|
|
@ -1,177 +0,0 @@ |
|
|
|
--- a/modules/ssl/mod_ssl.c
|
|
|
|
+++ b/modules/ssl/mod_ssl.c
|
|
|
|
@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void)
|
|
|
|
|
|
|
|
static apr_status_t ssl_cleanup_pre_config(void *data) |
|
|
|
{ |
|
|
|
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
|
|
/* |
|
|
|
* Try to kill the internals of the SSL library. |
|
|
|
*/ |
|
|
|
@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL |
|
|
|
#ifndef OPENSSL_NO_COMP |
|
|
|
SSL_COMP_free_compression_methods(); |
|
|
|
-#endif
|
|
|
|
#endif |
|
|
|
|
|
|
|
/* Usually needed per thread, but this parent process is single-threaded */ |
|
|
|
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL |
|
|
|
ERR_remove_thread_state(NULL); |
|
|
|
#else |
|
|
|
@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
|
|
|
|
* (when enabled) at this late stage in the game: |
|
|
|
* CRYPTO_mem_leaks_fp(stderr); |
|
|
|
*/ |
|
|
|
+#endif
|
|
|
|
return APR_SUCCESS; |
|
|
|
} |
|
|
|
|
|
|
|
@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
|
|
|
|
#else |
|
|
|
OPENSSL_malloc_init(); |
|
|
|
#endif |
|
|
|
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
|
|
|
ERR_load_crypto_strings(); |
|
|
|
SSL_load_error_strings(); |
|
|
|
SSL_library_init(); |
|
|
|
+ OpenSSL_add_all_algorithms();
|
|
|
|
+ OPENSSL_load_builtin_modules();
|
|
|
|
+#endif
|
|
|
|
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES |
|
|
|
ENGINE_load_builtin_engines(); |
|
|
|
#endif |
|
|
|
- OpenSSL_add_all_algorithms();
|
|
|
|
- OPENSSL_load_builtin_modules();
|
|
|
|
|
|
|
|
if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { |
|
|
|
(void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", |
|
|
|
--- a/modules/ssl/ssl_engine_init.c
|
|
|
|
+++ b/modules/ssl/ssl_engine_init.c
|
|
|
|
@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
|
|
|
|
|
|
|
|
return 1; |
|
|
|
} |
|
|
|
+
|
|
|
|
+#define OpenSSL_version_num SSLeay
|
|
|
|
#endif |
|
|
|
|
|
|
|
/* |
|
|
|
@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
|
|
apr_status_t rv; |
|
|
|
apr_array_header_t *pphrases; |
|
|
|
|
|
|
|
- if (SSLeay() < MODSSL_LIBRARY_VERSION) {
|
|
|
|
+ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {
|
|
|
|
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) |
|
|
|
"Init: this version of mod_ssl was compiled against " |
|
|
|
"a newer library (%s, version currently loaded is %s)" |
|
|
|
--- a/modules/ssl/ssl_engine_io.c
|
|
|
|
+++ b/modules/ssl/ssl_engine_io.c
|
|
|
|
@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
|
|
|
|
if (dc->proxy->ssl_check_peer_expire != FALSE) { |
|
|
|
if (!cert |
|
|
|
|| (X509_cmp_current_time( |
|
|
|
- X509_get_notBefore(cert)) >= 0)
|
|
|
|
+ X509_get0_notBefore(cert)) >= 0)
|
|
|
|
|| (X509_cmp_current_time( |
|
|
|
- X509_get_notAfter(cert)) <= 0)) {
|
|
|
|
+ X509_get0_notAfter(cert)) <= 0)) {
|
|
|
|
proxy_ssl_check_peer_ok = FALSE; |
|
|
|
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004) |
|
|
|
"SSL Proxy: Peer certificate is expired"); |
|
|
|
--- a/modules/ssl/ssl_engine_log.c
|
|
|
|
+++ b/modules/ssl/ssl_engine_log.c
|
|
|
|
@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level,
|
|
|
|
BIO_puts(bio, "(ERROR)"); |
|
|
|
|
|
|
|
BIO_puts(bio, " / notbefore: "); |
|
|
|
- ASN1_TIME_print(bio, X509_get_notBefore(cert));
|
|
|
|
+ ASN1_TIME_print(bio, X509_get0_notBefore(cert));
