summaryrefslogtreecommitdiff
path: root/usr.sbin/httpd
diff options
context:
space:
mode:
authorBrad Smith <brad@cvs.openbsd.org>1999-10-01 23:50:45 +0000
committerBrad Smith <brad@cvs.openbsd.org>1999-10-01 23:50:45 +0000
commit0acd9cb2363683f7fd4c849e740b152717aca732 (patch)
tree6557d9460e0f63f0a22b26449f0c1ec39be585d0 /usr.sbin/httpd
parent4eb1a8adc0eba603e08e9ce646152706a8293506 (diff)
Sync with mod_ssl v2.4.5. ok beck@.
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r--usr.sbin/httpd/src/CHANGES.SSL46
-rw-r--r--usr.sbin/httpd/src/modules/ssl/libssl.module12
-rw-r--r--usr.sbin/httpd/src/modules/ssl/libssl.version2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.h5
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c9
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c43
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c2
8 files changed, 92 insertions, 31 deletions
diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL
index 5d1ba553ea3..ee2f9d9ae86 100644
--- a/usr.sbin/httpd/src/CHANGES.SSL
+++ b/usr.sbin/httpd/src/CHANGES.SSL
@@ -23,6 +23,50 @@
/ __/ |__ _|
__ |_____(_) |_| ___________________________________________
+ Changes with mod_ssl 2.4.5 (28-Sep-1999 to 01-Oct-1999)
+
+ *) Now ``make certificate'' displays a warning message if one generates a
+ DSA certificate with it to make sure the user is aware of the fact that
+ a DSA-only webserver is currently useless because the popular browsers
+ do not speak DH-based ciphers. A hint is given that a DSA cert/key pair
+ is only useful in _combination_ with a parallel configured RSA
+ cert/key pair.
+
+ *) Enhanced the pass phrase dialog: Now ``Server <host>:<port> (<algo>)''
+ is displayed instead of just ``Server <host>:<port>'' and the
+ ``SSLPassPhraseDialog exec:/path/to/program'' is called with arguments
+ ``<host>:<port> <algo>'' instead of just ``<host>:<port>'' to allow the
+ distinction between RSA and DSA keys both to the user and to the
+ program. This is important, because a single virtual host can use both
+ a RSA and a DSA cert/key at the same time.
+
+ *) Added pre-configured (but commented out) SSLCertificate[Key]File
+ directives to conf/httpd.conf-dist which explains the use of the
+ additional DSA cert/key.
+
+ *) Now the default for SSL_SDBM is 'yes' on Linux boxes because it occurrs
+ too often that Linux boxes with broken DBM libraries are used and people
+ are wondering why their session cache operations segfault the server. If
+ you really want to use the vendor DBM library on Linux you now have to
+ use --disable-rule=SSL_SDBM. But I recommend you to use SDBM except
+ you know what you're doing.
+
+ *) Fixed typo in FAQ: SSLSessioCache -> SSLSessionCache.
+
+ *) Enhanced the logging facility: First the "Connection to child x"
+ messages now also contain the client IP address, second every
+ logfile entry now has a prefix which contains also the process id in
+ addition to the time. This way it's easier to identify logfile entries
+ written by different processes.
+
+ *) Fixed ssl_engine_vars.c: SSL3_TXT_RSA_IDEA_128_SHA was contained twice
+ in a table. Instead the second occurrence should be
+ SSL2_TXT_IDEA_128_CBC_WITH_MD5.
+
+ *) Fixed the `union semun' situation for SSLMutex again, this time for
+ brain-dead anchient Linux versions which have incorrect semctl(2)
+ prototypes. We now enable IPC semaphores only on glibc 2.1 boxes.
+
Changes with mod_ssl 2.4.4 (27-Sep-1999 to 28-Sep-1999)
*) Fixed the `union semun' situation for SSLMutex which was broken in 2.4.3
@@ -200,7 +244,7 @@
*) Added support for latest OpenSSL 0.9.4-dev snapshot version.
- *) Fixed initialization and cleanup relazed problems with SSLMutex: The
+ *) Fixed initialization and cleanup related problems with SSLMutex: The
mutex is now closed before the chown and the mutex is removed only in
the parent on module shutdown.
