Permalink
Browse files

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527294 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information...
1 parent 430144f commit 2648f2946668e35eb8c8e3551c6e28b18faf6d29 Kaspar Brand committed Sep 29, 2013
View
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
+
*) mod_lua: Let the Inter-VM get/set functions work with a global
shared memory pool instead of a per-process pool. [Daniel Gruno]
View
@@ -570,12 +570,12 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
fi
fi
- AC_MSG_CHECKING([for OpenSSL version >= 0.9.7])
+ AC_MSG_CHECKING([for OpenSSL version >= 0.9.8a])
AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
#if !defined(OPENSSL_VERSION_NUMBER)
#error "Missing OpenSSL version"
#endif
-#if OPENSSL_VERSION_NUMBER < 0x0090700f
+#if OPENSSL_VERSION_NUMBER < 0x0090801f
#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
#endif],
[AC_MSG_RESULT(OK)
View
@@ -153,7 +153,7 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
"Strict SNI virtual host checking")
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
SSL_CMD_SRV(SRPVerifierFile, TAKE1,
"SRP verifier file "
"('/path/to/file' - created by srptool)")
@@ -148,7 +148,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->stapling_force_url = NULL;
#endif
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
mctx->srp_vfile = NULL;
mctx->srp_unknown_user_seed = NULL;
mctx->srp_vbase = NULL;
@@ -209,7 +209,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET;
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
#ifdef HAVE_FIPS
@@ -283,7 +283,7 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
cfgMerge(stapling_force_url, NULL);
#endif
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
cfgMergeString(srp_vfile);
cfgMergeString(srp_unknown_user_seed);
#endif
@@ -344,7 +344,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET);
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
#ifdef HAVE_FIPS
@@ -1664,7 +1664,7 @@ const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)
const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
{
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
@@ -1834,7 +1834,7 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
return NULL;
}
#endif
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
const char *arg)
@@ -1858,7 +1858,7 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
return NULL;
}
-#endif /* OPENSSL_NO_SRP */
+#endif /* HAVE_SRP */
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
@@ -35,7 +35,7 @@
** _________________________________________________________________
*/
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
#define KEYTYPES "RSA, DSA or ECC"
#else
#define KEYTYPES "RSA or DSA"
@@ -303,7 +303,7 @@ static void ssl_init_server_check(server_rec *s,
*/
if (mctx->pks->certs[SSL_AIDX_RSA] ||
mctx->pks->certs[SSL_AIDX_DSA]
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
|| mctx->pks->certs[SSL_AIDX_ECC]
#endif
)
@@ -315,7 +315,7 @@ static void ssl_init_server_check(server_rec *s,
}
}
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
static void ssl_init_ctx_tls_extensions(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -349,7 +349,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
}
#endif
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
/*
* TLS-SRP support
*/
@@ -482,7 +482,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
#ifdef SSL_OP_NO_COMPRESSION
/* OpenSSL >= 1.0 only */
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
-#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+#else
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif
}
@@ -500,7 +500,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
* Configure additional context ingredients
*/
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
#endif
@@ -836,7 +836,7 @@ static void ssl_init_ctx(server_rec *s,
if (mctx->pks) {
/* XXX: proxy support? */
ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
#endif
}
@@ -849,7 +849,7 @@ static int ssl_server_import_cert(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
- MODSSL_D2I_X509_CONST unsigned char *ptr;
+ const unsigned char *ptr;
const char *type = ssl_asn1_keystr(idx);
X509 *cert;
@@ -896,12 +896,12 @@ static int ssl_server_import_key(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
- MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
+ const unsigned char *ptr;
const char *type = ssl_asn1_keystr(idx);
int pkey_type;
EVP_PKEY *pkey;
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
if (idx == SSL_AIDX_ECC)
pkey_type = EVP_PKEY_EC;
else
@@ -1005,30 +1005,30 @@ static void ssl_init_server_certs(server_rec *s,
modssl_ctx_t *mctx)
