From 0acd9cb2363683f7fd4c849e740b152717aca732 Mon Sep 17 00:00:00 2001
From: Brad Smith
Date: Fri, 1 Oct 1999 23:50:45 +0000
Subject: Sync with mod_ssl v2.4.5. ok beck@.
---
 usr.sbin/httpd/src/CHANGES.SSL | 46 +++++++++++++++++++++-
 usr.sbin/httpd/src/modules/ssl/libssl.module | 12 +++++-
 usr.sbin/httpd/src/modules/ssl/libssl.version | 2 +-
 usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 5 ++-
 usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c | 9 +++--
 usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c | 4 +-
 .../httpd/src/modules/ssl/ssl_engine_pphrase.c | 43 ++++++++++----------
 usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c | 2 +-
 8 files changed, 92 insertions(+), 31 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL
index 5d1ba553ea3..ee2f9d9ae86 100644
--- a/usr.sbin/httpd/src/CHANGES.SSL
+++ b/usr.sbin/httpd/src/CHANGES.SSL
@@ -23,6 +23,50 @@
 / __/ |__ _| __ |_____(_) |_|
 ___________________________________________
+ Changes with mod_ssl 2.4.5 (28-Sep-1999 to 01-Oct-1999)
+
+ *) Now ``make certificate'' displays a warning message if one generates a
+ DSA certificate with it to make sure the user is aware of the fact that
+ a DSA-only webserver is currently useless because the popular browsers
+ do not speak DH-based ciphers. A hint is given that a DSA cert/key pair
+ is only useful in _combination_ with a parallel configured RSA
+ cert/key pair.
+
+ *) Enhanced the pass phrase dialog: Now ``Server : ()''
+ is displayed instead of just ``Server :'' and the
+ ``SSLPassPhraseDialog exec:/path/to/program'' is called with arguments
+ ``: '' instead of just ``:'' to allow the
+ distinction between RSA and DSA keys both to the user and to the
+ program. This is important, because a single virtual host can use both
+ a RSA and a DSA cert/key at the same time.
+
+ *) Added pre-configured (but commented out) SSLCertificate[Key]File
+ directives to conf/httpd.conf-dist which explains the use of the
+ additional DSA cert/key.
+
+ *) Now the default for SSL_SDBM is 'yes' on Linux boxes because it occurrs
+ too often that Linux boxes with broken DBM libraries are used and people
+ are wondering why their session cache operations segfault the server. If
+ you really want to use the vendor DBM library on Linux you now have to
+ use --disable-rule=SSL_SDBM. But I recommend you to use SDBM except
+ you know what you're doing.
+
+ *) Fixed typo in FAQ: SSLSessioCache -> SSLSessionCache.
+
+ *) Enhanced the logging facility: First the "Connection to child x"
+ messages now also contain the client IP address, second every
+ logfile entry now has a prefix which contains also the process id in
+ addition to the time. This way it's easier to identify logfile entries
+ written by different processes.
+
+ *) Fixed ssl_engine_vars.c: SSL3_TXT_RSA_IDEA_128_SHA was contained twice
+ in a table. Instead the second occurrence should be
+ SSL2_TXT_IDEA_128_CBC_WITH_MD5.
+
+ *) Fixed the `union semun' situation for SSLMutex again, this time for
+ brain-dead anchient Linux versions which have incorrect semctl(2)
+ prototypes. We now enable IPC semaphores only on glibc 2.1 boxes.
+
 Changes with mod_ssl 2.4.4 (27-Sep-1999 to 28-Sep-1999)
 *) Fixed the `union semun' situation for SSLMutex which was broken in 2.4.3
@@ -200,7 +244,7 @@
 *) Added support for latest OpenSSL 0.9.4-dev snapshot version.
- *) Fixed initialization and cleanup relazed problems with SSLMutex: The
+ *) Fixed initialization and cleanup related problems with SSLMutex: The
 mutex is now closed before the chown and the mutex is removed only in
 the parent on module shutdown.
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module
index 444a3818c5b..d6537529aa4 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.module
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.module
@@ -229,7 +229,17 @@ ConfigStart
 exit 1
 fi
 fi
- # 4. finally configure the chosen DBM lib
+ # 4. override decision on a few brain-dead platforms
+ if [ ".$my_rule_SSL_SDBM" = .default ]; then
+ case "$OS" in
+ Linux )
+ # force Linux boxes to use builtin SDBM per default because
+ # of too much broken vendor DBM libraries on this platform
+ SSL_DBM_NAME=''
+ ;;
+ esac
+ fi
+ # 5. finally configure the chosen DBM lib
 if [ ".$SSL_DBM_NAME" != . ]; then
 echo "$my_prefix SSL interface plugin: $SSL_DBM_NAME"
 my_dbm_already_used=`echo $LIBS | grep -- " $SSL_DBM_FLAG"`
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index e4156ddb315..aaa8f08aab2 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.4.4-1.3.9
+mod_ssl/2.4.5-1.3.9
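Review bot: The new step 4 silently discards whatever vendor DBM steps 1–3 selected on Linux, and because the only progress message sits inside `if [ ".$SSL_DBM_NAME" != . ]` the configure output no longer says which DBM was chosen or why it was overridden. A one-line echo in the `Linux )` branch would make the decision visible, e.g. `echo "$my_prefix SSL interface plugin: builtin SDBM (vendor DBM disabled by default on Linux, use --disable-rule=SSL_SDBM to override)"`, unless a later message outside this hunk already reports the SDBM choice. The `case "$OS"` arm matches only the exact string `Linux`; how `$OS` is derived is not visible here. The enclosing ConfigStart section continues outside the hunk.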
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 5dac8c81ec7..e49ed932100 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -257,7 +257,8 @@
 #endif
 #if defined(USE_SYSVSEM_SERIALIZED_ACCEPT) ||\
 defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) ||\
- (defined(LINUX) && LINUX >= 2) ||\
+ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) && \
+ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\
 defined(SOLARIS2)
 #define SSL_CAN_USE_SEM
 #define SSL_HAVE_IPCSEM
@@ -521,7 +522,7 @@ typedef struct {
 ssl_ds_table *tPublicCert;
 ssl_ds_table *tPrivateKey;
 struct {
- void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9;
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
 } rCtx;
 #ifdef SSL_VENDOR
 ap_ctx *ctx;
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 152a61b1a8e..f404914903a 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -162,8 +162,8 @@ void ssl_hook_NewConnection(conn_rec *conn)
 * later access inside callback functions
 */
 cpVHostID = ssl_util_vhostid(conn->pool, srvr);
- ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established (server %s)",
- conn->child_num, cpVHostID);
+ ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established "
+ "(server %s, client %s)", conn->child_num, cpVHostID, conn->remote_ip);
 /*
 * Seed the Pseudo Random Number Generator (PRNG)
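Review bot: The glibc test on the second added line, `__GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1`, rejects any future major version whose minor is 0 (glibc 3.0, say) even though every such release is newer than 2.1, so SSL_HAVE_IPCSEM would silently disappear on those systems and SSLMutex would fall back to whatever the other branches allow. The usual idiom compares the major number first: `(__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 1))`. Keeping the `defined(__GLIBC_MINOR__)` guard in front of it is right, since non-glibc libcs on Linux do not define the macro and an undefined identifier in `#if` would otherwise evaluate to 0 without warning.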
@@ -505,8 +505,9 @@ void ssl_hook_CloseConnection(conn_rec *conn)
 /* and finally log the fact that we've closed the connection */
 ssl_log(conn->server, SSL_LOG_INFO,
- "Connection to child %d closed with %s shutdown (server %s)",
- conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server));
+ "Connection to child %d closed with %s shutdown (server %s, client %s)",
+ conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server),
+ conn->remote_ip);
 return;
 }
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 7b57f399056..7b18e8b4347 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
@@ -222,7 +222,9 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
 tstr[0] = NUL;
 else {
 t = ap_get_gmtoff(&timz);
- strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S] ", t);
+ strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);
+ i = strlen(tstr);
+ ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid());
 }
 /* determine whether newline should be writteni */
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index 11261aee565..5ff057d0ede 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
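Review bot: In the added `ap_snprintf` call the conversion `%05d` is paired with an `(unsigned int)` argument, a signed/unsigned mismatch that `-Wformat` flags; either write `" %05u] "` and keep the unsigned cast, or cast to `(int)` and keep `%05d` (pid_t fits either way on the platforms this targets). The buffer length 80 is now hard-coded in two places (the strftime bound and the snprintf remainder `80-i`), so if `tstr` is a local array of ssl_log — its declaration is outside this hunk — `sizeof tstr` and `sizeof tstr - i` would keep the two in step and survive a resize; `i` is likewise not declared in the hunk and is presumably an existing local, which is worth confirming since `strlen` returns `size_t`. ssl_log's body starts before and continues after this hunk.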
@@ -207,15 +207,16 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
 * the callback function which serves the pass
 * phrases to OpenSSL
 */
- myCtxVarSet(mc, 1, pServ);
- myCtxVarSet(mc, 2, p);
- myCtxVarSet(mc, 3, aPassPhrase);
- myCtxVarSet(mc, 4, &nPassPhraseCur);
- myCtxVarSet(mc, 5, &cpPassPhraseCur);
- myCtxVarSet(mc, 6, cpVHostID);
- myCtxVarSet(mc, 7, &nPassPhraseDialog);
- myCtxVarSet(mc, 8, &nPassPhraseDialogCur);
- myCtxVarSet(mc, 9, &bPassPhraseDialogOnce);
+ myCtxVarSet(mc, 1, pServ);
+ myCtxVarSet(mc, 2, p);
+ myCtxVarSet(mc, 3, aPassPhrase);
+ myCtxVarSet(mc, 4, &nPassPhraseCur);
+ myCtxVarSet(mc, 5, &cpPassPhraseCur);
+ myCtxVarSet(mc, 6, cpVHostID);
+ myCtxVarSet(mc, 7, an);
+ myCtxVarSet(mc, 8, &nPassPhraseDialog);
+ myCtxVarSet(mc, 9, &nPassPhraseDialogCur);
+ myCtxVarSet(mc, 10, &bPassPhraseDialogOnce);
 nPassPhraseCur = 0;
 nPassPhraseRetry = 0;
@@ -395,6 +396,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 int *pnPassPhraseCur;
 char **cppPassPhraseCur;
 char *cpVHostID;
+ char *cpAlgoType;
 int *pnPassPhraseDialog;
 int *pnPassPhraseDialogCur;
 BOOL *pbPassPhraseDialogOnce;
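Review bot: Inserting the new algorithm-label value at slot 7 shifts the three existing slots to 8–10, and because myCtxVarGet is an untyped cast over `void *` any reader of slots 7–9 that this commit does not update would silently receive a pointer of the wrong type; the one reader visible here, ssl_pphrase_Handle_CB, is updated in the next file section, but whether other readers exist cannot be told from this hunk. Appending the new value as slot 10 would have left the existing numbering stable, and a small enum of named slots shared by the setter and the getter (`enum { CTX_SERVER = 1, CTX_POOL, CTX_PASSPHRASES, /* ... */ CTX_DIALOG_ONCE }`) would make the pairing explicit instead of relying on matching magic numbers in two functions. `an` is not declared in the hunk and is presumably the per-key algorithm label set by the enclosing loop; ssl_pphrase_Handle starts before and continues after the hunk.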
@@ -404,15 +406,16 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 /*
 * Reconnect to the context of ssl_phrase_Handle()
 */
- s = myCtxVarGet(mc, 1, server_rec *);
- p = myCtxVarGet(mc, 2, pool *);
- aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
- pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
- cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
- cpVHostID = myCtxVarGet(mc, 6, char *);
- pnPassPhraseDialog = myCtxVarGet(mc, 7, int *);
- pnPassPhraseDialogCur = myCtxVarGet(mc, 8, int *);
- pbPassPhraseDialogOnce = myCtxVarGet(mc, 9, BOOL *);
+ s = myCtxVarGet(mc, 1, server_rec *);
+ p = myCtxVarGet(mc, 2, pool *);
+ aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
+ pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
+ cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
+ cpVHostID = myCtxVarGet(mc, 6, char *);
+ cpAlgoType = myCtxVarGet(mc, 7, char *);
+ pnPassPhraseDialog = myCtxVarGet(mc, 8, int *);
+ pnPassPhraseDialogCur = myCtxVarGet(mc, 9, int *);
+ pbPassPhraseDialogOnce = myCtxVarGet(mc, 10, BOOL *);
 sc = mySrvConfig(s);
 (*pnPassPhraseDialog)++;
@@ -460,7 +463,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 if (*pbPassPhraseDialogOnce) {
 *pbPassPhraseDialogOnce = FALSE;
 fprintf(stderr, "\n");
- fprintf(stderr, "Server %s\n", cpVHostID);
+ fprintf(stderr, "Server %s (%s)\n", cpVHostID, cpAlgoType);
 }
 /*
@@ -498,7 +501,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 "Init: Requesting pass phrase from dialog filter program (%s)",
 sc->szPassPhraseDialogPath);
- cmd = ap_psprintf(p, "%s %s", sc->szPassPhraseDialogPath, cpVHostID);
+ cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
 result = ssl_util_readfilter(s, p, cmd);
 ap_cpystrn(buf, result, bufsize);
 len = strlen(buf);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
index b5d84ae6e15..207084f8770 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
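Review bot: The changed `cmd = ap_psprintf(...)` line still assembles the filter invocation as a single unquoted command string, now with two interpolated fields; if ssl_util_readfilter hands that string to a shell (its implementation is outside this hunk), a ServerName/port or algorithm label containing shell metacharacters changes what gets executed. Both values come from the server configuration rather than from the network, so this is a hardening point rather than a remote issue, but the safer shape is to pass an explicit argv to the filter program so no shell is involved, or at minimum to emit `"%s '%s' '%s'"` so each field is a single word. Note also that dialog programs written against 2.4.4 now receive a third argument (`<vhostid> <algo>` instead of `<vhostid>`), which the CHANGES entry documents but which can break programs that validate their argument count. ssl_pphrase_Handle_CB continues outside the hunk.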
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
@@ -592,7 +592,6 @@ static const struct {
 { SSL3_TXT_RSA_RC4_128_MD5 /*RC4-MD5*/, 128, 128 },
 { SSL3_TXT_RSA_RC4_128_SHA /*RC4-SHA*/, 128, 128 },
 { SSL3_TXT_RSA_RC2_40_MD5 /*EXP-RC2-CBC-MD5*/, 40, 128 },
- { SSL3_TXT_RSA_IDEA_128_SHA /*IDEA-CBC-MD5*/, 128, 128 },
 { SSL3_TXT_RSA_DES_40_CBC_SHA /*EXP-DES-CBC-SHA*/, 40, 56 },
 { SSL3_TXT_RSA_DES_64_CBC_SHA /*DES-CBC-SHA*/ , 56, 56 },
 { SSL3_TXT_RSA_DES_192_CBC3_SHA /*DES-CBC3-SHA*/ , 168, 168 },
@@ -617,6 +616,7 @@ static const struct {
 { SSL3_TXT_FZA_DMS_FZA_SHA /*FZA-FZA-CBC-SHA*/, 0, 0 },
 { SSL3_TXT_FZA_DMS_RC4_SHA /*FZA-RC4-SHA*/, 128, 128 },
+ { SSL2_TXT_IDEA_128_CBC_WITH_MD5 /*IDEA-CBC-MD5*/, 128, 128 },
 { SSL2_TXT_DES_64_CFB64_WITH_MD5_1 /*DES-CFB-M1*/, 56, 56 },
 { SSL2_TXT_RC2_128_CBC_WITH_MD5 /*RC2-CBC-MD5*/, 128, 128 },
 { SSL2_TXT_DES_64_CBC_WITH_MD5 /*DES-CBC-MD5*/, 56, 56 },
-- 
cgit v1.2.3
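Review bot: The removed line shows how the duplicate crept in: the human-readable comment (`/*IDEA-CBC-MD5*/`) did not match the macro beside it (`SSL3_TXT_RSA_IDEA_128_SHA`), and since the surviving first occurrence of that SSL3 macro is outside this hunk it is worth confirming that its comment reads `/*IDEA-CBC-SHA*/` and that `SSL2_TXT_IDEA_128_CBC_WITH_MD5` was not already present further down the SSL2 part of the table. The table is hand-maintained with no duplicate check, so a short comment above it — `/* one entry per OpenSSL cipher name; keep the comment in sync with the macro, a mismatch here produced a duplicate entry in 2.4.4 */` — would document the trap for the next edit. The struct definition starts before the hunk.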