diff --git a/changes-entries/ssl_proxy.txt b/changes-entries/ssl_proxy.txt new file mode 100644 index 00000000000..a82f4b1b1a2 --- /dev/null +++ b/changes-entries/ssl_proxy.txt @@ -0,0 +1,16 @@ + *) core/mod_proxy/mod_ssl: + Adding `outgoing` flag to conn_rec, indicating a connection is + initiated by the server to somewhere, in contrast to incoming + connections from clients. + Adding 'ap_ssl_bind_outgoing()` function that marks a connection + as outgoing and is used by mod_proxy instead of the previous + optional function `ssl_engine_set`. This enables other SSL + module to secure proxy connections. + The optional functions `ssl_engine_set`, `ssl_engine_disable` and + `ssl_proxy_enable` are now provided by the core to have backward + compatibility with non-httpd modules that might use them. mod_ssl + itself no longer registers these functions, but keeps them in its + header for backward compatibility. + The core provided optional function wrap any registered function + like it was done for `ssl_is_ssl`. + [Stefan Eissing] \ No newline at end of file diff --git a/include/ap_mmn.h b/include/ap_mmn.h index 70447b845e9..f874f96f2df 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -577,6 +577,7 @@ * 20120211.114 (2.4.49-dev) Add optional balancer_manage function. * 20120211.115 (2.4.49-dev) Add ap_proxy_get_worker_ex() and * ap_proxy_define_worker_ex() to mod_proxy.h + * 20120211.116 (2.4.49-dev) add conn_rec->outgoing and ap_ssl_bind_outgoing() */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ @@ -584,7 +585,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20120211 #endif -#define MODULE_MAGIC_NUMBER_MINOR 115 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 116 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/http_ssl.h b/include/http_ssl.h index 556a58bdb73..0b5379379fd 100644 --- a/include/http_ssl.h +++ b/include/http_ssl.h @@ -34,6 +34,8 @@ extern "C" { #endif +struct ap_conf_vector_t; + /** * This hook allows modules that manage SSL connection to register their * inquiry function for checking if a connection is using SSL from them. @@ -49,6 +51,41 @@ AP_DECLARE_HOOK(int,ssl_conn_is_ssl,(conn_rec *c)) */ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c); +/** + * This hook declares a connection to be outgoing and the configuration that applies to it. + * This hook can be called several times in the lifetime of an outgoing connection, e.g. + * when it is re-used in different request contexts. It will at least be called after the + * connection was created and before the pre-connection hooks is invoked. + * All outgoing-connection hooks are run until one returns something other than DECLINE. + * if enable_ssl != 0, a hook that sets up SSL for the connection needs to return OK + * to prevent subsequent hooks from doing the same. + * + * @param c The connection on which requests/data are to be sent. + * @param dir_conf The directory configuration in which this connection is being used. + * @param enable_ssl If != 0, the SSL protocol should be enabled for this connection. + * @return DECLINED, OK when ssl was enabled + */ +AP_DECLARE_HOOK(int, ssl_bind_outgoing, + (conn_rec *c, struct ap_conf_vector_t *dir_conf, int enable_ssl)) + +/** + * Assures the connection is marked as outgoing and invokes the ssl_bind_outgoing hook. + * This may be called several times on an outgoing connection with varying dir_conf + * values. require_ssl is not allowed to change on the same connection. + * + * @param c The connection on which requests/data are to be sent. + * @param dir_conf The directory configuration in which this connection is being used. + * @param require_ssl != 0 iff this connection needs to be secured by SSL/TLS protocol. + * @return OK iff ssl was required and is enabled, DECLINED otherwise + */ +AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf, + int require_ssl); + +/** + * Return != 0 iff handlers/hooks for outgoing connections are registered. + */ +AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void); + /** * This hook