-rw-r--r-- | CHANGES | 2 | ||||
-rw-r--r-- | docs/log-message-tags/next-number | 2 | ||||
-rw-r--r-- | modules/ssl/mod_ssl.c | 5 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 27 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 20 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 17 |
6 files changed, 67 insertions, 6 deletions
@@ -1,6 +1,8 @@
 -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Add support for OpenSSL configuration commands [Stephen Henson] + *) EventOpt MPM *) mod_proxy_balancer: Improve output
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 0af28381aa..1415bc5737 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2407
+2408
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index ab9a8a65ea..2e50dc979e 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -272,6 +272,11 @@ static const command_rec ssl_config_cmds[] = {
 "SSL stapling option to Force the OCSP Stapling URL")
 #endif
+#ifdef HAVE_SSL_CONF_CMD
+ SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
+ "OpenSSL configuration command")
+#endif
+
 /* Deprecated directives. */
 AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
 "SSLLog directive is no longer supported - use ErrorLog."),
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 39f20f9497..bda5c0e4e4 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -100,7 +100,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
 ** _________________________________________________________________
 */
-static void modssl_ctx_init(modssl_ctx_t *mctx)
+static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
 {
 mctx->sc = NULL; /* set during module init */
@@ -159,6 +159,9 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
 mctx->srp_unknown_user_seed = NULL;
 mctx->srp_vbase = NULL;
 #endif
+#ifdef HAVE_SSL_CONF_CMD
+ mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t));
+#endif
 }
 static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -168,7 +171,7 @@ static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
 mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));
- modssl_ctx_init(mctx);
+ modssl_ctx_init(mctx, p);
 mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
@@ -186,7 +189,7 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
 mctx = sc->server = apr_palloc(p, sizeof(*sc->server));
- modssl_ctx_init(mctx);
+ modssl_ctx_init(mctx, p);
 mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
@@ -293,6 +296,11 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
 cfgMergeString(srp_vfile);
 cfgMergeString(srp_unknown_user_seed);
 #endif
+
+#ifdef HAVE_SSL_CONF_CMD
+ apr_array_cat(mrg->ssl_ctx_param, base->ssl_ctx_param);
+ apr_array_cat(mrg->ssl_ctx_param, add->ssl_ctx_param);
+#endif
 }
 static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
@@ -1848,7 +1856,18 @@ const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
 }
 #endif /* HAVE_OCSP_STAPLING */
-
+#ifdef HAVE_SSL_CONF_CMD
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
+ const char *arg1, const char *arg2)
+{
+ ssl_ctx_param_t *param;
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ param = apr_array_push(sc->server->ssl_ctx_param);
+ param->name = arg1;
+ param->value = arg2;
+ return NULL;
+}
+#endif
 #ifndef OPENSSL_NO_SRP
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 815228126b..817f6fd88c 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
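Review bot: ssl_cmd_SSLOpenSSLConfCmd (hunk @@ -1848,7) stores arg1/arg2 without any validation, so a misspelled or unsupported command name is only discovered later in ssl_init_ctx_protocol, where the failing SSL_CONF_cmd() aborts the whole server through ssl_die() instead of being reported against the offending directive's file and line. If the targeted OpenSSL exposes SSL_CONF_cmd_value_type(), the handler could build a throwaway SSL_CONF_CTX with the same flags, reject names that come back as SSL_CONF_TYPE_UNKNOWN by returning an error string, and leave value checking to init. The merge in hunk @@ -293,6 appends base before add, so a virtual host's commands are applied after the global ones and win on conflicting settings; that ordering looks deliberate but is undocumented, and a comment such as `/* base first, then add: per-vhost commands override global ones */` above the two apr_array_cat() calls would preserve it. dcfg is intentionally unused here because the directive is registered with SSL_CMD_SRV (server scope), matching the neighbouring handlers.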
@@ -687,6 +687,26 @@ static void ssl_init_ctx_protocol(server_rec *s,
 SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
+#ifdef HAVE_SSL_CONF_CMD
+{
+ ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
+ SSL_CONF_CTX *cctx;
+ int i;
+ cctx = SSL_CONF_CTX_new();
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE|SSL_CONF_FLAG_SERVER);
+ SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+ for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
+ if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
+ "Error SSL_CONF_cmd(%s,%s)", param->name, param->value);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ ssl_die(s);
+ }
+ }
+ SSL_CONF_CTX_free(cctx);
+}
+#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
 /* If httpd is configured to reduce mem usage, ask openssl to do so, too */
 if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 63e401db52..16e0bcd499 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -144,6 +144,10 @@
 #define HAVE_TLS_NPN
 #endif
+#ifdef SSL_CONF_FLAG_FILE
+#define HAVE_SSL_CONF_CMD
+#endif
+
 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
 #define MODSSL_SSL_CIPHER_CONST const
 #define MODSSL_SSL_METHOD_CONST const
@@ -620,6 +624,13 @@ typedef struct {
 } modssl_ticket_key_t;
 #endif
+#ifdef HAVE_SSL_CONF_CMD
+typedef struct {
+ const char *name;
+ const char *value;
+} ssl_ctx_param_t;
+#endif
+
 typedef struct SSLSrvConfigRec SSLSrvConfigRec;
 typedef struct {
@@ -681,7 +692,9 @@ typedef struct {
 long ocsp_resptime_skew;
 long ocsp_resp_maxage;
 apr_interval_time_t ocsp_responder_timeout;
-
+#ifdef HAVE_SSL_CONF_CMD
+ apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
+#endif
 } modssl_ctx_t;
 struct SSLSrvConfigRec {
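Review bot: The result of SSL_CONF_CTX_new() in the ssl_engine_init.c hunk is used unchecked on the following SSL_CONF_CTX_set_flags() line, so an allocation failure dereferences NULL inside ssl_init_ctx_protocol (whose body begins and ends outside this hunk); the other failure path in the block already logs and calls ssl_die(), and the NULL case should do the same. The block also never calls SSL_CONF_CTX_finish(), which OpenSSL documents as required once all commands have been issued so that any deferred processing is applied to the SSL_CTX; without it a directive can be accepted by SSL_CONF_cmd() yet have no effect, which is the worse outcome for a hardening setting. Both new log calls need a fresh tag from docs/log-message-tags/next-number rather than reusing 02407. If this function is also reached for the proxy (client) context, SSL_CONF_FLAG_SERVER would be the wrong flag there — the loop is empty in that case because only sc->server->ssl_ctx_param is ever filled by the directive, but a comment stating that assumption would help the next reader.
```c
    cctx = SSL_CONF_CTX_new();
    if (cctx == NULL) {
        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(XXXXX) /* placeholder: allocate a real tag */
                     "SSL_CONF_CTX_new() failed");
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
        ssl_die(s);
    }
    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE|SSL_CONF_FLAG_SERVER);
    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
    /* … unchanged: SSL_CONF_cmd() loop over mctx->ssl_ctx_param … */
    if (SSL_CONF_CTX_finish(cctx) <= 0) {
        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(XXXXX) /* placeholder: allocate a real tag */
                     "SSL_CONF_CTX_finish() failed");
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
        ssl_die(s);
    }
    SSL_CONF_CTX_free(cctx);
```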
@@ -803,6 +816,8 @@ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
+
 #ifndef OPENSSL_NO_SRP
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
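Review bot: The new prototype is declared unconditionally while its definition in ssl_engine_config.c and the SSL_CMD_SRV entry in mod_ssl.c are both under `#ifdef HAVE_SSL_CONF_CMD`; the neighbouring SRP prototypes are guarded with `#ifndef OPENSSL_NO_SRP`, so for consistency wrap this one as `#ifdef HAVE_SSL_CONF_CMD` / `const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);` / `#endif`. A prototype without a definition is harmless to the build, but the guard makes it visible from the header alone that the directive only exists when OpenSSL provides SSL_CONF_FLAG_FILE, which is the detection this commit adds earlier in the same file.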