/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. /* _ _ * _ __ ___ ___ __| | ___ ___| | mod_ssl * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL * | | | | | | (_) | (_| | \__ \__ \ | * |_| |_| |_|\___/ \__,_|___|___/___/_| * |_____| * ssl_engine_config.c * Apache Configuration Directives /* ``Damned if you do, damned if you don't.'' #include "ssl_private.h" #include "util_mutex.h" #include "ap_provider.h" /* _________________________________________________________________** ** Support for Global Configuration ** _________________________________________________________________ #define SSL_MOD_CONFIG_KEY "ssl_module" void *vmc;if (vmc) {return vmc; /* reused for lifetime of the server */ /* * allocate an own subpool which survives server restarts sizeof (*mc));FALSE ;/* * initialize per-module configuration sizeof (ssl_randseed_t));#if defined (HAVE_OPENSSL_ENGINE_H) && defined (HAVE_ENGINE_INIT)#endif #ifdef HAVE_OCSP_STAPLING#endif #ifdef HAVE_OPENSSL_KEYLOG#endif #ifdef HAVE_FIPS#endif return mc;void ssl_config_global_fix(SSLModConfigRec *mc)TRUE ;BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)return mc->bFixed;/* _________________________________________________________________** ** Configuration handling ** _________________________________________________________________ #ifdef HAVE_SSL_CONF_CMDstatic apr_status_t modssl_ctx_config_cleanup(void *ctx)return APR_SUCCESS;#endif static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)/* set during module init */ /* set during module init */ #ifdef HAVE_TLS_SESSION_TICKETS#endif /* Set OCSP Responder Certificate Verification variable */ /* Set OCSP Responder File variables */ #ifdef HAVE_OCSP_STAPLING#endif #ifdef HAVE_SRP#endif #ifdef HAVE_SSL_CONF_CMDsizeof (ssl_ctx_param_t));#endif static void modssl_ctx_init_server(SSLSrvConfigRec *sc,sizeof (*sc->server));sizeof (*mctx->pks));sizeof (char *));sizeof (char *));#ifdef HAVE_TLS_SESSION_TICKETSsizeof (*mctx->ticket_key));#endif static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)sizeof (*sc));/* set during module init */ /* set during module init */ #ifdef HAVE_TLSEXT#endif #ifndef OPENSSL_NO_COMP#endif return sc;/* * Create per-server SSL configuration void *ssl_config_server_create(apr_pool_t *p, server_rec *s)return sc;#define cfgMerge(el,unset) mrg->el = (add->el == (unset)) ? base->el : add->el#define cfgMergeArray(el) mrg->el = apr_array_append(p, base->el, add->el)#define cfgMergeString(el) cfgMerge(el, NULL)#define cfgMergeBool(el) cfgMerge(el, UNSET)#define cfgMergeInt(el) cfgMerge(el, UNSET)/* * Merge per-server SSL configurations static void modssl_ctx_cfg_merge(apr_pool_t *p,if (add->protocol_set) {else {/* Set OCSP Responder Certificate Verification directive */ /* Set OCSP Responder File directive for importing */ #ifdef HAVE_OCSP_STAPLING#endif #ifdef HAVE_SRP#endif #ifdef HAVE_SSL_CONF_CMD#endif static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p,int i;/* * pick up to CERTKEYS_IDX_MAX+1 entries from "add" (in which case they * they "knock out" their corresponding entries in "base", emulating * the behavior with cfgMergeString in releases up to 2.4.7) for (i = 0; i < add->nelts && i <= CERTKEYS_IDX_MAX; i++) {const char *) = APR_ARRAY_IDX(add, i, const char *);/* add remaining ones from "base" */ while (i < base->nelts) {const char *) = APR_ARRAY_IDX(base, i, const char *);/* and finally, append the rest of "add" (if there are any) */ for (i = CERTKEYS_IDX_MAX+1; i < add->nelts; i++) {const char *) = APR_ARRAY_IDX(add, i, const char *);static void modssl_ctx_cfg_merge_server(apr_pool_t *p,/* * For better backwards compatibility with releases up to 2.4.7, * merging global and vhost-level SSLCertificateFile and * SSLCertificateKeyFile directives needs special treatment. * See also PR 56306 and 56353. #ifdef HAVE_TLS_SESSION_TICKETS#endif void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)#ifdef HAVE_TLSEXT#endif #ifndef OPENSSL_NO_COMP#endif return mrg;/* * Create per-directory SSL configuration static void modssl_ctx_init_proxy(SSLDirConfigRec *dc,sizeof (*dc->proxy));sizeof (*mctx->pkp));void *ssl_config_perdir_create(apr_pool_t *p, char *dir)sizeof (*dc));FALSE ;sizeof (ssl_require_t));FALSE ;return dc;/* * Merge per-directory SSL configurations static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)sizeof (*mrg));FALSE );if (add->nOptions & SSL_OPT_RELSET) {else {if (!mrg->proxy_post_config) {/* Since ssl_proxy_section_post_config() hook won't be called if there * is no SSLProxy* in this dir config, the ssl_ctx may still be NULL * here at runtime. Merging it is either a no-op (NULL => NULL) because * we are still before post config, or we really want to reuse the one * from the upper/server context (outside of <Proxy> sections). else {/* The post_config hook has already merged and initialized the * proxy context, use it. return mrg;/* Simply merge conf with base into conf, no third party. */ void ssl_config_proxy_merge(apr_pool_t *p,if (conf->proxy_enabled == UNSET) {/* * Configuration functions for particular directives const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;int arglen = strlen(arg);if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {return err;if (strcEQ(arg, "builtin" )) {else if ((arglen > 5) && strEQn(arg, "exec:" , 5)) {if (!sc->server->pphrase_dialog_path) {return apr_pstrcat(cmd->pool,"Invalid SSLPassPhraseDialog exec: path " ,if (!ssl_util_path_check(SSL_PCM_EXISTS,return apr_pstrcat(cmd->pool,"SSLPassPhraseDialog: file '" ,"' does not exist" , NULL);else if ((arglen > 1) && (arg[0] == '|' )) {else {return "SSLPassPhraseDialog: Invalid argument" ;return NULL;const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;#if MODSSL_HAVE_ENGINE_API#endif if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {return err;if (strcEQ(arg, "builtin" )) {#if MODSSL_HAVE_ENGINE_APIelse if ((e = ENGINE_by_id(arg))) {#endif else {"SSLCryptoDevice: Invalid argument; must be one of: " "'builtin' (none)" ;#if MODSSL_HAVE_ENGINE_APIwhile (e) {", '" , ENGINE_get_id(e),"' (" , ENGINE_get_name(e), ")" , NULL);/* Iterate; this call implicitly decrements the refcount #endif return err;return NULL;const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,void *dcfg,const char *arg1,const char *arg2,const char *arg3)const char *err;int arg2len = strlen(arg2);if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {return err;if (ssl_config_global_isfixed(mc)) {return NULL;if (strcEQ(arg1, "startup" )) {else if (strcEQ(arg1, "connect" )) {else {return apr_pstrcat(cmd->pool, "SSLRandomSeed: " "invalid context: `" , arg1, "'" ,if ((arg2len > 5) && strEQn(arg2, "file:" , 5)) {else if ((arg2len > 5) && strEQn(arg2, "exec:" , 5)) {else if ((arg2len > 4) && strEQn(arg2, "egd:" , 4)) {#ifdef HAVE_RAND_EGD#else return apr_pstrcat(cmd->pool, "Invalid SSLRandomSeed entropy source `" ,"': This version of " MODSSL_LIBRARY_NAME" does not support the Entropy Gathering Daemon " "(EGD)." , NULL);#endif else if (strcEQ(arg2, "builtin" )) {else {if (seed->nSrc != SSL_RSSRC_BUILTIN) {if (!seed->cpPath) {return apr_pstrcat(cmd->pool,"Invalid SSLRandomSeed path " ,if (!ssl_util_path_check(SSL_PCM_EXISTS, seed->cpPath, cmd->pool)) {return apr_pstrcat(cmd->pool,"SSLRandomSeed: source path '" ,"' does not exist" , NULL);if (!arg3) {/* read whole file */ else {if (seed->nSrc == SSL_RSSRC_BUILTIN) {return "SSLRandomSeed: byte specification not " "allowed for builtin seed source" ;if (seed->nBytes < 0) {return "SSLRandomSeed: invalid number of bytes specified" ;return NULL;const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)if (!strcasecmp(arg, "On" )) {return NULL;else if (!strcasecmp(arg, "Off" )) {return NULL;else if (!strcasecmp(arg, "Optional" )) {"'SSLEngine optional' is no longer supported" );return NULL;return "Argument must be On or Off" ;const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)#ifdef HAVE_FIPS#endif const char *err;if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {return err;#ifdef HAVE_FIPSif ((mc->fips != UNSET) && (mc->fips != (BOOL )(flag ? TRUE : FALSE )))return "Conflicting SSLFIPS