/*
 * Return the SSLConnRec that governs TLS for connection c.
 *
 * If c carries no SSL object of its own but has a master connection,
 * the master's SSLConnRec is returned instead; otherwise c's own record
 * (which may be NULL) is returned.
 */
static SSLConnRec *ssl_get_effective_config(conn_rec *c)
{
    SSLConnRec *own = myConnConfig(c);

    /* An SSL object on this very connection always wins. */
    if (own && own->ssl) {
        return own;
    }
    /* No SSL here: defer to the master connection when there is one. */
    if (c->master) {
        return myConnConfig(c->master);
    }
    return own;
}
/*
 * Register ALPN/NPN callbacks on connection c.
 *
 * advertisefn  -- callback proposing protocols (may be NULL)
 * negotiatedfn -- callback told about the negotiated protocol (may be NULL)
 *
 * Returns OK once the non-NULL callbacks have been appended to the
 * connection's callback arrays, DECLINED when c has no SSLConnRec or
 * this build has neither HAVE_ALPN_NPN nor HAVE_TLS_NPN.  The arrays
 * live in the connection pool and are both created on first use.
 */
static int modssl_register_alpn(conn_rec *c,
                                ssl_alpn_propose_protos advertisefn,
                                ssl_alpn_proto_negotiated negotiatedfn)
{
#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
    SSLConnRec *sslconn = myConnConfig(c);

    if (sslconn == NULL) {
        return DECLINED;
    }

    /* Both arrays are allocated together the first time anything is registered. */
    if (sslconn->alpn_proposefns == NULL) {
        sslconn->alpn_proposefns =
            apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));
        sslconn->alpn_negofns =
            apr_array_make(c->pool, 5, sizeof(ssl_alpn_proto_negotiated));
    }

    if (advertisefn != NULL) {
        APR_ARRAY_PUSH(sslconn->alpn_proposefns,
                       ssl_alpn_propose_protos) = advertisefn;
    }
    if (negotiatedfn != NULL) {
        APR_ARRAY_PUSH(sslconn->alpn_negofns,
                       ssl_alpn_proto_negotiated) = negotiatedfn;
    }
    return OK;
#else
    (void)c;
    (void)advertisefn;
    (void)negotiatedfn;
    return DECLINED;
#endif
}
/*
 * Return the SSLConnRec attached to connection c, creating one in the
 * connection pool if none exists yet.  A new record is zero-filled
 * (apr_pcalloc) and bound to c->base_server.
 */
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
    SSLConnRec *rec = myConnConfig(c);

    if (rec == NULL) {
        rec = apr_pcalloc(c->pool, sizeof(*rec));
        rec->server = c->base_server;
        myConnConfigSet(c, rec);
    }
    return rec;
}
/*
 * process_connection hook: drive the TLS handshake on connections that
 * have an SSLConnRec and are not disabled.  Always returns DECLINED so
 * that later hooks handle the actual protocol.
 */
static int ssl_hook_process_connection(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);

    if (sslconn == NULL || sslconn->disabled) {
        return DECLINED;
    }

    {
        /* Pull an AP_MODE_INIT brigade through the input filters: this
         * makes the SSL input filter initialise itself and run the
         * handshake, which in turn drives SNI and ALPN.  Only the side
         * effect is wanted; the status is not consulted here and the
         * brigade is thrown away. */
        apr_bucket_brigade *init_bb;

        init_bb = apr_brigade_create(c->pool, c->bucket_alloc);
        (void)ap_get_brigade(c->input_filters, init_bb, AP_MODE_INIT,
                             APR_BLOCK_READ, 0);
        apr_brigade_destroy(init_bb);
    }

    return DECLINED;
}
/*
 * pre_connection hook: decide whether connection c gets an SSL engine.
 *
 * Returns DECLINED when SSL does not apply: c has a master connection,
 * the governing server has no SSL enabled and c is not a proxy
 * connection, or SSL was explicitly disabled for c.  Otherwise an
 * SSLConnRec is created if missing and the work is handed to
 * ssl_init_ssl_connection().  csd is unused.
 */
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
    SSLConnRec *sslconn = myConnConfig(c);
    server_rec *cfg_server = sslconn ? sslconn->server : c->base_server;
    SSLSrvConfigRec *sc = mySrvConfig(cfg_server);
    int ssl_applies;

    /* SSL applies when the server enables it, or when this connection
     * already carries an SSLConnRec flagged as proxy. */
    ssl_applies = (sc != NULL)
        && (sc->enabled == SSL_ENABLED_TRUE
            || (sslconn != NULL && sslconn->is_proxy));

    /* A connection with a master never runs its own engine. */
    if (c->master || !ssl_applies) {
        return DECLINED;
    }

    if (sslconn == NULL) {
        sslconn = ssl_init_connection_ctx(c);
    }
    if (sslconn->disabled) {
        return DECLINED;
    }

    /* Record the connection for later use inside callbacks. */
    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
                  "Connection to child %ld established "
                  "(server %s)", c->id, sc->vhost_id);

    return ssl_init_ssl_connection(c, NULL);
}
/*
 * Return the SSLConnRec attached to connection c, allocating one in the
 * connection pool on first call.  A fresh record is zero-filled, bound
 * to c->base_server, has verify_depth set to UNSET and takes its
 * cipher_suite from the base server's server context.
 */
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
    SSLConnRec *rec = myConnConfig(c);

    if (rec == NULL) {
        SSLSrvConfigRec *sc;

        rec = apr_pcalloc(c->pool, sizeof(*rec));
        rec->server = c->base_server;
        rec->verify_depth = UNSET;

        sc = mySrvConfig(c->base_server);
        rec->cipher_suite = sc->server->auth.cipher_suite;

        myConnConfigSet(c, rec);
    }
    return rec;
}
/*
 * Disable the SSL engine for connection c (not file-local, so callable
 * from outside this file).
 *
 * Returns 0 when SSL is already off for the governing server (nothing
 * to do).  Otherwise ensures c has an SSLConnRec, marks it disabled and
 * returns 1.
 */
int ssl_engine_disable(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);
    server_rec *s = sslconn ? sslconn->server : c->base_server;
    SSLSrvConfigRec *sc = mySrvConfig(s);

    if (sc->enabled == SSL_ENABLED_FALSE) {
        return 0;
    }

    ssl_init_connection_ctx(c)->disabled = 1;
    return 1;
}
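/*
 * Create the OpenSSL SSL object for connection c and attach it to the
 * connection's SSLConnRec and I/O filters.
 *
 * Steps: ensure an SSLConnRec exists, seed the PRNG for the governing
 * server, pick the server or proxy context, create the SSL object, set
 * a per-vhost session-id context (hex MD5 of the vhost id), link SSL and
 * conn_rec through the app data slots, install the temp-key callbacks
 * and finally initialise the SSL I/O filters.
 *
 * Returns APR_SUCCESS on success.  On failure the connection is marked
 * aborted and DECLINED is returned (the XXX markers flag that this mixes
 * a hook return code into an otherwise apr_status_t-style result).
 *
 * Fix: if SSL_set_session_id_context() fails, the SSL object created
 * just before was leaked.  It is released with SSL_free() on that path;
 * nothing else references it yet, since sslconn->ssl is assigned later.
 */
int ssl_init_ssl_connection(conn_rec *c)
{
    SSLSrvConfigRec *sc;
    SSL *ssl;
    SSLConnRec *sslconn = myConnConfig(c);
    char *vhost_md5;
    modssl_ctx_t *mctx;
    server_rec *server;

    if (!sslconn) {
        sslconn = ssl_init_connection_ctx(c);
    }
    server = sslconn->server;
    sc = mySrvConfig(server);

    /*
     * Seed the Pseudo Random Number Generator (PRNG)
     */
    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");

    /* Proxy connections use the proxy context, everything else the server one. */
    mctx = sslconn->is_proxy ? sc->proxy : sc->server;

    /*
     * Create a new SSL connection with the configured server SSL context and
     * attach this to the socket. Additionally we register this attachment
     * so we can detach later.
     */
    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "Unable to create a new SSL connection from the SSL "
                      "context");
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
        /* Abort the connection rather than carry on without TLS. */
        c->aborted = 1;
        return DECLINED; /* XXX */
    }

    /* Session-id context: hex MD5 of the vhost id, APR_MD5_DIGESTSIZE*2
     * (32) bytes, which fits OpenSSL's SSL_MAX_SID_CTX_LENGTH. */
    vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
                              sc->vhost_id_len);

    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                    APR_MD5_DIGESTSIZE*2)) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "Unable to set session id context to `%s'", vhost_md5);
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
        /* ssl is referenced nowhere else yet; release it to avoid a leak. */
        SSL_free(ssl);
        c->aborted = 1;
        return DECLINED; /* XXX */
    }

    SSL_set_app_data(ssl, c);
    SSL_set_app_data2(ssl, NULL); /* will be request_rec */

    sslconn->ssl = ssl;

    /*
     * Configure callbacks for SSL connection
     */
    SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
    SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);

    /* NOTE(review): verify result is reset to X509_V_OK up front --
     * presumably so a later verification outcome is authoritative; confirm. */
    SSL_set_verify_result(ssl, X509_V_OK);

    ssl_io_filter_init(c, ssl);

    return APR_SUCCESS;
}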