Hi folks,
httpd has (at least) two committers from the OpenSSL project
working on mod_ssl - here's what they've recently done. Since
OpenSSL 1.0.1 is edging closer, and with it TLSv1.1 and TLSv1.2,
I think we should try to catch up, ASAP :)
So long,
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
--- Begin Message ---
Author: kbrand
Date: Sat Dec 24 07:31:50 2011
New Revision: 1222930
URL: http://svn.apache.org/viewvc?rev=1222930&view=rev
Log:
add missing #ifdef in ssl_cmd_protocol_parse (should have been in r1222921)
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1222930&r1=1222929&r2=1222930&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sat Dec 24 07:31:50 2011
@@ -1283,12 +1283,14 @@ static const char *ssl_cmd_protocol_pars
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
}
+#ifdef HAVE_TLSV1_X
else if (strcEQ(w, "TLSv1.1")) {
thisopt = SSL_PROTOCOL_TLSV1_1;
}
else if (strcEQ(w, "TLSv1.2")) {
thisopt = SSL_PROTOCOL_TLSV1_2;
}
+#endif
else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL;
}
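Review bot: With this guard in place, a `TLSv1.1` or `TLSv1.2` token on a build against OpenSSL older than 1.0.1 falls through to the remaining branches of ssl_cmd_protocol_parse, which lie outside this hunk. If that tail is the generic unknown-keyword error, an administrator gets no hint that the name is valid but unsupported by the linked library. An `#else` branch matching the two names and returning a message along the lines of `"TLSv1.1 and TLSv1.2 require OpenSSL 1.0.1 or later"` would make the failure self-explanatory.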
--- End Message ---
--- Begin Message ---
Author: kbrand
Date: Sat Dec 24 06:40:10 2011
New Revision: 1222921
URL: http://svn.apache.org/viewvc?rev=1222921&view=rev
Log:
SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when
compiled against OpenSSL 1.0.1 or later. Update documentation.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1222921&r1=1222920&r2=1222921&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Sat Dec 24 06:40:10 2011
@@ -61,7 +61,7 @@ compatibility variables.</p>
<th>Description:</th>
</tr>
<tr><td><code>HTTPS</code></td> <td>flag</td>
<td>HTTPS is being used.</td></tr>
-<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td>
<td>The SSL protocol version (SSLv3, TLSv1)</td></tr>
+<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td>
<td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr>
<tr><td><code>SSL_SESSION_ID</code></td> <td>string</td>
<td>The hex-encoded SSL session id</td></tr>
<tr><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td>
<td>Initial or Resumed SSL Session. Note: multiple requests may be served over
the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
<tr><td><code>SSL_SECURE_RENEG</code></td> <td>string</td>
<td><code>true</code> if secure renegotiation is supported, else
<code>false</code></td></tr>
@@ -588,15 +588,25 @@ The available (case-insensitive) <em>pro
<li><code>TLSv1</code>
<p>
- This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
- successor to SSLv3 and was originally defined in <a
href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>
- (obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>
- and <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a> in
- the meantime).</p></li>
+ This is the Transport Layer Security (TLS) protocol, version 1.0.
+ It is the successor to SSLv3 and is defined in
+ <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>.</p></li>
+
+<li><code>TLSv1.1</code> (when using OpenSSL 1.0.1 and later)
+ <p>
+ A revision of the TLS 1.0 protocol, as defined in
+ <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>.</p></li>
+
+<li><code>TLSv1.2</code> (when using OpenSSL 1.0.1 and later)
+ <p>
+ A revision of the TLS 1.1 protocol, as defined in
+ <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
<li><code>all</code>
<p>
- This is a shortcut for ``<code>+SSLv3 +TLSv1</code>''.</p></li>
+ This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
+ - when using OpenSSL 1.0.1 and later -
+ ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
</ul>
<example><title>Example</title>
SSLProtocol TLSv1
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1222921&r1=1222920&r2=1222921&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Dec 24 06:40:10 2011
@@ -130,7 +130,11 @@ static const command_rec ssl_config_cmds
"('N' - number of seconds)")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
- "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+ "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
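Review bot: The `#ifdef HAVE_TLSV1_X` / `#else` / `#endif` at lines 124-128 sits inside the argument list of the SSL_CMD_SRV() macro invocation, and preprocessing directives inside macro arguments are undefined behaviour (C99 6.10.3p11) — GCC documents that it tolerates this, but other compilers may reject or mis-expand it. Select the help text once, outside any invocation, as a file-level macro and pass a single concatenated literal; the same macro can then serve the ProxyProtocol entry further down the table. The rewritten lines below assume the macro is defined above `ssl_config_cmds[]`, whose definition starts outside this hunk. The table also continues past the end of the hunk.
```c
/* placed above the ssl_config_cmds[] table, once per file */
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS_HELP "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)"
#else
#define SSL_PROTOCOLS_HELP "('[+-][SSLv3|TLSv1] ...' - see manual)"
#endif

/* … unchanged: preceding ssl_config_cmds entries … */
    SSL_CMD_SRV(Protocol, RAW_ARGS,
                "Enable or disable various SSL protocols"
                SSL_PROTOCOLS_HELP)
```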
@@ -148,7 +152,11 @@ static const command_rec ssl_config_cmds
"('on', 'off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
- "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+ "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"('XXX:...:XXX' - see manual)")
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1222921&r1=1222920&r2=1222921&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sat Dec 24 06:40:10 2011
@@ -1283,6 +1283,12 @@ static const char *ssl_cmd_protocol_pars
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
}
+ else if (strcEQ(w, "TLSv1.1")) {
+ thisopt = SSL_PROTOCOL_TLSV1_1;
+ }
+ else if (strcEQ(w, "TLSv1.2")) {
+ thisopt = SSL_PROTOCOL_TLSV1_2;
+ }
else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL;
}
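Review bot: `SSL_PROTOCOL_TLSV1_1` and `SSL_PROTOCOL_TLSV1_2` are only defined under HAVE_TLSV1_X in this commit's ssl_private.h change, so these two new branches fail to compile against OpenSSL releases before 1.0.1. They need the same `#ifdef HAVE_TLSV1_X` / `#endif` guard the ssl_engine_init.c call sites carry — which is exactly what r1222930, quoted earlier in this thread, adds. ssl_cmd_protocol_parse continues outside this hunk.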
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1222921&r1=1222920&r2=1222921&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Dec 24 06:40:10 2011
@@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server
cp = apr_pstrcat(p,
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
+#ifdef HAVE_TLSV1_X
+ (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
+ (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
+#endif
NULL);
cp[strlen(cp)-2] = NUL;
@@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
}
+#ifdef HAVE_TLSV1_X
+ else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+ method = mctx->pkp ?
+ TLSv1_1_client_method() : /* proxy */
+ TLSv1_1_server_method(); /* server */
+ }
+ else if (protocol == SSL_PROTOCOL_TLSV1_2) {
+ method = mctx->pkp ?
+ TLSv1_2_client_method() : /* proxy */
+ TLSv1_2_server_method(); /* server */
+ }
+#endif
else { /* For multiple protocols, we need a flexible method */
method = mctx->pkp ?
SSLv23_client_method() : /* proxy */
@@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
}
+#ifdef HAVE_TLSV1_X
+ if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+ }
+
+ if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
+
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (sc->cipher_server_pref == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1222921&r1=1222920&r2=1222921&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Dec 24 06:40:10 2011
@@ -176,6 +176,10 @@
#endif
#endif
+#ifdef SSL_OP_NO_TLSv1_2
+#define HAVE_TLSV1_X
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -316,7 +320,14 @@ typedef int ssl_opt_t;
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifdef HAVE_TLSV1_X
+#define SSL_PROTOCOL_TLSV1_1 (1<<3)
+#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
typedef int ssl_proto_t;
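Review bot: Making `SSL_PROTOCOL_TLSV1_1` and `SSL_PROTOCOL_TLSV1_2` exist only under HAVE_TLSV1_X forces every consumer of the bits — the directive parser, the context setup, the protocol log string — to carry its own `#ifdef`, and one missed site is a build break on OpenSSL 1.0.0, as the parser change in this same commit shows. Defining the two bit values unconditionally and confining the conditional to the OpenSSL-specific calls (`TLSv1_1_server_method()`, `SSL_OP_NO_TLSv1_1`, and so on) would let the parser accept the keyword everywhere and report it as unsupported by the linked OpenSSL rather than unknown. `SSL_PROTOCOL_ALL` would still need the `#ifdef`, so that `all` never requests versions the library cannot negotiate. A short comment above the block stating that rule would help the next person adding a version.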
/**
--- End Message ---
--- Begin Message ---
Author: kbrand
Date: Sat Dec 24 06:31:37 2011
New Revision: 1222917
URL: http://svn.apache.org/viewvc?rev=1222917&view=rev
Log:
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Dec 24 06:31:37 2011
@@ -780,8 +780,15 @@ static void ssl_init_ctx_pkcs7_cert_chai
{
STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
int n;
+ STACK_OF(X509) *extra_certs = NULL;
- if (!mctx->ssl_ctx->extra_certs)
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ if (!extra_certs)
for (n = 1; n < sk_X509_num(certs); ++n)
SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs,
n));
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Dec 24 06:31:37 2011
@@ -799,11 +799,15 @@ int ssl_hook_Access(request_rec *r)
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
"Awaiting re-negotiation handshake");
- /* XXX: Should replace setting ssl->state with
SSL_renegotiate(ssl);
+ /* XXX: Should replace setting state with SSL_renegotiate(ssl);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_set_state(ssl, SSL_ST_ACCEPT);
+#else
ssl->state = SSL_ST_ACCEPT;
+#endif
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
@@ -1728,8 +1732,12 @@ int ssl_callback_NewSessionCacheEntry(SS
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
id = session->session_id;
idlen = session->session_id_length;
+#endif
rc = ssl_scache_store(s, id, idlen,
apr_time_from_sec(SSL_SESSION_get_time(session)
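Review bot: `(unsigned char *)SSL_SESSION_get_id(session, &idlen)` casts away the const qualifier the OpenSSL accessor returns, which hides any accidental write through `id` later in the function. The declaration of `id` is above this hunk, so whether it can simply become `const unsigned char *` depends on the parameter type of ssl_scache_store(), which is worth checking rather than keeping the cast. ssl_callback_NewSessionCacheEntry continues outside this hunk.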
@@ -1809,8 +1817,12 @@ void ssl_callback_DelSessionCacheEntry(S
/*
* Remove the SSL_SESSION from the inter-process cache
*/
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
id = session->session_id;
idlen = session->session_id_length;
+#endif
/* TODO: Do we need a temp pool here, or are we always shutting down? */
ssl_scache_remove(s, id, idlen, sc->mc->pPool);
@@ -2024,13 +2036,14 @@ static int ssl_find_vhost(void *serverna
sslcon = myConnConfig(c);
if (found && (ssl = sslcon->ssl) &&
(sc = mySrvConfig(s))) {
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
/*
* SSL_set_SSL_CTX() only deals with the server cert,
* so we need to duplicate a few additional settings
* from the ctx by hand
*/
- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
/*
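Review bot: `ctx` is initialised from `SSL_get_SSL_CTX(ssl)` on the line before `SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx)` runs, so it names the context the connection had before the switch, whereas the replaced line read `ssl->ctx` after the switch, i.e. the newly selected vhost's context. The following `SSL_set_options(ssl, SSL_CTX_get_options(ctx))` therefore re-applies the previous context's options and never copies the SNI-selected vhost's `SSL_OP_NO_*` and related options onto the connection, which silently relaxes a vhost whose SSLProtocol is stricter than the default's. In OpenSSL 1.0.x SSL_set_SSL_CTX() returns the context it just installed, so the two lines can collapse to `SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);`. ssl_find_vhost continues outside this hunk, and the SSL_set_verify() call in the next hunk reads the same stale `ctx`.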
@@ -2040,8 +2053,8 @@ static int ssl_find_vhost(void *serverna
* Otherwise, we would possibly reset a per-directory
* configuration which was put into effect by ssl_hook_Access.
*/
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+ SSL_CTX_get_verify_callback(ctx));
}
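Review bot: The `ctx` handed to SSL_CTX_get_verify_mode() and SSL_CTX_get_verify_callback() here is the one captured via SSL_get_SSL_CTX() before SSL_set_SSL_CTX() in the preceding hunk, so for an SNI-selected vhost the verify mode and callback are taken from the previous context rather than from `sc->server->ssl_ctx`; the old `ssl->ctx` read happened after the switch. A vhost configured with SSLVerifyClient could thus inherit the default vhost's SSL_VERIFY_NONE, which is a client-authentication bypass if the configurations differ. Initialising the variable as `SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);` corrects both this hunk and the previous one.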
/*
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Dec 24 06:31:37 2011
@@ -335,10 +335,18 @@ static char *ssl_var_lookup_ssl(apr_pool
char buf[SSL_SESSION_ID_STRING_LEN];
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
- result = apr_pstrdup(p, SSL_SESSION_id2sz(
- pSession->session_id,
- pSession->session_id_length,
- buf, sizeof(buf)));
+ unsigned char *id;
+ unsigned int idlen;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
+#else
+ id = pSession->session_id;
+ idlen = pSession->session_id_length;
+#endif
+
+ result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
+ buf, sizeof(buf)));
}
}
else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
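Review bot: The new `unsigned char *id;` declaration is what forces the `(unsigned char *)` cast that discards the const SSL_SESSION_get_id() returns. Unless SSL_SESSION_id2sz() — whose prototype is not in this hunk — writes through the pointer, declaring `const unsigned char *id;` and giving SSL_SESSION_id2sz() a const parameter is the cleaner fix; the `unsigned int idlen` here should also be checked against that function's length parameter type so no narrowing or sign conversion is introduced. ssl_var_lookup_ssl continues outside this hunk.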
@@ -955,11 +963,15 @@ apr_array_header_t *ssl_ext_list(apr_poo
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
{
char *result = "NULL";
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
+#ifdef OPENSSL_NO_SSL_INTERN
+ switch (SSL_SESSION_get_compress_id(pSession)) {
+#else
switch (pSession->compress_meth) {
+#endif
case 0:
/* default "NULL" already set */
break;
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Dec 24 06:31:37 2011
@@ -82,6 +82,11 @@
#include "ap_expr.h"
/* OpenSSL headers */
+#include <openssl/opensslv.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+/* must be defined before including ssl.h */
+#define OPENSSL_NO_SSL_INTERN
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Dec 24 06:31:37 2011
@@ -184,47 +184,6 @@ int SSL_smart_shutdown(SSL *ssl)
/* _________________________________________________________________
**
-** Cipher Suite Spec String Creation
-** _________________________________________________________________
-*/
-
-char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
-{
- STACK_OF(SSL_CIPHER) *sk;
- SSL_CIPHER *c;
- int i;
- int l;
- char *cpCipherSuite;
- char *cp;
-
- if (ssl == NULL)
- return "";
- if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
- return "";
- l = 0;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- l += strlen(SSL_CIPHER_get_name(c))+2+1;
- }
- if (l == 0)
- return "";
- cpCipherSuite = (char *)apr_palloc(p, l+1);
- cp = cpCipherSuite;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- l = strlen(SSL_CIPHER_get_name(c));
- memcpy(cp, SSL_CIPHER_get_name(c), l);
- cp += l;
- *cp++ = '/';
- *cp++ = (c->valid == 1 ? '1' : '0');
- *cp++ = ':';
- }
- *(cp-1) = NUL;
- return cpCipherSuite;
-}
-
-/* _________________________________________________________________
-**
** Certificate Checks
** _________________________________________________________________
*/
@@ -464,7 +423,6 @@ int SSL_CTX_use_certificate_chain(
X509 *x509;
unsigned long err;
int n;
- STACK_OF(X509) *extra_certs;
if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
return -1;
@@ -481,11 +439,14 @@ int SSL_CTX_use_certificate_chain(
X509_free(x509);
}
/* free a perhaps already configured extra chain */
- extra_certs = ctx->extra_certs;
- if (extra_certs != NULL) {
- sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+ if (ctx->extra_certs != NULL) {
+ sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
}
+#endif
/* create new extra chain by loading the certs */
n = 0;
while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sat Dec 24 06:31:37 2011
@@ -63,7 +63,6 @@ void SSL_set_app_data2(SSL *, voi
X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void
*);
int SSL_smart_shutdown(SSL *ssl);
-char *SSL_make_ciphersuite(apr_pool_t *, SSL *);
BOOL SSL_X509_isSGC(X509 *);
BOOL SSL_X509_getBC(X509 *, int *, int *);
char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY
*xsne);
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Sat Dec 24 06:31:37 2011
@@ -81,9 +81,16 @@ static X509 *stapling_get_issuer(modssl_
int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
X509_STORE_CTX inctx;
+ STACK_OF(X509) *extra_certs = NULL;
- for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
- issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
return issuer;
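Review bot: The commit's stated goal of not depending on OpenSSL-internal layout is not fully reached in this function: the line after the rewritten loop header still does `CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509)`, reaching into the X509 structure directly. OPENSSL_NO_SSL_INTERN only hides libssl's structures (SSL, SSL_CTX, SSL_SESSION), not libcrypto's, so this access stays layout-dependent. OpenSSL 1.0.x appears to offer no public up-ref call for X509, so at minimum a comment should mark the remaining internal access, e.g. `/* X509 is not covered by OPENSSL_NO_SSL_INTERN; revisit if libcrypto structs become opaque */`. stapling_get_issuer continues outside this hunk.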
--- End Message ---
--- Begin Message ---
Author: kbrand
Date: Sat Dec 24 06:22:49 2011
New Revision: 1222915
URL: http://svn.apache.org/viewvc?rev=1222915&view=rev
Log:
REMOTE_ADDR is now r->useragent_ip, which is not/never available at
SSL_CB_HANDSHAKE_DONE time. ap_log_cerror() already logs c->client_ip
for us, however, so we can simply drop REMOTE_ADDR from the message.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1222915&r1=1222914&r2=1222915&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Dec 24 06:22:49 2011
@@ -1879,9 +1879,7 @@ static void log_tracing_state(const SSL
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02041)
- "Connection: Client IP: %s, Protocol: %s, "
- "Cipher: %s (%s/%s bits)",
- ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"),
+ "Protocol: %s, Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL,
"SSL_CIPHER_USEKEYSIZE"),
--- End Message ---