View | Details | Raw Unified | Return to bug 34607
Collapse All | Expand All

(-)httpd-trunk/modules/ssl/ssl_private.h (-5 / +3 lines)
Lines 581-586 int ssl_callback_NewSessionCach Link Here
581
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
581
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
582
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
582
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
583
void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
583
void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
584
#ifndef OPENSSL_NO_TLSEXT
585
int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
586
#endif
584
587
585
/**  Session Cache Support  */
588
/**  Session Cache Support  */
586
void         ssl_scache_init(server_rec *, apr_pool_t *);
589
void         ssl_scache_init(server_rec *, apr_pool_t *);
Lines 727-737 OCSP_RESPONSE *modssl_dispatch_ocsp_requ Link Here
727
                                            conn_rec *c, apr_pool_t *p);
730
                                            conn_rec *c, apr_pool_t *p);
728
#endif
731
#endif
729
732
730
#ifndef OPENSSL_NO_TLSEXT
731
int ssl_servername_cb(SSL *ssl, int *al, modssl_ctx_t *mctx);
732
int ssl_set_vhost_ctx(SSL *ssl, const char *servername); 
733
#endif
734
735
#endif /* SSL_PRIVATE_H */
733
#endif /* SSL_PRIVATE_H */
736
/** @} */
734
/** @} */
737
735
(-)httpd-trunk/modules/ssl/ssl_engine_init.c (-98 / +27 lines)
Lines 135-221 static int ssl_tmp_keys_init(server_rec Link Here
135
    return OK;
135
    return OK;
136
}
136
}
137
137
138
#ifndef OPENSSL_NO_TLSEXT
139
static int set_ssl_vhost(void *servername, conn_rec *c, server_rec *s) 
140
{
141
    SSLSrvConfigRec *sc;
142
    SSL *ssl;
143
    BOOL found = FALSE;
144
    apr_array_header_t *names;
145
    int i;
146
147
    /* check ServerName */
148
    if (!strcasecmp(servername, s->server_hostname))
149
        found = TRUE;
150
151
    /* if not matched yet, check ServerAlias entries */
152
    if (!found) {
153
        names = s->names;
154
        if (names) {
155
            char **name = (char **)names->elts;
156
            for (i = 0; i < names->nelts; ++i) {
157
                if (!name[i])
158
                    continue;
159
                if (!strcasecmp(servername, name[i])) {
160
                    found = TRUE;
161
                    break;
162
                }
163
            }
164
        }
165
    }
166
167
    /* if still no match, check ServerAlias entries with wildcards */
168
    if (!found) {
169
        names = s->wild_names;
170
        if (names) {
171
            char **name = (char **)names->elts;
172
            for (i = 0; i < names->nelts; ++i) {
173
                if (!name[i])
174
                    continue;
175
                if (!ap_strcasecmp_match(servername, name[i])) {
176
                    found = TRUE;
177
                    break;
178
                }
179
            }
180
        }
181
    }
182
183
    /* set SSL_CTX (if matched) */
184
    if (found) {
185
        if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
186
            return 0;
187
        if (!(sc = mySrvConfig(s)))
188
            return 0;
189
        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
190
        return 1;
191
    }
192
    return 0;
193
}
194
195
int ssl_set_vhost_ctx(SSL *ssl, const char *servername) 
196
{
197
    conn_rec *c;
198
199
    if (servername == NULL)   /* should not occur. */
200
        return 0;
201
    SSL_set_SSL_CTX(ssl, NULL);
202
    if (!(c = (conn_rec *)SSL_get_app_data(ssl)))
203
        return 0;
204
    return ap_vhost_iterate_given_conn(c, set_ssl_vhost, (void *)servername);
205
}
206
207
int ssl_servername_cb(SSL *ssl, int *al, modssl_ctx_t *mctx)
208
{
209
    const char *servername =
210
                SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
211
212
    if (servername)
213
        return ssl_set_vhost_ctx(ssl, servername) ? 
