>Number: 2269
>Category: general
>Synopsis: Some modifications to 1.3b6 and the Apache-SSL patch from Ben Laurie <[EMAIL PROTECTED]>
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Fri May 22 16:40:00 PDT 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3b6
>Environment:
Linux cynosure.lanl.gov 2.0.27 #1 Fri Dec 12 09:15:43 MST 1997 i686 unknown
>Description:
diff -u -r apache_1.3b6/Makefile.tmpl apache_1.3b6+SSL/Makefile.tmpl
--- apache_1.3b6/Makefile.tmpl Tue Apr 14 13:17:36 1998
+++ apache_1.3b6+SSL/Makefile.tmpl Thu May 14 09:46:40 1998
@@ -194,6 +194,10 @@
echo "+--------------------------------------------------------+"; \
fi
+CERTCONF=../conf
+certificate:
+ (cd src;make CERTCONF=$(CERTCONF) certificate)
+
# the non-verbose variant for package maintainers
install-quiet:
@$(MAKE) -f $(MKF) QUIET=1 install
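Review bot: the recursive invocation in the new `certificate` target should use `$(MAKE)` rather than a bare `make`, as the neighbouring `install-quiet` target does with `@$(MAKE) -f $(MKF) QUIET=1 install`; otherwise command-line variables and flags do not propagate and a non-default make binary is not honoured. Since no file named `certificate` is produced in this directory, the target should also be marked phony so a stray file of that name cannot silently disable it.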
diff -u -r apache_1.3b6/conf/httpd.conf-dist
apache_1.3b6+SSL/conf/httpd.conf-dist
--- apache_1.3b6/conf/httpd.conf-dist Wed Apr 1 06:16:39 1998
+++ apache_1.3b6+SSL/conf/httpd.conf-dist Fri May 22 16:56:22 1998
@@ -1,3 +1,7 @@
+##
+## httpd.conf -- Apache HTTP server configuration file
+##
+
# This is the main server configuration file. See URL http://www.apache.org/
# for instructions.
@@ -25,6 +29,7 @@
# need httpd to be run as root initially.
Port 80
+Listen 80
# HostnameLookups: Log the names of clients or just their IP numbers
# e.g. www.apache.org (on) or 204.62.129.132 (off)
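Review bot: adding `Listen 80` next to `Port 80` changes the meaning of `Port` without the surrounding comment saying so: once any `Listen` directive is present, Apache 1.3 binds only to the listed addresses and `Port` only sets the canonical port used in self-referential URLs, which is why the `Listen 443` further down is required for the SSL virtual host. A one-line comment here would save the next reader the surprise.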
@@ -41,8 +46,8 @@
# On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
-User nobody
-Group #-1
+User www-data
+Group www-data
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.
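Review bot: `User www-data` / `Group www-data` hard-codes a Debian-specific account into the distributed default; on a system without that account the server fails to start, whereas the previous `nobody` / `#-1` pair worked everywhere. Running as a dedicated unprivileged user is the right direction, but the -dist file should either keep a portable default or state in the comment that the account must be created before the server is started.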
@@ -67,7 +72,7 @@
# ErrorLog: The location of the error log file. If this does not start
# with /, ServerRoot is prepended to it.
-ErrorLog logs/error_log
+ErrorLog var/logs/error_log
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
@@ -86,27 +91,27 @@
# The location of the access logfile (Common Logfile Format).
# If this does not start with /, ServerRoot is prepended to it.
-CustomLog logs/access_log common
+CustomLog var/logs/access_log common
# If you would like to have an agent and referer logfile uncomment the
# following directives.
-#CustomLog logs/referer_log referer
-#CustomLog logs/agent_log agent
+#CustomLog var/logs/referer_log referer
+#CustomLog var/logs/agent_log agent
# If you prefer a single logfile with access, agent and referer information
# (Combined Logfile Format) you can use the following directive.
-#CustomLog logs/access_log combined
+#CustomLog var/logs/access_log combined
# PidFile: The file the server should log its pid to
-PidFile logs/httpd.pid
+PidFile var/run/httpd.pid
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file is created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
-ScoreBoardFile logs/apache_runtime_status
+ScoreBoardFile var/logs/apache_runtime_status
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
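Review bot: the new layout is inconsistent: `PidFile var/run/httpd.pid` moves to var/run, but `ScoreBoardFile var/logs/apache_runtime_status` stays under var/logs while the LockFile hunk below goes to `var/run/httpd.lock`. Pick one location for the runtime state files, and make sure the install step creates var/run and var/logs owned by root and not writable by the `User` account, since a scoreboard or lock file in a directory the server user can write to invites symlink games against the root-owned parent process.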
@@ -116,7 +121,7 @@
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
-#LockFile logs/accept.lock
+#LockFile var/run/httpd.lock
# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e. use
@@ -205,7 +210,7 @@
# To enable the cache as well, edit and uncomment the following lines:
-#CacheRoot @@ServerRoot@@/proxy
+#CacheRoot var/proxy
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
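Review bot: `#CacheRoot var/proxy` drops the `@@ServerRoot@@` prefix the original used; unlike the log directives above, whose comments state that ServerRoot is prepended to relative paths, it is worth confirming that mod_proxy resolves a relative `CacheRoot` against ServerRoot rather than the current working directory before a relative value is shipped here.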
@@ -235,4 +240,121 @@
#TransferLog logs/host.some_domain.com-access_log
#</VirtualHost>
+# Note that all SSL options can apply to virtual hosts.
+# which is where I'm going to put them (cpw)
+
+# Disable SSL globally. Useful in combination with virtual hosts.
+# Note that SSLEnable is now also supported.
+
+SSLDisable
+
+# This configuration applies ssl to a "virtualhost"
+
+Listen 443
+<VirtualHost cynosure.lanl.gov:443>
+ServerAdmin [EMAIL PROTECTED]
+DocumentRoot /home/wwws
+ServerName cynosure.lanl.gov
+ErrorLog var/logs/wwws.errors
+TransferLog var/logs/wwws.transfers
+
+SSLEnable
+
+# Set the path for the global cache server executable.
+# If this facility gives you trouble, you can disable it by setting
+# CACHE_SESSIONS to FALSE in apache_ssl.c
+
+#SSLCacheServerPath /usr/sbin/gcache
+
+# Set the global cache server port number
+
+#SSLCacheServerPort 1234
+
+# Set the session cache timeout, in seconds (set to 15 for testing, use a
+# higher value in real life)
+
+#SSLSessionCacheTimeout 300
+
+# Set the CA certificate verification path (must be PEM encoded).
+# (in addition to getenv("SSL_CERT_DIR"), I think).
+
+SSLCACertificatePath etc
+
+# Set the CA certificate verification file (must be PEM encoded).
+# (in addition to getenv("SSL_CERT_FILE"), I think).
+
+#SSLCACertificateFile /some/where/somefile.pem
+
+# Point SSLCertificateFile at a PEM encoded certificate.
+# If the certificate is encrypted, then you will be prompted for a pass phrase.
+# Note that a kill -1 will prompt again.
+# A test certificate can be generated with "make certificate".
+
+#SSLCertificateFile /some/where/somefile.pem
+
+SSLCertificateFile @@ServerRoot@@/etc/httpsd.pem
+
+
+# If the key is not combined with the certificate, use this directive to
+# point at the key file. If this starts with a '/' it specifies an absolute
+# path, otherwise it is relative to the default certificate area. That is, it
+# means "<default>/private/<keyfile>".
+#SSLCertificateKeyFile /some/place/with/your.key
+
+# Set SSLVerifyClient to:
+# 0 if no certicate is required
+# 1 if the client may present a valid certificate
+# 2 if the client must present a valid certificate
+# 3 if the client may present a valid certificate but it is not required to
+# have a valid CA
+
+SSLVerifyClient 0
+
+# How deeply to verify before deciding they don't have a valid certificate
+
+SSLVerifyDepth 10
+
+# Translate the client X509 into a Basic authorisation. This means that the
+# standard Auth/DBMAuth methods can be used for access control. The user name
+# is the "one line" version of the client's X509 certificate. Note that no
+# password is obtained from the user. Every entry in the user file needs this
+# password: xxj31ZMTZzkVA. See the code for further explanation.
+
+SSLFakeBasicAuth
+
+# List the ciphers that the client is permitted to negotiate. See the source
+# for a definitive list. For example:
+
+#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
+
+# These two can be used per-directory to require or ban ciphers. Note that (at
+# least in the current version) Apache-SSL will not attempt to renegotiate if a
+# cipher is banned (or not required).
+
+#SSLRequireCipher
+#SSLBanCipher
+
+# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated
+# in the error log file. Put this somewhere where it cannot be used for symlink
+# attacks on a real server (i.e. somewhere where only root can write).
+
+SSLLogFile @@ServerRoot@@/var/logs/sslrubbish.log
+
+# Custom logging
+
+CustomLog var/logs/ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
+</VirtualHost>
+# Experiment with authorization...
+<Directory /usr/local/www/webspace/docs/bind>
+deny from all
+allow from .lanl.gov
+AuthType Basic
+AuthName "Network Operations"
+AuthDBMGroupFile /usr/local/www/auth/userbase
+AuthDBMUserFile /usr/local/www/auth/userbase
+<Limit PUT GET>
+require group admin
+#satisfy any
+</Limit>
+</Directory>
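Review bot: the SSL virtual host and the `<Directory /usr/local/www/webspace/docs/bind>` block carry one site's values into a -dist file: `cynosure.lanl.gov`, `/home/wwws`, `allow from .lanl.gov`, the `(cpw)` remark and the `# Experiment with authorization...` heading. Replace them with `@@ServerRoot@@`-style placeholders or drop the experimental block. Inside that block `require group admin` sits within `<Limit PUT GET>`, so it only protects PUT and GET; POST, HEAD and every other method reach the directory with no group check at all. Move the `require` outside the `<Limit>` so it applies to every method, which is what the Apache docs advise whenever the restriction is not meant to be method-specific. Finally `SSLCertificateFile` appears twice (a commented example and the live `@@ServerRoot@@/etc/httpsd.pem`), and the comment on `SSLLogFile` asks for a root-only location while the value points into the same var/logs directory as the ordinary logs; that is fine only if that directory is root-owned, which the comment should say.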
Only in apache_1.3b6+SSL/conf: httpsd.pem
diff -u -r apache_1.3b6/conf/srm.conf-dist apache_1.3b6+SSL/conf/srm.conf-dist
--- apache_1.3b6/conf/srm.conf-dist Sat Mar 14 12:02:20 1998
+++ apache_1.3b6+SSL/conf/srm.conf-dist Fri May 22 17:00:23 1998
@@ -212,7 +212,7 @@
# mod_mime_magic allows the server to use various hints from the file itself
# to determine its type.
-#MimeMagicFile conf/magic
+#MimeMagicFile etc/magic
# The following directives disable keepalives and HTTP header flushes.
# The first directive disables it for Netscape 2.x and browsers which
Only in apache_1.3b6+SSL: configure.ssl
diff -u -r apache_1.3b6/src/Configuration apache_1.3b6+SSL/src/Configuration
--- apache_1.3b6/src/Configuration Wed Apr 15 18:22:24 1998
+++ apache_1.3b6+SSL/src/Configuration Thu May 14 08:53:42 1998
@@ -135,6 +135,7 @@
Rule IRIXNIS=no
Rule IRIXN32=yes
Rule PARANOID=no
+Rule SSL=yes
# The following rules should be set automatically by Configure. However, if
# they are not set by Configure (because we don't know the correct value for
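Review bot: src/Configuration duplicates the src/Configuration.tmpl hunk further down; Configuration is the user's working copy of the template, so patching the template alone is enough and avoids the two drifting apart over time.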
@@ -359,4 +360,10 @@
## should be the last (highest priority) module.
AddModule modules/standard/mod_setenvif.o
+
+
+# Damn damn damn. Apache inverts the module list. SSL must go first to fake
+# basic authorization. So, uncomment this line to add SSL.
+
+# AddModule modules/experimental/mod_apache_ssl.o
Only in apache_1.3b6+SSL/src: Configuration.apaci
diff -u -r apache_1.3b6/src/Configuration.tmpl
apache_1.3b6+SSL/src/Configuration.tmpl
--- apache_1.3b6/src/Configuration.tmpl Tue Apr 14 02:27:33 1998
+++ apache_1.3b6+SSL/src/Configuration.tmpl Tue May 12 16:34:16 1998
@@ -135,6 +135,7 @@
Rule IRIXNIS=no
Rule IRIXN32=yes
Rule PARANOID=no
+Rule SSL=yes
# The following rules should be set automatically by Configure. However, if
# they are not set by Configure (because we don't know the correct value for
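Review bot: `Rule SSL=yes` as the shipped default makes every build compile with `-DAPACHE_SSL` and link `-lssl -lcrypto`, which fails on any machine without SSLeay installed; default to `Rule SSL=no` and let users switch to `yes` or to a path when they want the SSL build.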
@@ -359,4 +360,10 @@
## should be the last (highest priority) module.
AddModule modules/standard/mod_setenvif.o
+
+
+# Damn damn damn. Apache inverts the module list. SSL must go first to fake
+# basic authorization. So, uncomment this line to add SSL.
+
+# AddModule modules/experimental/mod_apache_ssl.o
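Review bot: the comment says SSL must go first, yet the commented-out `# AddModule modules/experimental/mod_apache_ssl.o` is placed after mod_setenvif, which the header two lines up says `should be the last (highest priority) module`. A user who uncomments it in place gets the opposite of the stated ordering. Either move the line to where it belongs and say so, or have the `Rule SSL` setting add the module automatically so there is nothing to uncomment. The `Damn damn damn` wording also does not belong in a shipped template.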
diff -u -r apache_1.3b6/src/Configure apache_1.3b6+SSL/src/Configure
--- apache_1.3b6/src/Configure Wed Apr 15 11:10:18 1998
+++ apache_1.3b6+SSL/src/Configure Wed May 13 14:01:58 1998
@@ -233,6 +233,7 @@
RULE_IRIXN32=`./helpers/CutRule IRIXN32 $file`
RULE_PARANOID=`./helpers/CutRule PARANOID $file`
RULE_SHARED_CORE=`./helpers/CutRule SHARED_CORE $file`
+RULE_SSL=`./helpers/CutRule SSL $file`
####################################################################
## Rule SHARED_CORE implies required DSO support
@@ -1064,6 +1065,25 @@
LIBS="$LIBS -lresolv"
fi
fi
+#
+# Now SSL.
+#
+if [ "$RULE_SSL" != "no" ]; then
+ if [ "$RULE_SSL" = "yes" ]; then # assume default ssl install
+ CFLAGS="$CFLAGS -DAPACHE_SSL"
+ SSL_BASE=/usr/local/ssl
+ INCLUDES0="$INCLUDES0 -I$SSL_BASE/include"
+ LDFLAGS="$LDFLAGS -L$SSL_BASE/lib"
+ LIBS="$LIBS -lssl -lcrypto"
+ else
+ CFLAGS="$CFLAGS -DAPACHE_SSL"
+ SSL_BASE=$RULE_SSL
+ INCLUDES0="$INCLUDES0 -I$SSL_BASE/include"
+ LDFLAGS="$LDFLAGS -L$SSL_BASE" # libs are in base
+ LIBS="$LIBS -lssl -lcrypto"
+ fi
+fi
+
####################################################################
## Find out what modules we want and try and configure things for them
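Review bot: the guard `if [ "$RULE_SSL" != "no" ]` treats an absent rule as enabled: a Configuration file that predates this patch leaves `RULE_SSL` empty, the `else` branch runs with `SSL_BASE` empty, and the build gets `-DAPACHE_SSL`, `-I/include` and a bare `-L`. Test for the empty string too, for example `if [ "x$RULE_SSL" != "x" ] && [ "$RULE_SSL" != "no" ]`. The two branches also repeat the `CFLAGS`, `INCLUDES0` and `LIBS` assignments; only `SSL_BASE` and the `-L` path differ, so set those in the branches and do the rest once. The default case links from `$SSL_BASE/lib` while a user-supplied base links from `$SSL_BASE` itself; the `# libs are in base` comment should state which layout is expected so users know what to pass.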
@@ -1411,7 +1431,7 @@
##
echo "CFLAGS1=$CFLAGS">> Makefile.config
echo "INCDIR=\$(SRCDIR)/include" >>Makefile.config
-echo "INCLUDES0=-I\$(SRCDIR)/$OSDIR -I\$(SRCDIR)/include">> Makefile.config
+echo "INCLUDES0=-I\$(SRCDIR)/$OSDIR -I\$(SRCDIR)/include $INCLUDES0">>
Makefile.config
echo "INCLUDES1=$INCLUDES">> Makefile.config
echo "LIBS1=$LIBS">> Makefile.config
echo "LDFLAGS1=$LDFLAGS">> Makefile.config
@@ -1471,7 +1491,9 @@
# ./Makefile
$CAT Makefile.config >> Makefile
-sed -e "s#@@Configuration@@#$file#" "Makefile.tmpl" >>Makefile
+sed -e "s#@@Configuration@@#$file#g" \
+ -e "s#@@SSL_BASE@@#$SSL_BASE#g" \
+ < "Makefile.tmpl" >>Makefile
# xxx/Makefile
MAKEDIRS="support main ap regex $OSDIR"
Only in apache_1.3b6+SSL/src: Makefile.config
diff -u -r apache_1.3b6/src/Makefile.tmpl apache_1.3b6+SSL/src/Makefile.tmpl
--- apache_1.3b6/src/Makefile.tmpl Sat Apr 11 13:59:26 1998
+++ apache_1.3b6+SSL/src/Makefile.tmpl Thu May 14 09:48:17 1998
@@ -51,6 +51,14 @@
done; \
fi
+CERTCONF=../conf
+certificate:
+ @@SSL_BASE@@/bin/ssleay req -config @@SSL_BASE@@/lib/ssleay.cnf \
+ -new -x509 -nodes -out $(CERTCONF)/httpsd.pem \
+ -keyout $(CERTCONF)/httpsd.pem; \
+ ln -sf $(CERTCONF)/httpsd.pem $(CERTCONF)/`@@SSL_BASE@@/bin/ssleay \
+ x509 -noout -hash < $(CERTCONF)/httpsd.pem`.0
+
subdirs:
@for i in $(SUBDIRS); do \
echo "===> $(SDP)$$i"; \
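Review bot: `ssleay req ... -nodes -keyout $(CERTCONF)/httpsd.pem` writes an unencrypted private key into the conf directory under the caller's umask, so the file is typically world-readable; start the recipe with `umask 077` or `chmod 600` the result before anything else touches it. The recipe chains `req` and `ln` with `;`, so a failed `req` still creates the hash symlink; use `&&`. Also `@@SSL_BASE@@` is only set by Configure when `Rule SSL` is on, so in other builds this target expands to `/bin/ssleay`; either omit the target when SSL is off or fail with a clear message.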
Only in apache_1.3b6+SSL/src: apaci
Only in apache_1.3b6+SSL/src/include: ap_config.h
diff -u -r apache_1.3b6/src/include/buff.h apache_1.3b6+SSL/src/include/buff.h
--- apache_1.3b6/src/include/buff.h Sat Apr 11 06:00:18 1998
+++ apache_1.3b6+SSL/src/include/buff.h Fri May 8 16:45:57 1998
@@ -64,6 +64,11 @@
#include <stdarg.h>
+#ifdef APACHE_SSL
+# include <stdio.h>
+# include <ssl.h>
+#endif
+
/* Reading is buffered */
#define B_RD (1)
/* Writing is buffered */
@@ -116,6 +121,13 @@
/* transport handle, for RPC binding handle or some such */
void *t_handle;
+
+#ifdef APACHE_SSL
+ /* Add some context for SSL */
+ SSL *ssl;
+ char *szClientX509;
+ int nVerifyError;
+#endif
#ifdef B_SFIO
Sfio_t *sf_in;
Only in apache_1.3b6+SSL/src/include: gcache.h
diff -u -r apache_1.3b6/src/include/httpd.h apache_1.3b6+SSL/src/include/httpd.h
--- apache_1.3b6/src/include/httpd.h Wed Apr 15 18:15:34 1998
+++ apache_1.3b6+SSL/src/include/httpd.h Mon May 11 13:05:20 1998
@@ -62,6 +62,11 @@
* httpd.h: header for simple (ha! not anymore) http daemon
*/
+/* Needed all over the place */
+typedef unsigned int BOOL;
+#define TRUE 1
+#define FALSE 0
+
/* Headers in which EVERYONE has an interest... */
#include "conf.h"
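Review bot: `typedef unsigned int BOOL;` with `#define TRUE 1` / `#define FALSE 0` is added to httpd.h unconditionally, outside any `#ifdef APACHE_SSL`, so every platform's build now gets these names in every translation unit; on Win32 at least `BOOL`, `TRUE` and `FALSE` already come from the system headers and a redefinition will warn or fail. Wrap the block in `#ifdef APACHE_SSL` and guard each name with `#ifndef`, or keep the definitions in the SSL module's own header.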
@@ -120,13 +125,20 @@
#define HTTP_VERSION(major,minor) (1000*(major)+(minor))
-/* -------------- Port number for server running standalone --------------- */
-
+/* -------------- Port number and protocol for server running standalone -- */
+#ifdef APACHE_SSL
+#define DEFAULT_HTTP_PORT 80
+#define DEFAULT_HTTPS_PORT 443
+#define default_port(r) ((r)->connection->client->ssl ?
DEFAULT_HTTPS_PORT : DEFAULT_HTTP_PORT)
+#define is_default_port(port,r) ((port) == default_port(r))
+#define http_method(r) ((r)->connection->client->ssl ? "https" :
"http")
+#else
#define DEFAULT_HTTP_PORT 80
#define DEFAULT_HTTPS_PORT 443
#define is_default_port(port,r) ((port) == default_port(r))
#define http_method(r) "http"
#define default_port(r) DEFAULT_HTTP_PORT
+#endif
/* --------- Default user name and group name running standalone ---------- */
/* --- These may be specified as numbers by placing a # before a number --- */
@@ -362,7 +374,11 @@
* Example: "Apache/1.1.0 MrWidget/0.1-alpha"
*/
+#ifdef APACHE_SSL
+#define SERVER_BASEVERSION "Apache/1.3b6 Ben-SSL/1.16" /* SEE COMMENTS ABOVE */
+#else
#define SERVER_BASEVERSION "Apache/1.3b6" /* SEE COMMENTS ABOVE */
+#endif
#ifdef SERVER_SUBVERSION
#define SERVER_VERSION SERVER_BASEVERSION " " SERVER_SUBVERSION
#else
@@ -742,6 +758,11 @@
#define DEFAULT_VHOST_ADDR 0xfffffffful
typedef struct server_addr_rec server_addr_rec;
+
+#ifdef APACHE_SSL
+int ApacheSSLSetupConnection(conn_rec *conn);
+void LaunchGlobalCache(pool *pPool);
+#endif
struct server_addr_rec {
server_addr_rec *next;
struct in_addr host_addr; /* The bound address, for this server */
diff -u -r apache_1.3b6/src/main/Makefile.tmpl
apache_1.3b6+SSL/src/main/Makefile.tmpl
--- apache_1.3b6/src/main/Makefile.tmpl Sat Apr 11 13:59:26 1998
+++ apache_1.3b6+SSL/src/main/Makefile.tmpl Fri May 8 14:33:36 1998
@@ -14,7 +14,7 @@
http_config.o http_core.o http_log.o \
http_main.o http_protocol.o http_request.o http_vhost.o \
util.o util_date.o util_script.o util_uri.o util_md5.o \
- md5c.o rfc1413.o fnmatch.o
+ md5c.o rfc1413.o fnmatch.o gcacheclient.o gcachecommon.o
.c.o:
$(CC) -c $(INCLUDES) $(CFLAGS) $(SPACER) $<
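Review bot: `gcacheclient.o gcachecommon.o` are added to the object list unconditionally, but the sources exist only in the SSL tree and the rest of the patch is under `#ifdef APACHE_SSL`. A build with `Rule SSL=no` now requires those files to compile without SSLeay headers; either make them compile cleanly in that case or add them through a Configure-generated variable only when SSL is enabled.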
diff -u -r apache_1.3b6/src/main/buff.c apache_1.3b6+SSL/src/main/buff.c
--- apache_1.3b6/src/main/buff.c Sat Apr 11 06:00:28 1998
+++ apache_1.3b6+SSL/src/main/buff.c Fri May 22 13:50:11 1998
@@ -227,7 +227,7 @@
return (rv);
}
-#endif /* WIN32 */
+#endif
/* the lowest level reading primitive */
@@ -235,6 +235,11 @@
{
int rv;
+#ifdef APACHE_SSL
+ if (fb->ssl)
+ rv = SSL_read(fb->ssl, buf, nbyte);
+ else
+#endif
rv = read(fb->fd_in, buf, nbyte);
return rv;
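Review bot: `rv = SSL_read(fb->ssl, buf, nbyte)` returns the read's result, but callers of this primitive inspect `errno` for EAGAIN/EINTR/EWOULDBLOCK on a negative return, while SSL_read reports failures through the SSLeay error queue and leaves `errno` as whatever the last socket call set. A negative SSL result therefore looks like an unknown I/O error to the layers above, and the non-blocking retry logic never sees the real cause. Map the SSL result onto the read() contract here, or at least document that timeout and retry handling above this layer does not understand SSL errors.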
@@ -266,6 +271,11 @@
#if defined (B_SFIO)
rv = sfwrite(fb->sf_out, buf, nbyte);
#else
+#ifdef APACHE_SSL
+ if(fb->ssl)
+ rv = SSL_write(fb->ssl, buf, nbyte);
+ else
+#endif
rv = write(fb->fd, buf, nbyte);
#endif
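Review bot: same concern as for the read path: `SSL_write` signals failure through the SSLeay error queue rather than `errno`, so any caller that retries on `EAGAIN` or `EINTR` will misclassify an SSL failure. A short comment here, and ideally a translation of the SSL return into a read()/write()-style result, would keep the two primitives consistent with what the buffer layer expects.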
@@ -341,6 +351,11 @@
fb->fd = -1;
fb->fd_in = -1;
+#ifdef APACHE_SSL
+ fb->ssl = NULL;
+ fb->szClientX509 = NULL;
+#endif
+
#ifdef B_SFIO
fb->sf_in = NULL;
fb->sf_out = NULL;
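Review bot: the initialiser clears `fb->ssl` and `fb->szClientX509` but not `fb->nVerifyError`, which buff.h adds alongside them and which `log_ssl_info` later tests; zero it here too so a freshly created BUFF does not report a stale or uninitialised verify error.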
@@ -1013,7 +1028,6 @@
return 0;
}
#endif
-
/* A wrapper for buff_write which deals with error conditions and
* bytes_sent. Also handles non-blocking writes.
*/
@@ -1061,8 +1075,11 @@
if (!(fb->flags & B_CHUNK)) {
return write_with_errors(fb, buf, nbyte);
}
+#ifdef APACHE_SSL
+ if (fb->ssl) {
+#endif
-#ifdef NO_WRITEV
+#if defined(NO_WRITEV) || defined(APACHE_SSL)
/* without writev() this has poor performance, too bad */
ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012", nbyte);
@@ -1076,8 +1093,14 @@
return -1;
if (write_it_all(fb, "\015\012", 2) == -1)
return -1;
+#ifdef APACHE_SSL
+ }
+#endif
return nbyte;
#else
+#ifdef APACHE_SSL
+ }
+#endif
vec[0].iov_base = chunksize;
vec[0].iov_len = ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012",
nbyte);
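Review bot: with `APACHE_SSL` defined the preprocessor leaves `if (fb->ssl) { ...chunk header, data, CRLF... } return nbyte;` because `#if defined(NO_WRITEV) || defined(APACHE_SSL)` always selects the first branch and the closing `}` in the `#else` branch is never compiled. For a plain-HTTP connection in an SSL-enabled server (`fb->ssl == NULL`) nothing is written and `nbyte` is returned as if it were, so chunked responses on port 80 silently lose their data. Keep the SSL path as an early exit, `if (fb->ssl) { ...; return nbyte; }` under `#ifdef APACHE_SSL`, and leave the original `#ifdef NO_WRITEV` / writev code untouched for non-SSL connections.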
@@ -1196,10 +1219,18 @@
* us to use writev() too frequently. In those cases we really should just
* start a new buffer.
*/
+#ifdef APACHE_SSL
+ if (!fb->ssl) {
+#endif
+
if (fb->outcnt > 0 && nbyte > LARGE_WRITE_THRESHOLD
&& nbyte + fb->outcnt >= fb->bufsiz) {
return large_write(fb, buf, nbyte);
}
+#ifdef APACHE_SSL
+ }
+#endif
+
#endif
/*
@@ -1394,6 +1425,13 @@
fb->flags |= B_EOF | B_EOUT;
fb->fd = -1;
fb->fd_in = -1;
+#ifdef APACHE_SSL
+ if (fb->ssl) {
+ SSL_free(fb->ssl);
+ fb->ssl = NULL;
+ }
+#endif
+
#ifdef B_SFIO
sfclose(fb->sf_in);
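Review bot: `SSL_free(fb->ssl)` is called without a preceding `SSL_shutdown`, so no close_notify alert is sent: the peer cannot tell a deliberate close from a truncated connection, and the session is not marked for resumption in the cache this patch goes to some trouble to set up. Call `SSL_shutdown` (ignoring its result on an already-dead socket) before `SSL_free`.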
Only in apache_1.3b6+SSL/src/main: gcache.c
Only in apache_1.3b6+SSL/src/main: gcacheclient.c
Only in apache_1.3b6+SSL/src/main: gcachecommon.c
diff -u -r apache_1.3b6/src/main/http_config.c
apache_1.3b6+SSL/src/main/http_config.c
--- apache_1.3b6/src/main/http_config.c Mon Apr 13 12:05:10 1998
+++ apache_1.3b6+SSL/src/main/http_config.c Mon May 11 10:13:10 1998
@@ -1325,7 +1325,11 @@
{
server_rec *s = (server_rec *) ap_pcalloc(p, sizeof(server_rec));
- s->port = 0;
+#ifdef APACHE_SSL
+ s->port=0;
+#else
+ s->port = DEFAULT_HTTP_PORT;
+#endif
s->server_admin = DEFAULT_ADMIN;
s->server_hostname = NULL;
s->error_fname = DEFAULT_ERRORLOG;
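Review bot: the non-SSL branch changes behaviour unrelated to SSL: the original line was `s->port = 0;` for everyone, and the hunk keeps that only under `APACHE_SSL` while switching plain builds to `DEFAULT_HTTP_PORT`. If zero is needed for the SSL build's `default_port()` logic, say so in a comment; otherwise leave the non-SSL default as it was so this patch does not alter virtual host port defaulting for users who never enable SSL.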
diff -u -r apache_1.3b6/src/main/http_main.c
apache_1.3b6+SSL/src/main/http_main.c
--- apache_1.3b6/src/main/http_main.c Sat Apr 11 06:00:29 1998
+++ apache_1.3b6+SSL/src/main/http_main.c Mon May 11 10:28:43 1998
@@ -3418,6 +3418,15 @@
(struct sockaddr_in *) &sa_client,
(struct sockaddr_in *) &sa_server,
my_child_num);
+#ifdef APACHE_SSL
+ /*
+ * This returns false if the connection cannot be setup,
+ * so maybe we should do something with this here...
+ * however it also blocks the BUFF connections
+ * so the next bit should fall out anyway!
+ */
+ ApacheSSLSetupConnection(current_conn);
+#endif
/*
* Read and process each request found on our connection
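Review bot: the return value of `ApacheSSLSetupConnection(current_conn)` is discarded even though the comment above it says the call returns false when the connection cannot be set up; the request loop then runs on a connection whose handshake failed. Check the result, log the handshake or verify error, and close the connection directly rather than relying on the BUFF layer to make it `fall out anyway`.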
@@ -3762,14 +3771,17 @@
ap_kill_cleanups_for_fd(pconf, scoreboard_fd);
}
#endif
- ap_clear_pool(pconf);
- ptrans = ap_make_sub_pool(pconf);
-
- server_conf = ap_read_config(pconf, ptrans, ap_server_confname);
+ ap_clear_pool(pconf);
+ ptrans = ap_make_sub_pool(pconf);
+
+ server_conf = ap_read_config(pconf, ptrans, ap_server_confname);
setup_listeners(pconf);
ap_open_logs(server_conf, pconf);
ap_log_pid(pconf, ap_pid_fname);
- ap_init_modules(pconf, server_conf);
+ ap_init_modules (pconf, server_conf);
+#ifdef APACHE_SSL
+ LaunchGlobalCache(pconf);
+#endif
SAFE_ACCEPT(accept_mutex_init(pconf));
if (!is_graceful) {
reinit_scoreboard(pconf);
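Review bot: `LaunchGlobalCache(pconf)` runs on every pass through this restart path, including the graceful restart that `if (!is_graceful)` distinguishes two lines below; unless it checks for an already-running cache it will start another gcache process per restart. Separately, the re-indentation of the unchanged `ap_clear_pool` / `ap_make_sub_pool` / `ap_read_config` lines and the `ap_init_modules (pconf` spacing are whitespace-only changes that should be dropped from the patch.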
diff -u -r apache_1.3b6/src/modules/experimental/Makefile.tmpl
apache_1.3b6+SSL/src/modules/experimental/Makefile.tmpl
--- apache_1.3b6/src/modules/experimental/Makefile.tmpl Thu Apr 9 02:20:27 1998
+++ apache_1.3b6+SSL/src/modules/experimental/Makefile.tmpl Mon May 11
10:00:28 1998
@@ -22,3 +22,5 @@
$(INCDIR)/http_config.h $(INCDIR)/http_log.h \
$(INCDIR)/http_protocol.h $(INCDIR)/http_request.h \
$(INCDIR)/http_core.h
+
+mod_apache_ssl.o: mod_apache_ssl.c
Only in apache_1.3b6+SSL/src/modules/experimental: mod_apache_ssl.c
diff -u -r apache_1.3b6/src/modules/standard/mod_auth.c
apache_1.3b6+SSL/src/modules/standard/mod_auth.c
--- apache_1.3b6/src/modules/standard/mod_auth.c Sat Apr 11 06:00:44 1998
+++ apache_1.3b6+SSL/src/modules/standard/mod_auth.c Fri May 8 22:47:50 1998
@@ -75,7 +75,13 @@
#include "http_log.h"
#include "http_protocol.h"
#if defined(HAVE_CRYPT_H)
+#if defined(APACHE_SSL)
+#define des_encrypt BASE_des_encrypt
#include <crypt.h>
+#undef des_encrypt
+#else
+#include <crypt.h>
+#endif /* APACHE_SSL */
#endif
typedef struct auth_config_struct {
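Review bot: the `#define des_encrypt BASE_des_encrypt` / `#undef des_encrypt` sandwich around `<crypt.h>` needs a comment saying what it is for (presumably a clash between the `des_encrypt` prototype in crypt.h and the one SSLeay exports); without it the next maintainer will remove it as noise. Note that the rename only hides the declaration: if both libcrypt and libcrypto define a `des_encrypt` symbol, which copy `crypt()` ends up calling is decided by link order, so the final link should be checked for that duplicate rather than assumed safe.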
diff -u -r apache_1.3b6/src/modules/standard/mod_log_config.c
apache_1.3b6+SSL/src/modules/standard/mod_log_config.c
--- apache_1.3b6/src/modules/standard/mod_log_config.c Sat Apr 11 06:00:48 1998
+++ apache_1.3b6+SSL/src/modules/standard/mod_log_config.c Mon May 11
15:21:10 1998
@@ -127,6 +127,15 @@
* %...l: remote logname (from identd, if supplied)
* %...{Foobar}n: The contents of note "Foobar" from another module.
* %...{Foobar}o: The contents of Foobar: header line(s) in the reply.
+ *
+ * Additional SSL directives:
+ *
+ * %...{cipher}c: cipher used (SSL_get_cipher)
+ * %...{clientcert}c: client certificate information
+ * %...{errcode}c: X509 verify error code
+ * %...{errstr}c: X509 verify error string
+ * %...{version}c: SSL version (SSLeay 0.8.0 and above)
+ *
* %...p: the port the request was served to
* %...P: the process ID of the child that serviced the request.
* %...r: first line of request
@@ -172,6 +181,9 @@
#include "http_core.h" /* For REMOTE_NAME */
#include "http_log.h"
#include <limits.h>
+#ifdef APACHE_SSL
+#include <crypto.h>
+#endif
module MODULE_VAR_EXPORT config_log_module;
@@ -415,6 +427,10 @@
return ap_psprintf(r->pool, "%ld", (long) getpid());
}
+#ifdef APACHE_SSL
+extern char *log_ssl_info(request_rec *r, char *a);
+#endif
+
/*****************************************************************
*
* Parsing the log format string
@@ -480,6 +496,11 @@
{
'P', log_child_pid, 0
},
+#ifdef APACHE_SSL
+ {
+ 'c', log_ssl_info, 0
+ },
+#endif
{
'\0'
}
@@ -626,6 +647,53 @@
return a;
}
+#ifdef APACHE_SSL
+char *log_ssl_info(request_rec *r, char *a)
+ {
+ char str[MAX_STRING_LEN];
+
+ if(!r->connection->client->ssl)
+ return NULL;
+
+ if(!strcmp(a, "cipher"))
+ return SSL_get_cipher(r->connection->client->ssl);
+
+ if(!strcmp(a, "clientcert"))
+ return r->connection->client->szClientX509;
+
+ if(!strcmp(a, "errcode"))
+ if(r->connection->client->nVerifyError)
+ {
+ sprintf(str, "%d", r->connection->client->nVerifyError);
+ return ap_pstrdup(r->pool,str);
+ }
+ else
+ return NULL;
+
+ if(!strcmp(a, "errstr"))
+ if(r->connection->client->nVerifyError)
+#if SSLEAY_VERSION_NUMBER < 0x0800
+ return
X509_cert_verify_error_string(r->connection->client->nVerifyError);
+#else
+ return
X509_verify_cert_error_string(r->connection->client->nVerifyError);
+#endif
+ else
+ return NULL;
+
+#if SSLEAY_VERSION_NUMBER >= 0x0800
+ if(!strcmp(a, "version"))
+ {
+ static char v[2];
+
+ v[0]='0'+r->connection->client->ssl->session->ssl_version;
+ v[1]='\0';
+ return v;
+ }
+#endif
+
+ return NULL;
+}
+#endif
/*****************************************************************
*
* Actually logging.
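Review bot: `v[0]='0'+r->connection->client->ssl->session->ssl_version` reaches into SSLeay's internal structures and only works for single-digit versions; `session` can be NULL when the handshake did not complete (the setup call's result is ignored in http_main.c), and later protocol versions are not single digits. Prefer `SSL_get_version(ssl)`, which returns a string, if the SSLeay release in use provides it. The `static char v[2]` is also returned by pointer; use `ap_pstrdup(r->pool, ...)` as the `errcode` branch does, and replace `sprintf(str, ...)` with `ap_psprintf(r->pool, "%d", ...)` so there is no stack buffer at all. Finally, the two `if (...) if (...) ... else return NULL;` constructs rely on dangling-else binding; braces around the outer bodies would make the intent obvious.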
Only in apache_1.3b6+SSL/src: modules.c
diff -u -r apache_1.3b6/src/support/dbmmanage
apache_1.3b6+SSL/src/support/dbmmanage
--- apache_1.3b6/src/support/dbmmanage Tue Mar 31 05:53:47 1998
+++ apache_1.3b6+SSL/src/support/dbmmanage Fri May 15 14:32:16 1998
@@ -62,7 +62,7 @@
package dbmmanage;
# -ldb -lndbm -lgdbm
-BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File) }
+BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File DBM_File) }
use strict;
use Fcntl;
use AnyDBM_File ();
>How-To-Repeat:
Not relevant. But the configure.ssl script sets things up for the ssl httpd
compile.
#!/bin/sh
#
# This assumes SSLeay-0.8.0 is installed in /usr/local/ssl
#
sh configure \
--prefix=/usr/local/apache \
--enable-module=status \
--enable-module=proxy \
--enable-module=rewrite \
--enable-module=auth_anon \
--enable-module=auth_dbm \
--enable-module=digest \
--enable-module=cern_meta \
--enable-module=expires \
--enable-module=headers \
--enable-module=usertrack \
--enable-module=apache_ssl
>Fix:
I had a problem integrating the patches because I missed a "writev" which had
to be avoided if in ssl mode.
I found some problems with the default httpd.conf. Example: CustomLog was set
to logs/access_log and should have been var/logs/error_log.
>Audit-Trail:
>Unformatted: