#include "ssl_private.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
#ifndef OPENSSL_NO_TLSEXT
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
#endif
/*
 * Report whether the connection's input filter chain already holds
 * request data beyond the current request (a pipelined request).
 *
 * Performs a speculative, non-blocking read of one byte through
 * r->connection->input_filters; the temporary brigade is always
 * destroyed before returning.
 *
 * Returns non-zero when at least one byte is readable, zero otherwise
 * (including when the speculative read itself fails).
 */
static int has_buffered_data(request_rec *r)
{
    apr_bucket_brigade *probe;
    apr_off_t avail = 0;
    int pending = 0;

    probe = apr_brigade_create(r->pool, r->connection->bucket_alloc);

    if (ap_get_brigade(r->connection->input_filters, probe,
                       AP_MODE_SPECULATIVE, APR_NONBLOCK_READ, 1)
        == APR_SUCCESS) {
        if (apr_brigade_length(probe, 1, &avail) == APR_SUCCESS
            && avail > 0) {
            pending = 1;
        }
    }

    apr_brigade_destroy(probe);
    return pending;
}
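/*
 * Post-read-request hook.
 *
 * For connections that carry an SSLConnRec:
 *   1. A plain-HTTP request that arrived on an SSL port
 *      (sslconn->non_ssl_request) is answered with 400; an "error-notes"
 *      entry points the client at the https:// URL.  The URL is passed
 *      through ap_escape_html() because it is embedded in HTML.
 *   2. With TLS extensions compiled in, the SNI host name is checked
 *      against the HTTP Host header: no Host header, a Host header that
 *      does not parse (or carries a scope id), or a name mismatch gives
 *      400.  Without SNI, a name-based vhost is refused with 403 when
 *      strict_sni_vhost_check is on for either the requested vhost or the
 *      vhost that performed the handshake.
 *   3. The request is attached to the SSL object (SSL_set_app_data2) for
 *      the verification callbacks, and the shutdown type is derived from
 *      the environment once per connection.
 *
 * Returns DECLINED when the request may proceed (or the connection is not
 * SSL at all), otherwise an HTTP status code.
 */
int ssl_hook_ReadReq(request_rec *r)
{
    SSLConnRec *sslconn = myConnConfig(r->connection);
#ifndef OPENSSL_NO_TLSEXT
    const char *servername;
#endif
    SSL *ssl;

    if (!sslconn) {
        return DECLINED;
    }

    if (sslconn->non_ssl_request) {
        const char *errmsg;
        char *thisurl;
        char *thisport = "";
        int port = ap_get_server_port(r);

        if (!ap_is_default_port(port, r)) {
            /* %u wants an unsigned argument; keep the format honest. */
            thisport = apr_psprintf(r->pool, ":%u", (unsigned int)port);
        }

        /* Escaped because it is interpolated into an HTML error page. */
        thisurl = ap_escape_html(r->pool,
                                 apr_psprintf(r->pool, "https://%s%s/",
                                              ap_get_server_name(r),
                                              thisport));

        errmsg = apr_psprintf(r->pool,
                              "Reason: You're speaking plain HTTP "
                              "to an SSL-enabled server port.<br />\n"
                              "Instead use the HTTPS scheme to access "
                              "this URL, please.<br />\n"
                              "<blockquote>Hint: "
                              "<a href=\"%s\"><b>%s</b></a></blockquote>",
                              thisurl, thisurl);

        apr_table_setn(r->notes, "error-notes", errmsg);

        /* Clear the flag: the condition is reported once. */
        sslconn->non_ssl_request = 0;

        return HTTP_BAD_REQUEST;
    }

    ssl = sslconn->ssl;
    if (!ssl) {
        return DECLINED;
    }

#ifndef OPENSSL_NO_TLSEXT
    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
        char *host, *scope_id;
        apr_port_t port;
        apr_status_t rv;

        if (!r->hostname) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                         "Hostname %s provided via SNI, but no hostname"
                         " provided in HTTP request", servername);
            return HTTP_BAD_REQUEST;
        }

        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname,
                                 r->pool);
        if (rv != APR_SUCCESS || scope_id) {
            return HTTP_BAD_REQUEST;
        }

        /* Host names are case-insensitive: "Example.com" in the Host
         * header must match an SNI name of "example.com".  A
         * case-sensitive compare here rejected such requests with 400. */
        if (strcasecmp(host, servername)) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                         "Hostname %s provided via SNI and hostname %s provided"
                         " via HTTP are different", servername, host);
            return HTTP_BAD_REQUEST;
        }
    }
    else if ((((mySrvConfig(r->server))->strict_sni_vhost_check
               == SSL_ENABLED_TRUE)
              || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
                 == SSL_ENABLED_TRUE)
             && r->connection->vhost_lookup_data) {
        /* No SNI, but either the requested vhost or the handshake vhost
         * insists on it for name-based hosts. */
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                     "No hostname was provided via SNI for a name based"
                     " virtual host");
        return HTTP_FORBIDDEN;
    }
#endif

    /* Lets ssl_callback_SSLVerify and friends find the request. */
    SSL_set_app_data2(ssl, r);

    if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
                     "%s HTTPS request received for child %ld (server %s)",
                     (r->connection->keepalives <= 0 ?
                      "Initial (No.1)" :
                      apr_psprintf(r->pool, "Subsequent (No.%d)",
                                   r->connection->keepalives+1)),
                     r->connection->id,
                     ssl_util_vhostid(r->pool, r->server));
    }

    /* ssl_configure_env() always leaves a non-UNSET type, so this runs
     * for the first request on the connection only. */
    if (sslconn->shutdown_type == SSL_SHUTDOWN_TYPE_UNSET) {
        ssl_configure_env(r, sslconn);
    }

    return DECLINED;
}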
/*
 * Derive the connection's SSL shutdown type from the request's
 * subprocess environment.
 *
 * The default is SSL_SHUTDOWN_TYPE_STANDARD.  The first environment
 * variable whose name starts with "ssl-" decides: a name continuing
 * with "unclean" selects SSL_SHUTDOWN_TYPE_UNCLEAN, "accurate" selects
 * SSL_SHUTDOWN_TYPE_ACCURATE, and any other "ssl-" name keeps the
 * standard type.  Later "ssl-" variables are not consulted.
 */
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn)
{
    const apr_array_header_t *vars = apr_table_elts(r->subprocess_env);
    const apr_table_entry_t *entry = (const apr_table_entry_t *)vars->elts;
    int idx;

    sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_STANDARD;

    for (idx = 0; idx < vars->nelts; idx++) {
        const char *name = entry[idx].key;
        const char *suffix;

        /* Cheap first-byte test before the full prefix compare. */
        if (*name != 's' || strncmp(name + 1, "sl-", 3) != 0) {
            continue;
        }

        suffix = name + 4;
        if (strncmp(suffix, "unclean", 7) == 0) {
            sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
        }
        else if (strncmp(suffix, "accurate", 8) == 0) {
            sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_ACCURATE;
        }
        return;
    }
}
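/*
 * Release the peer chain material gathered for a quick renegotiation.
 *
 * cert_stack is either OpenSSL's own chain (SSL_get_peer_cert_chain(),
 * not owned by us) or a one-element stack built by ssl_hook_Access that
 * owns the reference returned by SSL_get_peer_certificate().  peer_ref
 * is that reference; it is released here only when no stack of ours has
 * taken it over.  Both may be NULL.
 */
static void release_quick_reneg_chain(SSL *ssl, STACK_OF(X509) *cert_stack,
                                      X509 *peer_ref)
{
    if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
        /* Built by us: pop_free also drops the reference pushed onto it. */
        sk_X509_pop_free(cert_stack, X509_free);
    }
    else if (peer_ref) {
        X509_free(peer_ref);
    }
}

/*
 * Access-control hook.
 *
 * Enforces the per-directory SSL configuration against the connection the
 * request arrived on, renegotiating the TLS session when the
 * handshake-time parameters no longer satisfy it:
 *
 *   - dc->bSSLRequired on a plain connection: 426 with an Upgrade header
 *     when SSL is optional for the vhost, otherwise 403 plus the
 *     "ssl-access-forbidden" note.
 *   - A per-directory cipher suite, or a request for a vhost other than
 *     the one that did the handshake: the cipher list is reconfigured and
 *     a renegotiation scheduled when the permitted set changed (with
 *     SSL_OPT_OPTRENEGOTIATE only when the cipher in use is no longer
 *     permitted).
 *   - A smaller verification depth, or a stricter client-verification
 *     mode than the handshake used: renegotiation; "quick" (re-verifying
 *     the already-presented certificate) when SSL_OPT_OPTRENEGOTIATE is
 *     set and a peer certificate is present.
 *   - Per-directory CA locations differing from the server's
 *     (HAVE_SSL_SET_CERT_STORE only): a fresh X509_STORE and client-CA
 *     list, forcing renegotiation.
 *
 * Before a full renegotiation a pending request body is buffered up to
 * dc->nRenegBufferSize (DEFAULT_RENEG_BUFFER_SIZE when unset; 0 rejects
 * any body with 413).  When a pipelined request is already buffered the
 * connection is marked for close.  After renegotiation the client
 * certificate, verification result and negotiated cipher are re-checked.
 *
 * Finally dc->szUserName is applied to r->user (unless FakeBasicAuth is
 * on) and every SSL requirement expression is evaluated; a false result
 * or an evaluation error yields 403 with "ssl-access-forbidden" set.
 *
 * Returns DECLINED to let other modules decide, or an HTTP status.
 */
int ssl_hook_Access(request_rec *r)
{
    SSLDirConfigRec *dc = myDirConfig(r);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSL *ssl = sslconn ? sslconn->ssl : NULL;
    server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
    SSL_CTX *ctx = NULL;
    apr_array_header_t *requires;
    ssl_require_t *ssl_requires;
    char *cp;
    int ok, i;
    BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
    X509 *cert;
    X509 *peercert;
    X509_STORE *cert_store = NULL;
    X509_STORE_CTX cert_store_ctx;
    STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
    const SSL_CIPHER *cipher = NULL;
    int depth, verify_old, verify, n;

    if (ssl) {
        ctx = SSL_get_SSL_CTX(ssl);
    }

    /* SSL required for this location but the connection is plain. */
    if (dc->bSSLRequired && !ssl) {
        if (sc->enabled == SSL_ENABLED_OPTIONAL) {
            /* Offer an upgrade to TLS instead of refusing outright. */
            apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
            apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
            return HTTP_UPGRADE_REQUIRED;
        }
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "access to %s failed, reason: %s",
                      r->filename, "SSL connection required");
        /* Read by ssl_hook_UserCheck/ssl_hook_Auth under SSL_OPT_STRICTREQUIRE. */
        apr_table_setn(r->notes, "ssl-access-forbidden", "1");
        return HTTP_FORBIDDEN;
    }

    if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
        return DECLINED;
    }

    /*
     * Per-directory cipher suite, or a vhost switch after the handshake:
     * reconfigure the permitted ciphers and decide whether that forces a
     * renegotiation.
     */
    if (dc->szCipherSuite || (r->server != handshakeserver)) {
        if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
            /* Only the cipher actually in use matters in this mode. */
            cipher = SSL_get_current_cipher(ssl);
        }
        else {
            /* Snapshot the old list; it is replaced below. */
            cipher_list_old = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
            if (cipher_list_old) {
                cipher_list_old = sk_SSL_CIPHER_dup(cipher_list_old);
            }
        }

        if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
            !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
                                         dc->szCipherSuite :
                                         sc->server->auth.cipher_suite)) {
            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                          "Unable to reconfigure (per-directory) "
                          "permitted SSL ciphers");
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
            if (cipher_list_old) {
                sk_SSL_CIPHER_free(cipher_list_old);
            }
            return HTTP_FORBIDDEN;
        }

        cipher_list = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);

        if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
            /* Renegotiate only if the current cipher is no longer permitted. */
            if ((!cipher && cipher_list) ||
                (cipher && !cipher_list))
            {
                renegotiate = TRUE;
            }
            else if (cipher && cipher_list &&
                     (sk_SSL_CIPHER_find(cipher_list, cipher) < 0))
            {
                renegotiate = TRUE;
            }
        }
        else {
            /* Renegotiate if the permitted set changed in either direction. */
            if ((!cipher_list_old && cipher_list) ||
                (cipher_list_old && !cipher_list))
            {
                renegotiate = TRUE;
            }
            else if (cipher_list_old && cipher_list) {
                for (n = 0;
                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
                     n++)
                {
                    SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);

                    if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
                        renegotiate = TRUE;
                    }
                }

                for (n = 0;
                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
                     n++)
                {
                    SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);

                    if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
                        renegotiate = TRUE;
                    }
                }
            }
        }

        if (cipher_list_old) {
            sk_SSL_CIPHER_free(cipher_list_old);
        }

        if (renegotiate) {
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
            if (sc->cipher_server_pref == TRUE) {
                SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
            }
#endif
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                          "Reconfigured cipher suite will force renegotiation");
        }
    }

    /*
     * Verification depth: a per-directory depth smaller than the one the
     * handshake used forces a renegotiation.
     */
    n = sslconn->verify_depth ?
        sslconn->verify_depth :
        (mySrvConfig(handshakeserver))->server->auth.verify_depth;

    sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
                            dc->nVerifyDepth : sc->server->auth.verify_depth;

    if (sslconn->verify_depth < n) {
        renegotiate = TRUE;
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                      "Reduced client verification depth will force "
                      "renegotiation");
    }

    /*
     * Client verification mode: translate the configured mode into
     * OpenSSL verify flags and renegotiate when it became stricter.
     */
    if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
        (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
        verify_old = SSL_get_verify_mode(ssl);
        verify = SSL_VERIFY_NONE;

        if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
            verify |= SSL_VERIFY_PEER_STRICT;
        }

        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
        {
            verify |= SSL_VERIFY_PEER;
        }

        modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
        SSL_set_verify_result(ssl, X509_V_OK);

        /* Only a tightening of the mode needs a new handshake. */
        if (!renegotiate && verify != verify_old) {
            if (((verify_old == SSL_VERIFY_NONE) &&
                 (verify != SSL_VERIFY_NONE)) ||
                (!(verify_old & SSL_VERIFY_PEER) &&
                 (verify & SSL_VERIFY_PEER)) ||
                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
                 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
            {
                renegotiate = TRUE;
                /* A certificate already presented can just be re-verified. */
                if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
                    (verify_old == SSL_VERIFY_NONE) &&
                    ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
                {
                    renegotiate_quick = TRUE;
                    X509_free(peercert);
                }

                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                              "Changed client verification type will force "
                              "%srenegotiation",
                              renegotiate_quick ? "quick " : "");
            }
        }

        /*
         * The handshake vhost may differ from the requested one (clients
         * without SNI).  With a vhost-specific CA list a 'require' verify
         * cannot be honoured, so refuse; an optional verify is let through
         * and marked GENEROUS.
         */
        if ((r->server != handshakeserver)
            && renegotiate
            && ((verify & SSL_VERIFY_PEER) ||
                (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
            SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);

#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
            (sc1->server->auth.f && \
             (!sc2->server->auth.f || \
              strNE(sc1->server->auth.f, sc2->server->auth.f)))

            if (MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||
                MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) {
                if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                                  "Non-default virtual host with SSLVerify set to "
                                  "'require' and VirtualHost-specific CA certificate "
                                  "list is only available to clients with TLS server "
                                  "name indication (SNI) support");
                    /* Restore the mode replaced above before bailing out. */
                    modssl_set_verify(ssl, verify_old, NULL);
                    return HTTP_FORBIDDEN;
                }
                else {
                    sslconn->verify_info = "GENEROUS";
                }
            }
        }
    }

#ifdef HAVE_SSL_SET_CERT_STORE
    /*
     * Per-directory CA locations differing from the server's: install a
     * fresh store and client-CA list, which requires a renegotiation.
     */
#define MODSSL_CFG_NE(f) \
    (dc->f && (!sc->f || (sc->f && strNE(dc->f, sc->f))))

#define MODSSL_CFG_CA(f) \
    (dc->f ? dc->f : sc->f)

    if (MODSSL_CFG_NE(szCACertificateFile) ||
        MODSSL_CFG_NE(szCACertificatePath))
    {
        STACK_OF(X509_NAME) *ca_list;
        const char *ca_file = MODSSL_CFG_CA(szCACertificateFile);
        const char *ca_path = MODSSL_CFG_CA(szCACertificatePath);

        cert_store = X509_STORE_new();

        if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "Unable to reconfigure verify locations "
                          "for client authentication");
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
            X509_STORE_free(cert_store);
            return HTTP_FORBIDDEN;
        }

        /* NOTE(review): cert_store is never freed after this point, so
         * SSL_set_cert_store is assumed to take ownership -- confirm. */
        SSL_set_cert_store(ssl, cert_store);

        if (!(ca_list = ssl_init_FindCAList(r->server, r->pool,
                                            ca_file, ca_path)))
        {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                         "Unable to determine list of available "
                         "CA certificates for client authentication");
            return HTTP_FORBIDDEN;
        }

        SSL_set_client_CA_list(ssl, ca_list);
        renegotiate = TRUE;

        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                      "Changed client verification locations will force "
                      "renegotiation");
    }
#endif

    /*
     * A full renegotiation cannot proceed while an unread request body is
     * pending, so buffer it (up to the configured size) first.  Quick
     * renegotiation only re-verifies and needs no buffering.
     */
    if (renegotiate && !renegotiate_quick
        && (apr_table_get(r->headers_in, "transfer-encoding")
            || (apr_table_get(r->headers_in, "content-length")
                && strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
        && !r->expecting_100) {
        int rv;
        apr_size_t rsize;

        rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
                                               dc->nRenegBufferSize;
        if (rsize > 0) {
            rv = ssl_io_buffer_fill(r, rsize);
        }
        else {
            /* A size of 0 means "never buffer": refuse the body outright. */
            rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
        }

        if (rv) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "could not buffer message body to allow "
                          "SSL renegotiation to proceed");
            return rv;
        }
    }

    if (renegotiate) {
        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                      "Requesting connection re-negotiation");

        if (renegotiate_quick) {
            STACK_OF(X509) *cert_stack;
            X509 *peer_ref;

            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                          "Performing quick renegotiation: "
                          "just re-verifying the peer");

            /* The chain is borrowed from the session; the peer certificate
             * is a new reference that must be released on every exit
             * (previously it leaked whenever a chain was present). */
            cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
            peer_ref = SSL_get_peer_certificate(ssl);
            cert = peer_ref;

            if (!cert_stack && cert) {
                /* No chain available: build a one-element stack around the
                 * peer certificate; the stack takes over the reference. */
                cert_stack = sk_X509_new_null();
                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
            }

            if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Cannot find peer certificate chain");
                release_quick_reneg_chain(ssl, cert_stack, peer_ref);
                return HTTP_FORBIDDEN;
            }

            if (!(cert_store ||
                  (cert_store = SSL_CTX_get_cert_store(ctx))))
            {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Cannot find certificate storage");
                release_quick_reneg_chain(ssl, cert_stack, peer_ref);
                return HTTP_FORBIDDEN;
            }

            if (!cert) {
                /* Borrowed from the chain; not a reference of ours. */
                cert = sk_X509_value(cert_stack, 0);
            }

            X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
            depth = SSL_get_verify_depth(ssl);

            if (depth >= 0) {
                X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
            }

            /* Lets ssl_callback_SSLVerify find the SSL object again. */
            X509_STORE_CTX_set_ex_data(&cert_store_ctx,
                                       SSL_get_ex_data_X509_STORE_CTX_idx(),
                                       (char *)ssl);

            if (!modssl_X509_verify_cert(&cert_store_ctx)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Re-negotiation verification step failed");
                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
            }

            /* Not fatal here: the stored result is checked below. */
            SSL_set_verify_result(ssl, cert_store_ctx.error);
            X509_STORE_CTX_cleanup(&cert_store_ctx);

            release_quick_reneg_chain(ssl, cert_stack, peer_ref);
        }
        else {
            request_rec *id = r->main ? r->main : r;

            /* A pipelined request is already buffered: finish this request
             * and then close the connection. */
            if (has_buffered_data(r)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "insecure SSL re-negotiation required, but "
                              "a pipelined request is present; keepalive "
                              "disabled");
                r->connection->keepalive = AP_CONN_CLOSE;
            }

            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                          "Performing full renegotiation: complete handshake "
                          "protocol (%s support secure renegotiation)",
#if defined(SSL_get_secure_renegotiation_support)
                          SSL_get_secure_renegotiation_support(ssl) ?
                          "client does" : "client does not"
#else
                          "server does not"
#endif
                          );

            /* NOTE(review): the session id context is the address of the
             * local 'id' pointer, i.e. a value distinct per request; the
             * intent (presumably no session reuse across requests) is not
             * documented here -- confirm. */
            SSL_set_session_id_context(ssl,
                                       (unsigned char *)&id,
                                       sizeof(id));

            /* Permit exactly this server-initiated handshake; ssl_callback_Info
             * rejects client-initiated ones while in RENEG_REJECT. */
            sslconn->reneg_state = RENEG_ALLOW;

            SSL_renegotiate(ssl);
            SSL_do_handshake(ssl);

            if (SSL_get_state(ssl) != SSL_ST_OK) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Re-negotiation request failed");
                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);

                r->connection->aborted = 1;
                return HTTP_FORBIDDEN;
            }

            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                          "Awaiting re-negotiation handshake");

            SSL_set_state(ssl, SSL_ST_ACCEPT);
            SSL_do_handshake(ssl);

            sslconn->reneg_state = RENEG_REJECT;

            if (SSL_get_state(ssl) != SSL_ST_OK) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Re-negotiation handshake failed: "
                              "Not accepted by client!?");
                r->connection->aborted = 1;
                return HTTP_FORBIDDEN;
            }
        }

        /* Pick up the (possibly new) client certificate; the cached DN is
         * dropped and rebuilt lazily by ssl_hook_UserCheck. */
        if ((cert = SSL_get_peer_certificate(ssl))) {
            if (sslconn->client_cert) {
                X509_free(sslconn->client_cert);
            }
            sslconn->client_cert = cert;
            sslconn->client_dn = NULL;
        }

        if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
            (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
            BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
                              (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));

            if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Re-negotiation handshake failed: "
                              "Client verification failed");
                return HTTP_FORBIDDEN;
            }

            if (do_verify) {
                if ((peercert = SSL_get_peer_certificate(ssl)) == NULL) {
                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                                  "Re-negotiation handshake failed: "
                                  "Client certificate missing");
                    return HTTP_FORBIDDEN;
                }
                X509_free(peercert);
            }
        }

        /* The client may have ignored the new cipher list: check that the
         * cipher actually negotiated is permitted. */
        if (cipher_list) {
            cipher = SSL_get_current_cipher(ssl);
            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "SSL cipher suite not renegotiated: "
                              "access to %s denied using cipher %s",
                              r->filename,
                              SSL_CIPHER_get_name(cipher));
                return HTTP_FORBIDDEN;
            }
        }
    }

    /* Map a configured SSL variable onto r->user unless FakeBasicAuth
     * (which rewrites the Authorization header instead) is on. */
    if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) {
        char *val = ssl_var_lookup(r->pool, r->server, r->connection,
                                   r, (char *)dc->szUserName);
        if (val && val[0]) {
            r->user = val;
        }
    }

    /* Evaluate every SSL requirement expression for this location. */
    requires = dc->aRequirement;
    ssl_requires = (ssl_require_t *)requires->elts;

    for (i = 0; i < requires->nelts; i++) {
        ssl_require_t *req = &ssl_requires[i];
        ok = ssl_expr_exec(r, req->mpExpr);

        if (ok < 0) {
            /* Evaluation error, distinct from a false result. */
            cp = apr_psprintf(r->pool,
                              "Failed to execute "
                              "SSL requirement expression: %s",
                              ssl_expr_get_error());

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "access to %s failed, reason: %s",
                          r->filename, cp);

            apr_table_setn(r->notes, "ssl-access-forbidden", "1");
            return HTTP_FORBIDDEN;
        }

        if (ok != 1) {
            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                          "Access to %s denied for %s "
                          "(requirement expression not fulfilled)",
                          r->filename, r->connection->remote_ip);

            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                          "Failed expression: %s", req->cpExpr);

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "access to %s failed, reason: %s",
                          r->filename,
                          "SSL requirement expression not fulfilled "
                          "(see SSL logfile for more details)");

            apr_table_setn(r->notes, "ssl-access-forbidden", "1");
            return HTTP_FORBIDDEN;
        }
    }

    return DECLINED;
}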
/*
 * Check-user-id hook.
 *
 * With SSL_OPT_STRICTREQUIRE, a request that ssl_hook_Access marked
 * "ssl-access-forbidden" is refused here with 403 as well.  Subrequests
 * are otherwise ignored.
 *
 * An incoming Basic Authorization header whose user name starts with '/'
 * (the shape of a DN rendered by X509_NAME_oneline) and whose password is
 * the literal "password" has the form this hook fabricates itself and is
 * rejected with 403 as a spoof.
 *
 * When SSL_OPT_FAKEBASICAUTH is on, the connection is SSL with a client
 * certificate and no user has been set yet, the Authorization header is
 * replaced by Basic "<client subject DN>:password".  The DN is cached on
 * the connection (sslconn->client_dn) in the connection pool.
 *
 * Returns DECLINED except for the two 403 cases.
 */
int ssl_hook_UserCheck(request_rec *r)
{
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    const char *auth_line;
    int ssl_with_cert;

    if ((dc->nOptions & SSL_OPT_STRICTREQUIRE)
        && apr_table_get(r->notes, "ssl-access-forbidden")) {
        return HTTP_FORBIDDEN;
    }

    if (!ap_is_initial_req(r)) {
        return DECLINED;
    }

    auth_line = apr_table_get(r->headers_in, "Authorization");
    if (auth_line
        && strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
        const char *username, *password;

        while (*auth_line == ' ' || *auth_line == '\t') {
            auth_line++;
        }
        auth_line = ap_pbase64decode(r->pool, auth_line);
        username = ap_getword_nulls(r->pool, &auth_line, ':');
        password = auth_line;

        /* A DN-shaped user with the fake password did not come from us. */
        if (username[0] == '/' && strEQ(password, "password")) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "Encountered FakeBasicAuth spoof: %s", username);
            return HTTP_FORBIDDEN;
        }
    }

    ssl_with_cert = (sc->enabled == SSL_ENABLED_TRUE
                     || sc->enabled == SSL_ENABLED_OPTIONAL)
                    && sslconn && sslconn->ssl && sslconn->client_cert;

    if (!ssl_with_cert
        || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH)
        || r->user) {
        return DECLINED;
    }

    if (!sslconn->client_dn) {
        X509_NAME *subject = X509_get_subject_name(sslconn->client_cert);
        char *oneline = X509_NAME_oneline(subject, NULL, 0);

        /* Connection pool, not request pool: the DN outlives this request. */
        sslconn->client_dn = apr_pstrdup(r->connection->pool, oneline);
        modssl_free(oneline);
    }

    auth_line = apr_pstrcat(r->pool, "Basic ",
                            ap_pbase64encode(r->pool,
                                             apr_pstrcat(r->pool,
                                                         sslconn->client_dn,
                                                         ":password", NULL)),
                            NULL);
    apr_table_set(r->headers_in, "Authorization", auth_line);

    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                  "Faking HTTP Basic Auth header: \"Authorization: %s\"",
                  auth_line);

    return DECLINED;
}
/*
 * Auth-checker hook: with SSL_OPT_STRICTREQUIRE, a request marked
 * "ssl-access-forbidden" by ssl_hook_Access is refused with 403.
 * Otherwise DECLINED.
 */
int ssl_hook_Auth(request_rec *r)
{
    SSLDirConfigRec *dc = myDirConfig(r);
    int strict = (dc->nOptions & SSL_OPT_STRICTREQUIRE) != 0;

    if (!strict) {
        return DECLINED;
    }

    return apr_table_get(r->notes, "ssl-access-forbidden")
           ? HTTP_FORBIDDEN : DECLINED;
}
/*
 * Names of the SSL_* variables exported into the subprocess environment
 * when SSL_OPT_STDENVVARS is set (see ssl_hook_Fixup); each is resolved
 * through ssl_var_lookup() and skipped when it resolves to an empty
 * value.  NULL-terminated.
 */
static const char *ssl_hook_Fixup_vars[] = {
    "SSL_VERSION_INTERFACE",
    "SSL_VERSION_LIBRARY",
    "SSL_PROTOCOL",
    "SSL_SECURE_RENEG",
    "SSL_COMPRESS_METHOD",
    "SSL_CIPHER",
    "SSL_CIPHER_EXPORT",
    "SSL_CIPHER_USEKEYSIZE",
    "SSL_CIPHER_ALGKEYSIZE",
    "SSL_CLIENT_VERIFY",
    "SSL_CLIENT_M_VERSION",
    "SSL_CLIENT_M_SERIAL",
    "SSL_CLIENT_V_START",
    "SSL_CLIENT_V_END",
    "SSL_CLIENT_V_REMAIN",
    "SSL_CLIENT_S_DN",
    "SSL_CLIENT_I_DN",
    "SSL_CLIENT_A_KEY",
    "SSL_CLIENT_A_SIG",
    "SSL_SERVER_M_VERSION",
    "SSL_SERVER_M_SERIAL",
    "SSL_SERVER_V_START",
    "SSL_SERVER_V_END",
    "SSL_SERVER_S_DN",
    "SSL_SERVER_I_DN",
    "SSL_SERVER_A_KEY",
    "SSL_SERVER_A_SIG",
    "SSL_SESSION_ID",
    NULL
};
/*
 * Fixup hook: populate r->subprocess_env for SSL requests.
 *
 * Always sets HTTPS=on and, when the client sent one, SSL_TLS_SNI.  With
 * SSL_OPT_STDENVVARS the DN components are extracted and every name in
 * ssl_hook_Fixup_vars that resolves to a non-empty value is exported.
 * With SSL_OPT_EXPORTCERTDATA the server and client certificates and the
 * client chain (SSL_CLIENT_CERT_CHAIN_<n>) are exported as well.  When
 * the OpenSSL build provides it, the secure-renegotiation support flag is
 * recorded in the "ssl-secure-reneg" note.
 *
 * On a vhost with optional SSL, a non-SSL request gets an Upgrade header
 * advertising TLS.  Non-SSL requests are otherwise DECLINED untouched.
 */
int ssl_hook_Fixup(request_rec *r)
{
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    apr_table_t *env = r->subprocess_env;
    int ssl_enabled = (sc->enabled == SSL_ENABLED_TRUE)
                      || (sc->enabled == SSL_ENABLED_OPTIONAL);
    SSL *ssl = sslconn ? sslconn->ssl : NULL;
#ifndef OPENSSL_NO_TLSEXT
    const char *sni_name;
#endif
    STACK_OF(X509) *chain;
    char *val;
    int i;

    if (sc->enabled == SSL_ENABLED_OPTIONAL && !ssl) {
        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
    }

    if (!ssl_enabled || !ssl) {
        return DECLINED;
    }

    apr_table_setn(env, "HTTPS", "on");

#ifndef OPENSSL_NO_TLSEXT
    sni_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    if (sni_name) {
        /* apr_table_set copies the value; setn would only keep the pointer. */
        apr_table_set(env, "SSL_TLS_SNI", sni_name);
    }
#endif

    if (dc->nOptions & SSL_OPT_STDENVVARS) {
        modssl_var_extract_dns(env, sslconn->ssl, r->pool);

        for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
            char *name = (char *)ssl_hook_Fixup_vars[i];

            val = ssl_var_lookup(r->pool, r->server, r->connection, r, name);
            if (strIsEmpty(val)) {
                continue;
            }
            apr_table_setn(env, name, val);
        }
    }

    if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
        val = ssl_var_lookup(r->pool, r->server, r->connection,
                             r, "SSL_SERVER_CERT");
        apr_table_setn(env, "SSL_SERVER_CERT", val);

        val = ssl_var_lookup(r->pool, r->server, r->connection,
                             r, "SSL_CLIENT_CERT");
        apr_table_setn(env, "SSL_CLIENT_CERT", val);

        chain = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
        if (chain) {
            for (i = 0; i < sk_X509_num(chain); i++) {
                char *name = apr_psprintf(r->pool,
                                          "SSL_CLIENT_CERT_CHAIN_%d", i);

                val = ssl_var_lookup(r->pool, r->server, r->connection,
                                     r, name);
                if (val) {
                    apr_table_setn(env, name, val);
                }
            }
        }
    }

#ifdef SSL_get_secure_renegotiation_support
    apr_table_setn(r->notes, "ssl-secure-reneg",
                   SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
#endif

    return DECLINED;
}
/*
 * OpenSSL temporary-RSA-key callback: hand out the pre-generated key from
 * the module config.  Only a 512-bit request has its own slot
 * (SSL_TMP_KEY_RSA_512); every other length, 1024 included, maps to
 * SSL_TMP_KEY_RSA_1024.  'export' is part of the callback signature and
 * is not consulted.
 */
RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
{
    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
    SSLModConfigRec *mc = myModConfigFromConn(c);
    int slot = (keylen == 512) ? SSL_TMP_KEY_RSA_512 : SSL_TMP_KEY_RSA_1024;

    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                  "handing out temporary %d bit RSA key", keylen);

    return (RSA *)mc->pTmpKeys[slot];
}
/*
 * OpenSSL temporary-DH-parameter callback: hand out the pre-generated
 * parameters from the module config.  Only a 512-bit request has its own
 * slot (SSL_TMP_KEY_DH_512); every other length, 1024 included, maps to
 * SSL_TMP_KEY_DH_1024.  'export' is part of the callback signature and
 * is not consulted.
 */
DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
    SSLModConfigRec *mc = myModConfigFromConn(c);
    int slot = (keylen == 512) ? SSL_TMP_KEY_DH_512 : SSL_TMP_KEY_DH_1024;

    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                  "handing out temporary %d bit DH key", keylen);

    return (DH *)mc->pTmpKeys[slot];
}
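/*
 * OpenSSL certificate verification callback (called per chain element).
 *
 * 'ok' is OpenSSL's verdict for the current certificate; ctx carries the
 * error code and depth.  The effective verify mode and depth come from
 * the per-directory config when a request is attached to the SSL object
 * (SSL_get_app_data2), otherwise from the server/proxy context (mctx).
 *
 * Decision:
 *   - verify mode NONE: accept unconditionally.
 *   - OPTIONAL_NO_CA with an error ssl_verify_error_is_optional() deems
 *     tolerable: accept and mark sslconn->verify_info "GENEROUS".
 *   - an otherwise acceptable certificate is additionally checked against
 *     the configured CRLs (ssl_callback_SSLVerify_CRL).
 *   - a chain deeper than the configured depth is rejected with
 *     X509_V_ERR_CERT_CHAIN_TOO_LONG.
 * On rejection the cached client certificate/DN on the connection are
 * dropped and sslconn->verify_error records the reason string.
 *
 * Returns TRUE to accept the certificate, FALSE to reject it.
 */
int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
{
    SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
                                          SSL_get_ex_data_X509_STORE_CTX_idx());
    conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
    request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
    server_rec *s = r ? r->server : mySrvFromConn(conn);
    SSLSrvConfigRec *sc = mySrvConfig(s);
    SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
    SSLConnRec *sslconn = myConnConfig(conn);
    modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
    int errnum = X509_STORE_CTX_get_error(ctx);
    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
    int depth, verify;

    if (s->loglevel >= APLOG_DEBUG) {
        /* X509_STORE_CTX_get_current_cert() may return NULL when no
         * certificate is relevant to the error; log "-unknown-" instead
         * of dereferencing it. */
        X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
        char *sname = cert ? X509_NAME_oneline(X509_get_subject_name(cert),
                                               NULL, 0) : NULL;
        char *iname = cert ? X509_NAME_oneline(X509_get_issuer_name(cert),
                                               NULL, 0) : NULL;

        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
                      "Certificate Verification: "
                      "depth: %d, subject: %s, issuer: %s",
                      errdepth,
                      sname ? sname : "-unknown-",
                      iname ? iname : "-unknown-");

        if (sname) {
            modssl_free(sname);
        }
        if (iname) {
            modssl_free(iname);
        }
    }

    /* Per-directory setting wins over the context's default. */
    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
        verify = dc->nVerifyClient;
    }
    else {
        verify = mctx->auth.verify_mode;
    }

    if (verify == SSL_CVERIFY_NONE) {
        return TRUE;
    }

    if (ssl_verify_error_is_optional(errnum) &&
        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
    {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
                      "Certificate Verification: Verifiable Issuer is "
                      "configured as optional, therefore we're accepting "
                      "the certificate");
        sslconn->verify_info = "GENEROUS";
        ok = TRUE;
    }

    /* CRL check only for certificates that are otherwise acceptable. */
    if (ok) {
        if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) {
            errnum = X509_STORE_CTX_get_error(ctx);
        }
    }

    if (!ok) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                      "Certificate Verification: Error (%d): %s",
                      errnum, X509_verify_cert_error_string(errnum));

        /* Never leave a rejected certificate cached on the connection. */
        if (sslconn->client_cert) {
            X509_free(sslconn->client_cert);
            sslconn->client_cert = NULL;
        }
        sslconn->client_dn = NULL;
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
    }

    if (dc && (dc->nVerifyDepth != UNSET)) {
        depth = dc->nVerifyDepth;
    }
    else {
        depth = mctx->auth.verify_depth;
    }

    if (errdepth > depth) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                      "Certificate Verification: Certificate Chain too long "
                      "(chain has %d certificates, but maximum allowed are "
                      "only %d)",
                      errdepth, depth);

        errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
        sslconn->verify_error = X509_verify_cert_error_string(errnum);

        ok = FALSE;
    }

    return ok;
}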
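/*
 * CRL check for the certificate currently under verification.
 *
 * Two lookups are made in the context's CRL store (mctx->crl):
 *   1. A CRL whose issuer is this certificate's own subject (i.e. the
 *      certificate is a CA).  Its signature is verified with the
 *      certificate's public key and its nextUpdate must parse and lie in
 *      the future; otherwise the matching X509_V_ERR_* is recorded in ctx
 *      and FALSE is returned.
 *   2. A CRL from this certificate's issuer.  If the certificate's serial
 *      number is listed, ctx gets X509_V_ERR_CERT_REVOKED and FALSE is
 *      returned.
 *
 * Without a configured CRL store 'ok' is passed through unchanged.
 * Returns 'ok', or FALSE on any CRL failure.
 */
int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
{
    SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
                                          SSL_get_ex_data_X509_STORE_CTX_idx());
    request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
    server_rec *s = r ? r->server : mySrvFromConn(c);
    SSLSrvConfigRec *sc = mySrvConfig(s);
    SSLConnRec *sslconn = myConnConfig(c);
    modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
    X509_OBJECT obj;
    X509_NAME *subject, *issuer;
    X509 *cert;
    X509_CRL *crl;
    EVP_PKEY *pubkey;
    int i, n, rc;

    if (!mctx->crl) {
        return ok;
    }

    cert = X509_STORE_CTX_get_current_cert(ctx);
    subject = X509_get_subject_name(cert);
    issuer = X509_get_issuer_name(cert);

    /* Step 1: a CRL this certificate itself issued. */
    memset((char *)&obj, 0, sizeof(obj));
    rc = SSL_X509_STORE_lookup(mctx->crl,
                               X509_LU_CRL, subject, &obj);
    crl = obj.data.crl;

    if ((rc > 0) && crl) {
        if (s->loglevel >= APLOG_DEBUG) {
            char buff[512];
            BIO *bio = BIO_new(BIO_s_mem());

            BIO_printf(bio, "CA CRL: Issuer: ");
            X509_NAME_print(bio, issuer, 0);

            BIO_printf(bio, ", lastUpdate: ");
            ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));

            BIO_printf(bio, ", nextUpdate: ");
            ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));

            /* BIO_read returns a negative count on error; never use it
             * as an index into buff. */
            n = BIO_read(bio, buff, sizeof(buff) - 1);
            if (n < 0) {
                n = 0;
            }
            buff[n] = '\0';

            BIO_free(bio);

            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff);
        }

        /* The CRL must be signed by the key of the certificate it names. */
        pubkey = X509_get_pubkey(cert);
        rc = X509_CRL_verify(crl, pubkey);
#ifdef OPENSSL_VERSION_NUMBER
        /* X509_get_pubkey() hands out a reference of its own. */
        if (pubkey) {
            EVP_PKEY_free(pubkey);
        }
#endif
        if (rc <= 0) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                         "Invalid signature on CRL");

            X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
            X509_OBJECT_free_contents(&obj);
            return FALSE;
        }

        i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));

        if (i == 0) {
            /* 0 from X509_cmp_current_time means the time did not parse. */
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                         "Found CRL has invalid nextUpdate field");

            X509_STORE_CTX_set_error(ctx,
                                     X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
            X509_OBJECT_free_contents(&obj);
            return FALSE;
        }

        if (i < 0) {
            /* nextUpdate already passed: fail closed until a fresh CRL. */
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                         "Found CRL is expired - "
                         "revoking all certificates until you get updated CRL");

            X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
            X509_OBJECT_free_contents(&obj);
            return FALSE;
        }

        X509_OBJECT_free_contents(&obj);
    }

    /* Step 2: the issuer's CRL, searched for this certificate's serial. */
    memset((char *)&obj, 0, sizeof(obj));
    rc = SSL_X509_STORE_lookup(mctx->crl,
                               X509_LU_CRL, issuer, &obj);
    crl = obj.data.crl;

    if ((rc > 0) && crl) {
        n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));

        for (i = 0; i < n; i++) {
            X509_REVOKED *revoked =
                sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
            ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);

            if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
                if (s->loglevel >= APLOG_DEBUG) {
                    char *cp = X509_NAME_oneline(issuer, NULL, 0);
                    /* Serials wider than a long are logged as -1 by
                     * ASN1_INTEGER_get; the revocation still applies. */
                    long serial = ASN1_INTEGER_get(sn);

                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                                 "Certificate with serial %ld (0x%lX) "
                                 "revoked per CRL from issuer %s",
                                 serial, serial, cp);
                    modssl_free(cp);
                }

                X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
                X509_OBJECT_free_contents(&obj);
                return FALSE;
            }
        }

        X509_OBJECT_free_contents(&obj);
    }

    return ok;
}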
#define SSLPROXY_CERT_CB_LOG_FMT \
"Proxy client certificate callback: (%s) "
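/*
 * Debug-level trace for ssl_callback_proxy_cert: logs which proxy client
 * certificate (by subject DN) is about to be sent and why ('msg').
 * No-op below APLOG_DEBUG.  The DN is rendered into a 256-byte stack
 * buffer and may be truncated by X509_NAME_oneline().
 */
static void modssl_proxy_info_log(server_rec *s,
                                  X509_INFO *info,
                                  const char *msg)
{
    SSLSrvConfigRec *sc = mySrvConfig(s);
    char name_buf[256];
    X509_NAME *name;
    char *dn;

    if (s->loglevel < APLOG_DEBUG) {
        return;
    }

    name = X509_get_subject_name(info->x509);
    dn = X509_NAME_oneline(name, name_buf, sizeof(name_buf));

    /* "-unknown-" (was misspelled) matches ssl_callback_SSLVerify's wording. */
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 SSLPROXY_CERT_CB_LOG_FMT "%s, sending %s",
                 sc->vhost_id, msg, dn ? dn : "-unknown-");
}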
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
X509_reference_inc(*cert); \
*pkey = info->x_pkey->dec_pkey; \
EVP_PKEY_reference_inc(*pkey)
/*
 * OpenSSL client-certificate callback for outbound (proxy) connections.
 *
 * Selects a certificate/key pair from the configured proxy client
 * certificates (sc->proxy->pkp->certs):
 *   - none configured: log a warning and return FALSE (nothing sent);
 *   - the server sent no acceptable-CA list: use the first one;
 *   - otherwise use the first configured certificate whose issuer equals
 *     an entry of the server's CA list, walking the CA list in order.
 * Returns TRUE with *x509/*pkey set (a reference taken on each via
 * modssl_set_cert_info) or FALSE when nothing matched.
 */
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
{
    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
    server_rec *s = mySrvFromConn(c);
    SSLSrvConfigRec *sc = mySrvConfig(s);
    STACK_OF(X509_INFO) *certs = sc->proxy->pkp->certs;
    STACK_OF(X509_NAME) *ca_list;
    X509_INFO *info;
    int ca_idx, cert_idx, ncerts;

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 SSLPROXY_CERT_CB_LOG_FMT "entered",
                 sc->vhost_id);

    ncerts = certs ? sk_X509_INFO_num(certs) : 0;
    if (ncerts <= 0) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                     SSLPROXY_CERT_CB_LOG_FMT
                     "downstream server wanted client certificate "
                     "but none are configured", sc->vhost_id);
        return FALSE;
    }

    ca_list = SSL_get_client_CA_list(ssl);
    if (!ca_list || (sk_X509_NAME_num(ca_list) <= 0)) {
        info = sk_X509_INFO_value(certs, 0);
        modssl_proxy_info_log(s, info, "no acceptable CA list");
        /* modssl_set_cert_info expands to several statements: keep it
         * inside a braced block. */
        modssl_set_cert_info(info, x509, pkey);
        return TRUE;
    }

    for (ca_idx = 0; ca_idx < sk_X509_NAME_num(ca_list); ca_idx++) {
        X509_NAME *ca_name = sk_X509_NAME_value(ca_list, ca_idx);

        for (cert_idx = 0; cert_idx < ncerts; cert_idx++) {
            X509_NAME *issuer;

            info = sk_X509_INFO_value(certs, cert_idx);
            issuer = X509_get_issuer_name(info->x509);

            if (X509_NAME_cmp(issuer, ca_name) == 0) {
                modssl_proxy_info_log(s, info, "found acceptable cert");
                modssl_set_cert_info(info, x509, pkey);
                return TRUE;
            }
        }
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 SSLPROXY_CERT_CB_LOG_FMT
                 "no client certificate found!?", sc->vhost_id);
    return FALSE;
}
/*
 * Debug trace for the inter-process session cache callbacks.
 * 'request' names the operation (SET/GET/REM), 'status' and 'result'
 * describe its outcome, and 'timeout' is the absolute expiry (0 = none),
 * shown as seconds remaining from now.  No-op below APLOG_DEBUG.
 */
static void ssl_session_log(server_rec *s,
                            const char *request,
                            unsigned char *id,
                            unsigned int idlen,
                            const char *status,
                            const char *result,
                            long timeout)
{
    char idbuf[SSL_SESSION_ID_STRING_LEN];
    char remaining[56] = {'\0'};

    if (s->loglevel < APLOG_DEBUG) {
        return;
    }

    if (timeout != 0) {
        apr_snprintf(remaining, sizeof(remaining),
                     "timeout=%lds ", (timeout - time(NULL)));
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 "Inter-Process Session Cache: "
                 "request=%s status=%s id=%s %s(session %s)",
                 request, status,
                 SSL_SESSION_id2sz(id, idlen, idbuf, sizeof(idbuf)),
                 remaining, result);
}
/*
 * OpenSSL new-session callback: store the freshly negotiated session in
 * the inter-process cache.  The session's timeout is set to the vhost's
 * session_cache_timeout and the cache entry expires at that many seconds
 * after the session's creation time.  Returns 0, which under the
 * new-session callback contract means no reference to the session was
 * retained.
 */
int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
{
    conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
    server_rec *s = mySrvFromConn(conn);
    SSLSrvConfigRec *sc = mySrvConfig(s);
    long expiry = sc->session_cache_timeout;
    unsigned char *sid;
    unsigned int sidlen;
    BOOL stored;

    SSL_set_timeout(session, expiry);

    sid = SSL_SESSION_get_session_id(session);
    sidlen = SSL_SESSION_get_session_id_length(session);

    /* Turn the relative timeout into an absolute expiry for the cache. */
    expiry += modssl_session_get_time(session);

    stored = ssl_scache_store(s, sid, sidlen, expiry, session);

    ssl_session_log(s, "SET", sid, sidlen,
                    (stored == TRUE) ? "OK" : "BAD",
                    "caching", expiry);

    return 0;
}
/*
 * OpenSSL get-session callback: look 'id' up in the inter-process cache.
 * *do_copy is cleared, which under the callback contract tells OpenSSL
 * not to take an extra reference to the returned session.  Returns the
 * session, or NULL on a miss.
 */
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
                                               unsigned char *id,
                                               int idlen, int *do_copy)
{
    conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
    server_rec *s = mySrvFromConn(conn);
    SSL_SESSION *found = ssl_scache_retrieve(s, id, idlen);
    const char *status = found ? "FOUND" : "MISSED";
    const char *result = found ? "reuse" : "renewal";

    ssl_session_log(s, "GET", id, idlen, status, result, 0);

    *do_copy = 0;
    return found;
}
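/*
 * OpenSSL remove-session callback: drop the session from the
 * inter-process cache.  The server_rec is recovered from the SSL_CTX app
 * data; without it nothing can be done and the call is a no-op.
 * (The unused server-config lookup has been removed.)
 */
void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
                                       SSL_SESSION *session)
{
    server_rec *s;
    unsigned char *id;
    unsigned int idlen;

    if (!(s = (server_rec *)SSL_CTX_get_app_data(ctx))) {
        return;
    }

    id = SSL_SESSION_get_session_id(session);
    idlen = SSL_SESSION_get_session_id_length(session);

    ssl_scache_remove(s, id, idlen);

    ssl_session_log(s, "REM", id, idlen,
                    "OK", "dead", 0);
}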
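/*
 * Debug trace of OpenSSL info-callback events for one connection
 * ('where'/'rc' as passed to ssl_callback_Info).  Each event logs one
 * line at APLOG_DEBUG; a completed handshake additionally logs the peer
 * address, protocol and cipher at APLOG_INFO.
 *
 * Alert events are tested before plain read/write events: OpenSSL
 * reports alerts as SSL_CB_ALERT combined with SSL_CB_READ or
 * SSL_CB_WRITE, so with the read/write tests first the alert branch was
 * never reached and alerts were logged as state strings.
 */
static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
                              server_rec *s, int where, int rc)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "%s: Handshake: start", SSL_LIBRARY_NAME);
    }
    else if (where & SSL_CB_HANDSHAKE_DONE) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "%s: Handshake: done", SSL_LIBRARY_NAME);
    }
    else if (where & SSL_CB_LOOP) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "%s: Loop: %s",
                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
    }
    else if (where & SSL_CB_ALERT) {
        /* Must precede the SSL_CB_READ/SSL_CB_WRITE tests (see above). */
        char *str = (where & SSL_CB_READ) ? "read" : "write";
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "%s: Alert: %s:%s:%s",
                     SSL_LIBRARY_NAME, str,
                     SSL_alert_type_string_long(rc),
                     SSL_alert_desc_string_long(rc));
    }
    else if (where & SSL_CB_READ) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "%s: Read: %s",
                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
    }
    else if (where & SSL_CB_WRITE) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "%s: Write: %s",
                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
    }
    else if (where & SSL_CB_EXIT) {
        if (rc == 0) {
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                         "%s: Exit: failed in %s",
                         SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
        }
        else if (rc < 0) {
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                         "%s: Exit: error in %s",
                         SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
        }
    }

    if (where & SSL_CB_HANDSHAKE_DONE) {
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "Connection: Client IP: %s, Protocol: %s, "
                     "Cipher: %s (%s/%s bits)",
                     ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"),
                     ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
                     ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
                     ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
                     ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
    }
}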
/*
 * OpenSSL info callback.
 *
 * Tracks renegotiation state on the connection: while reneg_state is
 * RENEG_REJECT, a ClientHello seen inside the accept loop (a
 * client-initiated renegotiation) flips it to RENEG_ABORT and is logged
 * as rejected; a finished handshake while in RENEG_INIT moves to
 * RENEG_REJECT.  At APLOG_DEBUG every event is traced through
 * log_tracing_state().  Does nothing when no conn_rec or SSLConnRec is
 * attached to the SSL object.
 */
void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
{
    conn_rec *c = (conn_rec *)SSL_get_app_data((SSL *)ssl);
    SSLConnRec *scr;
    server_rec *s;

    if (c == NULL) {
        return;
    }

    scr = myConnConfig(c);
    if (scr == NULL) {
        return;
    }

    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
        int state = SSL_get_state(ssl);
        int client_hello = (state == SSL3_ST_SR_CLNT_HELLO_A
                            || state == SSL23_ST_SR_CLNT_HELLO_A);

        if (client_hello) {
            scr->reneg_state = RENEG_ABORT;
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          "rejecting client initiated renegotiation");
        }
    }
    else if ((where & SSL_CB_HANDSHAKE_DONE)
             && scr->reneg_state == RENEG_INIT) {
        scr->reneg_state = RENEG_REJECT;
    }

    s = mySrvFromConn(c);
    if (s != NULL && s->loglevel >= APLOG_DEBUG) {
        log_tracing_state(ssl, c, s, where, rc);
    }
}
#ifndef OPENSSL_NO_TLSEXT
/*
 * OpenSSL TLS server-name (SNI) callback.
 *
 * Walks the vhosts reachable on this connection with ssl_find_vhost() to
 * select one whose name matches the SNI host name.  Returns
 * SSL_TLSEXT_ERR_OK when a vhost was selected, SSL_TLSEXT_ERR_ALERT_WARNING
 * when none matched (the default/first vhost stays in effect), and
 * SSL_TLSEXT_ERR_NOACK when no name was sent or no conn_rec is attached.
 * 'al' and 'mctx' are part of the callback signature and unused here.
 */
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
{
    const char *servername =
        SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    conn_rec *c;

    if (!servername) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    c = (conn_rec *)SSL_get_app_data(ssl);
    if (!c) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    if (!ap_vhost_iterate_given_conn(c, ssl_find_vhost, (void *)servername)) {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                      "No matching SSL virtual host for servername "
                      "%s found (using default/first virtual host)",
                      servername);
        return SSL_TLSEXT_ERR_ALERT_WARNING;
    }

    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                  "SSL virtual host for servername %s found",
                  servername);
    return SSL_TLSEXT_ERR_OK;
}
/*
 * Does 's' serve 'servername'?  Case-insensitive exact match on
 * s->server_hostname, then on each entry of s->names, then wildcard
 * match (ap_strcasecmp_match) on each entry of s->wild_names.  NULL
 * entries in the name arrays are skipped.
 */
static int vhost_name_matches(const char *servername, server_rec *s)
{
    apr_array_header_t *aliases;
    int i;

    if (!strcasecmp(servername, s->server_hostname)) {
        return 1;
    }

    aliases = s->names;
    if (aliases) {
        char **alias = (char **)aliases->elts;

        for (i = 0; i < aliases->nelts; ++i) {
            if (alias[i] && !strcasecmp(servername, alias[i])) {
                return 1;
            }
        }
    }

    aliases = s->wild_names;
    if (aliases) {
        char **alias = (char **)aliases->elts;

        for (i = 0; i < aliases->nelts; ++i) {
            if (alias[i] && !ap_strcasecmp_match(servername, alias[i])) {
                return 1;
            }
        }
    }

    return 0;
}

/*
 * ap_vhost_iterate_given_conn() callback used by the SNI callback.
 *
 * When 's' matches the requested server name and the connection has an
 * SSL object and 's' an SSL config, the SSL object is switched to that
 * vhost's SSL_CTX: the context's options are applied and, unless
 * verification is already enabled and a renegotiation has already
 * happened, its verify mode/callback are adopted too.  sslcon->server is
 * updated so later hooks know which vhost did the handshake, and at
 * APLOG_DEBUG the read BIO gets the I/O dump callback.  Note the direct
 * ssl->ctx member access (the SSL struct is opaque in newer OpenSSL).
 *
 * Returns 1 to stop the iteration (vhost chosen), 0 to keep looking.
 */
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
{
    SSLConnRec *sslcon;
    SSLSrvConfigRec *sc;
    SSL *ssl;

    if (!vhost_name_matches(servername, s)) {
        return 0;
    }

    sslcon = myConnConfig(c);
    ssl = sslcon->ssl;
    if (!ssl) {
        return 0;
    }

    sc = mySrvConfig(s);
    if (!sc) {
        return 0;
    }

    SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
    SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));

    if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE)
        || (SSL_num_renegotiations(ssl) == 0)) {
        SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                       SSL_CTX_get_verify_callback(ssl->ctx));
    }

    sslcon->server = s;

    if (s->loglevel >= APLOG_DEBUG) {
        BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
        BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
    }

    return 1;
}
#endif