214
                SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL;
215
    return SSL_TLSEXT_ERR_NOACK;
216
}
217
#endif
218
219
/*
138
/*
220
 *  Per-module initialization
139
 *  Per-module initialization
221
 */
140
 */
Lines 436-464 static void ssl_init_server_check(server Link Here
436
    }
355
    }
437
}
356
}
438
357
439
static void ssl_init_server_extensions(server_rec *s,
358
#ifndef OPENSSL_NO_TLSEXT
440
                                       apr_pool_t *p,
359
static void ssl_init_ctx_tls_extensions(server_rec *s,
441
                                       apr_pool_t *ptemp,
360
                                        apr_pool_t *p,
442
                                       modssl_ctx_t *mctx)
361
                                        apr_pool_t *ptemp,
362
                                        modssl_ctx_t *mctx)
443
{
363
{
444
    /*
364
    /*
445
     * Configure TLS extensions support
365
     * Configure TLS extensions support
446
     */
366
     */
447
#ifndef OPENSSL_NO_TLSEXT
448
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
367
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
449
                 "Configuring TLS extensions facility");
368
                 "Configuring TLS extension handling");
450
369
370
    /*
371
     * Server name indication (SNI)
372
     */
451
    if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
373
    if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
452
                                                ssl_servername_cb) ||
374
                          ssl_callback_ServerNameIndication) ||
453
        !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
375
        !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
454
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
376
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
455
                     "Unable to initialize servername callback - "
377
                     "Unable to initialize TLS servername extension "
456
                     "bad OpenSSL version.");
378
                     "callback (incompatible OpenSSL version?)");
457
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
379
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
458
        ssl_die();
380
        ssl_die();
459
    }
381
    }
460
#endif
461
}
382
}
383
#endif
462
384
463
static void ssl_init_ctx_protocol(server_rec *s,
385
static void ssl_init_ctx_protocol(server_rec *s,
464
                                  apr_pool_t *p,
386
                                  apr_pool_t *p,
Lines 816-822 static void ssl_init_ctx(server_rec *s, Link Here
816
    if (mctx->pks) {
738
    if (mctx->pks) {
817
        /* XXX: proxy support? */
739
        /* XXX: proxy support? */
818
        ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
740
        ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
819
        ssl_init_server_extensions(s, p, ptemp, mctx);
741
#ifndef OPENSSL_NO_TLSEXT
742
        ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
743
#endif
820
    }
744
    }
821
}
745
}
822
746
Lines 1110-1125 void ssl_init_ConfigureServer(server_rec Link Here
1110
1034
1111
void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
1035
void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
1112
{
1036
{
1037
    server_rec *s, *ps;
1113
    SSLSrvConfigRec *sc;
1038
    SSLSrvConfigRec *sc;
1114
    server_rec *s;
1115
#ifdef OPENSSL_NO_TLSEXT
1116
    server_rec *ps;
1117
    apr_hash_t *table;
1039
    apr_hash_t *table;
1118
    const char *key;
1040
    const char *key;
1119
    apr_ssize_t klen;
1041
    apr_ssize_t klen;
1120
1042
1121
    BOOL conflict = FALSE;
1043
    BOOL conflict = FALSE;
1122
#endif
1123
1044
1124
    /*
1045
    /*
1125
     * Give out warnings when a server has HTTPS configured
1046
     * Give out warnings when a server has HTTPS configured
Lines 1147-1153 void ssl_init_CheckServers(server_rec *b Link Here
1147
        }
1068
        }
1148
    }
1069
    }
1149
1070
1150
#ifdef OPENSSL_NO_TLSEXT
1151
    /*
1071
    /*
1152
     * Give out warnings when more than one SSL-aware virtual server uses the
1072
     * Give out warnings when more than one SSL-aware virtual server uses the
1153
     * same IP:port. This doesn't work because mod_ssl then will always use
1073
     * same IP:port. This doesn't work because mod_ssl then will always use
Lines 1172-1178 void ssl_init_CheckServers(server_rec *b Link Here
1172
        if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
1092
