httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kbr...@apache.org
Subject svn commit: r1555463 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Date Sun, 05 Jan 2014 07:16:00 GMT
Author: kbrand
Date: Sun Jan  5 07:15:59 2014
New Revision: 1555463

URL: http://svn.apache.org/r1555463
Log:
Remove per-certificate chain handling code (obsoleted by
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1555463&r1=1555462&r2=1555463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Jan  5 07:15:59 2014
@@ -911,34 +911,6 @@ static apr_status_t ssl_init_server_cert
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
                 return APR_EGENERAL;
             }
-
-#if defined(SSL_CTX_set1_chain)
-            /*
-             * OpenSSL 1.0.2 and later supports certificate-specific
-             * chains with intermediate CA certificates.
-             * SSL_CTX_use_certificate_chain_file currently (Dec 2013)
-             * loads them to ctx->extra_certs, however, which possibly
-             * overwrites a previously configured chain.
-             * If more than one SSLCertificateFile is configured for
-             * this server_rec, we manually "convert" the chain
-             * to a per-certificate setting.
-             */
-            if (mctx->pks->cert_files->nelts > 1) {
-                STACK_OF(X509) *extra_certs;
-                if ((SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx,
-                                                   &extra_certs) > 0) &&
-                    (sk_X509_num(extra_certs) > 0) &&
-                    (SSL_CTX_set1_chain(mctx->ssl_ctx, extra_certs) > 0)) {
-                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                                     APLOGNO(02563)
-                                     "Per-certificate chain for %s configured "
-                                     "(%d certificate[s])",
-                                     key_id, sk_X509_num(extra_certs));
-                        /* clear the "global" chain for this SSL_CTX */
-                        SSL_CTX_clear_extra_chain_certs(mctx->ssl_ctx);
-                }
-            }
-#endif
         }
 
         /* and second, the private key */
@@ -1325,54 +1297,6 @@ static apr_status_t ssl_init_server_ctx(
                          "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
                          param->name, param->value, sc->vhost_id);
         }
-        if (!strcasecmp(param->name, "Certificate")) {
-            /*
-             * Special case: a certificate has been loaded via
-             * SSLOpenSSLConfCmd. Two potential tweaks are needed
-             * (similar to what is done in ssl_init_server_certs,
-             * see the comments there for the rationale):
-             * a) "fixing up" the per-certificate chain
-             * b) configure OCSP stapling for the cert
-             */
-#if defined(SSL_CTX_set1_chain)
-            STACK_OF(X509) *extra_certs;
-            if ((SSL_CTX_get_extra_chain_certs(sc->server->ssl_ctx,
-                                               &extra_certs) > 0) &&
-                (sk_X509_num(extra_certs) > 0) &&
-                (SSL_CTX_set1_chain(sc->server->ssl_ctx, extra_certs) > 0)) {
-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02570)
-                                 "Per-certificate chain for certificate "
-                                 "loaded from %s for %s configured "
-                                 "(%d certificate[s])",
-                                 param->value, sc->vhost_id,
-                                 sk_X509_num(extra_certs));
-                    /* clear the "global" chain for this SSL_CTX */
-                    SSL_CTX_clear_extra_chain_certs(sc->server->ssl_ctx);
-            }
-#endif
-#ifdef HAVE_OCSP_STAPLING
-            if (sc->server->stapling_enabled == TRUE) {
-                X509 *cert;
-#ifndef HAVE_SSL_CONF_CMD
-                SSL *ssl;
-                if (!(ssl = SSL_new(sc->server->ssl_ctx)) ||
-                    !(cert = SSL_get_certificate(ssl)) ||
-#else
-                if (!(cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx)) ||
-#endif
-                    !ssl_stapling_init_cert(s, sc->server, cert)) {
-                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
-                                 "Unable to configure certificate loaded "
-                                 "from %s for %s for stapling",
-                                 param->value, sc->vhost_id);
-                }
-#ifndef HAVE_SSL_CONF_CMD
-                if (ssl)
-                    SSL_free(ssl);
-#endif
-            }
-#endif
-        }
     }
     if (SSL_CONF_CTX_finish(cctx) == 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)



Mime
View raw message