allows modules to look up SSL related variables for a * server/connection/request, depending on what they inquire. Some diff --git a/include/httpd.h b/include/httpd.h index 02cde256ed6..d03626a62b5 100644 --- a/include/httpd.h +++ b/include/httpd.h @@ -1238,6 +1238,8 @@ struct conn_rec { /** The "real" master connection. NULL if I am the master. */ conn_rec *master; + + int outgoing; }; /** diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c index e38622fae70..3fb84c85935 100644 --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -3061,20 +3061,15 @@ PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c) * if c == NULL just check if the optional function was imported * else run the optional function so ssl filters are inserted */ - if (proxy_ssl_enable) { - return c ? proxy_ssl_enable(c) : 1; + if (c == NULL) { + return ap_ssl_has_outgoing_handlers(); } - - return 0; + return ap_ssl_bind_outgoing(c, NULL, 1) == OK; } PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c) { - if (proxy_ssl_disable) { - return proxy_ssl_disable(c); - } - - return 0; + return ap_ssl_bind_outgoing(c, NULL, 0) == OK; } PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c, @@ -3085,20 +3080,10 @@ PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c, * if c == NULL just check if the optional function was imported * else run the optional function so ssl filters are inserted */ - if (proxy_ssl_engine) { - return c ? proxy_ssl_engine(c, per_dir_config, 1, enable) : 1; + if (c == NULL) { + return ap_ssl_has_outgoing_handlers(); } - - if (!per_dir_config) { - if (enable) { - return ap_proxy_ssl_enable(c); - } - else { - return ap_proxy_ssl_disable(c); - } - } - - return 0; + return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK; } PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c) diff --git a/modules/proxy/mod_proxy_hcheck.c b/modules/proxy/mod_proxy_hcheck.c index b78147beedd..24c99b1b3c6 100644 --- a/modules/proxy/mod_proxy_hcheck.c +++ b/modules/proxy/mod_proxy_hcheck.c @@ -20,6 +20,7 @@ #if APR_HAS_THREADS #include "apr_thread_pool.h" #endif +#include "http_ssl.h" module AP_MODULE_DECLARE_DATA proxy_hcheck_module; @@ -603,7 +604,7 @@ static int hc_get_backend(const char *proxy_function, proxy_conn_rec **backend, (*backend)->addr = hc->cp->addr; (*backend)->hostname = hc->s->hostname_ex; if (strcmp(hc->s->scheme, "https") == 0 || strcmp(hc->s->scheme, "wss") == 0 ) { - if (!ap_proxy_ssl_enable(NULL)) { + if (!ap_ssl_has_outgoing_handlers()) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ctx->s, APLOGNO(03252) "mod_ssl not configured?"); return !OK; diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index 3dd57d3f77e..3e5c0567175 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c @@ -1867,7 +1867,7 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker, "HTTP: declining URL %s", url); return DECLINED; /* only interested in HTTP, WS or FTP via proxy */ } - if (is_ssl && !ap_proxy_ssl_enable(NULL)) { + if (is_ssl && !ap_ssl_has_outgoing_handlers()) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112) "HTTP: declining URL %s (mod_ssl not configured?)", url); return DECLINED; diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 12617b234d7..049578f9c5f 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -461,7 +461,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, ap_conf_vector_t *per_dir_config, - int new_proxy) + int reinit) { SSLConnRec *sslconn = myConnConfig(c); int need_setup = 0; @@ -477,7 +477,7 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, sslconn = apr_pcalloc(c->pool, sizeof(*sslconn)); need_setup = 1; } - else if (!new_proxy) { + else if (!reinit) { return sslconn; } @@ -495,8 +495,7 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, if (need_setup) { sslconn->server = c->base_server; sslconn->verify_depth = UNSET; - if (new_proxy) { - sslconn->is_proxy = 1; + if (c->outgoing) { sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite; } else { @@ -516,10 +515,11 @@ static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn) return