        if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
1173
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
1093
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
1174
                         base_server,
1094
                         base_server,
1095
#ifdef OPENSSL_NO_TLSEXT
1175
                         "Init: SSL server IP/port conflict: "
1096
                         "Init: SSL server IP/port conflict: "
1097
#else
1098
                         "Init: SSL server IP/port overlap: "
1099
#endif
1176
                         "%s (%s:%d) vs. %s (%s:%d)",
1100
                         "%s (%s:%d) vs. %s (%s:%d)",
1177
                         ssl_util_vhostid(p, s),
1101
                         ssl_util_vhostid(p, s),
1178
                         (s->defn_name ? s->defn_name : "unknown"),
1102
                         (s->defn_name ? s->defn_name : "unknown"),
Lines 1189-1198 void ssl_init_CheckServers(server_rec *b Link Here
1189
1113
1190
    if (conflict) {
1114
    if (conflict) {
1191
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
1115
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
1116
#ifdef OPENSSL_NO_TLSEXT
1192
                     "Init: You should not use name-based "
1117
                     "Init: You should not use name-based "
1193
                     "virtual hosts in conjunction with SSL!!");
1118
                     "virtual hosts in conjunction with SSL!!");
1194
    }
1119
#else
1120
                     "Init: Name-based SSL virtual hosts only "
1121
                     "work for clients with TLS server name indication "
1122
                     "support (RFC 4366)");
1195
#endif
1123
#endif
1124
    }
1196
}
1125
}
1197
1126
1198
#ifdef SSLC_VERSION_NUMBER
1127
#ifdef SSLC_VERSION_NUMBER
(-)httpd-trunk/modules/ssl/ssl_engine_vars.c (+6 lines)
Lines 320-325 static char *ssl_var_lookup_ssl(apr_pool Link Here
320
    else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
320
    else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
321
        result = ssl_var_lookup_ssl_compress_meth(ssl);
321
        result = ssl_var_lookup_ssl_compress_meth(ssl);
322
    }
322
    }
323
#ifndef OPENSSL_NO_TLSEXT
324
    else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
325
        result = apr_pstrdup(p, SSL_get_servername(ssl,
326
                                                   TLSEXT_NAMETYPE_host_name));
327
    }
328
#endif
323
    return result;
329
    return result;
324
}
330
}
325
331
(-)httpd-trunk/modules/ssl/ssl_engine_kernel.c (-11 / +130 lines)
Lines 31-36 Link Here
31
#include "ssl_private.h"
31
#include "ssl_private.h"
32
32
33
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
33
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
34
#ifndef OPENSSL_NO_TLSEXT
35
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
36
#endif
34
37
35
#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
38
#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
36
#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
39
#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
Lines 92-97 int ssl_hook_ReadReq(request_rec *r) Link Here
92
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
95
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
93
    SSLConnRec *sslconn;
96
    SSLConnRec *sslconn;
94
    const char *upgrade;
97
    const char *upgrade;
98
#ifndef OPENSSL_NO_TLSEXT
99
    const char *servername;
100
#endif
95
    SSL *ssl;
101
    SSL *ssl;
96
    
102
    
97
    /* Perform TLS upgrade here if "SSLEngine optional" is configured,
103
    /* Perform TLS upgrade here if "SSLEngine optional" is configured,
Lines 153-158 int ssl_hook_ReadReq(request_rec *r) Link Here
153
    if (!ssl) {
159
    if (!ssl) {
154
        return DECLINED;
160
        return DECLINED;
155
    }
161
    }
162
#ifndef OPENSSL_NO_TLSEXT
163
    if (!r->hostname &&
164
        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
165
        /* Use the SNI extension as the hostname if no Host: header was sent */
166
        r->hostname = apr_pstrdup(r->pool, servername);
167
        ap_update_vhost_from_headers(r);
168
    }
169
#endif
156
    SSL_set_app_data2(ssl, r);
170
    SSL_set_app_data2(ssl, r);
157
171
158
    /*
172
    /*
Lines 297-312 int ssl_hook_Access(request_rec *r) Link Here
297
     * the currently active one.
311
     * the currently active one.
298
     */
312
     */
299
313
300
#ifndef OPENSSL_NO_TLSEXT
301
    /*
302
     * We will force a renegotiation if we switch to another virtualhost.
