/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
*/
/* * Per-server context configuration directives
*/
SSL_CMD_SRV(Engine, TAKE1, "SSL switch for the protocol engine " "('on', 'off')")
SSL_CMD_SRV(FIPS, FLAG, "Enable FIPS-140 mode " "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE12, "Colon-delimited list of permitted SSL Ciphers, optional preceded " "by protocol identifier ('XXX:...:XXX' - see manual)")
SSL_CMD_SRV(CertificateFile, TAKE1, "SSL Server Certificate file " "('/path/to/file' - PEM or DER encoded)")
SSL_CMD_SRV(CertificateKeyFile, TAKE1, "SSL Server Private Key file " "('/path/to/file' - PEM or DER encoded)")
SSL_CMD_SRV(CertificateChainFile, TAKE1, "SSL Server CA Certificate Chain file " "('/path/to/file' - PEM encoded)") #ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1, "TLS session ticket encryption/decryption key file (RFC 5077) " "('/path/to/file' - file with 48 bytes of random data)") #endif
SSL_CMD_ALL(CACertificatePath, TAKE1, "SSL CA Certificate path " "('/path/to/dir' - contains PEM encoded files)")
SSL_CMD_ALL(CACertificateFile, TAKE1, "SSL CA Certificate file " "('/path/to/file' - PEM encoded)")
SSL_CMD_SRV(CADNRequestPath, TAKE1, "SSL CA Distinguished Name path " "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
SSL_CMD_SRV(CADNRequestFile, TAKE1, "SSL CA Distinguished Name file " "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
SSL_CMD_SRV(CARevocationPath, TAKE1, "SSL CA Certificate Revocation List (CRL) path " "('/path/to/dir' - contains PEM encoded files)")
SSL_CMD_SRV(CARevocationFile, TAKE1, "SSL CA Certificate Revocation List (CRL) file " "('/path/to/file' - PEM encoded)")
SSL_CMD_SRV(CARevocationCheck, RAW_ARGS, "SSL CA Certificate Revocation List (CRL) checking mode")
SSL_CMD_ALL(VerifyClient, TAKE1, "SSL Client verify type " "('none', 'optional', 'require', 'optional_no_ca')")
SSL_CMD_ALL(VerifyDepth, TAKE1, "SSL Client verify depth " "('N' - number of intermediate certificates)")
SSL_CMD_SRV(SessionCacheTimeout, TAKE1, "SSL Session Cache object lifetime " "('N' - number of seconds)") #ifdef OPENSSL_NO_SSL3 #define SSLv3_PROTO_PREFIX "" #else #define SSLv3_PROTO_PREFIX "SSLv3|" #endif #ifdef HAVE_TLSV1_X #define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2" #else #define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1" #endif
SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable or disable various SSL protocols " "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
SSL_CMD_SRV(HonorCipherOrder, FLAG, "Use the server's cipher ordering preference")
SSL_CMD_SRV(Compression, FLAG, "Enable SSL level compression " "(`on', `off')")
SSL_CMD_SRV(SessionTickets, FLAG, "Enable or disable TLS session tickets" "(`on', `off')")
SSL_CMD_SRV(InsecureRenegotiation, FLAG, "Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1, "Set user name to SSL variable value")
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, "Strict SNI virtual host checking")
#ifdef HAVE_SRP
SSL_CMD_SRV(SRPVerifierFile, TAKE1, "SRP verifier file " "('/path/to/file' - created by srptool)")
SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1, "SRP seed for unknown users (to avoid leaking a user's existence) " "('some secret text')") #endif
/* * Proxy configuration for remote SSL connections
*/
SSL_CMD_PXY(ProxyEngine, FLAG, "SSL switch for the proxy protocol engine " "('on', 'off')")
SSL_CMD_PXY(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
SSL_CMD_PXY(ProxyCipherSuite, TAKE12, "SSL Proxy: colon-delimited list of permitted SSL ciphers " ", optionally preceded by protocol specifier ('XXX:...:XXX' - see manual)")
SSL_CMD_PXY(ProxyVerify, TAKE1, "SSL Proxy: whether to verify the remote certificate " "('on' or 'off')")
SSL_CMD_PXY(ProxyVerifyDepth, TAKE1, "SSL Proxy: maximum certificate verification depth " "('N' - number of intermediate certificates)")
SSL_CMD_PXY(ProxyCACertificateFile, TAKE1, "SSL Proxy: file containing server certificates " "('/path/to/file' - PEM encoded certificates)")
SSL_CMD_PXY(ProxyCACertificatePath, TAKE1, "SSL Proxy: directory containing server certificates " "('/path/to/dir' - contains PEM encoded certificates)")
SSL_CMD_PXY(ProxyCARevocationPath, TAKE1, "SSL Proxy: CA Certificate Revocation List (CRL) path " "('/path/to/dir' - contains PEM encoded files)")
SSL_CMD_PXY(ProxyCARevocationFile, TAKE1, "SSL Proxy: CA Certificate Revocation List (CRL) file " "('/path/to/file' - PEM encoded)")
SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS, "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1, "SSL Proxy: file containing client certificates " "('/path/to/file' - PEM encoded certificates)")
SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1, "SSL Proxy: directory containing client certificates " "('/path/to/dir' - contains PEM encoded certificates)")
SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1, "SSL Proxy: file containing issuing certificates " "of the client certificate " "(`/path/to/file' - PEM encoded certificates)")
SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG, "SSL Proxy: check the peer certificate's expiration date")
SSL_CMD_PXY(ProxyCheckPeerCN, FLAG, "SSL Proxy: check the peer certificate's CN")
SSL_CMD_PXY(ProxyCheckPeerName, FLAG, "SSL Proxy: check the peer certificate's name " "(must be present in subjectAltName extension or CN")
/* * Per-directory context configuration directives
*/
SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS, "Set one or more options to configure the SSL engine" "('[+-]option[=value] ...' - see manual)")
SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS, "Require the SSL protocol for the per-directory context " "(no arguments)")
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS, "Require a boolean expression to evaluate to true for granting access" "(arbitrary complex boolean expression - see manual)")
SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1, "Configure the amount of memory that will be used for buffering the " "request body if a per-location SSL renegotiation is required due to " "changed access control requirements")
SSL_CMD_SRV(OCSPEnable, RAW_ARGS, "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
SSL_CMD_SRV(OCSPDefaultResponder, TAKE1, "URL of the default OCSP Responder")
SSL_CMD_SRV(OCSPOverrideResponder, FLAG, "Force use of the default responder URL ('on', 'off')")
SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1, "Maximum time difference in OCSP responses")
SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1, "Maximum age of OCSP responses")
SSL_CMD_SRV(OCSPResponderTimeout, TAKE1, "OCSP responder query timeout")
SSL_CMD_SRV(OCSPUseRequestNonce, FLAG, "Whether OCSP queries use a nonce or not ('on', 'off')")
SSL_CMD_SRV(OCSPProxyURL, TAKE1, "Proxy URL to use for OCSP requests")
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL, "SSLLog directive is no longer supported - use ErrorLog."),
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL, "SSLLogLevel directive is no longer supported - use LogLevel."),
AP_END_CMD
};
/* * the various processing hooks
*/ staticint modssl_is_prelinked(void)
{
apr_size_t i = 0; const module *mod; while ((mod = ap_prelinked_modules[i++])) { if (strcmp(mod->name, "mod_ssl.c") == 0) { return 1;
}
} return 0;
}
static apr_status_t ssl_cleanup_pre_config(void *data)
{ #if HAVE_OPENSSL_INIT_SSL || (OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!defined(LIBRESSL_VERSION_NUMBER)) /* Openssl v1.1+ handles all termination automatically from * OPENSSL_init_ssl(). Do nothing in this case.
*/
#else /* Termination below is for legacy Openssl versions v1.0.x and * older.
*/
/* Usually needed per thread, but this parent process is single-threaded */ #if MODSSL_USE_OPENSSL_PRE_1_1_API #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
ERR_remove_thread_state(NULL); #else
ERR_remove_state(0); #endif #endif
/* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only * actually loaded the error strings once per process due to static
* variable abuse in OpenSSL. */ #if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
ERR_free_strings(); #endif
/* Also don't call CRYPTO_cleanup_all_ex_data when linked statically here; * any registered ex_data indices may have been cached in static variables * in OpenSSL; removing them may cause havoc. Notably, with OpenSSL * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
* could result in a per-connection memory leak (!). */ if (!modssl_running_statically) {
CRYPTO_cleanup_all_ex_data();
} #endif
/* * TODO: determine somewhere we can safely shove out diagnostics * (when enabled) at this late stage in the game: * CRYPTO_mem_leaks_fp(stderr);
*/
#if HAVE_OPENSSL_INIT_SSL || (OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!defined(LIBRESSL_VERSION_NUMBER)) /* Openssl v1.1+ handles all initialisation automatically, apart * from hints as to how we want to use the library. * * We tell openssl we want to include engine support.
*/
OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
#else /* Configuration below is for legacy versions Openssl v1.0 and * older.
