On Fri, Apr 23, 1999, James Simmons wrote:

> Really. When will this patch become available in the main stream mod_ssl?
> Do you have some patches for it. I'm willing to try it. I have a test
> secure server to play with.

The stuff is still in my pkg.apache.listen/ source tree and not committed
because it's not finished. What's missing is a correct matching of host:port's
which isn't trivial when one wants to do it in a general way, i.e. like the
vhost-stuff works in Apache. I am appending my current state below, but please keep in
mind that it's a diff against the current CVS state and not 2.2.8 (i.e. you
need to check out a version from CVS) and that I have not tried it for 6-8
weeks now. So I cannot say what the current state of the matching code is.
But feel free to play with it and finalize it... ;) The general idea is
to provide a SSLListen directive which restricts the "SSLEngine on" and is
similar to Listen in usage.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

Index: src/include/http_vhost.h
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/include/http_vhost.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 http_vhost.h
--- src/include/http_vhost.h    1999/01/10 10:46:44     1.1.1.2
+++ src/include/http_vhost.h    1999/01/10 16:43:41
@@ -87,6 +87,10 @@
  */
 API_EXPORT(int) ap_matches_request_vhost(request_rec *r, const char *host,
     unsigned port);
+#ifdef EAPI
+API_EXPORT(int) ap_matches_server_vhost(server_rec *s, const char *host,
+    unsigned port);
+#endif
 
 #ifdef __cplusplus
 }
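Review bot: The new `ap_matches_server_vhost` prototype carries no comment, while the `ap_matches_request_vhost` declaration next to it is preceded by a comment block that ends just above the hunk. A one-line comment such as `/* EAPI: like ap_matches_request_vhost(), but matches host:port against the given server_rec instead of r->server */` would tell callers why a second entry point exists. The relationship is visible only in the http_vhost.c part of the patch, where the request variant becomes a one-line wrapper.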
Index: src/main/http_vhost.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/main/http_vhost.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 http_vhost.c
--- src/main/http_vhost.c       1999/01/10 10:46:54     1.1.1.2
+++ src/main/http_vhost.c       1999/01/10 16:41:58
@@ -717,13 +717,22 @@
  * we just call it a match.  But here we require the host:port to match
  * the ServerName and/or ServerAliases.
  */
+#ifdef EAPI
+API_EXPORT(int) ap_matches_server_vhost(server_rec *s, const char *host,
+    unsigned port)
+#else
 API_EXPORT(int) ap_matches_request_vhost(request_rec *r, const char *host,
     unsigned port)
+#endif
 {
+#ifndef EAPI
     server_rec *s;
+#endif
     server_addr_rec *sar;
 
+#ifndef EAPI
     s = r->server;
+#endif
 
     /* search all the <VirtualHost> values */
     /* XXX: If this is a NameVirtualHost then we may not be doing the Right Thing
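Review bot: Three separate `#ifdef EAPI`/`#ifndef EAPI` sites spread over the signature and the locals make it hard to see which symbol the body belongs to in each build; the function body continues past the end of the hunk. A flatter arrangement is to leave the existing `ap_matches_request_vhost` definition alone and add `ap_matches_server_vhost` as its own function taking `s` as the parameter, with the request variant delegating to it in both builds, so that the only conditional left is whether the server variant is exported. That removes the `#ifndef EAPI` guards around `server_rec *s;` and `s = r->server;` entirely. Whether an extra symbol is acceptable in non-EAPI builds depends on the httpd.exp policy, which this patch also touches.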
@@ -757,6 +766,13 @@
     return matches_aliases(s, host);
 }
 
+#ifdef EAPI
+API_EXPORT(int) ap_matches_request_vhost(request_rec *r, const char *host,
+    unsigned port)
+{
+    return ap_matches_server_vhost(r->server, host, port);
+}
+#endif
 
 static void check_hostalias(request_rec *r)
 {
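Review bot: The EAPI wrapper `ap_matches_request_vhost` has no comment saying that it now exists only to preserve the old entry point. Suggest `/* EAPI: request_rec front end; the actual matching lives in ap_matches_server_vhost() */` above the function. Like the pre-patch code it dereferences `r->server` without a NULL check, so this is consistent with the original rather than a regression.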
Index: src/modules/ssl/mod_ssl.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.53
diff -u -r1.53 mod_ssl.c
--- src/modules/ssl/mod_ssl.c   1999/04/12 15:28:13     1.53
+++ src/modules/ssl/mod_ssl.c   1999/04/16 08:40:49
@@ -102,6 +102,9 @@
     AP_SRV_CMD(Engine, FLAG,
                "SSL switch for the protocol engine "
                "(`on', `off')")
+    AP_SRV_CMD(Listen, ITERATE,
+               "restrictions for `SSLEngine on'"
+               "(`host:port')")
     AP_ALL_CMD(CipherSuite, TAKE1,
                "Colon-delimited list of permitted SSL Ciphers "
                "(`XXX:...:XXX' - see manual)")
Index: src/modules/ssl/mod_ssl.h
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.90
diff -u -r1.90 mod_ssl.h
--- src/modules/ssl/mod_ssl.h   1999/04/16 08:50:34     1.90
+++ src/modules/ssl/mod_ssl.h   1999/04/23 17:30:24
@@ -95,6 +95,7 @@
 #include "http_protocol.h"
 #include "http_request.h"
 #include "http_main.h"
+#include "http_vhost.h"
 #include "http_core.h"
 #include "http_log.h"
 #include "scoreboard.h"
@@ -409,6 +410,14 @@
 } ssl_require_t;
 
 /*
+ * Define the SSLListen structure
+ */
+typedef struct {
+    char        *host;
+    unsigned int port;
+} SSLListen;
+
+/*
  * Define the SSL random number generator seeding source
  */
 typedef enum {
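Review bot: The `SSLListen` structure is undocumented, and both fields use in-band sentinels that the parser in ssl_engine_config.c relies on: `host` stays `NULL` when the directive has no `host:` part, and `port` is 0 when the port is given as `*`; the kernel-side logging prints both as `*`. Suggest field comments: `char *host;        /* NULL = any host (directive had no host: part) */` and `unsigned int port; /* 0 = any port (directive gave `*') */`. Note also that `host` points into the directive's argument string rather than a copy; presumably that string is pool-allocated and outlives configuration, but that is worth confirming or sidestepping with `ap_pstrdup`.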
@@ -470,6 +479,7 @@
  */
 typedef struct {
     BOOL         bEnabled;
+    array_header *aListen;
     char        *szCertificateFile;
     char        *szKeyFile;
     char        *szCACertificatePath;
@@ -537,6 +547,7 @@
 const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, char *, int flag);
+const char  *ssl_cmd_SSLListen(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
Index: src/modules/ssl/ssl_engine_config.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.51
diff -u -r1.51 ssl_engine_config.c
--- src/modules/ssl/ssl_engine_config.c 1999/04/16 07:35:58     1.51
+++ src/modules/ssl/ssl_engine_config.c 1999/04/16 08:40:49
@@ -184,6 +184,7 @@
 
     sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
     sc->bEnabled               = UNSET;
+    sc->aListen                = ap_make_array(p, 4, sizeof(SSLListen));
     sc->szCertificateFile      = NULL;
     sc->szKeyFile              = NULL;
     sc->szCACertificatePath    = NULL;
@@ -225,6 +226,7 @@
     SSLSrvConfigRec *new  = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec));
 
     cfgMergeBool(bEnabled);
+    cfgMergeArray(aListen);
     cfgMergeString(szCertificateFile);
     cfgMergeString(szKeyFile);
     cfgMergeString(szCACertificatePath);
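Review bot: `cfgMergeArray(aListen)` merges a restriction list, and the outcome depends on what that macro does when both the base and the virtual-host config hold entries — if it appends, a `<VirtualHost>` with its own `SSLListen` also inherits the global entries, which widens rather than narrows the restriction. I cannot see the macro from this hunk, so this is a question rather than a defect. A one-line comment stating the intended semantics, e.g. `/* SSLListen: vhost entries override the global ones */` (or the opposite), would settle it for readers.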
@@ -398,6 +400,49 @@
     }
     else
         return "SSLPassPhraseDialog: Invalid argument";
+    return NULL;
+}
+
+const char *ssl_cmd_SSLListen(
+    cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    SSLListen *entry;
+    char *cpPort;
+    unsigned int port;
+    char *host;
+
+    cpPort = strchr(arg, ':');
+    if (cpPort != NULL) {
+        if (cpPort == arg)
+            return ap_pstrcat(cmd->pool, "SSLListen: Missing IP address in `",
+                              arg, "'", NULL);
+        else if (cpPort[1] == NUL)
+            return ap_pstrcat(cmd->pool, "SSLListen: Address `", arg, "' doesn't"
+                              "end in `:<port-number>'", NULL);
+        *(cpPort++) = NUL;
+    }
+    else {
+        cpPort = arg;
+    }
+    if (strEQ(cpPort, "*"))
+        port = 0;
+    else {
+        port = atoi(cpPort);
+        if (port <= 0 || port >= 65536)
+            return ap_pstrcat(cmd->pool, "SSLListen: The port number `", cpPort, 
+                  "' is outside the appropriate range (i.e., 1..65535).", NULL);
+    }
+
+    if (cpPort != arg)
+        host = arg;
+    else 
+        host = NULL;
+    
+    entry = ap_push_array(sc->aListen);
+    entry->host = host;
+    entry->port = port;
+
     return NULL;
 }
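Review bot: `port = atoi(cpPort)` silently accepts trailing garbage (`443x` parses as 443) and cannot distinguish `0` from a non-numeric string, so the range check after it only catches part of the bad input; `strtol` with an end-pointer check gives full validation from the same header `atoi` already needs. Two smaller issues in the same function: the error text in the `cpPort[1] == NUL` branch concatenates `"doesn't"` and `"end in"` into `doesn'tend in` (a trailing space is missing), and a host written as `*` is stored literally rather than as `NULL`, although the kernel side prints a `NULL` host as `*` — if `*:port` is meant to be accepted, map it to `NULL` here. The rewritten port handling and the host mapping:
```c
    if (strEQ(cpPort, "*"))
        port = 0;
    else {
        char *cpEnd;
        long lPort = strtol(cpPort, &cpEnd, 10);
        /* reject empty, non-numeric, trailing-garbage and out-of-range values */
        if (*cpPort == NUL || *cpEnd != NUL || lPort <= 0 || lPort >= 65536)
            return ap_pstrcat(cmd->pool, "SSLListen: The port number `", cpPort,
                  "' is outside the appropriate range (i.e., 1..65535).", NULL);
        port = (unsigned int)lPort;
    }

    /* … unchanged: host selection (NULL when no host: part was given) … */
    if (host != NULL && strEQ(host, "*"))
        host = NULL;                      /* `*' means any host, same as NULL */
```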
 
Index: src/modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.80
diff -u -r1.80 ssl_engine_kernel.c
--- src/modules/ssl/ssl_engine_kernel.c 1999/04/16 07:35:58     1.80
+++ src/modules/ssl/ssl_engine_kernel.c 1999/04/16 08:40:50
@@ -116,6 +116,31 @@
 **  _________________________________________________________________
 */
 
+static int ssl_ConnectionEnabled(server_rec *s, pool *p)
+{
+    SSLSrvConfigRec *sc;
+    array_header *apListen;
+    SSLListen *apListenList;
+    SSLListen *pListen;
+    int rc;
+    int i;
+
+    ssl_log(s, SSL_LOG_INFO, "this server: %s", ssl_util_vhostid(p, s));
+    rc = TRUE;
+    sc = mySrvConfig(s);
+    apListen = sc->aListen;
+    apListenList = (SSLListen *)apListen->elts;
+    for (i = 0; i < apListen->nelts; i++) {
+        pListen = &apListenList[i];
+        ssl_log(s, SSL_LOG_INFO, "test server: %s:%s => %s",
+                pListen->host != NULL ? pListen->host : "*",
+                pListen->port != 0    ? ap_psprintf(p, "%d", pListen->port) : "*",
+                ap_matches_server_vhost(s, pListen->host != NULL ?
+                    pListen->host : s->server_hostname, pListen->port) ? "yes" : 
+"no");
+    }
+    return rc;
+}
+
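Review bot: `ssl_ConnectionEnabled` never changes `rc` from `TRUE`, so the `ap_matches_server_vhost` result is only logged and every connection to an `SSLEngine on` server is still accepted regardless of `SSLListen`; the directive is parsed and merged but not enforced. The mail says the matching is unfinished, but as committed the directive gives a false sense of restriction, so at minimum the function should return `FALSE` when `aListen` is non-empty and no entry matches, and the per-connection `SSL_LOG_INFO` lines (an `ssl_util_vhostid` call plus an `ap_psprintf` per entry on every connection) should drop to debug level or go. Separately, matching against `s->server_hostname` and the ServerAlias names tests the virtual host's configured names rather than the local address and port the connection actually arrived on, which is presumably what a `Listen`-like directive is meant to restrict; the caller holds `conn`, so the connection's local address would be the natural basis once that matching is written. A minimal enforcing version of the loop:
```c
    rc = TRUE;
    sc = mySrvConfig(s);
    apListen = sc->aListen;
    apListenList = (SSLListen *)apListen->elts;
    if (apListen->nelts > 0) {
        /* with restrictions configured, at least one entry must match */
        rc = FALSE;
        for (i = 0; i < apListen->nelts; i++) {
            pListen = &apListenList[i];
            if (ap_matches_server_vhost(s, pListen->host != NULL ?
                    pListen->host : s->server_hostname, pListen->port)) {
                rc = TRUE;
                break;
            }
        }
    }
    return rc;
```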
 /*
  *  Connect Handler:
  *  Connect SSL to the accepted socket
@@ -153,6 +178,8 @@
      * is disabled for this connection
      */
     if (sc == NULL || !sc->bEnabled)
+        return;
+    if (!ssl_ConnectionEnabled(srvr, conn->pool))
         return;
 
     /*
Index: src/support/httpd.exp
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/support/httpd.exp,v
retrieving revision 1.5
diff -u -r1.5 httpd.exp
--- src/support/httpd.exp       1999/03/21 12:00:13     1.5
+++ src/support/httpd.exp       1999/03/21 12:22:33
@@ -361,6 +361,7 @@
 ap_vsnprintf
 core_module
 top_module
+ap_matches_server_vhost
 ap_add_config_define
 ap_global_ctx
 ap_ctx_new