303
     */
304
    if (r->hostname && !SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) {
305
        if (ssl_set_vhost_ctx(ssl, r->hostname) && ctx != SSL_get_SSL_CTX(ssl))
306
            renegotiate = TRUE;
307
    }
308
#endif
309
310
    /*
314
    /*
311
     * Override of SSLCipherSuite
315
     * Override of SSLCipherSuite
312
     *
316
     *
Lines 1074-1080 int ssl_hook_Fixup(request_rec *r) Link Here
1074
    apr_table_t *env = r->subprocess_env;
1078
    apr_table_t *env = r->subprocess_env;
1075
    char *var, *val = "";
1079
    char *var, *val = "";
1076
#ifndef OPENSSL_NO_TLSEXT
1080
#ifndef OPENSSL_NO_TLSEXT
1077
    const char* servername;
1081
    const char *servername;
1078
#endif
1082
#endif
1079
    STACK_OF(X509) *peer_certs;
1083
    STACK_OF(X509) *peer_certs;
1080
    SSL *ssl;
1084
    SSL *ssl;
Lines 1909-1911 void ssl_callback_LogTracingState(MODSSL Link Here
1909
    }
1913
    }
1910
}
1914
}
1911
1915
1916
#ifndef OPENSSL_NO_TLSEXT
1917
/*
1918
 * This callback function is executed when OpenSSL encounters an extended
1919
 * client hello with a server name indication extension ("SNI", cf. RFC 4366).
1920
 */
1921
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
1922
{
1923
    const char *servername =
1924
                SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
1925
1926
    if (servername) {
1927
        conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
1928
        if (c) {
1929
            if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
1930
                                            (void *)servername)) {
1931
                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
1932
                              "SSL virtual host for servername %s found",
1933
                              servername);
1934
                return SSL_TLSEXT_ERR_OK;
1935
            }
1936
            else {
1937
                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
1938
                              "No matching SSL virtual host for servername "
1939
                              "%s found (using default/first virtual host)",
1940
                              servername);
1941
                return SSL_TLSEXT_ERR_ALERT_WARNING;
1942
            }
1943
        }
1944
    }
1945
1946
    return SSL_TLSEXT_ERR_NOACK;
1947
}
1948
1949
/*
1950
 * Find a (name-based) SSL virtual host where either the ServerName
1951
 * or one of the ServerAliases matches the supplied name (to be used
1952
 * with ap_vhost_iterate_given_conn())
1953
 */
1954
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) 
1955
{
1956
    SSLSrvConfigRec *sc;
1957
    SSL *ssl;
1958
    BOOL found = FALSE;
1959
    apr_array_header_t *names;
1960
    int i;
1961
1962
    /* check ServerName */
1963
    if (!strcasecmp(servername, s->server_hostname)) {
1964
        found = TRUE;
1965
    }
1966
1967
    /* 
1968
     * if not matched yet, check ServerAlias entries
1969
     * (adapted from vhost.c:matches_aliases())
1970
     */
1971
    if (!found) {
1972
        names = s->names;
1973
        if (names) {
1974
            char **name = (char **)names->elts;
1975
            for (i = 0; i < names->nelts; ++i) {
1976
                if (!name[i])
1977
                    continue;
1978
                if (!strcasecmp(servername, name[i])) {
1979
                    found = TRUE;
1980
                    break;
1981
                }
1982
            }
1983
        }
1984
    }
1985
1986
    /* if still no match, check ServerAlias entries with wildcards */
1987
    if (!found) {
1988
        names = s->wild_names;
1989
        if (names) {
1990
            char **name = (char **)names->elts;
1991
            for (i = 0; i < names->nelts; ++i) {
1992
                if (!name[i])
1993
                    continue;
1994
                if (!ap_strcasecmp_match(servername, name[i])) {
1995
                    found = TRUE;
1996
                    break;
1997
                }
1998
            }
1999
        }
2000
    }
2001
2002
    /* set SSL_CTX (if matched) */
2003
    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
2004
        (sc = mySrvConfig(s))) {
2005
        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
2006
        /*
2007
         * SSL_set_SSL_CTX() only deals with the server cert,
2008
         * so we need to duplicate a few additional settings
2009
         * from the ctx by hand
2010
         */
2011
        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
2012
        if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
2013
            (SSL_num_renegotiations(ssl) == 0)) {
2014
           /*
2015
            * Only initialize the verification settings from the ctx
2016
            * if they are not yet set, or if we're called when a new
2017
            * SSL connection is set up (num_renegotiations == 0).
2018
            * Otherwise, we would possibly reset a per-directory
2019
            * configuration which was put into effect by ssl_hook_Access.
2020
            */
2021
            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
2022
                           SSL_CTX_get_verify_callback(ssl->ctx));
2023
        }
2024
2025
        return 1;
2026
    }
2027
2028
    return 0;
2029
}
2030
#endif

Return to bug 34607