Hi,

the OpenSSL team will pretty soon release 0.9.8 as stable release.

However, currently 2.0.54 cannot be built with 0.9.8beta6, as
a pem.h definition has changed. The OpenSSL team considers this
renaming a bug correction, so compilation of mod_ssl will
continue to fail.

OpenSSL 0.9.8 will introduce SSL compression (which has in
principle been defined since SSLv3, however, concrete compression
methods like DEFLATE were "RFCed" in May 2004).

I have attached a patch to make mod_ssl compile with OpenSSL 0.9.8,
and also added an SSL variable "SSL_COMP_METHOD" to allow logging
(and other usages) of the negotiated compression method.

Moreover, I have - to the best of my knowledge - extended the documentation.

Could anybody check this and decide whether to include it?
I guess quite some confusion will happen once OpenSSL 0.9.8 is
finally out and using it with Apache 2.0.54 fails.

Also, please don't kill the messenger :-) - it is not my decision
to change the OpenSSL include file definition...

Regards,


Georg v.Zezschwitz
diff -cr httpd-2.0.54.orig/docs/manual/mod/mod_ssl.xml 
httpd-2.0.54/docs/manual/mod/mod_ssl.xml
*** httpd-2.0.54.orig/docs/manual/mod/mod_ssl.xml       Fri Feb  4 21:21:18 2005
--- httpd-2.0.54/docs/manual/mod/mod_ssl.xml    Tue Jul  5 11:53:55 2005
***************
*** 65,70 ****
--- 65,71 ----
  <tr><td><code>SSL_CIPHER_EXPORT</code></td>             <td>string</td>    
<td><code>true</code> if cipher is an export cipher</td></tr>
  <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td>         <td>number</td>    
<td>Number of cipher bits (actually used)</td></tr>
  <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td>         <td>number</td>    
<td>Number of cipher bits (possible)</td></tr>
+ <tr><td><code>SSL_COMP_METHOD</code></td>               <td>string</td>    
<td>SSL compression method negotiated</td></tr>
  <tr><td><code>SSL_VERSION_INTERFACE</code></td>         <td>string</td>    
<td>The mod_ssl program version</td></tr>
  <tr><td><code>SSL_VERSION_LIBRARY</code></td>           <td>string</td>    
<td>The OpenSSL program version</td></tr>
  <tr><td><code>SSL_CLIENT_M_VERSION</code></td>          <td>string</td>    
<td>The version of the client certificate</td></tr>
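Review bot: the description in the new SSL_COMP_METHOD row, "SSL compression method negotiated", does not tell an administrator reading logs what values to expect; the lookup function in ssl_engine_vars.c returns exactly four strings, so list them here and say that NULL also covers a mod_ssl built against an OpenSSL older than 0.9.8, where the variable can never report anything else. Suggested cell: `<td>SSL compression method negotiated (NULL, DEFLATE, LZS or UNKNOWN; always NULL with OpenSSL prior to 0.9.8)</td>`.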
diff -cr httpd-2.0.54.orig/docs/manual/ssl/ssl_faq.xml 
httpd-2.0.54/docs/manual/ssl/ssl_faq.xml
*** httpd-2.0.54.orig/docs/manual/ssl/ssl_faq.xml       Fri Feb  4 21:21:18 2005
--- httpd-2.0.54/docs/manual/ssl/ssl_faq.xml    Tue Jul  5 12:14:15 2005
***************
*** 680,685 ****
--- 680,686 ----
  <li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
  <li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
  Hosting to identify different SSL virtual hosts?</a></li>
+ <li><a href="#comp">How do I get SSL compression working?</a></li>
  <li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
  <li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
  <li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
***************
*** 804,809 ****
--- 805,827 ----
      Use different port numbers for different SSL hosts.</p> 
  </section>
  
+ <section id="comp"><title>How do I get SSL compression working?</title>
+ <p>Although SSL compression negotiation was already defined in the 
specification
+ of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as
+ a negotiable standard compression method.
+ </p>
+ <p>OpenSSL 0.9.8 started to support this by default when compiled with the
+ <code>zlib</code> option. If both the client and the server support 
compression,
+ it will be used. However, most clients still try to initially connect with an
+ SSLv2 Hello. As SSLv2 did not include an array of prefered compression 
algorithms
+ in its handshake, compression can not be negotiated with these clients.
+ If the client disables support for SSLv2, based on the used SSL library 
+ a SSLv3 or TLS Hello might be sent and compression might be set up.
+ You can check if clients make use of SSL compression by logging the
+ variable <code>SSL_COMP_METHOD</code>.
+ </p>
+ </section>
+ 
  <section id="lockicon"><title>When I use Basic Authentication over HTTPS the 
lock icon in Netscape browsers
  still shows the unlocked state when the dialog pops up. Does this mean the
  username/password is still transmitted unencrypted?</title>
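Review bot: the first sentence of the new "comp" section says compression negotiation was "already defined in the specification of SSLv2 and TLS", which the second paragraph then contradicts ("SSLv2 did not include an array of prefered compression algorithms in its handshake"); the cover mail says it has been defined since SSLv3, so change SSLv2 to SSLv3 in that sentence. Also fix the spellings "prefered" -> "preferred" and "can not" -> "cannot", and reword "If the client disables support for SSLv2, based on the used SSL library a SSLv3 or TLS Hello might be sent" to "If the client disables support for SSLv2, an SSLv3 or TLS Hello may be sent, depending on the SSL library in use". Since the section ends by pointing readers at SSL_COMP_METHOD, a one-line CustomLog example showing the variable in a log format would make the advice actionable.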
diff -cr httpd-2.0.54.orig/modules/ssl/ssl_engine_vars.c 
httpd-2.0.54/modules/ssl/ssl_engine_vars.c
*** httpd-2.0.54.orig/modules/ssl/ssl_engine_vars.c     Fri Feb  4 21:21:18 2005
--- httpd-2.0.54/modules/ssl/ssl_engine_vars.c  Tue Jul  5 10:51:40 2005
***************
*** 47,52 ****
--- 47,53 ----
  static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
  static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int 
*algkeysize);
  static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+ static char *ssl_var_lookup_ssl_comp_method(SSL *ssl);
  
  static int ssl_is_https(conn_rec *c)
  {
***************
*** 282,287 ****
--- 283,291 ----
          if ((xs = SSL_get_certificate(ssl)) != NULL)
              result = ssl_var_lookup_ssl_cert(p, xs, var+7);
      }
+     else if (ssl != NULL && strlen(var) >= 11 && strcEQn(var, "COMP_METHOD", 
7)) {
+             result = ssl_var_lookup_ssl_comp_method(ssl);
+     }
      return result;
  }
  
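Review bot: the new else-if compares only 7 characters, `strcEQn(var, "COMP_METHOD", 7)`, while the guard demands `strlen(var) >= 11`, so any variable name that starts with "COMP_ME" and is at least 11 characters long is answered with the compression method instead of falling through to the "no such variable" result. Compare the whole name, e.g. `strcEQn(var, "COMP_METHOD", 11)` (strncasecmp stops at the terminating NUL, so the strlen guard then becomes redundant), or better an exact match so that trailing characters are rejected too. The body line `result = ssl_var_lookup_ssl_comp_method(ssl);` is also indented four columns deeper than the sibling branches above it.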
***************
*** 594,599 ****
--- 598,636 ----
      }
      return result;
  }
+ 
+ static char *ssl_var_lookup_ssl_comp_method(SSL *ssl)
+ {
+     char *result = "NULL";
+ #ifdef OPENSSL_VERSION_NUMBER
+ #if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+     SSL_SESSION *pSession = SSL_get_session(ssl);
+ 
+     if (pSession) {
+         switch (pSession->compress_meth) {
+         case 0:
+             /* default "NULL" already set */
+             break;
+ 
+             /* Defined by RFC 3749, deflate is coded by "1" */
+         case 1:
+             result = "DEFLATE";
+             break;
+ 
+             /* IANA assigned compression number for LZS */
+         case 0x40:
+             result = "LZS";
+             break;
+ 
+         default:
+             result = "UNKNOWN";
+             break;
+         }
+     }
+ #endif
+ #endif
+     return result;
+ }
  
  /*  _________________________________________________________________
  **
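Review bot: ssl_var_lookup_ssl_comp_method() reaches into SSL_SESSION internals (`pSession->compress_meth`) and hand-decodes the numeric id, which ties mod_ssl to the struct layout and leaves every id other than 0, 1 and 0x40 reported as "UNKNOWN"; check whether the 0.9.8 headers expose an accessor for the negotiated method (ssl.h in 0.9.8 should declare SSL_get_current_compression() and SSL_COMP_get_name(), which return the method's name directly) and use that, keeping the switch only as a fallback. Two smaller points: the comments "Defined by RFC 3749, deflate is coded by \"1\"" and "IANA assigned compression number for LZS" sit above the `case` labels at body indentation, so move them under the label they describe; and the `0x00908000` threshold also admits the 0.9.8 betas, which is what the cover mail wants but is worth stating in a comment next to the #if.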
diff -cr httpd-2.0.54.orig/modules/ssl/ssl_toolkit_compat.h 
httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h
*** httpd-2.0.54.orig/modules/ssl/ssl_toolkit_compat.h  Fri Feb  4 21:21:18 2005
--- httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h       Tue Jul  5 11:33:33 2005
***************
*** 99,104 ****
--- 99,111 ----
  #define HAVE_SSL_X509V3_EXT_d2i
  #endif
  
+ #ifndef PEM_F_DEF_CALLBACK
+ #ifdef PEM_F_PEM_DEF_CALLBACK
+ /* In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+ #define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK 
+ #endif
+ #endif
+ 
  #elif defined (SSLC_VERSION_NUMBER) /* RSA */
  
  /* sslc does not support this function, OpenSSL has since 9.5.1 */
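Review bot: the compatibility block only helps when PEM_F_PEM_DEF_CALLBACK is defined; with neither name defined (an OpenSSL that has dropped both) the code using PEM_F_DEF_CALLBACK still fails to compile with the same error this patch is meant to fix, so either accept that silently or add a third branch with an #error naming the missing symbol. Make the comment state the direction of the rename ("renamed to PEM_F_PEM_DEF_CALLBACK") rather than just "was renamed", and strip the trailing whitespace on `#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK `.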
