Lines 135-221
static int ssl_tmp_keys_init(server_rec
|
135 |
return OK; |
135 |
return OK; |
136 |
} |
136 |
} |
137 |
|
137 |
|
138 |
#ifndef OPENSSL_NO_TLSEXT |
|
|
139 |
static int set_ssl_vhost(void *servername, conn_rec *c, server_rec *s) |
140 |
{ |
141 |
SSLSrvConfigRec *sc; |
142 |
SSL *ssl; |
143 |
BOOL found = FALSE; |
144 |
apr_array_header_t *names; |
145 |
int i; |
146 |
|
147 |
/* check ServerName */ |
148 |
if (!strcasecmp(servername, s->server_hostname)) |
149 |
found = TRUE; |
150 |
|
151 |
/* if not matched yet, check ServerAlias entries */ |
152 |
if (!found) { |
153 |
names = s->names; |
154 |
if (names) { |
155 |
char **name = (char **)names->elts; |
156 |
for (i = 0; i < names->nelts; ++i) { |
157 |
if (!name[i]) |
158 |
continue; |
159 |
if (!strcasecmp(servername, name[i])) { |
160 |
found = TRUE; |
161 |
break; |
162 |
} |
163 |
} |
164 |
} |
165 |
} |
166 |
|
167 |
/* if still no match, check ServerAlias entries with wildcards */ |
168 |
if (!found) { |
169 |
names = s->wild_names; |
170 |
if (names) { |
171 |
char **name = (char **)names->elts; |
172 |
for (i = 0; i < names->nelts; ++i) { |
173 |
if (!name[i]) |
174 |
continue; |
175 |
if (!ap_strcasecmp_match(servername, name[i])) { |
176 |
found = TRUE; |
177 |
break; |
178 |
} |
179 |
} |
180 |
} |
181 |
} |
182 |
|
183 |
/* set SSL_CTX (if matched) */ |
184 |
if (found) { |
185 |
if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL) |
186 |
return 0; |
187 |
if (!(sc = mySrvConfig(s))) |
188 |
return 0; |
189 |
SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx); |
190 |
return 1; |
191 |
} |
192 |
return 0; |
193 |
} |
194 |
|
195 |
int ssl_set_vhost_ctx(SSL *ssl, const char *servername) |
196 |
{ |
197 |
conn_rec *c; |
198 |
|
199 |
if (servername == NULL) /* should not occur. */ |
200 |
return 0; |
201 |
SSL_set_SSL_CTX(ssl, NULL); |
202 |
if (!(c = (conn_rec *)SSL_get_app_data(ssl))) |
203 |
return 0; |
204 |
return ap_vhost_iterate_given_conn(c, set_ssl_vhost, (void *)servername); |
205 |
} |
206 |
|
207 |
int ssl_servername_cb(SSL *ssl, int *al, modssl_ctx_t *mctx) |
208 |
{ |
209 |
const char *servername = |
210 |
SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
211 |
|
212 |
if (servername) |
213 |
return ssl_set_vhost_ctx(ssl, servername) ? |
214 |
SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL; |
215 |
return SSL_TLSEXT_ERR_NOACK; |
216 |
} |
217 |
#endif |
218 |
|
219 |
/* |
138 |
/* |
220 |
* Per-module initialization |
139 |
* Per-module initialization |
221 |
*/ |
140 |
*/ |
Lines 436-464
static void ssl_init_server_check(server
|
436 |
} |
355 |
} |
437 |
} |
356 |
} |
438 |
|
357 |
|
439 |
static void ssl_init_server_extensions(server_rec *s, |
358 |
#ifndef OPENSSL_NO_TLSEXT |
440 |
apr_pool_t *p, |
359 |
static void ssl_init_ctx_tls_extensions(server_rec *s, |
441 |
apr_pool_t *ptemp, |
360 |
apr_pool_t *p, |
442 |
modssl_ctx_t *mctx) |
361 |
apr_pool_t *ptemp, |
|
|
362 |
modssl_ctx_t *mctx) |
443 |
{ |
363 |
{ |
444 |
/* |
364 |
/* |
445 |
* Configure TLS extensions support |
365 |
* Configure TLS extensions support |
446 |
*/ |
366 |
*/ |
447 |
#ifndef OPENSSL_NO_TLSEXT |
|
|
448 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, |
367 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, |
449 |
"Configuring TLS extensions facility"); |
368 |
"Configuring TLS extension handling"); |
450 |
|
369 |
|
|
|
370 |
/* |
371 |
* Server name indication (SNI) |
372 |
*/ |
451 |
if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, |
373 |
if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, |
452 |
ssl_servername_cb) || |
374 |
ssl_callback_ServerNameIndication) || |
453 |
!SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) { |
375 |
!SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) { |
454 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, |
376 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, |
455 |
"Unable to initialize servername callback - " |
377 |
"Unable to initialize TLS servername extension " |
456 |
"bad OpenSSL version."); |
378 |
"callback (incompatible OpenSSL version?)"); |
457 |
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); |
379 |
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); |
458 |
ssl_die(); |
380 |
ssl_die(); |
459 |
} |
381 |
} |
460 |
#endif |
|
|
461 |
} |
382 |
} |
|
|
383 |
#endif |
462 |
|
384 |
|
463 |
static void ssl_init_ctx_protocol(server_rec *s, |
385 |
static void ssl_init_ctx_protocol(server_rec *s, |
464 |
apr_pool_t *p, |
386 |
apr_pool_t *p, |
Lines 816-822
static void ssl_init_ctx(server_rec *s,
|
816 |
if (mctx->pks) { |
738 |
if (mctx->pks) { |
817 |
/* XXX: proxy support? */ |
739 |
/* XXX: proxy support? */ |
818 |
ssl_init_ctx_cert_chain(s, p, ptemp, mctx); |
740 |
ssl_init_ctx_cert_chain(s, p, ptemp, mctx); |
819 |
ssl_init_server_extensions(s, p, ptemp, mctx); |
741 |
#ifndef OPENSSL_NO_TLSEXT |
|
|
742 |
ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); |
743 |
#endif |
820 |
} |
744 |
} |
821 |
} |
745 |
} |
822 |
|
746 |
|
Lines 1110-1125
void ssl_init_ConfigureServer(server_rec
|
1110 |
|
1034 |
|
1111 |
void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) |
1035 |
void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) |
1112 |
{ |
1036 |
{ |
|
|
1037 |
server_rec *s, *ps; |
1113 |
SSLSrvConfigRec *sc; |
1038 |
SSLSrvConfigRec *sc; |
1114 |
server_rec *s; |
|
|
1115 |
#ifdef OPENSSL_NO_TLSEXT |
1116 |
server_rec *ps; |
1117 |
apr_hash_t *table; |
1039 |
apr_hash_t *table; |
1118 |
const char *key; |
1040 |
const char *key; |
1119 |
apr_ssize_t klen; |
1041 |
apr_ssize_t klen; |
1120 |
|
1042 |
|
1121 |
BOOL conflict = FALSE; |
1043 |
BOOL conflict = FALSE; |
1122 |
#endif |
|
|
1123 |
|
1044 |
|
1124 |
/* |
1045 |
/* |
1125 |
* Give out warnings when a server has HTTPS configured |
1046 |
* Give out warnings when a server has HTTPS configured |
Lines 1147-1153
void ssl_init_CheckServers(server_rec *b
|
1147 |
} |
1068 |
} |
1148 |
} |
1069 |
} |
1149 |
|
1070 |
|
1150 |
#ifdef OPENSSL_NO_TLSEXT |
|
|
1151 |
/* |
1071 |
/* |
1152 |
* Give out warnings when more than one SSL-aware virtual server uses the |
1072 |
* Give out warnings when more than one SSL-aware virtual server uses the |
1153 |
* same IP:port. This doesn't work because mod_ssl then will always use |
1073 |
* same IP:port. This doesn't work because mod_ssl then will always use |
Lines 1172-1178
void ssl_init_CheckServers(server_rec *b
|
1172 |
if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { |
1092 |
if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { |
1173 |
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, |
1093 |
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, |
1174 |
base_server, |
1094 |
base_server, |
|
|
1095 |
#ifdef OPENSSL_NO_TLSEXT |
1175 |
"Init: SSL server IP/port conflict: " |
1096 |
"Init: SSL server IP/port conflict: " |
|
|
1097 |
#else |
1098 |
"Init: SSL server IP/port overlap: " |
1099 |
#endif |
1176 |
"%s (%s:%d) vs. %s (%s:%d)", |
1100 |
"%s (%s:%d) vs. %s (%s:%d)", |
1177 |
ssl_util_vhostid(p, s), |
1101 |
ssl_util_vhostid(p, s), |
1178 |
(s->defn_name ? s->defn_name : "unknown"), |
1102 |
(s->defn_name ? s->defn_name : "unknown"), |
Lines 1189-1198
void ssl_init_CheckServers(server_rec *b
|
1189 |
|
1113 |
|
1190 |
if (conflict) { |
1114 |
if (conflict) { |
1191 |
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, |
1115 |
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, |
|
|
1116 |
#ifdef OPENSSL_NO_TLSEXT |
1192 |
"Init: You should not use name-based " |
1117 |
"Init: You should not use name-based " |
1193 |
"virtual hosts in conjunction with SSL!!"); |
1118 |
"virtual hosts in conjunction with SSL!!"); |
1194 |
} |
1119 |
#else |
|
|
1120 |
"Init: Name-based SSL virtual hosts only " |
1121 |
"work for clients with TLS server name indication " |
1122 |
"support (RFC 4366)"); |
1195 |
#endif |
1123 |
#endif |
|
|
1124 |
} |
1196 |
} |
1125 |
} |
1197 |
|
1126 |
|
1198 |
#ifdef SSLC_VERSION_NUMBER |
1127 |
#ifdef SSLC_VERSION_NUMBER |
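Review bot: The `#ifdef OPENSSL_NO_TLSEXT` / `#else` / `#endif` on the new side is placed inside the argument list of the `ap_log_error()` call in the `if (conflict)` block, so the call's closing parenthesis and semicolon appear twice and the statement cannot be read without tracing both preprocessor branches; the same pattern is used for the "conflict:" / "overlap:" prefix in the IP/port message of the preceding hunk (Lines 1172-1178). Selecting the message text once, above the call, keeps the call itself a single unconditional statement and avoids the two conditionally compiled `);` terminators. The enclosing function `ssl_init_CheckServers` starts outside this hunk, so the macro below is shown at file scope; a `static const char *` chosen under the same `#ifdef` near the top of the function would do equally well. The macro name is a constructed example, not one the page defines.
```c
#ifdef OPENSSL_NO_TLSEXT
#define SSL_NAMEVHOST_WARN_MSG "Init: You should not use name-based " \
                               "virtual hosts in conjunction with SSL!!"
#else
#define SSL_NAMEVHOST_WARN_MSG "Init: Name-based SSL virtual hosts only " \
                               "work for clients with TLS server name indication " \
                               "support (RFC 4366)"
#endif
/* … unchanged: earlier body of ssl_init_CheckServers … */
    if (conflict) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
                     SSL_NAMEVHOST_WARN_MSG);
    }
```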