Diffstat (limited to 'modules/ssl')
-rw-r--r--modules/ssl/mod_ssl.c3
-rw-r--r--modules/ssl/ssl_engine_config.c23
-rw-r--r--modules/ssl/ssl_engine_init.c62
-rw-r--r--modules/ssl/ssl_engine_io.c26
-rw-r--r--modules/ssl/ssl_engine_kernel.c33
-rw-r--r--modules/ssl/ssl_engine_log.c13
-rw-r--r--modules/ssl/ssl_engine_pphrase.c18
-rw-r--r--modules/ssl/ssl_private.h17
-rw-r--r--modules/ssl/ssl_scache.c4
-rw-r--r--modules/ssl/ssl_util.c26
-rw-r--r--modules/ssl/ssl_util_ocsp.c8
-rw-r--r--modules/ssl/ssl_util_stapling.c4
12 files changed, 140 insertions, 97 deletions
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index fe7aeae5..0872da8a 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -138,6 +138,9 @@ static const command_rec ssl_config_cmds[] = {
"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
+ SSL_CMD_SRV(Compression, FLAG,
+ "Enable SSL level compression"
+ "(`on', `off')")
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
"Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1,
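Review bot: The two literals in the new SSL_CMD_SRV(Compression, …) entry concatenate to `Enable SSL level compression(`on', `off')` with no space before the parenthesis, so the directive's help text reads as one word in `httpd -L` output. Change the first literal to `"Enable SSL level compression "` (trailing space), matching how the SSLProtocol entry just above splits its text.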
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 6aab7641..15993f16 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -207,6 +207,9 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
#ifdef HAVE_FIPS
sc->fips = UNSET;
#endif
+#ifndef OPENSSL_NO_COMP
+ sc->compression = UNSET;
+#endif
modssl_ctx_init_proxy(sc, p);
@@ -328,6 +331,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
#ifdef HAVE_FIPS
cfgMergeBool(fips);
#endif
+#ifndef OPENSSL_NO_COMP
+ cfgMergeBool(compression);
+#endif
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -663,6 +669,23 @@ static const char *ssl_cmd_check_file(cmd_parms *parms,
}
+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
+{
+#if !defined(OPENSSL_NO_COMP)
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_COMPRESSION
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err)
+ return "This version of openssl does not support configuring "
+ "compression within <VirtualHost> sections.";
+#endif
+ sc->compression = flag ? TRUE : FALSE;
+ return NULL;
+#else
+ return "Setting Compression mode unsupported; not implemented by the SSL library";
+#endif
+}
+
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
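Review bot: ssl_cmd_SSLCompression confines the directive to global scope when SSL_OP_NO_COMPRESSION is missing, but the reason — on that OpenSSL branch ssl_engine_init.c empties the process-wide SSL_COMP stack, so a per-<VirtualHost> value could not be honoured — lives in another file and deserves a comment at the `#ifndef SSL_OP_NO_COMPRESSION`, e.g. `/* Without SSL_OP_NO_COMPRESSION the only way to disable compression is process-wide (sk_SSL_COMP_zero), so a per-vhost setting would be misleading. */`. The `err` value from ap_check_cmd_context is discarded in favour of a custom message, which is fine, but the temporary can go: `if (ap_check_cmd_context(cmd, GLOBAL_ONLY))`. Note that because ssl_private.h in this diff defines OPENSSL_NO_COMP for OpenSSL older than 0.9.8, the "not implemented by the SSL library" message in the `#else` branch is also what those users see; mentioning the version requirement in that string would make it accurate.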
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 5d816478..7c121737 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -349,7 +349,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
else {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
}
}
@@ -438,7 +438,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
"Init: Failed to load Crypto Device API `%s'",
mc->szCryptoDevice);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
if (strEQ(mc->szCryptoDevice, "chil")) {
@@ -450,7 +450,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
"Init: Failed to enable Crypto Device API `%s'",
mc->szCryptoDevice);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01890)
"Init: loaded Crypto Device API `%s'",
@@ -473,7 +473,7 @@ static void ssl_init_server_check(server_rec *s,
if (!mctx->pks->cert_files[0] && !mctx->pkcs7) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891)
"No SSL Certificate set [hint: SSLCertificateFile]");
- ssl_die();
+ ssl_die(s);
}
/*
@@ -489,7 +489,7 @@ static void ssl_init_server_check(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01892)
"Illegal attempt to re-initialise SSL for server "
"(SSLEngine On should go in the VirtualHost, not in global scope.)");
- ssl_die();
+ ssl_die(s);
}
}
@@ -515,7 +515,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
"Unable to initialize TLS servername extension "
"callback (incompatible OpenSSL version?)");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
#ifdef HAVE_OCSP_STAPLING
@@ -546,7 +546,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
if (protocol == SSL_PROTOCOL_NONE) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
"No SSL protocols available [hint: SSLProtocol]");
- ssl_die();
+ ssl_die(s);
}
cp = apr_pstrcat(p,
@@ -622,6 +622,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
}
#endif
+
+#ifndef OPENSSL_NO_COMP
+ if (sc->compression == FALSE) {
+#ifdef SSL_OP_NO_COMPRESSION
+ /* OpenSSL >= 1.0 only */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+ }
+#endif
+
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
if (sc->insecure_reneg == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
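Review bot: The new `if (sc->compression == FALSE)` only disables compression when `SSLCompression off` was given explicitly: ssl_config_server_new in this diff initialises the field to UNSET, which is neither TRUE nor FALSE, so a server that never mentions the directive keeps TLS-level compression enabled. Compression-ratio side channels allow plaintext recovery over compressed TLS, so the defensive default is off — `if (sc->compression != TRUE)` — and if keeping it on by default is intentional, the directive documentation should say so. The `sk_SSL_COMP_zero` fallback also empties a process-wide stack, so on that OpenSSL branch the setting affects every SSL_CTX in the process rather than just this server's; a one-line comment there would save the next reader a lookup. ssl_init_ctx_protocol starts and ends outside the hunk.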
@@ -731,7 +743,7 @@ static void ssl_init_ctx_verify(server_rec *s,
"Unable to configure verify locations "
"for client authentication");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
@@ -746,7 +758,7 @@ static void ssl_init_ctx_verify(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896)
"Unable to determine list of acceptable "
"CA certificates for client authentication");
- ssl_die();
+ ssl_die(s);
}
SSL_CTX_set_client_CA_list(ctx, ca_list);
@@ -791,7 +803,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01898)
"Unable to configure permitted SSL ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
}
@@ -815,7 +827,7 @@ static void ssl_init_ctx_crl(server_rec *s,
"Host %s: CRL checking has been enabled, but "
"neither %sCARevocationFile nor %sCARevocationPath "
"is configured", mctx->sc->vhost_id, cfgp, cfgp);
- ssl_die();
+ ssl_die(s);
}
return;
}
@@ -829,7 +841,7 @@ static void ssl_init_ctx_crl(server_rec *s,
"Host %s: unable to configure X.509 CRL storage "
"for certificate revocation", mctx->sc->vhost_id);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
switch (mctx->crl_check_mode) {
@@ -915,7 +927,7 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
if (n < 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
"Failed to configure CA certificate chain!");
- ssl_die();
+ ssl_die(s);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01904)
@@ -973,14 +985,14 @@ static int ssl_server_import_cert(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02233)
"Unable to import %s server certificate", type);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02234)
"Unable to configure %s server certificate", type);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
#ifdef HAVE_OCSP_STAPLING
@@ -1029,14 +1041,14 @@ static int ssl_server_import_key(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02237)
"Unable to import %s server private key", type);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02238)
"Unable to configure %s server private key", type);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
/*
@@ -1188,7 +1200,7 @@ static void ssl_init_server_certs(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910)
"Oops, no " KEYTYPES " server certificate found "
"for '%s:%d'?!", s->server_hostname, s->port);
- ssl_die();
+ ssl_die(s);
}
for (i = 0; i < SSL_AIDX_MAX; i++) {
@@ -1208,7 +1220,7 @@ static void ssl_init_server_certs(server_rec *s,
)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01911)
"Oops, no " KEYTYPES " server private key found?!");
- ssl_die();
+ ssl_die(s);
}
}
@@ -1238,7 +1250,7 @@ static void ssl_init_ticket_key(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02286)
"Failed to open ticket key file %s: (%d) %pm",
path, rv, &rv);
- ssl_die();
+ ssl_die(s);
}
rv = apr_file_read_full(fp, &buf[0], TLSEXT_TICKET_KEY_LEN, &len);
@@ -1247,7 +1259,7 @@ static void ssl_init_ticket_key(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02287)
"Failed to read %d bytes from %s: (%d) %pm",
TLSEXT_TICKET_KEY_LEN, path, rv, &rv);
- ssl_die();
+ ssl_die(s);
}
memcpy(ticket_key->key_name, buf, 16);
@@ -1260,7 +1272,7 @@ static void ssl_init_ticket_key(server_rec *s,
"Unable to initialize TLS session ticket key callback "
"(incompatible OpenSSL version?)");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02288)
@@ -1315,7 +1327,7 @@ static void ssl_init_proxy_certs(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
"(missing or encrypted private key?)");
- ssl_die();
+ ssl_die(s);
return;
}
}
@@ -1338,7 +1350,7 @@ static void ssl_init_proxy_certs(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
"SSL proxy client cert initialization failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
@@ -1628,7 +1640,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211)
"Failed to open Certificate Path `%s'",
ca_path);
- ssl_die();
+ ssl_die(s);
}
while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 2ffe21f4..510e1606 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -813,12 +813,12 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
/* Just use a simple request. Any request will work for this, because
* we use a flag in the conn_rec->conn_vector now. The fake request just
* gets the request back to the Apache core so that a response can be sent.
- *
- * To avoid calling back for more data from the socket, use an HTTP/0.9
- * request, and tack on an EOS bucket.
+ * Since we use an HTTP/1.x request, we also have to inject the empty line
+ * that terminates the headers, or the core will read more data from the
+ * socket.
*/
#define HTTP_ON_HTTPS_PORT \
- "GET /" CRLF
+ "GET / HTTP/1.0" CRLF
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
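Review bot: The rewritten comment says "an HTTP/1.x request" while the macro below sends `GET / HTTP/1.0`; naming the version the code actually uses avoids a future mismatch, e.g. `* Since we send an HTTP/1.0 request, we also have to inject the empty line`. If HTTP/1.0 was chosen so that the core closes the connection after the error response instead of waiting for another request, that is worth a sentence in the comment — I am inferring that motive, not reading it from the hunk.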
@@ -848,6 +848,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
{
SSLConnRec *sslconn = myConnConfig(f->c);
apr_bucket *bucket;
+ int send_eos = 1;
switch (status) {
case MODSSL_ERROR_HTTP_ON_HTTPS:
@@ -857,11 +858,12 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
"trying to send HTML error page");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
- sslconn->non_ssl_request = 1;
+ sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
ssl_io_filter_disable(sslconn, f);
/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
+ send_eos = 0;
break;
case MODSSL_ERROR_BAD_GATEWAY:
@@ -877,9 +879,10 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
}
APR_BRIGADE_INSERT_TAIL(bb, bucket);
- bucket = apr_bucket_eos_create(f->c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bb, bucket);
-
+ if (send_eos) {
+ bucket = apr_bucket_eos_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, bucket);
+ }
return APR_SUCCESS;
}
@@ -1282,6 +1285,13 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
}
if (!inctx->ssl) {
+ SSLConnRec *sslconn = myConnConfig(f->c);
+ if (sslconn->non_ssl_request == NON_SSL_SEND_HDR_SEP) {
+ apr_bucket *bucket = apr_bucket_immortal_create(CRLF, 2, f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, bucket);
+ sslconn->non_ssl_request = NON_SSL_SET_ERROR_MSG;
+ return APR_SUCCESS;
+ }
return ap_get_brigade(f->next, bb, mode, block, readbytes);
}
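Review bot: The header-separator bucket is built with a hard-coded length of 2 for the CRLF macro; `apr_bucket_immortal_create(CRLF, sizeof(CRLF) - 1, f->c->bucket_alloc)` keeps the length tied to the literal. The branch also hands back only that bucket regardless of the `mode` and `readbytes` the caller asked for, which presumably relies on the core reading the header terminator in a line-oriented mode; a comment stating that assumption next to the state change to NON_SSL_SET_ERROR_MSG would help. ssl_io_filter_input begins and ends outside the hunk.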
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 35b2a854..e514a74b 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -140,37 +140,16 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
- if (sslconn->non_ssl_request) {
- const char *errmsg;
- char *thisurl;
- char *thisport = "";
- int port = ap_get_server_port(r);
-
- if (!ap_is_default_port(port, r)) {
- thisport = apr_psprintf(r->pool, ":%u", port);
- }
-
- thisurl = ap_escape_html(r->pool,
- apr_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name_for_url(r),
- thisport));
-
- errmsg = apr_psprintf(r->pool,
- "Reason: You're speaking plain HTTP "
- "to an SSL-enabled server port.<br />\n"
- "Instead use the HTTPS scheme to access "
- "this URL, please.<br />\n"
- "<blockquote>Hint: "
- "<a href=\"%s\"><b>%s</b></a></blockquote>",
- thisurl, thisurl);
-
- apr_table_setn(r->notes, "error-notes", errmsg);
+ if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
+ apr_table_setn(r->notes, "error-notes",
+ "Reason: You're speaking plain HTTP to an SSL-enabled "
+ "server port.<br />\n Instead use the HTTPS scheme to "
+ "access this URL, please.<br />\n");
/* Now that we have caught this error, forget it. we are done
* with using SSL on this request.
*/
- sslconn->non_ssl_request = 0;
-
+ sslconn->non_ssl_request = NON_SSL_OK;
return HTTP_BAD_REQUEST;
}
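Review bot: The rejection in ssl_hook_ReadReq now fires only for NON_SSL_SET_ERROR_MSG, whereas the old `if (sslconn->non_ssl_request)` caught any non-zero state; a connection still in NON_SSL_SEND_HDR_SEP when the request reaches this hook (the separator is injected only in ssl_io_filter_input) would fall through and be processed as an ordinary plaintext request on the SSL port with the SSL filter disabled. I cannot see a path that arrives here in that state, but the enum leaves it open and failing closed is cheap: `if (sslconn->non_ssl_request != NON_SSL_OK) {`. The function starts before the hunk.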
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index 31861ca7..3f6d6edc 100644
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -63,12 +63,23 @@ static const char *ssl_log_annotation(const char *error)
return ssl_log_annotate[i].cpAnnotation;
}
-void ssl_die(void)
+void ssl_die(server_rec *s)
{
+ if (s != NULL && s->is_virtual && s->error_fname != NULL)
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02311)
+ "Fatal error initialising mod_ssl, exiting. "
+ "See %s for more information",
+ ap_server_root_relative(s->process->pool,
+ s->error_fname));
+ else
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02312)
+ "Fatal error initialising mod_ssl, exiting.");
+
/*
* This is used for fatal errors and here
* it is common module practice to really
* exit from the complete program.
+ * XXX: The config hooks should return errors instead of calling exit().
*/
exit(1);
}
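Review bot: Both branches of the new `if`/`else` in ssl_die have multi-line bodies without braces, which the rest of this module braces; wrapping each in `{ }` also removes the dangling-else hazard when a line is added later. The "See %s for more information" wording assumes `s->error_fname` names a file, but an ErrorLog may be a piped logger (a leading `|` followed by a command), in which case the message would print a program path; if that case matters here, check for the pipe prefix before using the file-name wording. The XXX note is a good addition — a `return`-based error path would also make the `return;` that still follows `ssl_die(s)` in ssl_init_proxy_certs meaningful again.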
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index 1fa4a2ef..23ccaf4a 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -196,7 +196,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
"Server should be SSL-aware but has no certificate "
"configured [Hint: SSLCertificateFile] (%s:%d)",
pServ->defn_name, pServ->defn_line_number);
- ssl_die();
+ ssl_die(pServ);
}
/* Bitmasks for all key algorithms configured for this server;
@@ -225,14 +225,14 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
"Init: Can't open server certificate file %s",
szPath);
- ssl_die();
+ ssl_die(s);
}
if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
"Init: Unable to read server certificate from"
" file %s", szPath);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
"Init: Read server certificate from '%s'",
@@ -249,7 +249,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
"Init: Multiple %s server certificates not "
"allowed", an);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
algoCert |= at;
@@ -328,7 +328,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02243)
"Init: Can't open server private key file "
"%s",szPath);
- ssl_die();
+ ssl_die(s);
}
/*
@@ -425,7 +425,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
"Init: SSLPassPhraseDialog builtin is not "
"supported on Win32 (key file "
"%s)", szPath);
- ssl_die();
+ ssl_die(s);
}
#endif /* WIN32 */
@@ -464,7 +464,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
apr_file_printf(writetty, "**Stopped\n");
}
}
- ssl_die();
+ ssl_die(pServ);
}
/* If a cached private key was found, nothing more to do
@@ -479,7 +479,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
"file %s [Hint: Perhaps it is in a separate file? "
" See SSLCertificateKeyFile]", szPath);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
/*
@@ -493,7 +493,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
"Init: Multiple %s server private keys not "
"allowed", an);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- ssl_die();
+ ssl_die(s);
}
algoKey |= at;
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 1b5d0428..f2fb7d52 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -180,6 +180,11 @@
#define HAVE_TLSV1_X
#endif
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+ && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
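Review bot: The new block defines OPENSSL_NO_COMP, a macro otherwise owned by OpenSSL's configuration header, as a local shim for builds older than 0.9.8 that lack SSL_OP_NO_COMPRESSION, and nothing says why; a comment keeps the next reader from treating it as a stray copy of OpenSSL's define, e.g. `/* Compression can only be switched off on OpenSSL >= 0.9.8 (SSL_OP_NO_COMPRESSION or sk_SSL_COMP_zero); older builds are treated as if compression support were compiled out. */`. The test also presumes the OpenSSL headers are already included at this point so that OPENSSL_VERSION_NUMBER and SSL_OP_NO_COMPRESSION are visible — I assume that from the HAVE_TLSV1_X block above, not from the hunk itself.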
@@ -454,7 +459,11 @@ typedef struct {
int verify_depth;
int is_proxy;
int disabled;
- int non_ssl_request;
+ enum {
+ NON_SSL_OK = 0, /* is SSL request, or error handling completed */
+ NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
+ NON_SSL_SET_ERROR_MSG /* Need to set the error message */
+ } non_ssl_request;
/* Track the handshake/renegotiation state for the connection so
* that all client-initiated renegotiations can be rejected, as a
@@ -669,6 +678,9 @@ struct SSLSrvConfigRec {
#ifdef HAVE_FIPS
BOOL fips;
#endif
+#ifndef OPENSSL_NO_COMP
+ BOOL compression;
+#endif
};
/**
@@ -723,6 +735,7 @@ const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
@@ -902,7 +915,7 @@ int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
#define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"
/** Logfile Support */
-void ssl_die(void);
+void ssl_die(server_rec *);
void ssl_log_ssl_error(const char *, int, int, server_rec *);
/* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
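Review bot: The changed prototype `void ssl_die(server_rec *);` still carries no documentation, and its contract matters to callers: it never returns, and the new parameter is the server whose ErrorLog received the detailed message so the main log can point at it. Suggest a Doxygen comment above it along the lines of `/** Log a fatal initialisation error to the main error log and exit(1). Never returns. @param s server whose ErrorLog holds the preceding detail message, or NULL */` — the `s != NULL` test in ssl_engine_log.c shows NULL is accepted. With that contract written down, the `return;` that still follows `ssl_die(s)` in ssl_init_proxy_certs in this diff reads as dead code and could be dropped.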
diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c
index 2c8d1bc8..d32f8e1d 100644
--- a/modules/ssl/ssl_scache.c
+++ b/modules/ssl/ssl_scache.c
@@ -63,7 +63,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)
if (rv) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872)
"Could not initialize stapling cache. Exiting.");
- ssl_die();
+ ssl_die(s);
}
}
#endif
@@ -88,7 +88,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)
if (rv) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874)
"Could not initialize session cache. Exiting.");
- ssl_die();
+ ssl_die(s);
}
}
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index 6b5a7de6..475fe4d2 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -76,8 +76,7 @@ apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
return NULL;
if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
return NULL;
- if ((proc = (apr_proc_t *)apr_pcalloc(p, sizeof(apr_proc_t))) == NULL)
- return NULL;
+ proc = apr_pcalloc(p, sizeof(apr_proc_t));
if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
return NULL;
return proc->out;
@@ -287,7 +286,7 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
f = fopen(pkcs7, "r");
if (!f) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02212) "Can't open %s", pkcs7);
- ssl_die();
+ ssl_die(s);
}
p7 = PEM_read_PKCS7(f, NULL, NULL, NULL);
@@ -314,13 +313,13 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
default:
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02213)
"Don't understand PKCS7 file %s", pkcs7);
- ssl_die();
+ ssl_die(s);
}
if (!certs) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02214)
"No certificates in %s", pkcs7);
- ssl_die();
+ ssl_die(s);
}
fclose(f);
@@ -376,24 +375,11 @@ static struct CRYPTO_dynlock_value *ssl_dyn_create_function(const char *file,
* allocated memory from a pool, create a subpool that we can blow
* away in the destruction callback.
*/
- rv = apr_pool_create(&p, dynlockpool);
- if (rv != APR_SUCCESS) {
- ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_ERR, rv, dynlockpool,
- APLOGNO(02183) "Failed to create subpool for dynamic lock");
- return NULL;
- }
-
+ apr_pool_create(&p, dynlockpool);
ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_TRACE1, 0, p,
"Creating dynamic lock");
- value = (struct CRYPTO_dynlock_value *)apr_palloc(p,
- sizeof(struct CRYPTO_dynlock_value));
- if (!value) {
- ap_log_perror(file, line, APLOG_MODULE_INDEX, APLOG_ERR, 0, p,
- APLOGNO(02185) "Failed to allocate dynamic lock structure");
- return NULL;
- }
-
+ value = apr_palloc(p, sizeof(struct CRYPTO_dynlock_value));
value->pool = p;
/* Keep our own copy of the place from which we were created,
using our own pool. */
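Review bot: After dropping the error branch, the return value of apr_pool_create is ignored and `rv`, declared above the hunk, appears to be unused in ssl_dyn_create_function, which will draw an unused-variable warning; remove the declaration if nothing else in the function reads it. Relying on the pool allocator to abort on out-of-memory is consistent with the ssl_util_ppopen change in this diff, but it holds only when an abort function was installed with apr_pool_abort_set, which I believe httpd's main program does; a one-line comment recording that assumption, e.g. `/* OOM aborts via the pool abort function; no NULL checks needed. */`, would make the removal self-explanatory.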
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index 94ef4cd0..e5c5e58d 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -153,7 +153,13 @@ static char *get_line(apr_bucket_brigade *bbout, apr_bucket_brigade *bbin,
return NULL;
}
- if (len && line[len-1] != APR_ASCII_LF) {
+ if (len == 0) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(02321)
+ "empty response from OCSP server");
+ return NULL;
+ }
+
+ if (line[len-1] != APR_ASCII_LF) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01979)
"response header line too long from OCSP server");
return NULL;
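Review bot: The new "empty response" log passes `rv` as the status, but at this point `rv` presumably still holds the success code from the read that produced the zero-length line, so the entry would end with a spurious success-string suffix; pass `0` unless a real error code is at hand: `ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02321)`. The same applies to the pre-existing line-too-long log just below it. get_line starts outside the hunk, so I cannot confirm what `rv` holds here.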
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 3ff08dcc..89be7f53 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -662,12 +662,12 @@ void modssl_init_stapling(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
if (mc->stapling_cache == NULL) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
"SSLStapling: no stapling cache available");
- ssl_die();
+ ssl_die(s);
}
if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
"SSLStapling: cannot initialise stapling mutex");
- ssl_die();
+ ssl_die(s);
}
/* Set some default values for parameters if they are not set */
if (mctx->stapling_resptime_skew == UNSET) {