DECLINED; } if (sslconn) { + /* This connection has already been configured. Check what applies. */ if (sslconn->disabled) { return SUSPENDED; } - if (sslconn->is_proxy) { + if (c->outgoing) { if (!sslconn->dc->proxy_enabled) { return DECLINED; } @@ -531,53 +531,41 @@ static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn) } } else { - if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) { + /* we decline by default for outgoing connections and for incoming + * where the base_server is not enabled. */ + if (c->outgoing || mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) { return DECLINED; } } return OK; } -static int ssl_engine_set(conn_rec *c, - ap_conf_vector_t *per_dir_config, - int proxy, int enable) +static int ssl_hook_ssl_bind_outgoing(conn_rec *c, + ap_conf_vector_t *per_dir_config, + int enable_ssl) { SSLConnRec *sslconn; int status; - - if (proxy) { - sslconn = ssl_init_connection_ctx(c, per_dir_config, 1); - } - else { - sslconn = myConnConfig(c); - } + sslconn = ssl_init_connection_ctx(c, per_dir_config, 1); status = ssl_engine_status(c, sslconn); - - if (proxy && status == DECLINED) { - if (enable) { + if (enable_ssl) { + if (status != OK) { SSLSrvConfigRec *sc = mySrvConfig(sslconn->server); - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961) - "SSL Proxy requested for %s but not enabled " - "[Hint: SSLProxyEngine]", sc->vhost_id); + sslconn->disabled = 1; + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10272) + "SSL Proxy requested for %s but not enabled for us.", + sc->vhost_id); + } + else { + sslconn->disabled = 0; + return OK; } - sslconn->disabled = 1; } - else if (sslconn) { - sslconn->disabled = !enable; + else { + sslconn->disabled = 1; } - - return status != DECLINED; -} - -static int ssl_proxy_enable(conn_rec *c) -{ - return ssl_engine_set(c, NULL, 1, 1); -} - -static int ssl_engine_disable(conn_rec *c) -{ - return ssl_engine_set(c, NULL, 0, 0); + return DECLINED; } int ssl_init_ssl_connection(conn_rec *c, request_rec *r) @@ -601,9 +589,9 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) * Seed the Pseudo Random Number Generator (PRNG) */ ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, - sslconn->is_proxy ? "Proxy: " : "Server: "); + c->outgoing ? "Proxy: " : "Server: "); - mctx = myCtxConfig(sslconn, sc); + mctx = myConnCtxConfig(c, sc); /* * Create a new SSL connection with the configured server SSL context and @@ -621,7 +609,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) return DECLINED; /* XXX */ } - rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0); + rc = ssl_run_pre_handshake(c, ssl, c->outgoing ? 1 : 0); if (rc != OK && rc != DECLINED) { return rc; } @@ -753,10 +741,7 @@ static void ssl_register_hooks(apr_pool_t *p) APR_HOOK_MIDDLE); ssl_var_register(p); - - APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); - APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); - APR_REGISTER_OPTIONAL_FN(ssl_engine_set); + ap_hook_ssl_bind_outgoing (ssl_hook_ssl_bind_outgoing, NULL, NULL, APR_HOOK_MIDDLE); ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl", AUTHZ_PROVIDER_VERSION, diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index d84bcb90a74..8fad43ef427 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -1171,7 +1171,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) } server = sslconn->server; - if (sslconn->is_proxy) { + if (c->outgoing) { #ifdef HAVE_TLSEXT apr_ipsubnet_t *ip; #ifdef HAVE_TLS_ALPN diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index da3d3e180d0..5211a0db348 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1747,7 +1747,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) SSLSrvConfigRec *sc = mySrvConfig(s); SSLConnRec *sslconn = myConnConfig(conn); SSLDirConfigRec *dc = r ? myDirConfig(r) : sslconn->dc; - modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); + modssl_ctx_t *mctx = myConnCtxConfig(conn, sc); int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS; /* Get verify ingredients */ @@ -1771,7 +1771,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) * Check for optionally acceptable non-verifiable issuer situation */ if (dc) { - if (sslconn->is_proxy) { + if (conn->outgoing) { verify = dc->proxy->auth.verify_mode; } else { @@ -1883,7 +1883,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) * Finally check the depth of the certificate verification */ if (dc) { - if (sslconn->is_proxy) { + if (conn->outgoing) { depth = dc->proxy->auth.verify_depth; } else { @@ -2292,7 +2292,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) /* If the reneg state is to reject renegotiations, check the SSL * state machine and move to ABORT if a Client Hello is being * read. */ - if (!sslconn->is_proxy && + if (!c->outgoing && (where & SSL_CB_HANDSHAKE_START) && sslconn->reneg_state == RENEG_REJECT) { sslconn->reneg_state = RENEG_ABORT; @@ -2534,7 +2534,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) * Don't switch the protocol if none is configured for this vhost, * the default in this case is still the base server's SSLProtocol. */ - if (myCtxConfig(sslcon, sc)->protocol_set) { + if (myConnCtxConfig(c, sc)->protocol_set) { SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx)); SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx)); } @@ -2620,8 +2620,7 @@ int ssl_callback_SessionTicket(SSL *ssl, conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); server_rec *s = mySrvFromConn(c); SSLSrvConfigRec *sc = mySrvConfig(s); - SSLConnRec *sslconn = myConnConfig(c); - modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); + modssl_ctx_t *mctx = myConnCtxConfig(c, sc); modssl_ticket_key_t *ticket_key = mctx->ticket_key; if (mode == 1) { diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 827d8318cf5..99b22a2c7df 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -65,10 +65,10 @@ static SSLConnRec *ssl_get_effective_config(conn_rec *c) return sslconn; } -static int ssl_is_https(conn_rec *c) +static int ssl_conn_is_ssl(conn_rec *c) { - SSLConnRec *sslconn = ssl_get_effective_config(c); - return sslconn && sslconn->ssl; + const SSLConnRec *sslconn = ssl_get_effective_config(c); + return (sslconn && sslconn->ssl)? OK : DECLINED; } static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION; @@ -137,7 +137,7 @@ void ssl_var_register(apr_pool_t *p) { char *cp, *cp2; - APR_REGISTER_OPTIONAL_FN(ssl_is_https); + ap_hook_ssl_conn_is_ssl(ssl_conn_is_ssl, NULL, NULL, APR_HOOK_MIDDLE); APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); APR_REGISTER_OPTIONAL_FN(ssl_ext_list); diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index f6d5244fbcc..c19427063d6 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -311,8 +311,8 @@ APLOG_USE_MODULE(ssl); ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)) #define myDirConfig(req) \ ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)) -#define myCtxConfig(sslconn, sc) \ - (sslconn->is_proxy ? sslconn->dc->proxy : sc->server) +#define myConnCtxConfig(c, sc) \ + (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server) #define myModConfig(srv) mySrvConfig((srv))->mc #define mySrvFromConn(c) myConnConfig(c)->server #define myDirConfigFromConn(c) myConnConfig(c)->dc @@ -533,7 +533,6 @@ typedef struct { const char *verify_info; const char *verify_error; int verify_depth; - int is_proxy; int disabled; enum { NON_SSL_OK = 0, /* is SSL request, or error handling completed */ diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index 7bd16d41228..ab77e4a10af 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c @@ -810,8 +810,7 @@ static int stapling_cb(SSL *ssl, void *arg) conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); server_rec *s = mySrvFromConn(conn); SSLSrvConfigRec *sc = mySrvConfig(s); - SSLConnRec *sslconn = myConnConfig(conn); - modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); + modssl_ctx_t *mctx = myConnCtxConfig(conn, sc); UCHAR idx[SHA_DIGEST_LENGTH]; ocsp_resp resp; certinfo *cinf = NULL; diff --git a/server/ssl.c b/server/ssl.c index d62cfe01767..edf958b4b74 