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module
index 444a3818c5b..d6537529aa4 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.module
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.module
@@ -229,7 +229,17 @@ ConfigStart
exit 1
fi
fi
- # 4. finally configure the chosen DBM lib
+ # 4. override decision on a few brain-dead platforms
+ if [ ".$my_rule_SSL_SDBM" = .default ]; then
+ case "$OS" in
+ Linux )
+ # force Linux boxes to use builtin SDBM per default because
+ # of too much broken vendor DBM libraries on this platform
+ SSL_DBM_NAME=''
+ ;;
+ esac
+ fi
+ # 5. finally configure the chosen DBM lib
if [ ".$SSL_DBM_NAME" != . ]; then
echo "$my_prefix SSL interface plugin: $SSL_DBM_NAME"
my_dbm_already_used=`echo $LIBS | grep -- " $SSL_DBM_FLAG"`
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index e4156ddb315..aaa8f08aab2 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.4.4-1.3.9
+mod_ssl/2.4.5-1.3.9
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 5dac8c81ec7..e49ed932100 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -257,7 +257,8 @@
#endif
#if defined(USE_SYSVSEM_SERIALIZED_ACCEPT) ||\
defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) ||\
- (defined(LINUX) && LINUX >= 2) ||\
+ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) && \
+ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\
defined(SOLARIS2)
#define SSL_CAN_USE_SEM
#define SSL_HAVE_IPCSEM
@@ -521,7 +522,7 @@ typedef struct {
ssl_ds_table *tPublicCert;
ssl_ds_table *tPrivateKey;
struct {
- void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9;
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
#ifdef SSL_VENDOR
ap_ctx *ctx;
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 152a61b1a8e..f404914903a 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -162,8 +162,8 @@ void ssl_hook_NewConnection(conn_rec *conn)
* later access inside callback functions
*/
cpVHostID = ssl_util_vhostid(conn->pool, srvr);
- ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established (server %s)",
- conn->child_num, cpVHostID);
+ ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established "
+ "(server %s, client %s)", conn->child_num, cpVHostID, conn->remote_ip);
/*
* Seed the Pseudo Random Number Generator (PRNG)
@@ -505,8 +505,9 @@ void ssl_hook_CloseConnection(conn_rec *conn)
/* and finally log the fact that we've closed the connection */
ssl_log(conn->server, SSL_LOG_INFO,
- "Connection to child %d closed with %s shutdown (server %s)",
- conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server));
+ "Connection to child %d closed with %s shutdown (server %s, client %s)",
+ conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server),
+ conn->remote_ip);
return;
}
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 7b57f399056..7b18e8b4347 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
@@ -222,7 +222,9 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
tstr[0] = NUL;
else {
t = ap_get_gmtoff(&timz);
- strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S] ", t);
+ strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);
+ i = strlen(tstr);
+ ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid());
}
/* determine whether newline should be writteni */
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index 11261aee565..5ff057d0ede 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
@@ -207,15 +207,16 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
* the callback function which serves the pass
* phrases to OpenSSL
*/
- myCtxVarSet(mc, 1, pServ);
- myCtxVarSet(mc, 2, p);
- myCtxVarSet(mc, 3, aPassPhrase);
