www-apache-bugdb mailing list archives

From Philip Wood <...@lanl.gov>
Subject general/2269: Some modifications to 1.3b6 and the Apache-SSL patch from Ben Laurie <ben@algroup.co.uk>
Date Fri, 22 May 1998 23:34:43 GMT

>Number:         2269
>Category:       general
>Synopsis:       Some modifications to 1.3b6 and the Apache-SSL patch from Ben Laurie <ben@algroup.co.uk>
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri May 22 16:40:00 PDT 1998
>Last-Modified:
>Originator:     cpw@lanl.gov
>Organization:
apache
>Release:        1.3b6
>Environment:
Linux cynosure.lanl.gov 2.0.27 #1 Fri Dec 12 09:15:43 MST 1997 i686 unknown
>Description:
diff -u -r apache_1.3b6/Makefile.tmpl apache_1.3b6+SSL/Makefile.tmpl
--- apache_1.3b6/Makefile.tmpl  Tue Apr 14 13:17:36 1998
+++ apache_1.3b6+SSL/Makefile.tmpl      Thu May 14 09:46:40 1998
@@ -194,6 +194,10 @@
            echo "+--------------------------------------------------------+"; \
        fi
 
+CERTCONF=../conf
+certificate:
+       (cd src;make CERTCONF=$(CERTCONF) certificate)
+
 #   the non-verbose variant for package maintainers
 install-quiet:
        @$(MAKE) -f $(MKF) QUIET=1 install
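Review bot: the new `certificate` target invokes `make` directly in `(cd src;make CERTCONF=$(CERTCONF) certificate)` while the rest of this file recurses via `$(MAKE)` (see `install-quiet` just below); use `$(MAKE)` so the user's make program and flags propagate. Note also that `CERTCONF=../conf` is relative to src/ and is only correct because of the `cd`.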
diff -u -r apache_1.3b6/conf/httpd.conf-dist apache_1.3b6+SSL/conf/httpd.conf-dist
--- apache_1.3b6/conf/httpd.conf-dist   Wed Apr  1 06:16:39 1998
+++ apache_1.3b6+SSL/conf/httpd.conf-dist       Fri May 22 16:56:22 1998
@@ -1,3 +1,7 @@
+##
+## httpd.conf -- Apache HTTP server configuration file
+##
+
 # This is the main server configuration file. See URL http://www.apache.org/
 # for instructions.
 
@@ -25,6 +29,7 @@
 # need httpd to be run as root initially.
 
 Port 80
+Listen 80
 
 # HostnameLookups: Log the names of clients or just their IP numbers
 #   e.g.   www.apache.org (on) or 204.62.129.132 (off)
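Review bot: adding `Listen 80` next to `Port 80` changes the bind semantics: in Apache 1.3, once any Listen directive is present the server binds only the addresses named by Listen, and Port only sets the port used in self-referential URLs. That is what makes the `Listen 443` added later in this file work, but the comment block above still describes Port alone; a one-line comment here would save the next reader a surprise.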
@@ -41,8 +46,8 @@
 #  On HPUX you may not be able to use shared memory as nobody, and the
 #  suggested workaround is to create a user www and use that user.
 
-User nobody
-Group #-1
+User www-data
+Group www-data
 
 # ServerAdmin: Your address, where problems with the server should be
 # e-mailed.
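Review bot: `User www-data` / `Group www-data` writes a site-local choice into the `-dist` defaults; the comment above still talks about `nobody` and the HPUX workaround, and an account named www-data will not exist on most systems, so httpd will refuse to start out of the box. Keep the distributed default and set the site user in the local copy, or update the comment to match.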
@@ -67,7 +72,7 @@
 # ErrorLog: The location of the error log file. If this does not start
 # with /, ServerRoot is prepended to it.
 
-ErrorLog logs/error_log
+ErrorLog var/logs/error_log
 
 # LogLevel: Control the number of messages logged to the error_log.
 # Possible values include: debug, info, notice, warn, error, crit,
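Review bot: `ErrorLog var/logs/error_log` is a ServerRoot layout change (logs/ to var/logs/) that has nothing to do with SSL, and the rest of this file does the same for CustomLog, PidFile, ScoreBoardFile and LockFile. Splitting the relayout into its own patch would make the SSL changes reviewable on their own.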
@@ -86,27 +91,27 @@
 # The location of the access logfile (Common Logfile Format).
 # If this does not start with /, ServerRoot is prepended to it.
 
-CustomLog logs/access_log common
+CustomLog var/logs/access_log common
 
 # If you would like to have an agent and referer logfile uncomment the
 # following directives.
 
-#CustomLog logs/referer_log referer
-#CustomLog logs/agent_log agent
+#CustomLog var/logs/referer_log referer
+#CustomLog var/logs/agent_log agent
 
 # If you prefer a single logfile with access, agent and referer information
 # (Combined Logfile Format) you can use the following directive.
 
-#CustomLog logs/access_log combined
+#CustomLog var/logs/access_log combined
 
 # PidFile: The file the server should log its pid to
-PidFile logs/httpd.pid
+PidFile var/run/httpd.pid
 
 # ScoreBoardFile: File used to store internal server process information.
 # Not all architectures require this.  But if yours does (you'll know because
 # this file is created when you run Apache) then you *must* ensure that
 # no two invocations of Apache share the same scoreboard file.
-ScoreBoardFile logs/apache_runtime_status
+ScoreBoardFile var/logs/apache_runtime_status
 
 # The LockFile directive sets the path to the lockfile used when Apache
 # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
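Review bot: the moves to `var/logs/...` and `PidFile var/run/httpd.pid` assume `var/logs` and `var/run` exist under ServerRoot, but nothing in this patch creates them (the Makefile.tmpl hunks only add the `certificate` target), so a fresh install fails at startup when the error log cannot be opened. Either add the directories to the install rule or document that they must exist.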
@@ -116,7 +121,7 @@
 # DISK. The PID of the main server process is automatically appended to
 # the filename. 
 #
-#LockFile logs/accept.lock
+#LockFile var/run/httpd.lock
 
 # ServerName allows you to set a host name which is sent back to clients for
 # your server if it's different than the one the program would get (i.e. use
@@ -205,7 +210,7 @@
 
 # To enable the cache as well, edit and uncomment the following lines:
 
-#CacheRoot @@ServerRoot@@/proxy
+#CacheRoot var/proxy
 #CacheSize 5
 #CacheGcInterval 4
 #CacheMaxExpire 24
@@ -235,4 +240,121 @@
 #TransferLog logs/host.some_domain.com-access_log
 #</VirtualHost>
 
+# Note that all SSL options can apply to virtual hosts.
+# which is where I'm going to put them (cpw)
+
+# Disable SSL globally. Useful in combination with virtual hosts.
+# Note that SSLEnable is now also supported.
+
+SSLDisable                                                               
+
+# This configuration applies ssl to a "virtualhost"
+
+Listen 443
+<VirtualHost cynosure.lanl.gov:443>                                   
+ServerAdmin cornett@arpa.net
+DocumentRoot /home/wwws
+ServerName cynosure.lanl.gov
+ErrorLog var/logs/wwws.errors
+TransferLog var/logs/wwws.transfers
+
+SSLEnable
+
+# Set the path for the global cache server executable.
+# If this facility gives you trouble, you can disable it by setting
+# CACHE_SESSIONS to FALSE in apache_ssl.c
+
+#SSLCacheServerPath /usr/sbin/gcache
+
+# Set the global cache server port number
+
+#SSLCacheServerPort 1234
+
+# Set the session cache timeout, in seconds (set to 15 for testing, use a
+# higher value in real life)
+
+#SSLSessionCacheTimeout 300
+
+# Set the CA certificate verification path (must be PEM encoded).
+# (in addition to getenv("SSL_CERT_DIR"), I think).
+
+SSLCACertificatePath etc
+
+# Set the CA certificate verification file (must be PEM encoded).
+# (in addition to getenv("SSL_CERT_FILE"), I think).
+
+#SSLCACertificateFile /some/where/somefile.pem
+
+# Point SSLCertificateFile at a PEM encoded certificate.
+# If the certificate is encrypted, then you will be prompted for a pass phrase.
+# Note that a kill -1 will prompt again.
+# A test certificate can be generated with "make certificate".
+
+#SSLCertificateFile /some/where/somefile.pem
+
+SSLCertificateFile @@ServerRoot@@/etc/httpsd.pem
+
+
+# If the key is not combined with the certificate, use this directive to
+# point at the key file. If this starts with a '/' it specifies an absolute
+# path, otherwise it is relative to the default certificate area. That is, it
+# means "<default>/private/<keyfile>".
+#SSLCertificateKeyFile /some/place/with/your.key
+
+# Set SSLVerifyClient to:
+# 0 if no certicate is required
+# 1 if the client may present a valid certificate
+# 2 if the client must present a valid certificate
+# 3 if the client may present a valid certificate but it is not required to
+#   have a valid CA
+
+SSLVerifyClient 0
+
+# How deeply to verify before deciding they don't have a valid certificate
+
+SSLVerifyDepth 10
+
+# Translate the client X509 into a Basic authorisation. This means that the
+# standard Auth/DBMAuth methods can be used for access control. The user name
+# is the "one line" version of the client's X509 certificate. Note that no
+# password is obtained from the user. Every entry in the user file needs this
+# password: xxj31ZMTZzkVA. See the code for further explanation.
+
+SSLFakeBasicAuth
+
+# List the ciphers that the client is permitted to negotiate. See the source
+# for a definitive list. For example:
+
+#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
+
+# These two can be used per-directory to require or ban ciphers. Note that (at
+# least in the current version) Apache-SSL will not attempt to renegotiate if a
+# cipher is banned (or not required).
+
+#SSLRequireCipher
+#SSLBanCipher                                                              
+
+# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated
+# in the error log file. Put this somewhere where it cannot be used for symlink
+# attacks on a real server (i.e. somewhere where only root can write).
+
+SSLLogFile @@ServerRoot@@/var/logs/sslrubbish.log
+
+# Custom logging                                                             
+
+CustomLog var/logs/ssl_log "%t %{version}c %{cipher}c %{clientcert}c"   
+</VirtualHost>                                  
 
+# Experiment with authorization...
+<Directory /usr/local/www/webspace/docs/bind>
+deny from all
+allow from .lanl.gov
+AuthType Basic
+AuthName "Network Operations"
+AuthDBMGroupFile /usr/local/www/auth/userbase
+AuthDBMUserFile /usr/local/www/auth/userbase
+<Limit PUT GET>
+require group admin
+#satisfy any
+</Limit>
+</Directory>
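Review bot: `SSLFakeBasicAuth` is enabled together with `SSLVerifyClient 0`, so no client certificate is ever requested and there is no X509 subject to turn into a user name; raise SSLVerifyClient to 1 or 2 for the directories that rely on the fake basic auth, or drop the directive. Two smaller points in the same hunk: `SSLCertificateFile @@ServerRoot@@/etc/httpsd.pem` and `SSLCACertificatePath etc` point at etc/, while `make certificate` (CERTCONF=../conf) writes httpsd.pem and its hash symlink into conf/ (the `Only in apache_1.3b6+SSL/conf: httpsd.pem` line below confirms that), so the certificate is not where the config looks for it; and the `<Directory ...bind>` block uses `deny from all` / `allow from .lanl.gov` without an `order` directive, so it relies on the default order instead of stating it.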
Only in apache_1.3b6+SSL/conf: httpsd.pem
diff -u -r apache_1.3b6/conf/srm.conf-dist apache_1.3b6+SSL/conf/srm.conf-dist
--- apache_1.3b6/conf/srm.conf-dist     Sat Mar 14 12:02:20 1998
+++ apache_1.3b6+SSL/conf/srm.conf-dist Fri May 22 17:00:23 1998
@@ -212,7 +212,7 @@
 
 # mod_mime_magic allows the server to use various hints from the file itself
 # to determine its type.
-#MimeMagicFile conf/magic
+#MimeMagicFile etc/magic
 
 # The following directives disable keepalives and HTTP header flushes.
 # The first directive disables it for Netscape 2.x and browsers which
Only in apache_1.3b6+SSL: configure.ssl
diff -u -r apache_1.3b6/src/Configuration apache_1.3b6+SSL/src/Configuration
--- apache_1.3b6/src/Configuration      Wed Apr 15 18:22:24 1998
+++ apache_1.3b6+SSL/src/Configuration  Thu May 14 08:53:42 1998
@@ -135,6 +135,7 @@
 Rule IRIXNIS=no
 Rule IRIXN32=yes
 Rule PARANOID=no
+Rule SSL=yes
 
 # The following rules should be set automatically by Configure. However, if
 # they are not set by Configure (because we don't know the correct value for
@@ -359,4 +360,10 @@
 ## should be the last (highest priority) module.
 
 AddModule modules/standard/mod_setenvif.o
+
+
+# Damn damn damn. Apache inverts the module list. SSL must go first to fake
+# basic authorization. So, uncomment this line to add SSL.
+
+# AddModule modules/experimental/mod_apache_ssl.o
 
Only in apache_1.3b6+SSL/src: Configuration.apaci
diff -u -r apache_1.3b6/src/Configuration.tmpl apache_1.3b6+SSL/src/Configuration.tmpl
--- apache_1.3b6/src/Configuration.tmpl Tue Apr 14 02:27:33 1998
+++ apache_1.3b6+SSL/src/Configuration.tmpl     Tue May 12 16:34:16 1998
@@ -135,6 +135,7 @@
 Rule IRIXNIS=no
 Rule IRIXN32=yes
 Rule PARANOID=no
+Rule SSL=yes
 
 # The following rules should be set automatically by Configure. However, if
 # they are not set by Configure (because we don't know the correct value for
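Review bot: `Rule SSL=yes` as the shipped default in Configuration.tmpl means every build compiles with -DAPACHE_SSL and links -lssl -lcrypto from /usr/local/ssl (per the Configure hunk below), so a plain Apache build breaks on any box without SSLeay installed there; the default here should be `no`. Related: with SSL=yes the core calls ApacheSSLSetupConnection and LaunchGlobalCache (http_main.c) and mod_log_config references the extern log_ssl_info, all presumably defined in mod_apache_ssl.c, yet the AddModule line in the next hunk stays commented out, so the default link fails with undefined symbols; tie the AddModule to the Rule or say so in the comment.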
@@ -359,4 +360,10 @@
 ## should be the last (highest priority) module.
 
 AddModule modules/standard/mod_setenvif.o
+
+
+# Damn damn damn. Apache inverts the module list. SSL must go first to fake
+# basic authorization. So, uncomment this line to add SSL.
+
+# AddModule modules/experimental/mod_apache_ssl.o
 
diff -u -r apache_1.3b6/src/Configure apache_1.3b6+SSL/src/Configure
--- apache_1.3b6/src/Configure  Wed Apr 15 11:10:18 1998
+++ apache_1.3b6+SSL/src/Configure      Wed May 13 14:01:58 1998
@@ -233,6 +233,7 @@
 RULE_IRIXN32=`./helpers/CutRule IRIXN32 $file`
 RULE_PARANOID=`./helpers/CutRule PARANOID $file`
 RULE_SHARED_CORE=`./helpers/CutRule SHARED_CORE $file`
+RULE_SSL=`./helpers/CutRule SSL $file`
 
 ####################################################################
 ## Rule SHARED_CORE implies required DSO support
@@ -1064,6 +1065,25 @@
        LIBS="$LIBS -lresolv"
     fi
 fi
+#
+# Now SSL.
+#
+if [ "$RULE_SSL" != "no" ]; then
+  if [ "$RULE_SSL" = "yes" ]; then # assume default ssl install
+    CFLAGS="$CFLAGS -DAPACHE_SSL"
+    SSL_BASE=/usr/local/ssl
+    INCLUDES0="$INCLUDES0 -I$SSL_BASE/include"
+    LDFLAGS="$LDFLAGS -L$SSL_BASE/lib"
+    LIBS="$LIBS -lssl -lcrypto"
+  else
+    CFLAGS="$CFLAGS -DAPACHE_SSL"
+    SSL_BASE=$RULE_SSL
+    INCLUDES0="$INCLUDES0 -I$SSL_BASE/include"
+    LDFLAGS="$LDFLAGS -L$SSL_BASE" # libs are in base
+    LIBS="$LIBS -lssl -lcrypto"
+  fi
+fi
+
 
 ####################################################################
 ## Find out what modules we want and try and configure things for them
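Review bot: when RULE_SSL is `no`, SSL_BASE is never assigned, so the `s#@@SSL_BASE@@#$SSL_BASE#g` substitution later in this file rewrites the `certificate` target to run a bare `/bin/ssleay`; set SSL_BASE in an `else` branch or default it before the `if`. The two branches also duplicate `CFLAGS`, `INCLUDES0` and `LIBS`, differing only in SSL_BASE and in `-L$SSL_BASE/lib` versus `-L$SSL_BASE`; hoist the common lines out and make the lib directory choice explicit.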
@@ -1411,7 +1431,7 @@
 ##
 echo "CFLAGS1=$CFLAGS">> Makefile.config
 echo "INCDIR=\$(SRCDIR)/include" >>Makefile.config
-echo "INCLUDES0=-I\$(SRCDIR)/$OSDIR -I\$(SRCDIR)/include">> Makefile.config
+echo "INCLUDES0=-I\$(SRCDIR)/$OSDIR -I\$(SRCDIR)/include $INCLUDES0">> Makefile.config
 echo "INCLUDES1=$INCLUDES">> Makefile.config
 echo "LIBS1=$LIBS">> Makefile.config
 echo "LDFLAGS1=$LDFLAGS">> Makefile.config
@@ -1471,7 +1491,9 @@
 
 # ./Makefile
 $CAT Makefile.config >> Makefile
-sed -e "s#@@Configuration@@#$file#" "Makefile.tmpl" >>Makefile
+sed -e "s#@@Configuration@@#$file#g" \
+    -e "s#@@SSL_BASE@@#$SSL_BASE#g" \
+    < "Makefile.tmpl" >>Makefile
 
 # xxx/Makefile
 MAKEDIRS="support main ap regex $OSDIR"
Only in apache_1.3b6+SSL/src: Makefile.config
diff -u -r apache_1.3b6/src/Makefile.tmpl apache_1.3b6+SSL/src/Makefile.tmpl
--- apache_1.3b6/src/Makefile.tmpl      Sat Apr 11 13:59:26 1998
+++ apache_1.3b6+SSL/src/Makefile.tmpl  Thu May 14 09:48:17 1998
@@ -51,6 +51,14 @@
                done; \
        fi
 
+CERTCONF=../conf
+certificate:   
+       @@SSL_BASE@@/bin/ssleay req -config @@SSL_BASE@@/lib/ssleay.cnf \
+       -new -x509 -nodes -out $(CERTCONF)/httpsd.pem \
+       -keyout $(CERTCONF)/httpsd.pem; \
+       ln -sf $(CERTCONF)/httpsd.pem $(CERTCONF)/`@@SSL_BASE@@/bin/ssleay \
+       x509 -noout -hash < $(CERTCONF)/httpsd.pem`.0
+
 subdirs:
        @for i in $(SUBDIRS); do \
                echo "===> $(SDP)$$i"; \
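Review bot: `ssleay req -new -x509 -nodes -out $(CERTCONF)/httpsd.pem -keyout $(CERTCONF)/httpsd.pem` writes an unencrypted private key into conf/ under whatever umask the builder has, so the key is typically world-readable; create it under `umask 077` or follow with `chmod 600 $(CERTCONF)/httpsd.pem`, and chain the commands with `&&` rather than `;` so a failed `ssleay req` does not go on to create a dangling hash symlink. The `Only in apache_1.3b6+SSL/conf: httpsd.pem` entry shows such a key ended up in the patched tree; it should not ship with the source. Trailing whitespace after `certificate:` as well.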
Only in apache_1.3b6+SSL/src: apaci
Only in apache_1.3b6+SSL/src/include: ap_config.h
diff -u -r apache_1.3b6/src/include/buff.h apache_1.3b6+SSL/src/include/buff.h
--- apache_1.3b6/src/include/buff.h     Sat Apr 11 06:00:18 1998
+++ apache_1.3b6+SSL/src/include/buff.h Fri May  8 16:45:57 1998
@@ -64,6 +64,11 @@
 
 #include <stdarg.h>
 
+#ifdef APACHE_SSL
+# include <stdio.h>
+# include <ssl.h>
+#endif
+
 /* Reading is buffered */
 #define B_RD     (1)
 /* Writing is buffered */
@@ -116,6 +121,13 @@
 
     /* transport handle, for RPC binding handle or some such */
     void *t_handle;
+
+#ifdef APACHE_SSL
+    /* Add some context for SSL */
+    SSL *ssl;
+    char *szClientX509;
+    int nVerifyError;
+#endif
 
 #ifdef B_SFIO
     Sfio_t *sf_in;
Only in apache_1.3b6+SSL/src/include: gcache.h
diff -u -r apache_1.3b6/src/include/httpd.h apache_1.3b6+SSL/src/include/httpd.h
--- apache_1.3b6/src/include/httpd.h    Wed Apr 15 18:15:34 1998
+++ apache_1.3b6+SSL/src/include/httpd.h        Mon May 11 13:05:20 1998
@@ -62,6 +62,11 @@
  * httpd.h: header for simple (ha! not anymore) http daemon
  */
 
+/* Needed all over the place */
+typedef unsigned int BOOL;
+#define TRUE           1
+#define FALSE          0
+ 
 /* Headers in which EVERYONE has an interest... */
 
 #include "conf.h"
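Review bot: `typedef unsigned int BOOL;` plus unconditional `#define TRUE 1` / `#define FALSE 0` in httpd.h leak into every translation unit regardless of APACHE_SSL and will collide with platform headers that define them (Win32 does); guard them with `#ifndef TRUE` or move them under `#ifdef APACHE_SSL` next to the code that needs them. The added blank line also carries trailing whitespace.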
@@ -120,13 +125,20 @@
 #define HTTP_VERSION(major,minor) (1000*(major)+(minor))
 
 
-/* -------------- Port number for server running standalone --------------- */
-
+/* -------------- Port number and protocol for server running standalone -- */
+#ifdef APACHE_SSL
+#define DEFAULT_HTTP_PORT      80
+#define DEFAULT_HTTPS_PORT     443
+#define default_port(r)        ((r)->connection->client->ssl ? DEFAULT_HTTPS_PORT
: DEFAULT_HTTP_PORT)
+#define is_default_port(port,r) ((port) == default_port(r))
+#define http_method(r)         ((r)->connection->client->ssl ? "https" : "http")
+#else
 #define DEFAULT_HTTP_PORT      80
 #define DEFAULT_HTTPS_PORT     443
 #define is_default_port(port,r)        ((port) == default_port(r))
 #define http_method(r) "http"
 #define        default_port(r) DEFAULT_HTTP_PORT
+#endif
 
 /* --------- Default user name and group name running standalone ---------- */
 /* --- These may be specified as numbers by placing a # before a number --- */
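Review bot: the `#define default_port(r)` line in the APACHE_SSL branch is broken across two lines in this archive (the `: DEFAULT_HTTP_PORT)` tail carries no `+`), so the hunk as shown will not apply; confirm it is a single line in the real patch. Apart from that, both branches define the same DEFAULT_HTTP_PORT / DEFAULT_HTTPS_PORT constants, so only the three macros that depend on `->client->ssl` need to be inside the `#ifdef`.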
@@ -362,7 +374,11 @@
  * Example: "Apache/1.1.0 MrWidget/0.1-alpha" 
  */
 
+#ifdef APACHE_SSL
+#define SERVER_BASEVERSION "Apache/1.3b6 Ben-SSL/1.16" /* SEE COMMENTS ABOVE */
+#else
 #define SERVER_BASEVERSION "Apache/1.3b6"      /* SEE COMMENTS ABOVE */
+#endif
 #ifdef SERVER_SUBVERSION
 #define SERVER_VERSION SERVER_BASEVERSION " " SERVER_SUBVERSION
 #else
@@ -742,6 +758,11 @@
 #define DEFAULT_VHOST_ADDR 0xfffffffful
 
 typedef struct server_addr_rec server_addr_rec;
+
+#ifdef APACHE_SSL
+int ApacheSSLSetupConnection(conn_rec *conn);
+void LaunchGlobalCache(pool *pPool);
+#endif
 struct server_addr_rec {
     server_addr_rec *next;
     struct in_addr host_addr;  /* The bound address, for this server */
diff -u -r apache_1.3b6/src/main/Makefile.tmpl apache_1.3b6+SSL/src/main/Makefile.tmpl
--- apache_1.3b6/src/main/Makefile.tmpl Sat Apr 11 13:59:26 1998
+++ apache_1.3b6+SSL/src/main/Makefile.tmpl     Fri May  8 14:33:36 1998
@@ -14,7 +14,7 @@
       http_config.o http_core.o http_log.o \
       http_main.o http_protocol.o http_request.o http_vhost.o \
       util.o util_date.o util_script.o util_uri.o util_md5.o \
-      md5c.o rfc1413.o fnmatch.o
+      md5c.o rfc1413.o fnmatch.o gcacheclient.o gcachecommon.o
 
 .c.o:
        $(CC) -c $(INCLUDES) $(CFLAGS) $(SPACER) $<
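Review bot: `gcacheclient.o gcachecommon.o` are added to OBJS unconditionally, so a build with `Rule SSL=no` still compiles and links the session-cache client; make them conditional on SSL or keep them in the module. Also, the new sources only appear as `Only in ...` lines because `diff -r` was run without `-N`; rerun with `-uNr` so the new files are part of the patch.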
diff -u -r apache_1.3b6/src/main/buff.c apache_1.3b6+SSL/src/main/buff.c
--- apache_1.3b6/src/main/buff.c        Sat Apr 11 06:00:28 1998
+++ apache_1.3b6+SSL/src/main/buff.c    Fri May 22 13:50:11 1998
@@ -227,7 +227,7 @@
     return (rv);
 }
 
-#endif /* WIN32 */
+#endif
 
 
 /* the lowest level reading primitive */
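Review bot: dropping the `/* WIN32 */` annotation from `#endif` loses information for no gain; keep the comment (or correct it) rather than removing it.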
@@ -235,6 +235,11 @@
 {
     int rv;
     
+#ifdef APACHE_SSL
+      if (fb->ssl)
+       rv = SSL_read(fb->ssl, buf, nbyte);
+      else
+#endif
     rv = read(fb->fd_in, buf, nbyte);
     
     return rv;
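Review bot: swapping `read()` for `SSL_read()` changes the error contract: SSL_read returns <= 0 for both errors and a clean shutdown, the reason is only available via SSL_get_error(), and errno is not reliably set, so the EAGAIN/EINTR handling built around errno in this file's callers will misinterpret SSL failures, and a want-read/want-write result becomes a hard error. Map SSL_ERROR_WANT_READ/WANT_WRITE to a retry and SSL_ERROR_ZERO_RETURN to EOF here or in a wrapper. The same applies to `SSL_write()` in the next hunk.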
@@ -266,6 +271,11 @@
 #if defined (B_SFIO)
     rv = sfwrite(fb->sf_out, buf, nbyte);
 #else
+#ifdef APACHE_SSL
+       if(fb->ssl)
+           rv = SSL_write(fb->ssl, buf, nbyte);
+       else
+#endif
     rv = write(fb->fd, buf, nbyte);
 #endif
     
@@ -341,6 +351,11 @@
     fb->fd = -1;
     fb->fd_in = -1;
 
+#ifdef APACHE_SSL
+    fb->ssl = NULL;
+    fb->szClientX509 = NULL;
+#endif
+
 #ifdef B_SFIO
     fb->sf_in = NULL;
     fb->sf_out = NULL;
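Review bot: `fb->ssl` and `fb->szClientX509` are reset here but `nVerifyError`, added to BUFF in the buff.h hunk, is not, so a reused buffer can carry a stale verify error code into log_ssl_info's `%{errcode}c` / `%{errstr}c` output; add `fb->nVerifyError = 0;` alongside.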
@@ -1013,7 +1028,6 @@
     return 0;
 }
 #endif
-
 /* A wrapper for buff_write which deals with error conditions and
  * bytes_sent.  Also handles non-blocking writes.
  */
@@ -1061,8 +1075,11 @@
     if (!(fb->flags & B_CHUNK)) {
        return write_with_errors(fb, buf, nbyte);
     }
+#ifdef APACHE_SSL                                                        
+    if (fb->ssl) {                   
+#endif
 
-#ifdef NO_WRITEV
+#if defined(NO_WRITEV) || defined(APACHE_SSL)
     /* without writev() this has poor performance, too bad */
 
     ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012", nbyte);
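Review bot: the `#ifdef APACHE_SSL / if (fb->ssl) { / #endif` opener combined with `#if defined(NO_WRITEV) || defined(APACHE_SSL)` makes the writev() branch unreachable in any APACHE_SSL build, and worse, for a non-SSL connection in such a build `if (fb->ssl)` is false, control skips the write_it_all() calls, reaches the `return nbyte;` after the closing `}` in the next hunk, and reports the chunk as written without a byte going out. The preprocessor cannot select at run time; write it as a plain runtime branch, `if (fb->ssl) { ...write_it_all path... } else { ...writev path... }`, with `#ifdef NO_WRITEV` only around the writev half.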
@@ -1076,8 +1093,14 @@
        return -1;
     if (write_it_all(fb, "\015\012", 2) == -1)
        return -1;
+#ifdef APACHE_SSL
+    }
+#endif
     return nbyte;
 #else
+#ifdef APACHE_SSL
+    }
+#endif
     vec[0].iov_base = chunksize;
     vec[0].iov_len = ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012",
                                 nbyte);
@@ -1196,10 +1219,18 @@
  * us to use writev() too frequently.  In those cases we really should just
  * start a new buffer.
  */
+#ifdef APACHE_SSL
+    if (!fb->ssl) {
+#endif
+
     if (fb->outcnt > 0 && nbyte > LARGE_WRITE_THRESHOLD
        && nbyte + fb->outcnt >= fb->bufsiz) {
        return large_write(fb, buf, nbyte);
     }
+#ifdef APACHE_SSL
+    }
+#endif
+
 #endif
 
 /*
@@ -1394,6 +1425,13 @@
     fb->flags |= B_EOF | B_EOUT;
     fb->fd = -1;
     fb->fd_in = -1;
+#ifdef APACHE_SSL
+    if (fb->ssl) {
+       SSL_free(fb->ssl);
+       fb->ssl = NULL;
+    }
+#endif
+
 
 #ifdef B_SFIO
     sfclose(fb->sf_in);
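Review bot: `SSL_free(fb->ssl)` on close without a preceding `SSL_shutdown()` means no close_notify alert is sent, so the peer sees a bare TCP FIN and cannot tell a clean end of data from truncation; call SSL_shutdown() before SSL_free() when the connection is still usable. szClientX509 is presumably pool-allocated and needs no free here, but clearing it together with the ssl pointer would keep the two fields consistent.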
Only in apache_1.3b6+SSL/src/main: gcache.c
Only in apache_1.3b6+SSL/src/main: gcacheclient.c
Only in apache_1.3b6+SSL/src/main: gcachecommon.c
diff -u -r apache_1.3b6/src/main/http_config.c apache_1.3b6+SSL/src/main/http_config.c
--- apache_1.3b6/src/main/http_config.c Mon Apr 13 12:05:10 1998
+++ apache_1.3b6+SSL/src/main/http_config.c     Mon May 11 10:13:10 1998
@@ -1325,7 +1325,11 @@
 {
     server_rec *s = (server_rec *) ap_pcalloc(p, sizeof(server_rec));
 
-    s->port = 0;
+#ifdef APACHE_SSL
+    s->port=0;
+#else
+    s->port = DEFAULT_HTTP_PORT;
+#endif
     s->server_admin = DEFAULT_ADMIN;
     s->server_hostname = NULL;
     s->error_fname = DEFAULT_ERRORLOG;
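Review bot: the `#else` branch changes the baseline from `s->port = 0;` to `s->port = DEFAULT_HTTP_PORT;` while the APACHE_SSL branch keeps the original value, so the non-SSL build is the one whose behaviour changes; that looks inverted, or at least unrelated to SSL. If 0 is what the SSL code needs (so default_port(r) can pick 80 or 443 per connection), leave the line untouched and drop the `#ifdef`.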
diff -u -r apache_1.3b6/src/main/http_main.c apache_1.3b6+SSL/src/main/http_main.c
--- apache_1.3b6/src/main/http_main.c   Sat Apr 11 06:00:29 1998
+++ apache_1.3b6+SSL/src/main/http_main.c       Mon May 11 10:28:43 1998
@@ -3418,6 +3418,15 @@
                                          (struct sockaddr_in *) &sa_client,
                                          (struct sockaddr_in *) &sa_server,
                                          my_child_num);
+#ifdef APACHE_SSL
+        /*
+         * This returns false if the connection cannot be setup,
+         * so maybe we should do something with this here...
+         * however it also blocks the BUFF connections
+         * so the next bit should fall out anyway!
+         */
+        ApacheSSLSetupConnection(current_conn);
+#endif
 
        /*
         * Read and process each request found on our connection
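Review bot: the return value of `ApacheSSLSetupConnection(current_conn)` is ignored; the comment admits it returns false when the connection cannot be set up and hopes the BUFF layer fails later. Check it and close the connection (ap_bclose on current_conn->client and skip the request loop) on failure rather than entering the read loop on a half-initialised SSL connection.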
@@ -3762,14 +3771,17 @@
            ap_kill_cleanups_for_fd(pconf, scoreboard_fd);
        }
 #endif
-       ap_clear_pool(pconf);
-       ptrans = ap_make_sub_pool(pconf);
-
-       server_conf = ap_read_config(pconf, ptrans, ap_server_confname);
+        ap_clear_pool(pconf);                                               
+        ptrans = ap_make_sub_pool(pconf);
+    
+        server_conf = ap_read_config(pconf, ptrans, ap_server_confname);
        setup_listeners(pconf);
        ap_open_logs(server_conf, pconf);
        ap_log_pid(pconf, ap_pid_fname);
-       ap_init_modules(pconf, server_conf);
+        ap_init_modules (pconf, server_conf);
+#ifdef APACHE_SSL
+        LaunchGlobalCache(pconf);
+#endif
        SAFE_ACCEPT(accept_mutex_init(pconf));
        if (!is_graceful) {
            reinit_scoreboard(pconf);
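Review bot: the only functional addition in this hunk is the `LaunchGlobalCache(pconf)` call under `#ifdef APACHE_SSL`; the rest re-indents `ap_clear_pool`, `ptrans`, `server_conf` and `ap_init_modules` from tabs to spaces and adds a trailing-whitespace line, which bloats the diff and hides the real change. Restore the original indentation so the hunk is the three added lines.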
diff -u -r apache_1.3b6/src/modules/experimental/Makefile.tmpl apache_1.3b6+SSL/src/modules/experimental/Makefile.tmpl
--- apache_1.3b6/src/modules/experimental/Makefile.tmpl Thu Apr  9 02:20:27 1998
+++ apache_1.3b6+SSL/src/modules/experimental/Makefile.tmpl     Mon May 11 10:00:28 1998
@@ -22,3 +22,5 @@
  $(INCDIR)/http_config.h $(INCDIR)/http_log.h \
  $(INCDIR)/http_protocol.h $(INCDIR)/http_request.h \
  $(INCDIR)/http_core.h
+
+mod_apache_ssl.o: mod_apache_ssl.c
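Review bot: `mod_apache_ssl.o: mod_apache_ssl.c` declares no header dependencies, unlike the rule above it that lists the $(INCDIR)/http_*.h headers; a change to buff.h, which this module depends on for the SSL fields, would not trigger a rebuild. Add the same $(INCDIR) list plus the SSL headers.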
Only in apache_1.3b6+SSL/src/modules/experimental: mod_apache_ssl.c
diff -u -r apache_1.3b6/src/modules/standard/mod_auth.c apache_1.3b6+SSL/src/modules/standard/mod_auth.c
--- apache_1.3b6/src/modules/standard/mod_auth.c        Sat Apr 11 06:00:44 1998
+++ apache_1.3b6+SSL/src/modules/standard/mod_auth.c    Fri May  8 22:47:50 1998
@@ -75,7 +75,13 @@
 #include "http_log.h"
 #include "http_protocol.h"
 #if defined(HAVE_CRYPT_H)
+#if defined(APACHE_SSL)
+#define des_encrypt    BASE_des_encrypt
 #include <crypt.h>
+#undef des_encrypt
+#else
+#include <crypt.h>
+#endif /* APACHE_SSL */
 #endif
 
 typedef struct auth_config_struct {
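Review bot: the `#define des_encrypt BASE_des_encrypt` around `<crypt.h>` works around a name clash between the libc crypt header and the SSLeay DES header, but it is fragile: it only helps if the SSLeay headers are included after this point, and the `#else` duplicates the plain `#include <crypt.h>`. Simplify to one include with the define/undef pair guarded by `#if defined(APACHE_SSL)`, and leave a comment naming the clashing header so the hack can be removed when it is no longer needed.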
diff -u -r apache_1.3b6/src/modules/standard/mod_log_config.c apache_1.3b6+SSL/src/modules/standard/mod_log_config.c
--- apache_1.3b6/src/modules/standard/mod_log_config.c  Sat Apr 11 06:00:48 1998
+++ apache_1.3b6+SSL/src/modules/standard/mod_log_config.c      Mon May 11 15:21:10 1998
@@ -127,6 +127,15 @@
  * %...l:  remote logname (from identd, if supplied)
  * %...{Foobar}n:  The contents of note "Foobar" from another module.
  * %...{Foobar}o:  The contents of Foobar: header line(s) in the reply.
+ *
+ * Additional SSL directives:
+ *
+ * %...{cipher}c:  cipher used (SSL_get_cipher)
+ * %...{clientcert}c: client certificate information
+ * %...{errcode}c: X509 verify error code
+ * %...{errstr}c: X509 verify error string
+ * %...{version}c: SSL version (SSLeay 0.8.0 and above)
+ *
  * %...p:  the port the request was served to
  * %...P:  the process ID of the child that serviced the request.
  * %...r:  first line of request
@@ -172,6 +181,9 @@
 #include "http_core.h"          /* For REMOTE_NAME */
 #include "http_log.h"
 #include <limits.h>
+#ifdef APACHE_SSL
+#include <crypto.h>
+#endif
 
 module MODULE_VAR_EXPORT config_log_module;
 
@@ -415,6 +427,10 @@
     return ap_psprintf(r->pool, "%ld", (long) getpid());
 }
 
+#ifdef APACHE_SSL
+extern char *log_ssl_info(request_rec *r, char *a);
+#endif
+
 /*****************************************************************
  *
  * Parsing the log format string
@@ -480,6 +496,11 @@
     {
         'P', log_child_pid, 0
     },
+#ifdef APACHE_SSL
+    {
+        'c', log_ssl_info, 0
+    },
+#endif
     {
         '\0'
     }
@@ -626,6 +647,53 @@
     return a;
 }
 
+#ifdef APACHE_SSL
+char *log_ssl_info(request_rec *r, char *a)
+    {
+    char str[MAX_STRING_LEN];
+
+    if(!r->connection->client->ssl)
+       return NULL;
+
+    if(!strcmp(a, "cipher"))
+       return SSL_get_cipher(r->connection->client->ssl);
+
+    if(!strcmp(a, "clientcert"))
+       return r->connection->client->szClientX509;
+
+    if(!strcmp(a, "errcode"))
+       if(r->connection->client->nVerifyError)
+           {
+           sprintf(str, "%d", r->connection->client->nVerifyError);
+           return ap_pstrdup(r->pool,str);
+           }
+       else
+           return NULL;
+
+    if(!strcmp(a, "errstr"))
+       if(r->connection->client->nVerifyError)
+#if SSLEAY_VERSION_NUMBER < 0x0800
+           return X509_cert_verify_error_string(r->connection->client->nVerifyError);
+#else
+           return X509_verify_cert_error_string(r->connection->client->nVerifyError);
+#endif
+       else
+           return NULL;
+
+#if SSLEAY_VERSION_NUMBER >= 0x0800
+    if(!strcmp(a, "version"))
+       {
+       static char v[2];
+
+       v[0]='0'+r->connection->client->ssl->session->ssl_version;
+       v[1]='\0';
+       return v;
+       }
+#endif
+    
+    return NULL;
+}
+#endif
 /*****************************************************************
  *
  * Actually logging.
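Review bot: `v[0]='0'+r->connection->client->ssl->session->ssl_version` reaches into SSLeay's private session struct and only yields a digit if ssl_version is a small integer; if the field holds the wire value (0x0300 for SSLv3) the sum is truncated to a char and the log shows a wrong digit for every SSLv3 session. Use the library accessor for the protocol version (SSL_get_version() in releases that have it) and return a pool copy. Smaller points: the `SSL_get_cipher` and `X509_*_error_string` results are const strings returned through a `char *`, and `static char v[2]` is a shared buffer handed back to the caller; `ap_pstrdup(r->pool, ...)` as already used for errcode would fix both.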
Only in apache_1.3b6+SSL/src: modules.c
diff -u -r apache_1.3b6/src/support/dbmmanage apache_1.3b6+SSL/src/support/dbmmanage
--- apache_1.3b6/src/support/dbmmanage  Tue Mar 31 05:53:47 1998
+++ apache_1.3b6+SSL/src/support/dbmmanage      Fri May 15 14:32:16 1998
@@ -62,7 +62,7 @@
 
 package dbmmanage;
 #                               -ldb    -lndbm    -lgdbm
-BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File) }
+BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File DBM_File) }
 use strict;
 use Fcntl;
 use AnyDBM_File ();
>How-To-Repeat:
Not relevant. But the configure.ssl script sets things up for the ssl httpd
compile.
#!/bin/sh
#
# This assumes SSLeay-0.8.0 is installed in /usr/local/ssl
#
sh configure \
            --prefix=/usr/local/apache \
            --enable-module=status \
            --enable-module=proxy \
            --enable-module=rewrite \
            --enable-module=auth_anon \
            --enable-module=auth_dbm \
            --enable-module=digest \
            --enable-module=cern_meta \
            --enable-module=expires \
            --enable-module=headers \
            --enable-module=usertrack \
            --enable-module=apache_ssl

>Fix:
I had a problem integrating the patches because I missed a "writev" which had
to be avoided if in ssl mode.

I found some problems with the default httpd.conf.  Example: CustomLog was set
to logs/access_log and should have been var/logs/error_log.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]