Apache2
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
Collaboration diagram for mod_ssl:

Modules

 Private
 
 Utilities
 

Macros

#define SSL_DECLARE(type)   type
 
#define SSL_DECLARE_NONSTD(type)   type
 
#define SSL_DECLARE_DATA
 
#define SSL_CERT_HOOKS
 

Functions

const char * ssl_var_lookup (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)
 
 AP_FN_ATTR_NONNULL ((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT
 
apr_array_header_tssl_ext_list (apr_pool_t *p, conn_rec *c, int peer, const char *extension)
 
int ssl_is_https (conn_rec *)
 
apr_status_t ssl_get_tls_cb (apr_pool_t *p, conn_rec *c, const char *type, unsigned char **buf, apr_size_t *size)
 
int ssl_proxy_enable (conn_rec *)
 
int ssl_engine_disable (conn_rec *)
 
int ssl_engine_set (conn_rec *, ap_conf_vector_t *, int proxy, int enable)
 
int ssl_hook_add_cert_files (server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
 
int ssl_hook_add_fallback_cert_files (server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
 
int ssl_hook_init_server (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)
 
int ssl_hook_pre_handshake (conn_rec *c, SSL *ssl, int is_proxy)
 
int ssl_hook_proxy_post_handshake (conn_rec *c, SSL *ssl)
 
int ssl_hook_answer_challenge (conn_rec *c, const char *server_name, X509 **pcert, EVP_PKEY **pkey)
 
int ssl_hook_init_stapling_status (server_rec *s, apr_pool_t *p, X509 *cert, X509 *issuer)
 
int ssl_hook_get_stapling_status (unsigned char **pder, int *pderlen, conn_rec *c, server_rec *s, X509 *cert)
 

Detailed Description

Macro Definition Documentation

#define SSL_CERT_HOOKS
#define SSL_DECLARE (   type)    type
#define SSL_DECLARE_DATA
#define SSL_DECLARE_NONSTD (   type)    type

Function Documentation

AP_FN_ATTR_NONNULL ( (1, 2, 5)  )
int ssl_engine_disable ( conn_rec )
int ssl_engine_set ( conn_rec ,
ap_conf_vector_t ,
int  proxy,
int  enable 
)
apr_array_header_t* ssl_ext_list ( apr_pool_t p,
conn_rec c,
int  peer,
const char *  extension 
)

The ssl_ext_list() optional function attempts to build an array of all the values contained in the named X.509 extension. The returned array will be created in the supplied pool. The client certificate is used if peer is non-zero; the server certificate is used otherwise. Extension specifies the extensions to use as a string. This can be one of the "known" long or short names, or a numeric OID, e.g. "1.2.3.4", 'nsComment' and 'DN' are all valid. A pointer to an apr_array_header_t structure is returned if at least one matching extension is found, NULL otherwise.

apr_status_t ssl_get_tls_cb ( apr_pool_t p,
conn_rec c,
const char *  type,
unsigned char **  buf,
apr_size_t size 
)

A function that returns the TLS channel binding data as per RFC5929. A buffer containing the Channel Binding Token for the given type will be allocated from the pool and returned to the caller, along with the size. Returns APR_SUCCESS on success; buf and size are not adjusted on error.

int ssl_hook_add_cert_files ( server_rec s,
apr_pool_t p,
apr_array_header_t cert_files,
apr_array_header_t key_files 
)

Lets others add certificate and key files to the given server. For each cert a key must also be added.

Parameters
cert_fileand array of const char* with the path to the certificate chain
key_fileand array of const char* with the path to the private key file
int ssl_hook_add_fallback_cert_files ( server_rec s,
apr_pool_t p,
apr_array_header_t cert_files,
apr_array_header_t key_files 
)

In case no certificates are available for a server, this lets other modules add a fallback certificate for the time being. Regular requests against this server will be answered with a 503.

Parameters
cert_fileand array of const char* with the path to the certificate chain
key_fileand array of const char* with the path to the private key file
int ssl_hook_answer_challenge ( conn_rec c,
const char *  server_name,
X509 **  pcert,
EVP_PKEY **  pkey 
)

On TLS connections that do not relate to a configured virtual host, allow other modules to provide a X509 certificate and EVP_PKEY to be used on the connection. This first hook which does not return DECLINED will determine the outcome.

int ssl_hook_get_stapling_status ( unsigned char **  pder,
int pderlen,
conn_rec c,
server_rec s,
X509 *  cert 
)

Anyone answering positive to ssl_init_stapling_status for a certificate, needs to register here and supply the actual OCSP stapling status data (OCSP_RESP) for a new connection. A hook supplying the response data must return APR_SUCCESS. The data is returned in DER encoded bytes via pder and pderlen. The returned pointer may be NULL, which indicates that data is (currently) unavailable. If DER data is returned, it MUST come from a response with status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means errors in OCSP retrieval are to be handled/logged by the hook and are not done by mod_ssl. Any DER bytes returned MUST be allocated via malloc() and ownership passes to mod_ssl. Meaning, the hook must return a malloced copy of the data it has. mod_ssl (or OpenSSL) will free it.

int ssl_hook_init_server ( server_rec s,
apr_pool_t p,
int  is_proxy,
SSL_CTX *  ctx 
)

init_server hook – allow SSL_CTX-specific initialization to be performed by a module for each SSL-enabled server (one at a time)

Parameters
sSSL-enabled [virtual] server
ppconf pool
is_proxy1 if this server supports backend connections over SSL/TLS, 0 if it supports client connections over SSL/TLS
ctxOpenSSL SSL Context for the server
int ssl_hook_init_stapling_status ( server_rec s,
apr_pool_t p,
X509 *  cert,
X509 *  issuer 
)

During post_config phase, ask around if someone wants to provide OCSP stapling status information for the given cert (with the also provided issuer certificate). The first hook which does not return DECLINED promises to take responsibility (and respond in later calls via hook ssl_get_stapling_status). If no hook takes over, mod_ssl's own stapling implementation will be applied (if configured).

int ssl_hook_pre_handshake ( conn_rec c,
SSL *  ssl,
int  is_proxy 
)

pre_handshake hook

Parameters
cconn_rec for new connection from client or to backend server
sslOpenSSL SSL Connection for the client or backend server
is_proxy1 if this handshake is for a backend connection, 0 otherwise
int ssl_hook_proxy_post_handshake ( conn_rec c,
SSL *  ssl 
)

proxy_post_handshake hook – allow module to abort after successful handshake with backend server and subsequent peer checks

Parameters
cconn_rec for connection to backend server
sslOpenSSL SSL Connection for the client or backend server
int ssl_is_https ( conn_rec )

An optional function which returns non-zero if the given connection is using SSL/TLS.

int ssl_proxy_enable ( conn_rec )

The ssl_proxy_enable() and ssl_engine_{set,disable}() optional functions are used by mod_proxy to enable use of SSL for outgoing connections.

const char* ssl_var_lookup ( apr_pool_t p,
server_rec s,
conn_rec c,
request_rec r,
const char *  name 
)

The ssl_var_lookup() optional function retrieves SSL environment variables. The pool in which to allocate the return value must be non-NULL since httpd 2.5.1. c and/or r may be NULL.