Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-03 Thread Dr Stephen Henson
On 02/02/2014 13:45, Kaspar Brand wrote:
 On 01.02.2014 14:37, Dr Stephen Henson wrote:
 I'm wondering how that could be avoided. Would a way to enumerate all
 certificates in an SSL_CTX structure in OpenSSL help? Something like
 SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That
 would also set the current certificate at the same time in case applications
 wanted to inspect the private key or chain.
 
 Yes, this sounds like a useful extension - not only for the issue at
 hand (i.e. SSL_CONF and stapling initialisation), but as a general
 mechanism for retrieving all certificates of an SSL_CTX.
 

Added now. The API is slightly different, but easy enough to use.

To iterate over all certificates in an SSL_CTX something like this will do the
trick:

#include <openssl/ssl.h>

X509 *x;
int rv;
/* select the first certificate slot; returns 0 if the SSL_CTX holds none */
rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
while (rv)
{
    /* the certificate that is now current (borrowed reference, do not free) */
    x = SSL_CTX_get0_certificate(ctx);
    /* ... inspect x, or the private key and chain that are now current ... */
    rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
}

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: svn commit: r1563894 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_kernel.c ssl_private.h

2014-02-03 Thread Mike Rumph

Hello Jeff,

s/limitiations/limitations/

Thanks,

Mike Rumph

On 2/3/2014 5:50 AM, traw...@apache.org wrote:

Author: trawick
Date: Mon Feb  3 13:50:14 2014
New Revision: 1563894

URL: http://svn.apache.org/r1563894
Log:
fix a few spelling errors

Modified:
 httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
 httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1563894&r1=1563893&r2=1563894&view=diff
==
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Feb  3 13:50:14 2014
@@ -176,8 +176,8 @@ int ssl_hook_ReadReq(request_rec *r)
   * cause us to end up in a different virtual host as the one that
   * was used for the handshake causing different SSL parameters to
   * be applied as SSLProtocol, SSLCACertificateFile/Path and
- * SSLCADNRequestFile/Path cannot be renegotioated (SSLCA* due
- * to current limitiations in Openssl, see
+ * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due
+ * to current limitiations in OpenSSL, see
   * 
http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c48592955.2090...@velox.ch%3E
   * and
   * 
http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E
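Review bot: the replacement line `+ * to current limitiations in OpenSSL, see` still misspells "limitations", so this spelling-fix commit leaves one typo in the comment it rewrites; amend it to `+ * to current limitations in OpenSSL, see`.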
@@ -207,7 +207,7 @@ int ssl_hook_ReadReq(request_rec *r)
  /*
   * We are using a name based configuration here, but no hostname 
was
   * provided via SNI. Don't allow that if are requested to do 
strict
- * checking. Check wether this strict checking was setup either in 
the
+ * checking. Check whether this strict checking was setup either 
in the
   * server config we used for handshaking or in our current server.
   * This should avoid insecure configuration by accident.
   */
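Review bot: the unchanged context line `Don't allow that if are requested to do strict checking` is missing its subject ("if we are requested"), and `setup` in the changed line is used as a verb, where "set up" is the correct form; since the commit already touches this comment, both could be fixed here, e.g. `+ * checking. Check whether this strict checking was set up either in the`.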
@@ -1904,7 +1904,7 @@ void ssl_callback_Info(const SSL *ssl, i
  }
  }
  /* If the first handshake is complete, change state to reject any
- * subsequent client-initated renegotiation. */
+ * subsequent client-initiated renegotiation. */
  else if ((where  SSL_CB_HANDSHAKE_DONE)  scr-reneg_state == 
RENEG_INIT) {
  scr-reneg_state = RENEG_REJECT;
  }
@@ -2033,7 +2033,7 @@ static int ssl_find_vhost(void *serverna
   * vhost we have just switched to. Again, we have to make sure
   * that we're not overwriting a session id context which was
   * possibly set in ssl_hook_Access(), before triggering
- * a renegotation.
+ * a renegotiation.
   */
  if (SSL_num_renegotiations(ssl) == 0) {
  unsigned char *sid_ctx =

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1563894&r1=1563893&r2=1563894&view=diff
==
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Mon Feb  3 13:50:14 2014
@@ -425,7 +425,7 @@ typedef struct {
  RENEG_INIT = 0, /* Before initial handshake */
  RENEG_REJECT, /* After initial handshake; any client-initiated
 * renegotiation should be rejected */
-RENEG_ALLOW, /* A server-initated renegotiation is taking
+RENEG_ALLOW, /* A server-initiated renegotiation is taking
* place (as dictated by configuration) */
  RENEG_ABORT /* Renegotiation initiated by client, abort the
   * connection */

Re: svn commit: r1563894 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_kernel.c ssl_private.h

2014-02-03 Thread Mike Rumph

I think the following change is also valid:

s/setup/set up/ when used as a verb.

On 2/3/2014 7:55 AM, Mike Rumph wrote:

Hello Jeff,

s/limitiations/limitations/

Thanks,

Mike Rumph

Re: svn commit: r1562174 - in /httpd/httpd/branches/2.4.x: ./ STATUS docs/manual/ docs/manual/howto/ docs/manual/mod/ docs/manual/mod/mod_macro.xml docs/manual/rewrite/ docs/manual/rewrite/flags.xml m

2014-02-03 Thread Christophe JAILLET

On 28/01/2014 20:40, j...@apache.org wrote:

Author: jim
Date: Tue Jan 28 19:40:17 2014
New Revision: 1562174

URL: http://svn.apache.org/r1562174
Log:
Merge r1556206 from trunk:

avoid a tight busy loop with memory allocations when the [N] flag
isn't making progress.

If backported, probably increase the hard-coded limit to 32k from 10k.


Modified: httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?rev=1562174&r1=1562173&r2=1562174&view=diff
==
--- httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c Tue Jan 28 
19:40:17 2014
@@ -231,6 +231,9 @@ static const char* really_last_key = re
  #define subreq_ok(r) (!r-main || \
  (r-main-uri  r-uri  strcmp(r-main-uri, r-uri)))
  
+#ifndef REWRITE_MAX_ROUNDS

+#define REWRITE_MAX_ROUNDS 32000
+#endif
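Review bot: the new default `#define REWRITE_MAX_ROUNDS 32000` differs from the 10k limit the log message says trunk uses, and nothing in the hunk records that the backport is deliberately more lenient; a one-line comment above the `#ifndef REWRITE_MAX_ROUNDS` guard (or a CHANGES entry) stating why 2.4.x uses the higher cap would keep the two branches from being "corrected" to match each other later.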


Should trunk be synced with 2.4.x with this 32000 limit?

CJ


Re: svn commit: r1562174 - in /httpd/httpd/branches/2.4.x: ./ STATUS docs/manual/ docs/manual/howto/ docs/manual/mod/ docs/manual/mod/mod_macro.xml docs/manual/rewrite/ docs/manual/rewrite/flags.xml m

2014-02-03 Thread Eric Covener
 19:40:17 2014
 @@ -231,6 +231,9 @@ static const char* really_last_key = re
   #define subreq_ok(r) (!r-main || \
   (r-main-uri  r-uri  strcmp(r-main-uri, r-uri)))
   +#ifndef REWRITE_MAX_ROUNDS
 +#define REWRITE_MAX_ROUNDS 32000
 +#endif


 Should trunk be synch with 2.4.x with this 32000 limit ?

Intentionally different, being more paranoid in 2.4.x to not surprise
anyone applying a new fix level.