options, cannot be both On and Off" ;TRUE : FALSE ;#else if (flag)return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS" ;#endif return NULL;const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,void *dcfg,const char *arg1, const char *arg2)if (arg2 == NULL) {"SSL" ;if (!strcmp("SSL" , arg1)) {/* always disable null and export ciphers */ ":!aNULL:!eNULL:!EXP" , NULL);if (cmd->path) {else {return NULL;#if SSL_HAVE_PROTOCOL_TLSV1_3else if (!strcmp("TLSv1.3" , arg1)) {if (cmd->path) {return "TLSv1.3 ciphers cannot be set inside a directory context" ;return NULL;#endif return apr_pstrcat(cmd->pool, "protocol '" , arg1, "' not supported" , NULL);#define SSL_FLAGS_CHECK_FILE \#define SSL_FLAGS_CHECK_DIR \static const char *ssl_cmd_check_file(cmd_parms *parms,const char **file)const char *filepath;/* If only dumping the config, don't verify the paths */ if (ap_state_query(AP_SQ_RUN_MODE) == AP_SQ_RM_CONFIG_DUMP) {return NULL;if (!filepath) {return apr_pstrcat(parms->pool, parms->cmd->name,": Invalid file path " , *file, NULL);if (ssl_util_path_check(SSL_FLAGS_CHECK_FILE, *file, parms->pool)) {return NULL;return apr_pstrcat(parms->pool, parms->cmd->name,": file '" , *file,"' does not exist or is empty" , NULL);const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)#if !defined (OPENSSL_NO_COMP)#ifndef SSL_OP_NO_COMPRESSIONconst char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);if (err)return "This version of OpenSSL does not support enabling " "SSLCompression within sections." ;#endif if (flag) {/* Some (packaged) versions of OpenSSL do not support * compression by default. Enabling this directive would not if (sk_SSL_COMP_num(meths) == 0) {return "This version of OpenSSL does not have any compression methods " "available, cannot enable SSLCompression." ;TRUE : FALSE ;#else if (flag) {return "Setting Compression mode unsupported; not implemented by the SSL library" ;#endif return NULL;const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)#ifdef SSL_OP_CIPHER_SERVER_PREFERENCETRUE :FALSE ;return NULL;#else return "SSLHonorCipherOrder unsupported; not implemented by the SSL library" ;#endif const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)#ifndef SSL_OP_NO_TICKETreturn "This version of OpenSSL does not support using " "SSLSessionTickets." ;#endif TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATIONTRUE :FALSE ;return NULL;#else return "The SSLInsecureRenegotiation directive is not available " "with this SSL library" ;#endif static const char *ssl_cmd_check_dir(cmd_parms *parms,const char **dir)const char *dirpath = ap_server_root_relative(parms->pool, *dir);if (!dirpath) {return apr_pstrcat(parms->pool, parms->cmd->name,": Invalid dir path " , *dir, NULL);if (ssl_util_path_check(SSL_FLAGS_CHECK_DIR, *dir, parms->pool)) {return NULL;return apr_pstrcat(parms->pool, parms->cmd->name,": directory '" , *dir,"' does not exist" , NULL);const char *ssl_cmd_SSLCertificateFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;/* Only check for non-ENGINE based certs. */ if (!modssl_is_engine_id(arg)return err;const char **)apr_array_push(sc->server->pks->cert_files) = arg;return NULL;const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;/* Check keyfile exists for non-ENGINE keys. */ if (!modssl_is_engine_id(arg)return err;const char **)apr_array_push(sc->server->pks->key_files) = arg;return NULL;const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;#ifdef HAVE_TLS_SESSION_TICKETSconst char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;#endif #define NO_PER_DIR_SSL_CA \"Your SSL library does not have support for per-directory CA" const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd,void *dcfg,const char *arg)/*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/ const char *err;if ((err = ssl_cmd_check_dir(cmd, &arg))) {return err;if (cmd->path) {return NO_PER_DIR_SSL_CA;/* XXX: bring back per-dir */ return NULL;const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,void *dcfg,const char *arg)/*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/ const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;if (cmd->path) {return NO_PER_DIR_SSL_CA;/* XXX: bring back per-dir */ return NULL;const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_dir(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_dir(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms,const char *arg,int *mask)const char *w;if (strcEQ(w, "none" )) {else if (strcEQ(w, "leaf" )) {else if (strcEQ(w, "chain" )) {else {return apr_pstrcat(parms->temp_pool, parms->cmd->name,": Invalid argument '" , w, "'" ,while (*arg) {if (strcEQ(w, "no_crl_for_cert_ok" )) {else {return apr_pstrcat(parms->temp_pool, parms->cmd->name,": Invalid argument '" , w, "'" ,return NULL;const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd,void *dcfg,const char *arg)return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mask);static const char *ssl_cmd_verify_parse(cmd_parms *parms,const char *arg,if (strcEQ(arg, "none" ) || strcEQ(arg, "off" )) {else if (strcEQ(arg, "optional" )) {else if (strcEQ(arg, "require" ) || strcEQ(arg, "on" )) {else if (strcEQ(arg, "optional_no_ca" )) {else {return apr_pstrcat(parms->temp_pool, parms->cmd->name,": Invalid argument '" , arg, "'" ,return NULL;const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {return err;if (cmd->path) {else {return NULL;static const char *ssl_cmd_verify_depth_parse(cmd_parms *parms,const char *arg,int *depth)if ((*depth = atoi(arg)) >= 0) {return NULL;return apr_pstrcat(parms->temp_pool, parms->cmd->name,": Invalid argument '" , arg, "'" ,const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd,void *dcfg,const char *arg)int depth;const char *err;if ((err = ssl_cmd_verify_depth_parse(cmd, arg, &depth))) {return err;if (cmd->path) {else {return NULL;const char *ssl_cmd_SSLSessionCache(cmd_parms *cmd,void *dcfg,const char *arg)const char *err, *sep, *name;long enabled_flags;if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {return err;/* The OpenSSL session cache mode must have both the flags * SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a * session cache is configured; NO_INTERNAL prevents the * OpenSSL-internal session cache being used in addition to the * "external" (mod_ssl-provided) cache, which otherwise causes if (strcEQ(arg, "none" )) {/* Nothing to do; session cache will be off. */ else if (strcEQ(arg, "nonenotnull" )) {/* ### Having a separate mode for this seems logically * unnecessary; the stated purpose of sending non-empty * session IDs would be better fixed in OpenSSL or simply else {/* Argument is of form 'name:args' or just 'name'. */ ':' );if (sep) {else {/* Find the provider of given name. */ if (mc->sesscache) {/* Cache found; create it, passing anything beyond the colon. */ else {const char *all_names;/* Build a comma-separated list of all registered provider ',' );"'%s' session cache not supported " "(known names: %s). Maybe you need to load the " "appropriate socache module (mod_socache_%s?)." ,if (err) {return apr_psprintf(cmd->pool, "SSLSessionCache: %s" , err);return NULL;const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *cmd,void *dcfg,const char *arg)if (sc->session_cache_timeout < 0) {return "SSLSessionCacheTimeout: Invalid argument" ;return NULL;const char *ssl_cmd_SSLOptions(cmd_parms *cmd,void *dcfg,const char *arg)int first = TRUE ;char action, *w;while (*arg) {if ((*w == '+' ) || (*w == '-' )) {else if (first) {FALSE ;if (strcEQ(w, "StdEnvVars" )) {else if (strcEQ(w, "ExportCertData" )) {else if (strcEQ(w, "FakeBasicAuth" )) {else if (strcEQ(w, "StrictRequire" )) {else if (strcEQ(w, "OptRenegotiate" )) {else if (strcEQ(w, "LegacyDNStringFormat" )) {else {return apr_pstrcat(cmd->pool,"SSLOptions: Illegal option '" , w, "'" ,if (action == '-' ) {else if (action == '+' ) {else {return NULL;const char *ssl_cmd_SSLRequireSSL(cmd_parms *cmd, void *dcfg)TRUE ;return NULL;const char *ssl_cmd_SSLRequire(cmd_parms *cmd,void *dcfg,const char *arg)sizeof (ap_expr_info_t));const char *errstring;if (errstring) {return apr_pstrcat(cmd->pool, "SSLRequire: " , errstring, NULL);return NULL;const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)int val;if (val < 0) {return apr_pstrcat(cmd->pool, "Invalid size for SSLRenegBufferSize: " ,return NULL;static const char *ssl_cmd_protocol_parse(cmd_parms *parms,const char *arg,while (*arg) {char *w = ap_getword_conf(parms->temp_pool, &arg);char action = '\0' ;if ((*w == '+' ) || (*w == '-' )) {if (strcEQ(w, "SSLv2" )) {if (action == '-' ) {continue ;else {return "SSLProtocol: SSLv2 is no longer supported" ;else if (strcEQ(w, "SSLv3" )) {#ifdef OPENSSL_NO_SSL3if (action != '-' ) {return "SSLv3 not supported by this version of OpenSSL" ;/* Nothing to do, the flag is not present to be toggled */ continue ;#else #endif else if (strcEQ(w, "TLSv1" )) {#ifdef HAVE_TLSV1_Xelse if (strcEQ(w, "TLSv1.1" )) {else if (strcEQ(w, "TLSv1.2" )) {else if (SSL_HAVE_PROTOCOL_TLSV1_3 && strcEQ(w, "TLSv1.3" )) {#endif else if (strcEQ(w, "all" )) {else {return apr_pstrcat(parms->temp_pool,": Illegal protocol '" , w, "'" , NULL);if (action == '-' ) {else if (action == '+' ) {else {if (*options != SSL_PROTOCOL_NONE) {"%s: Protocol '%s' overrides already set parameter(s). " "Check if a +/- prefix is missing." ,return NULL;const char *ssl_cmd_SSLProtocol(cmd_parms *cmd,void *dcfg,const char *arg)return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol);const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,void *dcfg,const char *arg)return ssl_cmd_protocol_parse(cmd, arg, &dc->proxy->protocol);const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,void *dcfg,const char *arg1, const char *arg2)if (arg2 == NULL) {"SSL" ;if (!strcmp("SSL" , arg1)) {/* always disable null and export ciphers */ ":!aNULL:!eNULL:!EXP" , NULL);return NULL;#if SSL_HAVE_PROTOCOL_TLSV1_3else if (!strcmp("TLSv1.3" , arg1)) {return NULL;#endif return apr_pstrcat(cmd->pool, "protocol '" , arg1, "' not supported" , NULL);const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {return err;return NULL;const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *cmd,void *dcfg,const char *arg)int depth;const char *err;if ((err = ssl_cmd_verify_depth_parse(cmd, arg, &depth))) {return err;return NULL;const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_dir(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_dir(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd,void *dcfg,const char *arg)return ssl_cmd_crlcheck_parse(cmd, arg, &dc->proxy->crl_check_mask);const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_dir(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *cmd,void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg,const char *arg)return NULL;static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,const char *arg,int *mask)const char *w;if (strcEQ(w, "off" )) {else if (strcEQ(w, "leaf" )) {else if (strcEQ(w, "on" )) {else {return apr_pstrcat(parms->temp_pool, parms->cmd->name,": Invalid argument '" , w, "'" ,while (*arg) {if (strcEQ(w, "no_ocsp_for_cert_ok" )) {else {return apr_pstrcat(parms->temp_pool, parms->cmd->name,": Invalid argument '" , w, "'" ,return NULL;const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)#ifdef OPENSSL_NO_OCSPif (flag) {return "OCSP support disabled in SSL library; cannot enable " "OCSP validation" ;#endif return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)return NULL;const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)if (sc->server->ocsp_resptime_skew < 0) {return "SSLOCSPResponseTimeSkew: invalid argument" ;return NULL;const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)if (sc->server->ocsp_resp_maxage < 0) {return "SSLOCSPResponseMaxAge: invalid argument" ;return NULL;const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)if (sc->server->ocsp_responder_timeout < 0) {return "SSLOCSPResponderTimeout: invalid argument" ;return NULL;const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,const char *arg)sizeof (apr_uri_t));if (apr_uri_parse(cmd->pool, arg, sc->server->proxy_uri) != APR_SUCCESS) {return apr_psprintf(cmd->pool,"SSLOCSPProxyURL: Cannot parse URL %s" , arg);return