Author: rjung Date: Fri May 22 17:42:09 2015 New Revision: 1681167 URL: http://svn.apache.org/r1681167 Log: Port mod_ssl improvements to tcnative/ssl:
Partial backport of r1527294 from httpd/mod_ssl: - remove obsolete #defines / macros - in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not - for ECC support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly For the discussion prior to taking this step, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E In addition: - set and use HAVE_TLSV1_1 and HAVE_TLSV1_2 instead of SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 - set and use HAVE_OCSP_STAPLING based on OCSP availability - drop configure option to enable OCSP in favor of auto-detection
Modified:
tomcat/native/trunk/native/configure.in
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslnetwork.c
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/configure.in?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/configure.in (original)
+++ tomcat/native/trunk/native/configure.in Fri May 22 17:42:09 2015
@@ -149,17 +149,6 @@ AC_ARG_ENABLE(openssl,
 esac
 ])
-AC_ARG_ENABLE(ocsp,
-[AS_HELP_STRING([--enable-ocsp],[Turn on OpenSSL OCSP verification support])],
-[
- case "${enableval}" in
- yes )
- APR_ADDTO(CFLAGS, [-DHAVE_OPENSSL_OCSP])
- AC_MSG_RESULT([Enabling OCSP verification support...])
- ;;
- esac
-])
-
 if $use_openssl ; then
 TCN_CHECK_SSL_TOOLKIT
 fi
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri May 22 17:42:09 2015
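Review bot: Dropping the `--enable-ocsp` block flips OCSP verification from opt-in to on-by-default for every build whose OpenSSL headers satisfy the new preprocessor test in ssl_private.h, and nothing left in this hunk reports that outcome to whoever runs configure, because the decision has moved from configure into the compiler. Build scripts that still pass `--enable-ocsp` keep working only because current autoconf merely warns about unrecognised `--enable-*` options, so the old flag silently becomes a no-op rather than an error. Consider echoing the new policy right after the toolkit check, e.g. `AC_MSG_NOTICE([OCSP verification support is auto-detected from the OpenSSL headers])`, and calling out the removed option in the release notes; whether `TCN_CHECK_SSL_TOOLKIT` itself prints anything is outside the hunk.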
@@ -201,17 +201,39 @@ "In order to read them you have to provide the pass phrases.\n" \ "Enter password :" -#define OCSP_STATUS_OK 0 -#define OCSP_STATUS_REVOKED 1 -#define OCSP_STATUS_UNKNOWN 2 - #define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:") -/* ECC: make sure we have at least 1.0.0 */ +#if defined(SSL_OP_NO_TLSv1_1) +#define HAVE_TLSV1_1 +#endif + +#if defined(SSL_OP_NO_TLSv1_2) +#define HAVE_TLSV1_2 +#endif + +/** + * The following features all depend on TLS extension support. + * Within this block, check again for features (not version numbers). + */ +#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) + +#define HAVE_TLSEXT + +/* ECC */ #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) -#define HAVE_ECC 1 +#define HAVE_ECC +#endif + +/* OCSP stapling */ +#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) +#define HAVE_OCSP_STAPLING +#define OCSP_STATUS_OK 0 +#define OCSP_STATUS_REVOKED 1 +#define OCSP_STATUS_UNKNOWN 2 #endif +#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ + typedef struct { /* client can have any number of cert/key pairs */ const char *cert_file; Modified: tomcat/native/trunk/native/src/sslcontext.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681167&r1=1681166&r2=1681167&view=diff ============================================================================== --- tomcat/native/trunk/native/src/sslcontext.c (original) +++ tomcat/native/trunk/native/src/sslcontext.c Fri May 22 17:42:09 2015 @@ -110,7 +110,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma SSL_CTX *ctx = NULL; if (protocol == SSL_PROTOCOL_TLSV1_2) { -#ifdef SSL_OP_NO_TLSv1_2 +#ifdef HAVE_TLSV1_2 if (mode == SSL_MODE_CLIENT) ctx = SSL_CTX_new(TLSv1_2_client_method()); else if (mode == SSL_MODE_SERVER) 
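Review bot: `HAVE_OCSP_STAPLING` is derived from the stapling callback `SSL_CTX_set_tlsext_status_cb`, but the only code this commit gates with it is the verify-callback OCSP lookup in sslutils.c (`ssl_verify_OCSP`/`ssl_ocsp_request`), which is peer-certificate status checking rather than stapling; the name will mislead anyone auditing what a build does or later adding real stapling under the same guard. Consider a macro named for the capability actually used, e.g. `#if !defined(OPENSSL_NO_OCSP)` / `#define HAVE_OCSP`, and reserve `HAVE_OCSP_STAPLING` for code that registers the status callback. Also, `#define HAVE_ECC 1` becoming an empty definition is fine for `#ifdef`/`#if defined(...)` tests but turns any `#if HAVE_ECC` elsewhere into a preprocessor error — no ECC call site is touched in this commit, so that is worth a grep. `HAVE_TLSEXT` is introduced without a user in any hunk here; a short comment naming what it is meant to gate would keep the new block self-explanatory.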
@@ -119,7 +119,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 ctx = SSL_CTX_new(TLSv1_2_method());
 #endif
 } else if (protocol == SSL_PROTOCOL_TLSV1_1) {
-#ifdef SSL_OP_NO_TLSv1_1
+#ifdef HAVE_TLSV1_1
 if (mode == SSL_MODE_CLIENT)
 ctx = SSL_CTX_new(TLSv1_1_client_method());
 else if (mode == SSL_MODE_SERVER)
@@ -159,11 +159,11 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 else
 ctx = SSL_CTX_new(SSLv2_method());
 #endif
-#ifndef SSL_OP_NO_TLSv1_2
+#ifndef HAVE_TLSV1_2
 } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
 /* requested but not supported */
 #endif
-#ifndef SSL_OP_NO_TLSv1_1
+#ifndef HAVE_TLSV1_1
 } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
 /* requested but not supported */
 #endif
@@ -210,11 +210,11 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
 if (!(protocol & SSL_PROTOCOL_TLSV1))
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
-#ifdef SSL_OP_NO_TLSv1_1
+#ifdef HAVE_TLSV1_1
 if (!(protocol & SSL_PROTOCOL_TLSV1_1))
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_1);
 #endif
-#ifdef SSL_OP_NO_TLSv1_2
+#ifdef HAVE_TLSV1_2
 if (!(protocol & SSL_PROTOCOL_TLSV1_2))
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
 #endif
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Fri May 22 17:42:09 2015
@@ -704,7 +704,6 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, getA return len; } - #else /* OpenSSL is not supported. * Create empty stubs. Modified: tomcat/native/trunk/native/src/sslutils.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1681167&r1=1681166&r2=1681167&view=diff ============================================================================== --- tomcat/native/trunk/native/src/sslutils.c (original) +++ tomcat/native/trunk/native/src/sslutils.c Fri May 22 17:42:09 2015 @@ -30,14 +30,13 @@ extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data); #endif -#ifdef HAVE_OPENSSL_OCSP +#ifdef HAVE_OCSP_STAPLING #include <openssl/bio.h> #include <openssl/ocsp.h> /* defines with the values as seen by the asn1parse -dump openssl command */ #define ASN1_SEQUENCE 0x30 #define ASN1_OID 0x06 #define ASN1_STRING 0x86 -#pragma message("Using OCSP") static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx); static int ssl_ocsp_request(X509 *cert, X509 *issuer); #endif @@ -553,7 +552,7 @@ int SSL_callback_SSL_verify(int ok, X509 SSL_set_verify_result(ssl, X509_V_OK); } -#ifdef HAVE_OPENSSL_OCSP +#ifdef HAVE_OCSP_STAPLING /* First perform OCSP validation if possible */ if (ok) { /* If there was an optional verification error, it's not @@ -651,7 +650,7 @@ void SSL_callback_handshake(const SSL *s } -#ifdef HAVE_OPENSSL_OCSP +#ifdef HAVE_OCSP_STAPLING /* Function that is used to do the OCSP verification */ static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx) @@ -1158,5 +1157,5 @@ static int ssl_ocsp_request(X509 *cert, return OCSP_STATUS_UNKNOWN; } -#endif /* HAS_OCSP_ENABLED */ +#endif /* HAVE_OCSP_STAPLING */ #endif /* HAVE_OPENSSL */ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
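Review bot: Renaming the guard at the top of sslutils.c to the auto-detected `HAVE_OCSP_STAPLING` means the OCSP verifier — including the DER tag walking implied by the local `ASN1_SEQUENCE`/`ASN1_OID`/`ASN1_STRING` defines — is now compiled into every build against an OCSP-capable OpenSSL instead of only when `--enable-ocsp` was passed, so previously opt-in certificate-parsing code becomes default attack surface for any peer certificate that reaches `SSL_callback_SSL_verify`. Unless the handshake-time lookup is also gated by a runtime setting (not visible in these hunks), deployments that never asked for OCSP will also start issuing outbound responder requests with the attendant latency and failure modes. Before making it default-on, confirm that the extension parsing in `ssl_ocsp_request` is bounds-checked against the extension length, or replace the manual walk with OpenSSL's `X509_get1_ocsp()`, which returns the AIA OCSP responder URIs directly; that function body lies outside these hunks. The same guard rename applies to the @@ -553, @@ -651 and @@ -1158 hunks of this file.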