- myCtxVarSet(mc, 4, &nPassPhraseCur);
- myCtxVarSet(mc, 5, &cpPassPhraseCur);
- myCtxVarSet(mc, 6, cpVHostID);
- myCtxVarSet(mc, 7, &nPassPhraseDialog);
- myCtxVarSet(mc, 8, &nPassPhraseDialogCur);
- myCtxVarSet(mc, 9, &bPassPhraseDialogOnce);
+ myCtxVarSet(mc, 1, pServ);
+ myCtxVarSet(mc, 2, p);
+ myCtxVarSet(mc, 3, aPassPhrase);
+ myCtxVarSet(mc, 4, &nPassPhraseCur);
+ myCtxVarSet(mc, 5, &cpPassPhraseCur);
+ myCtxVarSet(mc, 6, cpVHostID);
+ myCtxVarSet(mc, 7, an);
+ myCtxVarSet(mc, 8, &nPassPhraseDialog);
+ myCtxVarSet(mc, 9, &nPassPhraseDialogCur);
+ myCtxVarSet(mc, 10, &bPassPhraseDialogOnce);
nPassPhraseCur = 0;
nPassPhraseRetry = 0;
@@ -395,6 +396,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
int *pnPassPhraseCur;
char **cppPassPhraseCur;
char *cpVHostID;
+ char *cpAlgoType;
int *pnPassPhraseDialog;
int *pnPassPhraseDialogCur;
BOOL *pbPassPhraseDialogOnce;
@@ -404,15 +406,16 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
/*
* Reconnect to the context of ssl_phrase_Handle()
*/
- s = myCtxVarGet(mc, 1, server_rec *);
- p = myCtxVarGet(mc, 2, pool *);
- aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
- pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
- cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
- cpVHostID = myCtxVarGet(mc, 6, char *);
- pnPassPhraseDialog = myCtxVarGet(mc, 7, int *);
- pnPassPhraseDialogCur = myCtxVarGet(mc, 8, int *);
- pbPassPhraseDialogOnce = myCtxVarGet(mc, 9, BOOL *);
+ s = myCtxVarGet(mc, 1, server_rec *);
+ p = myCtxVarGet(mc, 2, pool *);
+ aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
+ pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
+ cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
+ cpVHostID = myCtxVarGet(mc, 6, char *);
+ cpAlgoType = myCtxVarGet(mc, 7, char *);
+ pnPassPhraseDialog = myCtxVarGet(mc, 8, int *);
+ pnPassPhraseDialogCur = myCtxVarGet(mc, 9, int *);
+ pbPassPhraseDialogOnce = myCtxVarGet(mc, 10, BOOL *);
sc = mySrvConfig(s);
(*pnPassPhraseDialog)++;
@@ -460,7 +463,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
if (*pbPassPhraseDialogOnce) {
*pbPassPhraseDialogOnce = FALSE;
fprintf(stderr, "\n");
- fprintf(stderr, "Server %s\n", cpVHostID);
+ fprintf(stderr, "Server %s (%s)\n", cpVHostID, cpAlgoType);
}
/*
@@ -498,7 +501,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
"Init: Requesting pass phrase from dialog filter program (%s)",
sc->szPassPhraseDialogPath);
- cmd = ap_psprintf(p, "%s %s", sc->szPassPhraseDialogPath, cpVHostID);
+ cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
result = ssl_util_readfilter(s, p, cmd);
ap_cpystrn(buf, result, bufsize);
len = strlen(buf);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
index b5d84ae6e15..207084f8770 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
@@ -592,7 +592,6 @@ static const struct {
{ SSL3_TXT_RSA_RC4_128_MD5 /*RC4-MD5*/, 128, 128 },
{ SSL3_TXT_RSA_RC4_128_SHA /*RC4-SHA*/, 128, 128 },
{ SSL3_TXT_RSA_RC2_40_MD5 /*EXP-RC2-CBC-MD5*/, 40, 128 },
- { SSL3_TXT_RSA_IDEA_128_SHA /*IDEA-CBC-MD5*/, 128, 128 },
{ SSL3_TXT_RSA_DES_40_CBC_SHA /*EXP-DES-CBC-SHA*/, 40, 56 },
{ SSL3_TXT_RSA_DES_64_CBC_SHA /*DES-CBC-SHA*/ , 56, 56 },
{ SSL3_TXT_RSA_DES_192_CBC3_SHA /*DES-CBC3-SHA*/ , 168, 168 },
@@ -617,6 +616,7 @@ static const struct {
{ SSL3_TXT_FZA_DMS_FZA_SHA /*FZA-FZA-CBC-SHA*/, 0, 0 },
{ SSL3_TXT_FZA_DMS_RC4_SHA /*FZA-RC4-SHA*/, 128, 128 },
+ { SSL2_TXT_IDEA_128_CBC_WITH_MD5 /*IDEA-CBC-MD5*/, 128, 128 },
{ SSL2_TXT_DES_64_CFB64_WITH_MD5_1 /*DES-CFB-M1*/, 56, 56 },
{ SSL2_TXT_RC2_128_CBC_WITH_MD5 /*RC2-CBC-MD5*/, 128, 128 },
{ SSL2_TXT_DES_64_CBC_WITH_MD5 /*DES-CBC-MD5*/, 56, 56 },