author | Bob Beck <beck@cvs.openbsd.org> | 2000-07-21 01:20:31 +0000 |
committer | Bob Beck <beck@cvs.openbsd.org> | 2000-07-21 01:20:31 +0000 |
commit | 4b2a27698bbf56ff35658aa59500d98c31399e91 (patch) | |
tree | 5b07a5ad5f5c74de73d5cfb6936ed3aad8ec0c17 /usr.sbin/httpd | |
parent | aa389468cd20d9cba720513723e7cdd3c96b386c (diff) |
Mod_SSL 2.6.5 - from brad@, thanks.
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r-- | usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html | 61 | ||||
-rw-r--r-- | usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml | 69 | ||||
-rw-r--r-- | usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html | 34 | ||||
-rw-r--r-- | usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml | 34 | ||||
-rw-r--r-- | usr.sbin/httpd/src/CHANGES.SSL | 36 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/libssl.version | 2 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 2 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | 38 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c | 8 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c | 5 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c | 3 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_util.c | 4 |
15 files changed, 222 insertions, 86 deletions
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html index 94e743862f6..aedc52bd62c 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html @@ -325,8 +325,8 @@ author. <a href="#ToC45"><strong>Why do I get 'no shared ciphers'?</strong></a><br> <a href="#ToC46"><strong>HTTPS and name-based vhosts</strong></a><br> <a href="#ToC47"><strong>The lock icon in Netscape locks very late</strong></a><br> - <a href="#ToC48"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br> - <a href="#ToC49"><strong>Why do I get I/O errors with my NS clients?</strong></a><br> + <a href="#ToC48"><strong>Why do I get I/O errors with MSIE clients?</strong></a><br> + <a href="#ToC49"><strong>Why do I get I/O errors with NS clients?</strong></a><br> <a href="#ToC50"><strong>About Support</strong></a><br> <a href="#ToC51"><strong>Resources in case of problems?</strong></a><br> <a href="#ToC52"><strong>Support in case of problems?</strong></a><br> 
@@ -1263,20 +1263,55 @@ username/password is still transmitted unencrypted?</strong> <p> <li><a name="ToC48"></a> <a name="io-ie"></a> - <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet -Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the -server". What's the reason?</strong> + <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet +Explorer (MSIE) I get various I/O errors. What is the reason?</strong> [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie"><b>L</b></a>] <p> - The reason is that MSIE's SSL implementation has some subtle bugs related - to the HTTP keep-alive facility and the SSL close notify alerts on socket - connection close. You've to work-around this by forcing Apache+mod_ssl to - not use keep-alive connections and not sending the SSL close notify - messages to MSIE clients. This can be done by using the following - directive in your SSL-aware virtual host section: + The first reason is that the SSL implementation in some MSIE versions has + some subtle bugs related to the HTTP keep-alive facility and the SSL close + notify alerts on socket connection close. Additionally the interaction + between SSL and HTTP/1.1 features are problematic with some MSIE versions, + too. You've to work-around these problems by forcing + Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or + sending the SSL close notify messages to MSIE clients. This can be done by + using the following directive in your SSL-aware virtual host section: <pre> - SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown - </pre> + SetEnvIf User-Agent ".*MSIE.*" \ + <b>nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0</b></pre> + Additionally it is known some MSIE versions have also problems + with particular ciphers. 
Unfortunately one cannot workaround these + bugs only for those MSIE particular clients, because the ciphers + are already used in the SSL handshake phase. So a MSIE-specific + <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one + has to do more drastic adjustments to the global parameters. But + before you decide to do this, make sure your clients really have + problems. If not, do not do this, because it affects all(!) your + clients, i.e., also your non-MSIE clients. + <p> + The next problem is that 56bit export versions of MSIE 5.x browsers have a + broken SSLv3 implementation which badly interacts with OpenSSL versions + greater than 0.9.4. You can either accept this and force your clients to + upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you + can decide to workaround it by accepting the drawback that your workaround + will horribly affect also other browsers: + <pre> + SSLProtocol all <b>-SSLv3</b></pre> + This completely disables the SSLv3 protocol and lets those browsers work. + But usually this is an even less acceptable workaround. A more reasonable + workaround is to address the problem more closely and disable only the + ciphers which cause trouble. + <pre> + SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</pre> + This also lets the broken MSIE versions work, but only removes the + newer 56bit TLS ciphers. + <p> + Another problem with MSIE 5.x clients is that they refuse to connect to + URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used + instead of the hostname), if the server is using the Server Gated + Cryptography (SGC) facility. This can only be avoided by using the fully + qualified domain name (FQDN) of the website in hyperlinks instead, because + MSIE 5.x has an error in the way it handles the SGC negotiation. <p> <li><a name="ToC49"></a> <a name="io-ns"></a> 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
index 80681aa351b..52be25e5bb9 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
@@ -1026,24 +1026,69 @@ username/password is still transmitted unencrypted? handshake phase and switched to encrypted communication. So, don't get confused by this icon. -<faq ref="io-ie" toc="Why do I get I/O errors with my MSIE clients?"> -When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet -Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the -server". What's the reason? +<faq ref="io-ie" toc="Why do I get I/O errors with MSIE clients?"> +When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet +Explorer (MSIE) I get various I/O errors. What is the reason? </faq> - The reason is that MSIE's SSL implementation has some subtle bugs related - to the HTTP keep-alive facility and the SSL close notify alerts on socket - connection close. You've to work-around this by forcing Apache+mod_ssl to - not use keep-alive connections and not sending the SSL close notify - messages to MSIE clients. This can be done by using the following - directive in your SSL-aware virtual host section: + The first reason is that the SSL implementation in some MSIE versions has + some subtle bugs related to the HTTP keep-alive facility and the SSL close + notify alerts on socket connection close. Additionally the interaction + between SSL and HTTP/1.1 features are problematic with some MSIE versions, + too. You've to work-around these problems by forcing + Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or + sending the SSL close notify messages to MSIE clients. 
This can be done by + using the following directive in your SSL-aware virtual host section: <pre> - SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown + SetEnvIf User-Agent ".*MSIE.*" \\ + <b>nokeepalive ssl-unclean-shutdown \\ + downgrade-1.0 force-response-1.0</b>\ </pre> -<faq ref="io-ns" toc="Why do I get I/O errors with my NS clients?"> + Additionally it is known some MSIE versions have also problems + with particular ciphers. Unfortunately one cannot workaround these + bugs only for those MSIE particular clients, because the ciphers + are already used in the SSL handshake phase. So a MSIE-specific + <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one + has to do more drastic adjustments to the global parameters. But + before you decide to do this, make sure your clients really have + problems. If not, do not do this, because it affects all(!) your + clients, i.e., also your non-MSIE clients. + + <p> + The next problem is that 56bit export versions of MSIE 5.x browsers have a + broken SSLv3 implementation which badly interacts with OpenSSL versions + greater than 0.9.4. You can either accept this and force your clients to + upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you + can decide to workaround it by accepting the drawback that your workaround + will horribly affect also other browsers: + + <pre> + SSLProtocol all <b>-SSLv3</b>\ + </pre> + + This completely disables the SSLv3 protocol and lets those browsers work. + But usually this is an even less acceptable workaround. A more reasonable + workaround is to address the problem more closely and disable only the + ciphers which cause trouble. + + <pre> + SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\ + </pre> + + This also lets the broken MSIE versions work, but only removes the + newer 56bit TLS ciphers. 
+ + <p> + Another problem with MSIE 5.x clients is that they refuse to connect to + URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used + instead of the hostname), if the server is using the Server Gated + Cryptography (SGC) facility. This can only be avoided by using the fully + qualified domain name (FQDN) of the website in hyperlinks instead, because + MSIE 5.x has an error in the way it handles the SGC negotiation. + +<faq ref="io-ns" toc="Why do I get I/O errors with NS clients?"> When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the server" What's the reason? diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html index fe1c1326bb9..382cc739dd6 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html @@ -774,7 +774,7 @@ host (so it applies to both HTTPS and HTTP): <Directory /usr/local/apache/htdocs> # Outside the subarea only Intranet access is granted Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 </Directory> @@ -802,7 +802,7 @@ Satisfy any # Network Access Control Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 # HTTP Basic Authentication diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml index 20cdd633040..9d9a3799a7f 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml @@ -281,7 +281,7 @@ host (so it applies to both HTTPS and HTTP): <Directory /usr/local/apache/htdocs> \# Outside the subarea only Intranet access is granted Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 </Directory> 
@@ -309,7 +309,7 @@ Satisfy any \# Network Access Control Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 \# HTTP Basic Authentication diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html index 779dc7950d5..3d0ea2169d3 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html 
@@ -1084,26 +1084,30 @@ specify the preference and order for the ciphers (see <a href="#table1">Table <tr id="H"><td colspan="2"><em>Aliases:</em></td></tr> <tr id="D"><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr> <tr id="H"><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr> -<tr id="D"><td><code>EXP</code></td> <td>all export ciphers</td> </tr> -<tr id="H"><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> -<tr id="D"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> -<tr id="H"><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> -<tr id="D"><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> -<tr id="H"><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> -<tr id="D"><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> -<tr id="H"><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> -<tr id="D"><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> -<tr id="H"><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> +<tr id="D"><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr> +<tr id="H"><td><code>EXP</code></td> <td>all export ciphers</td> </tr> +<tr id="D"><td><code>EXP40</code></td> <td>all 40-bit export ciphers only</td> </tr> +<tr id="H"><td><code>EXP56</code></td> <td>all 56-bit export ciphers only</td> </tr> +<tr id="D"><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> +<tr id="H"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> +<tr id="D"><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> +<tr id="H"><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> +<tr id="D"><td><code>DH</code></td> <td>all ciphers using 
Diffie-Hellman key exchange</td> </tr> +<tr id="H"><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> +<tr id="D"><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> +<tr id="H"><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> +<tr id="D"><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> </table></td> </tr></table> </td></tr></table> </div> <p> -Now where this becomes interesting is that these can be put together to -specify the order and ciphers you wish to use. To speed this up there are -also aliases (<code>SSLv2, SSLv3, EXP, LOW, MEDIUM, HIGH</code>) for certain -groups of ciphers. These tags can be joined together with prefixes to form -the <em>cipher-spec</em>. Available prefixes are: +Now where this becomes interesting is that these can be put together +to specify the order and ciphers you wish to use. To speed this up +there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, +HIGH</code>) for certain groups of ciphers. These tags can be joined +together with prefixes to form the <em>cipher-spec</em>. Available +prefixes are: <ul> <li>none: add cipher to list <li><code>+</code>: add ciphers to list and pull them to current location in list diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml index 0ebebfab536..a1be5bbb4c2 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml 
@@ -616,26 +616,30 @@ specify the preference and order for the ciphers (see <a href="#table1">Table <tr id=H><td colspan=2><em>Aliases:</em></td></tr> <tr id=D><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr> <tr id=H><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr> -<tr id=D><td><code>EXP</code></td> <td>all export ciphers</td> </tr> -<tr id=H><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> -<tr id=D><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> -<tr id=H><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> -<tr id=D><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> -<tr id=H><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> -<tr id=D><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> -<tr id=H><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> -<tr id=D><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> -<tr id=H><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> +<tr id=D><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr> +<tr id=H><td><code>EXP</code></td> <td>all export ciphers</td> </tr> +<tr id=D><td><code>EXP40</code></td> <td>all 40-bit export ciphers only</td> </tr> +<tr id=H><td><code>EXP56</code></td> <td>all 56-bit export ciphers only</td> </tr> +<tr id=D><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> +<tr id=H><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> +<tr id=D><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> +<tr id=H><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> +<tr id=D><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> +<tr 
id=H><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> +<tr id=D><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> +<tr id=H><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> +<tr id=D><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> </table> </float> <p> -Now where this becomes interesting is that these can be put together to -specify the order and ciphers you wish to use. To speed this up there are -also aliases (<code>SSLv2, SSLv3, EXP, LOW, MEDIUM, HIGH</code>) for certain -groups of ciphers. These tags can be joined together with prefixes to form -the <em>cipher-spec</em>. Available prefixes are: +Now where this becomes interesting is that these can be put together +to specify the order and ciphers you wish to use. To speed this up +there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, +HIGH</code>) for certain groups of ciphers. These tags can be joined +together with prefixes to form the <em>cipher-spec</em>. Available +prefixes are: <ul> <li>none: add cipher to list diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL index 6e9e84126ba..8b7fb23ab27 100644 --- a/usr.sbin/httpd/src/CHANGES.SSL +++ b/usr.sbin/httpd/src/CHANGES.SSL 
@@ -23,6 +23,42 @@ / __/ | (_) | __ |_____(_)___/____________________________________________ + Changes with mod_ssl 2.6.5 (01-May-2000 to 04-Jul-2000) + + *) Removed more memory leaks by freeing even more stuff + from the OpenSSL toolkit on module shutdown. + + *) Added missing TLSv1, EXP40 and EXP56 keywords to + ssl_reference's documentation of SSLCipherSuite. + + *) Updated INSTALL document for MM 1.1.x. + + *) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.) + to the FAQ entry about MSIE errors. + + *) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid + MSIE5.x problems in advance. + + *) Fixed typos in INSTALL: sbin -> bin for apachectl. + + *) mod_ssl's configure script now touches also ssl_expr_scan.l and + ssl_expr_parse.y when applying the sources corrupted timestamps do + not trigger the lex/yacc Makefile rules (which are intended for + developer use only). + + *) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments + which is especially important for the Win32 environment. + + *) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all" + + *) Be aware of extended SERVER_BASEVERSION strings in configure. + + *) Removed a left-over ssl_scache_expire() call in ssl_scache_init() + which made the life of vendors complicated. + + *) Allow more fine-tuned overriding of ap_server_root_relative calls + by providing the context of the call. + Changes with mod_ssl 2.6.4 (16-Apr-2000 to 01-May-2000) *) Fixed Win32 build by adding gdi32.lib to the libraries diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version index 9b6e42714fd..0d0fce319b1 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.version +++ b/usr.sbin/httpd/src/modules/ssl/libssl.version @@ -1 +1 @@ -mod_ssl/2.6.4-1.3.12 +mod_ssl/2.6.5-1.3.12 diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h index df91598563f..d8244dc0579 100644 
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -816,7 +816,7 @@ void ssl_compat_variables(request_rec *);
 #endif
 /* Utility Functions */
-char *ssl_util_server_root_relative(pool *, char *);
+char *ssl_util_server_root_relative(pool *, char *, char *);
 char *ssl_util_vhostid(pool *, server_rec *);
 void ssl_util_strupper(char *);
 void ssl_util_uuencode(char *, const char *, BOOL);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 91c4883de25..6dbeec9ac54 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -398,7 +398,7 @@ const char *ssl_cmd_SSLMutex(
 #ifndef WIN32
 mc->nMutexMode = SSL_MUTEXMODE_FILE;
 mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu",
- ssl_util_server_root_relative(cmd->pool, arg+5),
+ ssl_util_server_root_relative(cmd->pool, "mutex", arg+5),
 (unsigned long)getpid());
 #else
 return "SSLMutex: Lockfiles not available on this platform";
@@ -430,7 +430,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(
 }
 else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) {
 sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER;
- sc->szPassPhraseDialogPath = ssl_util_server_root_relative(cmd->pool, arg+5);
+ sc->szPassPhraseDialogPath = ssl_util_server_root_relative(cmd->pool, "dialog", arg+5);
 if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath))
 return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
 sc->szPassPhraseDialogPath, "' not exists", NULL);
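Review bot: The new context argument to `ssl_util_server_root_relative` is a bare string literal repeated at every call site (`"mutex"` and `"dialog"` here, `"random"`, `"certkey"` and `"scache"` in the following ssl_engine_config.c hunks, `"log"` in the ssl_engine_log.c hunks), so a misspelling at one site compiles cleanly and silently hands the vendor hook an unknown context. A set of named constants in mod_ssl.h next to the changed prototype, e.g. `#define SSL_SRR_CERTKEY "certkey"` (name illustrative), would let the compiler catch that and give hook implementers one place to see the vocabulary. The same applies to all the later call-site hunks in this commit. ssl_cmd_SSLMutex and ssl_cmd_SSLPassPhraseDialog both start before their hunks.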
@@ -461,16 +461,16 @@ const char *ssl_cmd_SSLRandomSeed(
 "invalid context: `", arg1, "'");
 if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) {
 pRS->nSrc = SSL_RSSRC_FILE;
- pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2+5));
+ pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+5));
 }
 else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) {
 pRS->nSrc = SSL_RSSRC_EXEC;
- pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2+5));
+ pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+5));
 }
 #if SSL_LIBRARY_VERSION >= 0x00905100
 else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) {
 pRS->nSrc = SSL_RSSRC_EGD;
- pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2+4));
+ pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+4));
 }
 #endif
 else if (strcEQ(arg2, "builtin")) {
@@ -479,7 +479,7 @@ const char *ssl_cmd_SSLRandomSeed(
 }
 else {
 pRS->nSrc = SSL_RSSRC_FILE;
- pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2));
+ pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2));
 }
 if (pRS->nSrc != SSL_RSSRC_BUILTIN)
 if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath))
@@ -526,7 +526,7 @@ const char *ssl_cmd_SSLCertificateFile(
 char *cpPath;
 int i;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -547,7 +547,7 @@ const char *ssl_cmd_SSLCertificateKeyFile(
 char *cpPath;
 int i;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -567,7 +567,7 @@ const char *ssl_cmd_SSLCertificateChainFile(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -581,7 +581,7 @@ const char *ssl_cmd_SSLCACertificatePath(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
 cpPath, "' not exists", NULL);
@@ -602,7 +602,7 @@ const char *ssl_cmd_SSLCACertificateFile(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -623,7 +623,7 @@ const char *ssl_cmd_SSLCARevocationPath(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '",
 cpPath, "' not exists", NULL);
@@ -637,7 +637,7 @@ const char *ssl_cmd_SSLCARevocationFile(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -703,14 +703,14 @@ const char *ssl_cmd_SSLSessionCache(
 else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) {
 mc->nSessionCacheMode = SSL_SCMODE_DBM;
 mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
- ssl_util_server_root_relative(cmd->pool, arg+4));
+ ssl_util_server_root_relative(cmd->pool, "scache", arg+4));
 }
 else if (strlen(arg) > 4 && strcEQn(arg, "shm:", 4)) {
 if (!ap_mm_useable())
 return "SSLSessionCache: shared memory cache not useable on this platform";
 mc->nSessionCacheMode = SSL_SCMODE_SHM;
 mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
- ssl_util_server_root_relative(cmd->pool, arg+4));
+ ssl_util_server_root_relative(cmd->pool, "scache", arg+4));
 mc->tSessionCacheDataTable = NULL;
 mc->nSessionCacheDataSize = 1024*512; /* 512KB */
 if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
@@ -980,7 +980,7 @@ const char *ssl_cmd_SSLProxyCACertificateFile(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -994,7 +994,7 @@ const char *ssl_cmd_SSLProxyCACertificatePath(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
 return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
 cpPath, "' does not exists", NULL);
@@ -1008,7 +1008,7 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
 return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
 cpPath, "' not exists or empty", NULL);
@@ -1022,7 +1022,7 @@ const char *ssl_cmd_SSLProxyMachineCertificatePath(
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 char *cpPath;
- cpPath = ssl_util_server_root_relative(cmd->pool, arg);
+ cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
 return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
 cpPath, "' does not exists", NULL);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 125d8c41160..1baf203680d 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -1026,6 +1026,14 @@ void ssl_init_ModuleKill(void *data)
 sc->pSSLCtx = NULL;
 }
 }
+
+ /*
+ * Try to kill the internals of the SSL library.
+ */
+ ERR_free_strings();
+ ERR_remove_state(0);
+ EVP_cleanup();
+
 return;
 }
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 4fcb2685866..ceb5cb9c8c1 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
@@ -98,7 +98,7 @@ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p)
 if (strEQ(sc->szLogFile, "/dev/null"))
 return;
 else if (sc->szLogFile[0] == '|') {
- szLogFile = ssl_util_server_root_relative(p, sc->szLogFile+1);
+ szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile+1);
 if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) {
 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
 "Cannot open reliable pipe to SSL logfile filter %s", szLogFile);
@@ -108,7 +108,7 @@ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p)
 setbuf(sc->fileLogFile, NULL);
 }
 else {
- szLogFile = ssl_util_server_root_relative(p, sc->szLogFile);
+ szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile);
 if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) {
 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
 "Cannot open SSL logfile %s", szLogFile);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index dc2927e66b1..234e39bb118 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
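Review bot: `ERR_free_strings()`, `ERR_remove_state(0)` and `EVP_cleanup()` in ssl_init_ModuleKill tear down library-global OpenSSL tables rather than state this module owns, and the hunk shows the function being used as a module cleanup, not a process-exit hook, so whether anything else in the process still needs those tables (or whether the module's own init path reloads them on the next restart) cannot be confirmed from here. The added comment `Try to kill the internals of the SSL library.` should say why this is safe; something like `/* Free the library-global error-string and cipher tables; assumes nothing else in this process uses OpenSSL after ModuleKill and that our init path re-registers them on restart. */` would record the assumption the next maintainer must re-check. The trailing `return;` before the closing brace is redundant in a void function. ssl_init_ModuleKill starts before the hunk.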
@@ -523,7 +523,10 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
 "Init: Requesting pass phrase from dialog filter program (%s)",
 sc->szPassPhraseDialogPath);
- cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
+ if (strchr(sc->szPassPhraseDialogPath, ' ') != NULL)
+ cmd = ap_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
+ else
+ cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
 result = ssl_util_readfilter(s, p, cmd);
 ap_cpystrn(buf, result, bufsize);
 len = strlen(buf);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
index 478e82d7d47..34ab0da2486 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
@@ -86,7 +86,6 @@ void ssl_scache_init(server_rec *s, pool *p)
 ssl_scache_dbm_init(s, p);
 else if (mc->nSessionCacheMode == SSL_SCMODE_SHM)
 ssl_scache_shm_init(s, p);
- ssl_scache_expire(s, time(NULL));
 #ifdef SSL_VENDOR
 ap_hook_use("ap::mod_ssl::vendor::scache_init",
@@ -338,6 +337,8 @@ void ssl_scache_dbm_init(server_rec *s, pool *p)
 }
 #endif
 ssl_mutex_off(s);
+
+ ssl_scache_dbm_expire(s, time(NULL));
 return;
 }
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util.c b/usr.sbin/httpd/src/modules/ssl/ssl_util.c
index 045ec60ed58..8818b11b1ff 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util.c
@@ -116,13 +116,13 @@
 ** _________________________________________________________________
 */
-char *ssl_util_server_root_relative(pool *p, char *arg)
+char *ssl_util_server_root_relative(pool *p, char *what, char *arg)
 {
 char *rv = NULL;
 #ifdef SSL_VENDOR
 ap_hook_use("ap::mod_ssl::vendor::ssl_server_root_relative",
- AP_HOOK_SIG3(ptr,ptr,ptr), AP_HOOK_ALL, &rv, p, arg);
+ AP_HOOK_SIG4(ptr,ptr,ptr,ptr), AP_HOOK_ALL, &rv, p, what, arg);
 if (rv != NULL)
 return rv;
 #endif
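Review bot: The new branch only double-quotes `sc->szPassPhraseDialogPath` when it contains a space, so a path containing a double quote, `$` or backquote still yields a command string that whatever `ssl_util_readfilter` launches it with will parse differently from the admin's intent, and `cpVHostID` and `cpAlgoType` are interpolated unquoted in both branches. The path is the admin's own `SSLPassPhraseDialog exec:` setting, so this is a correctness point rather than a trust-boundary one, but it deserves a comment such as `/* path is config-supplied; only embedded whitespace is quoted, not other shell-significant characters */`. If `ssl_util_readfilter` hands `cmd` to a shell (not visible from this hunk), building an argv for an exec-style spawn instead of a single string would remove the quoting question entirely and collapse the two branches. ssl_pphrase_Handle_CB continues outside the hunk.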
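Review bot: Moving the startup expiry from ssl_scache_init into ssl_scache_dbm_init means the shared-memory backend (`ssl_scache_shm_init`) no longer gets an expiry pass at initialization; the CHANGES.SSL entry describes the removed call as a left-over, but nothing here says the shm backend expires stale entries on its own. If it does, a one-line comment at the removal site such as `/* no global expire here: each backend expires its own entries (dbm: at init) */` would stop a later reader re-adding it. `ssl_scache_dbm_expire` is also called only after `ssl_mutex_off(s)`, so it is worth confirming that it acquires the mutex itself before touching the DBM file. ssl_scache_init continues outside its hunk.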
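Review bot: The new `what` parameter of `ssl_util_server_root_relative` is forwarded only to the vendor hook, and its accepted values are documented nowhere in this hunk; the callers updated in this commit pass `"mutex"`, `"dialog"`, `"random"`, `"certkey"`, `"scache"` and `"log"`. A header comment on the definition, e.g. `/* what: caller context for vendor hooks, one of "mutex", "dialog", "random", "certkey", "scache", "log"; ignored by the default implementation */` (the last clause only if the rest of the body bears it out), would keep the hook contract discoverable without reading every call site. The function body continues past the end of the hunk.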