
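--- a/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c
+++ b/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c
@@ -145,6 +145,9 @@
                 "Use the server's cipher ordering preference")
     SSL_CMD_ALL(UserName, TAKE1,
                 "Set user name to SSL variable value")
+    SSL_CMD_SRV(TrustedFirst, TAKE1,
+                "SSL Client Check Trusted Store first "
+                "(`on', `off')")
 
     /*
      * Proxy configuration for remote SSL connections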
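Review bot: `SSL_CMD_SRV(TrustedFirst, TAKE1, ...)` declares a boolean directive as TAKE1 and then parses on/off by hand in `ssl_cmd_SSLTrustedFirst` (ssl_engine_config.c, hunk at 977-982); `SSLHonorCipherOrder`, whose prototype in the ssl_private.h hunk takes `int flag`, shows the FLAG form that gives httpd's standard On/Off parsing and error message for free. Changing this to `SSL_CMD_SRV(TrustedFirst, FLAG, "SSL Client Check Trusted Store first (`on', `off')")` and the handler signature to `int flag` would remove the custom parser and its error string. The help text says `on'/`off' while the handler's error message says On or Off — harmless with strcasecmp, but the two should read the same.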
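--- a/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c
@@ -125,6 +125,7 @@
     mctx->auth.ca_cert_file   = NULL;
     mctx->auth.cipher_suite   = NULL;
     mctx->auth.verify_depth   = UNSET;
+    mctx->auth.trusted_first  = UNSET;
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
 }
 
@@ -213,6 +214,7 @@
     cfgMergeString(auth.ca_cert_file);
     cfgMergeString(auth.cipher_suite);
     cfgMergeInt(auth.verify_depth);
+    cfgMergeInt(auth.trusted_first);
     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
 }
 
@@ -977,6 +979,24 @@
     return NULL;
 }
 
+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *cmd,
+                                   void *dcfg,
+                                   const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    if (!strcasecmp(arg, "On")) {
+        sc->server->auth.trusted_first = 1;
+        return NULL;
+    }
+    else if (!strcasecmp(arg, "Off")) {
+        sc->server->auth.trusted_first = 0;
+        return NULL;
+    }
+
+    return "Argument must be On or Off";
+}
+
 #define MODSSL_NO_SHARED_MEMORY_ERROR \
     "SSLSessionCache: shared memory cache not useable on this platform"
 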
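Review bot: `ssl_cmd_SSLTrustedFirst` stores the literals `1` and `0` in `auth.trusted_first`, while ssl_engine_init.c tests the same field against `SSL_CVERIFY_TRUSTED_ON` defined in ssl_private.h; writing `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_ON;` and `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_OFF;` ties the setter and the consumer to one definition. The handler only writes `sc->server`, yet the init hunk at 125-130 and the merge hunk at 213-218 treat `auth.trusted_first` as a per-context field, so if the same init/merge path also covers the proxy context (not visible here) that side is initialised and merged but can never be set — a short comment above the function stating that the directive is server-side only would make that deliberate. A doc comment giving the accepted values, e.g. `/* SSLTrustedFirst On|Off (case-insensitive): prefer the trusted store when building the client chain */`, is also missing.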
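--- a/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c
@@ -516,6 +516,18 @@
         mctx->auth.verify_depth = 1;
     }
 
+	/**
+	 * If requested, set flag for using Trusted set of CA
+	 * Certificates first. (Backport from openssl-1.0.2)
+	 */
+    if (mctx->auth.trusted_first == SSL_CVERIFY_TRUSTED_ON) {
+		if (s->loglevel >= APLOG_INFO) {
+			ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+				"Setting Use Trusted First Flag for Client Verification");
+		}
+		ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;
+	}
+
     /*
      *  Configure callbacks for SSL context
      */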
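Review bot: `ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;` reaches into the SSL_CTX structure instead of going through the library API; it compiles only while the struct layout is visible and stops building once SSL_CTX is opaque (OpenSSL 1.1.0 and later). `X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx), X509_V_FLAG_TRUSTED_FIRST);` is the supported form on 1.0.2+, and on older releases `X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_TRUSTED_FIRST);` is the usual alternative (worth confirming it reaches the verify path used here). The new block is indented with tabs while the surrounding function and the `if` line itself use four spaces, so the indentation should be normalised to the file's style. The enclosing function starts and ends outside this hunk.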
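--- a/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h
+++ b/httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h
@@ -238,6 +238,26 @@
     || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 
 /**
+ * Define SSL Verification Flags
+ * (Backport from openssl-1.0.2)
+ */
+
+#ifndef X509_V_FLAG_TRUSTED_FIRST 
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
+#endif
+
+/**
+ * Define the values for Client Verification Trust enabled or not
+ */
+#ifndef SSL_CVERIFY_TRUSTED
+#define SSL_CVERIFY_TRUSTED_ON 1
+#define SSL_CVERIFY_TRUSTED_OFF 0
+
+#define SSL_CVERIFY_TRUSTED
+#endif
+
+
+/**
  * Define the SSL pass phrase dialog types
  */
 typedef enum {
@@ -344,6 +364,7 @@
     const char *verify_info;
     const char *verify_error;
     int verify_depth;
+    int trusted_first;
     int is_proxy;
     int disabled;
     int non_ssl_request;
@@ -410,6 +431,7 @@
 
     /** for client or downstream server authentication */
     int          verify_depth;
+    int          trusted_first;
     ssl_verify_t verify_mode;
 } modssl_auth_ctx_t;
 
@@ -506,6 +528,7 @@
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLTrustedFirst(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);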
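Review bot: The fallback `#define X509_V_FLAG_TRUSTED_FIRST 0x8000` lets the directive be accepted when built against an OpenSSL that does not implement the flag; the verifier there simply ignores the unknown bit, so `SSLTrustedFirst on` becomes a silent no-op while ssl_engine_init.c still logs that the flag was set and the operator believes chain building was changed. Fail loudly instead: replace the fallback with `#error SSLTrustedFirst requires an OpenSSL that defines X509_V_FLAG_TRUSTED_FIRST` (or compile the directive out and report it at startup) so a build that cannot honour the setting is visible. The `#ifndef SSL_CVERIFY_TRUSTED` guard protects names this patch itself introduces, so the guard and the empty `#define SSL_CVERIFY_TRUSTED` marker can be dropped in favour of a plain pair of defines or an enum. The `int trusted_first;` added to the struct in the 344-349 hunk is not referenced by any other hunk in this patch and looks unused, and `#ifndef X509_V_FLAG_TRUSTED_FIRST ` carries trailing whitespace.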
