Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
On 02/02/2014 13:45, Kaspar Brand wrote:
> On 01.02.2014 14:37, Dr Stephen Henson wrote:
>> I'm wondering how that could be avoided. Would a way to enumerate all
>> certificates in an SSL_CTX structure in OpenSSL help? Something like
>> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate().
>> That would also set the current certificate at the same time in case
>> applications wanted to inspect the private key or chain.
>
> Yes, this sounds like a useful extension - not only for the issue at hand
> (i.e. SSL_CONF and stapling initialisation), but as a general mechanism
> for retrieving all certificates of an SSL_CTX.

Added now. The API is slightly different, but easy enough to use. To iterate
over all certificates in an SSL_CTX something like this will do the trick:

    X509 *x;
    int rv;

    rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
    while (rv) {
        x = SSL_CTX_get0_certificate(ctx);   /* current certificate; inspect it here */
        rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
    }

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
Re: svn commit: r1563894 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_kernel.c ssl_private.h
Hello Jeff, s/limitiations/limitations/ Thanks, Mike Rumph On 2/3/2014 5:50 AM, traw...@apache.org wrote: Author: trawick Date: Mon Feb 3 13:50:14 2014 New Revision: 1563894 URL: http://svn.apache.org/r1563894 Log: fix a few spelling errors Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c httpd/httpd/trunk/modules/ssl/ssl_private.h Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1563894r1=1563893r2=1563894view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Feb 3 13:50:14 2014 @@ -176,8 +176,8 @@ int ssl_hook_ReadReq(request_rec *r) * cause us to end up in a different virtual host as the one that * was used for the handshake causing different SSL parameters to * be applied as SSLProtocol, SSLCACertificateFile/Path and - * SSLCADNRequestFile/Path cannot be renegotioated (SSLCA* due - * to current limitiations in Openssl, see + * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due + * to current limitiations in OpenSSL, see * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c48592955.2090...@velox.ch%3E * and * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E @@ -207,7 +207,7 @@ int ssl_hook_ReadReq(request_rec *r) /* * We are using a name based configuration here, but no hostname was * provided via SNI. Don't allow that if are requested to do strict - * checking. Check wether this strict checking was setup either in the + * checking. Check whether this strict checking was setup either in the * server config we used for handshaking or in our current server. * This should avoid insecure configuration by accident. */ 
@@ -1904,7 +1904,7 @@ void ssl_callback_Info(const SSL *ssl, i } } /* If the first handshake is complete, change state to reject any - * subsequent client-initated renegotiation. */ + * subsequent client-initiated renegotiation. */ else if ((where SSL_CB_HANDSHAKE_DONE) scr-reneg_state == RENEG_INIT) { scr-reneg_state = RENEG_REJECT; } @@ -2033,7 +2033,7 @@ static int ssl_find_vhost(void *serverna * vhost we have just switched to. Again, we have to make sure * that we're not overwriting a session id context which was * possibly set in ssl_hook_Access(), before triggering - * a renegotation. + * a renegotiation. */ if (SSL_num_renegotiations(ssl) == 0) { unsigned char *sid_ctx = Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1563894r1=1563893r2=1563894view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original) +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Mon Feb 3 13:50:14 2014 @@ -425,7 +425,7 @@ typedef struct { RENEG_INIT = 0, /* Before initial handshake */ RENEG_REJECT, /* After initial handshake; any client-initiated * renegotiation should be rejected */ -RENEG_ALLOW, /* A server-initated renegotiation is taking +RENEG_ALLOW, /* A server-initiated renegotiation is taking * place (as dictated by configuration) */ RENEG_ABORT /* Renegotiation initiated by client, abort the * connection */
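Review bot: the added line `+ * to current limitiations in OpenSSL, see` in the @@ -176,8 +176,8 @@ hunk of ssl_engine_kernel.c still carries the misspelling "limitiations"; the hunk corrects "renegotioated" and "Openssl" on the same two lines but leaves this word untouched, so the spelling pass the log describes is incomplete. Suggest a follow-up that changes it to "limitations".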
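Review bot: in the @@ -207,7 +207,7 @@ hunk the new line `+ * checking. Check whether this strict checking was setup either in the` fixes "wether" but uses "setup" as a verb, which should be "set up"; the unchanged context line just above it, "Don't allow that if are requested to do strict", is also missing its subject ("if we are requested"). Both are comment-only and could go into the same spelling fix.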
Re: svn commit: r1563894 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_kernel.c ssl_private.h
I think the following change is also valid: s/setup/set up/when used as a verb. On 2/3/2014 7:55 AM, Mike Rumph wrote: Hello Jeff, s/limitiations/limitations/ Thanks, Mike Rumph On 2/3/2014 5:50 AM, traw...@apache.org wrote: Author: trawick Date: Mon Feb 3 13:50:14 2014 New Revision: 1563894 URL: http://svn.apache.org/r1563894 Log: fix a few spelling errors Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c httpd/httpd/trunk/modules/ssl/ssl_private.h Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1563894r1=1563893r2=1563894view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Feb 3 13:50:14 2014 @@ -176,8 +176,8 @@ int ssl_hook_ReadReq(request_rec *r) * cause us to end up in a different virtual host as the one that * was used for the handshake causing different SSL parameters to * be applied as SSLProtocol, SSLCACertificateFile/Path and - * SSLCADNRequestFile/Path cannot be renegotioated (SSLCA* due - * to current limitiations in Openssl, see + * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due + * to current limitiations in OpenSSL, see * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c48592955.2090...@velox.ch%3E * and * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E @@ -207,7 +207,7 @@ int ssl_hook_ReadReq(request_rec *r) /* * We are using a name based configuration here, but no hostname was * provided via SNI. Don't allow that if are requested to do strict - * checking. Check wether this strict checking was setup either in the + * checking. Check whether this strict checking was setup either in the * server config we used for handshaking or in our current server. * This should avoid insecure configuration by accident. */ 
@@ -1904,7 +1904,7 @@ void ssl_callback_Info(const SSL *ssl, i } } /* If the first handshake is complete, change state to reject any - * subsequent client-initated renegotiation. */ + * subsequent client-initiated renegotiation. */ else if ((where SSL_CB_HANDSHAKE_DONE) scr-reneg_state == RENEG_INIT) { scr-reneg_state = RENEG_REJECT; } @@ -2033,7 +2033,7 @@ static int ssl_find_vhost(void *serverna * vhost we have just switched to. Again, we have to make sure * that we're not overwriting a session id context which was * possibly set in ssl_hook_Access(), before triggering - * a renegotation. + * a renegotiation. */ if (SSL_num_renegotiations(ssl) == 0) { unsigned char *sid_ctx = Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1563894r1=1563893r2=1563894view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original) +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Mon Feb 3 13:50:14 2014 @@ -425,7 +425,7 @@ typedef struct { RENEG_INIT = 0, /* Before initial handshake */ RENEG_REJECT, /* After initial handshake; any client-initiated * renegotiation should be rejected */ -RENEG_ALLOW, /* A server-initated renegotiation is taking +RENEG_ALLOW, /* A server-initiated renegotiation is taking * place (as dictated by configuration) */ RENEG_ABORT /* Renegotiation initiated by client, abort the * connection */
Re: svn commit: r1562174 - in /httpd/httpd/branches/2.4.x: ./ STATUS docs/manual/ docs/manual/howto/ docs/manual/mod/ docs/manual/mod/mod_macro.xml docs/manual/rewrite/ docs/manual/rewrite/flags.xml m
Le 28/01/2014 20:40, j...@apache.org a écrit : Author: jim Date: Tue Jan 28 19:40:17 2014 New Revision: 1562174 URL: http://svn.apache.org/r1562174 Log: Merge r1556206 from trunk: avoid a tight busy loop with memory allocations when the [N] flag isn't making progress. If backported, probably increase the hard-coded limit to 32k from 10k. Modified: httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?rev=1562174r1=1562173r2=1562174view=diff == --- httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c (original) +++ httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c Tue Jan 28 19:40:17 2014 @@ -231,6 +231,9 @@ static const char* really_last_key = re #define subreq_ok(r) (!r-main || \ (r-main-uri r-uri strcmp(r-main-uri, r-uri))) +#ifndef REWRITE_MAX_ROUNDS +#define REWRITE_MAX_ROUNDS 32000 +#endif Should trunk be synch with 2.4.x with this 32000 limit ? CJ
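Review bot: nothing in the hunk documents REWRITE_MAX_ROUNDS, and the code that consults it and what happens when the limit is hit are not in the quoted diff; since the log describes this as the guard against a [N] rule that makes no progress, the merge should at least mention the new compile-time override (and that 2.4.x uses 32000 while the log speaks of raising a 10k limit) in CHANGES or the [N] flag documentation, and the limit-hit path should log a clear error so that a looping rule surfaces in the error log rather than as a silent cap. The `#ifndef REWRITE_MAX_ROUNDS` wrapper is fine as a build-time knob, but an undocumented knob is one nobody will find.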
Re: svn commit: r1562174 - in /httpd/httpd/branches/2.4.x: ./ STATUS docs/manual/ docs/manual/howto/ docs/manual/mod/ docs/manual/mod/mod_macro.xml docs/manual/rewrite/ docs/manual/rewrite/flags.xml m
19:40:17 2014 @@ -231,6 +231,9 @@ static const char* really_last_key = re #define subreq_ok(r) (!r-main || \ (r-main-uri r-uri strcmp(r-main-uri, r-uri))) +#ifndef REWRITE_MAX_ROUNDS +#define REWRITE_MAX_ROUNDS 32000 +#endif Should trunk be synch with 2.4.x with this 32000 limit ? Intentionally different, being more paranoid in 2.4.x to not surprise anyone applying a new fix level.