*/
/* * Let us cleanup the ssl library when the module is unloaded
*/
apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
apr_pool_cleanup_null);
/* Register us to handle mod_log_config %c/%x variables */
ssl_var_log_config_register(pconf);
/* Register to handle mod_status status page generation */
ssl_scache_status_register(pconf);
/* Register mutex type names so they can be configured with Mutex */
ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0); #ifdef HAVE_OCSP_STAPLING
ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL,
APR_LOCK_DEFAULT, 0);
ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL,
APR_LOCK_DEFAULT, 0); #endif
return OK;
}
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
ap_conf_vector_t *per_dir_config, int reinit)
{
SSLConnRec *sslconn = myConnConfig(c); int need_setup = 0;
/* mod_proxy's (r->)per_dir_config has the lifetime of the request, thus * it uses ssl_engine_set() to reset sslconn->dc when reusing SSL backend * connections, so we must fall through here. But in the case where we are * called from ssl_init_ssl_connection() with no per_dir_config (which also * includes mod_proxy's later run_pre_connection call), sslconn->dc should * be preserved if it's already set.
*/ if (!sslconn) {
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
need_setup = 1;
} elseif (!reinit) { return sslconn;
}
/* Reinit dc in any case because it may be r->per_dir_config scoped * and thus a caller like mod_proxy needs to update it per request.
*/ if (per_dir_config) {
sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
} else {
sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
&ssl_module);
}
staticint ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
{ if (c->master) { return DECLINED;
} if (sslconn) { /* This connection has already been configured. Check what applies. */ if (sslconn->disabled) { return SUSPENDED;
} if (c->outgoing) { if (!sslconn->dc->proxy_enabled) { return DECLINED;
}
} else { if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) { return DECLINED;
}
}
} else { /* we decline by default for outgoing connections and for incoming
* where the base_server is not enabled. */ if (c->outgoing || mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) { return DECLINED;
}
} return OK;
}
staticint ssl_hook_ssl_bind_outgoing(conn_rec *c,
ap_conf_vector_t *per_dir_config, int enable_ssl)
{
SSLConnRec *sslconn; int status;
sslconn = ssl_init_connection_ctx(c, per_dir_config, 1); if (sslconn->ssl) { /* we are already bound to this connection. We have rebound * or removed the reference to a previous per_dir_config,
* there is nothing more to do. */ return OK;
}
status = ssl_engine_status(c, sslconn); if (enable_ssl) { if (status != OK) {
SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
sslconn->disabled = 1;
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10272) "SSL Proxy requested for %s but not enabled for us.",
sc->vhost_id);
} else {
sslconn->disabled = 0; return OK;
}
} else {
sslconn->disabled = 1;
} return DECLINED;
}
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
SSLSrvConfigRec *sc;
SSL *ssl;
SSLConnRec *sslconn; char *vhost_md5; int rc;
modssl_ctx_t *mctx;
server_rec *server;
/* * Create or retrieve SSL context
*/
sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL, 0);
server = sslconn->server;
sc = mySrvConfig(server);
/* * Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
c->outgoing ? "Proxy: " : "Server: ");
mctx = myConnCtxConfig(c, sc);
/* * Create a new SSL connection with the configured server SSL context and * attach this to the socket. Additionally we register this attachment * so we can detach later.
*/ if (!(sslconn->ssl = ssl = SSL_new(mctx->ssl_ctx))) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962) "Unable to create a new SSL connection from the SSL " "context");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
if (!SSL_set_session_id_context(ssl, (unsignedchar *)vhost_md5,
APR_MD5_DIGESTSIZE*2))
{
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963) "Unable to set session id context to '%s'", vhost_md5);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
modssl_set_app_data2(ssl, NULL); /* will be request_rec */
/* * Remember the connection information for * later access inside callback functions
*/
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964) "Connection to child %ld established " "(server %s)", c->id, sc->vhost_id);
return ssl_init_ssl_connection(c, NULL);
}
staticint ssl_hook_process_connection(conn_rec* c)
{
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn && !sslconn->disabled) { /* On an active SSL connection, let the input filters initialize * themselves which triggers the handshake, which again triggers * all kinds of useful things such as SNI and ALPN.
*/
apr_bucket_brigade* temp;
staticvoid ssl_register_hooks(apr_pool_t *p)
{ /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
* run after mod_setenvif's post_read_request hook. */ staticconstchar *pre_prr[] = { "mod_setenvif.c", NULL }; /* The ssl_init_Module post_config hook should run before mod_proxy's * for the ssl proxy main configs to be merged with vhosts' before being * themselves merged with mod_proxy's in proxy_hook_section_post_config.
*/ staticconstchar *b_pc[] = { "mod_proxy.c", NULL};
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
