From jor...@apache.org
Subject svn commit: r757380 - in /httpd/httpd/trunk: acinclude.m4 modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_kernel.c
Date Mon, 23 Mar 2009 11:45:05 GMT
Author: jorton
Date: Mon Mar 23 11:45:00 2009
New Revision: 757380

URL: http://svn.apache.org/viewvc?rev=757380&view=rev
Log:
Remove code to support per-dir-CA configuration which relies on a
function which was never included in OpenSSL:

* acinclude.m4: Remove test for fictional function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Remove code.

* modules/ssl/ssl_engine_config.c (MODSSL_SET_CA): Remove unused
  macro.  (ssl_cmd_SSLCACertificatePath,
  ssl_cmd_SSLCACertificateFile): Fail if per-dir-CA is configured.

Modified:
    httpd/httpd/trunk/acinclude.m4
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/acinclude.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/acinclude.m4?rev=757380&r1=757379&r2=757380&view=diff
==============================================================================
--- httpd/httpd/trunk/acinclude.m4 (original)
+++ httpd/httpd/trunk/acinclude.m4 Mon Mar 23 11:45:00 2009
@@ -475,7 +475,6 @@
     AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
     AC_CHECK_FUNCS(SSL_set_state)
   fi
-  AC_CHECK_FUNCS(SSL_set_cert_store)
   dnl restore
   CPPFLAGS="$saved_CPPFLAGS"
   LIBS="$saved_LIBS"

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=757380&r1=757379&r2=757380&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Mon Mar 23 11:45:00 2009
@@ -749,22 +749,7 @@
 }
 
 #define NO_PER_DIR_SSL_CA \
-    "Your ssl library does not have support for per-directory CA"
-
-#ifdef HAVE_SSL_SET_CERT_STORE
-#   define MODSSL_HAVE_SSL_SET_CERT_STORE 1
-#else
-#   define MODSSL_HAVE_SSL_SET_CERT_STORE 0
-#endif
-
-#define MODSSL_SET_CA(f) \
-    if (cmd->path) \
-        if (MODSSL_HAVE_SSL_SET_CERT_STORE) \
-            dc->f = arg; \
-        else \
-            return NO_PER_DIR_SSL_CA; \
-    else \
-        sc->f = arg \
+    "Your SSL library does not have support for per-directory CA"
 
 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd,
                                          void *dcfg,
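Review bot: The reworded NO_PER_DIR_SSL_CA message still blames the SSL library, yet after this commit the per-directory case is rejected unconditionally because no library ever provided SSL_set_cert_store (per the log). An administrator reading "Your SSL library does not have support for per-directory CA" will go looking for a library upgrade that cannot help; the message should state the real constraint, e.g. `"Per-directory (Directory/Location/.htaccess) CA configuration is not supported by mod_ssl"`. The directive handlers that return this macro continue outside the hunk.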
@@ -777,6 +762,10 @@
     if ((err = ssl_cmd_check_dir(cmd, &arg))) {
         return err;
     }
+    
+    if (cmd->path) {
+        return NO_PER_DIR_SSL_CA;
+    }
 
     /* XXX: bring back per-dir */
     sc->server->auth.ca_cert_path = arg;
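Review bot: The new `if (cmd->path)` guard is followed by the pre-existing `/* XXX: bring back per-dir */` comment, which now describes a feature this commit deliberately removes and gives no hint why the directive is rejected in per-directory context; the same applies to the guard added in the next hunk for ssl_cmd_SSLCACertificateFile. Replace it with a comment that records the actual reason, e.g. `/* Per-dir CA override needs a per-connection cert store; OpenSSL has no SSL_set_cert_store(), so only the per-server config is honoured. */`. The added blank line in this hunk also carries trailing whitespace (`+    `), which the next hunk avoids. Checking `cmd->path` before `ssl_cmd_check_dir()` would report the configuration error ahead of a possibly misleading directory-validation error, though the order as written is functionally fine. ssl_cmd_SSLCACertificatePath starts before the hunk and its body continues past it.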
@@ -796,6 +785,10 @@
         return err;
     }
 
+    if (cmd->path) {
+        return NO_PER_DIR_SSL_CA;
+    }
+
     /* XXX: bring back per-dir */
     sc->server->auth.ca_cert_file = arg;
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757380&r1=757379&r2=757380&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 11:45:00 2009
@@ -540,67 +540,6 @@
         }
     }
 
-    /*
-     * override SSLCACertificateFile & SSLCACertificatePath
-     * This is only enabled if the SSL_set_cert_store() function
-     * is available in the ssl library.  the 1.x based mod_ssl
-     * used SSL_CTX_set_cert_store which is not thread safe.
-     */
-
-#ifdef HAVE_SSL_SET_CERT_STORE
-    /*
-     * check if per-dir and per-server config field are not the same.
-     * if f is defined in per-dir and not defined in per-server
-     * or f is defined in both but not the equal ...
-     */
-#define MODSSL_CFG_NE(f) \
-     (dc->f && (!sc->f || (sc->f && strNE(dc->f, sc->f))))
-
-#define MODSSL_CFG_CA(f) \
-     (dc->f ? dc->f : sc->f)
-
-    if (MODSSL_CFG_NE(szCACertificateFile) ||
-        MODSSL_CFG_NE(szCACertificatePath))
-    {
-        STACK_OF(X509_NAME) *ca_list;
-        const char *ca_file = MODSSL_CFG_CA(szCACertificateFile);
-        const char *ca_path = MODSSL_CFG_CA(szCACertificatePath);
-
-        cert_store = X509_STORE_new();
-
-        if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                          "Unable to reconfigure verify locations "
-                          "for client authentication");
-            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
-
-            X509_STORE_free(cert_store);
-
-            return HTTP_FORBIDDEN;
-        }
-
-        /* SSL_free will free cert_store */
-        SSL_set_cert_store(ssl, cert_store);
-
-        if (!(ca_list = ssl_init_FindCAList(r->server, r->pool,
-                                            ca_file, ca_path)))
-        {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                         "Unable to determine list of available "
-                         "CA certificates for client authentication");
-
-            return HTTP_FORBIDDEN;
-        }
-
-        SSL_set_client_CA_list(ssl, ca_list);
-        renegotiate = TRUE;
-
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "Changed client verification locations will force "
-                      "renegotiation");
-    }
-#endif /* HAVE_SSL_SET_CERT_STORE */
-
     /* If a renegotiation is now required for this location, and the
      * request includes a message body (and the client has not
      * requested a "100 Continue" response), then the client will be