NULL;/* Set OCSP responder certificate verification directive */ const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)#ifdef HAVE_TLSEXTreturn NULL;#else return "SSLStrictSNIVHostCheck failed; OpenSSL is not built with support " "for TLS extensions and SNI indication. Refer to the " "documentation, and build a compatible version of OpenSSL." ;#endif #ifdef HAVE_OCSP_STAPLINGconst char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,void *dcfg,const char *arg)const char *err, *sep, *name;if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {return err;/* Argument is of form 'name:args' or just 'name'. */ ':' );if (sep) {else {/* Find the provider of given name. */ if (mc->stapling_cache) {/* Cache found; create it, passing anything beyond the colon. */ else {const char *all_names;/* Build a comma-separated list of all registered provider ',' );"'%s' stapling cache not supported " "(known names: %s) Maybe you need to load the " "appropriate socache module (mod_socache_%s?)" ,if (err) {return apr_psprintf(cmd->pool, "SSLStaplingCache: %s" , err);return NULL;const char *ssl_cmd_SSLUseStapling(cmd_parms *cmd, void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *cmd, void *dcfg,const char *arg)if (sc->server->stapling_resptime_skew < 0) {return "SSLStaplingResponseTimeSkew: invalid argument" ;return NULL;const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *cmd, void *dcfg,const char *arg)if (sc->server->stapling_resp_maxage < 0) {return "SSLStaplingResponseMaxAge: invalid argument" ;return NULL;const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *cmd, void *dcfg,const char *arg)if (sc->server->stapling_cache_timeout < 0) {return "SSLStaplingStandardCacheTimeout: invalid argument" ;return NULL;const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *cmd, void *dcfg,const char *arg)if (sc->server->stapling_errcache_timeout < 0) {return "SSLStaplingErrorCacheTimeout: invalid argument" ;return NULL;const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *cmd,void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *cmd,void *dcfg, int flag)TRUE : FALSE ;return NULL;const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *cmd, void *dcfg,const char *arg)if (sc->server->stapling_responder_timeout < 0) {return "SSLStaplingResponderTimeout: invalid argument" ;return NULL;const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,const char *arg)return NULL;#endif /* HAVE_OCSP_STAPLING */ #ifdef HAVE_SSL_CONF_CMDconst char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,const char *arg1, const char *arg2)int value_type = SSL_CONF_cmd_value_type(cctx, arg1);const char *err;if (value_type == SSL_CONF_TYPE_UNKNOWN) {return apr_psprintf(cmd->pool,"'%s': invalid OpenSSL configuration command" ,if (value_type == SSL_CONF_TYPE_FILE) {if ((err = ssl_cmd_check_file(cmd, &arg2)))return err;else if (value_type == SSL_CONF_TYPE_DIR) {if ((err = ssl_cmd_check_dir(cmd, &arg2)))return err;if (strcEQ(arg1, "CipherString" )) {/* always disable null and export ciphers */ ":!aNULL:!eNULL:!EXP" , NULL);return NULL;#endif #ifdef HAVE_SRPconst char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg)))return err;/* SRP_VBASE_init takes char*, not const char* */ return NULL;const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,const char *arg)/* SRP_VBASE_new takes char*, not const char* */ return NULL;#endif /* HAVE_SRP */ /* OCSP Responder File Function to read in value */ const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)const char *err;if ((err = ssl_cmd_check_file(cmd, &arg))) {return err;return NULL;void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)if (!ap_exists_config_define("DUMP_CERTS" )) {return ;"Server certificates:\n" );/* Dump the filenames of all configured server certificates to while (s) {if (sc && sc->server && sc->server->pks) {const pks = sc->server->pks;int i;for (i = 0; (i < pks->cert_files->nelts) &&const char *);" %s\n" ,const char *));quality 98%
¤ Dauer der Verarbeitung: 0.42 Sekunden
(vorverarbeitet)
¤ *© Formatika GbR, Deutschland
