Please sign in to comment.
Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
Streamline ephemeral key handling: - drop support for ephemeral RSA keys (only allowed/needed for export ciphers) - drop pTmpKeys from the per-process SSLModConfigRec, and remove the temp key generation at startup (unnecessary for DHE/ECDHE) - unconditionally disable null and export-grade ciphers by always prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string - do not configure per-connection SSL_tmp_*_callbacks, as it is sufficient to set them for the SSL_CTX - set default curve for ECDHE at startup, obviating the need for a per-handshake callback, for the time being (and also configure SSL_OP_SINGLE_ECDH_USE, previously left out) For additional background, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.email@example.com%3E Follow-up fixes for r1526168: - drop SSL_TMP_KEY_* constants from ssl_private.h, too - make sure we also disable aNULL, eNULL and EXP ciphers for per-directory SSLCipherSuite directives - apply the same treatment to SSLProxyCipherSuite Increase minimum required OpenSSL version to 0.9.8a (in preparation for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y functions added in that release): - remove obsolete #defines / macros - in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not - for ECC and SRP support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly For the discussion prior to taking this step, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E Improve ephemeral key handling (companion to r1526168): - allow to configure custom DHE or ECDHE parameters via the SSLCertificateFile directive, and adapt its documentation accordingly (addresses PR 49559) - add standardized DH parameters from RFCs 2409 and 3526, use them based on the length of the certificate's RSA/DSA key, and add a FAQ entry for clients which limit DH support to 1024 bits (such as Java 7 and earlier) - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to ssl_util_ssl.c, and add ssl_ec_GetParamFromFile() - drop ssl_engine_dh.c from mod_ssl For the standardized DH parameters, OpenSSL version 0.9.8a or later is required, which was therefore made a new minimum requirement in r1527294. PR 55616 (add missing APLOGNO), part 2 Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
- Loading branch information...
Showing with 318 additions and 719 deletions.
- +12 −0 CHANGES
- +0 −1 LAYOUT
- +0 −22 STATUS
- +36 −6 docs/manual/mod/mod_ssl.xml
- +33 −0 docs/manual/ssl/ssl_faq.xml
- +0 −1 modules/ssl/config.m4
- +1 −10 modules/ssl/mod_ssl.c
- +0 −4 modules/ssl/mod_ssl.dsp
- +13 −9 modules/ssl/ssl_engine_config.c
- +0 −244 modules/ssl/ssl_engine_dh.c
- +67 −211 modules/ssl/ssl_engine_init.c
- +2 −2 modules/ssl/ssl_engine_io.c
- +62 −109 modules/ssl/ssl_engine_kernel.c
- +3 −3 modules/ssl/ssl_engine_pphrase.c
- +4 −4 modules/ssl/ssl_engine_vars.c
- +49 −89 modules/ssl/ssl_private.h
- +1 −1 modules/ssl/ssl_scache.c
- +3 −3 modules/ssl/ssl_util.c
- +32 −0 modules/ssl/ssl_util_ssl.c
Oops, something went wrong.