{
const char *rsa_id, *dsa_id;
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
const char *ecc_id;
#endif
const char *vhost_id = mctx->sc->vhost_id;
int i;
int have_rsa, have_dsa;
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
int have_ecc;
#endif
rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
#endif
have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
#endif
if (!(have_rsa || have_dsa
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
|| have_ecc
#endif
)) {
@@ -1044,12 +1044,12 @@ static void ssl_init_server_certs(server_rec *s,
have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
#endif
if (!(have_rsa || have_dsa
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
|| have_ecc
#endif
)) {
@@ -1058,7 +1058,7 @@ static void ssl_init_server_certs(server_rec *s,
ssl_die(s);
}
-#ifndef OPENSSL_NO_EC
+#ifdef HAVE_ECC
/* Enable ECDHE by configuring a default curve */
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
@@ -1370,7 +1370,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
klen = strlen(key);
if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
-#ifdef OPENSSL_NO_TLSEXT
+#ifndef HAVE_TLSEXT
int level = APLOG_WARNING;
const char *problem = "conflict";
#else
@@ -1394,7 +1394,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
}
if (conflict) {
-#ifdef OPENSSL_NO_TLSEXT
+#ifndef HAVE_TLSEXT
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
"Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!");
@@ -1543,7 +1543,7 @@ static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
{
MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
if (mctx->srp_vbase != NULL) {
SRP_VBASE_free(mctx->srp_vbase);
mctx->srp_vbase = NULL;
@@ -1113,15 +1113,15 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
server = sslconn->server;
if (sslconn->is_proxy) {
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
apr_ipsubnet_t *ip;
#endif
const char *hostname_note = apr_table_get(c->notes,
"proxy-request-hostname");
BOOL proxy_ssl_check_peer_ok = TRUE;
sc = mySrvConfig(server);
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
/*
* Enable SNI for backend requests. Make sure we don't do it for
* pure SSLv3 connections, and also prevent IP addresses
@@ -33,7 +33,7 @@
#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
#endif
@@ -120,7 +120,7 @@ int ssl_hook_ReadReq(request_rec *r)
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLConnRec *sslconn;
const char *upgrade;
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
const char *servername;
#endif
SSL *ssl;
@@ -163,7 +163,7 @@ int ssl_hook_ReadReq(request_rec *r)
if (!ssl) {
return DECLINED;
}
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
char *host, *scope_id;
apr_port_t port;
@@ -330,7 +330,7 @@ int ssl_hook_Access(request_rec *r)
return DECLINED;
}
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
/*
* Support for per-directory reconfigured SSL connection parameters
*
@@ -1114,7 +1114,7 @@ static const char *ssl_hook_Fixup_vars[] = {
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
"SSL_SESSION_RESUMED",
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
"SSL_SRP_USER",
"SSL_SRP_USERINFO",
#endif
@@ -1128,7 +1128,7 @@ int ssl_hook_Fixup(request_rec *r)
SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *env = r->subprocess_env;
char *var, *val = "";
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
const char *servername;
#endif
STACK_OF(X509) *peer_certs;
@@ -1157,7 +1157,7 @@ int ssl_hook_Fixup(request_rec *r)
/* the always present HTTPS (=HTTP over SSL) flag! */
apr_table_setn(env, "HTTPS", "on");
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
/* add content of SNI TLS extension (if supplied with ClientHello) */
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
apr_table_set(env, "SSL_TLS_SNI", servername);
@@ -1851,7 +1851,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
}
}
-#ifndef OPENSSL_NO_TLSEXT
+#ifdef HAVE_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended
* client hello with a server name indication extension ("SNI", cf. RFC 4366).
@@ -2002,7 +2002,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
return 0;
}
-#endif /* OPENSSL_NO_TLSEXT */
+#endif /* HAVE_TLSEXT */
#ifdef HAVE_TLS_SESSION_TICKETS
/*
@@ -2165,7 +2165,7 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
#endif /* HAVE_TLS_NPN */
-#ifndef OPENSSL_NO_SRP
+#ifdef HAVE_SRP
int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
{
@@ -2189,4 +2189,4 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
return SSL_ERROR_NONE;
}
-#endif /* OPENSSL_NO_SRP */
+#endif /* HAVE_SRP */
Oops, something went wrong.

0 comments on commit 2648f29

Please sign in to comment.