SSLCADNRequestFile and SSLCADNRequestPath.

* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.

* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.

PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@125165 13f79535-47bb-0310-9956-ffa450edef68

  It's perferable to use a debug build of ssleay32/libeay32, but offer
  a fallback if they are built as release libraries for creating
  mod_ssl in debug mode.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@124284 13f79535-47bb-0310-9956-ffa450edef68

  FINALLY Correct ap_http_method()!  It is NOT a method, it's a SCHEME!

  Bumped mmn, and ap module cookie, for this function rename.

  It's not a deprecation, as ap_http_method would be a lovely function
  name sometime in the future: to determine what the function name implies.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@123882 13f79535-47bb-0310-9956-ffa450edef68

passed-brigade-reuse "fix" which is currently unnecessary.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@111962 13f79535-47bb-0310-9956-ffa450edef68

from using ap_log_cerror from a c->pool cleanup; the debug message
triggers too often anyway so just remove it.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@111959 13f79535-47bb-0310-9956-ffa450edef68

X509_STORE_CTX_get_ex_data() and SSL_get_ex_data_X509_STORE_CTX_idx()
to use the correct ex_data index from the context in pathological
cases where SSL_get_ex_data_X509_STORE_CTX_idx() does not return 0.

PR: 32529


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@111241 13f79535-47bb-0310-9956-ffa450edef68

Upgrade header check; allow upgrades on any method; don't drop the
ap_pass_brigade return value.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@111159 13f79535-47bb-0310-9956-ffa450edef68

unnecessary check of the Connection request header.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@109499 13f79535-47bb-0310-9956-ffa450edef68

The first client I tested was sending 'upgrade'.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@109447 13f79535-47bb-0310-9956-ffa450edef68

Improve error messages.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@106573 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@106103 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105796 13f79535-47bb-0310-9956-ffa450edef68

change to mod_proxy_http):

* modules/ssl/ssl_engine_io.c (bio_filter_in_read): Return an error if
the read would block so that the SSL_read() caller checks for
SSL_ERROR_WANT_READ, rather than 0, which is treated like EOF.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105768 13f79535-47bb-0310-9956-ffa450edef68

configured SSL certificates to stdout, useful for cron-ing through a
"do I need to renew any of my certificates this week" tool:

* modules/ssl/ssl_engine_config.c (ssl_hook_ConfigTest): New function.

* modules/ssl/mod_ssl.c (ssl_register_hooks): ...register it as a
test_config hook.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105741 13f79535-47bb-0310-9956-ffa450edef68

hide all global symbols defined by mod_ssl other than the module
structure (where possible).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105740 13f79535-47bb-0310-9956-ffa450edef68

modules/mod_ssl.c: Switch to using ap_log_cerror() in place of
ap_log_error() everywhere that the conn_rec * is available.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105739 13f79535-47bb-0310-9956-ffa450edef68

defined and documented and can't be changed.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105683 13f79535-47bb-0310-9956-ffa450edef68

NULL pointer dereference in some configurations.

PR: 31848


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105663 13f79535-47bb-0310-9956-ffa450edef68

Add a check for SSL_ENABLED_OPTIONAL to the http_method and default_port hook so that they return the correct values for an upgradeable connection.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105426 13f79535-47bb-0310-9956-ffa450edef68

* modules/mappers/mod_rewrite.c, modules/ssl/ssl_engine_mutex.c: Use
AP_NEED_SET_MUTEX_PERMS to determine whether unixd_set_*_mutex_perms
calls are necessary.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105411 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.

Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105396 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105354 13f79535-47bb-0310-9956-ffa450edef68

502 not 501 if SSL_connect() fails for a proxy connection.

PR: 31083


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105252 13f79535-47bb-0310-9956-ffa450edef68

shm is not supported, always remove the named segment first to cope
with unclean shutdowns.

PR: 21335 (continued)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105249 13f79535-47bb-0310-9956-ffa450edef68

(2.5.4.45) for old and new versions of OpenSSL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105244 13f79535-47bb-0310-9956-ffa450edef68

function.  (ssl_var_lookup_ssl_cert): Support _V_REMAIN suffix for
SSL_{SERVER,CLIENT} as number of days until certificate expires.

* modules/ssl_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if
+StdEnvVars is configured.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104700 13f79535-47bb-0310-9956-ffa450edef68

handling for AP_MODE_SPECULATIVE.

PR: 30134


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104687 13f79535-47bb-0310-9956-ffa450edef68

* server/log.c (ap_log_pid),
* server/mpm/prefork/prefork.c (accept_mutex_on, accept_mutex_off),
* support/htdbm.c (htdbm_list):
Fix some non-literal format strings (warnings from gcc -Wformat-security).

PR: 30585
Submitted by: Ulf Harnhammar (SITIC), Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104548 13f79535-47bb-0310-9956-ffa450edef68

infinite loop in ssl_io_input_getline if connection is aborted without
inctx->rc being set.

PR: 29964


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104547 13f79535-47bb-0310-9956-ffa450edef68

Tokenize the header while parsing it for the upgrade tokens and once the protocol has been upgraded, allow the request to complete encrypted.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104273 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104082 13f79535-47bb-0310-9956-ffa450edef68

brigade for sending output after passing on the current one.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103967 13f79535-47bb-0310-9956-ffa450edef68

environment variable name.

* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.

* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
 the value of the chosen SSL environment variable.

* modules/ssl/mod_ssl.c: Add SSLUserName config directive.

PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103834 13f79535-47bb-0310-9956-ffa450edef68

which uses the server's cipher preference order rather than the
client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68

never implemented in 2.0 and never needed to be.

* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.

* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103829 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_expire): Likewise.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_expire): Likewise.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_expire): Make static.

* modules/ssl/ssl_private.h: Remove prototypes.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103793 13f79535-47bb-0310-9956-ffa450edef68

functions ssl_util_strupper, ssl_util_ptxtstub, and
ssl_util_uuencode*.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103755 13f79535-47bb-0310-9956-ffa450edef68

overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103754 13f79535-47bb-0310-9956-ffa450edef68

strict-aliasing warning.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103688 13f79535-47bb-0310-9956-ffa450edef68

When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68