100644 --- a/server/ssl.c +++ b/server/ssl.c @@ -36,6 +36,7 @@ #include "httpd.h" #include "http_config.h" #include "http_core.h" +#include "http_connection.h" #include "http_protocol.h" #include "http_request.h" #include "http_main.h" @@ -64,10 +65,20 @@ APR_HOOK_STRUCT( APR_HOOK_LINK(ssl_answer_challenge) APR_HOOK_LINK(ssl_ocsp_prime_hook) APR_HOOK_LINK(ssl_ocsp_get_resp_hook) + APR_HOOK_LINK(ssl_bind_outgoing) ) APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https; +APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); +static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *module_ssl_proxy_enable; +APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); +static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *module_ssl_engine_disable; +APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *, + ap_conf_vector_t *, + int proxy, int enable)); +static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *module_ssl_engine_set; + static int ssl_is_https(conn_rec *c) { @@ -85,6 +96,78 @@ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c) return r; } +static int ssl_engine_set(conn_rec *c, + ap_conf_vector_t *per_dir_config, + int proxy, int enable) +{ + if (proxy) { + return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK; + } + else if (module_ssl_engine_set) { + return module_ssl_engine_set(c, per_dir_config, 0, enable); + } + else if (enable && module_ssl_proxy_enable) { + return module_ssl_proxy_enable(c); + } + else if (!enable && module_ssl_engine_disable) { + return module_ssl_engine_disable(c); + } + return 0; +} + +static int ssl_proxy_enable(conn_rec *c) +{ + return ap_ssl_bind_outgoing(c, NULL, 1); +} + +static int ssl_engine_disable(conn_rec *c) +{ + return ap_ssl_bind_outgoing(c, NULL, 0); +} + +AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf, + int enable_ssl) +{ + int rv, enabled = 0; + + c->outgoing = 1; + rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl); + enabled = (rv == OK); + if (enable_ssl && !enabled) { + /* the hooks did not take over. Is there an old skool optional that will? */ + if (module_ssl_engine_set) { + enabled = module_ssl_engine_set(c, dir_conf, 1, 1); + } + else if (module_ssl_proxy_enable) { + enabled = module_ssl_proxy_enable(c); + } + } + else { + /* !enable_ssl || enabled + * any existing optional funcs need to not enable here */ + if (module_ssl_engine_set) { + module_ssl_engine_set(c, dir_conf, 1, 0); + } + else if (module_ssl_engine_disable) { + module_ssl_engine_disable(c); + } + } + if (enable_ssl && !enabled) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, + c, APLOGNO(01961) " failed to enable ssl support " + "[Hint: if using mod_ssl, see SSLProxyEngine]"); + return DECLINED; + } + return OK; +} + +AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void) +{ + apr_array_header_t *hooks = ap_hook_get_ssl_bind_outgoing(); + return (hooks && hooks->nelts > 0) + || module_ssl_engine_set || module_ssl_proxy_enable; +} + APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup, (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, @@ -128,6 +211,13 @@ AP_DECLARE(void) ap_setup_ssl_optional_fns(apr_pool_t *pool) module_ssl_var_lookup = (fn_ssl_var_lookup && fn_ssl_var_lookup != ssl_var_lookup)? fn_ssl_var_lookup : NULL; APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + + module_ssl_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + module_ssl_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); + module_ssl_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set); + APR_REGISTER_OPTIONAL_FN(ssl_engine_set); } AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p, @@ -191,3 +281,5 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocsp_get_resp_hook, (server_rec *s, conn_rec *c, const char *id, apr_size_t id_len, ap_ssl_ocsp_copy_resp *cb, void *userdata), (s, c, id, id_len, cb, userdata), DECLINED) +AP_IMPLEMENT_HOOK_RUN_FIRST(int,ssl_bind_outgoing,(conn_rec *c, ap_conf_vector_t *dir_conf, int require_ssl), + (c, dir_conf, require_ssl), DECLINED)