  so that it is torn down in the proper order, corresponding to when the
  library itself was initialized.  And leave a little reminder that some
  memory diagnostics would be good if OpenSSL is built for malloc debugging.

Suggested by: Geoff Thorpe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100288 13f79535-47bb-0310-9956-ffa450edef68

OPENSSL_load_builtin_modules -appears- to have been introduced in beta-1,
but boy is this a hassle to determine without gstein's viewcvs ;-)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100211 13f79535-47bb-0310-9956-ffa450edef68

Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms().  Allow the functions to be
called for any type of mutex.

This resolves a fatal problem with mod_rewrite on systems where
APR uses flock-based mutex.

It simplifies mod_ssl as well, which had special logic to perform
the chown().  It fixed an init error with mod_ssl on systems where
flock is used when the user had no SSLMutex directive.

The Unix MPMs continue to call unixd_set_global|proc_mutex_perms()
only for SysV sems.  There is no permission problem with flock-based
accept mutexes since the child init logic for the MPMs is done
prior to switching identity.

PR:              20312

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100189 13f79535-47bb-0310-9956-ffa450edef68

  The right patch (thanks to Eric for identifying the wrong patch) to move
  SSL_library_init() into the register hooks phase.  OpenSSL_add_ssl_algorithms
  devolves to SSL_library_init, which is the same for most toolkits (and would
  be accomodated in ssl_toolkit_config.h if not.)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100136 13f79535-47bb-0310-9956-ffa450edef68

Revert revision 1.81 which called non-existent SSL_load_library.

No idea where this was seen, but OpenSSL 0.9.7b does not have this. This
gets mod_ssl working again.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100122 13f79535-47bb-0310-9956-ffa450edef68

  OpenSSL_add_all_algorithms is simply an alias for SSL_load_library.

  Note that the entire schema of what-we-load-how follows from
  OpenSSL 0.9.7's own apps/ example applications.  More review
  is greatly desired, but that's where I believed I should
  start looking for the 'correct' order of operations.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100110 13f79535-47bb-0310-9956-ffa450edef68

  Provide a far more useful explanation when SSLCryptoDevice fails to
  find a device.  Still would be nice to implement dynamic:{options}
  but this gets us to display the usual, builtin devices.

  We now load builtin engines up front, in the pre_config phase, because
  this and any other config cmd processor must have an already valid
  library config.  So loading builtin engines becomes redundant in this
  cmd handler.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100108 13f79535-47bb-0310-9956-ffa450edef68

  Solve a pretty horrific bug in SSLCryptoDevice and other places where
  the config cmd processors should be examining the SSL context.  We must
  initialize the SSL library before we can actually obtain any useful
  information from the SSL library.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100107 13f79535-47bb-0310-9956-ffa450edef68

  Based on list discussion between myself and Geoff, it seems prudent
  to check for both the existence of the openssl/engine.h header file
  and some 'expected function' such as ENGINE_init() (better suggestions
  are welcome.)  Also clear up some confusion; so long as we have
  ENGINE_load_builtin_engines() we should attempt to preload those.

  This patch protects all ENGINE-based code within the tests for the
  engine header and function, and changes a version test into a
  function test.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100104 13f79535-47bb-0310-9956-ffa450edef68

These tests now exist in acinclude.m4

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100041 13f79535-47bb-0310-9956-ffa450edef68

  The patch below reverts the prior commit to eliminate SSL_set_state().
  Some additional work or research is required in order to pass the
  perl-framework regressions, but I don't have the cycles and don't
  care to leave the broken code in cvs HEAD.

REVERTING: wrowe 2003/05/19 08:13:19

  Modified:    modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
                        ssl_toolkit_compat.h
  Log:
    Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
    rehandshaking the SSL connection, vis-a-vis ApacheSSL.

  Revision  Changes    Path
  1.15      +0 -1      httpd-2.0/modules/ssl/config.m4
  1.108     +1 -1      httpd-2.0/modules/ssl/ssl_engine_io.c
  1.93      +1 -1      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  1.34      +0 -6      httpd-2.0/modules/ssl/ssl_toolkit_compat.h

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100004 13f79535-47bb-0310-9956-ffa450edef68

Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99921 13f79535-47bb-0310-9956-ffa450edef68

Drop archiac notes - no special steps required once we test for ENGINE_init()

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99920 13f79535-47bb-0310-9956-ffa450edef68

Roll away the SSL_EXPERIMENTAL_ENGINE test in favor of testing for the
ENGINE_init() function in config.m4, and rely on HAVE_ENGINE_INIT instead.

Reviewed by: Ben Laurie (concept)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99919 13f79535-47bb-0310-9956-ffa450edef68

First point out that we lost HAVE_SSL_SET_STATE and HAVE_SSL_SET_CERT_STORE
autoconf discovery.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99918 13f79535-47bb-0310-9956-ffa450edef68

Get the AP_ and APR_ prefixes right.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99879 13f79535-47bb-0310-9956-ffa450edef68

Why wouldn't this be a mod_ssl header?

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99871 13f79535-47bb-0310-9956-ffa450edef68

  Assure that we block on the read BIO when we invoke the read BIO for both
  first-use cases (via ssl_io_input_add_filter) and when we are writing and
  need response from the client (via ssl_io_filter_output).  Both of these
  cases are always blocking.  [

PR: 19242
Submitted by: David Deaves <David.Deaves@dd.id.au>, William Rowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99863 13f79535-47bb-0310-9956-ffa450edef68

tweak the const-ness of MODSSL_INFO_CB_ARG_TYPE based on the OpenSSL
version

this resolves some warnings with RH 8 (OpenSSL 0.9.6)
and some errors with AIX's native compiler (OpenSSL 0.9.6)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99678 13f79535-47bb-0310-9956-ffa450edef68

Further breakage from r.1.131: MODSSL_INFO_CB_ARG_TYPE also includes the *.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99279 13f79535-47bb-0310-9956-ffa450edef68

Fix compile breakage introduced in r1.131.

MODSSL_INFO_CB_ARG_TYPE already includes 'SSL' in its type. Don't duplicate.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99278 13f79535-47bb-0310-9956-ffa450edef68

  Solve SSL-C breakage introduced in mod_ssl.h rev 1.129 and
  ssl_engine_kernel.c rev 1.88.  SSL* is not const under SSL-C.

  I've confirmed Jeff's comment that the original patch doesn't harm
  earlier OpenSSL versions which declared no arguments at all.

  I suspect now that we could fold
     #define MODSSL_BIO_CB_ARG_TYPE const char
     #define MODSSL_CRYPTO_CB_ARG_TYPE const char
     #define MODSSL_INFO_CB_ARG_TYPE const SSL*
  into a single MODSSL_CB_ARG_CONST define, but this works for now.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99263 13f79535-47bb-0310-9956-ffa450edef68

Noop MS DevStudio IDE change\r to include ssl_toolkit_compat.h
in the list of project headers.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99261 13f79535-47bb-0310-9956-ffa450edef68