
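--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -138,6 +138,9 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_ALL(VerifyDepth, TAKE1,
                 "SSL Client verify depth "
                 "('N' - number of intermediate certificates)")
+    SSL_CMD_ALL(VerifyAcceptExpiredClient, TAKE1,
+                "SSL Accept expired Client certificate "
+                "('on' 'off')")
     SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
                 "SSL Session Cache object lifetime "
                 "('N' - number of seconds)")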
(-)a/modules/ssl/ssl_engine_config.c (+47 lines)
Lines 128-133 static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) Link Here
128
    mctx->auth.cipher_suite   = NULL;
128
    mctx->auth.cipher_suite   = NULL;
129
    mctx->auth.verify_depth   = UNSET;
129
    mctx->auth.verify_depth   = UNSET;
130
    mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
130
    mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
131
    mctx->auth.nAcceptExpired = SSL_CACCEPTEXPIRED_UNSET;
131
132
132
    mctx->ocsp_enabled        = UNSET;
133
    mctx->ocsp_enabled        = UNSET;
133
    mctx->ocsp_force_default  = UNSET;
134
    mctx->ocsp_force_default  = UNSET;
Lines 262-267 static void modssl_ctx_cfg_merge(apr_pool_t *p, Link Here
262
    cfgMergeString(auth.cipher_suite);
263
    cfgMergeString(auth.cipher_suite);
263
    cfgMergeInt(auth.verify_depth);
264
    cfgMergeInt(auth.verify_depth);
264
    cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
265
    cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
266
    cfgMerge(auth.nAcceptExpired, SSL_CACCEPTEXPIRED_UNSET);
265
267
266
    cfgMergeBool(ocsp_enabled);
268
    cfgMergeBool(ocsp_enabled);
267
    cfgMergeBool(ocsp_force_default);
269
    cfgMergeBool(ocsp_force_default);
Lines 377-382 void *ssl_config_perdir_create(apr_pool_t *p, char *dir) Link Here
377
    dc->szCipherSuite          = NULL;
379
    dc->szCipherSuite          = NULL;
378
    dc->nVerifyClient          = SSL_CVERIFY_UNSET;
380
    dc->nVerifyClient          = SSL_CVERIFY_UNSET;
379
    dc->nVerifyDepth           = UNSET;
381
    dc->nVerifyDepth           = UNSET;
382
    dc->nAcceptExpired         = SSL_CACCEPTEXPIRED_UNSET;
380
383
381
    dc->szUserName             = NULL;
384
    dc->szUserName             = NULL;
382
385
Lines 431-436 void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) Link Here
431
    cfgMergeString(szCipherSuite);
434
    cfgMergeString(szCipherSuite);
432
    cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
435
    cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
433
    cfgMergeInt(nVerifyDepth);
436
    cfgMergeInt(nVerifyDepth);
437
    cfgMerge(nAcceptExpired, SSL_CACCEPTEXPIRED_UNSET);
434
438
435
    cfgMergeString(szUserName);
439
    cfgMergeString(szUserName);
436
440
Lines 1125-1130 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd, Link Here
1125
    return NULL;
1129
    return NULL;
1126
}
1130
}
1127
1131
1132
static const char *ssl_cmd_accept_expired_client(cmd_parms *parms,
1133
                                                 const char *arg,
1134
                                                 ssl_accept_expired_t *nAcceptExpired)
1135
{
1136
    if (strcEQ(arg, "on")) {
1137
        *nAcceptExpired = SSL_CACCEPTEXPIRED_YES;
1138
    }
1139
    else if (strcEQ(arg, "off")) {
1140
        *nAcceptExpired = SSL_CACCEPTEXPIRED_NO;
1141
    }
1142
    else {
1143
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1144
                           ": Invalid argument '", arg, "'",
1145
                           NULL);
1146
    }
1147
1148
    return NULL;
1149
}
1150
1151
const char *ssl_cmd_SSLVerifyAcceptExpiredClient(cmd_parms *cmd,
1152
                                                 void *dcfg,
1153
                                                 const char *arg)
1154
{
1155
    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
1156
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1157
    ssl_accept_expired_t nAcceptExpired = SSL_CACCEPTEXPIRED_NO;
1158
    
1159
    const char *err;
1160
1161
    if ((err = ssl_cmd_accept_expired_client(cmd, arg, &nAcceptExpired))) {
1162
        return err;
1163
    }
1164
1165
    if (cmd->path) {
1166
        dc->nAcceptExpired = nAcceptExpired;
1167
    }
1168
    else {
1169
        sc->server->auth.nAcceptExpired = nAcceptExpired;
1170
    }
1171
1172
    return NULL;
1173
}
1174
1128
const char *ssl_cmd_SSLSessionCache(cmd_parms *cmd,
1175
const char *ssl_cmd_SSLSessionCache(cmd_parms *cmd,
1129
                                    void *dcfg,
1176
                                    void *dcfg,
1130
                                    const char *arg)
1177
                                    const char *arg)
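Review bot: The new static helper ssl_cmd_accept_expired_client has no header comment, while the directive handler below it contains a whitespace-only line (the line after the nAcceptExpired declaration) that maintainers will trip over in future diffs. I would add, above the helper, `/* Parse the 'on'/'off' argument of SSLVerifyAcceptExpiredClient into *nAcceptExpired;` followed by ` * any other value yields an error string allocated from parms->temp_pool. */`, and drop the blank line that carries only spaces. The initial value `SSL_CACCEPTEXPIRED_NO` given to the local nAcceptExpired is dead, because the helper either overwrites it or returns an error; initialising it to SSL_CACCEPTEXPIRED_UNSET would make that explicit. The merge and init hunks earlier in this file (cfgMerge with SSL_CACCEPTEXPIRED_UNSET, the UNSET defaults in modssl_ctx_init and ssl_config_perdir_create) look consistent with the enum's UNSET-inherits semantics, and the sibling ssl_cmd_SSLVerifyClient handler is above the hunk, so I could not compare its style directly.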
(-)a/modules/ssl/ssl_engine_io.c (-2 / +24 lines)
Lines 1403-1408 static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) Link Here
1403
        return inctx->rc;
1403
        return inctx->rc;
1404
    }
1404
    }
1405
    sc = mySrvConfig(sslconn->server);
1405
    sc = mySrvConfig(sslconn->server);
1406
    SSLDirConfigRec *dc;
1407
    dc = sslconn->dc;
1408
    ssl_accept_expired_t nAcceptExpired;
1409
1410
    if (dc && (dc->nAcceptExpired != SSL_CACCEPTEXPIRED_UNSET)) {
1411
        nAcceptExpired = dc->nAcceptExpired;
1412
    }
1413
    else {
1414
        nAcceptExpired = sc->server->auth.nAcceptExpired;
1415
    }
1406
1416
1407
    /*
1417
    /*
1408
     * Check for failed client authentication
1418
     * Check for failed client authentication
Lines 1434-1441 static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) Link Here
1434
             * will not be called, therefore we have to set it here
1444
             * will not be called, therefore we have to set it here
1435
             */
1445
             */
1436
            sslconn->verify_info = "GENEROUS";
1446
            sslconn->verify_info = "GENEROUS";
1437
        }
1447
        } else if ((verify_result == X509_V_ERR_CERT_HAS_EXPIRED) &&
1438
        else {
1448
                   (nAcceptExpired == SSL_CACCEPTEXPIRED_YES)) {
1449
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02009)
1450
                          "SSL client authentication failed, "
1451
                          "accepting certificate based on "
1452
                          "\"SSLVerifyAcceptExpiredClient on\" "
1453
                          "configuration");
1454
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1455
1456
            /* on session resumption ssl_callback_SSLVerify() 
1457
             * will not be called, therefore we have to set it here
1458
             */
1459
            sslconn->verify_info = "GENEROUS";
1460
        } else {
1439
            const char *error = sslconn->verify_error ?
1461
            const char *error = sslconn->verify_error ?
1440
                sslconn->verify_error :
1462
                sslconn->verify_error :
1441
                X509_verify_cert_error_string(verify_result);
1463
                X509_verify_cert_error_string(verify_result);
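Review bot: In the first hunk `SSLDirConfigRec *dc;` and `ssl_accept_expired_t nAcceptExpired;` are declared after the statement `sc = mySrvConfig(sslconn->server);`, which is a declaration-after-statement that httpd's C89-style sources avoid (maintainer-mode builds warn on it, as far as I recall); both declarations belong with the other locals at the top of ssl_io_filter_handshake, whose start is outside this hunk, e.g. `SSLDirConfigRec *dc = sslconn->dc;` there and the lookup kept here. The second hunk also switches the brace style: the removed lines show this file's `}` / `else {` on separate lines, whereas the new code uses cuddled `} else if (...) {` and `} else {`; keep the surrounding convention. The accepted-expired branch reuses `sslconn->verify_info = "GENEROUS"`, so SSL_CLIENT_VERIFY will report GENEROUS for both optional_no_ca and accepted-expired cases; if consumers need to tell them apart a distinct value would be worth considering, and the comment block above the assignment is copied verbatim from the optional_no_ca branch and could be shared. Note that this check keys only on verify_result and cannot see the depth at which the expiry occurred; see the matching note on ssl_engine_kernel.c.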
(-)a/modules/ssl/ssl_engine_kernel.c (-1 / +16 lines)
Lines 1580-1586 int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) Link Here
1580
    int errnum   = X509_STORE_CTX_get_error(ctx);
1580
    int errnum   = X509_STORE_CTX_get_error(ctx);
1581
    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
1581
    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
1582
    int depth, verify;
1582
    int depth, verify;
1583
1583
    ssl_accept_expired_t nAcceptExpired;
1584
1584
1585
    /*
1585
    /*
1586
     * Log verification information
1586
     * Log verification information
Lines 1625-1630 int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) Link Here
1625
    }
1625
    }
1626
1626
1627
    /*
1627
    /*
1628
     * Optionaly accept expired client certificate
1629
     */
1630
    if (dc && (dc->nAcceptExpired != SSL_CACCEPTEXPIRED_UNSET)) {
1631
        nAcceptExpired = dc->nAcceptExpired;
1632
    }
1633
    else {
1634
        nAcceptExpired = mctx->auth.nAcceptExpired;
1635
    }
1636
1637
    if ((errnum == X509_V_ERR_CERT_HAS_EXPIRED) &&
1638
        (nAcceptExpired == SSL_CACCEPTEXPIRED_YES)) {
1639
        ok = TRUE;
1640
    }
1641
1642
    /*
1628
     * Expired certificates vs. "expired" CRLs: by default, OpenSSL
1643
     * Expired certificates vs. "expired" CRLs: by default, OpenSSL
1629
     * turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)"
1644
     * turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)"
1630
     * SSL alert, but that's not really the message we should convey to the
1645
     * SSL alert, but that's not really the message we should convey to the
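Review bot: The new acceptance test in the second hunk checks only `errnum == X509_V_ERR_CERT_HAS_EXPIRED` and ignores `errdepth` (declared in the first hunk), so with the directive on, an expired intermediate or root CA certificate anywhere in the chain is also waved through, not just the client's own certificate that the directive name promises. If the intent is the leaf only, restrict it: `if (errdepth == 0 && (errnum == X509_V_ERR_CERT_HAS_EXPIRED) &&` on the first line of the condition, and document the chosen scope in the comment above it; the matching check in ssl_io_filter_handshake keys on verify_result alone and would need the decision recorded (for example in sslconn) rather than re-derived, if depth is to matter there too. The comment also has a typo, `Optionaly` should read `Optionally accept an expired client certificate (SSLVerifyAcceptExpiredClient)`. The `dc` and `mctx` used for the lookup are presumably the existing locals of ssl_callback_SSLVerify declared above the hunk; I could not confirm that from the visible lines.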
(-)a/modules/ssl/ssl_private.h (+8 lines)
Lines 376-381 typedef enum { Link Here
376
    || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
376
    || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
377
    || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
377
    || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
378
378
379
typedef enum {
380
    SSL_CACCEPTEXPIRED_UNSET    = UNSET,
381
    SSL_CACCEPTEXPIRED_NO       = 0,
382
    SSL_CACCEPTEXPIRED_YES      = 1,
383
} ssl_accept_expired_t;
379
/**
384
/**
380
  * CRL checking mask (mode | flags)
385
  * CRL checking mask (mode | flags)
381
  */
386
  */
Lines 603-608 typedef struct { Link Here
603
    /** for client or downstream server authentication */
608
    /** for client or downstream server authentication */
604
    int          verify_depth;
609
    int          verify_depth;
605
    ssl_verify_t verify_mode;
610
    ssl_verify_t verify_mode;
611
    ssl_accept_expired_t nAcceptExpired;
606
} modssl_auth_ctx_t;
612
} modssl_auth_ctx_t;
607
613
608
#ifdef HAVE_TLS_SESSION_TICKETS
614
#ifdef HAVE_TLS_SESSION_TICKETS
Lines 723-728 struct SSLDirConfigRec { Link Here
723
    const char   *szCipherSuite;
729
    const char   *szCipherSuite;
724
    ssl_verify_t  nVerifyClient;
730
    ssl_verify_t  nVerifyClient;
725
    int           nVerifyDepth;
731
    int           nVerifyDepth;
732
    ssl_accept_expired_t nAcceptExpired;
726
    const char   *szUserName;
733
    const char   *szUserName;
727
    apr_size_t    nRenegBufferSize;
734
    apr_size_t    nRenegBufferSize;
728
735
Lines 768-773 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag); Link Here
768
const char  *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
775
const char  *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
769
const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
776
const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
770
const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
777
const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
778
const char  *ssl_cmd_SSLVerifyAcceptExpiredClient(cmd_parms *, void *, const char *);
771
const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
779
const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
772
const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
780
const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
773
const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
781
const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
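Review bot: The new `ssl_accept_expired_t` typedef in the first hunk is the only enum in this stretch of ssl_private.h without a Doxygen comment, while the neighbouring CRL mask carries one; I would add above it `/** SSLVerifyAcceptExpiredClient setting: UNSET inherits from the enclosing` followed by ` *  scope on merge, NO rejects and YES accepts X509_V_ERR_CERT_HAS_EXPIRED. */`. Naming is inconsistent in the second hunk: modssl_auth_ctx_t uses snake_case members (`verify_depth`, `verify_mode`), so the new member should be `ssl_accept_expired_t accept_expired;` there, whereas `nAcceptExpired` is right for SSLDirConfigRec, which uses the Hungarian style of `nVerifyClient`; the accessor sites in ssl_engine_config.c, ssl_engine_io.c and ssl_engine_kernel.c would follow the rename. The prototype added in the last hunk matches the TAKE1 registration in mod_ssl.c.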
