Commit cbd264e7 authored by Rainer Jung's avatar Rainer Jung

Support OpenSSL 1.1.0.

- use common code for OpenSSL pre-1.1.0 and
  1.1.0 where possible.

Partial backport of r1730422 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755841 13f79535-47bb-0310-9956-ffa450edef68
parent 9dad1dd7
+2 −0
@@ -2,6 +2,8 @@

Changes with Apache 2.4.24

  *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
 
  *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query 
     string showing up in SCRIPT_FILENAME. PR59815

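--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -858,11 +858,7 @@ static int use_certificate_chain(
     unsigned long err;
     int n;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-#else
     if ((bio = BIO_new(BIO_s_file())) == NULL)
-#endif
         return -1;
     if (BIO_read_filename(bio, file) <= 0) {
         BIO_free(bio);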
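Review bot: With the version conditional gone, the surviving `if ((bio = BIO_new(BIO_s_file())) == NULL)` followed by `return -1;` on the next line is a two-line unbraced conditional, which the removed `#if`/`#else` lines previously made visually obvious; bracing it as `if ((bio = BIO_new(BIO_s_file())) == NULL) { return -1; }` matches the braced `BIO_read_filename` check immediately below and removes the dangling-statement hazard. Both failure paths return -1 without distinguishing which step failed, so the caller can only report a generic error unless it drains the OpenSSL error queue itself — presumably what the `err` declared at the top of the hunk is for further down, but that is outside the hunk. use_certificate_chain starts before and continues after this hunk.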
+5 −32
@@ -80,11 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r)
    SSL_set_accept_state(ssl);
    SSL_do_handshake(ssl);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
    if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
    if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
    if (!SSL_is_init_finished(ssl)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
                      "TLS upgrade handshake failed");
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -460,11 +456,7 @@ int ssl_hook_Access(request_rec *r)
         * forbidden in the latter case, let ap_die() handle
         * this recursive (same) error.
         */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
        if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
        if (!SSL_is_init_finished(ssl)) {
            return HTTP_FORBIDDEN;
        }
        ctx = SSL_get_SSL_CTX(ssl);
@@ -949,7 +941,6 @@ int ssl_hook_Access(request_rec *r)
        }
        else {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
            int rc;
            char peekbuf[1];
#endif
            const char *reneg_support;
@@ -995,11 +986,7 @@ int ssl_hook_Access(request_rec *r)
            SSL_renegotiate(ssl);
            SSL_do_handshake(ssl);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
            if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
            if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
            if (!SSL_is_init_finished(ssl)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
                              "Re-negotiation request failed");
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -1034,27 +1021,13 @@ int ssl_hook_Access(request_rec *r)
             * It is expected to work without changes with the forthcoming 1.1.0pre3.
             * See: http://marc.info/?t=145493359200002&r=1&w=2
             */
            rc = SSL_peek(ssl, peekbuf, 0);
            ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
                          "Renegotiation peek result=%d, "
                          "reneg_state=%d, "
                          "in_init=%d, init_finished=%d, "
                          "state=%s, sslconn->ssl=%s, peer_certs=%s",
                          rc, sslconn->reneg_state,
                          SSL_in_init(ssl), SSL_is_init_finished(ssl),
                          SSL_state_string_long(ssl),
                          sslconn->ssl != NULL ? "yes" : "no",
                          SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
            SSL_peek(ssl, peekbuf, 0);

#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */

            sslconn->reneg_state = RENEG_REJECT;

#if OPENSSL_VERSION_NUMBER < 0x10100000L
            if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
            if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
            if (!SSL_is_init_finished(ssl)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
                              "Re-negotiation handshake failed");
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
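Review bot: The bare `SSL_peek(ssl, peekbuf, 0);` that replaces the `rc = SSL_peek(...)` plus APLOG_TRACE2 pair discards the peek result and drops the only trace of the renegotiation state at this point, so if the peek itself is what fails, the only report is the later `!SSL_is_init_finished(ssl)` path with APLOGNO(02261) and no indication of what led there. Unless the trace was dropped deliberately, a compact APLOG_TRACE2 line with the peek result, `SSL_in_init(ssl)` and `SSL_state_string_long(ssl)` would keep that diagnostic; at minimum make the discard explicit, `(void)SSL_peek(ssl, peekbuf, 0); /* NOTE(review): zero-length peek presumably lets OpenSSL process the renegotiation; result intentionally ignored — confirm */`. The replacement of `SSL_get_state(ssl) != SSL_ST_OK` / `TLS_ST_OK` by `!SSL_is_init_finished(ssl)` here and in the three earlier hunks of this file looks equivalent on both API generations, so no further change is needed there. ssl_hook_Access begins and ends outside these hunks, and the `#if` matching the `#endif` shown here is above the hunk.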
+0 −8
@@ -262,15 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
                      "No cert available to check with OCSP");
        return 1;
    }
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
#else
    /* No need to check cert->valid, because modssl_verify_ocsp() only
     * is called if OpenSSL already successfully verified the certificate
     * (parameter "ok" in ssl_callback_SSLVerify() must be true).
     */
    else if (X509_check_issued(cert,cert) == X509_V_OK) {
#endif
        /* don't do OCSP checking for valid self-issued certs */
        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                      "Skipping OCSP check for valid self-issued cert");
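Review bot: The four-line comment explaining why `cert->valid` no longer needs checking — that modssl_verify_ocsp() is only reached after OpenSSL has already verified the certificate, i.e. `ok` in ssl_callback_SSLVerify() is true — appears to be removed along with the conditional (the section's −8 count only works out if the comment goes too), so the new `else if (X509_check_issued(cert,cert) == X509_V_OK)` skips OCSP for any self-issued certificate with nothing left in the code stating the precondition that makes that safe. Unless the comment was moved above the hunk, restore it directly over the `else if`, since a future caller that invokes this function before verification would bypass OCSP for self-issued certificates without any visible reason why that was once acceptable. modssl_verify_ocsp starts before this hunk and continues after it.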
+0 −22
@@ -609,16 +609,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
    for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
        if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
            && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
            for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
                                                   xsname->entries);
                 j++) {
                xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
                                                xsname->entries, j);
#else
            for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
                xsne = X509_NAME_get_entry(xsname, j);
#endif

                n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));

@@ -920,9 +912,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
                       X509_NAME *xn, apr_pool_t *p)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
#endif
    X509_NAME_ENTRY *xsne;
    apr_hash_t *count;
    int i, nid;
@@ -932,16 +921,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
    count = apr_hash_make(p);

    /* For each RDN... */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
         const char *tag;

         xsne = sk_X509_NAME_ENTRY_value(ents, i);
#else
    for (i = 0; i < X509_NAME_entry_count(xn); i++) {
         const char *tag;
         xsne = X509_NAME_get_entry(xn, i);
#endif

         /* Retrieve the nid, and check whether this is one of the nids
          * which are to be extracted. */
@@ -1115,11 +1097,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
    for (j = 0; j < count; j++) {
        X509_EXTENSION *ext = X509_get_ext(xs, j);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
        if (OBJ_cmp(ext->object, oid) == 0) {
#else
        if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
#endif
            BIO *bio = BIO_new(BIO_s_mem());

            /* We want to obtain a string representation of the extensions