|
|
|
|
|
|
|
|
BIO_puts(bio, " / notafter: "); |
|
|
|
- ASN1_TIME_print(bio, X509_get_notAfter(cert));
|
|
|
|
+ ASN1_TIME_print(bio, X509_get0_notAfter(cert));
|
|
|
|
|
|
|
|
BIO_puts(bio, "]"); |
|
|
|
|
|
|
|
--- a/modules/ssl/ssl_engine_vars.c
|
|
|
|
+++ b/modules/ssl/ssl_engine_vars.c
|
|
|
|
@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
|
|
|
|
result = ssl_var_lookup_ssl_cert_serial(p, xs); |
|
|
|
} |
|
|
|
else if (strcEQ(var, "V_START")) { |
|
|
|
- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));
|
|
|
|
+ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs));
|
|
|
|
} |
|
|
|
else if (strcEQ(var, "V_END")) { |
|
|
|
- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));
|
|
|
|
+ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs));
|
|
|
|
} |
|
|
|
else if (strcEQ(var, "V_REMAIN")) { |
|
|
|
- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
|
|
|
|
+ result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs));
|
|
|
|
resdup = FALSE; |
|
|
|
} |
|
|
|
else if (*var && strcEQ(var+1, "_DN")) { |
|
|
|
--- a/modules/ssl/ssl_private.h
|
|
|
|
+++ b/modules/ssl/ssl_private.h
|
|
|
|
@@ -92,6 +92,8 @@
|
|
|
|
#include <openssl/x509.h> |
|
|
|
#include <openssl/pem.h> |
|
|
|
#include <openssl/crypto.h> |
|
|
|
+#include <openssl/bn.h>
|
|
|
|
+#include <openssl/dh.h>
|
|
|
|
#include <openssl/evp.h> |
|
|
|
#include <openssl/rand.h> |
|
|
|
#include <openssl/x509v3.h> |
|
|
|
@@ -234,6 +236,10 @@
|
|
|
|
#define BIO_get_shutdown(x) (x->shutdown) |
|
|
|
#define BIO_set_shutdown(x,v) (x->shutdown=v) |
|
|
|
#define DH_bits(x) (BN_num_bits(x->p)) |
|
|
|
+#define X509_get0_notBefore X509_get_notBefore
|
|
|
|
+#define X509_get0_notAfter X509_get_notAfter
|
|
|
|
+#define X509_getm_notBefore X509_get_notBefore
|
|
|
|
+#define X509_getm_notAfter X509_get_notAfter
|
|
|
|
#else |
|
|
|
void init_bio_methods(void); |
|
|
|
void free_bio_methods(void); |
|
|
|
--- a/support/ab.c
|
|
|
|
+++ b/support/ab.c
|
|
|
|
@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
|
|
|
|
#define SSL_CTX_set_max_proto_version(ctx, version) \ |
|
|
|
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) |
|
|
|
#endif |
|
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
|
+#define X509_get0_notBefore X509_get_notBefore
|
|
|
|
+#define X509_get0_notAfter X509_get_notAfter
|
|
|
|
+#endif
|
|
|
|
#endif |
|
|
|
|
|
|
|
#include <math.h> |
|
|
|
@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert)
|
|
|
|
|
|
|
|
BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1); |
|
|
|
BIO_printf(bio,"Valid from: "); |
|
|
|
- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
|
|
|
|
+ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));
|
|
|
|
BIO_printf(bio,"\n"); |
|
|
|
|
|
|
|
BIO_printf(bio,"Valid to : "); |
|
|
|
- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
|
|
|
|
+ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));
|
|
|
|
BIO_printf(bio,"\n"); |
|
|
|
|
|
|
|
pk = X509_get_pubkey(cert); |
|
|
|
@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[])
|
|
|
|
CRYPTO_malloc_init(); |
|
|
|
#endif |
|
|
|
#endif |
|
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
|
SSL_load_error_strings(); |
|
|
|
SSL_library_init(); |
|
|
|
+#endif
|
|
|
|
bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); |
|
|
|
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); |
|
|
|
|