ab: Add client certificate support.

                                                         -*- coding: utf-8 -*-

Changes with Apache 2.4.36

  *) ab: Add client certificate support. [Graham Leggett]

  *) ab: Disable printing temp key for OpenSSL before

     version 1.0.2. SSL_get_server_tmp_key is not available

     there. [Rainer Jung]

PATCHES ACCEPTED TO BACKPORT FROM TRUNK:

  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) ab: Add client certificate support.

     trunk: http://svn.apache.org/r1841784

     2.4.x: svn merge -c r1841784 ^/httpd/httpd/trunk .

     (requires r1738415 and r1826930 above to resolve conflict)

     +1: minfrin, jim, ylavic

PATCHES PROPOSED TO BACKPORT FROM TRUNK:

  [ New proposals should be added at the end of the list ]

    [ -<strong>C</strong> <var>cookie-name</var>=<var>value</var> ]

    [ -<strong>d</strong> ]

    [ -<strong>e</strong> <var>csv-file</var> ]

    [ -<strong>E</strong> <var>client-certificate file</var> ]

    [ -<strong>f</strong> <var>protocol</var> ]

    [ -<strong>g</strong> <var>gnuplot-file</var> ]

    [ -<strong>h</strong> ]

    that percentage of the requests. This is usually more useful than the

    'gnuplot' file; as the results are already 'binned'.</dd>

    <dt><code>-E <var>client-certificate-file</var></code></dt>

    <dd>When connecting to an SSL website, use the provided client certificate

    in PEM format to authenticate with the server. The file is expected to

    contain the client certificate, followed by intermediate certificates,

    followed by the private key. Available in 2.4.36 and later.</dd>

    <dt><code>-f <var>protocol</var></code></dt>

    <dd>Specify SSL/TLS protocol (SSL2, SSL3, TLS1, TLS1.1, TLS1.2, or ALL).

    TLS1.1 and TLS1.2 support available in 2.4.4 and later.</dd>

SSL_CTX *ssl_ctx;

char *ssl_cipher = NULL;

char *ssl_info = NULL;

char *ssl_cert = NULL;

#if OPENSSL_VERSION_NUMBER >= 0x10002000L

char *ssl_tmp_key = NULL;

#endif

    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");

    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");

    fprintf(stderr, "                    (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");

    fprintf(stderr, "    -E certfile     Specify optional client certificate chain and private key\n");

#endif

    exit(EINVAL);

}

    apr_getopt_init(&opt, cntxt, argc, argv);

    while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqB:m:"

#ifdef USE_SSL

            "Z:f:"

            "Z:f:E:"

#endif

            ,&c, &opt_arg)) == APR_SUCCESS) {

        switch (c) {

            case 'Z':

                ssl_cipher = strdup(opt_arg);

                break;

            case 'E':

                ssl_cert = strdup(opt_arg);

                break;

            case 'f':

#if OPENSSL_VERSION_NUMBER < 0x10100000L

                if (strncasecmp(opt_arg, "ALL", 3) == 0) {

    if (verbosity >= 3) {

        SSL_CTX_set_info_callback(ssl_ctx, ssl_state_cb);

    }

    if (ssl_cert != NULL) {

        if (SSL_CTX_use_certificate_chain_file(ssl_ctx, ssl_cert) <= 0) {

            BIO_printf(bio_err, "unable to get certificate from '%s'\n",

            		ssl_cert);

            ERR_print_errors(bio_err);

            exit(1);

        }

        if (SSL_CTX_use_PrivateKey_file(ssl_ctx, ssl_cert, SSL_FILETYPE_PEM) <= 0) {

            BIO_printf(bio_err, "unable to get private key from '%s'\n",

                ssl_cert);

            ERR_print_errors(bio_err);

            exit(1);

        }

        if (!SSL_CTX_check_private_key(ssl_ctx)) {

            BIO_printf(bio_err,

                       "private key does not match the certificate public key in %s\n", ssl_cert);

            exit(1);

        }

    }

#endif

#ifdef SIGPIPE

    apr_signal(SIGPIPE, SIG_IGN);       /* Ignore writes to connections that