Changeset 816 for server/common/patches/httpd-2.2.x-sni.patch
- Timestamp:
- Aug 20, 2008, 3:49:58 AM (16 years ago)
- File:
-
- 1 moved
server/common/patches/httpd-2.2.x-sni.patch
r814 r816 1 httpd-2.2.8-sni.patch - server name indication support for Apache 2.22 (see RFC 4366, "Transport Layer Security (TLS) Extensions")1 # httpd-2.2.x-sni.patch - server name indication support for Apache 2.2 2 # (see RFC 4366, "Transport Layer Security (TLS) Extensions") 3 3 4 based on a patch from the EdelKey project5 (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)4 # based on a patch from the EdelKey project 5 # (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) 6 6 7 Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later8 to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions9 must be configured explicitly for TLS extension support at compile time10 ("./config enable-tlsext").7 # Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later 8 # to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions 9 # must be configured explicitly for TLS extension support at compile time 10 # ("./config enable-tlsext"). 11 11 12 12 Index: httpd-2.2.x/modules/ssl/ssl_private.h 13 13 =================================================================== 14 --- httpd-2.2.x/modules/ssl/ssl_private.h (revision 6 27519)14 --- httpd-2.2.x/modules/ssl/ssl_private.h (revision 663014) 15 15 +++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy) 16 16 @@ -35,6 +35,7 @@ … … 22 22 #include "util_filter.h" 23 23 #include "util_ebcdic.h" 24 @@ -555,6 +556,9 @@ 24 @@ -555,6 +556,9 @@ int ssl_callback_NewSessionCach 25 25 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); 26 26 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); … … 34 34 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c 35 35 =================================================================== 36 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 6 27519)36 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 663014) 37 37 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) 38 
@@ -355,6 +355,33 @@ 38 @@ -355,6 +355,33 @@ static void ssl_init_server_check(server 39 39 } 40 40 } … … 70 70 apr_pool_t *p, 71 71 apr_pool_t *ptemp, 72 @@ -687,6 +714,9 @@ 72 @@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s, 73 73 if (mctx->pks) { 74 74 /* XXX: proxy support? */ … … 80 80 } 81 81 82 @@ -1038,7 +1068,11 @@ 82 @@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b 83 klen = strlen(key); 84 83 85 if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { 84 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, 86 - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, 87 + ap_log_error(APLOG_MARK, 88 +#ifdef OPENSSL_NO_TLSEXT 89 + APLOG_WARNING, 90 +#else 91 + APLOG_DEBUG, 92 +#endif 93 + 0, 85 94 base_server, 86 95 +#ifdef OPENSSL_NO_TLSEXT … … 92 101 ssl_util_vhostid(p, s), 93 102 (s->defn_name ? s->defn_name : "unknown"), 94 @@ -1055,8 +10 89,14 @@103 @@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b 95 104 96 105 if (conflict) { … … 109 118 Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c 110 119 =================================================================== 111 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 6 27519)120 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 663014) 112 121 +++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy) 113 @@ -320,6 +320,12 @@ 122 @@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool 114 123 else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { 115 124 result = ssl_var_lookup_ssl_compress_meth(ssl); … … 126 135 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c 127 136 =================================================================== 128 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 6 27519)137 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014) 129 138 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) 130 139 @@ -31,6 +31,9 @@ … … 138 147 /* 139 148 * Post Read Request Handler 140 @@ -39,6 +42,9 @@ 149 
@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r) 141 150 { 142 151 SSLConnRec *sslconn = myConnConfig(r->connection); … … 148 157 if (!sslconn) { 149 158 return DECLINED; 150 @@ -87,6 +93,14 @@ 159 @@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r) 151 160 if (!ssl) { 152 161 return DECLINED; … … 163 172 164 173 /* 165 @@ -997,6 +1011,9 @@ 174 @@ -252,7 +266,7 @@ int ssl_hook_Access(request_rec *r) 175 * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no 176 * implicit optimizations. 177 */ 178 - if (dc->szCipherSuite) { 179 + if (dc->szCipherSuite || (r->server != r->connection->base_server)) { 180 /* remember old state */ 181 182 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { 183 @@ -267,7 +281,10 @@ int ssl_hook_Access(request_rec *r) 184 } 185 186 /* configure new state */ 187 - if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) { 188 + if ((dc->szCipherSuite && 189 + !modssl_set_cipher_list(ssl, dc->szCipherSuite)) || 190 + (sc->server->auth.cipher_suite && 191 + !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) { 192 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, 193 r->server, 194 "Unable to reconfigure (per-directory) " 195 @@ -334,8 +351,13 @@ int ssl_hook_Access(request_rec *r) 196 sk_SSL_CIPHER_free(cipher_list_old); 197 } 198 199 - /* tracing */ 200 if (renegotiate) { 201 +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE 202 + if (sc->cipher_server_pref == TRUE) { 203 + SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); 204 + } 205 +#endif 206 + /* tracing */ 207 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, 208 "Reconfigured cipher suite will force renegotiation"); 209 } 210 
@@ -353,14 +375,16 @@ int ssl_hook_Access(request_rec *r) 211 * currently active/remembered verify depth (because this means more 212 * restriction on the certificate chain). 213 */ 214 - if (dc->nVerifyDepth != UNSET) { 215 + if ((dc->nVerifyDepth != UNSET) || 216 + (sc->server->auth.verify_depth != UNSET)) { 217 /* XXX: doesnt look like sslconn->verify_depth is actually used */ 218 if (!(n = sslconn->verify_depth)) { 219 sslconn->verify_depth = n = sc->server->auth.verify_depth; 220 } 221 222 /* determine whether a renegotiation has to be forced */ 223 - if (dc->nVerifyDepth < n) { 224 + if ((dc->nVerifyDepth < n) || 225 + (sc->server->auth.verify_depth < n)) { 226 renegotiate = TRUE; 227 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, 228 "Reduced client verification depth will force " 229 @@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r) 230 * verification but at least skip the I/O-intensive renegotation 231 * handshake. 232 */ 233 - if (dc->nVerifyClient != SSL_CVERIFY_UNSET) { 234 + if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || 235 + (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { 236 /* remember old state */ 237 verify_old = SSL_get_verify_mode(ssl); 238 /* configure new state */ 239 verify = SSL_VERIFY_NONE; 240 241 - if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) { 242 + if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || 243 + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) { 244 verify |= SSL_VERIFY_PEER_STRICT; 245 } 246 247 if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || 248 - (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) 249 + (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) || 250 + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) || 251 + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) 252 { 253 verify |= SSL_VERIFY_PEER; 254 } 255 
@@ -491,6 +519,40 @@ int ssl_hook_Access(request_rec *r) 256 "Changed client verification locations will force " 257 "renegotiation"); 258 } 259 +#else 260 +#ifndef OPENSSL_NO_TLSEXT 261 +#define MODSSL_CFG_CA_NE(f, sc1, sc2) \ 262 + (sc1->server->auth.f && \ 263 + (!sc2->server->auth.f || \ 264 + sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f))) 265 + 266 + /* If we're handling a request for a vhost other than the default one, 267 + * then we need to make sure that client authentication is properly 268 + * enforced. For clients supplying an SNI extension, the peer certificate 269 + * verification has happened in the handshake already (and r->server 270 + * has been set to r->connection->base_server). For non-SNI requests, 271 + * an additional check is needed here. If client authentication is 272 + * configured as mandatory, then we can only proceed if the CA list 273 + * doesn't have to be changed (SSL_set_cert_store() would be required 274 + * for this). 275 + */ 276 + if ((r->server != r->connection->base_server) && 277 + (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) && 278 + renegotiate && 279 + !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { 280 + SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server); 281 + 282 + if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) || 283 + MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) { 284 + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 285 + "Non-default virtual host with SSLVerify set to 'require' " 286 + "and VirtualHost-specific CA certificate list is only " 287 + "supported for clients with TLS server name indication " 288 + "(SNI) support"); 289 + return HTTP_FORBIDDEN; 290 + } 291 + } 292 +#endif /* OPENSSL_NO_TLSEXT */ 293 #endif /* HAVE_SSL_SET_CERT_STORE */ 294 295 /* If a renegotiation is now required for this location, and the 296 
@@ -666,8 +728,10 @@ int ssl_hook_Access(request_rec *r) 297 /* 298 * Finally check for acceptable renegotiation results 299 */ 300 - if (dc->nVerifyClient != SSL_CVERIFY_NONE) { 301 - BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE); 302 + if ((dc->nVerifyClient != SSL_CVERIFY_NONE) || 303 + (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) { 304 + BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || 305 + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)); 306 307 if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { 308 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, 309 @@ -997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r) 166 310 SSLDirConfigRec *dc = myDirConfig(r); 167 311 apr_table_t *env = r->subprocess_env; … … 173 317 SSL *ssl; 174 318 int i; 175 @@ -1018,6 +10 35,13 @@319 @@ -1018,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r) 176 320 /* the always present HTTPS (=HTTP over SSL) flag! */ 177 321 apr_table_setn(env, "HTTPS", "on"); … … 187 331 if (dc->nOptions & SSL_OPT_STDENVVARS) { 188 332 for (i = 0; ssl_hook_Fixup_vars[i]; i++) { 189 @@ -1810,3 +1834,136 @@ 333 @@ -1166,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_ 334 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, 335 SSL_get_ex_data_X509_STORE_CTX_idx()); 336 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); 337 - server_rec *s = conn->base_server; 338 request_rec *r = (request_rec *)SSL_get_app_data2(ssl); 339 + server_rec *s = r ? r->server : conn->base_server; 340 341 SSLSrvConfigRec *sc = mySrvConfig(s); 342 SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; 343 
@@ -1290,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_ 344 345 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) 346 { 347 - server_rec *s = c->base_server; 348 + SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, 349 + SSL_get_ex_data_X509_STORE_CTX_idx()); 350 + request_rec *r = (request_rec *)SSL_get_app_data2(ssl); 351 + server_rec *s = r ? r->server : c->base_server; 352 SSLSrvConfigRec *sc = mySrvConfig(s); 353 SSLConnRec *sslconn = myConnConfig(c); 354 modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); 355 
@@ -1810,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL 190 356 } 191 357 } … … 301 467 + 302 468 + /* 303 + * We also need to make sure that the correct mctx is 304 + * assigned to the connection - the CRL callback e.g. 469 + * We also need to make sure that the correct mctx 470 + * (accessed through the c->base_server->module_config vector) 471 + * is assigned to the connection - the CRL callback e.g. 305 472 + * makes use of it for retrieving its store (mctx->crl). 306 473 + * Since logging in callbacks uses c->base_server in many 307 474 + * cases, it also ensures that these messages are routed 308 + * to the proper log. And finally, there is one special 309 + * filter callback, which is set very early depending on the 310 + * base_server's log level. If this is not the first vhost 311 + * we're now selecting (and the first vhost doesn't use 312 + * APLOG_DEBUG), then we need to set that callback here. 475 + * to the proper log. 313 476 + */ 314 477 + c->base_server = s; 478 + 479 + /* 480 + * There is one special filter callback, which is set 481 + * very early depending on the base_server's log level. 482 + * If this is not the first vhost we're now selecting 483 + * (and the first vhost doesn't use APLOG_DEBUG), then 484 + * we need to set that callback here. 485 + */ 315 486 + if (c->base_server->loglevel >= APLOG_DEBUG) { 316 487 + BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); … … 326 497 Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h 327 498 =================================================================== 328 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 6 27519)499 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 663014) 329 500 +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) 330 @@ -264,6 +264,12 @@ 501 @@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char * 331 502 #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 332 503 #endif
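Review bot: The `!(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))` condition in the new `#ifndef OPENSSL_NO_TLSEXT` block of ssl_hook_Access exempts every SNI client from the CA-list check on the premise, stated in the comment above it, that r->server equals r->connection->base_server for such clients; that equality does not hold when the Host header selects a different vhost than the SNI name did, and the ssl_hook_ReadReq hunk that would have to enforce it is elided on this page, so I cannot confirm it from here. If nothing rejects an SNI/Host mismatch, a non-default vhost with SSLVerify set to require and its own CA list can be reached after a handshake verified against the base server's store, which is exactly the case the HTTP_FORBIDDEN branch is meant to refuse; gating on the SNI name actually matching the request host (e.g. `strcasecmp(r->hostname, servername) == 0`) rather than on mere presence of a servername, or rejecting the mismatch in ssl_hook_ReadReq, closes that gap. Separately, the last line of `MODSSL_CFG_CA_NE` mixes `||` and `&&` without parentheses; `(sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f))` should be parenthesized, and since the macro is defined inside the function body it should be `#undef`'d after its two uses. ssl_hook_Access starts and ends outside this hunk.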