OpenBSD-4.6/usr.sbin/httpd/src/CHANGES.SSL
mod_ssl
Apache Interface to OpenSSL
www.modssl.org
ftp.modssl.org
_____________________________________________________________________________
``The difference between a career
and a job is about 20 hours a week.''
CHANGES
This file summarizes *all* types of changes to the mod_ssl package, i.e.
changes between each betalevel and patchlevel, i.e. changes between
2.x.y->2.x.(y+1) and 2.x.y->2.(x+1).0. Take this list as a reference for
concrete and detailed information about every single change. There are
_INTENTIONALLY_ no contributor names attached to the entries. Instead all
contributors are listed in the CREDITS file.
mod_ssl 2.8
_____________________________________________________________________________
Changes with mod_ssl 2.8.16 (18-Jul-2003 to 01-Nov-2003)
*) Upgraded to Apache 1.3.29
*) Avoid memory corruption in certificate handling caused by a heap
memory double-freeing situation.
*) Allow "HTTPS" variable to be passed through by suEXEC.
*) Clear the OpenSSL error code in the pass phrase reading code to
work around the following situation: multiple keys, all with
different pass phrases -- entering the correct pass phrase at each
prompt leads to an OpenSSL error message after the last prompt.
*) Reverted the recent change where ap_cleanup_for_exec() called
ap_kill_alloc_shared(). This caused nasty side-effects in other
processes and is not necessary at all (because shared memory
segments are not inherited across exec).
*) mod_ssl was checking the OpenSSL error reason code against
SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since
OpenSSL reason codes are not unique, this isn't always the case.
It now additionally checks that the library is the SSL library.
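The entry above describes a classification bug: OpenSSL reason codes are only unique within one library, so a check on the reason alone can match an error raised by a different library. The following added example (not code from mod_ssl or OpenSSL) shows the pre-fix and fixed checks side by side. It reimplements the classic ERR_PACK()/ERR_GET_LIB()/ERR_GET_REASON() bit layout as an assumption so that it compiles without linking OpenSSL, and the library and reason numbers are constructed sample values, not the ones from the OpenSSL headers:

```c
#include <stdio.h>

/* Layout of a packed OpenSSL error code as the classic ERR_PACK() macro
 * built it: 8 bits library id, 12 bits function id, 12 bits reason code.
 * Reimplemented here (assumption about openssl/err.h of that era) so the
 * example compiles without linking OpenSSL. */
#define MY_ERR_PACK(lib, func, reason) \
    ((((unsigned long)(lib)    & 0xffUL)  << 24) | \
     (((unsigned long)(func)   & 0xfffUL) << 12) | \
      ((unsigned long)(reason) & 0xfffUL))
#define MY_ERR_GET_LIB(e)    ((int)(((e) >> 24) & 0xffUL))
#define MY_ERR_GET_REASON(e) ((int)((e) & 0xfffUL))

/* Constructed sample identifiers. The real values live in openssl/err.h
 * (ERR_LIB_*) and openssl/ssl.h (SSL_R_HTTP_REQUEST); the argument does
 * not depend on the exact numbers. */
#define SAMPLE_LIB_SYS            2
#define SAMPLE_LIB_SSL            20
#define SAMPLE_SSL_R_HTTP_REQUEST 156
#define SAMPLE_ERR_FUNC           1   /* any function id */

/* Pre-fix test: reason code only. Any library may reuse this number. */
int is_http_on_https_buggy(unsigned long err)
{
    return MY_ERR_GET_REASON(err) == SAMPLE_SSL_R_HTTP_REQUEST;
}

/* Fixed test: a reason code only identifies an error together with the
 * library that produced it. */
int is_http_on_https_fixed(unsigned long err)
{
    return MY_ERR_GET_LIB(err) == SAMPLE_LIB_SSL &&
           MY_ERR_GET_REASON(err) == SAMPLE_SSL_R_HTTP_REQUEST;
}

/* Two constructed error codes: one from the SSL library, one from another
 * library that happens to use the same reason number. */
unsigned long sample_ssl_error(void)
{
    return MY_ERR_PACK(SAMPLE_LIB_SSL, SAMPLE_ERR_FUNC, SAMPLE_SSL_R_HTTP_REQUEST);
}

unsigned long sample_other_lib_error(void)
{
    return MY_ERR_PACK(SAMPLE_LIB_SYS, SAMPLE_ERR_FUNC, SAMPLE_SSL_R_HTTP_REQUEST);
}

int main(void)
{
    unsigned long ssl_err   = sample_ssl_error();
    unsigned long other_err = sample_other_lib_error();

    printf("SSL-library error:   buggy=%d fixed=%d\n",
           is_http_on_https_buggy(ssl_err), is_http_on_https_fixed(ssl_err));
    printf("other-library error: buggy=%d fixed=%d  (buggy check misfires)\n",
           is_http_on_https_buggy(other_err), is_http_on_https_fixed(other_err));
    return 0;
}
```

The misfire matters for error handling: an I/O or system error would be reported (and handled) as "HTTP request sent to HTTPS port", hiding the real failure from the log.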
Changes with mod_ssl 2.8.15 (21-Mar-2003 to 18-Jul-2003)
*) Upgraded to Apache 1.3.28
*) Take over security fix from Apache 2.0 related
to per-directory renegotiations.
Changes with mod_ssl 2.8.14 (18-Mar-2003 to 21-Mar-2003)
*) Fixed logic in the destruction of a temporary certificate
structure, thereby avoiding a crash due to freeing a NULL object.
*) Removed one newly introduced X509_free() call in the context of
SSL_get_certificate(), because this function does not increment a
reference count (although SSL_get_peer_certificate() does).
*) Fixed hash-table based shared memory session cache (shmht)
implementation by making sure that the underlying hash table
library does not crash if memory cannot be allocated.
Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003)
*) Always enforce RSA blinding on RSA private keys in order to be
resistant to timing attacks.
*) Added timeout also to the "pre-sucking" of the trailing data in
POST request handling.
*) Correctly shutdown shared memory pools on fork+exec situations.
*) Bugfix SSL client certificate verification: OpenSSL was not
informed with SSL_set_verify_result(ssl, X509_V_OK) in case
mod_ssl forced the verification to be ok.
*) Consistently use OPENSSL_free() instead of plain free() to
deallocate memory chunks allocated inside OpenSSL.
*) Fixed various memory leaks related to X509 certificates.
Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)
*) Fixed potential Cross-Site-Scripting bug.
*) Allow also 8192 bytes of shared memory data size.
Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)
*) Upgraded to Apache 1.3.27.
*) Fixed internal error handling for CRL verification.
*) Initialize OpenSSL ENGINE before initializing OpenSSL
to work around problems with the PRNG.
*) Also find "openssl" executable in "sbin" directories.
*) Honor specified number of maximum bytes on SSLRandomSeed
if reading from EGD.
*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)
*) Fixed off-by-one buffer overflow bug in the compatibility
functionality (mapping of old directives to new ones).
*) Fixed memory leak in processing of CA certificates.
*) In case there is actually a certificate chain in the session cache,
we now use the value of SSL_get_peer_certificate(ssl) to verify as
it will have been removed from the chain before it was put in the
cache.
*) Seed the PRNG with a maximum of 1K from the internal scoreboard.
Changes with mod_ssl 2.8.9 (27-Mar-2002 to 19-Jun-2002)
*) Upgraded to Apache 1.3.26.
*) Support for OpenSSL 0.9.7.
*) Open random files in binary mode under Win32 to not
stop on EOS characters.
*) Additional internal consistency check on vhost sanity checking
in case no DNS entries are found for virtual hosts.
*) Fixed detection of a faked "Faked Basic Auth" situation for
internal redirection situations.
Changes with mod_ssl 2.8.8 (23-Feb-2002 to 27-Mar-2002)
*) Upgraded to Apache 1.3.24
*) Support leading whitespace in commands of SSLLog "|..."
directives.
*) Fixed timeout handling on connection establishment
by correctly resetting the timeout on errors.
*) Fixed two memory leaks related to CA certificate configuration.
*) Fixed memory leak related to temporary DH key handling.
*) Fixed memory leak on shutdown if CRLs are used.
*) Fixed remaining SIGBUS problems on SPARC inside SHMCB session
cache implementation.
Changes with mod_ssl 2.8.7 (01-Feb-2002 to 23-Feb-2002)
*) Support for the latest OpenSSL 0.9.7 snapshots.
*) Fixed potential buffer overflow in DBM and SHMHT session
cache if very very large certificate chains are used.
*) Compliance with POSIX 1003.1-2001 (SUSv3) by replacing obsolete
"head -1" and "tail -1" constructs with sed variants in scripts.
*) Fixed file descriptor leakage under Win32.
Changes with mod_ssl 2.8.6 (16-Oct-2001 to 01-Feb-2002)
*) Upgraded to Apache 1.3.23
*) Fixed a subtle indexing bug in SHMCB. Each sub-cache used an
indexing structure that (correctly) used index values (and ranges)
as "unsigned int", but the meta-structure in the header had these
ranged as "unsigned char".
*) Perform the SHMCB remove operation under mutual exclusion
to prevent an inter-process synchronization problem.
*) Made sure that mod_ssl does not segfault in case of
SCOREBOARD_SIZE < 1024.
*) Merged in the SDBM patch from Uwe Ohse which fixes a problem with
SDBM's .dir file, which arises when a second .dir block is needed
for the first time. read() returns 0 in that case, and the library
forgot to initialize that new block. A related problem is that the
calculation of db->maxbno is wrong. It just appends 4096*BYTESIZ
bits, which is not enough except for small databases (.dir
basically doubles every time it's too small).
Changes with mod_ssl 2.8.5 (20-May-2001 to 16-Oct-2001)
*) Upgraded to Apache 1.3.22
*) Fixed check whether server certificate wildcard CommonName (CN)
matches the configured server name.
*) Use correct ANSI C prototypes also in (semi-automatically
generated) ssl_engine_dh.c
*) Fixed buffer overflow in ssl_expr_eval_func_file().
Changes with mod_ssl 2.8.4 (04-May-2001 to 20-May-2001)
*) Removed old db1/ndbm.h kludge from mod_ssl.h, because it should
not be needed at all, since mod_ssl downgrades to SDBM anyway on all
Linux platforms. Additionally made the Linux check more accurate
by using src/Configure's $PLAT variable instead of $OS.
*) Upgraded to Apache 1.3.20
*) +------------------------------------------------------------------+
| Officially moved mod_ssl to Apache 2.0: |
| The mod_ssl 2.8.x source tree is now frozen for development |
| and will only be updated for bugfixes and Apache 1.3.x version |
| upgrades. The last release (2.8.3) was imported to the ASF CVS |
| repository under httpd-2.0/modules/ssl/. All development efforts |
| are now directed to the Apache 2.0 area. Nevertheless, mod_ssl |
| 2.8.x releases will occur as long as Apache 1.3.x releases occur.|
+------------------------------------------------------------------+
Changes with mod_ssl 2.8.3 (30-Mar-2001 to 04-May-2001)
*) Allow loadcacert.cgi script to work inside mod_perl.
*) Fixed typo in the directive descriptions in mod_ssl.c
*) Fixed EAPI context usage in http_request.c: a context pointer
can potentially be NULL for some requests and can cause a segfault
if dereferenced.
*) Fixed ENGINE support: the engines are now already loaded at
configure time. Otherwise mod_ssl fails to find them.
*) Fixed typo in httpd.conf-dist.
Changes with mod_ssl 2.8.2 (03-Mar-2001 to 30-Mar-2001)
*) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache
variant from "experimental" state to "production" by removing the
`#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means
that now `SSLSessionCache shmcb:...' is unconditionally available.
*) Modified (only) Win32's specific function SSL_recvwithtimeout()
to use the same retry logic as SSL_writewithtimeout(). This
fixes some problems with MSIE 5.x clients.
*) Made the mutex handling more robust by retrying the
semaphore-based operations in interrupt situations
(errno == EINTR).
*) Also log the OpenSSL error message if the RSA temporary
key(s) cannot be generated.
*) Mention in INSTALL document that building OpenSSL with
`no-threads' increases performance without negative side-effects
because Apache 1.3 is never multi-threaded.
*) Fixed mod_ssl Auth handler: it now returns DECLINED instead of
OK if authentication is passed successfully to allow other modules
(usually mod_auth) to still deny the request.
*) Allow IPC semaphore support also under Tru64 5.x.
*) Fixed certificate DN handling under EBCDIC platforms.
*) Try to avoid casting warnings by using "unsigned long" type
instead of "unsigned int" in the EAPI macros AP_CTX_XXXX.
*) Make sure that the default path /usr/include is never added to
CFLAGS with an explicit -I option to avoid conflicts with vendor
include paths.
*) Make extra sure the ssl_expr_parse.[ch] and ssl_expr_scan.c
files are not regenerated for regular users by timestamping
them in a little bit more conservative way.
*) More fixes to configure.bat and Makefile.win32 to
make mod_ssl work again under Win32.
Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001)
*) Conditionally adjusted source to build quietly also under
latest OpenSSL 0.9.7-dev versions.
*) Added a bunch of (untested!) adjustments and fixes for
the Win32 platform as posted to modssl-users some time
ago by various people.
*) Fixed SSLCipherSuite example in httpd.conf-dist:
The string EXP56 is actually EXPORT56, although inside OpenSSL
the variable is named SSL_TXT_EXP56.
*) Upgraded to Apache 1.3.19 as base version.
*) Extended FAQ entry for MSIE problems.
*) Added FAQ entry for the question "Why do I get lots of random SSL
errors under heavy load?"
Changes with mod_ssl 2.8.0 (14-Oct-2000 to 30-Jan-2001)
*) Upgraded to Apache 1.3.17 as base version.
*) Changed ApacheModuleSSL.dll to mod_ssl.so in Makefile.Win32 to
make mod_ssl not too broken after Apache 1.3.16's Win32 changes.
*) Enhanced ApacheCore.def patch for Win32 folks.
*) Upgraded to Apache 1.3.16 as base version.
*) Fixed ssl_intro.wml: DES uses 56 bit, not 54 bit.
*) Allow %{ENV:variable} in SSLRequire expressions, too.
*) Fixed version parsing for APXS stuff in configure.
*) Fixed Geoff Thorpe's Email addresses in various places.
*) Fixed typo in INSTALL document.
*) Make sure the user is not able to fake the client certificate
based authentication by just entering an X.509 Subject DN
("/XX=YYY/XX=YYY/..") as the username and "password" as the
password if "SSLVerifyClient optional" is used in combination
with "SSLOptions +FakeBasicAuth".
*) Fixed URLs in FAQ.
*) Various fixes for the Win32 world:
reflect renaming of "makefile.nt" to "makefile.win"; scache
reorganisation adjustments; etc.
mod_ssl 2.7
_____________________________________________________________________________
Changes with mod_ssl 2.7.1 (13-Oct-2000 to 14-Oct-2000)
*) Fixed the parsing of SSLSessionCache directives. The prefixes were
incorrectly skipped and led to "unable to open semaphore file"
errors.
Changes with mod_ssl 2.7.0 (12-Aug-2000 to 13-Oct-2000)
*) Upgraded to Apache 1.3.14 as base version.
*) Added new Cyclic Buffer based Shared Memory Session Cache
as ssl_scache_shmcb.c. This was contributed by Geoff Thorpe
<geoff@geoffthorpe.net> and is derived from the "c2shm" variant
used in Stronghold V3. It uses a fixed size cyclic buffer placed
over a shared memory segment for storing SSL session ids. This
way it is even more efficient and faster than the old hash table
based shared memory cache (ssl_scache_shmht.c). It can be used
by building mod_ssl with --enable-rule=SSL_EXPERIMENTAL and then
using "SSLSessionCache shmcb:<path-to-temp-file>(<bytes>)".
*) Cleaned up and restructured the session cache implementation.
ssl_engine_scache.c was split into ssl_scache.c (the abstraction
layer), ssl_scache_dbm.c (the DBM-based implementation) and
ssl_scache_shmht.c (the shared memory based implementation which
uses a hash table).
*) Added experimental support for the ENGINE branch of OpenSSL 0.9.6.
A new SSLCryptoDevice configuration directive is available if the
OpenSSL-ENGINE 0.9.6 package and --enable-rule=SSL_EXPERIMENTAL
is used. The default is "SSLCryptoDevice builtin". To enable
the use of a crypto device use "SSLCryptoDevice <name>",
where <name> is its ID as used with the OpenSSL command line
option "-engine <name>".
*) Completely removed RSAref support to make sure US residents no
longer try to use this ancient piece of restricted/buggy code.
*) mod_ssl failed to start if two certificate keys are encrypted
with different pass phrases and SSLProxyVerify was specified.
mod_ssl 2.6
_____________________________________________________________________________
Changes with mod_ssl 2.6.6 (04-Jul-2000 to 12-Aug-2000)
*) Fixed experimental HTTPS proxy code: A segfault was
produced by an incorrect logging command.
*) Fixed server restarts: Under non-DSO run-time situations, the
OpenSSL library was shut down (and never re-initialized) and this
way caused segfaults on server restarts. This affected only
installations where mod_ssl+OpenSSL were built as a static module
instead of a DSO. This nasty bug was unfortunately introduced in
2.6.5 as a side-effect of an (otherwise correct) memory leak bugfix.
*) Upgraded both the user manual sources and the website
www.modssl.org from WML 1.6 to WML 2.0 format.
*) Various typo fixes in user manual.
*) Typo fix in INSTALL document related to RSAref.
Changes with mod_ssl 2.6.5 (01-May-2000 to 04-Jul-2000)
*) Removed more memory leaks by freeing even more stuff
from the OpenSSL toolkit on module shutdown.
*) Added missing TLSv1, EXP40 and EXP56 keywords to
ssl_reference's documentation of SSLCipherSuite.
*) Updated INSTALL document for MM 1.1.x.
*) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.)
to the FAQ entry about MSIE errors.
*) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid
MSIE5.x problems in advance.
*) Fixed typos in INSTALL: sbin -> bin for apachectl.
*) mod_ssl's configure script now also touches ssl_expr_scan.l and
ssl_expr_parse.y when applying the sources, so that corrupted
timestamps do not trigger the lex/yacc Makefile rules (which are
intended for developer use only).
*) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments
which is especially important for the Win32 environment.
*) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all"
*) Be aware of extended SERVER_BASEVERSION strings in configure.
*) Removed a left-over ssl_scache_expire() call in ssl_scache_init()
which made the life of vendors complicated.
*) Allow more fine-tuned overriding of ap_server_root_relative calls
by providing the context of the call.
Changes with mod_ssl 2.6.4 (16-Apr-2000 to 01-May-2000)
*) Fixed Win32 build by adding gdi32.lib to the libraries
and an additional include for <winsock2.h>.
*) Added Equifax Secure CA certificates to ca-bundle.crt.
*) Let the pass phrase dialog force the prompt to occur only once
(no verification step), because mod_ssl uses the dialog only for
pass phrases which are required for reading private keys. As a
side-effect this should fix a problem under Win32 where a second
prompt occurred for unknown reasons.
*) Added more compatibility to Stronghold v2's SSL_SessionCache.
*) Added two more EAPI hooks under SSL_VENDOR: one for overriding
ap_server_root_relative calls and one for hooking into the server
configuration step.
*) Fixed SSL display for mod_status in `short report' situation.
*) Made the SSL_EXPERIMENTAL stuff more flexible by checking
for particular subset SSL_EXPERIMENTAL_xxxx defines and let
SSL_EXPERIMENTAL define all those per default. This reduces the
amount of patching vendors have to do in order to just enable a
subset of the experimental code.
*) Added hint to INSTALL document about port specifiers in test URLs
(`:8080' and `:8443') if the installation is done under a non-root
user.
*) Fixed Win32's configure.bat: the check for OpenSSL
header and libraries is now extended.
*) Fixed --with-apxs under Solaris where libssl.module
has to know $CC in order to enable the libgcc.a workaround.
*) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL.
Changes with mod_ssl 2.6.3 (02-Mar-2000 to 16-Apr-2000)
*) Moved the session cache expire time calculation and handling in
ssl_engine_scache.c down to the particular cache-type dependent
expire functions to allow a custom vendor supplied cache to perform
its own expire handling.
*) The sub-shells from libssl.module are now called with an
explicitly determined Bourne Shell (instead of the implicit she-bang
line). This both avoids problems on brain-dead platforms where
/bin/sh is broken (Ultrix, etc.) and works around a CVS problem in
OpenBSD where on read-only checkouts the x-bits sometimes get lost.
*) Do a slightly better initialization of the random file
in src/support/mkcert.sh if $HOME/.rnd doesn't exist.
*) Be aware of OpenSSL 0.9.5's X509_V_ERR_CERT_UNTRUSTED error.
*) Cleaned up and optimized ssl_engine_vars.c by kicking out the old
static cipher table and calculating the cipher bits dynamically. This
avoids lots of string comparisons, reduces further maintenance costs
and makes the code smaller.
*) Cleaned up pkg.contrib/truerand.c: volatile variables,
correct function return types, etc.
*) Fix HTTPS proxy support: if SSLProxyVerify is Off, we don't need
to log any errors if the certificate verification fails. Additionally
we now don't free the proxy context after a connection, because we
will need it for the next proxy connection we make.
*) Activate `SSLMutex sem' also on HPUX.
*) Allow libssl.module to handle CFLAGS="cc -flags".
*) Fixed typo in ssl_intro.wml: "message" was written twice
*) Added two eval casts for ap_md5() calls.
*) Fixed typo in ssl_faq.wml: SSLRandSeed -> SSLRandomSeed.
*) Add final messages also under "configure --with-eapi-only" which
give a hint to proceed with --enable-module=so --enable-rule=EAPI in
the Apache source tree.
Changes with mod_ssl 2.6.2 (29-Feb-2000 to 02-Mar-2000)
*) Updated the conf/ssl.crt/ca-bundle.crt file (containing the CA
Root Certificates of over 60 popular CAs) to the contents extracted
from Netscape Communicator 4.72's cert7.db file.
*) Fixed compilation of the new HTTPS proxy code (SSL_EXPERIMENTAL):
SSL_VENDOR was required without need if SSL_EXPERIMENTAL was
enabled. This is now fixed and only SSL_EXPERIMENTAL is required again
for the new HTTPS proxy stuff.
*) Added an FAQ entry about the "less entropy for the PRNG"
problem which now becomes "popular" ;) with OpenSSL 0.9.5.
*) Fixed conf/ssl.crl/Makefile: the files which have to be
checked for existence are named foo.rNNN and not just foo.NNN
*) Fixed a typo related to a RAND_status call in ssl_engine_rand.c
which was introduced in 2.6.1 and which caused mod_ssl fail to
compile if OpenSSL >= 0.9.5 was used [Sorry, my gcc hasn't caught
this typo :-(...]
*) Added also some random files which exist under Mach/Rhapsody
platforms to the list of files in src/support/mkcert.sh to make
sure enough entropy is available on these platforms under "make
certificate" with OpenSSL 0.9.5
*) Enhanced SSLRequire (SH2) -> SSLRequireSSL (mod_ssl)
directive compatibility mapping.
Changes with mod_ssl 2.6.1 (25-Feb-2000 to 29-Feb-2000)
*) Added support for OpenSSL 0.9.5's RAND_egd() which is now used
to read entropy from the EGD Unix domain socket if `SSLRandSeed
egd:/path/to/socket' is configured.
*) Extended builtin PRNG seeding with a run-time stack based source.
This way the builtin source now creates more entropy and usually
enough to make OpenSSL >= 0.9.5 happy again. If OpenSSL is still not
happy (i.e. still not sufficient entropy exists), a warning message
is logged by mod_ssl now.
*) Fixed Tanenbaum's name on the quote in ssl_intro.wml
*) Updated Thawte's sxnet stuff for latest OpenSSL.
*) Allow mod_ssl to compile also under Win32 & VC++ 6.0
*) Fix OS/2 support and this way make mod_ssl again work
also under this platform.
Changes with mod_ssl 2.6.0 (24-Feb-2000 to 25-Feb-2000)
*) Merged in enhanced HTTPS Proxy Support which is derived from
Stronghold 2.x and was originally contributed by C2Net over one
year ago. This is still _EXPERIMENTAL_ stuff, so it is entirely
wrapped with SSL_EXPERIMENTAL sections and has to be enabled at
build time with --enable-rule=SSL_EXPERIMENTAL. Then the following
new configuration directives are provided to fine-tune the HTTPS
proxy support:
o SSLProxyProtocol [+-][SSLv2|SSLv3|TLSv1] ...
(enable or disable SSL protocol flavors)
o SSLProxyCipherSuite XXX:...:XXX
(colon-delimited list of permitted SSL ciphers)
o SSLProxyVerify on|off
(whether to verify the remote certificate)
o SSLProxyVerifyDepth N
(maximum certificate verification depth)
o SSLProxyCACertificateFile /path/to/file
(file containing server certificates)
o SSLProxyCACertificatePath /path/to/dir
(directory containing server certificates)
o SSLProxyMachineCertificateFile /path/to/file
(file containing client certificates)
o SSLProxyMachineCertificatePath /path/to/dir
(directory containing client certificates)
This stuff is declared experimental, because it was still _NOT_
tested in depth and is still _UNDOCUMENTED_. So keep in mind what
SSL_EXPERIMENTAL means and use this with care!
*) Extended the EAPI patches to mod_proxy to allow the new
HTTPS proxy support to be merged in.
*) Fixed ssl_io_suck() prototype scope in mod_ssl.h by changing
the old #ifdef SSL_EXPERIMENTAL to the now correct #ifndef
SSL_CONSERVATIVE.
*) Added "cons" and "nocons" development targets to
src/modules/ssl/Makefile.tmpl.
*) Upgraded to Apache version 1.3.12.
mod_ssl 2.5
_____________________________________________________________________________
Changes with mod_ssl 2.5.1 (22-Jan-2000 to 24-Feb-2000)
*) Made sure OpenSSL's Pseudo Random Number Generator (PRNG) is
seeded already before the temporary RSA keys are generated.
*) Fixed possible security hole in mkcert.sh script (make
certificate) by making sure we already generate the foo.key files
with a proper umask instead of chmod'ing them later (and this way
perhaps too late).
*) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
support (ssl_engine_ext.c/mod_proxy).
*) Fixed quotation author in ssl_glossary.html: it's Richard Nixon,
as Lukas Bradley pointed out.
*) Use "/usr/local/ssl" as the default for $SSL_BASE only if this
path really exists. Else use "SYSTEM" and this way be more
flexible. This is especially interesting for RedHat/RPM users
where OpenSSL stays often directly under /usr.
*) Make sure libssl.module also detects OpenSSL correctly
if OpenSSL was built as shared libraries (.so)
*) Let configure script more accurately check for -h, -v and
-q options on command line.
*) Make `SSLSessionCache none' really work as expected.
*) Added support for the latest OpenSSL snapshot (>= version 0.9.4).
*) Removed the removal of "#ifdef lint.. #endif" lines from
src/modules/ssl/Makefile.tmpl to make the life of the
OpenBSD guys easier in the future.
*) Removed Unix Bourne-Shell construct "2>&1" from Win32's
configure.bat script because Win32 hates this.
*) Fixed ApacheCore.def for Win32: Some numbers occurred
multiple times.
Changes with mod_ssl 2.5.0 (08-Jan-2000 to 22-Jan-2000)
*) Switched the old "POST for HTTPS" support code from
defined(SSL_EXPERIMENTAL) to !defined(SSL_CONSERVATIVE), because this
code is both already stable (even if it's not a conservative approach)
and important. This way POST support is now available per default, but
still can be disabled/removed by very conservative people with an easy
--enable-rule=SSL_CONSERVATIVE.
*) Added SSL_CONSERVATIVE rule to src/Configuration.tmpl which
complements SSL_EXPERIMENTAL. Both rules are per default set
to "no", i.e. disabled. But while SSL_EXPERIMENTAL enables
experimental code, SSL_CONSERVATIVE enables conservative code. That is,
per default some non-conservative things might be enabled which
can be _disabled_ by forcing mod_ssl to use only conservative
approaches.
*) Added entry about "no shared ciphers" to FAQ.
*) Upgraded to the new Apache version: 1.3.11 (BTW, Apache 1.3.10
was never released). This moves the mod_ssl community to the
latest Apache state and this way implicitly provides them over 70
bugfixes and cleanups which 1.3.11 provides over 1.3.9.
mod_ssl 2.4
_____________________________________________________________________________
Changes with mod_ssl 2.4.10 (24-Nov-1999 to 08-Jan-2000)
*) Mentioned MD5-encrypted password in ssl_reference.wml in addition
to DES-encrypted password.
*) Added a new FAQ entry about the path internally pre-defined by
EAPI_MM_CORE_PATH.
*) Adjusted the name-based-vhost complaint: it now says "you should not
use" instead of "you cannot use", because first there are
situations where it can be reasonable to use name-based vhosts with
SSL and second there is no technical restriction on the mod_ssl side,
of course.
*) Changed the license on mod_define.c from the BSD/Apache-style
license to an even less restrictive MIT-style license to allow
everyone to do with this module what they want.
*) Fixed a compile-time warning under very strict compilers by using
a more correct `ssl_verify_t' (enum based) instead of `int' in
ssl_engine_config.c.
*) Various minor documentation updates.
*) Made the EAPI-vs-plain-API complain in mod_so more clear.
*) Adjusted all copyright messages to contain the new year 2000 ;)
*) Fixed INSTALL.W32 document for latest OpenSSL versions.
*) Fixed SSL session id context configuration: the value is now an
MD5 of `server:port' and this way always a string of just 32 bytes,
so OpenSSL's SSL_set_session_id_context() doesn't fail.
*) Removed old CVS information from etc/patch.tar tarball.
Changes with mod_ssl 2.4.9 (05-Nov-1999 to 24-Nov-1999)
*) Fixed SSLRequire expression evaluation for number strings.
Expressions like `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128'
didn't work if SSL_CIPHER_USEKEYSIZE was "40" because the evaluation
used strcmp(3), which fails to compare numbers of different length.
A dedicated comparison function is now used to avoid this problem.
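The strcmp(3) failure in the entry above is easy to reproduce: "40" sorts after "128" byte-wise because '4' > '1', so a 40-bit export cipher would have passed a `>= 128` key-size requirement. The following added example (not mod_ssl's own ssl_expr code) shows the broken comparison next to a numeric-aware one of the kind the fix describes: compare numerically when both operands are integer strings, fall back to strcmp otherwise. The function names and the small operator evaluator are this example's own:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if s is a non-empty string of decimal digits (optional leading
 * sign), 0 otherwise. Only such strings are compared numerically. */
static int is_numeric(const char *s)
{
    if (*s == '+' || *s == '-')
        s++;
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Compare two operands the way an SSLRequire-style evaluator should:
 * numerically when both sides are numbers, lexically (strcmp) otherwise.
 * Returns <0, 0 or >0 like strcmp(3). */
int cmp_numeric_aware(const char *a, const char *b)
{
    if (is_numeric(a) && is_numeric(b)) {
        long la = strtol(a, NULL, 10);
        long lb = strtol(b, NULL, 10);
        return (la > lb) - (la < lb);
    }
    return strcmp(a, b);
}

/* Evaluate "lhs op rhs" for the comparison operators, using the
 * numeric-aware comparison. Returns 1 if the condition holds, else 0.
 * An unknown operator fails closed. */
int eval_cmp(const char *lhs, const char *op, const char *rhs)
{
    int c = cmp_numeric_aware(lhs, rhs);
    if (strcmp(op, "==") == 0) return c == 0;
    if (strcmp(op, "!=") == 0) return c != 0;
    if (strcmp(op, "<")  == 0) return c < 0;
    if (strcmp(op, "<=") == 0) return c <= 0;
    if (strcmp(op, ">")  == 0) return c > 0;
    if (strcmp(op, ">=") == 0) return c >= 0;
    return 0;
}

/* The buggy evaluation the entry describes: plain strcmp on digit strings. */
int eval_ge_strcmp(const char *lhs, const char *rhs)
{
    return strcmp(lhs, rhs) >= 0;
}

int main(void)
{
    /* Constructed sample: a 40-bit export cipher checked against 128. */
    printf("strcmp:  \"40\" >= \"128\" -> %d (wrong: passes)\n",
           eval_ge_strcmp("40", "128"));
    printf("numeric: \"40\" >= \"128\" -> %d\n", eval_cmp("40", ">=", "128"));
    printf("numeric: \"256\" >= \"128\" -> %d\n", eval_cmp("256", ">=", "128"));
    return 0;
}
```

The defensive detail worth keeping is the fail-closed default for an unknown operator: an access-control expression that cannot be evaluated should deny, not grant.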
*) Now on Win32 a warning is logged once on startup that mod_ssl is
NOT officially supported under Win32 and people have to use it there at
their own risk (and so shouldn't complain if it doesn't work). Because
only the Unix platform is officially supported, mod_ssl is checked
for security issues only as they relate to this platform.
*) For performance reasons it is unreasonable to create the SSL_*
CGI/SSI variables _all the time_, because their creation is
a rather expensive operation which slows down the server
noticeably. Instead it is more reasonable to create them for
CGI and SSI requests _only_. For consistency with other
`SSLOptions' variables (which all have positive names) and to
avoid necessary cleanup changes in the future, I decided to make
the incompatible change _NOW_ (sorry).
In short: With mod_ssl 2.4.9 per default no SSI/CGI variables
SSL_* are created any longer (only the special "HTTPS" variable is
always created). Instead one has to use `SSLOptions +StdEnvVars'
to switch the creation on.
*) Added an `SSLOptions' variable `StdEnvVars' which now controls
the creation of the numerous SSL_* CGI/SSI variables.
*) Renamed old variable SSL_{CLIENT,SERVER}_{S,I}_DN_SP to more
correct SSL_{CLIENT,SERVER}_{S,I}_DN_ST variable to conform to
RFC2156 and current OpenSSL state (which also prints this OID as
"ST" and no longer "SP").
*) Added support for SSL_{CLIENT,SERVER}_{S,I}_DN_{T,I,G,S,D,UID}
variables (corresponding to X.509 title, initials, givenName, surname,
description and uniqueIdentifier OIDs) to allow the checking of more
X.509 certificate ingredients.
*) Allow mod_rewrite to also lookup the "HTTPS" variable, for instance
via ``RewriteCond %{HTTPS} !=on''.
*) Removed old URL references to rsaref20.tar.Z from INSTALL document.
*) Now an explicit error message is logged also if an SSL session cannot be
stored to the DBM file via dbm_store (and not just if dbm_open failed).
*) Now the pass phrase dialog no longer uses the hard-coded
filedescriptor 10 as the storage for stderr while the pass phrase dialog
is displayed. Instead (at least under Unix) it tries to open /dev/null
and uses this filedescriptor instead. And when this fails (or always
under Win32) it uses the hard-coded filedescriptor 50 (a lot higher than
10 to avoid problems with logfile rotation programs and other things
Apache could have started).
*) Fixed SSL_make_ciphersuite() function: it calculated the required string
length incorrectly and could segfault. BUT THIS FUNCTION IS STILL NOT
USED IN MOD_SSL AT ALL, so don't panic. This function is for debugging
purposes only.
*) Fixed a filedescriptor leak which happened if encrypted private keys
were used. Here the pass phrase dialog forgot to close a temporary
filedescriptor.
*) Added three new OpenSSL log entry annotations: First, "*no start
line*" now triggers "Bad file contents or format - or even just
a forgotten SSLCertificate KeyFile?" and "*bad password read*"
triggers "You entered an incorrect pass phrase!?". Additionally
"*bad mac decode*" now triggers "Browser still remembered details
of a re-created server certificate?" because people often get "bad
data" dialog boxes while (re-)testing with Snake Oil certs.
*) Added hint about possibly blocking /dev/random devices also to
httpd.conf-default to make sure people don't overlook this subtle
platform-dependent problem. Additionally a new FAQ entry was
made about this, too.
*) Added an entry to the FAQ about GIDs and their intermediate
certificate which has to be configured with SSLCertificateChainFile.
*) Fixed some external URLs in the FAQ.
Changes with mod_ssl 2.4.8 (02-Nov-1999 to 05-Nov-1999)
*) ** IMPORTANT BUGFIX **
If (and only if)...
1. a server restart happened at least once
2. an HTTPS request occurs from a 40-bit/export browser
3. the underlying Unix flavor doesn't always map DSOs
to the same memory address on each restart
...then a segfault was very likely to occur for usually
all previous mod_ssl versions.
The reason was that mod_ssl's temporary RSA keys and DH parameters
were stored in the persistent memory pool directly as OpenSSL's
RSA and DH structures. But although these structures successfully
survived restarts, the contained pointers, which were placed there
by OpenSSL and which were referencing _static_ parts of OpenSSL,
pointed to Nirvana after restarts. So on the next need for RSA
temporary keys or DH parameters (usually caused by 40bit clients)
the OpenSSL library internally segfaulted while processing these
structures.
This was a very long-standing bug and is now fixed by storing the
RSA keys and DH parameters as raw (and this way safe) DER-encoded
ASN.1 data streams (and not structures) in the persistent memory
pool.
*) Added an FAQ entry about Verisign GIDs and the intermediate CA
certificate which is required to fill the gap in the server certificate
chain or browsers will complain.
*) The configure.bat for Win32 now tries to complain if patches were
rejected while they are applied to the Apache source tree.
*) Updated ANNOUNCE and README documents.
Changes with mod_ssl 2.4.7 (22-Oct-1999 to 02-Nov-1999)
*) Added a check to mod_so to complain with a warning if one loads
a plain Apache 1.3 DSO under EAPI (which might work, but can also
segfault).
*) Added more defensive programming checks in the cert/key handling.
*) Added an entry to the FAQ about the commercial alternatives.
*) Disabled SysV IPC semaphore based mutex variant for FreeBSD < 3.0 and
any OpenBSD and NetBSD platforms because of conflicts with their
non-POSIX conforming semctl(2) prototypes.
*) Added an FAQ entry on how to enable Anonymous
Diffie-Hellman (ADH) ciphers.
*) Now `make certificate' allows one to also change the
certificate validity time (default is still 365 days).
*) Recreated the ssl.crt/ca-bundle.crt file with all CA certs found in
Netscape Communicator 4.7's cert7.db file.
Changes with mod_ssl 2.4.6 (01-Oct-1999 to 22-Oct-1999)
*) Re-created RSA and DSA certificates and private keys for both SnakeOil
CA and SnakeOil Server, because the RSA certificate already expired
recently. The cert/keys are now valid for the next 2 years.
*) Freshened up the test welcome page htdocs/index.html with a feather
background image (just for fun ;) and with a few other cosmetic
cleanups.
*) Fixed a few compile warnings under Win32 environment.
*) Fixed interactive terminal based pass phrase dialog on Win32 platform by
explicitly opening `con' (the console) instead of trying to use stdout
(which seems to be no longer connected to the console under Win32).
*) Fixed expiration checks for the session cache. The
calculation and time comparisons were incorrect.
*) Now `httpd -V' also shows the value of EAPI_MM_CORE_PATH
(the path to the MM temporary files) if EAPI_MM is activated.
*) Made sure that `httpd -t' correctly dies, i.e. including a
cleanup of the global MM shared memory pool. Same for
`httpd -V'. This is important to not let temporary files
stay around which confuse `apachectl'.
*) Changed a few checks in ssl_engine_scache.c to be even more
conservative in order to prevent problems in advance.
*) Reduced the size check for DBM session caching from 1024 to 950 bytes,
because most DBM libraries have a limit of 1022. This should make sure
we do not break some requirements some DBM libraries implicitly assume
(even if they do not explicitly document it).
*) Fixed SSL_EXPERIMENTAL code related to the POST problem. We now do a
more careful memory management and a segfault-situation was removed,
too.
*) Now the PID is appended to the global MM based shared memory pool
alloc.c allocates. This avoids problems with multiple server instances
run from the same installation.
*) Fixed a few typos in the INSTALL document.
*) Fixed a nasty bug in the fixup phase which caused ``SSLOptions
+ExportCertChain'' to dump core if no client certificates were present.
Changes with mod_ssl 2.4.5 (28-Sep-1999 to 01-Oct-1999)
*) Now ``make certificate'' displays a warning message if one generates a
DSA certificate with it to make sure the user is aware of the fact that
a DSA-only webserver is currently useless because the popular browsers
do not speak DH-based ciphers. A hint is given that a DSA cert/key pair
is only useful in _combination_ with a parallel configured RSA
cert/key pair.
*) Enhanced the pass phrase dialog: Now ``Server <host>:<port> (<algo>)''
is displayed instead of just ``Server <host>:<port>'' and the
``SSLPassPhraseDialog exec:/path/to/program'' is called with arguments
``<host>:<port> <algo>'' instead of just ``<host>:<port>'' to allow the
distinction between RSA and DSA keys both to the user and to the
program. This is important, because a single virtual host can use both
a RSA and a DSA cert/key at the same time.
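A program for ``SSLPassPhraseDialog exec:...'' therefore has to look at both arguments. The following is an added Python example, not part of the mod_ssl distribution: it resolves the pass phrase from a constructed (host:port, algorithm) table, falls back to the old single-argument form only when that is unambiguous, and prints the phrase on stdout as the dialog expects. The host names, ports and phrases are placeholders.

```python
import sys

# Constructed sample table, not a real deployment: (host:port, algorithm) -> pass phrase.
# A real version of this program must be readable only by the user who starts httpd
# (mode 600, like the key files themselves), since it holds the phrases in clear.
PASS_PHRASES = {
    ("www.example.com:443", "RSA"): "rsa-phrase-example",
    ("www.example.com:443", "DSA"): "dsa-phrase-example",
    ("www.example.com:8443", "RSA"): "other-phrase-example",
}


def passphrase_for(args):
    """Resolve the pass phrase from the arguments mod_ssl passes to the program.

    Since 2.4.5 these are ['host:port', 'algo']; older versions passed only
    ['host:port'].  Returns None when no unambiguous phrase is known, so the
    caller can fail loudly instead of feeding OpenSSL a wrong phrase.
    """
    if not args:
        return None
    host_port = args[0]
    if len(args) > 1:
        return PASS_PHRASES.get((host_port, args[1].upper()))
    # Old single-argument form: answer only if this host has exactly one key,
    # because a vhost with both an RSA and a DSA key cannot be disambiguated.
    candidates = [p for (hp, _algo), p in PASS_PHRASES.items() if hp == host_port]
    return candidates[0] if len(candidates) == 1 else None


def main(argv):
    phrase = passphrase_for(argv[1:])
    if phrase is None:
        sys.stderr.write("no pass phrase configured for %r\n" % (argv[1:],))
        return 1
    # mod_ssl reads the phrase from our stdout, one line.
    sys.stdout.write(phrase + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as, for instance, ``SSLPassPhraseDialog exec:/usr/local/apache/bin/pphrase.py'' (path assumed), the script is run once per key; a non-zero exit makes the startup fail visibly instead of silently trying a wrong phrase.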
*) Added pre-configured (but commented out) SSLCertificate[Key]File
directives to conf/httpd.conf-dist which explains the use of the
additional DSA cert/key.
*) Now the default for SSL_SDBM is 'yes' on Linux boxes because it occurs
too often that Linux boxes with broken DBM libraries are used and people
are wondering why their session cache operations segfault the server. If
you really want to use the vendor DBM library on Linux you now have to
use --disable-rule=SSL_SDBM. But I recommend using SDBM unless
you know what you're doing.
*) Fixed typo in FAQ: SSLSessioCache -> SSLSessionCache.
*) Enhanced the logging facility: First the "Connection to child x"
messages now also contain the client IP address, second every
logfile entry now has a prefix which contains also the process id in
addition to the time. This way it's easier to identify logfile entries
written by different processes.
*) Fixed ssl_engine_vars.c: SSL3_TXT_RSA_IDEA_128_SHA was contained twice
in a table. Instead the second occurrence should be
SSL2_TXT_IDEA_128_CBC_WITH_MD5.
*) Fixed the `union semun' situation for SSLMutex again, this time for
brain-dead ancient Linux versions which have incorrect semctl(2)
prototypes. We now enable IPC semaphores only on glibc 2.1 boxes.
Changes with mod_ssl 2.4.4 (27-Sep-1999 to 28-Sep-1999)
*) Fixed the `union semun' situation for SSLMutex which was broken in 2.4.3
because Apache's internal NEED_UNION_SEMUN define is horribly
inconsistent (it was defined only for Solaris although it should be for
a lot more platforms). The correct solution actually is this: Some
platforms have a `union semun' pre-defined but Single Unix Specification
(SUSv2) says in semctl(2): `If required, it is of type union semun,
which the application program must explicitly declare'. So we have to
define it always ourselves to avoid problems (but under a different name
to avoid a namespace clash, of course).
*) Fixed `make certificate VIEW=1': nested quotes are
disliked by strict(er) Bourne shell flavors.
Changes with mod_ssl 2.4.3 (06-Sep-1999 to 27-Sep-1999)
*) Upgraded pkg.contrib/gid-mkcert.sh to use OpenSSL
instead of SSLeay+cafix+pkcs12.
*) Enabled SSL_USE_SEM (Semaphore based SSLMutex) now explicitly
for FreeBSD, NetBSD, OpenBSD, Linux and Solaris.
*) Fixed ``SSL_CLIENT_CERT_CHAIN<n>'' variable generation under
``SSLOptions +ExportOptions''.
*) Added new ``SSL_CLIENT_VERIFY'' variable which can be used with
SSLRequire to manually check the verify results under ``SSLVerifyClient
optional'' in order to redirect to an enrollment page.
*) Fixed documentation related to SSL_XXX variables.
*) Fixed timeout handling of internal OpenSSL cache.
*) Make sure server.key/ca.key files are stored with explicit
permissions 600 also in conf/ssl.key/ inside the source tree.
*) Added hint about "Connection refused" problem to FAQ.
*) Fixed semaphore based SSLMutex variant: the IPC_CREAT fallback was wrong
and the return code semantics were treated incorrectly. Additionally the
ownership of the semaphore is now set, too.
Changes with mod_ssl 2.4.2 (30-Aug-1999 to 06-Sep-1999)
*) Added hint about -fPIC vs. -fpic to INSTALL document.
*) Changed /sw/bin/perl to the more common /usr/bin/perl
in pkg.contrib/loadcacert.cgi.
*) Fixed two (harmless) compile-time warnings related to
`unsigned char *' vs. `char *'.
*) Added hint about required browser restarts on re-installations.
*) Added quotes to DocumentRoot in conf/httpd.conf-dist
to avoid problems with binbuild.sh.
*) Fixed --with-apxs: configure.stub.sh has to be `sourced' as
`./configure.stub.sh' instead of just `configure.stub.sh' or some
Bourne Shells cannot find it.
Changes with mod_ssl 2.4.1 (18-Aug-1999 to 30-Aug-1999)
*) Added logging hint "too restrictive SSLCipherSuite or using DSA server
certificate?" for "no shared cipher" errors.
*) Added an explicit ap_bflush() call to the connection close hook to
make sure that pending outgoing data is flushed _before_ the SSL
layer is closed. This is important to make sure that the pending
data is still transferred through the SSL layer. Else an I/O
error can occur inside the browser because the pending data is
transferred as plain data (at a time where the browser will no
longer expect the data, i.e. after the SSL close notify message
was already received by it).
*) Added new FAQ entries.
*) Show `-D EAPI_MM' on `httpd -V', too.
*) Pass also $(MFLAGS) to src/support/mkcert.sh for consistency.
*) Fixed mod_define.html: `docroot' was doubled.
*) Made sure mkcert.sh handles the algorithm variable more robustly in order
to make sure that people do not accidentally choose the DSA variant.
*) mod_ssl now complains already at startup if one tries to use ``SSLMutex
file:...'' on Win32 (where the semaphore mutex _has_ to be used).
*) Removed obsolete pkg.ssldoc/ssl_cover_title.gif
Changes with mod_ssl 2.4.0 (03-Aug-1999 to 18-Aug-1999)
*) Upgraded from Apache 1.3.6 to Apache 1.3.9
(Apache versions 1.3.7 and 1.3.8 were not released).
*) Fixed a nasty bug in mod_define.c: the global define variable pool was
never destroyed and this way could lead to segfaults on server restarts.
*) Pass number of bytes from ``SSLRandomSeed exec:/path/to/prog(bytes)'' as
first argument to /path/to/prog in order to allow the program to know
how many bytes of entropy it should provide on stdout.
____ _____
|___ \ |___ /
__) | |_ \
/ __/ _ ___) |
__ |_____(_)____/ __________________________________________
Changes with mod_ssl 2.3.11 (28-Jul-1999 to 03-Aug-1999)
*) Changed pass phrase dialog: Now you're allowed to enter even 1 char pass
phrases, i.e. you're no longer required to enter more than 4 characters.
That's important for encrypted private keys not generated via OpenSSL.
*) Added configuration check: Now mod_ssl checks on startup whether the
CommonName (CN) of a certificate matches the ServerName of the virtual
host. If not, a warning is given, because it will lead to at least
popping up dialog boxes in NS and IE.
*) Added configuration check: Now mod_ssl checks whether more than one
SSL-aware virtual host uses the same IP:port and complains with a
warning, because name-based virtual hosts cannot be used with SSL.
*) Overhauled mod_define: it now uses a global define value table and
this way now works correctly also in <VirtualHost> sections and other
contexts.
*) Added a few more FAQ entries.
*) Cleaned up ssl_init_Module() function: it now no longer
destroys the server_rec argument as a side-effect.
*) Fixed top-level Makefile.tmpl: ssl.crl wasn't created; README.CRL
wasn't installed; incorporated an important escaping bugfix from Apache
1.3.7-dev.
*) Added fallback definitions for TRUE/FALSE to ap_mm.h
*) Fixed I/O pre-sucking for HTTPS proxy situations where
no mod_ssl context is attached to SSL structures.
*) Fixed Mutex acquiring under Win32: the result value
was computed incorrectly and led to warning log entries.
*) Catch SIGPIPE in truerand.c (a contrib program in pkg.contrib/) to allow
it to behave correctly under `SSLRandomSeed exec:bin/truerand N'.
Changes with mod_ssl 2.3.10 (26-Jul-1999 to 28-Jul-1999)
*) Changed the handling of the `per-URL SSL re-configuration in conjunction
with POST method based HTTP requests' problem: Per default mod_ssl now
returns a METHOD_NOT_ALLOWED HTTP error when one tries to POST to a URL
which has SSL parameters re-configured, because mod_ssl per default
cannot handle this situation (for technical reasons). This way the I/O
errors which occurred in the past are now at least replaced by a correct
error message.
But when you build with --enable-rule=SSL_EXPERIMENTAL you get
experimental support for this situation and you then _CAN_ use POST even
in conjunction with per-URL SSL re-configurations.
But nevertheless one has to keep in mind that the POST body is still
transferred under the global SSL parameters and that the renegotiation
(typically to a stronger cipher, etc.) happens only before the response
is sent (and not before the POST data is read!). The rule of thumb is:
per-URL SSL parameters _CANNOT_ be applied to _ANY_ part of the
_REQUEST_, they are only guaranteed to be applied to the _RESPONSE_.
In practice there are situations (for instance when the client resumes
the request already with previously renegotiated parameters, etc.) where
the situation _CAN_ be better. But you cannot _EXPECT_ it to be better
and mod_ssl _CANNOT GUARANTEE_ it to be better, of course.
*) Added support for latest OpenSSL 0.9.4-dev snapshot version.
*) Fixed initialization and cleanup related problems with SSLMutex: The
mutex is now closed before the chown and the mutex is removed only in
the parent on module shutdown.
*) Removed HTTPD_ROOT from EAPI_MM_CORE_PATH definition in httpd.h
because it is redundant and can cause problems.
Changes with mod_ssl 2.3.9 (25-Jul-1999 to 26-Jul-1999)
*) Compile ap_make_shared_sub_pool() only under -DEAPI
and added it to httpd.exp.
*) Fixed alloc.c again: the ap_mm_destroy has to be used only for
defined(EAPI) && defined(EAPI_MM) and not just for defined(EAPI).
Changes with mod_ssl 2.3.8 (25-Jul-1999 to 25-Jul-1999)
*) Fixed a nasty problem with early pool cleanups during
startup when shared memory session caches are configured.
Changes with mod_ssl 2.3.7 (14-Jul-1999 to 25-Jul-1999)
*) Optimization for logfile handling: We now short-circuit the
filedescriptors for inherited logfiles in order to save filedescriptors.
This is important for mass virtual hosting situations where we really
have to reduce the resource consumption.
*) Enhanced the DBM-based SSL Session Cache:
o the cache DBM files are removed on shutdowns and restarts now
to prevent the occurrence of DBM inconsistencies over long runs.
o the DBM store operation now stores only data which has
sizeof(key)+sizeof(data) < 1024 to make sure some broken vendor DBM
libraries do not segfault on large entries. Only with the built-in
SDBM library up to 8KB are stored.
o the expiry procedure was rewritten to prevent problems with
less smart DBM libraries: Instead of iterating and deleting in
parallel (which causes some DBM libraries to become totally crazy) a
two pass approach is used. In the first pass the DBM library is
scanned and expired elements are remembered only. In the second pass
the remembered elements are actually deleted.
*) Fixed SSL mutex handling: the mutex file was not removed on shutdown.
*) Fixed global shared memory pool handling in alloc.c: The shared memory
related temporary files of MM were not removed because ap_mm_destroy()
was missing on exit.
*) A few adjustments and fixes to the FAQ and added hint to OpenSA
to INSTALL.Win32.
*) Fixed ``SSLRandomSeed exec:..'' for OS/2 and Win32.
*) Fixed shared memory pool handling in alloc.c:
Two realloc() calls were not shared memory aware.
Changes with mod_ssl 2.3.6 (22-Jun-1999 to 14-Jul-1999)
*) Enhanced ap_mm_create() failure messages in alloc.c
*) Fixed a core dump for the rare situation where mod_ssl was built
statically into Apache but not enabled (AddModule).
*) Perform more tries to chown() used DBM files.
*) Fixed memory leaks on restarts related to shared memory session cache:
the MM object wasn't removed at all.
*) Allow SSL_DBM_FILE_SUFFIX_DIR and SSL_DBM_FILE_SUFFIX_PAG
to be overridden via CFLAGS.
*) Fixed grammar and typos in ssl_reference.wml
*) Done a blind update of the INSTALL.Win32 document.
*) Added five new FAQ entries.
*) Fixed EAPI MM related permission problems.
*) On startup the configured cipher suite is now also
displayed under log level "trace".
*) Let the Win32 configure.bat complain when --with-apache or
--with-ssl is missing.
*) Added new `SSLCertificateChainFile /path/to/file' directive. This can
point to a file containing the concatenation of PEM encoded CA
certificates which explicitly form the server certificate chain. This is
intended for instance for the Global-ID situation where one _has_ to
send the intermediate CA of Verisign with the GID while one wants to
avoid that under client authentication all clients issued by this CA are
accepted (which would happen when one references the CA cert via
SSLCACertificatePath or SSLCACertificateFile instead of
SSLCertificateChainFile).
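To make the distinction concrete, here is an added httpd.conf fragment (not from the mod_ssl distribution; host names and paths are placeholders) showing the configuration this entry warns against next to the intended one:

```apache
# Added example, not part of the mod_ssl distribution.  Paths are placeholders.
# Situation: a Global ID server certificate whose issuer is an intermediate CA
# that browsers do not know, so the intermediate has to be sent by the server.

# WRONG WAY (commented out): the intermediate does reach the client this way,
# but it is also used for client verification, so under "SSLVerifyClient require"
# EVERY certificate issued by that CA is accepted as a client certificate.
#SSLCACertificateFile /usr/local/apache/conf/ssl.crt/gid-intermediate.crt
#SSLVerifyClient require

# RIGHT WAY: the chain file only supplements the server certificate; client
# verification trusts exactly the CA you list for that purpose.
SSLCertificateFile      /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile   /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/gid-intermediate.crt
SSLCACertificateFile    /usr/local/apache/conf/ssl.crt/our-client-ca.crt
SSLVerifyClient require
```

The check a practitioner wants after deploying this: a client certificate issued by the GID intermediate must be rejected by the server, while one issued by our-client-ca.crt must be accepted.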
*) Changed the "Interrupted by system" `error' to `info' level in
case errno is not > 0.
Changes with mod_ssl 2.3.5 (18-Jun-1999 to 22-Jun-1999)
*) Rewritten the DBM and SHM expiration functions in ssl_engine_scache.c to
avoid the problematic situation where one deletes an entry before the
iteration counter was incremented. This was perhaps also another reason
for the session cache related core dumps.
*) Fixed a nasty bug in ssl_util_table.c: A static (heap-based) calloc()
call was forgotten to be converted to a dynamic (shared memory based)
table->calloc() call. This led to various core dumps once the session
cache's hash table was filled and had to be resized (which occurred
only after some time of operation, of course).
*) Now mod_ssl displays an info logfile entry when the server certificate
is an SGC one and warning logfile entries when the server certificate has
BasicConstraints CA:TRUE or pathlen>0.
*) Fixed FakeBasicAuth handling: ssl::client::dn wasn't
set correctly and wasn't set at all in renegotiation context.
*) Fixed HowTo example with +FakeBasicAuth: AuthName was
missing and typos
Changes with mod_ssl 2.3.4 (09-Jun-1999 to 18-Jun-1999)
*) The Fake Basic Auth stuff now is logging its operation.
*) Fixed pkg.contrib/cca.sh script: CA:TRUE was incorrect
for a client certificate, of course.
*) Added session cache status display to the pages generated by mod_status.
When "ExtendedStatus on" is used mod_ssl appends session cache
information (supported for both DBM and SHM).
*) Fixed ``SSLVerifyClient optional_no_ca'' for per-directory context.
*) Added ``SSLOptions +OptRenegotiate'':
This enables optimized SSL connection renegotiation handling when SSL
directives are used in per-directory context. Per default a strict
handling is enabled where every per-directory reconfiguration of SSL
parameters cause a full SSL renegotiation handshake. When this option
is used mod_ssl tries to avoid unnecessary handshakes by doing more
granular (but still safe) parameter checks. This should reduce
the renegotiation overhead a little bit.
*) Also print SSL errors on SSL_ERROR_SYSCALL situation.
*) Make sure EAPI_MM=SYSTEM doesn't add -I/usr/include to CFLAGS (which
occurs for instance under Debian where MM is installed in system
locations).
*) The SSL session context is now also set on session renegotiations.
Changes with mod_ssl 2.3.3 (08-Jun-1999 to 09-Jun-1999)
*) Various type fixes for Session Cache code.
*) A few fixes to make the Win32 world happy again.
*) Fixed glibc 2.1 ndbm.h inclusion problems.
*) Make sure that in "SSLSessionCache shm:/path/to/file(NNN)"
the size NNN cannot be specified greater than the maximum
possible shared memory segment (which is platform
dependent, of course).
Changes with mod_ssl 2.3.2 (28-May-1999 to 08-Jun-1999)
*) Removed obsolete mca.sh script and updated cca.sh script to current
OpenSSL state.
*) Now "SSLSessionCache none" really disables _all_ caching,
i.e. including the internal OpenSSL cache.
*) Added Shared Memory based SSL Session Cache: A new "SSLSessionCache
shm:/path/to/file(bytes)" variant of the SSL session cache was added.
This uses a high-performance hash table inside a shared memory segment
to provide the fastest inter-process session cache which is possible.
For this Apache+EAPI has to be built with EAPI_MM (linked against the MM
library, the shared memory abstraction).
*) Fixed the EAPI_MM related patches to Apache's src/Configure:
The variables were overridden instead of extended.
*) Added hint to FAQ to make sure people enter the FQDN for CommonName when
generating a server certificate. Added hint to EGD to reference chapter.
*) Some more Win32 fixes.
*) Fixed a session cache problem on shutdowns.
*) Fixed mod_ssl's ``configure --with-mm=DIR''
Changes with mod_ssl 2.3.1 (25-May-1999 to 28-May-1999)
*) Fixed two memory leaks in ssl_util_ssl.c related to BIOs.
*) Fixed EAPI sources in src/ap/: They failed to compile
when -DEAPI wasn't used which isn't nice.
*) Fixed Win32 stuff: src/ap/ap.mak missed entries for ap_mm.[ch],
src/modules/ssl/Makefile.win32 missed entry for ssl_engine_dh.c,
configure.bat wasn't aware of the new include/openssl/ layout.
Changes with mod_ssl 2.3.0 (12-Apr-1999 to 25-May-1999)
*) Upgraded to final OpenSSL 0.9.3 API and made this
version the lowest possible OpenSSL version for mod_ssl.
*) Fixed ap_mm.c stubs.
*) Updated dependencies in src/modules/ssl/Makefile.tmpl
*) Fixed INSTALL document for OpenSSL 0.9.3:
-DNO_IDEA => no-idea and -DRSAref & friends => rsaref.
*) ** Second major step for DH/DSA support **:
The mod_ssl module itself is now aware of multiple certificate/keys when
they are of a different type (one RSA, the other DSA). All internal
cert/key related handling which was hard-coded for RSA was replaced by
generic code which supports both RSA and DSA. This way now all SSL
ciphers, including the real Diffie-Hellman ciphers like
EDH-DSS-DES-CBC3-SHA are supported by mod_ssl.
*) Upgraded Thawte's sxnet stuff in pkg.contrib/
*) Added new variable SSL_SESSION_ID which contains the hex-encoded SSL
session id. This variable is also exported to the SSI/CGI environment
and can be used as a session-unique key.
*) Added more error checking for SSL_XXX variable lookups.
*) ** First major step for DH/DSA support **:
1) snakeoil.{crt,key} was renamed to snakeoil-rsa.{crt,key} and a
snakeoil-dsa.{crt,key} was created. 2) src/support/ca-fix.c was kicked
out (it's obsolete with OpenSSL 0.9.3) and 3) src/support/mkcert.sh was
changed to use the new `openssl x509 -extfile ..' instead of ca-fix and
to support the generation of DSA certs/keys via `openssl gendsa'.
Finally 4) the top-level Makefiles were adjusted to support an
ALGO={RSA,DSA} parameter for selecting the algorithm in batch and a
VIEW=1 parameter for viewing the generated cert/key in plain text
format.
*) Removed more source code relicts of SSLeay by replacing
them with the official OpenSSL variants.
*) Added ap_{mm,MM}* function list to src/support/httpd.exp
*) Update ap_mm.{c,h} for MM 1.0.3, i.e. add stubs for new
ap_{MM,mm,mm_core}_permission() function.
*) Replaced all references to EAY's old email address with the new one.
*) Fixed source tree creation: ap_mm.[ch] wasn't installed.
*) Removed -l option from yacc call in src/modules/ssl/Makefile.tmpl and
touch the pre-generated scanner/parser files so the generation isn't
done for end users.
*) Give more reasonable error message on pass phrase dialog by
distinguishing between "Pass phrase incorrect" and "Private key not
found" situations.
*) Fixed configure and configure.bat scripts: ssl.crl wasn't created
and server.csr wasn't installed under Win32.
*) Added a new ``SSLOptions +StrictRequire'' This _forces_ forbidden
access when SSLRequireSSL or SSLRequire successfully decided that access
should be forbidden. Usually the default is that at least a used
``Satisfy any'' can cancel such access denies (when other access
restrictions were passed), because that's how the Apache Satisfy
mechanism should work. But for strict access restriction you can use
SSLRequireSSL and/or SSLRequire in combination with an ``SSLOptions
+StrictRequire''. Then an additional ``Satisfy Any'' has no chance once
mod_ssl has decided to deny access.
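An added httpd.conf fragment (not from the mod_ssl distribution; the location and network are placeholders) showing the interaction this option exists for:

```apache
# Added example, not part of the mod_ssl distribution.
<Location /secure/>
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # Host-based restriction combined with "Satisfy any": a request from the
    # internal network passes the Allow check and, WITHOUT the line below,
    # that alone would cancel the denial mod_ssl issued for a plain-HTTP or
    # weak-cipher request, because that is how Satisfy works.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Satisfy any

    # With +StrictRequire, a denial by SSLRequireSSL/SSLRequire is final and
    # "Satisfy any" cannot override it.
    SSLOptions +StrictRequire
</Location>
```

The quick check: request /secure/ over plain HTTP from an address inside 10.0.0.0/8 and confirm it is refused; without +StrictRequire the same request is served.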
*) Removed all direct Apache-SSL related comparisons from the mod_ssl FAQ
chapter of the user manual to finally avoid any more blames by Ben
Laurie.
*) Upgraded to the forthcoming OpenSSL 0.9.3 API. Because of too much API
changes (constifications, STACK_OF, etc.) we cannot provide support for
older versions any longer without making the mod_ssl source code ugly.
OTOH for mkcert.sh we already want >= 0.9.3, so drop support for all
older versions now.
*) Switched all addresses and references to new modssl.org domain.
*) Updated the User Manual for version 2.3
*) Various stylistic source code cleanups.
*) EBCDIC-related fix for variable lookup functions.
*) Added generic Shared Memory support to Extended API (EAPI) via the new
MM library (available externally). First two new ap_mm.c/ap_mm.h source
files provide new functions ap_mm_xxx() which are either stubs (when no
shared memory support is available via the MM library) or call the
mm_xxx() counterparts of the MM library. Second, shared memory pools
are patched into alloc.c/alloc.h which uses the ap_mm_xxx() functions in
the background.
*) Added support for X.509 CA Certificate Revocation Lists (CRL). For this
the two new directives SSLCARevocationPath and SSLCARevocationFile
(similar to SSLCACertificate{Path,File}) are provided where one can
store CRL files. The preconfigured default directory for CRLs is
PREFIX/conf/ssl.crl. The SSLCARevocationPath is a directory where the
CRLs are looked up via hash symlinks. For this a ssl.crl/Makefile is
provided similar to ssl.crt/Makefile.
*) Kicked out all remaining SSLeay references and dependencies. The
minimum SSL library version which is now required is OpenSSL 0.9.2b.
____ ____
|___ \ |___ \
__) | __) |
/ __/ _ / __/
__ |_____(_)_____| _________________________________________
Changes with mod_ssl 2.2.8 (29-Mar-1999 to 12-Apr-1999)
*) Use SSL_smart_shutdown() also for SSL proxy stuff.
*) Fixed some compat variable mappings and updated ssl_compat.wml
document to reflect the current compat state.
*) Added ssl_log_applies() function in advance for forthcoming feature
commits.
*) Added NEWS file to distribution which summarizes the major changes and
this way gives a faster overview for the impatient users.
*) Added a new pkg.contrib/cca.sh script which I used for client auth
testing with the latest OpenSSL versions. Additionally adjust old
mca.sh script for OpenSSL.
*) Added the missing ssl_template.inc file to the distribution
*) Various source code cleanups to make forthcoming patches more clean.
Changes with mod_ssl 2.2.7 (24-Mar-1999 to 29-Mar-1999)
*) Fixed the ``HTTPS request received for child'' log entries: Now no
longer multiple copies of a message occur, because mod_ssl logs them
only on initial requests (and no longer on sub-requests and internal
redirects).
*) Fixed a few more memory leaks which occurred on server restarts.
*) Added entry to the FAQ for the MSIE work-around with
``SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown''.
*) Added support for two SetEnvIf variables: ssl-unclean-shutdown and
ssl-accurate-shutdown. These can be used to for instance force different
shutdown approaches for particular browsers. An ``SetEnvIf User-Agent
".*MSIE.*" ssl-unclean-shutdown'' now forces the old mod_ssl 2.1
behaviour where no close notify messages are sent at all before
connection close. An ``SetEnvIf User-Agent ".*Lynx.*"
ssl-accurate-shutdown'' forces an accurate shutdown when the client is
Lynx+OpenSSL where mod_ssl both sends its close notify alert and waits
for the close notify alert of the client.
*) Updated source file dependencies in src/modules/ssl/Makefile.tmpl.
Changes with mod_ssl 2.2.6 (18-Mar-1999 to 24-Mar-1999)
*) Now mod_ssl logs the current Apache, mod_ssl and OpenSSL versions at
startup which makes it easier to distinguish which software combination
is actually running by just looking into the log.
*) Added support for new 56/1024 bit export ciphersuites (idea overtaken
from Apache-SSL 1.32) and sign-only-certificate situations where
stronger (1024 instead of 512 bit) temporary keys are reasonable to use.
*) Upgrade to new upstream version Apache 1.3.6 on vendor branch.
[Version 1.3.5 was not released because of last minute problems]
*) *** SECURITY *** SECURITY *** SECURITY ***
In the OpenSSL project we discovered that a terrible security hole
exists for _all_ SSLeay/OpenSSL server applications that use virtual
hosting. Here sessions could be resumed in the wrong context thus
bypassing client certificate protection! This hole is now fixed in
OpenSSL 0.9.2b by an ad-hoc solution where SSL sessions cannot be resumed
unless the server application tags it with a unique context id per
virtual host. mod_ssl now also performs this tagging to prevent this
exploit.
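The per-virtual-host session tagging described here, the two-pass expiry from 2.3.7 and the 950-byte DBM entry limit from 2.4.6 all concern the same component, the inter-process session cache. The following is an added Python model of such a cache, not mod_ssl's code (which lives in ssl_engine_scache.c and uses DBM or MM shared memory): it keys entries by (vhost context, session id) so a session can never be resumed under another vhost, refuses oversized entries, and expires in two passes. The context tags, session ids and "master secrets" are constructed values.

```python
import time

# Limit chosen in mod_ssl 2.4.6 for DBM entries (most DBM libraries stop at 1022 bytes).
DBM_ENTRY_LIMIT = 950


class SessionCache:
    """Toy model of mod_ssl's inter-process session cache (not mod_ssl's code).

    Entries are keyed by (context, session_id).  The context stands for the
    per-virtual-host session id context from the 2.2.6 fix, so a session that
    was negotiated (and perhaps client-authenticated) on one vhost can never be
    resumed on another one.
    """

    def __init__(self, entry_limit=DBM_ENTRY_LIMIT, clock=time.time):
        self._store = {}
        self._limit = entry_limit
        self._clock = clock  # injectable for deterministic expiry tests

    def store(self, context, session_id, data, expires):
        """Store an entry; refuse (and report) entries too large for fragile DBMs."""
        if len(context) + len(session_id) + len(data) >= self._limit:
            return False
        self._store[(context, session_id)] = (expires, data)
        return True

    def retrieve(self, context, session_id):
        """Return the cached data for this vhost context, or None (expired or unknown)."""
        entry = self._store.get((context, session_id))
        if entry is None:
            return None
        expires, data = entry
        if expires <= self._clock():
            del self._store[(context, session_id)]
            return None
        return data

    def expire(self):
        """Two-pass expiry as in 2.3.7: scan and remember first, delete afterwards.

        Deleting while iterating corrupts some DBM libraries, and raises
        RuntimeError on a Python dict, so the passes are kept separate.
        """
        now = self._clock()
        doomed = [key for key, (expires, _data) in self._store.items() if expires <= now]
        for key in doomed:
            del self._store[key]
        return len(doomed)

    def __len__(self):
        return len(self._store)


def demo():
    """Exercise the cache with constructed values (not captured from real handshakes)."""
    clock = [1000.0]
    cache = SessionCache(clock=lambda: clock[0])
    www, secure = b"www.example.com:443", b"secure.example.com:443"
    sid = bytes.fromhex("a1b2c3d4")

    stored_ok = cache.store(www, sid, b"master-secret-A", expires=1300.0)
    stored_big = cache.store(www, b"\x01", b"x" * 1000, expires=1300.0)
    cache.store(secure, b"\x02", b"master-secret-B", expires=1100.0)

    same_vhost = cache.retrieve(www, sid)      # resumption on the same vhost works
    cross_vhost = cache.retrieve(secure, sid)  # same session id, other vhost: refused

    clock[0] = 1200.0                          # only the secure.example.com entry is stale
    removed = cache.expire()
    return stored_ok, stored_big, same_vhost, cross_vhost, removed, len(cache)
```

The cross-vhost lookup is the point of the 2.2.6 fix: without the context in the key, a session (and its client certificate verification result) established on one virtual host could be resumed on another one whose access rules are stricter.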
*) Added the nifty EAPI-based mod_define module to the source tree. This
module provides variable definitions for arbitrary directive lines,
i.e. you can expand ${xxx} on any(!) directive line. This module is
disabled per default in src/Configuration.tmpl (need an
--enable-module=define) and it lives in the new pkg.addon area.
*) Added Stronghold's table look and feel to mod_status' display page.
This patch is harmless and enabled per default and lives in the new
pkg.addon area.
*) Opened another distribution package subdir: pkg.addon/.
Here addons will be stored which are not directly/physically related to
mod_ssl and EAPI, but indirectly.
*) Cleaned up the generation of the signature table in ap_hook.c
and updated the hook list with the still missing vendor hooks.
*) Renamed recently added vendor hooks to from ssl::vendor::xxx to
ap::mod_ssl::vendor::xxx to be consistent with remaining EAPI hook
names.
*) Upgrade to new upstream version Apache 1.3.5 on vendor branch
*) Fixed a segfault in the HTTPS support for mod_proxy which
occurred when the proxy couldn't connect to the remote host.
*) Be 100% conservative and clean and use SSL_clear() after SSL_new().
Changes with mod_ssl 2.2.5 (04-Mar-1999 to 18-Mar-1999)
*) Fixed the situation where we discovered processes consuming
100% CPU time. This occurred under various not exactly known
circumstances, but it seems it was always when the client plays badly with
the socket connection and OpenSSL cannot recognize it. Then the state
machine of SSL_shutdown() seems to loop endlessly. It's now fixed by
limiting the iterations.
*) Fixed a typo in the SSL_CERTIFICATE_FILE define, although this
variable is still not used.
*) Fixed the POST-problem where kept-alive HTTPS connections hang or
resulted in an I/O error inside the browser because the ``SSL close
notify'' alert couldn't be sent correctly because of Apache's internal
``lingering close'' handling. EAPI was changed to now correctly call the
close_connection module hook also on timeout and linger closes. This
EAPI change means you cannot upgrade your libssl.so with --with-apxs to
this version. A complete Apache rebuild with the updated EAPI code is
necessary.
*) The SSLCertificateFile and SSLCertificateKeyFile directives now can read
PEM (=DER+Base64+headers), DER+Base64 (without headers) and plain DER
format certificate and private key files. This is mostly provided for
convenience reasons.
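The three forms can be told apart by inspection. The following is an added Python example, not mod_ssl's code (which does this in C through OpenSSL's PEM and d2i routines): it detects PEM, headerless Base64 or raw DER, decodes to DER and applies the check a loader should do, namely that the outer ASN.1 SEQUENCE length matches the data. Encrypted PEM keys carrying Proc-Type/DEK-Info header lines are out of scope, and the sample object is a constructed minimal SEQUENCE, not a real certificate or key.

```python
import base64
import binascii
import re
from typing import Tuple

# A PEM object: BEGIN line, Base64 body, matching END line.  Encrypted keys with
# Proc-Type/DEK-Info header lines are out of scope here (their body is not DER).
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(buf: bytes):
    """Length of the outermost DER SEQUENCE in buf (tag + length + content), or None."""
    if len(buf) < 2 or buf[0] != 0x30:       # certificates and keys both start with SEQUENCE
        return None
    first = buf[1]
    if first < 0x80:                         # short form
        return 2 + first
    n = first & 0x7F                         # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    length = int.from_bytes(buf[2:2 + n], "big")
    minimal = 0x80 if n == 1 else 1 << (8 * (n - 1))
    if length < minimal:                     # DER requires the minimal length encoding
        return None
    return 2 + n + length


def looks_like_der(buf: bytes) -> bool:
    """True only if buf is exactly one well-formed DER SEQUENCE (no trailing junk)."""
    return der_total_length(buf) == len(buf)


def load_cert_or_key(raw: bytes) -> Tuple[str, bytes]:
    """Accept PEM, headerless Base64 or raw DER; return (detected_format, der_bytes).

    Raises ValueError (in the spirit of mod_ssl's "Bad file contents or format"
    hint) when none of the three forms fits.
    """
    if looks_like_der(raw):
        return "der", bytes(raw)
    match = PEM_RE.search(raw)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("Bad file contents or format: PEM body is not Base64") from exc
        if not looks_like_der(der):
            raise ValueError("Bad file contents or format: PEM body is not a DER SEQUENCE")
        return "pem", der
    try:                                     # headerless Base64: strip whitespace first
        der = base64.b64decode(b"".join(raw.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("Bad file contents or format") from exc
    if not looks_like_der(der):
        raise ValueError("Bad file contents or format")
    return "base64", der


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real certificate or key.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)                 # b"MAMCAQU="
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + b"\n-----END CERTIFICATE-----\n"
```

The length check is what turns "it decoded" into "it is one complete object": a truncated file, or a DER file with bytes appended, is rejected instead of being handed to the parser.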
*) Add FAQ entry: How to convert PEM into DER.
Changes with mod_ssl 2.2.4 (21-Feb-1999 to 04-Mar-1999)
*) Add important note to INSTALL/INSTALL.Win32 that all
documentation references already use the term OpenSSL, the file and
program names `openssl', etc. although most of the users are still using
SSLeay and don't have any `openssl' command, etc.
*) Fixed two export warnings for ssl_expr_parse.c under Win32.
*) In correspondence with the SSLeay to OpenSSL transition
we changed the --with-ssleay=DIR option to --with-ssl=DIR (but the old
variant is still recognized for backward compatibility, of course). For
consistency we also renamed --with-rsaref=DIR to --with-rsa=DIR.
*) Ported src/support/ca-fix tool to OpenSSL 0.9.2, although after final
switching to OpenSSL 0.9.2 as the minimum required toolkit version we
will no longer need this tool. But until then let us be friendly and
support the OpenSSL snapshots ;-)
*) Added the first cut of Vendor extension support. This stuff is
currently _NOT_ compiled in per default. It has to be enabled with the
new APACI --enable-rule=SSL_VENDOR option. The idea is this: the mod_ssl
sources contain EAPI vendor hooks (`ssl::vendor::xxxx') and internal
EAPI context variables which can be used to change or extend mod_ssl by
a vendor without patching the source code. Grep for `ssl::vendor::'
inside src/modules/ssl/ for more details. Additionally vendors can now
add their own source code as files named ssl_vendor.c, ssl_vendor_XXX.c,
etc. The libssl.module script automatically picks these up under
configuration time and mod_ssl under run-time calls the functions `void
ssl_vendor_register(void)' and `void ssl_vendor_unregister(void)' inside
these objects to bootstrap them. Read the src/modules/ssl/README file
for more details.
*) Fixed two old Stronghold directive compatibility mappings, added missing
Stronghold directive mappings and added a bunch of additional Stronghold
variable mappings.
*) Big and official switch from the name `Apache Interface to SSLeay' to
`Apache Interface to OpenSSL', from any SSLeay-references to
OpenSSL-references, etc. There is still support for SSLeay, of course.
But this renaming cleanup has to be done, because in the near future
support for SSLeay has to be completely dropped due to non-optional
support for new features like DSA/DH, etc (which is only possible with
OpenSSL).
*) Made the error messages of `configure' even more idiot-proof :-(
*) Fixed the connection closing phase: First, mod_ssl no longer hooks into
this phase by using ap_register_cleanup() (with the connection pool)
because the cleanup functions are called by Apache's API a lot too late
(actually _after_ the socket was already closed!). Instead a new EAPI
hook `close_connection' was added to register a hook which is run
directly _before_ the socket is closed. Second, the SSL ``Close
Notify'' alert is now always sent (even when older IE browsers display
the message in the window), because not sending the alert is a violation
of the SSL/TLS standard.
!! ATTENTION: THIS HAD TO CHANGE EAPI, SO YOU HAVE TO RECOMPILE APACHE !!
*) Enhance the output of alert messages under `SSLLogLevel trace'.
*) Make mod_ssl aware of the forthcoming OpenSSL 0.9.2 version
where some callback function signatures will be changed
and a few new TLSv1 export ciphers are added.
*) Fixed restarts which were broken due to recent changes to the cert/key
handling (DER/internal conversions). Now mod_ssl again survives server
restarts without problems.
*) Replaced `%0 %*' with `%0 %1 %2 %3 %4 %5 %6 %7 %8 %9' in configure.bat
because Windows 98 is even more braindead than anyone can imagine.
*) Added AP_HOOK_DECLTMP return code semantic to EAPI's hook mechanism
which is needed in the forthcoming vendor hooks to avoid local temporary
variables.
*) Fixed the `SSLLogLevel debug' output where confusing `Ops, no memory
buffer?' messages occurred in the past. The BIO callback function now
only outputs messages for the actual read/write calls.
*) Fixed a warning the `gcc -O -Wall ...' compiler flag combination causes.
*) Fixed confusing terms in the final messages in mkcert.sh
which display a short description of files under `make certificate'.
*) Fixed compilation for SunOS where no RAND_MAX exists.
Changes with mod_ssl 2.2.3 (05-Feb-1999 to 21-Feb-1999)
*) Cleaned up the namespace of mod_ssl structures:
All helper structures are now named ssl_xxxx_t.
*) Fixed hyperlinks to mod_log_config.html in mod_ssl's User Manual
*) Let mod_log_config's %{XXXX}x functions (provided by mod_ssl) correctly
expand to "-" instead of "" in case XXXX is not available as it's the
case for other mod_log_config functions.
*) Unbreak `SSLOptions +CompatEnvVar' by fixing two nasty bugs
and adding a missing variable.
*) Fixed a confusing "not"-typo in the FAQ.
*) Another round to get rid of the core dumps under the DSO situation when
DSOs are loaded to different memory addresses. We now no longer try to
preserve `RSA *' and `X509 *' structures of the SSL library between
Apache's init rounds. Because as we discovered, SSLeay/OpenSSL uses
various static variables inside these structures which is a big NO-NO
for the nasty Apache double-init round situation. Instead we now convert
the internal structures to DER/ASN.1 byte-streams allocated inside
mod_ssl's global memory pool. This now at least fixed the core dumps
under the Solaris/DSO situation for me.
*) Incorporated a few cleanups for the SDBM code Greg Stein sent me
while he was adding SDBM to his mod_dav package.
Changes with mod_ssl 2.2.2 (04-Feb-1999 to 05-Feb-1999)
*) Fixed `SSLOptions +FakeBasicAuth' and related stuff which
was broken because of a typo in a context variable name.
*) Fixed ToC in chapter 1 of the user manual.
*) Fixed export lists src/ApacheCore.def (Win32) and
src/support/httpd.exp (AIX).
Changes with mod_ssl 2.2.1 (27-Jan-1999 to 04-Feb-1999)
*) Now the configure script uses bold mode to mark some
error messages under xterm, vt100 and vt220 terminals.
*) Added a new chapter 5 (`HowTo') to the User Manual where solutions for
typical situations are presented.
*) Now mod_ssl identifies itself to the SCCS `what' and RCS `ident'
commands with a string `mod_ssl/2.2.x'. This allows one, for instance, to
quickly check what version a libssl.so is by typing `what libssl.so' or
`ident libssl.so'.
*) Added a new directive `SSLProtocol' which is compatible to Stronghold
2.x's directive of the same name. It provides a handy way to control the
SSL protocol flavors (SSLv2, SSLv3, TLSv1) mod_ssl should provide on the
server side. Its use is a little bit similar to special cases of
SSLCipherSuite, but it actually directly affects internal behaviour of
the SSL library. So, saying `SSLProtocol all -SSLv3 -TLSv1' to get a
SSLv2 only server is not really equal to an `SSLCipherSuite' where just
all SSLv3 and TLSv1 ciphers are dropped.
*) EAPI functions are now also added to src/ApacheCore.def.
*) Output a warning when `SSLVerifyClient require' is used but no CAs are
configured for verification. Additionally the `peer didn't return a
certificate' message is annotated with a similar hint.
*) Updated the README.dsov.{fig,ps} files to reflect the
additional internal data structure link from SSL* to request_rec*.
Changes with mod_ssl 2.2.0 (21-Jan-1999 to 27-Jan-1999)
*) Commit the long-prepared and long-awaited feature of
per-directory SSL configuration parameters.
The background is this: SSL parameters like the Cipher Suite or the
certificate chain verification parameters up to now could only be
configured on a per-(virtual)server basis and this way apply to all URLs
under https://this-virtual-server/. The drawback is obvious: You have to
find a common denominator for the whole website, which usually isn't
possible. For instance just because you need client authentication
(``SSLVerifyClient require'') for https://this-virtual-server/foo/bar/,
this shouldn't mean you have to force client authentication for the
whole server. Same for ciphers: Just because a subarea needs to enforce
a stronger cipher (e.g. no export, no null cipher, etc.) shouldn't mean
that the whole website can only be visited with those requirements. So
the idea is to enforce those (usually stronger) requirements on a
per-directory basis.
The problem is: It's a chicken and egg situation. To decide which
parameters should be enforced in the SSL handshake mod_ssl has first to
find out the requested directory. For this the HTTP request has to be
read. But for this the SSL handshake first has to be performed. Bingo!
The nifty solution known from Netscape Commerce servers now is: We
simply do the standard SSL handshake, then we read the HTTP request,
then we perhaps reconfigure the parameters and enforce a second SSL
handshake (this is called "SSL renegotiation") with it. And only when
this handshake is also successful, the HTTP response is sent.
How is this configured? You just put additional SSLVerifyClient,
SSLVerifyDepth and/or SSLCipherSuite directives in <Directory> or
<Location> containers or even .htaccess files. When Apache reaches those
directories, those directives reconfigure the SSL parameters and the SSL
renegotiation is automatically enforced by mod_ssl. The only drawback is
that although an optimization is done to reduce unnecessary
renegotiations (when the parameters were not actually changed), you
usually increase the overhead for a request because a SSL renegotiation
is expensive. So, use the per-directory reconfiguration feature
economically.
Under SSL_EXPERIMENTAL additionally the directives SSLCACertificatePath
and SSLCACertificateFile can be used in per-directory context for
reconfiguration. But it's tagged experimental because SSLeay/OpenSSL
still lacks real support for this. So an ugly kludge has to be done to
support these two directives, too.
*) Give out more information on "Certificate Chain too long" error message.
*) Moved SSLeay/OpenSSL specific stuff to the new source files
ssl_util_ssl.[ch]. !! ATTENTION: NOW SSLeay 0.9.0 or OpenSSL IS NEEDED
!! Because the new internal structures need at least SSL_get_ex_data()
and SSL_set_ex_data() and those are not supported in SSLeay 0.8.x. So
we removed all remaining support for SSLeay 0.8.0. OTOH that's no
problem, because SSLeay 0.8.x is known to be unstable, so it's
reasonable to remove support for it also for other reasons.
*) Added a second SSL context variable which holds (with a delay) a pointer
back to the request_rec structure in Apache. This is needed to reach
the per-directory configuration parameters.
*) Updated the User Manual for mod_ssl 2.2
*) Added SSL_EXPERIMENTAL rule to Configuration.tmpl which
can be used to enable (APACI: ``--enable-rule=SSL_EXPERIMENTAL'')
experimental code inside mod_ssl. Code is declared experimental unless
it is proven to be stable by the users.
*) Replaced the GNU Bison generated ssl_expr_parse.[ch] files with variants
generated by BSD Yacc. This way we have more portable source because BSD
Yacc doesn't use alloca() and other tricks. This especially should
solve the problems under HP/UX.
*) Updated INSTALL file for recent changes and fixed a few typos there.
*) Add a SSL_SDBM rule to Apache's Configuration.tmpl which can be used
(APACI: ``--enable-rule=SSL_SDBM'') to force mod_ssl to build with the
built-in SDBM instead of the custom defined (DBM_LIB) or vendor supplied
DBM library. This is especially useful when the vendor DBM library is
buggy or restricts the data size too dramatically (BTW, Berkeley-DB/1.x,
Berkeley-DB/2.x and GDBM based DBM libraries are ok, because they allow
unlimited data size).
*) Enlarge the SDBM pag/dir blocksize from 1KB/4KB to 8KB/32KB to make sure
SDBM really can deal with SSL sessions containing long certificate
chains. !! ATTENTION: THIS MEANS THAT YOU'VE TO ONCE REMOVE THE FILE YOU
CONFIGURED WITH SSLSessionCache WHEN SDBM WAS USED AND YOU UPGRADE TO
THIS OR A LATER mod_ssl VERSION, BECAUSE THE INTERNAL LAYOUT CHANGED. SO
THE FILE HAS TO BE RECREATED WITH THE NEW LAYOUT !!
*) Make the DBM based session cache more robust by using additional error
situations. This should fix some observed core dumps on Linux boxes
where the vendor DBM library returned strange values.
*) Fixed configuration handling for global directives: Now the correct
memory pools are used and after the first configuration round the global
configuration structure is locked.
*) Added a new `SSLRandomSeed' directive for explicit seeding the Pseudo
Random Number Generator (PRNG) of the SSL library on server startup
and/or connection establishment time. The intent is that this way the
PRNG is better initialized and the generated SSL protocol ingredients
are more secure (because less predictable). For maximum flexibility you
can use three seed sources: an internal source, an external file or an
external program. And you can specify one or more such sources, of
course. For instance under a FreeBSD box you can
now use the following:
SSLRandomSeed startup builtin
SSLRandomSeed startup exec:bin/truerand 16
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random 512
SSLRandomSeed connect file:/dev/urandom 512
This would at server startup-time seed the PRNG first with a few bytes
from the internal source, plus 16 bytes read from stdout of the
`truerand' utility (which is based on the AT&T truerand library and can
be found in the mod_ssl distribution under pkg.contrib/), plus up to 512
bytes from the /dev/random device (it usually only returns a maximum
number of bits of randomness currently contained in the device entropy
pool) plus 512 bytes from the /dev/urandom device (which usually returns
as many bytes as requested, but of low random-quality). Additionally
before any new SSL connection is established the PRNG is again seeded from
the internal source plus up to 512 bytes from /dev/random and plus 512
bytes from /dev/urandom. This should give an adequate seed for the PRNG
used for generating the SSL protocol ingredients.
*) Removed some unnecessary defines for `index' and `rindex'
in etc/patch/config.h which caused problems under AIX.
*) Changed a misleading sentence about RSAref in INSTALL
*) Overtake the idea of Apache-SSL 1.30 to log SSL errors also directly
after SSL_read/SSL_write. This way those error messages should no longer
be missed.
____ _
|___ \ / |
__) | | |
/ __/ _| |
__ |_____(_)_| _____________________________________________
Changes with mod_ssl 2.1.8 (11-Jan-1999 to 21-Jan-1999)
*) Added an additional variable REQUEST_SCHEME which can be used for in
SSLRequire, RewriteCond, RewriteRule, etc. to forward or redirect
HTTP/HTTPS requests with the incoming URL scheme.
*) Surrounded ap_hook_[un]register() calls with wrapper macros to
implicitly cast the function pointers to void pointers, because strict
ANSI C requires this.
*) Added AP_HOOK_ALL support which can be used to call all registered
callback-functions for a hook, independent of any decline value.
This will be used in the future by forthcoming features.
*) Fixed a potential security hole: Both the SSLMutex and SSLSessionCache
files are now created without read access for the group and others.
*) Fixed a typo in the SSL logfile hints and in the terminal
message displayed for the `make certificate' step.
*) Under Extended API situations we now replace the module magic cookie
"AP13" with "EAPI" to let us later distinguish between the EAPI-aware
module structures (which contain additional pointers at the end) and
standard module structures (which lack at least NULL's for the pointers
at the end of the structure). This is important because standard
("AP13") modules would dump core when we dispatch over the additional
hooks because NULL's are missing at the end of the module structure.
But we now do the following: We allow _both_ types of modules to be
loaded by mod_so, but dispatch over the EAPI hooks only when the module
magic cookie indicates "EAPI". This way an Apache+EAPI server can load
module DSOs built with a plain Apache. That's important to allow people
for instance use mod_coldfusion (which is available only as a pre-built
DSO!) or allow the Debian package maintainers to finally build their
Apache package with EAPI without the need to upgrade all other module
packages at the same time.
*) The SSLMutex filename now is internally extended to contain the PID of
the Apache parent process to make the file unique across different
server instances. That's the same approach Apache already uses for the
accept mutex lockfile.
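The two fixes above (owner-only permissions for the SSLMutex and SSLSessionCache files, and a PID suffix to keep the mutex file unique per server instance), as an added example that is not mod_ssl's own code. The function names `private_file_name()`, `create_private_file()`, `is_private_file()` and `file_mode_bits()` and the `/tmp/modssl_example_*` paths are assumptions for illustration; `is_private_file()` is the check an administrator can run against an existing lock or cache file.

```c
/* Added example, not mod_ssl's own code: create a per-instance lock or
 * session-cache file that only its owner can read or write, naming it
 * "<base>.<pid>" so that two server instances never share one file. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Builds "<base>.<pid>" into buf; returns buf, or NULL if it does not fit. */
char *private_file_name(const char *base, pid_t pid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s.%ld", base, (long)pid);
    return (n < 0 || (size_t)n >= len) ? NULL : buf;
}

/* Creates path with mode 0600. O_EXCL makes the call fail if a file of
 * that name already exists, so a pre-existing file is never silently
 * reused; the umask can only remove bits from 0600, never add group or
 * other access. Returns the descriptor or -1. */
int create_private_file(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Check for an existing lock/cache file: 1 if it is a regular file
 * (not a symlink) with no group/other permission bits, otherwise 0. */
int is_private_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Permission bits of path, or -1 if it cannot be examined. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    char path[256];
    int fd;

    /* assumed base name; the real directive value comes from SSLMutex */
    if (!private_file_name("/tmp/modssl_example_mutex", getpid(), path, sizeof path))
        return 1;
    fd = create_private_file(path);
    if (fd < 0)
        return 1;
    printf("%s mode %04o private=%d\n", path,
           (unsigned)file_mode_bits(path), is_private_file(path));
    close(fd);
    unlink(path);
    return 0;
}
```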
*) We now replace the MODULE_MAGIC_COOKIE ("AP13") with "EAPI" under -DEAPI
to make sure that mod_so only loads modules which were really compiled
with -DEAPI. Because else NULL's at the end of the module structure are
missing, which will always lead to core dumps when the Apache core
dispatches over it.
*) Removed hints to the test suite in INSTALL.Win32 because under this
platform there are more test suite problems before the tests can be
really reasonable.
*) Now mod_rewrite's %{XXXX} construct can also "magically" expand all
variables known to mod_ssl, i.e. especially the SSL_XXXX variables.
This way you can use the same variables in a RewriteRule or RewriteCond
you're used to using in an SSLRequire directive.
*) Fixed a few type problems in ca-fix.c which caused strict ANSI C
compilers (not GCC) to complain and fail. This especially fixed the
problems under AIX 4.2
*) Fixed a syntax problem GCC and VC++ never complained about: A trailing
comma on the last element of an enumeration declaration is not allowed,
of course.
*) Changed the EAPI usage inside mod_log_config.c to no longer store a
foreign function pointer (which belongs to mod_ssl) into internal
structures (because when mod_ssl is unloaded during restarts they evolve
into dangling references).
*) Cleaned up the verbose output of configure & configure.bat
and added also support for -v to configure.bat.
*) Make sure mod_ssl's configure script stops with an error
when Apache's configure (APACI) script stopped with an error.
*) Overtake the important idea from Khimenko Victor's EAPI variant to
_un_register EAPI hooks for the various modules when the module is
unloaded (DSO!). Without this dangling references occur inside the EAPI
hook lists which can cause core-dumps.
*) Fixed the %{errstr}c function provided for mod_log_config
and let %{errcode}c always expand to "-".
*) Fixed the self-referencing hyperlink in ssl_overview.html
Changes with mod_ssl 2.1.7 (06-Jan-1999 to 11-Jan-1999)
*) Fixed APXS support for configure script: The --with-apxs was broken when
`apxs' wasn't in the PATH.
*) Added hint for DSO/PIC-situation to the INSTALL file.
*) Changed the "you're speaking HTTP to the HTTPS port" error message from
HTTP_INTERNAL_SERVER_ERROR to BAD_REQUEST, because first BAD_REQUEST is
more correct and HTTP_INTERNAL_SERVER_ERROR from Apache 1.3.4 on no
longer displayed the "error-note".
*) Now finally use LIBS_SHLIB for APXS support (because Apache 1.3.4's apxs
is fixed) and also query the target name and no longer hard-code
"httpd".
*) Upgraded to Apache 1.3.4
*) Now the client IP and server virtual host id are displayed
in addition to the general handshake failure logfile message to make it
more meaningful inside the Apache error_log (where no SSL context is
given).
*) Remove the ca-fix "-pathlen 0" option in mkcert.sh when creating the
server cert. It's only useful for the CA certs.
Changes with mod_ssl 2.1.6 (02-Jan-1999 to 06-Jan-1999)
*) Be even more conservative and correct when aborting a connection: We now
set the conn_rec->aborted flag in addition to blocking the
connection/socket buffer.
*) Added some sort of downgrading support to the logging function to no
longer create messages like "(SSLeay error follows)" although no such
message follows (because SSLeay has no one). The same is done for the
System/errno related messages.
*) Removed direct fiddling with the BUFF->flags stuff. Instead we now use
the API conforming way via ap_bsetflag().
*) Added timeout support for the SSL handshake phase. The timeout in
seconds is the same as configured with the standard Apache "Timeout"
directive for the HTTP request phase. This way one can defend against
special DoS attacks (where the attacker just establishes a lot of
parallel connections but doesn't send data) to the HTTPS port the same
way one can already do it for the HTTP ports.
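The defence this entry describes, as an added example that is not mod_ssl's own code: every read of handshake data is preceded by a bounded wait, so a connection whose peer never sends anything is given up after the timeout instead of holding a server child forever. `wait_readable()` and `read_handshake_bytes()` are assumed names; the `socketpair()` in `main()` stands in for a client connection, the 5-byte TLS record header is a constructed sample, and the 200 ms timeout is an assumption (the entry above uses Apache's Timeout value).

```c
/* Added example, not mod_ssl's own code: bound the time a client may stay
 * silent while the server waits for handshake bytes, mirroring the idea of
 * applying Apache's "Timeout" to the SSL handshake phase. */
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Waits up to timeout_ms for fd to become readable.
 * Returns 1 when data is available, 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return rc > 0 ? 1 : 0;
}

/* Reads exactly want bytes of handshake data, giving up as soon as the peer
 * stays silent for longer than timeout_ms. Returns want on success, the
 * (smaller) number of bytes obtained before the timeout, or -1 on error or
 * EOF. A caller treats anything below want as a failed handshake and closes
 * the connection, so idle connections cannot pile up indefinitely. */
int read_handshake_bytes(int fd, unsigned char *buf, size_t want, int timeout_ms)
{
    size_t got = 0;

    while (got < want) {
        int r = wait_readable(fd, timeout_ms);
        ssize_t n;
        if (r < 0)
            return -1;
        if (r == 0)
            return (int)got;      /* peer idle too long: abort the handshake */
        n = read(fd, buf + got, want - got);
        if (n <= 0)
            return -1;            /* EOF or read error */
        got += (size_t)n;
    }
    return (int)got;
}

int main(void)
{
    int sv[2];
    unsigned char hdr[5];
    /* constructed sample: TLS record header (handshake, version 3.1, 42 bytes) */
    static const unsigned char record[5] = { 0x16, 0x03, 0x01, 0x00, 0x2a };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    printf("silent peer: %d bytes\n", read_handshake_bytes(sv[0], hdr, sizeof hdr, 200));
    if (write(sv[1], record, sizeof record) != (ssize_t)sizeof record)
        return 1;
    printf("talking peer: %d bytes\n", read_handshake_bytes(sv[0], hdr, sizeof hdr, 200));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The timeout is applied per wait rather than to the whole handshake, which is what the entry describes; a hard ceiling on the total handshake time would need an additional deadline check in the loop.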
*) Fixed a display error in the `debug' dump messages and made
the debug dumping more robust by explicitly checking for the case where
SSLeay gives us either a NULL memory pointer or a memory length of -1.
*) Fixed the "Exit: ..." trace messages: They wrote out an (unnecessary)
additional newline which optically broke the tracing messages.
*) Fixed the "you're speaking HTTP to the HTTPS port" error handling.
mod_ssl caused a core dump of the Apache child because the request
processing functions were not aware that a dynamically downgraded (from
HTTPS to HTTP) request can exist for error situations.
*) Added the EAPI functions to src/support/httpd.exp which is needed to
compile mod_ssl as a DSO under the most non-smart linker: AIX' ld.
*) Fixed internal `host:port' based identification of virtual servers which
caused problems under specific Listen/<VirtualHost> configuration
variants where an implicit port was used. Additionally we now no longer
patch the server_rec->port variable of Apache. Instead we leave it as is
and on-the-fly make our decisions.
*) Fixed APXS/EAPI-related error message in the configure script.
*) More OpenSSL support: Recognize the forthcoming `openssl' program in
addition to `ssleay' when searching for the command line tool.
Changes with mod_ssl 2.1.5 (23-Dec-1998 to 02-Jan-1999)
*) Fixed virtual host configuration merging by removing
the default value for SSLCertificateFile.
*) Replaced index() (non-POSIX) with strchr() (POSIX) function
because it doesn't exist under the Win32 environment.
*) Fixed SSLPassPhraseDialog argument processing: exec:/path/to/program
argument variant was not parsed correctly.
*) Let EAPI hooks also be added to the APXS generated
sample module (`apxs -g -n foo').
Changes with mod_ssl 2.1.4 (05-Nov-1998 to 23-Dec-1998)
*) Added the support for OpenSSL (see http://www.openssl.org/),
the Open Source successor of SSLeay. The package name is no longer
hard-wired and so both the HTTP Server field and the logfile entries
correctly reflect the name OpenSSL, too.
*) Changed the EAPI hook `rewrite_command' from
``char *(*rewrite_command) (cmd_parms *, const char *)'' to
``char *(*rewrite_command) (cmd_parms *, void *config, const char *)''
to allow modules to also access the config structure.
*) Added two AddType directives to httpd.conf-dist for
loading .crt and .crl files into Netscape Communicator.
*) Added an entry about the Wassenaar Agreement to the mod_ssl FAQ. In
short: both mod_ssl and SSLeay are not affected by the Wassenaar
Agreement.
*) Added a few more backslashes to the INSTALL step-by-step lists
to make it more clear which commands are on the same command
line and which are separate commands.
*) Added `Year 2000' and `Netscape Lock Icon' entries to the FAQ and fixed
a few layouting bugs in the FAQ.
*) Lots of cleanups to make the source more accurate and to remove
thread-unsafe stuff. Especially all global mc->rCtx.pConn and
mc->rCtx.pServ references are now gone. Additionally the SSLeay app_data
facility is used wherever possible to walk from SSLeay data structures
to Apache data structures without the need of global variables.
*) Cleaned up and enhanced the README.GlobalID document with more
information about the Global ID stuff with the help of
additional hints from Dr Stephen N. Henson.
Changes with mod_ssl 2.1.3 (03-Nov-1998 to 05-Dec-1998)
*) Added APXS support: By using the --with-apxs option you can now easily
upgrade the libssl.so file through a stand-alone build process as long
as you actually use DSO and EAPI doesn't change. In other words, a
simple `./configure --with-apxs=/path/to/apache/sbin/apxs
--with-ssleay=/path/to/your/ssleay; make install' can be used to upgrade
the /path/to/apache/libexec/libssl.so.
*) Added support documentation, programs and scripts for the `Global Server
ID' facility as README.GlobalID, pkg.contrib/gid-mkcert.sh,
pkg.contrib/gid-tagcert.c and pkg.contrib/loadcacert.cgi. This way
people can setup their own private `Global Server ID' stuff :)
*) Allowed SSL renegotiations initiated by the client.
This especially adds support for Verisign's `Global Server ID' facility
where Netscape Communicator does a renegotiation to upgrade the SSL
connection parameters (the cipher) from 40-bit to 128-bit encryption.
*) Fix typo in httpd.conf-dist: `</Location />' -> `</Location>'
*) Added new README.dsov.{fig,ps} files: They are intended for those people
who want to hack themselves inside the mod_ssl source. The figure
provides two diagrams which show the lifetime and chaining of the
various Apache, mod_ssl and SSLeay data structures which are used inside
mod_ssl.
*) Cleaned up some documents.
*) Cleaned up ssl_engine_compat.c a little bit more...
Changes with mod_ssl 2.1.2 (30-Nov-1998 to 03-Dec-1998)
*) Let `httpd -V' show `-D EAPI', too.
*) Fixed again the DBM library determination inside libssl.module: A syntax
error caused the fallback (SDBM) to never be used, which led to
problems on systems where no DBM library exists.
*) Added a check to libssl.module: It now complains with
a warning when SSLeay 0.8 is used because of the known problems (core
dumps on large files, etc.) with these versions.
*) Slightly changed mod_ssl's configure hints displayed as the last step.
*) Removed internal OPTIONAL_SSL stuff which was inherited from Apache-SSL.
I currently cannot see a good reason for allowing subrequests to disable
SSL, so kick out this stuff.
*) Extended Chapter 5 (FAQ List) of the User Manual.
*) Added the Website META Language (WML) sources for the User Manual to the
distribution: This way all sources are available to the user community.
*) Removed one last reference to SSLCACertificateReqFile inside the
httpd.conf-dist file.
Changes with mod_ssl 2.1.1 (17-Nov-1998 to 30-Nov-1998)
*) Fixed typos in pass phrase dialog.
*) Added support to APACI for overriding the conf/ssl.crt/server.crt
default certificate path.
*) Added another logging level `trace' (between `info' and `debug')
and converted all existing `debug' messages to this level. Additionally
the internal SSLeay processing is now logged to this level, too. The
`debug' level now consists of deepest-level I/O dumps where you can even
see every read/write byte on the BIO (the buffer above the SSL record
layer).
*) Changed buffer I/O: Previously NO_WRITEV was forced
because there is no real SSL_writev() available. But the drawback of
this was that writev() (which nevertheless is available on mostly all
platforms) wasn't used for non-SSL requests. The result was bad network
I/O performance when Apache was built with EAPI/mod_ssl. This is now
changed: When writev() is available it is used for non-SSL requests
(this way we gain maximum performance) while for SSL requests the output
is still done via SSL_write().
*) Fixed DBM library determination and build. This especially fixed the
problems with DSO support under Linux platforms where libdbm was
previously not linked against libssl.
*) Added a README.Patents document to the distribution
which tries to explain some RSA patent issues.
*) Fixed Thawte sxnet stuff to work with recent EAPI changes.
*) Fixed documentation: X.509 field was incorrect: SP -> ST.
*) Fixed SSL support for mod_proxy: It was broken because
the "ssl_enable" ctx-flag was set too late.
*) Ported a recent change in Apache-SSL 1.29 to mod_ssl:
``Send CA list to client when SSLCACertificatePath is used (this was
only done for SSLCACertificateFile up to now)''. I've implemented it
with a new ssl_init_FindCAList() function in ssl_engine_init.c where the
main difference is that it _merges_ the list entries from both
directives together while in Apache-SSL the SSLCACertificatePath would
override the SSLCACertificateFile for this list generation. I use them
in parallel for the list generation (by merging their entries) because
they are used in parallel by SSLeay under the verification process, too.
Additionally I've now removed SSLCACertificateReqFile because it was
oversize.
*) Added a similar SSL_accept() check as was recently added to Apache-SSL
1.29, but in a different way: Under the SSL_ERROR_ZERO_RETURN error
don't log it as an error. A "info"-level log entry is enough.
*) Extended the Compatibility chapter of the User Manual to now also
contain information about environment variable derivation.
*) Overhauled the SSL part in the http.conf-dist file.
*) Fixed pkg.sslcfg/ssl.key/server.key: It contained a dummy key
instead of the intended dummy text "THIS FILE SHOULD ...".
*) Fixed httpd.conf-dist: The SSLRequire is only allowed in
<Location> or <Directory> sections there.
*) Fixed documentation: sign.sh instead of ca.sign, SSLRequire uses
braces and not parenthesis for word groups, etc.
*) Use the commonly used .crt extension also in the sign.sh script
*) Fixed backward compatibility code: half-way matching could occur (Sioux'
"RequireSSL" matched the correct "SSLRequireSSL" and led to
"SSLSSLRequireSSL") and the SSLRequireCipher/SSLBanCipher directives
were not matched correctly.
*) Don't do I/O read-aheads in SSLeay under Win32 because it's not safe
for this platform (we use select() there).
*) Fixed two memory leaks in ssl_engine_var.c by copying over
malloc-allocated buffers from X509_NAME_oneline() to Apache
pool-allocated buffers.
*) Fixed RSAref handling: the -L path to the librsaref.a library
file was configured incorrectly (a bogus "/lib" was there)
*) Fixed some ANSI C portability issues which popped up with IRIX vendor
compiler while good-old GCC was happy. This way other compilers should
be quiet now, too.
*) Added notice and workarounds for RSAref portability problem to the
INSTALL document. This is especially important to people using platforms
with non-Intel CPUs (like the Alpha-boxes of DEC).
Changes with mod_ssl 2.1.0 (15-Nov-1998 to 17-Nov-1998)
*) Updated all distribution documents for the final release.
*) Fixed configure.bat script: It failed for version strings like 2.1.0 (no
"b" for beta contained), failed to patch Apache's src/Makefile.nt file
correctly and used not necessary options in nmake calls. Additionally
it now creates .orig files for the patched DevStudio Makefiles, too.
Changes with mod_ssl 2.1b9 (04-Nov-1998 to 15-Nov-1998)
*) Replaced the pkg.ssldoc/* stuff with the new mod_ssl 2.1 User Manual.
*) Fixed patching of Makefile.nt under Win32.
*) Changed test `-e' option to more portable `-r' option.
*) Fixed again the init round handling: The SSLeay initialization
has to be done _every_ time under DSO/DLL situation because
there SSLeay is part of the mod_ssl DSO/DLL which is re-loaded.
*) Under DSO situation the LoadModule directive for libssl.so
is now surrounded by <IfDefine SSL>, too. This way when
-DSSL is not used not even the module is loaded.
*) Replaced the last global var (ssl_ModConfig) with an ap_global_ctx
based approach. This way thread-safety for Win32 and Apache 2.0
can be made more easily.
*) Added compile time check for EAPI:
mod_ssl now can only be compiled when EAPI is active.
*) Forward port from 2.0 branch:
Now SSLVerifyDepth defaults to 1 and this means the client certificate
has to be signed directly by the root CA. The verify depth now is the
max number of CAs which are checked: 0 = self-signed only, 1 =
self-signed or signed by root-CA, 2 = signed by root-CA or signed by a
CA which is signed by the root-CA, etc.
*) Forward port from 2.0 branch:
Now SSLSessionCacheTime defaults to 300s.
*) Forward port from 2.0 branch:
Fixed RSAref instructions in INSTALL file and added more support for
implicitly finding the RSA_BASE to the libssl.module script.
*) Added a SSL_COMPAT configuration rule which is enabled per
default. But when you disable it via --disable-rule=SSL_COMPAT the
backward compatibility code is not built into mod_ssl. This provides a
little bit better performance for those people who don't need the compat
stuff.
*) Removed the patch from mod_auth.c by not spreading the -I option for
SSLeay. Because with the EAPI only the mod_ssl needs to include SSLeay
headers. So we no longer have a conflict with the vendors
crypt.h stuff ;-)
*) Moved the patch from ap_config.h into libssl.module.
*) Overhauled the mod_ssl distribution tree: Now four packages exist
(eapi, sslmod, ssldoc, sslcfg, sslsup) and each contains the patches and
corresponding files. Especially the EAPI stuff is now stand-alone and
doesn't contain any crypto-related stuff.
*) Fixed version parsing in configure.bat script (Win32)
*) Fixed default value for SSLCertificateFile directive.
*) Added real contents for the environment variable mapping. Now all
Apache-SSL 1.x and mod_ssl 2.0.x and the most important Stronghold 2.0.x
variables (the ones corresponding to certificate DN fields) are mapped
to mod_ssl 2.1 variables.
*) Added on-the-fly mapping for the Apache-SSL 1.x and mod_ssl
2.0.x SSLRequireCipher and SSLBanCipher directives.
*) Added a useful SSL_CIPHER_EXPORT variable.
*) Fixed compatibility on-the-fly directive mapping: Now comment and blank
lines are correctly recognized by the mapping mechanism so the user no
longer gets confusing warnings about obsolete directives when they still
occurred in comments.
*) Fixed the complex situation where the SSL logfile cannot be opened but
the error message should still be logged: it now goes to the Apache
general error log.
*) Forward port from 2.0 branch:
Make sure the mkcert.sh can only be used by `make certificate' _inside_
the Apache source tree.
Changes with mod_ssl 2.1b8 (30-Oct-1998 to 04-Nov-1998)
*) Replaced the per-server context Fake-Basic-Authentication stuff with a
per-directory mechanism which can now be enabled on demand and on a
per-directory basis with `SSLOptions +FakeBasicAuth'. This way the
`Cert-Subject-DN to Basic-Auth-Username' mapping is more useful to the
users. The SSLFakeBasicAuth directive was removed. But the mod_ssl
compatibility code automatically maps Apache-SSL's `SSLFakeBasicAuth'
directive to `SSLOptions +FakeBasicAuth' on-the-fly.
*) Added support for exporting the client and server certificates
(not the CA chain; currently only the end certificates) via `SSLOptions
+ExportCertData' in PEM format through the environment variables
SSL_SERVER_CERT and SSL_CLIENT_CERT. This way we bloat up the
environment with certificate stuff only on demand. Additionally the
mod_ssl compatibility code automatically maps Apache-SSL's new
`SSLExportClientCertificates' directive to `SSLOptions +ExportCertData'
on-the-fly.
*) Added backward compatibility mappings for environment variables
of Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x (where
possible). This can now be enabled by the user on demand via `SSLOptions
+CompatEnvVars' - typically inside the .htaccess context of a CGI
script. This way we bloat up the environment with compat stuff only on
demand.
*) Added a generic `SSLOptions [+-]option [...]' directive which can be
used in the `Options' context, i.e. _everywhere_. It is intended to
control various SSL engine parameters.
*) Enhanced the `make depend' author Makefile target: Now dependencies are
also generated for .lo files (DSO object files). This way Make recognizes
the dependencies also under the DSO situation.
*) Now under `make certificate' an interactive prompt is given which asks
whether the private key should be encrypted (the default) or not. This
way it's a little bit easier to set up test servers, at least for me ;-)
*) Make sure all filenames can be ServerRoot relative _and_ get checked for
existence directly inside the directive handlers (and not under
request-time).
*) Changed per-directory directives SSLRequireSSL and SSLRequire from
`FileInfo' to `AuthConfig' context (see AllowOverride), because they are
really authentication directives.
*) Replaced hard-coded r->server->is_virtual and similar checks with more
API-like ap_check_cmd_context()-based checks. Also added some more
configuration checks to make sure directives cannot be placed into the
wrong context.
*) Added a special kludge for the GCC+DSO situation to libssl.module: Under
some platforms (like Solaris) libssl.so has to be explicitly linked
against the libgcc.a in order to resolve internal symbols.
*) Made a lot of coding style cleanups in the ssl_expr_*.c sources.
*) Fixed a nasty bug in ap_hook_use() and ap_hook_call().
*) Backport from 2.0 branch:
Upgraded to included Thawte Strong Extranet sources (ssl.contrib/sxnet/)
from version 1.2.2 to the current 1.2.3.
*) Backport from Apache-SSL:
Incorporation of recent Base64 (uuencode) encoding bugfixes.
*) Added more hints about EAPI and upgrade problems with DSO/DDLs
to the INSTALL and INSTALL.W32 files.
*) Changed the building of mod_ssl under Win32 from static (.LIB)
to dynamic (.DLL), i.e. mod_ssl is now built as a stand-alone Win32 DSO
(DLL in Windows terms) containing SSLeay instead of statically linked
into the apache.exe binary.
Changes with mod_ssl 2.1b7 (09-Oct-1998 to 30-Oct-1998)
*) Fixed DBM access stuff: An invalid argument was given by the
NDBM emulation layer of DB under FreeBSD 2.2.6.
*) Moved all Crypto/SSL stuff from mod_log_config.c, mod_proxy.c and
proxy_http.c to the new ssl_engine_ext.c file. Now SSLeay is _ONLY_
needed for linking the mod_ssl code itself. There are no longer any SSLeay
symbol references outside mod_ssl.
*) Rewrote the ap_hook mechanism to provide support for loosely coupling
modules together, too. Also support is now provided for up to 8
arguments in function signatures.
*) Added support for a SSL Product ID. To the mod_ssl/x.x.x-y.y.y
string inside libssl.version you can now append a string <product>/x.x.x
and then you get -DSSL_PRODUCT=<hex-value-of-x.x.x>,
-DSSL_PRODUCT_NAME="<product>", -DSSL_PRODUCT_VERSION="x.x.x" and a HTTP
Server field similar to this one: ``Server: Apache/1.3.3 (Unix)
MyStuff/1.0.0 mod_ssl/2.1b7 SSLeay/0.9.0b''. This can be used by RH SWS
or the other forthcoming mod_ssl based SSL product to add the version
string without patching ;-)
*) The ca-fix tool is now generated at the `make certificate' step
on-demand only because it's only needed here. And when mod_ssl is not
enabled this tool cannot be built at all (no SSLeay stuff known).
*) Created a new ssl_engine_io.c source file which now contains
all I/O and buffer related code, i.e. the new EAPI-based stuff plus
the Win32/SSLeay functions for buffer I/O.
*) With the help of the EAPI we were now able to add Dynamic Shared
Object (DSO) support for mod_ssl. For this the
src/modules/ssl/Makefile.tmpl, src/modules/ssl/libssl.module and
top-level configure files were adjusted.
*) Replaced SSL code inside mod_log_config.c with EAPI based
code which mainly tries to look up mod_ssl variables. For this the
ssl_engine_vars.c stuff now exports the ssl_var_lookup() function as the
"ssl::var::lookup" hook.
*) Replaced all hard r->connection->client->ssl references with the
now loosely coupled ap_ctx_get(r->connection->client->ctx, "ssl").
*) SSL patches -> Generic Extended API patches:
Completely rewrote the Apache code patches: Instead of patching in SSL
specific hooks we now patch in an Extended API which provides mainly the
following new features:
- generic low-level hooks mechanism:
ap_hook_{init,kill},
ap_hook_{configure,register,unregister},
ap_hook_{configured,registered,call}
- buffer hooks:
ap::buff::{read,write,recvwithtimeout,sendwithtimeout}
- generic context mechanism:
ap_ctx_{new,set,get}
- structure context variables:
BUFF->ctx, conn_rec->ctx, request_rec->ctx, server->ctx
ap_global_ctx
- four new high-level module hooks:
add_module, remove_module,
rewrite_command, new_connection
- a new function ap_add_config_define() which does what
option -D does on the command line.
*) Added new backward compatibility stuff to ssl_engine_compat.c:
We use wildcard configuration directive handlers which are used by us to
provide backward compatibility to old obsolete directives via on-the-fly
mapping. Those wildcard handlers are an additional (patched in)
functionality inside the Apache core, of course ;-)
*) Renamed snakeoil.{crt,key} to snakeoil-ca.{crt,key} and created a real
dummy server certificate/key pair as snakeoil.{crt,key} which is now
used under `make certificate TYPE=dummy'. This fixes the recent
problem where Netscape rejected the dummy certificates because
they had the CA flag set.
*) Fixed CRYPTO_malloc_init() call for Win32 environment.
*) Added a small stand-alone patch.exe (v2.1) to etc/patch/ for the Win32
port. This is now used by default by configure.bat, but the user can
override it with --with-patch=FILE as under Unix. This way the patching
problems caused by incompatible patch utils should be solved.
*) Fix pathname separators (slashes) in Win32's configure.bat script
and make the configure.bat script also accept Perl 5.003 because 5.004 is
not really needed.
*) Fix `uchar' redefinition problem under AIX.
*) Now a warning is issued when HTTPS is configured on an HTTP port.
*) Added configuration parameter checks for various directives.
Changes with mod_ssl 2.1b6 (01-Oct-1998 to 09-Oct-1998)
*) Added a --expert option which disables the user hint messages.
This can be used by package maintainers to get rid of the final
configure messages.
*) Forward port from 2.0 branch:
Recreated the Snake Oil CA certificate: it's now an X.509 v3
certificate with the CA flag set and pathlen 0.
*) Forward port from 2.0 branch:
With special permission from Dr Stephen N. Henson his excellent ca-fix
program was now added to src/support/ and is used by
src/support/mkcert.sh (`make certificate') to fixup the generated
certificates. Especially X.509 v3 certificates can now be generated
where nsCertType and CA pathlen is correctly set. Additionally `ssleay
verify' and `ssleay ... -modulus' checks are performed to make sure the
generated certificates are valid.
*) Forward port from 2.0 branch:
Fixed portability problems with prop.sh aux script.
*) Fixed SSLeay memory setup for Win32 environment.
*) Upgraded to Apache 1.3.3.
*) Added a --force option to mod_ssl's configure script to let developers
apply mod_ssl also to different Apache versions (especially 1.3.x-dev
versions).
Changes with mod_ssl 2.1b5 (17-Sep-1998 to 01-Oct-1998)
*) Created a configure.bat script which tries to resemble the
Unix configure script. Enhanced the INSTALL.W32 document.
*) Incorporated the third feedback for the Win32 port from
Trung Tran-Duc <trung.tranduc@prague.ixos.cz>.
*) Incorporated the second cut of the Win32 port from
Trung Tran-Duc <trung.tranduc@prague.ixos.cz>. Now the buffer code is
finally SSL-aware and a Makefile.nt is provided to build the mod_ssl
sources into a DLL.
*) Replaced some ugly hacking for SSL_CLIENT_CERT_SERIAL
with a safer and more straightforward BIO based approach.
Additionally replaced BIO_ctrl stuff with BIO_pending.
*) Use a more graceful shutdown approach when the SSL handshake
or re-negotiation fails instead of immediately dropping the socket
communication.
*) Cleaned up the log messages and levels.
*) Fixed the "SSLVerifyType optional_no_ca" situation: The situation
has to be checked against more SSLeay errors, because under SSLv3
certificate chain loading leads to the presentation of the client CA
certs, too. Here SSLeay gives different errors.
*) Replaced the first cut of the `Recognize HTTP to HTTPS port' stuff with
the real (=clean) variant which doesn't use SSLeay internal hex values,
etc.
*) Upgrade from Apache 1.3.1 to Apache 1.3.2
*) Forward-port from 2.0 branch:
Changed HTTPS support in mod_proxy: the ap_proxy_http_handler() function
is (illegally, because of DSO, of course) called by third-party
modules (like Apache::Proxy). So make sure we don't change the
signature of this function.
*) Forward-port from 2.0 branch:
Added answer to FAQ `Why is client auth broken after upgrading from
SSLeay 0.8 to 0.9'. Because of the changed hash algorithm used for the
symlinks.
*) Forward-port from 2.0 branch:
Now when `make certificate TYPE=custom' is used the generated
ca.crt/ca.key files are installed, too.
*) Forward-port from 2.0 branch:
Make sure mkcert.sh removes temporary files after work.
*) Enhanced the ssl.crt/Makefile: now <hash>.N extensions are
created when conflicts occur and not only <hash>.0
*) Included a first cut of a port to the Win32 platform by
courtesy of Trung Tran-Duc <trung.tranduc@prague.ixos.cz>. Up to now
these are only source changes to make it compile under Win32. No support
for the build process itself (Makefiles, etc.). But the port already
runs on Trung's Windows NT box.
*) Forward port from 2.0 branch:
Enhanced the INSTALL file: Now an example section describes the
installation with mod_perl and PHP3. Beside this some bugs were fixed
and some more NOTEs were added.
Changes with mod_ssl 2.1b4 (08-Sep-1998 to 17-Sep-1998)
*) Now mod_ssl is more friendly to the typical user error: Using HTTP
instead of HTTPS to access an SSL server. In the past the client has
just seen an I/O error which often confused a lot of people (including
the author of mod_ssl ;-). Now when the SSL_accept of SSLeay fails
mod_ssl recognizes the fact that SSLeay already recognized the HTTP
protocol. Then mod_ssl does a trick: It does some sort of request
roll-back: It reads the remaining bytes of the request, replaces it with
its own error request, lets Apache process this error request and finally
puts out an HTML error page with a clear description of the problem plus
a hyperlink to the HTTPS URL. Currently this check works only with
SSLeay 0.9 until the error code determination can be made more general.
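The detection this entry describes, as an added Python illustration that is not mod_ssl's own code: classify_first_bytes() decides from the first bytes a client sends on an SSL port whether it started an SSLv3/TLS or SSLv2 handshake or sent a plaintext HTTP request line, and https_hint_response() builds the error page with the hyperlink to the HTTPS URL. The byte patterns, the function names and the sample request are assumptions made for this example; mod_ssl itself relies on SSLeay's error code rather than inspecting the bytes. Because the echoed path comes from the client, it is HTML-escaped before it is placed in the page.

```python
import html
import re

# Shape of a plaintext HTTP request line: METHOD SP target SP HTTP/x.y CRLF
_HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) ([^ \r\n]+) HTTP/\d\.\d\r?\n")


def classify_first_bytes(data):
    """Classify the first bytes received on a port that expects SSL/TLS.

    "tls"     : SSLv3/TLS record, handshake content type 0x16, major version 3
    "sslv2"   : SSLv2-style client hello (high bit of the length byte set,
                message type 1)
    "http"    : a plaintext HTTP request line (the user error in the entry)
    "unknown" : anything else
    Assumption for this example: three bytes are enough to tell these apart.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if len(data) >= 3 and (data[0] & 0x80) and data[2] == 0x01:
        return "sslv2"
    if _HTTP_REQUEST_LINE.match(data):
        return "http"
    return "unknown"


def https_hint_response(data, server_name, port):
    """Build the error page that replaces the bare I/O error: a 400 response
    explaining the mistake, with a link to the same path over HTTPS.
    server_name and port are the server's own values, not taken from the
    client; the path is, so it is escaped before being echoed."""
    m = _HTTP_REQUEST_LINE.match(data)
    path = m.group(2).decode("ascii", "replace") if m else "/"
    authority = server_name if port == 443 else "%s:%d" % (server_name, port)
    url = html.escape("https://%s%s" % (authority, path), quote=True)
    body = ("<html><head><title>400 Bad Request</title></head><body>\n"
            "<h1>Bad Request</h1>\n"
            "<p>You are speaking plain HTTP to an SSL-enabled server port.\n"
            "Instead use the HTTPS scheme to access this URL, please.</p>\n"
            '<p><a href="%s">%s</a></p>\n</body></html>\n' % (url, url))
    return ("HTTP/1.0 400 Bad Request\r\nContent-Type: text/html\r\n"
            "Connection: close\r\nContent-Length: %d\r\n\r\n"
            % len(body.encode("utf-8"))) + body
```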
*) Fixed session cache timeout calculation.
*) Fixed session cache DBM file initialization.
*) Forward port from 2.0 branch:
Make the SSL_HOOK_SetupConnection more robust.
*) Forward port from 2.0 branch:
Added checks to APACI to automatically disable DSO for mod_proxy and
mod_log_config when SSL is used (because they have to be built against
SSLeay which is not supported in Apache 1.3.1). But we allow the user to
explicitly use --enable-shared=.., but then at least he gets a warning.
This way we protect the average user but don't hurt the experts.
Especially with Apache 1.3.2 the experts want to use
--enable-rule=SHARED_CHAIN for linking the DSO's against SSLeay.
*) Forward port from 2.0 branch:
Renamed `aux' directory to `etc' because `aux' is a special name under
Windows filesystems (and people at least wanted to extract the stuff
under windows).
*) Forward port from 2.0 branch:
Added Thawte's Strong Extranet module (mod_sxnet.c) to
the ssl.contrib area. This module can be used together
with mod_ssl.
*) Forward port from 2.0 branch:
In order to
- reduce the confusion with sslcerts/server.pem and sslkeys/server.pem
- provide less-problematic non-self-signed certificates on `make certificate'
- prepare for mod_ssl 2.1 and the forthcoming client auth & CA scripts
the following cleanups were done:
1. The files for the SSL certificate system are now stored in the
following three subdirs of the configuration directory:
ssl.crt/ ...... contains the X.509 certificate(s)
ssl.csr/ ...... contains the X.509 certificate signing requests(s)
ssl.key/ ...... contains the RSA private key(s)
Each directory contains a README file which describes the purpose and
the contents.
2. An ssl.crt/snakeoil.crt and ssl.key/snakeoil.key demo CA certificate
and key is distributed with mod_ssl which is used to sign the test
certificates the `make certificate' target creates. This avoids the
problems with MSIE users because MSIE doesn't like self-signed
server-certificates very well.
3. An ssl.crt/ca-bundle.crt is now installed (but not enabled!) which
contains all 33 CA root certificates of known public CAs. They were
extracted from Netscape Communicator 4.06 with my certbundle stuff.
4. The `make certificate' command can now create four types
of certificate setups:
$ make certificate TYPE=dummy (dummy self-signed Snake Oil cert)
$ make certificate TYPE=test (test cert signed by Snake Oil CA)
$ make certificate TYPE=custom (custom cert signed by own CA)
$ make certificate TYPE=existing (existing official cert)
CRT=/path/to/your.crt
[KEY=/path/to/your.key]
The default is TYPE=test which is equivalent to the old `make
certificate' with the exception that now the generated certificate is
no longer a self-signed one. This overview text is also now
displayed at build time. When KEY is missing it is assumed that
it's present in the file from CRT and is extracted from there.
5. For consistency with 4.) the mod_ssl configure script now
uses --with-crt=FILE and --with-key=FILE options. When
--with-key is missing it is assumed that it's present in
the file from --with-crt and is extracted from there.
*) Forward port from 2.0 branch:
Changed the <VirtualHost> example in the conf/httpd.conf-dist file so it
now uses _default_ instead of the server name. This is more portable and
totally sufficient for our default configuration where only one virtual
host is present.
*) Fixed INSTALL document: rsaref.a has to be copied to librsaref.a
*) Totally revised my mod_sslcompat idea because it's not really
practical to have the backward compatibility stuff outside the standard
mod_ssl code. Another reason is that by including it again into the
mod_ssl stuff the code gets easier.
*) Fixed pass phrase dialog: The server name was always displayed
for a new pass phrase.
*) Added support for the idea of SSL_CLIENT_CERT_CHAIN<N> variables (Mark
Shuttleworth, Thawte Consulting) which enables CGI scripts to verify the
client certificate chain up to the root:
SSL_CLIENT_CERT_CHAIN_0 = end entity cert
SSL_CLIENT_CERT_CHAIN_1 = issuer cert
SSL_CLIENT_CERT_CHAIN_2 = issuer's issuer cert ...
But because of problems with system resource limits this is currently
disabled.
*) Added support for automatically determining the DBM library.
When a vendor DBM library is available we now use this one (because
typically this is a better and faster one than SDBM). Only when no
vendor DBM library could be found do we fall back to our built-in SDBM
library (which is slow, but portable).
*) Split the mod_ssl.html document into smaller parts for easier
reading and maintaining. Same for the CHANGES file. The entries for
mod_ssl 2.0.x are now stored in CHANGES.20 while mod_ssl 2.1bx entries
are staying in the CHANGES file.
*) Fixed some pre-processor and variable declaration inconsistencies
which caused portability problems under some non-GCC compilers.
Changes with mod_ssl 2.1b3 (06-Sep-1998 to 08-Sep-1998)
*) Removed a few unnecessary local buffer usages in the mod_ssl-related
code in mod_log_config.c.
*) Updated the documentation for the recent changes, especially for the new
SSLRequire directive and the new provided CGI/SSI variables. I've now
also added a new FAQ which tries to explain why SSL cannot be used
together with name-based virtual hosts (IP-based virtual hosts have to
be used).
*) Fixed ssl_log() (the function which is used to produce all kinds of
SSL logfile messages): It failed for messages containing "%" because
it insecurely used fprintf at some points.
*) Added --quiet|-q, --verbose|-v and --help|-h options to mod_ssl's
`configure' script for controlling the verbosity and for more user
friendliness.
*) Now the mod_ssl `configure' script creates a `config.status' script as
APACI does. This can be used for re-configuring mod_ssl the same way one
does it for Apache.
*) The top-level APACI Makefile now gives a hint for `apachectl start-SSL'
(which internally uses the `httpd -DSSL' command).
*) Now on `make certificate' the hash symlinks in conf/sslcerts/ are
generated via the provided Makefile instead of directly linking (which
fails under some platforms).
*) Added boolean expression scanning/parsing/evaluation as ssl_expr_*
sources and a new SSLRequire directive which now uses this
functionality. This directive can be used in both per-server and
per-directory context and has the syntax ``SSLRequire <expr>'' where
<expr> is defined as:
expr ::= "true" | "false"
| "!" expr
| expr "&&" expr
| expr "||" expr
| "(" expr ")"
| comp
comp ::= word "==" word | word "eq" word
| word "!=" word | word "ne" word
| word "<" word | word "lt" word
| word "<=" word | word "le" word
| word ">" word | word "gt" word
| word ">=" word | word "ge" word
| word "in" "{" wordlist "}"
| word "=~" regex
| word "!~" regex
wordlist ::= word
| wordlist "," word
word ::= digit
| cstring
| variable
| function
digit ::= [0-9]+
cstring ::= "..."
variable ::= "%{" [a-zA-Z][a-zA-Z0-9_-]* "}"
function ::= funcname "(" funcargs ")"
Here for %{XXXX} mostly _all_ possible server variables can be looked
up: the standard CGI variables, the SSL CGI variables, the internal
variables known from mod_rewrite, etc. pp. The intent is the following:
With <expr> one can specify an arbitrarily complex boolean expression
which is evaluated at runtime. When it evaluates to "true" access for
the current request is granted. If it evaluates to "false" access for
the current request is denied. The main use for this is flexible
certificate screening (because one can look up all certificate X.509
fields via %{SSL_CLIENT_xxx}). But it can be used for other
authentication schemes, too.
This is now the general authentication workhorse. With it we were able
to remove the too special SSLRequireCipher and SSLBanCipher directives
because their functionalities are just special cases of boolean
expressions:
SSLRequireCipher C1 C2 ... => SSLRequire %{SSL_CIPHER} in ("C1", "C2", ...)
SSLBanCipher C1 C2 ... => SSLRequire not %{SSL_CIPHER} in ("C1", "C2", ...)
For mod_ssl 2.1.0 (the release version) the above mapping will be done
automatically on the fly by the backward-compatibility code.
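As an added illustration that is not part of mod_ssl's ssl_expr_* sources, here is a small Python implementation of the grammar given above: a tokenizer, a recursive-descent parser and an evaluator for SSLRequire expressions, run against a constructed table of the variables %{...} can look up. Assumptions made for this example: a regex is written /.../ with an optional trailing i, an unknown %{VAR} expands to the empty string, a comparison is numeric when both words are digits and a string comparison otherwise, and the function production of the grammar is left out. Wordlists use the braces of the grammar.

```python
import re

# Constructed sample of the variables an SSLRequire %{...} can look up.
# The values are made up for this example and are not from the page.
SAMPLE_VARS = {
    "SSL_CIPHER": "DES-CBC3-SHA",
    "SSL_CIPHER_USEKEYSIZE": "168",
    "SSL_CLIENT_S_DN_O": "Snake Oil, Ltd.",
    "SSL_CLIENT_S_DN_OU": "Staff",
    "REMOTE_ADDR": "192.0.2.10",
}

# Token classes of the grammar.  Assumption: a regex is written /.../ with an
# optional trailing `i'; the function production is not implemented here.
TOKEN_RE = re.compile(r'''
    \s+
  | (?P<op>&&|\|\||==|!=|=~|!~|<=|>=|<|>|!|\(|\)|\{|\}|,)
  | (?P<kw>\b(?:true|false|eq|ne|lt|le|gt|ge|in)\b)
  | (?P<num>[0-9]+)
  | "(?P<str>(?:[^"\\]|\\.)*)"
  | %\{(?P<var>[a-zA-Z][a-zA-Z0-9_-]*)\}
  | /(?P<rx>(?:[^/\\]|\\.)*)/(?P<rxflags>i?)
''', re.VERBOSE)

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError("unexpected input at %r" % text[pos:pos + 10])
        pos = m.end()
        for kind in ("op", "kw", "num", "str", "var", "rx"):
            if m.group(kind) is not None:          # whitespace sets no group
                val = (m.group("rx"), m.group("rxflags")) if kind == "rx" else m.group(kind)
                tokens.append((kind, val))
                break
    return tokens

CMP = {"==": "eq", "!=": "ne", "<": "lt", "<=": "le", ">": "gt", ">=": "ge"}

def compare(op, a, b):
    """Assumption: numeric comparison when both words are digits, else string."""
    op = CMP.get(op, op)
    if op not in ("eq", "ne", "lt", "le", "gt", "ge"):
        raise SyntaxError("unknown comparison %r" % op)
    if a.isdigit() and b.isdigit():
        a, b = int(a), int(b)
    return {"eq": a == b, "ne": a != b, "lt": a < b,
            "le": a <= b, "gt": a > b, "ge": a >= b}[op]

class Parser:
    """Recursive-descent evaluator: `||' binds weaker than `&&', which binds
    weaker than `!', which applies to a parenthesised expr or one comp."""
    def __init__(self, tokens, env):
        self.toks, self.i, self.env = tokens, 0, env
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, val=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (val and tok[1] != val):
            raise SyntaxError("expected %s %r, got %r" % (kind, val, tok))
        self.i += 1
        return tok
    def parse(self):
        result = self.expr()
        if self.peek()[0] is not None:
            raise SyntaxError("trailing input at token %d" % self.i)
        return result
    def expr(self):                       # expr ::= conj ("||" conj)*
        value = self.conj()
        while self.peek() == ("op", "||"):
            self.take()
            rhs = self.conj()             # both sides are parsed, no short-circuit
            value = value or rhs
        return value
    def conj(self):                       # conj ::= unary ("&&" unary)*
        value = self.unary()
        while self.peek() == ("op", "&&"):
            self.take()
            rhs = self.unary()
            value = value and rhs
        return value
    def unary(self):                      # "!" unary | "(" expr ")" | true | false | comp
        tok = self.peek()
        if tok == ("op", "!"):
            self.take()
            return not self.unary()
        if tok == ("op", "("):
            self.take()
            value = self.expr()
            self.take("op", ")")
            return value
        if tok in (("kw", "true"), ("kw", "false")):
            return self.take()[1] == "true"
        return self.comp()
    def word(self):                       # word ::= digit | cstring | variable
        kind, val = self.take()
        if kind in ("num", "str"):
            return val
        if kind == "var":
            return self.env.get(val, "")  # assumption: unknown variable -> ""
        raise SyntaxError("expected word, got %r" % ((kind, val),))
    def comp(self):
        lhs = self.word()
        kind, op = self.take()
        if (kind, op) == ("kw", "in"):    # word "in" "{" wordlist "}"
            self.take("op", "{")
            items = [self.word()]
            while self.peek() == ("op", ","):
                self.take()
                items.append(self.word())
            self.take("op", "}")
            return lhs in items
        if (kind, op) in (("op", "=~"), ("op", "!~")):
            pattern, flags = self.take("rx")[1]
            hit = re.search(pattern, lhs, re.I if flags == "i" else 0) is not None
            return hit if op == "=~" else not hit
        return compare(op, lhs, self.word())

def ssl_require(expression, env):
    """Evaluate an `SSLRequire <expr>' string; True means access is granted."""
    return Parser(tokenize(expression), env).parse()
```

Note that both operands of `&&` and `||` are always parsed, so a syntax error anywhere in the directive is reported at configuration time rather than only on the requests that happen to reach that branch.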
*) Removed the __SSLeay prefix inside the source now that the function
prefixes are documented in the README file.
Changes with mod_ssl 2.1b2 (02-Sep-1998 to 06-Sep-1998)
*) Added the first cut of HTTPS support for the proxy module. This is
currently done by making the generic HTTP handler SSL-aware. But it
still doesn't provide support for client or server authentication nor
does it provide a way to configure it. Later we'll add perhaps
SSLProxyXXXXX directives to allow the users to configure the SSL client
inside the proxy. But beside this it's fully functional. One can use it
for proxying https://xxx URLs and also use `ProxyPass https://xxxx'.
(the sources of SSLeay's s_client and cURL were my friends ;-)
*) Replaced old kludges in mod_log_config.c and mod_ssl sources to
determine SSL protocol name with the clean SSL_get_version() which
already exists in SSLeay 0.8 and 0.9.
*) As a result of the new ssl_var_lookup() the function ssl_ExpandCert() with
the old less-portable and unclean parsing stuff (it parsed the DN into the
fields on a string basis instead of correctly determining the fields
from SSLeay structures) was kicked out and the environment annotation is
now done with generic variable lookups.
*) Added a new source file named ssl_engine_vars.c which contains
a waterfall approach to expanding arbitrary server+SSL variables. The
main function is ssl_var_lookup() which can operate in different
contexts. The idea is to resolve information mainly through this
function when it's required. Currently the usage is: logfile entries,
environment annotation. In the future this will be also used for the
SSLRequire directive.
*) Cleaned up the API command configuration and shortened the code by using
#defines. Additionally replaced the polymorphic command handling
functions with real ones (less pointer arithmetic and preparation for
more config-time syntax checks).
Changes with mod_ssl 2.1b1 (26-Aug-1998 to 02-Sep-1998)
*) Again completely rewrote the pass phrase handling. This time because the
recent discussions on the sw-mod-ssl mailing lists showed that the direct
caching of pass phrases at run-time and the forcing of the
administrator to use a single pass phrase for all private key files is
not really reasonable. Now the pass phrase handling looks this way:
1. A directive `SSLPassPhraseDialog builtin|exec:/path/to/program'
is used for configuring the pass phrase dialog. The `builtin' is a
terminal based dialog while `exec:/path/to/program' runs an external
program (which gets `servername:port' as the argument for which the
pass phrase has to be given on stdout).
2. The `builtin' terminal dialog is now a lot different:
First it detects wrong pass phrases and gives reasonable error
messages and second it uses Holger Reif's maximum-reuse idea for the
pass phrase query:
When a private key file is encrypted, all known pass phrases (at the
beginning there are none, of course) are tried. If one of those known
pass phrases succeeds no dialog pops up for this file. If none
succeeded, another pass phrase is queried and remembered for the next
round (where it perhaps can be reused). This scheme allows mod_ssl
to be maximally flexible (because for N encrypted private key files you
_can_ use N different pass phrases - but then you have to enter all
of them, of course) while minimizing the dialog (i.e. when you use a
single pass phrase for all N private key files this pass phrase is
queried only once).
3. After the pass phrase dialog the temporarily remembered pass phrases
are immediately wiped out from memory. Instead only the
SSLeay-internal representation of the RSA private key and the X.509
certificate are stored (as SSLeay already does itself). For this a
per-module global configuration pool is used which survives Apache
server restarts. This means that Apache will again no longer fall
down on restarts.
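The maximum-reuse scheme of point 2 and the wipe of point 3, as an added Python illustration that is not the ssl_engine_pphrase.c code: every known pass phrase is tried on each encrypted key file before a dialog is opened, a newly entered pass phrase is remembered for the following files, a wrong entry is detected and the dialog repeated, and at the end the remembered pass phrases are overwritten in memory. ScriptedDialog stands in for `SSLPassPhraseDialog builtin' or `exec:/path/to/program'; the key files, server names and pass phrases are constructed for the example, and key_opens_with() replaces the SSLeay decryption of the PEM file.

```python
class ScriptedDialog:
    """Stand-in for the pass phrase dialog: answers prompts from a fixed list
    (constructed for this example) and counts how often it was asked."""
    def __init__(self, answers):
        self.answers = list(answers)
        self.prompts = 0

    def __call__(self, server):
        self.prompts += 1
        if not self.answers:
            raise RuntimeError("no more answers for %s" % server)
        return self.answers.pop(0)


def key_opens_with(keyfile, passphrase):
    """Stand-in for decrypting the PEM file with SSLeay: the constructed key
    file simply records the pass phrase it was encrypted with (None = plain)."""
    return (keyfile.get("passphrase") is not None
            and keyfile["passphrase"].encode("utf-8") == bytes(passphrase))


def load_private_keys(keyfiles, dialog, max_tries=3):
    """Unlock every key file and return the names of the unlocked keys.

    Known pass phrases are tried on each file before the dialog is used, so
    N files sharing one pass phrase cost one prompt; N different pass phrases
    cost N prompts.  The remembered pass phrases are zeroed before returning
    (bytearrays are used so the wipe actually overwrites the memory)."""
    known = []
    unlocked = []
    try:
        for kf in keyfiles:
            if kf.get("passphrase") is None:            # unencrypted: nothing to ask
                unlocked.append(kf["name"])
                continue
            if any(key_opens_with(kf, pp) for pp in known):
                unlocked.append(kf["name"])             # reused, no dialog
                continue
            for _ in range(max_tries):
                candidate = bytearray(dialog(kf["server"]), "utf-8")
                if key_opens_with(kf, candidate):
                    known.append(candidate)             # remember for the next round
                    unlocked.append(kf["name"])
                    break
                candidate[:] = b"\0" * len(candidate)   # wrong pass phrase: discard
            else:
                raise RuntimeError("could not unlock %s" % kf["name"])
    finally:
        for pp in known:                                # step 3: wipe from memory
            pp[:] = b"\0" * len(pp)
        del known[:]
    return unlocked


# Constructed key files: two share a pass phrase, one differs, one is plain.
SAMPLE_KEYFILES = [
    {"name": "ssl.key/www.key", "server": "www.example.com:443", "passphrase": "alpha"},
    {"name": "ssl.key/mail.key", "server": "mail.example.com:443", "passphrase": "alpha"},
    {"name": "ssl.key/dev.key", "server": "dev.example.com:8443", "passphrase": "gamma"},
    {"name": "ssl.key/plain.key", "server": "plain.example.com:443", "passphrase": None},
]
```

With SAMPLE_KEYFILES and the answers "alpha", "wrong", "gamma" the dialog is opened three times: once for www.key, not at all for mail.key (alpha is reused), and twice for dev.key because the first answer is rejected.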
*) Beside the per-directory and per-server context configurations
we now use a per-module global configuration pool which survives both
the Apache API 2nd init round and server restarts. This is done by using
its own permanent memory sub-pool. The idea for this tricky approach
came from Philip Gwyn. This global configuration pool now holds
_all_ previous global variables (ssl_g_xxx). This way mod_ssl now uses
only a single global variable.
*) Added ssl_engine_ds.c source which contains new data structures (array
and table) which are based on Apache's API arrays but can contain
arbitrary data (important especially for the tables).
*) Removed all explicit ap_clear_pool() calls which are no longer
necessary because we already got rid of the gcache stuff
which required it.
*) Moved all pass phrase handling stuff into its own source file
ssl_engine_pphrase.c.
*) Now the error messages which are duplicated to the general
Apache error logfile are prefixed with "mod_ssl:" there to
indicate from where they come.
*) Forward-port from 2.0.6: Added RSAref support for the US-citizens:
mod_ssl now automatically recognizes an SSLeay compiled with -DRSAref,
automatically finds libRSAglue and librsaref.a or rsaref.a.
Additionally beside SSL_BASE now the variable RSA_BASE can be used to
select a particular RSAref source tree (if not installed under system
locations). This way mod_ssl provides out-of-the-box support for
SSLeay+RSAref.
*) Changed SSLSessionCacheDefault from 0 (none) to a reasonable
300s default.
*) The socket connection message in the SSL Engine logfile now
also displays the Cipher keysizes for even more information
about the connection.
Changes with mod_ssl 2.1b0 (17-Aug-1998 to 26-Aug-1998)
*) Added a few files to the distribution: First my PGP public key as
ssl.contrib/rse.pgp to the distribution so people can use it on
forthcoming releases to verify the tarball's signature. Second the files
WISHES and TODO which contain the mod_ssl wishlist and the ToDo-list for
2.1.0.
*) Finally fixed the SSL connection deallocation and removed the old
FREE_SESSION stuff.
*) Added support for annotating SSLeay error messages. Now some
of the raw-level SSLeay error messages are automatically annotated with
high-level hints. For instance the meaningless message
``error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt'' now reads ``...routines:EVP_DecryptFinal:bad decrypt [Hint:
wrong pass phrase!?]'' etc.
*) Removed ERR_load_crypto_strings() call because it's already contained in
SSL_load_error_string() from SSLeay 0.8 and 0.9. Additionally now a
ERR_clear_error() is done after each logfile entry was written to make
sure no unread SSLeay errors are kept and occur with later messages
(where they would confuse people).
*) Renamed `SSLLogFile' to `SSLLog' because it isn't always a file,
it also can have an argument "|/path/to/filter" and act as
a reliable pipe to a logging filter program.
*) Renamed the `SSLRequiredCiphers' directive to `SSLCipherSuite'
because the Apache-SSL directive name `SSLRequiredCiphers' was a complete
misnomer. First, it was always confused with the per-directory
context directive `SSLRequireCipher'. And second, it does not set ciphers
which are all `required'. It just sets the ciphers the client is
permitted to negotiate (the client actually chooses only _one_ cipher).
*) Added SSLMutex for mutual exclusion of server process operations.
This is currently used only for synchronizing access to the new Session
Cache stuff. Three variants can be configured: `SSLMutex none' (no mutex
at all - works but risky), `SSLMutex file:/path/to/lockfile' (portable)
and `SSLMutex ipcsem' (elegant but not portable).
*) Moved the backward compatibility stuff into its own module:
mod_sslcompat. This module now already provides configuration directive
compatibility for both Apache-SSL and Sioux. More (Stronghold?) can be
added later, too. Additionally a mod_sslcompat.html document was written
which describes the provided configuration directive mapping.
*) Split the mod_ssl sources from its large 70KB file into smaller chunks,
which are now mainly named according to the logical modules they contain.
This way the source inside src/modules/ssl/ is easier to overview. Just
one minor drawback: We lose a lot of nice `static' and have to prefix
really _all_ functions with `ssl_' now.
*) Replaced the gcache stuff from Apache-SSL days with a simpler
but even more flexible approach. Now the new
`SSLSessionCache' directive replaces `SSLCacheServerPath' and
`SSLCacheServerPort'. The SSLSessionCacheTimeout remains and has the
old semantics. So, where is the difference? The old gcache stuff was
like this: An extra process (ssl_gcache) was running in parallel to the
httpd server processes and listening to a socket. Through SSLeay
callbacks the internal SSLeay caches of all server processes were synced
with this global cache. For this socket connections were established.
The drawbacks of this approach were:
1. The nasty fiddling with the extra child process was totally buggy
2. The gcache program itself used another local memory cache. This
was totally unnecessary because SSLeay already caches the stuff in a
local memory cache. So, under Apache-SSL three cache layers were used
(1: SSLeay internal, 2: gcache internal, 3: gcache external) while
layer 2 is not needed.
So the intent now was to replace this with a better solution. The idea
came from Stronghold: We either cache the information never (the
default), in a hashfile on the local disk (the portable variant -
already implemented) or even in a hash structure inside a shared memory
segment (non-portable, but fast and elegant - still not implemented,
only stubs were created to plug this in later).
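The hashfile variant together with the SSLSessionCacheTimeout semantics, as an added Python sketch that is not mod_ssl's DBM code: sessions are stored in an on-disk hash file shared by all server processes, each record carries its own expiry time computed from the storage time plus the timeout, a lookup past that time drops the record instead of returning it, and expire() sweeps the whole file. The record layout, the class and method names, the session ids and the timestamps in demo() are all constructed for this example; the 300s default is the one the entries above mention.

```python
import dbm.dumb
import os
import struct
import tempfile


class DbmSessionCache:
    """Inter-process SSL session cache in a hash file on local disk.

    Record layout (an assumption for this example): 4-byte big-endian expiry
    time followed by the opaque serialized session.  Processes share the file,
    so the caller is expected to hold the SSLMutex around store/lookup."""

    def __init__(self, path, timeout=300):
        self.path = path            # hash file path, e.g. `SSLSessionCache dbm:...'
        self.timeout = timeout      # SSLSessionCacheTimeout in seconds

    def store(self, sess_id, sess_data, now):
        expiry = int(now) + self.timeout        # counted from the time of storage
        with dbm.dumb.open(self.path, "c") as db:
            db[sess_id] = struct.pack(">I", expiry) + sess_data

    def lookup(self, sess_id, now):
        """Return the session bytes, or None if unknown or already expired.
        An expired record is deleted so it can never be resumed later."""
        with dbm.dumb.open(self.path, "c") as db:
            rec = db.get(sess_id)
            if rec is None:
                return None
            (expiry,) = struct.unpack(">I", rec[:4])
            if expiry <= now:
                del db[sess_id]
                return None
            return rec[4:]

    def expire(self, now):
        """Sweep all expired records; returns how many were removed."""
        removed = 0
        with dbm.dumb.open(self.path, "c") as db:
            for key in list(db.keys()):
                (expiry,) = struct.unpack(">I", db[key][:4])
                if expiry <= now:
                    del db[key]
                    removed += 1
        return removed


def demo():
    """Constructed walk-through with fixed timestamps instead of time.time()."""
    cache = DbmSessionCache(os.path.join(tempfile.mkdtemp(), "ssl_scache"), timeout=300)
    cache.store(b"sess1", b"<serialized session 1>", now=1000)   # expires at 1300
    cache.store(b"sess2", b"<serialized session 2>", now=1100)   # expires at 1400
    hit = cache.lookup(b"sess1", now=1200)      # 1200 < 1300: resumable
    miss = cache.lookup(b"sess1", now=1300)     # 1300 >= 1300: expired and dropped
    swept = cache.expire(now=1500)              # only sess2 is left and is expired
    return hit, miss, swept
```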
*) CORRECTLY SOLVE THE PASS PHRASE DIALOG PROBLEM (the problem is that
Apache detaches from the terminal before the SSLeay pass phrase dialog
pops up). First I got rid of the ugly and unsuccessful filedescriptor
hacks Ben added recently to Apache-SSL because they do not work under
all platforms as expected. Second I re-ordered the control flow to allow
the following processing:
Now at the 1st round of the Apache API init cycle the servers are
scanned for certificate and key files and the first one which uses an
encrypted key forces the pass phrase dialog to pop up. This dialog is
either an interactive builtin terminal dialog (`SSLPassPhraseDialog
builtin' - which is similar to SSLeay default dialog) or can be driven
in batch by a filtering program which is run once and has to provide the
pass phrase on stdout (`SSLPassPhraseDialog /path/to/program'). After
this the pass phrase is _temporarily_ stored in memory for use later in
the 2nd round of the Apache API init cycle. Now additionally this pass
phrase can be kept in memory (`SSLPassPhraseCaching on') for forthcoming
server restarts (`kill -HUP') or is explicitly wiped out from memory
(`SSLPassPhraseCaching off' - for the paranoid users).
The following combinations are possible:
1. THE SMART DEFAULT VARIANT:
`SSLPassPhraseDialog builtin' + `SSLPassPhraseCaching on':
This is the default which is reasonable for most of the users. This
way on Apache startup time the pass phrase is requested on the
terminal but kept in memory for all forthcoming restarts.
2. THE THEORY VARIANT:
`SSLPassPhraseDialog builtin' + `SSLPassPhraseCaching off':
This combination leads to a server fall-down on any occurring restarts
because the terminal dialog _cannot_ be done at restart time (Apache
is already detached). So, this combination is only interesting in
theory but should be avoided because it's not really useful in
practice.
3. THE BATCH VARIANT:
`SSLPassPhraseDialog /path/to/program' + `SSLPassPhraseCaching on':
This is for users who want to remote control the Apache startup or
make it automatic by controlling the dialog from within a program.
This program is run only once at startup. Then the pass phrase is
kept in memory for forthcoming restarts.
4. THE PARANOIA VARIANT:
`SSLPassPhraseDialog /path/to/program' + `SSLPassPhraseCaching off':
This is for the really paranoid users who want to avoid any pass phrase
caching. Instead both on startup and restart time the pass phrase has
to be provided by an external program.
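The batch and paranoia variants above rely on two things: a program that prints the pass phrase on stdout, and the pass phrase being wiped from memory after each init round when caching is off. The following C code is an added example for this CHANGES entry and is not mod_ssl code; the names passphrase_from_program(), passphrase_get(), passphrase_done() and demo_rounds(), the run counter and the one-line-on-stdout protocol are assumptions made for the example, and the `echo' command in the usage note below is a stand-in for a real SSLPassPhraseDialog program.

```c
/* Added example, not mod_ssl's own code: driving the pass phrase dialog in
 * batch (`SSLPassPhraseDialog /path/to/program') and honouring
 * `SSLPassPhraseCaching on|off' across init rounds.  The function names,
 * the struct and the run counter are assumptions made for this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define PASSPHRASE_MAX 256

static int g_program_runs;      /* how often the dialog program was executed */

/* Run the program once and take the first line of its stdout as the pass
 * phrase, without the line terminator.  Returns its length or -1 on failure. */
static int passphrase_from_program(const char *program, char *buf, size_t buflen)
{
    FILE *fp = popen(program, "r");
    if (fp == NULL)
        return -1;
    g_program_runs++;
    if (fgets(buf, (int)buflen, fp) == NULL) {
        pclose(fp);
        buf[0] = '\0';
        return -1;
    }
    pclose(fp);
    buf[strcspn(buf, "\r\n")] = '\0';
    return (int)strlen(buf);
}

/* Overwrite a pass phrase buffer; the volatile pointer keeps the compiler
 * from dropping the stores as dead code. */
static void passphrase_wipe(char *buf, size_t buflen)
{
    volatile char *p = (volatile char *)buf;
    while (buflen--)
        *p++ = 0;
}

struct passphrase_ctx {
    const char *program;                /* SSLPassPhraseDialog program       */
    int         caching;                /* SSLPassPhraseCaching on=1 / off=0 */
    int         have_cached;
    char        cached[PASSPHRASE_MAX]; /* survives restarts only if caching */
};

/* Obtain the pass phrase for one init round (startup or `kill -HUP'). */
static int passphrase_get(struct passphrase_ctx *ctx, char *out, size_t outlen)
{
    int n;
    if (ctx->caching && ctx->have_cached) {
        strncpy(out, ctx->cached, outlen - 1);
        out[outlen - 1] = '\0';
        return (int)strlen(out);
    }
    n = passphrase_from_program(ctx->program, out, outlen);
    if (n >= 0 && ctx->caching) {
        strncpy(ctx->cached, out, sizeof ctx->cached - 1);
        ctx->cached[sizeof ctx->cached - 1] = '\0';
        ctx->have_cached = 1;
    }
    return n;
}

/* Called once the keys of this round are loaded: the working copy never
 * survives, the cached copy only with caching on. */
static void passphrase_done(struct passphrase_ctx *ctx, char *out, size_t outlen)
{
    passphrase_wipe(out, outlen);
    if (!ctx->caching) {
        passphrase_wipe(ctx->cached, sizeof ctx->cached);
        ctx->have_cached = 0;
    }
}

/* Simulate `rounds' init rounds.  Returns how often the program was run
 * (1 with caching on, `rounds' with caching off), or -1 if a round did not
 * yield `expected' or the working copy was not wiped afterwards. */
static int demo_rounds(const char *program, const char *expected, int caching, int rounds)
{
    struct passphrase_ctx ctx;
    char buf[PASSPHRASE_MAX];
    int r;

    memset(&ctx, 0, sizeof ctx);
    ctx.program = program;
    ctx.caching = caching;
    g_program_runs = 0;
    for (r = 0; r < rounds; r++) {
        if (passphrase_get(&ctx, buf, sizeof buf) < 0 || strcmp(buf, expected) != 0)
            return -1;
        passphrase_done(&ctx, buf, sizeof buf);
        if (buf[0] != '\0' || (!caching && ctx.have_cached))
            return -1;
    }
    return g_program_runs;
}
```

demo_rounds("echo hunter2", "hunter2", 1, 3) runs the program once and serves the two following restarts from the cache (the batch variant); with caching set to 0 it runs the program three times and leaves no copy in memory between rounds (the paranoia variant). A real dialog program would of course not echo a constant; the point is that the program is the only place the pass phrase ever originates, and that with caching off nothing but the program can reproduce it.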
*) The SSL logfile is now placed in the main server instead of the virtual
host because it's actually a global logfile, even when it could be used
only inside a virtual server.
*) The expensive operation of generating the temporary RSA key is now done
before Apache forks the server processes. This speeds up the startup
phase a little bit.
*) Added new SSLCACertificateReqFile directive which defaults to the value
of SSLCACertificateFile. It sets the all-in-one file where one can
assemble the Certificates of Certification Authorities (CA) whose
servers you deal with. These are optionally used by the clients for
SSLv3 Server Authentication to speedup processing. The file is requested
by the client via the "SSLv3 write certificate request A" for loading
intermediate CA certificates in the certificate chain (only SSLv3). It
is simply the concatenation of the various PEM-encoded certification
files, in order of preference.
*) Inlined some functions like init_SSLeay() and init_VerifyType() because
they were really small functions and only used once in mod_ssl. These
were stand-alone functions in Apache-SSL without real need.
*) Made `SSLEnable'/`SSLDisable' directives obsolete by adding the simpler
`SSLEngine on|off'. The old directives are now deprecated but still can
be used for backward-compatibility with Apache-SSL. Additionally the
default is now `SSLEngine off' (formerly `SSLDisable') instead of the
Apache-SSL default of `SSLEngine on'. This breaks a little bit with
Apache-SSL semantics, but doesn't hurt as much as it sounds. Because
people run SSL inside virtual hosts and thus already have a SSLDisable
in their main (non-SSL) server. The difference is just that with mod_ssl
one no longer has to add SSLDisable to all non-SSL virtual hosts (which
is nasty). OTOH SSL is an additional feature, so the logic of "disabled
per default and have to be enabled explicitly" is more useful and what is
expected.
*) The "SSL rubbish logfile" of Apache-SSL was now replaced by real
dedicated SSL logfile which contains no longer "rubbish". For this the
logging mechanism in mod_ssl was completely re-written from scratch and
now looks like this:
1. `SSLLogFile <file>' is optional
2. `SSLLogFile /dev/null' disables the logging _without_ overheads
3. `SSLLogLevel <level>' controls the degree of verbosity in SSLLogFile
4. `SSLLogLevel none' disables the logging _without_ overheads and is the
default.
5. Log messages of type `error' are _always_ duplicated to
the Apache general error logfile, even under `SSLLogLevel none'.
6. The maximum logging can be now achieved by using `SSLLogLevel debug'.
Additionally obsolete logging stuff from Apache-SSL was removed from the
source code. Finally the logfiles in the provided default config were
changed: ssl_log is now the dedicated SSL protocol logfile (SSLLogFile)
while the custom logfile (CustomLog) containing only one line per
request is now named ssl_req_log.
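As an added example (not mod_ssl's own ssl_log() code) of the six rules listed above, the following C code routes a message of a given level the way the list describes: errors always reach the general error log, and anything reaches the SSL logfile only when one is configured, it is not /dev/null, and the SSLLogLevel admits the message. The struct ssl_logger, demo_destinations() and the in-memory buffers standing in for the two logfiles are assumptions made for the example; the level names follow SSLLogLevel (none, error, warn, info, trace, debug), of which only none, error and debug are named in this entry.

```c
/* Added example, not mod_ssl's ssl_log(): the dispatch rules for SSLLogFile
 * and SSLLogLevel, with in-memory buffers standing in for the SSL logfile
 * and Apache's general error_log.  Struct and helpers are assumptions. */
#include <stdio.h>
#include <string.h>

enum ssl_loglevel { SSL_LOG_NONE = 0, SSL_LOG_ERROR, SSL_LOG_WARN,
                    SSL_LOG_INFO, SSL_LOG_TRACE, SSL_LOG_DEBUG };

struct ssl_logger {
    const char        *logfile;     /* SSLLogFile, NULL if not configured   */
    enum ssl_loglevel  level;       /* SSLLogLevel                          */
    char ssl_log[512];              /* stands in for the SSLLogFile         */
    char error_log[512];            /* stands in for the general error_log  */
};

/* Rules 1, 2 and 4: no file, /dev/null or `none' means no SSL logging at
 * all, decided once here rather than by writing into /dev/null. */
static int ssl_log_enabled(const struct ssl_logger *lg)
{
    return lg->logfile != NULL && strcmp(lg->logfile, "/dev/null") != 0
           && lg->level != SSL_LOG_NONE;
}

static void append_line(char *dst, size_t cap, const char *prefix, const char *msg)
{
    size_t used = strlen(dst);
    if (used < cap)
        snprintf(dst + used, cap - used, "%s%s\n", prefix, msg);
}

/* Returns how many logfiles the message went to (0, 1 or 2). */
static int ssl_log(struct ssl_logger *lg, enum ssl_loglevel lvl, const char *msg)
{
    int n = 0;
    if (lvl == SSL_LOG_ERROR) {                    /* rule 5: always duplicated */
        append_line(lg->error_log, sizeof lg->error_log, "mod_ssl: ", msg);
        n++;
    }
    if (ssl_log_enabled(lg) && lvl <= lg->level) { /* rules 3 and 6 */
        append_line(lg->ssl_log, sizeof lg->ssl_log, "[ssl] ", msg);
        n++;
    }
    return n;
}

/* Configure a logger, log one message of level `lvl' and report how many
 * destinations it reached. */
static int demo_destinations(const char *logfile, enum ssl_loglevel configured,
                             enum ssl_loglevel lvl)
{
    struct ssl_logger lg;
    memset(&lg, 0, sizeof lg);
    lg.logfile = logfile;
    lg.level = configured;
    return ssl_log(&lg, lvl, "sample message");
}
```

With no SSLLogFile and SSLLogLevel none an error still lands in the general error log (one destination) while a warning goes nowhere; with `SSLLogFile /dev/null' even `SSLLogLevel debug' writes nothing to the SSL log; with a real file and `SSLLogLevel info' a debug message is dropped, a warning goes to the SSL log only, and an error goes to both.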
____ ___
|___ \ / _ \
__) || | | |
/ __/ | |_| |
___ |_____(_)___/ __________________________________________
Changes with mod_ssl 2.0.16 (07-Nov-1998 to 09-Nov-1998)
*) Fixed documentation: SSLRequireSSL can be used in .htaccess
files when the `FileInfo' context is enabled for it.
*) Revised my recent RSAref fix to INSTALL file a little bit.
*) Backport of an Apache-SSL bugfix:
Fix file-descriptor leak for stderr.
Changes with mod_ssl 2.0.15 (01-Nov-1998 to 07-Nov-1998)
*) Fixed some long-standing inconsistencies in mod_ssl.html
*) Now SSLVerifyDepth defaults to 1 and this means the client certificate
has to be signed directly by the root CA. The verify depth now is the
max number of CAs which are checked: 0 = self-signed only, 1 =
self-signed or signed by root-CA, 2 = signed by root-CA or signed by a
CA which is signed by the root-CA, etc.
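An added example in C, not mod_ssl code, of what the SSLVerifyDepth count in the entry above means: a certificate is modelled as a (subject, issuer) name pair, the client-supplied chain and the trust store are constructed arrays, and a self-signed certificate is only accepted when it is itself in the trust store (the usual SSLeay/OpenSSL rule; `SSLVerifyClient optional_no_ca' is not modelled). chain_depth(), demo_depth() and demo_accept() are helpers invented for the example.

```c
/* Added example, not mod_ssl's own code: what SSLVerifyDepth counts.  A
 * certificate is modelled as a (subject, issuer) name pair, the trust store
 * as a list of self-signed roots, and all names are constructed here. */
#include <string.h>

struct cert {
    const char *subject;
    const char *issuer;
};

/* Constructed trust store (SSLCACertificateFile) and client-supplied chain. */
static const struct cert trusted_roots[] = {
    { "Snake Oil CA", "Snake Oil CA" },
};
static const struct cert client_chain[] = {
    { "Snake Oil Sub CA", "Snake Oil CA" },      /* intermediate CA          */
    { "alice", "Snake Oil Sub CA" },             /* needs SSLVerifyDepth 2   */
    { "bob",   "Snake Oil CA" },                 /* needs SSLVerifyDepth 1   */
    { "carol", "carol" },                        /* self-signed, not trusted */
    { "dave",  "Unknown CA" },                   /* issuer not available     */
};
#define NELEMS(a) ((int)(sizeof(a) / sizeof((a)[0])))

static const struct cert *find_by_subject(const struct cert *certs, int n,
                                          const char *name)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(certs[i].subject, name) == 0)
            return &certs[i];
    return NULL;
}

/* Number of issuer hops from `leaf' up to a trusted self-signed root:
 * 0 = the leaf is a trusted self-signed cert, 1 = issued directly by a root
 * CA, 2 = issued by a CA which the root signed, ...; -1 = the chain cannot
 * be completed from the supplied chain plus the trust store. */
static int chain_depth(const struct cert *leaf)
{
    const struct cert *c = leaf;
    int depth;
    /* bounded loop: a real chain is never longer than everything we know */
    for (depth = 0; depth <= NELEMS(client_chain) + NELEMS(trusted_roots); depth++) {
        const struct cert *issuer;
        if (strcmp(c->subject, c->issuer) == 0)   /* self-signed: must be trusted */
            return find_by_subject(trusted_roots, NELEMS(trusted_roots),
                                   c->subject) ? depth : -1;
        issuer = find_by_subject(client_chain, NELEMS(client_chain), c->issuer);
        if (issuer == NULL)
            issuer = find_by_subject(trusted_roots, NELEMS(trusted_roots), c->issuer);
        if (issuer == NULL)
            return -1;
        c = issuer;
    }
    return -1;
}

/* Depth of the certificate named `subject' (looked up in chain, then roots). */
static int demo_depth(const char *subject)
{
    const struct cert *leaf = find_by_subject(client_chain, NELEMS(client_chain), subject);
    if (leaf == NULL)
        leaf = find_by_subject(trusted_roots, NELEMS(trusted_roots), subject);
    return leaf ? chain_depth(leaf) : -1;
}

/* 1 if the client cert named `subject' is accepted under `SSLVerifyDepth N'. */
static int demo_accept(const char *subject, int ssl_verify_depth)
{
    int d = demo_depth(subject);
    return d >= 0 && d <= ssl_verify_depth;
}
```

With the new default of 1, bob (signed directly by the Snake Oil CA) is accepted but alice (signed by an intermediate) needs `SSLVerifyDepth 2'; carol's self-signed cert fails at any depth because it is not in the trust store, which is exactly the case the 0 setting is meant to admit only for certificates that are.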
*) Now SSLSessionCacheTime defaults to 300s.
*) Fixed RSAref instructions in INSTALL file and added more support for
implicitly finding the RSA_BASE to the libssl.module script.
*) Backport from 2.1 branch:
Now under `make certificate' an interactive prompt is given which asks
whether the private key should be encrypted (the default) or not. This
way it's a little bit easier to setup test servers, at least for me ;-)
*) Fixed SSLRequiredCiphers: The server configuration entry wasn't
correctly merged internally which led to the effect that it got
ignored.
Changes with mod_ssl 2.0.14 (09-Oct-1998 to 01-Nov-1998)
*) Backport from 2.1 branch:
Renamed snakeoil.{crt,key} to snakeoil-ca.{crt,key} and created a real
dummy server certificate/key pair as snakeoil.{crt,key} which is now
used under `make certificate TYPE=dummy'. This fixes the problem which
recently occurred where Netscape rejected the dummy certificates because
they had the CA flag set.
*) Upgraded to included Thawte Strong Extranet sources (ssl.contrib/sxnet/)
from version 1.2.2 to the current 1.2.3.
*) Backport from Apache-SSL:
Incorporation of recent Base64 (uuencode) encoding bugfixes.
*) Backport from 2.1 branch:
Fixed the "SSLVerifyType optional_no_ca" situation: The situation
has to be checked against more SSLeay errors, because under SSLv3
certificate chain loading leads to the presentation of the client CA
certs, too. Here SSLeay gives different errors.
*) Fixed documentation of SSL_CLIENT_I<x509> and SSL_SERVER_I<x509>
environment variables.
*) Fixed mod_proxy source for the situation where
no --enable-module=ssl is used.
*) Make sure the stand-alone ssl_gcache program compiles
correctly even under SunOS where no strerror() exists.
*) Backport from 2.1 branch:
Fix "uchar" redefinition problem under AIX.
Changes with mod_ssl 2.0.13 (02-Oct-1998 to 09-Oct-1998)
*) Fixed some more race conditions in ssl_gcache, cleaned
up the error logging and namespace in ssl_gcache.
*) Adopted the SIGPIPE handling patch from Apache-SSL 1.27
*) Recreated the Snake Oil CA certificate: it's now a X.509 v3
certificate with the CA flag set and pathlen 0.
*) With special permission from Dr Stephen N. Henson his excellent ca-fix
program was now added to src/support/ and is used by
src/support/mkcert.sh (`make certificate') to fixup the generated
certificates. Especially X.509 v3 certificates can be now generated
where nsCertType and CA pathlen is correctly set. Additionally `ssleay
verify' and `ssleay ... -modulus' checks are performed to make sure the
generated certificates are valid.
*) Upgraded to Apache 1.3.3.
*) Fixed again some RSAref hints in the INSTALL file.
*) Fixed `SSLLogFile /dev/null' situation: it now works as expected: No
logging is done. But not by writing to /dev/null. Instead no logging at
all is done, of course.
Changes with mod_ssl 2.0.12 (23-Sep-1998 to 02-Oct-1998)
*) Cleaned up gcache stuff again and fixed a few problematic things
by adding extra runtime checks. Now gcache should no longer dump core.
At least I've now found no more bug...
*) Changed gcache communication from TCP-sockets to Unix domain
sockets in default configuration (httpd.conf-dist), because
this is more reliable and safe.
*) Incorporated reasonable change from Apache-SSL 1.25:
Allow up to three retries at the pass phrase prompt.
[The other main change in Apache-SSL 1.25 (the client cert export via
env variables) is intentionally not taken over for mod_ssl because of
three reasons: 1. it's a too large patch which is not acceptable for the
stable mod_ssl 2.0 branch; 2. it still has some flaws Ben is still
fixing for 1.26; 3. I'm still not convinced that providing complete
Base64 encoded certs (greater than 1KB) via a set of environment
variables is really reasonable (because of performance and system
resource limits). Instead I'm still looking for a real on-demand
solution, but for mod_ssl 2.1, of course.]
*) Backport from 2.1 branch:
Added a --force option to mod_ssl's configure script to let developers
apply mod_ssl also to different Apache versions (especially 1.3.x-dev
versions).
*) Fixed portability problems with prop.sh aux script.
*) Fixed gcache expiring: A static variable was not initialized.
*) Fixed a few inconsistencies in the mod_ssl.html document.
*) Fixed RSAref installation instructions in INSTALL file and a little bug
in libssl.module which caused problems for RSAref installations, too.
*) Fixed mod_perl part in INSTALL file.
*) Changed some Apache-SSL wordings in mod_ssl.html on request
by Ben Laurie.
Changes with mod_ssl 2.0.11 (17-Sep-1998 to 23-Sep-1998)
*) Upgrade from Apache 1.3.1 to Apache 1.3.2
*) Back-port from 2.1:
Enhanced the ssl.crt/Makefile: now <hash>.N extensions are
created when conflicts occur and not only <hash>.0
*) Changed HTTPS support in mod_proxy: the ap_proxy_http_handler() function
is (illegally, because of DSO, of course) called directly by third-party
modules (like Apache::Proxy). So make sure we don't change the
signature of this function.
*) Added answer to FAQ `Why is client auth broken after upgrading from
SSLeay 0.8 to 0.9'. Because of the changed hash algorithm used for the
symlinks.
*) Now when `make certificate TYPE=custom' is used the generated
ca.crt/ca.key files are installed, too.
*) Make sure mkcert.sh removes temporary files after work.
*) Enhanced the INSTALL file: Now an example section describes the
installation with mod_perl and PHP3. Beside this some bugs were fixed
and some more NOTEs were added.
Changes with mod_ssl 2.0.10 (13-Sep-1998 to 17-Sep-1998)
*) Temporarily added a fix from 1.3.2-dev for APACI's configure script to
allow the `Group' directive to be adjusted correctly even on Linux
boxes. Without this Linux users always have to fix the `Group' directive
manually which is nasty.
*) Added checks to APACI to automatically disable DSO for mod_proxy and
mod_log_config when SSL is used (because they have to be built against
SSLeay which is not supported in Apache 1.3.1). But we allow the user to
explicitly use --enable-shared=.., but then at least he gets a warning.
This way we protect the average user but don't hurt the experts.
Especially with Apache 1.3.2 the experts want to use
--enable-rule=SHARED_CHAIN for linking the DSO's against SSLeay.
*) Make the SSL_HOOK_SetupConnection a little bit more robust.
*) Avoid confusing "unable to load 'random state'" messages
from `ssleay genrsa' command.
*) Renamed `aux' directory to `etc' because `aux' is a special name under
Windows filesystems (and people at least wanted to extract the stuff
under Windows).
*) Fix top-level Makefile.tmpl: replace `make' with `$(MAKE)'
and grep out SSL_PROGRAM variable from src/Makefile.config directly
(instead of running a subtarget) to avoid problems with Make output
messages. This especially fixed the `make install' problems under Linux
platforms (where GNU Make is used which gives nasty messages).
*) Update INSTALL file: Use apachectl and add hint to
the Apache general error logfile.
*) Allow ServerRoot relative path for SSLCertificateFile.
Changes with mod_ssl 2.0.9 (12-Sep-1998 to 13-Sep-1998)
*) Portability fixes: The ssl.crt/Makefile didn't work on
all platforms because of braindead shells and the mkcert.sh script
failed to use /dev/random because this device doesn't work as expected
on some platforms.
Changes with mod_ssl 2.0.8 (09-Sep-1998 to 12-Sep-1998)
*) Make the whole build process (including `make certificate')
independent of any installed ssleay.cnf file (some systems have it in
non-standard locations and we don't need it any longer at all).
*) Added Thawte's Strong Extranet module (mod_sxnet.c) to
the ssl.contrib area. This module can be used together
with mod_ssl.
*) Fixed hash symlink generation under `make certificate'
and `make install' for the cases where `ssleay' is not in $PATH.
*) Fixed INSTALL document: rsaref.a has to be copied to librsaref.a
*) Added more information to the mod_ssl.html file about the
SSLCACertificateFile: It's also used implicitly for the "SSLv3 write
certificate request A" where its contents are sent to the client to
enable him to verify a possible issuer chain on the server certificate.
*) Fixed a few bugs in the new mkcert.sh script, enhanced its
dialogs and added a lot of error checks.
Changes with mod_ssl 2.0.7 (29-Aug-1998 to 09-Sep-1998)
*) Changed the <VirtualHost> example in the conf/httpd.conf-dist
file so it now uses _default_ instead of the server name. This is more
portable and totally sufficient for our default configuration where
only one virtual host is present.
*) Backport from 2.1b branch: Now the mod_ssl `configure' script creates a
`config.status' script as APACI does. This can be used for
re-configuring mod_ssl the same way one does it for Apache.
*) Backport from 2.1b branch: Added the first cut of HTTPS support for the
proxy module. This is currently done by making the generic HTTP handler
SSL-aware. But it still doesn't provide support for client or server
authentication nor does it provide a way to configure it. Later we'll
add perhaps SSLProxyXXXXX directives to allow the users to configure the
SSL client inside the proxy. But beside this it's fully functional. One
can use it for proxying https://xxx URLs and also use `ProxyPass
https://xxxx'. (the sources of SSLeay's s_client and cURL were my
friends ;-)
*) In order to
- reduce the confusion with sslcerts/server.pem and sslkeys/server.pem
- provide less-problematic non-self-signed certificates on `make certificate'
- prepare for mod_ssl 2.1 and the forthcoming client auth & CA scripts
the following cleanups were done:
1. The files for the SSL certificate system are now stored in the
following three subdirs of the configuration directory:
ssl.crt/ ...... contains the X.509 certificate(s)
ssl.csr/ ...... contains the X.509 certificate signing request(s)
ssl.key/ ...... contains the RSA private key(s)
Each directory contains a README file which describes the purpose and
the contents.
2. A ssl.crt/snakeoil.crt and ssl.key/snakeoil.key demo CA certificate
and key is distributed with mod_ssl which is used to sign the test
certificates the `make certificate' target creates. This avoids the
problems with MSIE users because MSIE doesn't like self-signed
server-certificates very well.
3. A ssl.crt/ca-bundle.crt is now installed (but not enabled!) which
contains all 33 CA root certificates of known public CAs. They were
extracted from Netscape Communicator 4.06 with my certbundle stuff.
4. The `make certificate' command now can create four types
of certificate setups:
$ make certificate TYPE=dummy (dummy self-signed Snake Oil cert)
$ make certificate TYPE=test (test cert signed by Snake Oil CA)
$ make certificate TYPE=custom (custom cert signed by own CA)
$ make certificate TYPE=existing (existing official cert)
CRT=/path/to/your.crt
[KEY=/path/to/your.key]
The default is TYPE=test which is equivalent to the old `make
certificate' with the exception that now the generated certificate is
no longer a self-signed one. This overview text is also now
displayed at build time. When KEY is missing it is assumed that
it's present in the file from CRT and is extracted from there.
5. For consistency with 4.) the mod_ssl configure script now
uses --with-crt=FILE and --with-key=FILE options. When
--with-key is missing it is assumed that it's present in
the file from --with-crt and is extracted from there.
*) Removed unnecessary DEBUG_XXXX stuff which gets replaced in
mod_ssl 2.1b with ssl_log().
*) Backport from 2.1b branch: Now on `make certificate' the hash symlinks
in conf/sslcerts/ are generated via the provided Makefile instead of
directly linking (which fails under some platforms).
*) Backport from 2.1b branch: The top-level APACI Makefile now gives a hint
for `apachectl start-SSL' (which internally uses the `httpd -DSSL'
command).
*) Backport from 2.1b branch: Replaced old kludges in mod_log_config.c
to determine SSL protocol name with the clean SSL_get_version() which
already exists in SSLeay 0.8 and 0.9. And removed a few unnecessary
local buffer usages in the mod_ssl-related code in mod_log_config.c.
*) Merge in changes from Apache-SSL 1.23 to 1.24: Cache private keys over
init rounds and restarts. This means you now can use encrypted private
key files (where pass phrases are needed to read them in) and both
survive the terminal detachment and the restart rounds of Apache. This
is achieved by using an own permanent memory pool which survives server
restarts and holds the private key files. Remember that this is _not_ a
backported full-featured pass phrase handling from mod_ssl 2.1b.
Instead it's exactly the easier handling from Apache-SSL 1.24. Because
the mod_ssl 2.1b pass phrase handling is too complex to be backported to
the 2.0 branch. At least it could lead to side-effects in 2.0 which I
want to avoid.
*) Fixed some pre-processor and variable declaration inconsistencies
which caused portability problems under some non-GCC compilers.
*) Minor correction to the README, SUPPORT, etc. files.
Changes with mod_ssl 2.0.6 (25-Aug-1998 to 29-Aug-1998)
*) Added RSAref support for the US-citizens: mod_ssl now automatically
recognizes an SSLeay compiled with -DRSAref, automatically finds
libRSAglue and librsaref.a or rsaref.a. Additionally beside SSL_BASE
now the variable RSA_BASE can be used to select a particular RSAref
source tree (if not installed under system locations). This way mod_ssl
provides out-of-the-box support for SSLeay+RSAref.
*) Back-port from 2.1: Replaced assert()ions with non-process-terminating
runtime checks and removed some unnecessary debugging stuff.
*) Back-port from 2.1: Finally fixed the SSL connection deallocation and
removed the old FREE_SESSION stuff by back-porting the change from the
2.1 track.
*) Added PGP public key as ssl.contrib/rse.pgp to the distribution
so people can use it on forthcoming releases to verify the tarballs
signature.
*) Taken over a change between Apache-SSL 1.22 and 1.23: Move the call for
launching the gcache program to a later point in processing.
*) Back-port from 2.1: Removed ERR_load_crypto_strings() call because it's
already contained in SSL_load_error_string() from SSLeay 0.8 and 0.9.
Changes with mod_ssl 2.0.5
*) Fix per-server configuration structure merging.
*) Added support for reliable piped logs to SSLLogFile directive which can
be used to plug-in a filter program which receives the logfile entries.
*) Removed per-server check for valid SSLVerifyClient argument because in
mod_ssl it's no longer possible that an invalid argument can exist at
run-time because the argument is already validated at config-time.
*) Removed DEBUG_SSLEAY stuff from Apache-SSL because SSL_debug() no
longer exists in SSLeay 0.9.x.
*) Added one more digit at the MOD_SSL define value to indicate beta or
release versions. The scheme now is the following (only important when
one has to check against the version of an SSL-aware Apache from within
one's own module): <version>.<revision><type><level> where <version>,
<revision> and <level> are numbers between 0 and 99 while <type> is
either `b' (for beta versions) or `.' (for release versions). From
this the MOD_SSL define is created similar to this command:
sprintf("%d%02d%d%02d", <version>, <revision>,
<type> == `b' ? 0 : 1, <level>);
As an example: the beta version 2.1b3 has MOD_SSL=201003 while
the release version 2.1.4 has MOD_SSL=201104.
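An added example in C (not the libssl.module script which really generates the define) of the MOD_SSL scheme above, showing both directions of the mapping and the plain integer comparison a third-party module does with `#if MOD_SSL >= ...'. The function names are assumptions made for this example; the 2.0.0 entry further down describes the earlier five-digit XYYZZ scheme which this six-digit one replaced.

```c
/* Added example, not mod_ssl's libssl.module script: the MOD_SSL numeric
 * version scheme <version>.<revision><type><level> -> VRRTLL, with the
 * type digit T = 0 for a beta and 1 for a release.  Function names are
 * assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>

static long mod_ssl_define(int version, int revision, char type, int level)
{
    char buf[16];
    snprintf(buf, sizeof buf, "%d%02d%d%02d",
             version, revision, type == 'b' ? 0 : 1, level);
    return strtol(buf, NULL, 10);
}

/* Parse a version string such as "2.1b3" or "2.1.4"; -1 if it is malformed
 * or a component leaves the 0..99 range the scheme reserves for it. */
static long mod_ssl_define_from_string(const char *s)
{
    int v, r, l;
    char t;
    if (sscanf(s, "%d.%d%c%d", &v, &r, &t, &l) != 4 || (t != 'b' && t != '.'))
        return -1;
    if (v < 0 || v > 99 || r < 0 || r > 99 || l < 0 || l > 99)
        return -1;
    return mod_ssl_define(v, r, t, l);
}

/* What `#if MOD_SSL >= ...' in a module amounts to: an integer compare which
 * orders every beta of a revision before that revision's releases. */
static int mod_ssl_at_least(long have, const char *wanted)
{
    long w = mod_ssl_define_from_string(wanted);
    return w >= 0 && have >= w;
}
```

Because the type digit sits between revision and level, 2.1b3 (201003) compares lower than 2.1.0 (201100), so a module that requires a released 2.1 feature can simply test MOD_SSL >= 201100 and all 2.1 betas are excluded.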
*) Fixed typos in mod_ssl.html document.
*) Fixed typos in mod_ssl.c source.
*) Created two buttons similar to the existing "Includes SSLeay
encryption software" button: One for Apache ("Powered by Apache
Webserver Software") and one for mod_ssl ("Secured by mod_ssl
Interface"). These are now put on the default frontdoor webpage at
install time.
*) Removed half done DSO-related stuff from Apache-SSL because it's
useless. Why? Because mod_ssl currently _cannot_ be build as a DSO,
because:
1. Because SSLeay is directly called from within Apache's buffer code
(SSL_write/SSL_read) because the Apache API lacks a hook for this.
But direct calls from the core to modules and libraries are taboo in a
DSO situation.
2. Because mod_ssl is directly called from within Apache's main loop
for setting up the SSL protocol after the socket connection was
established because the Apache API lacks a hook for this. But
direct calls from the core to modules and libraries are taboo in a
DSO situation.
3. Because the pass-phrase dialog can be done only before Apache
detaches from the terminal. But the general order is this:
a) ap_read_config (where LoadModule is done)
b) ap_init_modules (where mod_ssl can do the pass-phrase dialog)
c) detaching
d) ap_read_config (where DSOs are unloaded and reloaded)
e) ap_init_modules (where mod_ssl no longer can do the dialog)
When mod_ssl is not a DSO it can do the pass-phrase dialog in step
b), but when it's a DSO (assuming 1. and 2. are already solved) then
it cannot preserve information between b) and e) because it is
unloaded in the meantime.
So, for DSO the Apache kernel has to be bloated up with some more
features. Currently I want to avoid this because DSO is still not
really worth the effort (there are other things which can be improved in
mod_ssl first).
Changes with mod_ssl 2.0.4
*) Added VERSIONS file to the distribution which contains the
release date and version numbers for reference.
*) Make sure the server.pem certificate files in sysconfdir/sslcerts/ are
not overwritten on APACI re-installs. Now a message similar to other
existing APACI messages informs the user that his certificates are
preserved.
*) Added support for SSL_BASE=SYSTEM which means that SSLeay header files,
libraries, configuration and binary files were not searched under a
single SSL_BASE root. Instead they are searched inside the common system
directories like /etc/, /usr/etc, /lib, /usr/lib, /usr/local/lib,
/usr/include, etc. pp.
*) Replaced even more old Apache-SSL relicts to make mod_ssl really secure,
stable and robust: sprintf -> ap_snprintf, strcpy -> ap_cpystrn, fopen ->
ap_pfopen.
*) Added U.S. export law information to SUPPORT file to make sure
mailing list users inside the United States remember the U.S. export law.
Changes with mod_ssl 2.0.3
*) Fixed a few ap_log_error() calls where APLOG_NOERRNO was missing.
*) For better compatibility with Stronghold and because it is really more
intuitive we now also provide the CustomLog directives %{subjectdn}c and
%{issuerdn}c: The (more intuitive) %{subjectdn}c replaced the (confusing)
%{clientcert}c directive (although %{clientcert}c is still accepted as an
alias). And the %{issuerdn}c was added (with the alias %{cacert}c :-( ).
This way custom logfiles now can contain the certificate issuer as well.
*) For better configuration sharing with Stronghold (which uses
the name mod_ssl.c for its module, too) mod_ssl now defines not only the
C Pre-Processor define MOD_SSL, it now also pre-defines the Apache
configuration define MOD_SSL. This now can be used with <IfDefine
MOD_SSL>..</IfDefine> sections without the need to startup Apache
explicitly with an -DSSL or -DMOD_SSL option.
*) ANSI C doesn't allow one to forward declare an array variable without
specifying the actual array size. GCC didn't complain, but other vendor
compilers (like /bin/cc under IRIX) do. This is now fixed by re-ordering
the definitions in the code to make the forward declaration not
necessary.
*) Let APACI adjust the port 443 to 8443 when installing under a non-root
UID similar to what Apache already does with adjusting port 80 to 8080.
*) Fix patch tool location for the situation where the user
has to compile the stuff manually because of platform errors.
*) Incorporated changes from Apache-SSL 1.20 to 1.21:
Was only a single register_cleanup -> ap_register_cleanup rename,
because all other changes were either already in mod_ssl or will be done
totally different with the next mod_ssl changes (for instance the
logging stuff which gets replaced by a more improved version the next
days - because Ben's idea to now log anything to Apache's error_log
sounds not reasonable to me).
*) Fixed variable arg usage in logging functions: va_end was missing.
Changes with mod_ssl 2.0.2
*) Make egrep arguments more safe because they failed under
Solaris and other platforms.
*) Replaced basename() and dirname() functions in aux/patch/backupfile.c
to avoid conflicts with glibc2's versions of these functions.
*) Removed ssl.contrib/ssleay.diff because it was only needed
for the temporary broken SSLeay 0.9.0b which was staying around on the
net.
*) Now the sslcerts dir is created with permissions 755 and sslkeys
with 700 for security reasons.
*) Now the FAQ inside the mod_ssl.html document has corresponding ToC
entries. Additionally now the question "What is different between mod_ssl
and Apache-SSL" is tried to be answered. And a few hints were added on how
to check HTTPS manually.
*) Make the building of the 'patch' tool more robust by checking for
success and providing a log of the failure. Additionally in case of
problems the user now can use a --with-patch option to force the usage
of a vendor patch program.
*) Cleaned up the gcache stuff even more: reduced #includes
to minimum and moved some stuff to the header file.
*) Cleaned up the httpd.conf-dist entries for SSL.
*) Cleanup mod_log_config.c patch and fixed %{version}c construct:
It now says "SSLX" even under SSLeay 0.8.0.
*) Misc. doc adjustments: Fixed a few comment typos in apache.patch file;
Added Announcement text as ANNOUNCE file to distribution; Fixed
hyperlinks in mod_ssl.html document and added more useful hyperlinks to
the README file.
*) Replaced a lot of C constructs into shorthand defines to
make the code even more readable and reviewable:
o ``strcmp ... == 0'' -> ``strEQ''
o ``\0'' -> ``NUL''
o ``ap_get_module_config(...)'' -> ``myXXConfig''
o ``ap_overlay_tables'' -> ``cfgMergeTable''
*) Fixed dependencies in src/modules/ssl/Makefile.tmpl
*) Add Ben Laurie's copyright message to gcache sources, even when Ben
missed it here. It's from Ben, so his copyright applies and credit has
to be given.
Changes with mod_ssl 2.0.1
*) Minor documentation updates.
*) Now the ssl.patch/apache.diff file is named ssl.patch/apache.patch
and contains descriptive annotations for each patched file. This way
even the patches are easier to review.
*) The configure patch was not 100% correct: SSL must not be
disabled for --enable-module=most (where it should be enabled, of
course). Instead it has to be disabled automatically for
--enable-shared=max.
Changes with mod_ssl 2.0.0
*) Added "SSL library type" message to the configuration process
to inform the user how we recognized the SSLeay location.
*) Added support for conf/sslkeys/ directory both to configure
script, Makefile.tmpl and default config files. Additionally now on
"make install" the hash symlinks are created and a dummy server cert
file is skipped.
*) Fixed prop.sh script.
*) Cleaned up mod_ssl.html document for release.
*) Cleaned up the README file and added a situation report
about the author conflict with Ben.
*) Incorporated changes from Apache-SSL 1.19 to 1.20:
- Do a cleanup before starting gcache.
- Make gcache die when httpd dies.
This failing in previous versions appears to be a bug in Apache.
- Document the biz with passphrases and sleep.
- Do Apache-SSL on inetd connections.
ALL OTHER CHANGES BETWEEN APACHE-SSL 1.19 AND 1.20 WERE ALREADY DONE
FOR MOD_SSL IN THE PAST BY Ralf S. Engelschall. Because it seems Ben
just has drawn level Apache-SSL with the mod_ssl pre-release I sent to
him last week. Hmmmm...
*) Minor cleanups to README and mod_ssl.html file.
*) Now create the CHANGES.SSL in <apache>/src/ instead in <apache>/.
*) Moved patch to a subdir aux/patch/ and added prop.sh for
a visual process indicator while building the aux tools.
*) Slightly fixed the configure scripts messages
*) Added support for checking the Apache version: Now mod_ssl can
only be applied to the correct matching Apache source tree.
*) Added configurable support for mod_ssl version strings: Now
a libssl.version file is created inside src/modules/ssl/ which holds
the mod_ssl version. From this the libssl.module script creates a
MOD_SSL_VERSION define holding the value as a string ("X.Y.Z") and a
MOD_SSL define holding the value with a zero-spaced numerical value
(XYYZZ). This way the mod_ssl received the string for the Server field
and other modules can check against certain mod_ssl versions via #ifdef
or more granular via #if MOD_SSL >= 20000 or whatever.
*) Added support for names to the SSLVerifyClient directive: Now the ugly
numerical levels 0-2 are still valid but can be replaced by better
readable names: "none", "optional", "require" and "optional_no_ca".
*) Added Makefile for conf/sslcerts/ directory to keep <hash>.0
symlinks up-to-date.
*) Translated the FAQ into HTML format and appended it to mod_ssl.html.
Additionally I created a ca.sign script and a Makefile for sslcert/ in
relation to the FAQ.
*) Enhanced the logfile support: First I've converted nasty
fprintf(stderr,..) to ap_log_error() variants. Second I've moved the
fprintf(pConfig->fileLogfile,...) to ssl_log_own(pConfig,...) calls.
And third error messages are now consistently prefixed with "mod_ssl:"
and "SSLeay:" - depending on where an error comes from. And fourth I've
added the word "SSL" to a lot of messages to indicate the
SSL relationship. Additionally I removed doubled ERR_print_xxx calls.
*) Cleaned up the namespace by adding lots of `static's, so only the
module structure and the SSL_HOOK_xxx symbols are now exported.
*) Fixed up Apache API structures for Apache 1.3: added MODULE_VAR_EXPORT
for consistency and missing module structure dispatch pointers.
*) Completely renamed the functions to use common prefixes which
indicate their relationship and ordered the functions according to this
relationship. Additionally a complete list of prototypes is now
provided in mod_ssl.h. The order of functions now reflects the logical
order when one wants to review the module: 1. API structures, 2. config
handling, 3. directive handling, 4. init functions, 5. API hooks, 6.
internals, 7. caching support, 8. logfile support and 9. utility
functions. Additionally I cleaned up the namespace of global data
symbols: They now all have the prefix "g_": bFirstTime -> g_bFirstTime,
szCacheServerPort -> g_szCacheServerPort, szCacheServerPath ->
g_szCacheServerPath, s_pServer -> g_pServer.
*) Now all stuff for SSLeay < 0.8.0 is removed because an #error was
already given and there is no real need to support these versions any
longer. As a consequence we now also could remove the CACHE_SESSIONS
#ifdef mess because this was enabled for >= 0.8.0 since a long time.
*) Cleaned up the mess inside ap_config.h where TRUE, FALSE and BOOL
were globally defined even though they were only used by mod_ssl. Now
all stuff mod_ssl needs is inside mod_ssl.h and not spread over the
Apache sources without need. I've also cleaned up the "uchar"
definition because this was defined only by coincidence. I've also
replaced ugly return 0's with return FALSE and -1 by UNSET when the
context was the one for UNSET (like for VerifyType). Additionally I
replaced some incorrect declarations (extern uid_t ap_user_id) by
including the correct header file (http_config_globals.h). In the same
spirit for cleanness I've replaced the numerical filedescriptor numbers
by the STDXX_FILENO aliases.
*) Fixed a nasty bug: When a startup error occurred an exit() was done.
But an already started ssl_gcache program was not terminated because
the exit() doesn't give Apache a chance to cleanup the pools (where the
program is registered). Fixed by adding a bunch of ap_clear_pool()
calls before the exit() calls. Additionally some more missing exit()'s
were added to config checks. And last but not least a termination
message is now created by ssl_gcache when it is terminated so one now
sees both the start and the termination of the ssl_gcache program in the
logfiles.
*) Replaced various sprintf()'s by the safer and correct ap_snprintf()
variants. Same for fopen() and ap_pfopen() and other such functions.
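The sprintf() -> ap_snprintf() replacement above is the classic fix for
unbounded writes into fixed-size buffers. The following is an added
example, not mod_ssl code, that builds a Server header token of the form
the 2.0.0 entries describe with a bounded formatter and reports
truncation instead of overrunning the buffer. It uses the standard C
snprintf() (assumption: ap_snprintf() is Apache's portable equivalent
with the same bounding semantics, so the pattern carries over), and the
function name build_server_token is made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not mod_ssl code). Formats
 *   "Apache/<ver> (Unix) mod_ssl/<ver> SSLeay/<ver>"
 * into a caller-supplied buffer without ever writing past it.
 *
 * The original unbounded pattern was sprintf(out, "...", ...), which
 * overruns `out` as soon as the version strings are longer than the
 * buffer the caller sized for the expected case. snprintf() writes at
 * most outlen bytes (including the NUL) and returns the length the full
 * string would have needed, so truncation becomes a checkable error
 * instead of silent memory corruption.
 *
 * Returns 0 on success, -1 on bad arguments or if the token did not fit
 * (in which case out is left as an empty string, not a partial token).
 */
int build_server_token(char *out, size_t outlen,
                       const char *apache_ver, const char *modssl_ver,
                       const char *ssleay_ver)
{
    int needed;

    if (out == NULL || outlen == 0 ||
        apache_ver == NULL || modssl_ver == NULL || ssleay_ver == NULL)
        return -1;

    needed = snprintf(out, outlen, "Apache/%s (Unix) mod_ssl/%s SSLeay/%s",
                      apache_ver, modssl_ver, ssleay_ver);

    /* needed >= outlen means the output was cut off: refuse to hand back
     * a misleading half-written header rather than pretending it fit. */
    if (needed < 0 || (size_t)needed >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper showing the caller-side check: returns 1 if the
 * versions fit into a buffer of `outlen` bytes, 0 otherwise. */
int server_token_fits(size_t outlen, const char *apache_ver,
                      const char *modssl_ver, const char *ssleay_ver)
{
    char scratch[256];

    if (outlen > sizeof scratch)
        outlen = sizeof scratch;
    return build_server_token(scratch, outlen, apache_ver, modssl_ver,
                              ssleay_ver) == 0;
}
```

The caller-side check is the part that matters: a bounded formatter that
nobody inspects the return value of still yields a truncated header, so
each call site either checks the result or sizes the buffer from the
input lengths.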
*) Prefixed all SSLeay function calls with __SSLeay to mark them
for reviewing. I'm still not happy with this long and ugly reading
prefix but need to use an initial one which doesn't conflict.
Additionally I've then grep'ed out all __SSLeay prefixed symbols,
sorted them by group and inserted them into a README which can help
identifying the used SSLeay API functions. The whole intent is
just to make reviewing of the code easier, because this is
really important for security related sources.
*) A lot of various minor cleanups and fixes: For instance I've corrected the
directive descriptions, added some descriptive source comments, etc.
Really too many of these minor cleanups to write them down, sorry.
*) Added an FAQ file, assembled from some information found
on www.apache-ssl.org
*) Incorporated the changes between Apache-SSL 1.18-1.19
*) Added back support for the old Apache 1.2 way of configuring and
building by placing the SSL_BASE into src/Configuration.tmpl and
providing steps in INSTALL, too.
*) Added a complete Apache-style mod_ssl.html document which describes all
mod_ssl directives in detail. I've also painted a nice mod_ssl logo out
of the old mod_rewrite logo parts and a safety lock which secures the
feather. The SSLeay logo is also part of the document to give credit.
*) Added a `configure' frontend script for easily applying the mod_ssl
source extension and patches to the Apache source tree. It also can
replace APACI's configure script by running it in the background.
Additionally a slightly changed GNU patch 2.1 tool is distributed under
the aux/ subdir to make sure the source patching works reliably because
newer patches have problems with the apache.diff file and some systems
have no "patch" at all.
*) Split definitions from mod_ssl.c into own mod_ssl.h and converted all
source files to the Apache coding styles to be consistent with the
officially distributed Apache sources.
*) Generation of a certificate is supported via top-level "make
certificate" which correctly finds SSLeay both when SSLeay tree is the
source tree or the installed tree.
*) Added SSLNeedsSSL to config files and cleaned up the
SSL-related stuff at the end of httpd.conf-dist.
*) Out-of-the-box installation for an SSL-aware Apache is provided by
automatically installing the certificate and the ssl_gcache program.
Additionally the SSL-related directives in the extended httpd.conf file
are adjusted, so one immediately can fire up an SSL-aware httpd.
*) The name of the binary is now again "httpd" instead of the "httpsd"
because "httpsd" reads ugly and confuses APACI. And there is no real
need to distinguish between them, because one still can compile a
standard Apache even after mod_ssl was applied to the Apache source
tree. Or why isn't everybody using httppd just because mod_perl is
built in? Bingo!
*) Added Apache 1.3 Autoconf-style Interface (APACI) support to
automatically enable the SSL module via --enable-module=ssl. This also
triggers the MOD_PERL define, so without this APACI option you still
can build a standard Apache.
*) Use the official Apache 1.3 way of adding strings to the
HTTP Server header: via ap_add_version_component() instead of patching
the defines in httpd.h. Additionally it now creates a header like
``Server: Apache/1.3.1-dev (Unix) mod_ssl/2.0.0 SSLeay/0.9.0a'' i.e.
SSLeay is part of the Server header. Because SSLeay's version is more
important than mod_ssl's.
*) Removed all broken parts in the original Ben-SSL patch, for instance
incorrectly added newlines, incorrectly moved SecureWare, etc.
*) Removed nasty terminal messages like "Skip first time initialization",
"Launching ....", etc. These can be enabled in the future by using the
ap_log_error stuff.
*) Fixed incorrect log_ssl_info prototypes in mod_log_config.c from
Ben-SSL patch and fixed minor other things.
*) Cleaned up mod_ssl.c (formerly apache_ssl.c): removed unused variables
in mod_ssl.c, added prototypes, moved extern prototypes. Actually I've
made it run quietly through ``gcc -Wall -Wshadow -Wpointer-arith
-Wcast-align -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs -Winline'', etc.
*) Renamed apache_ssl.c to mod_ssl.c for consistency and also
to avoid problems inside APACI. Additionally the APACHE_SSL define was
renamed to MOD_SSL which is also consistent with the behaviour of
mod_perl which uses MOD_PERL.
*) *GENESIS*: Based the complete code on Ben Laurie's latest Apache-SSL
patch (Ben-SSL) version "apache_1.3.0+ssl_1.18". To avoid confusion and
to show that it's second generation stuff the mod_ssl version starts
with 2.0.0. I've merged in all my previous work on Apache-SSL for
Apache 1.3b, i.e. especially the APACI stuff.