| author | 1999-12-08 02:45:48 +0000 | |
|---|---|---|
| committer | 1999-12-08 02:45:48 +0000 | |
| commit | 69fe16e6f86413aa00dca3a3ae2292edea53059f (patch) | |
| tree | 9f81d76784a617777075a3bf694aaa8e6e580ba2 | |
| parent | AH finished, a couple of cosmetic changes in ESP. (diff) | |
mod_ssl 2.4.9 merge
17 files changed, 434 insertions, 203 deletions
diff --git a/usr.sbin/httpd/INSTALL.SSL b/usr.sbin/httpd/INSTALL.SSL index 39e845aed37..2e55ce7d4d7 100644 --- a/usr.sbin/httpd/INSTALL.SSL +++ b/usr.sbin/httpd/INSTALL.SSL @@ -63,9 +63,7 @@ Description: RSA Reference Implementation Reason: Deprecated RSA library for US citizens Homepage: - - Distribution: ftp://ftp.replay.com/pub/crypto/crypto/LIBS/rsa/ - ftp://utopia.hacktic.nl/pub/replay/pub/crypto/LIBS/rsa/ - Or ask http://ftpsearch.lycos.com/ for "rsaref20.tar.Z" !! + Distribution: Search on http://ftpsearch.lycos.com/ for "rsaref20.tar.Z" !! Tarball: rsaref20.tar.Z Location: Netherlands (because no longer distributed by RSA DSI) Author(s): RSA DSI @@ -176,10 +174,11 @@ $ cd .. ALL NOTE: OpenSSL understands a lot more options on the `config' - command line. For instance you can add some command line options - (like `-DSSL_FORBID_ENULL' for not allowing Null encryptions, etc) - to adjust the OpenSSL internals (see OpenSSL's top-level Makefile - for details). + command line. For instance you can add some command line + options (like `-DSSL_FORBID_ENULL' for not allowing Null + encryptions, or adding `-DSSL_ALLOW_ADH' for allowing + Anonymous Diffie-Hellman ciphers, etc) to adjust the OpenSSL + internals (see OpenSSL's top-level Makefile for details). NOTE: When your system already has OpenSSL installed (for instance some Linux distributions ship with OpenSSL installed out-of-the-box) in @@ -271,7 +270,7 @@ When this is the case for you, then try to recompile OpenSSL with Position Independent Code (PIC) by adding a `-fPIC' (for GCC) or `-KPIC' (for SVR4-style compilers) to the platform - configuration line in OpenSSL's `Configure' script. The the + configuration line in OpenSSL's `Configure' script. The -fPIC option above when you build OpenSSL. NOTE: The --disable-rule=SSL_COMPAT option disables the building of 
@@ -349,7 +348,7 @@ When this is the case for you, then try to recompile OpenSSL with Position Independent Code (PIC) by adding a `-fPIC' (for GCC) or `-KPIC' (for SVR4-style compilers) to the platform - configuration line in OpenSSL's `Configure' script. The the + configuration line in OpenSSL's `Configure' script. The -fPIC option above when you build OpenSSL. NOTE: The --disable-rule=SSL_COMPAT option disables the building of diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html index 7d08eb79059..aa17eb4b275 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html 
@@ -289,41 +289,42 @@ author. <a href="#ToC9"><strong>Core dumps for Apache+mod_ssl+PHP3?</strong></a><br> <a href="#ToC10"><strong>Undefined symbols on startup?</strong></a><br> <a href="#ToC11"><strong>Permission problem on SSLMutex</strong></a><br> - <a href="#ToC12"><strong>shared memory and process size?</strong></a><br> + <a href="#ToC12"><strong>Shared memory and process size?</strong></a><br> <a href="#ToC13"><strong>About Configuration</strong></a><br> <a href="#ToC14"><strong>HTTP and HTTPS with a single server?</strong></a><br> <a href="#ToC15"><strong>Where is the HTTPS port?</strong></a><br> <a href="#ToC16"><strong>How to test HTTPS manually?</strong></a><br> <a href="#ToC17"><strong>Why does my connection hang?</strong></a><br> - <a href="#ToC18"><strong>How to switch with relative hyperlinks?</strong></a><br> - <a href="#ToC19"><strong>About Certificates</strong></a><br> - <a href="#ToC20"><strong>What are Keys, CSRs and Certs?</strong></a><br> - <a href="#ToC21"><strong>Difference on startup?</strong></a><br> - <a href="#ToC22"><strong>How to create a dummy cert?</strong></a><br> - <a href="#ToC23"><strong>How to create a real cert?</strong></a><br> - <a href="#ToC24"><strong>How to create my own CA?</strong></a><br> - <a href="#ToC25"><strong>How to change a pass phrase?</strong></a><br> - <a href="#ToC26"><strong>How to remove a pass phrase?</strong></a><br> - <a href="#ToC27"><strong>How to verify a key/cert pair?</strong></a><br> - <a href="#ToC28"><strong>Bad Certificate Error?</strong></a><br> - <a href="#ToC29"><strong>Why does a 2048-bit key not work?</strong></a><br> - <a href="#ToC30"><strong>Why is client auth broken?</strong></a><br> - <a href="#ToC31"><strong>How to convert from PEM to DER?</strong></a><br> - <a href="#ToC32"><strong>Verisign and the magic getca program?</strong></a><br> - <a href="#ToC33"><strong>Global IDs or SGC?</strong></a><br> - <a href="#ToC34"><strong>About SSL Protocol</strong></a><br> - <a 
href="#ToC35"><strong>Why has the server a higher load?</strong></a><br> - <a href="#ToC36"><strong>Which ciphers are supported?</strong></a><br> - <a href="#ToC37"><strong>HTTPS and name-based vhosts</strong></a><br> - <a href="#ToC38"><strong>The lock icon in Netscape locks very late</strong></a><br> - <a href="#ToC39"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br> - <a href="#ToC40"><strong>Why do I get I/O errors with my NS clients?</strong></a><br> - <a href="#ToC41"><strong>About Support</strong></a><br> - <a href="#ToC42"><strong>Resources in case of problems?</strong></a><br> - <a href="#ToC43"><strong>Support in case of problems?</strong></a><br> - <a href="#ToC44"><strong>How to write a problem report?</strong></a><br> - <a href="#ToC45"><strong>I got a core dump, can you help me?</strong></a><br> - <a href="#ToC46"><strong>How to get a backtrace?</strong></a><br> + <a href="#ToC18"><strong>Why do I get connection refused?</strong></a><br> + <a href="#ToC19"><strong>How to switch with relative hyperlinks?</strong></a><br> + <a href="#ToC20"><strong>About Certificates</strong></a><br> + <a href="#ToC21"><strong>What are Keys, CSRs and Certs?</strong></a><br> + <a href="#ToC22"><strong>Difference on startup?</strong></a><br> + <a href="#ToC23"><strong>How to create a dummy cert?</strong></a><br> + <a href="#ToC24"><strong>How to create a real cert?</strong></a><br> + <a href="#ToC25"><strong>How to create my own CA?</strong></a><br> + <a href="#ToC26"><strong>How to change a pass phrase?</strong></a><br> + <a href="#ToC27"><strong>How to remove a pass phrase?</strong></a><br> + <a href="#ToC28"><strong>How to verify a key/cert pair?</strong></a><br> + <a href="#ToC29"><strong>Bad Certificate Error?</strong></a><br> + <a href="#ToC30"><strong>Why does a 2048-bit key not work?</strong></a><br> + <a href="#ToC31"><strong>Why is client auth broken?</strong></a><br> + <a href="#ToC32"><strong>How to convert from PEM to 
DER?</strong></a><br> + <a href="#ToC33"><strong>Verisign and the magic getca program?</strong></a><br> + <a href="#ToC34"><strong>Global IDs or SGC?</strong></a><br> + <a href="#ToC35"><strong>About SSL Protocol</strong></a><br> + <a href="#ToC36"><strong>Why has the server a higher load?</strong></a><br> + <a href="#ToC37"><strong>Which ciphers are supported?</strong></a><br> + <a href="#ToC38"><strong>HTTPS and name-based vhosts</strong></a><br> + <a href="#ToC39"><strong>The lock icon in Netscape locks very late</strong></a><br> + <a href="#ToC40"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br> + <a href="#ToC41"><strong>Why do I get I/O errors with my NS clients?</strong></a><br> + <a href="#ToC42"><strong>About Support</strong></a><br> + <a href="#ToC43"><strong>Resources in case of problems?</strong></a><br> + <a href="#ToC44"><strong>Support in case of problems?</strong></a><br> + <a href="#ToC45"><strong>How to write a problem report?</strong></a><br> + <a href="#ToC46"><strong>I got a core dump, can you help me?</strong></a><br> + <a href="#ToC47"><strong>How to get a backtrace?</strong></a><br> </font> </td> </tr> @@ -501,8 +502,8 @@ it is originally derived?</strong> a buggy mod_ssl version. But the above situation is often caused by old or broken vendor DBM libraries. To solve it either build mod_ssl with the built-in SDBM library (specify <tt>--enable-rule=SSL_SDBM</tt> at the - APACI command line) or switch from ``<tt>SSLSessioCache dbm:</tt>'' to the - newer ``<tt>SSLSessioCache shm:</tt>'' variant (after you've rebuilt + APACI command line) or switch from ``<tt>SSLSessionCache dbm:</tt>'' to the + newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you've rebuilt Apache with MM, of course). <p> <li><a name="ToC9"></a> 
@@ -627,6 +628,21 @@ it is originally derived?</strong> your hostname, not localhost (127.0.0.1). <p> <li><a name="ToC18"></a> + <a name="hang"></a> + <strong id="faq">Why do I get ``Connection Refused'' messages when trying to access my freshly +installed Apache+mod_ssl server via HTTPS?</strong> + [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#hang"><b>L</b></a>] + <p> + There can be various reasons. Some of the common mistakes is that people + start Apache with just ``<tt>apachectl start</tt>'' (or + ``<tt>httpd</tt>'') instead of ``<tt>apachectl startssl</tt>'' (or + ``<tt>httpd -DSSL</tt>''. Or you're configuration is not correct. At + least make sure that your ``<tt>Listen</tt>'' directives match your + ``<tt><VirtualHost></tt>'' directives. And if all fails, please do + yourself a favor and start over with the default configuration mod_ssl + provides you. +<p> +<li><a name="ToC19"></a> <a name="relative-links"></a> <strong id="faq">How can I use relative hyperlinks to switch between HTTP and HTTPS?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#relative-links"><b>L</b></a>] @@ -647,10 +663,10 @@ it is originally derived?</strong> </ul> <p> <br> -<H2><a name="ToC19">About Certificates</a></H2> +<H2><a name="ToC20">About Certificates</a></H2> <ul> <p> -<li><a name="ToC20"></a> +<li><a name="ToC21"></a> <a name="what-is"></a> <strong id="faq">What are RSA Private Keys, CSRs and Certificates?</strong></strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#what-is"><b>L</b></a>] @@ -668,7 +684,7 @@ it is originally derived?</strong> See the <a href="ssl_intro.html">Introduction</a> chapter for a general description of the SSL protocol. <p> -<li><a name="ToC21"></a> +<li><a name="ToC22"></a> <a name="startup"></a> <strong id="faq">Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#startup"><b>L</b></a>] 
@@ -684,7 +700,7 @@ it is originally derived?</strong> below under ``How can I get rid of the pass-phrase dialog at Apache startup time?''. <p> -<li><a name="ToC22"></a> +<li><a name="ToC23"></a> <a name="cert-dummy"></a> <strong id="faq">How can I create a dummy SSL server Certificate for testing purposes?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#cert-dummy"><b>L</b></a>] @@ -706,7 +722,7 @@ it is originally derived?</strong> BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER. <p> -<li><a name="ToC23"></a> +<li><a name="ToC24"></a> <a name="cert-real"></a> <strong id="faq">Ok, I've got my server installed and want to create a real SSL server Certificate for it. How do I do it?</strong> @@ -802,7 +818,7 @@ server Certificate for it. How do I do it?</strong> The <code>server.csr</code> file is no longer needed. </ol> <p> -<li><a name="ToC24"></a> +<li><a name="ToC25"></a> <a name="cert-ownca"></a> <strong id="faq">How can I create and use my own Certificate Authority (CA)?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#cert-ownca"><b>L</b></a>] @@ -852,7 +868,7 @@ server Certificate for it. How do I do it?</strong> This signs the server CSR and results in a <code>server.crt</code> file. </ol> <p> -<li><a name="ToC25"></a> +<li><a name="ToC26"></a> <a name="change-passphrase"></a> <strong id="faq">How can I change the pass-phrase on my private key file?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#change-passphrase"><b>L</b></a>] 
@@ -868,7 +884,7 @@ server Certificate for it. How do I do it?</strong> prompt enter the old pass-phrase and at the second prompt enter the new pass-phrase. <p> -<li><a name="ToC26"></a> +<li><a name="ToC27"></a> <a name="remove-passphrase"></a> <strong id="faq">How can I get rid of the pass-phrase dialog at Apache startup time?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#remove-passphrase"><b>L</b></a>] @@ -903,7 +919,7 @@ server Certificate for it. How do I do it?</strong> exec:/path/to/program</code>'' facility. But keep in mind that this is neither more nor less secure, of course. <p> -<li><a name="ToC27"></a> +<li><a name="ToC28"></a> <a name="verify-key"></a> <strong id="faq">How do I verify that a private key matches its Certificate?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#verify-key"><b>L</b></a>] @@ -933,7 +949,7 @@ server Certificate for it. How do I do it?</strong> <p> <code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code> <p> -<li><a name="ToC28"></a> +<li><a name="ToC29"></a> <a name="keysize1"></a> <strong id="faq">What does it mean when my connections fail with an "alert bad certificate" error?</strong> @@ -945,7 +961,7 @@ error?</strong> certificate/private-key which perhaps contain a RSA-key not equal to 1024 bits. For instance Netscape Navigator 3.x is one of those browsers. <p> -<li><a name="ToC29"></a> +<li><a name="ToC30"></a> <a name="keysize2"></a> <strong id="faq">Why does my 2048-bit private key not work?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#keysize2"><b>L</b></a>] @@ -956,7 +972,7 @@ error?</strong> Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit. <p> -<li><a name="ToC30"></a> +<li><a name="ToC31"></a> <a name="hash-symlinks"></a> <strong id="faq">Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?</strong> 
@@ -970,7 +986,7 @@ SSLeay version 0.8 to 0.9?</strong> all old hash symlinks and re-create new ones after upgrading. Use the <code>Makefile</code> mod_ssl placed into this directory. <p> -<li><a name="ToC31"></a> +<li><a name="ToC32"></a> <a name="pem-to-der"></a> <strong id="faq">How can I convert a certificate from PEM to DER format?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#pem-to-der"><b>L</b></a>] @@ -982,7 +998,7 @@ SSLeay version 0.8 to 0.9?</strong> corresponding DER file <code>cert.der</code> with the following command: <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code> <p> -<li><a name="ToC32"></a> +<li><a name="ToC33"></a> <a name="verisign-getca"></a> <strong id="faq">I try to install a Verisign certificate. Why can't I find neither the <code>getca</code> nor <code>getverisign</code> programs Verisign mentions?</strong> @@ -1000,7 +1016,7 @@ SSLeay version 0.8 to 0.9?</strong> href="http://www.thawte.com/certs/server/keygen/mod_ssl.html"> Thawte's mod_ssl instructions</a>. <p> -<li><a name="ToC33"></a> +<li><a name="ToC34"></a> <a name="gid"></a> <strong id="faq">Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) also with mod_ssl?</strong> @@ -1014,10 +1030,10 @@ ID) also with mod_ssl?</strong> </ul> <p> <br> -<H2><a name="ToC34">About SSL Protocol</a></H2> +<H2><a name="ToC35">About SSL Protocol</a></H2> <ul> <p> -<li><a name="ToC35"></a> +<li><a name="ToC36"></a> <a name="load"></a> <strong id="faq">Why has my webserver a higher load now that I run SSL there?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#load"><b>L</b></a>] 
@@ -1027,7 +1043,7 @@ ID) also with mod_ssl?</strong> the images are transfered encrypted. So, when you have a lot of HTTPS traffic the load increases. <p> -<li><a name="ToC36"></a> +<li><a name="ToC37"></a> <a name="ciphers"></a> <strong id="faq">What SSL Ciphers are supported by mod_ssl?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#ciphers"><b>L</b></a>] @@ -1051,7 +1067,7 @@ ID) also with mod_ssl?</strong> <p> <code><strong>$ openssl ciphers -v</strong></code><br> <p> -<li><a name="ToC37"></a> +<li><a name="ToC38"></a> <a name="vhosts"></a> <strong id="faq">Why can't I use SSL with name-based/non-IP-based virtual hosts?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#vhosts"><b>L</b></a>] @@ -1068,7 +1084,7 @@ ID) also with mod_ssl?</strong> handshake is finished. But the information is already needed at the SSL handshake phase. Bingo! <p> -<li><a name="ToC38"></a> +<li><a name="ToC39"></a> <a name="lock-icon"></a> <strong id="faq">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still show the unlocked state when the dialog pops up. Does this mean the @@ -1085,7 +1101,7 @@ username/password is still transmitted unencrypted?</strong> handshake phase and switched to encrypted communication. So, don't get confused by this icon. <p> -<li><a name="ToC39"></a> +<li><a name="ToC40"></a> <a name="io-ie"></a> <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the @@ -1102,7 +1118,7 @@ server". What's the reason?</strong> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown </pre> <p> -<li><a name="ToC40"></a> +<li><a name="ToC41"></a> <a name="io-ns"></a> <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the 
@@ -1118,10 +1134,10 @@ server" What's the reason?</strong> </ul> <p> <br> -<H2><a name="ToC41">About Support</a></H2> +<H2><a name="ToC42">About Support</a></H2> <ul> <p> -<li><a name="ToC42"></a> +<li><a name="ToC43"></a> <a name="resources"></a> <strong id="faq">What information resources are available in case of mod_ssl problems?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#resources"><b>L</b></a>] @@ -1150,7 +1166,7 @@ In case of problems you should search here first. someone else already has reported the problem. </ol> <p> -<li><a name="ToC43"></a> +<li><a name="ToC44"></a> <a name="contact"></a> <strong id="faq">What support contacts are available in case of mod_ssl problems?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#contact"><b>L</b></a>] @@ -1184,7 +1200,7 @@ you just like most, please. usually not processed as fast as a posting on modssl-users. </ol> <p> -<li><a name="ToC44"></a> +<li><a name="ToC45"></a> <a name="report-details"></a> <strong id="faq">What information and details I've to provide to the author when writing a bug report?</strong> @@ -1222,7 +1238,7 @@ You have to at least always provide the following information: course. </ul> <p> -<li><a name="ToC45"></a> +<li><a name="ToC46"></a> <a name="core-dumped"></a> <strong id="faq">I got a core dump, can you help me?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#core-dumped"><b>L</b></a>] @@ -1233,7 +1249,7 @@ You have to at least always provide the following information: information it is mostly impossible to find the problem and help you in fixing it. <p> -<li><a name="ToC46"></a> +<li><a name="ToC47"></a> <a name="report-backtrace"></a> <strong id="faq">Ok, I got a core dump but how do I get a backtrace to find out the reason for it?</strong> [<a href="http://www.modssl.org/docs/2.4/ssl_faq.html#report-backtrace"><b>L</b></a>] 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml index c99863e4017..899faa40162 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml @@ -250,8 +250,8 @@ When I access my website the first time via HTTPS I get a core dump? a buggy mod_ssl version. But the above situation is often caused by old or broken vendor DBM libraries. To solve it either build mod_ssl with the built-in SDBM library (specify <tt>--enable-rule=SSL_SDBM</tt> at the - APACI command line) or switch from ``<tt>SSLSessioCache dbm:</tt>'' to the - newer ``<tt>SSLSessioCache shm:</tt>'' variant (after you've rebuilt + APACI command line) or switch from ``<tt>SSLSessionCache dbm:</tt>'' to the + newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you've rebuilt Apache with MM, of course). <faq ref="core-php3" toc="Core dumps for Apache+mod_ssl+PHP3?"> @@ -287,7 +287,7 @@ When I startup Apache I get permission errors related to SSLMutex? set at least for the UID under which Apache's children are running (see the <code>User</code> directive of Apache). -<faq ref="mm" toc="shared memory and process size?"> +<faq ref="mm" toc="Shared memory and process size?"> When I use the MM library and the shared memory cache each process grows 1.5MB according to `top' although I specified 512000 as the cache size? </faq> 
@@ -370,6 +370,20 @@ Why does the connection hang when I connect to my SSL-aware Apache server? virtual server that supports SSL, which is probably the IP associated with your hostname, not localhost (127.0.0.1). +<faq ref="hang" toc="Why do I get connection refused?"> +Why do I get ``Connection Refused'' messages when trying to access my freshly +installed Apache+mod_ssl server via HTTPS? +</faq> + + There can be various reasons. Some of the common mistakes is that people + start Apache with just ``<tt>apachectl start</tt>'' (or + ``<tt>httpd</tt>'') instead of ``<tt>apachectl startssl</tt>'' (or + ``<tt>httpd -DSSL</tt>''. Or you're configuration is not correct. At + least make sure that your ``<tt>Listen</tt>'' directives match your + ``<tt><VirtualHost></tt>'' directives. And if all fails, please do + yourself a favor and start over with the default configuration mod_ssl + provides you. + <faq ref="relative-links" toc="How to switch with relative hyperlinks?"> How can I use relative hyperlinks to switch between HTTP and HTTPS? </faq> diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html index 9ca35b63905..1633b75fd98 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html 
@@ -412,12 +412,14 @@ which can be configured by <em>type</em>: <li><code>exec:/path/to/program</code> <p> Here an external program is configured which is called at startup for each - encrypted Private Key file. It is called with an argument of - ``<code>servername:portnumber</code>'' for which it has to print the - corresponding Pass Phrase to <code>stdout</code>. The intent is that this - external program first runs security checks to make sure that the system - is not compromised by an attacker, and only when these checks were passed - successfully it provides the Pass Phrase. + encrypted Private Key file. It is called with two arguments (the first is + of the form ``<code>servername:portnumber</code>'', the second is either + ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which + server and algorithm it has to print the corresponding Pass Phrase to + <code>stdout</code>. The intent is that this external program first runs + security checks to make sure that the system is not compromised by an + attacker, and only when these checks were passed successfully it provides + the Pass Phrase. <p> Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like. Mod_ssl just defines the interface: an 
@@ -2014,13 +2016,15 @@ The available <em>option</em>s are: <p> <li><code>ExportCertData</code> <p> - When this option is enabled, two additional CGI/SSI environment variables - are created: <code>SSL_CLIENT_CERT</code> and - <code>SSL_SERVER_CERT</code>. These contain the PEM-encoded X.509 - Certificates of client and server for the current HTTPS connection and can - be used by CGI scripts for deeper Certificate checking. This bloats up - the environment a little bit which is why you have to use this option to - enable it on demand. + When this option is enabled, additional CGI/SSI environment variables are + created: <code>SSL_SERVER_CERT</code>, <code>SSL_CLIENT_CERT</code> and + <code>SSL_CLIENT_CERT_CHAIN</code><i>n</i> (with <i>n</i> = 0,1,2,..). + These contain the PEM-encoded X.509 Certificates of server and client for + the current HTTPS connection and can be used by CGI scripts for deeper + Certificate checking. Additionally all other certificates of the client + certificate chain are provided, too. This bloats up the environment a + little bit which is why you have to use this option to enable it on + demand. <p> <li><code>FakeBasicAuth</code> <p> 
@@ -2272,29 +2276,31 @@ REQUEST_FILENAME </pre> <em>SSL-related variables:</em> <pre> -HTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION - SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL -SSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START -SSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END -SSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN -SSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C -SSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_SP SSL_SERVER_S_DN_SP -SSL_VERSION_LIBRARY SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L -SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O - SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU - SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN - SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email - SSL_CLIENT_I_DN SSL_SERVER_I_DN - SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C - SSL_CLIENT_I_DN_SP SSL_SERVER_I_DN_SP - SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L - SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O - SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU - SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN - SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email - SSL_CLIENT_A_SIG SSL_SERVER_A_SIG - SSL_CLIENT_A_KEY SSL_SERVER_A_KEY - SSL_CLIENT_CERT SSL_SERVER_CERT +HTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION + SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL +SSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START +SSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END +SSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN +SSL_CIPHER_EXPORT SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C +SSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_SP SSL_SERVER_S_DN_SP +SSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L +SSL_VERSION_LIBRARY SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O +SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU + SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN + SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email + SSL_CLIENT_I_DN SSL_SERVER_I_DN + SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C + SSL_CLIENT_I_DN_SP SSL_SERVER_I_DN_SP + SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L + SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O + SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU + SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN + 
SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email + SSL_CLIENT_A_SIG SSL_SERVER_A_SIG + SSL_CLIENT_A_KEY SSL_SERVER_A_KEY + SSL_CLIENT_CERT SSL_SERVER_CERT + SSL_CLIENT_CERT_CHAIN<b>n</b> + SSL_CLIENT_VERIFY </pre> </td></tr></table></td> </tr></table> @@ -2328,6 +2334,7 @@ compatibility variables. <tr id="H"><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr> <tr id="H"><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr> <tr id="D"><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr> +<tr id="D"><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr> <tr id="H"><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> <tr id="D"><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr> <tr id="H"><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr> 
@@ -2342,16 +2349,20 @@ compatibility variables.
 <tr id="D"><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr>
 <tr id="H"><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr>
 <tr id="D"><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
-<tr id="H"><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
-<tr id="D"><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
-<tr id="H"><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
-<tr id="D"><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
-<tr id="H"><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
-<tr id="D"><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
-<tr id="H"><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr>
-<tr id="D"><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr>
-<tr id="H"><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
-<tr id="D"><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
+<tr id="H"><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
+<tr id="D"><td><code>SSL_CLIENT_CERT_CHAIN</code><i>n</i></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
+<tr id="H"><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><tt>NONE</tt>, <tt>SUCCESS</tt>, <tt>GENEROUS</tt> or <tt>FAILED:</tt><i>reason</i></td></tr>
+<tr id="D"><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
+<tr id="H"><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
+<tr id="D"><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
+<tr id="H"><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
+<tr id="D"><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
+<tr id="H"><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
+<tr id="D"><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr>
+<tr id="H"><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr>
+<tr id="D"><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
+<tr id="H"><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
+<tr id="D"><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
 </table>
 [ where <em>x509</em> is a component of a X.509 DN: <code>C, SP, L, O, OU, CN, Email</code> ]</td>
 </tr></table>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
index 8276e824690..e7e0fa080ac 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
@@ -135,12 +135,14 @@ which can be configured by <em>type</em>: <li><code>exec:/path/to/program</code> <p> Here an external program is configured which is called at startup for each - encrypted Private Key file. It is called with an argument of - ``<code>servername:portnumber</code>'' for which it has to print the - corresponding Pass Phrase to <code>stdout</code>. The intent is that this - external program first runs security checks to make sure that the system - is not compromised by an attacker, and only when these checks were passed - successfully it provides the Pass Phrase. + encrypted Private Key file. It is called with two arguments (the first is + of the form ``<code>servername:portnumber</code>'', the second is either + ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which + server and algorithm it has to print the corresponding Pass Phrase to + <code>stdout</code>. The intent is that this external program first runs + security checks to make sure that the system is not compromised by an + attacker, and only when these checks were passed successfully it provides + the Pass Phrase. <p> Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like. Mod_ssl just defines the interface: an 
@@ -1209,13 +1211,15 @@ The available <em>option</em>s are: <p> <li><code>ExportCertData</code> <p> - When this option is enabled, two additional CGI/SSI environment variables - are created: <code>SSL_CLIENT_CERT</code> and - <code>SSL_SERVER_CERT</code>. These contain the PEM-encoded X.509 - Certificates of client and server for the current HTTPS connection and can - be used by CGI scripts for deeper Certificate checking. This bloats up - the environment a little bit which is why you have to use this option to - enable it on demand. + When this option is enabled, additional CGI/SSI environment variables are + created: <code>SSL_SERVER_CERT</code>, <code>SSL_CLIENT_CERT</code> and + <code>SSL_CLIENT_CERT_CHAIN</code><i>n</i> (with <i>n</i> = 0,1,2,..). + These contain the PEM-encoded X.509 Certificates of server and client for + the current HTTPS connection and can be used by CGI scripts for deeper + Certificate checking. Additionally all other certificates of the client + certificate chain are provided, too. This bloats up the environment a + little bit which is why you have to use this option to enable it on + demand. <p> <li><code>FakeBasicAuth</code> <p> 
@@ -1412,29 +1416,31 @@ REQUEST_FILENAME <em>SSL-related variables:</em> <pre> -HTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION - SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL -SSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START -SSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END -SSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN -SSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C -SSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_SP SSL_SERVER_S_DN_SP -SSL_VERSION_LIBRARY SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L -SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O - SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU - SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN - SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email - SSL_CLIENT_I_DN SSL_SERVER_I_DN - SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C - SSL_CLIENT_I_DN_SP SSL_SERVER_I_DN_SP - SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L - SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O - SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU - SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN - SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email - SSL_CLIENT_A_SIG SSL_SERVER_A_SIG - SSL_CLIENT_A_KEY SSL_SERVER_A_KEY - SSL_CLIENT_CERT SSL_SERVER_CERT +HTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION + SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL +SSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START +SSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END +SSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN +SSL_CIPHER_EXPORT SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C +SSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_SP SSL_SERVER_S_DN_SP +SSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L +SSL_VERSION_LIBRARY SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O +SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU + SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN + SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email + SSL_CLIENT_I_DN SSL_SERVER_I_DN + SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C + SSL_CLIENT_I_DN_SP SSL_SERVER_I_DN_SP + SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L + SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O + SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU + SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN + 
SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email + SSL_CLIENT_A_SIG SSL_SERVER_A_SIG + SSL_CLIENT_A_KEY SSL_SERVER_A_KEY + SSL_CLIENT_CERT SSL_SERVER_CERT + SSL_CLIENT_CERT_CHAIN<b>n</b> + SSL_CLIENT_VERIFY </pre> </td></tr></table> </float> @@ -1465,6 +1471,7 @@ compatibility variables. <tr id=H><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr> <tr id=H><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr> <tr id=D><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr> +<tr id=D><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr> <tr id=H><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> <tr id=D><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr> <tr id=H><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr> 
@@ -1479,16 +1486,20 @@ compatibility variables. <tr id=D><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr> <tr id=H><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr> <tr id=D><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> -<tr id=H><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> -<tr id=D><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> -<tr id=H><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> -<tr id=D><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr> -<tr id=H><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr> -<tr id=D><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr> -<tr id=H><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr> -<tr id=D><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr> -<tr id=H><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> -<tr id=D><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr> +<tr id=H><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> +<tr id=D><td><code>SSL_CLIENT_CERT_CHAIN</code><i>n</i></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> +<tr id=H><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> 
<td><tt>NONE</tt>, <tt>SUCCESS</tt>, <tt>GENEROUS</tt> or <tt>FAILED:</tt><i>reason</i></td></tr> +<tr id=D><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> +<tr id=H><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> +<tr id=D><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> +<tr id=H><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr> +<tr id=D><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr> +<tr id=H><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr> +<tr id=D><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr> +<tr id=H><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr> +<tr id=D><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> +<tr id=H><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr> +<tr id=D><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr> </table> [ where <em>x509</em> is a component of a X.509 DN: <code>C, SP, L, O, OU, CN, Email</code> ] </float> diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL index 3e4f2c8c851..f66fd5cf107 100644 --- a/usr.sbin/httpd/src/CHANGES.SSL +++ b/usr.sbin/httpd/src/CHANGES.SSL 
@@ -23,6 +23,90 @@ / __/ |__ _| __ |_____(_) |_| ___________________________________________ + Changes with mod_ssl 2.4.9 (05-Nov-1999 to 24-Nov-1999) + + *) Fixed SSLRequire expression evaluation for number strings. + Expressions like `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128' + didn't work if SSL_CIPHER_USEKEYSIZE was "40" because the evaluation + used strcmp(3) and this fails to compare numbers of different length. + An own comparison function is now used to avoid this problem. + + *) Now on Win32 a warning is logged once on startup that mod_ssl is + NOT officially supported under Win32 and people have to use it there on + their own risk (and so shouldn't complain if it doesn't work). Because + only the Unix platform is officially supported and mod_ssl is checked + for security issues only related this platform. + + *) For performance reasons it is unreasonable to create the SSL_* + CGI/SSI variables _all the time_, because their creation is + a rather expensive operation which slows down the server + noticeable. Instead it is more reasonable to let them create for + CGI and SSI requests _only_. For consistency reason with other + `SSLOptions' variables (which all have positive names) and to + avoid necessary cleanups changes in the future, I decided to make + the incompatibility change _NOW_ (sorry). + + In short: With mod_ssl 2.4.9 per default no SSI/CGI variables + SSL_* are created any longer (only the special "HTTPS" variable is + always created). Instead one has to use `SSLOptions +StdEnvVars' + to switch the creation on. + + *) Added an `SSLOptions' variable `StdEnvVars' which now controls + the creation of the numerious SSL_* CGI/SSI variables. + + *) Renamed old variable SSL_{CLIENT,SERVER}_{S,I}_DN_SP to more + correct SSL_{CLIENT,SERVER}_{S,I}_DN_ST variable to conform to + RFC2156 and current OpenSSL state (which also prints this OID as + "ST" and no longer "SP"). 
+ + *) Added support for SSL_{CLIENT,SERVER}_{S,I}_DN_{T,I,G,S,D,UID} + variables (corresponding to X.509 title, initials, givenName, surname, + description and uniqueIdentifier OIDs) to allow the checking of more + X.509 certificate ingredients. + + *) Allow mod_rewrite to also lookup the "HTTPS" variable, for instance + via ``RewriteCond %{HTTPS} !=on''. + + *) Removed old URL references to rsaref20.tar.Z from INSTALL document. + + *) Now an explicit error message is logged also if an SSL session cannot be + stored to the DBM file via dbm_store (and not just if dbm_open failed). + + *) Now the pass phrase dialog no longer uses the hard-coded + filedescriptor 10 as the storage for stderr while the pass phrase dialog + is displayed. Instead (at least under Unix) it tries to open /dev/null + and uses this filedescriptor instead. And when this fails (or always + under Win32) it uses the hard-coded filedescriptor 50 (a lot higher than + 10 to avoid problems with logfile rotation programs and other things + Apache could have started). + + *) Fixed SSL_make_ciphersuite() function: it calculated the required string + length incorrectly and could segfault. BUT THIS FUNCTION IS STILL NOT + USED IN MOD_SSL AT ALL, so don't panic. This function is for debugging + purposes only. + + *) Fixed a filedescriptor leak which happened if encrypted private keys + were used. Here the pass phrase dialog forgot to close a temporary + filedescriptor. + + *) Added three new OpenSSL log entry annotations: First, "*no start + line*" now triggers "Bad file contents or format - or even just + a forgotten SSLCertificate KeyFile?" and "*bad password read*" + triggers "You entered an incorrect pass phrase!?". Additionally + "*bad mac decode*" now triggers "Browser still remembered details + of a re-created server certificate?" because people often get "bad + data" dialog boxes while (re-)testing with Snake Oil certs. 
+
+ *) Added hint about possibly blocking /dev/random devices also to
+ httpd.conf-default to make sure people don't overlook this subtle
+ platform-dependent problem. Additionally a new FAQ entry was
+ made about this, too.
+
+ *) Added an entry to the FAQ about GIDs and their intermediate
+ certificate which has to be configured with SSLCertificateChainFile.
+
+ *) Fixed some external URLs in the FAQ.
+
 Changes with mod_ssl 2.4.8 (02-Nov-1999 to 05-Nov-1999)
 *) ** IMPORTANT BUGFIX **
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index 482255d17b1..048d140c25d 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.4.8-1.3.9
+mod_ssl/2.4.9-1.3.9
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 256a12c0fa6..503615d0b5e 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -401,12 +401,13 @@ typedef int ssl_algo_t;
 */
 #define SSL_OPT_NONE (0)
 #define SSL_OPT_RELSET (1<<0)
-#define SSL_OPT_COMPATENVVARS (1<<1)
-#define SSL_OPT_EXPORTCERTDATA (1<<2)
-#define SSL_OPT_FAKEBASICAUTH (1<<3)
-#define SSL_OPT_STRICTREQUIRE (1<<4)
-#define SSL_OPT_OPTRENEGOTIATE (1<<5)
-#define SSL_OPT_ALL (SSL_OPT_COMPATENVVAR|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
+#define SSL_OPT_STDENVVARS (1<<1)
+#define SSL_OPT_COMPATENVVARS (1<<2)
+#define SSL_OPT_EXPORTCERTDATA (1<<3)
+#define SSL_OPT_FAKEBASICAUTH (1<<4)
+#define SSL_OPT_STRICTREQUIRE (1<<5)
+#define SSL_OPT_OPTRENEGOTIATE (1<<6)
+#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_COMPATENVVAR|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
 typedef int ssl_opt_t;
 /*
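Review bot: The new `SSL_OPT_ALL` line in mod_ssl.h still spells its second member `SSL_OPT_COMPATENVVAR`, while the macro defined two lines above it is `SSL_OPT_COMPATENVVARS`, so any use of `SSL_OPT_ALL` fails to compile (or, if an unrelated name of that spelling exists elsewhere, silently selects the wrong bit). Since this hunk renumbers every option bit anyway, it is the place to correct it: `#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_COMPATENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)`. The typo is inherited from the removed line, which suggests `SSL_OPT_ALL` is currently unreferenced; a grep before anyone starts relying on it would confirm that.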
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 95c6c265f54..0d53222cb8a 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -778,7 +778,9 @@ const char *ssl_cmd_SSLOptions(
 first = FALSE;
 }
- if (strcEQ(w, "CompatEnvVars"))
+ if (strcEQ(w, "StdEnvVars"))
+ opt = SSL_OPT_STDENVVARS;
+ else if (strcEQ(w, "CompatEnvVars"))
 opt = SSL_OPT_COMPATENVVARS;
 else if (strcEQ(w, "ExportCertData"))
 opt = SSL_OPT_EXPORTCERTDATA;
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 16680c607c8..350a6957ce1 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -164,11 +164,17 @@ void ssl_init_Module(server_rec *s, pool *p)
 /*
 * Identification
 */
- if (mc->nInitCount == 1)
+ if (mc->nInitCount == 1) {
 ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s",
 SERVER_BASEVERSION,
 ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"),
 ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
+#ifdef WIN32
+ ssl_log(s, SSL_LOG_WARN, "You are using mod_ssl under Win32. "
+ "This combination is *NOT* officially supported. "
+ "Use it at your own risk!");
+#endif
+ }
 /*
 * Initialization round information
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 8ef93eb3045..2561a43cbd3 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -641,8 +641,8 @@ int ssl_hook_Access(request_rec *r)
 X509_STORE *certstore;
 X509_STORE_CTX certstorectx;
 int depth;
- STACK_OF(SSL_CIPHER) *skCipherOld;
- STACK_OF(SSL_CIPHER) *skCipher;
+ STACK_OF(SSL_CIPHER) *skCipherOld;
+ STACK_OF(SSL_CIPHER) *skCipher;
 SSL_CIPHER *pCipher;
 ap_ctx *apctx;
 int nVerifyOld;
@@ -1169,19 +1169,31 @@ static const char *ssl_hook_Fixup_vars[] = {
 "SSL_CLIENT_V_END",
 "SSL_CLIENT_S_DN",
 "SSL_CLIENT_S_DN_C",
- "SSL_CLIENT_S_DN_SP",
+ "SSL_CLIENT_S_DN_ST",
 "SSL_CLIENT_S_DN_L",
 "SSL_CLIENT_S_DN_O",
 "SSL_CLIENT_S_DN_OU",
 "SSL_CLIENT_S_DN_CN",
+ "SSL_CLIENT_S_DN_T",
+ "SSL_CLIENT_S_DN_I",
+ "SSL_CLIENT_S_DN_G",
+ "SSL_CLIENT_S_DN_S",
+ "SSL_CLIENT_S_DN_D",
+ "SSL_CLIENT_S_DN_UID",
 "SSL_CLIENT_S_DN_Email",
 "SSL_CLIENT_I_DN",
 "SSL_CLIENT_I_DN_C",
- "SSL_CLIENT_I_DN_SP",
+ "SSL_CLIENT_I_DN_ST",
 "SSL_CLIENT_I_DN_L",
 "SSL_CLIENT_I_DN_O",
 "SSL_CLIENT_I_DN_OU",
 "SSL_CLIENT_I_DN_CN",
+ "SSL_CLIENT_I_DN_T",
+ "SSL_CLIENT_I_DN_I",
+ "SSL_CLIENT_I_DN_G",
+ "SSL_CLIENT_I_DN_S",
+ "SSL_CLIENT_I_DN_D",
+ "SSL_CLIENT_I_DN_UID",
 "SSL_CLIENT_I_DN_Email",
 "SSL_CLIENT_A_KEY",
 "SSL_CLIENT_A_SIG",
@@ -1191,19 +1203,31 @@ static const char *ssl_hook_Fixup_vars[] = {
 "SSL_SERVER_V_END",
 "SSL_SERVER_S_DN",
 "SSL_SERVER_S_DN_C",
- "SSL_SERVER_S_DN_SP",
+ "SSL_SERVER_S_DN_ST",
 "SSL_SERVER_S_DN_L",
 "SSL_SERVER_S_DN_O",
 "SSL_SERVER_S_DN_OU",
 "SSL_SERVER_S_DN_CN",
+ "SSL_SERVER_S_DN_T",
+ "SSL_SERVER_S_DN_I",
+ "SSL_SERVER_S_DN_G",
+ "SSL_SERVER_S_DN_S",
+ "SSL_SERVER_S_DN_D",
+ "SSL_SERVER_S_DN_UID",
 "SSL_SERVER_S_DN_Email",
 "SSL_SERVER_I_DN",
 "SSL_SERVER_I_DN_C",
- "SSL_SERVER_I_DN_SP",
+ "SSL_SERVER_I_DN_ST",
 "SSL_SERVER_I_DN_L",
 "SSL_SERVER_I_DN_O",
 "SSL_SERVER_I_DN_OU",
 "SSL_SERVER_I_DN_CN",
+ "SSL_SERVER_I_DN_T",
+ "SSL_SERVER_I_DN_I",
+ "SSL_SERVER_I_DN_G",
+ "SSL_SERVER_I_DN_S",
+ "SSL_SERVER_I_DN_D",
+ "SSL_SERVER_I_DN_UID",
 "SSL_SERVER_I_DN_Email",
 "SSL_SERVER_A_KEY",
 "SSL_SERVER_A_SIG",
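Review bot: Replacing `SSL_CLIENT_S_DN_SP`/`SSL_CLIENT_I_DN_SP` (and the server counterparts in the second hunk) with the `_ST` spelling in `ssl_hook_Fixup_vars` removes the `_SP` variables from the CGI/SSI environment, while the lookup table in ssl_engine_vars.c in this same commit keeps `SP` as a compatibility alias; a script that reads `SSL_CLIENT_S_DN_SP` from its environment gets nothing after the upgrade, and one that treats a missing DN component as a deny signal fails in a way nothing logs. Either keep the `_SP` names in the list next to `_ST` for a release, or state the asymmetry at the table: `/* _SP (SSLeay spelling) is deliberately not exported; SSLRequire still resolves it via the SP alias */`. The array starts and ends outside both hunks.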
@@ -1233,12 +1257,16 @@ int ssl_hook_Fixup(request_rec *r)
 /*
 * Annotate the SSI/CGI environment with standard SSL information
 */
- ap_table_set(e, "HTTPS", "on"); /* the HTTPS (=HTTP over SSL) flag! */
- for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
- var = (char *)ssl_hook_Fixup_vars[i];
- val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
- if (!strIsEmpty(val))
- ap_table_set(e, var, val);
+ /* the always present HTTPS (=HTTP over SSL) flag! */
+ ap_table_set(e, "HTTPS", "on");
+ /* standard SSL environment variables */
+ if (dc->nOptions & SSL_OPT_STDENVVARS) {
+ for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
+ var = (char *)ssl_hook_Fixup_vars[i];
+ val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+ if (!strIsEmpty(val))
+ ap_table_set(e, var, val);
+ }
 }
 /*
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 7b18e8b4347..31ac31cef83 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
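Review bot: With the export loop now behind `dc->nOptions & SSL_OPT_STDENVVARS`, a CGI/SSI script that gated on `SSL_CLIENT_VERIFY` being `SUCCESS` sees an unset variable after this upgrade, which is only safe if every such script treats absence as failure; the code cannot guarantee that, so the trade-off deserves a comment where the decision is made: `/* only HTTPS is exported unconditionally; SSL_* (including SSL_CLIENT_VERIFY) exist only with "SSLOptions +StdEnvVars", so scripts must not read a missing variable as verified */`. `dc` is resolved outside the hunk; I am assuming it is the per-directory config the rest of `ssl_hook_Fixup` already uses. The function starts and ends outside the hunk.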
@@ -139,10 +139,13 @@ static struct {
 { "*envelope*bad*decrypt*", "wrong pass phrase!?" },
 { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
 { "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" },
- { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name!?" },
+ { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" },
 { "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" },
 { "*peer did not return a certificate*", "No CAs known to server for verification?" },
 { "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" },
+ { "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" },
+ { "*bad password read*", "You entered an incorrect pass phrase!?" },
+ { "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" },
 { NULL, NULL }
 };
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index 8bcd2058cd2..570cabe3fa9 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
@@ -72,7 +72,7 @@
 ** _________________________________________________________________
 */
-#define STDERR_FILENO_STORE 10
+#define STDERR_FILENO_STORE 50
 #define BUILTIN_DIALOG_BACKOFF 2
 #define BUILTIN_DIALOG_RETRIES 5
@@ -400,6 +400,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 int *pnPassPhraseDialog;
 int *pnPassPhraseDialogCur;
 BOOL *pbPassPhraseDialogOnce;
+ int stderr_store;
 char **cpp;
 int len = -1;
@@ -448,7 +449,13 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 * at our init stage Apache already connected STDERR
 * to the general error logfile.
 */
- dup2(STDERR_FILENO, STDERR_FILENO_STORE);
+#ifdef WIN32
+ stderr_store = STDERR_FILENO_STORE;
+#else
+ if ((stderr_store = open("/dev/null", O_WRONLY)) == -1)
+ stderr_store = STDERR_FILENO_STORE;
+#endif
+ dup2(STDERR_FILENO, stderr_store);
 #ifdef WIN32
 if ((con = fopen("con", "w")) != NULL)
 dup2(fileno(con), STDERR_FILENO);
@@ -497,9 +504,11 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
 /*
 * Restore STDERR to Apache error logfile
 */
- dup2(STDERR_FILENO_STORE, STDERR_FILENO);
+ dup2(stderr_store, STDERR_FILENO);
+ close(stderr_store);
 #ifdef WIN32
- fclose(con);
+ if (con != NULL)
+ fclose(con);
 #endif
 }
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
index 3a98909cb64..593245d3e21 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c
@@ -404,7 +404,15 @@ BOOL ssl_scache_dbm_store(server_rec *s, ssl_scinfo_t *SCI)
 free(dbmval.dptr);
 return FALSE;
 }
- ssl_dbm_store(dbm, dbmkey, dbmval, DBM_INSERT);
+ if (ssl_dbm_store(dbm, dbmkey, dbmval, DBM_INSERT) < 0) {
+ ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
+ "Cannot store SSL session to DBM file `%s'",
+ mc->szSessionCacheDataFile);
+ ssl_dbm_close(dbm);
+ ssl_mutex_off(s);
+ free(dbmval.dptr);
+ return FALSE;
+ }
 ssl_dbm_close(dbm);
 ssl_mutex_off(s);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
index 207084f8770..84fa17c39e7 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
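Review bot: The non-Win32 branch obtains a spare descriptor by opening `/dev/null` and then overwrites it with `dup2(STDERR_FILENO, stderr_store)`, which works, but the fallback `STDERR_FILENO_STORE` is still a fixed number that `dup2` silently clobbers if Apache already holds that descriptor (a log file, say), and the new `close(stderr_store)` in the second hunk then closes that file for good. `dup(STDERR_FILENO)` yields a descriptor that is guaranteed unused without the `/dev/null` detour: `if ((stderr_store = dup(STDERR_FILENO)) == -1) stderr_store = STDERR_FILENO_STORE;`, after which the existing `dup2(STDERR_FILENO, stderr_store)` is harmless when `dup` succeeded. Both `dup2` calls remain unchecked, so on failure the pass phrase prompt would land in the error log rather than on the console. `ssl_pphrase_Handle_CB` starts and ends outside the hunks.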
@@ -189,6 +189,12 @@ char *ssl_var_lookup(pool *p, server_rec *s, conn_rec *c, request_rec *r, char *
 result = c->ap_auth_type;
 else if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
 result = ssl_var_lookup_ssl(p, c, var+4);
+ else if (strcEQ(var, "HTTPS")) {
+ if (ap_ctx_get(c->client->ctx, "ssl") != NULL)
+ result = "on";
+ else
+ result = "off";
+ }
 }
 /*
@@ -390,11 +396,18 @@ static const struct {
 int nid;
 } ssl_var_lookup_ssl_cert_dn_rec[] = {
 { "C", NID_countryName },
- { "SP", NID_stateOrProvinceName },
+ { "ST", NID_stateOrProvinceName }, /* officially (RFC2156) */
+ { "SP", NID_stateOrProvinceName }, /* compatibility (SSLeay) */
 { "L", NID_localityName },
 { "O", NID_organizationName },
 { "OU", NID_organizationalUnitName },
 { "CN", NID_commonName },
+ { "T", NID_title },
+ { "I", NID_initials },
+ { "G", NID_givenName },
+ { "S", NID_surname },
+ { "D", NID_description },
+ { "UID", NID_uniqueIdentifier },
 { "Email", NID_pkcs9_emailAddress },
 { NULL, 0 }
 };
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
index 8fd58a59768..6e1fc60384b 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
@@ -70,9 +70,10 @@
 ** _________________________________________________________________
 */
-static BOOL ssl_expr_eval_comp(request_rec *r, ssl_expr *node);
-static char *ssl_expr_eval_word(request_rec *r, ssl_expr *node);
-static char *ssl_expr_eval_func_file(request_rec *r, char *filename);
+static BOOL ssl_expr_eval_comp(request_rec *, ssl_expr *);
+static char *ssl_expr_eval_word(request_rec *, ssl_expr *);
+static char *ssl_expr_eval_func_file(request_rec *, char *);
+static int ssl_expr_eval_strcmplex(char *, char *);
 BOOL ssl_expr_eval(request_rec *r, ssl_expr *node)
 {
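Review bot: The new `HTTPS` branch dereferences `c->client->ctx`, yet ssl_engine_init.c in this same commit calls `ssl_var_lookup` with `c == NULL`; the preceding `c->ap_auth_type` suggests the block already sits inside a `c != NULL` guard that lies outside the hunk, but that should be confirmed rather than assumed. In the second hunk the table now holds `S` next to `ST`/`SP` and `I` next to the longer keys, which is only unambiguous if the lookup compares the whole component name (as `strcEQ` would) and not a prefix; the matching code is outside the hunk, so a comment on the table would pin the invariant: `/* keys must be matched on the full name (strcEQ): S/ST/SP and I/... overlap as prefixes */`.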
@@ -124,22 +125,22 @@ static BOOL ssl_expr_eval_comp(request_rec *r, ssl_expr *node)
 case op_LT: {
 ssl_expr *e1 = (ssl_expr *)node->node_arg1;
 ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) < 0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) < 0);
 }
 case op_LE: {
 ssl_expr *e1 = (ssl_expr *)node->node_arg1;
 ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) <= 0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) <= 0);
 }
 case op_GT: {
 ssl_expr *e1 = (ssl_expr *)node->node_arg1;
 ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) > 0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) > 0);
 }
 case op_GE: {
 ssl_expr *e1 = (ssl_expr *)node->node_arg1;
 ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) >= 0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) >= 0);
 }
 case op_IN: {
 ssl_expr *e1 = (ssl_expr *)node->node_arg1;
@@ -255,3 +256,27 @@ static char *ssl_expr_eval_func_file(request_rec *r, char *filename)
 return buf;
 }
+/* a variant of strcmp(3) which works correctly also for number strings */
+static int ssl_expr_eval_strcmplex(char *cpNum1, char *cpNum2)
+{
+ int i, n1, n2;
+
+ if (cpNum1 == NULL)
+ return -1;
+ if (cpNum2 == NULL)
+ return +1;
+ n1 = strlen(cpNum1);
+ n2 = strlen(cpNum2);
+ if (n1 > n2)
+ return 1;
+ if (n1 < n2)
+ return -1;
+ for (i = 0; i < n1; i++) {
+ if (cpNum1[i] > cpNum2[i])
+ return 1;
+ if (cpNum1[i] < cpNum2[i])
+ return -1;
+ }
+ return 0;
+}
+
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
index 18a83ac8d5f..a357be08c7f 100644
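Review bot: `ssl_expr_eval_strcmplex` orders by length first for every operand, so it changes the meaning of all `<`/`<=`/`>`/`>=` comparisons in `SSLRequire`, not only numeric ones: `"b" < "aa"` is now true, `"040" > "40"`, and `"-5" > "3"`; because `SSLRequire` is an access-control expression, an existing rule that orders strings (DN components, for example) can silently flip. The per-character loop also compares plain `char`, which is signed on common platforms, so bytes at or above 0x80 sort before ASCII, unlike `strcmp(3)`, which compares as `unsigned char`. Applying the length rule only when both operands are unsigned decimal strings (`isdigit` from `<ctype.h>`) and falling back to `strcmp(3)` otherwise keeps the old ordering for strings; signs and leading zeros remain unhandled and the header comment should say so.
```c
/* a variant of strcmp(3) which works correctly also for number strings */
static int ssl_expr_eval_strcmplex(char *cpNum1, char *cpNum2)
{
    int i, n1, n2;

    if (cpNum1 == NULL)
        return -1;
    if (cpNum2 == NULL)
        return +1;
    /* length-first ordering is a numeric order only for unsigned decimal
       strings (no sign, no leading zeros); keep strcmp(3) semantics for
       anything else so existing string-ordering SSLRequire rules do not
       change meaning */
    for (i = 0; cpNum1[i] != NUL; i++)
        if (!isdigit((unsigned char)cpNum1[i]))
            return strcmp(cpNum1, cpNum2);
    for (i = 0; cpNum2[i] != NUL; i++)
        if (!isdigit((unsigned char)cpNum2[i]))
            return strcmp(cpNum1, cpNum2);
    n1 = strlen(cpNum1);
    n2 = strlen(cpNum2);
    /* … unchanged: n1/n2 length comparison … */
    for (i = 0; i < n1; i++) {
        /* compare as unsigned char, the way strcmp(3) does */
        if ((unsigned char)cpNum1[i] > (unsigned char)cpNum2[i])
            return 1;
        if ((unsigned char)cpNum1[i] < (unsigned char)cpNum2[i])
            return -1;
    }
    return 0;
}
```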
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
@@ -279,14 +279,15 @@ char *SSL_make_ciphersuite(pool *p, SSL *ssl)
 if (ssl == NULL)
 return "";
- sk = SSL_get_ciphers(ssl);
- if (sk == NULL)
+ if ((sk = SSL_get_ciphers(ssl)) == NULL)
 return "";
 l = 0;
 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
 c = sk_SSL_CIPHER_value(sk, i);
- l += strlen(c->name+2+1);
+ l += strlen(c->name)+2+1;
 }
+ if (l == 0)
+ return "";
 cpCipherSuite = (char *)ap_palloc(p, l+1);
 cp = cpCipherSuite;
 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
@@ -298,7 +299,7 @@ char *SSL_make_ciphersuite(pool *p, SSL *ssl)
 *cp++ = (c->valid == 1 ? '1' : '0');
 *cp++ = ':';
 }
- *cp = NUL;
+ *(cp-1) = NUL;
 return cpCipherSuite;
 } |
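Review bot: The new `if (l == 0) return "";` is what makes the `*(cp-1) = NUL` in the second hunk safe (with no ciphers `cp` would still equal `cpCipherSuite` and the write would land one byte before the pool block), so the two hunks depend on each other and a comment on the guard should say so: `/* no ciphers: the *(cp-1) write below needs at least one entry */`. The function also reads `c->name` and `c->valid` directly from `SSL_CIPHER`, tying it to the library's private struct layout; `SSL_CIPHER_get_name(c)` is the stable accessor for the name and would survive the struct becoming opaque. Per the changelog this helper is currently unused, so the exposure is confined to debugging builds.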
