author | Joe Orton <jorton@apache.org> | 2021-05-21 09:58:14 +0000 |
committer | Joe Orton <jorton@apache.org> | 2021-05-21 09:58:14 +0000 |
commit | 9ce47de74a7b7746107c4eced3abd5985baf690f (patch) | |
tree | 2255717348fd9bad477846a18a61273cf30a8782 /modules/ssl | |
parent | 0dbc5ca0769aa35f0b956294b2c85726d3ea6466 (diff) | |
mod_ssl: Switch to using OpenSSL's automatic internal DH parameter
generation from OpenSSL 1.1.0 and later. The
SSL_set_tmp_dh_callback() API is deprecated from OpenSSL 3.0 onwards.
Should not be a user-visible change (except mod_ssl gets smaller).
* modules/ssl/ssl_private.h,
modules/ssl/ssl_engine_kernel.c,
modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
Drop internal DH parameter generation and callback for OpenSSL 1.1+,
use SSL_CTX_set_dh_auto(, 1) instead.
Github: closes #188
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890067 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/ssl')
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 14 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 2 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 2 |
3 files changed, 14 insertions, 4 deletions
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6ecc5df69b..bd11f975f7 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -92,7 +92,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 return 1;
 }
-#endif
 /*
 * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
@@ -172,6 +171,7 @@ DH *modssl_get_dh_params(unsigned keylen)
 return NULL; /* impossible to reach. */
 }
+#endif
 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, server_rec *s)
@@ -456,8 +456,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 init_dh_params();
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+#else
 init_bio_methods();
 #endif
@@ -918,7 +919,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
 {
 SSL_CTX *ctx = mctx->ssl_ctx;
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+#else
+ SSL_CTX_set_dh_auto(ctx, 1);
+#endif
 /* The info callback is used for debug-level tracing. For OpenSSL
 * versions where SSL_OP_NO_RENEGOTIATION is not available, the
@@ -2361,10 +2366,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
 }
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ free_dh_params();
+#else
 free_bio_methods();
 #endif
- free_dh_params();
 return APR_SUCCESS;
 }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 8e7437bf6c..eb97f6b64f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1704,6 +1704,7 @@ const authz_provider ssl_authz_provider_verify_client =
 ** _________________________________________________________________
 */
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /*
 * Hand out standard DH parameters, based on the authentication strength
 */
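Review bot: The unconditional `SSL_CTX_set_dh_auto(ctx, 1);` added in the ssl_init_ctx_callbacks hunk (@@ -918) is applied to every server context, but as far as I recall OpenSSL 1.1.x and 3.0 consult the auto flag before any parameters installed with SSL_CTX_set_tmp_dh(), so operator-supplied DH parameters appended to SSLCertificateFile (loaded in ssl_init_server_certs, outside this diff, if that path is unchanged) would be silently ignored — a user-visible change that the commit message says should not happen. A safer placement is to enable auto selection only where no custom parameters were read, i.e. in the else branch of that check, `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);`, so an explicitly configured group still wins. The return value is also discarded; the call is an SSL_CTX_ctrl() wrapper that reports failure, and logging it (`if (!SSL_CTX_set_dh_auto(ctx, 1)) ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, s);`) is cheaper than discovering later that DHE suites are unavailable on that vhost. ssl_init_ctx_callbacks continues past the end of this hunk.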
@@ -1749,6 +1750,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
 return modssl_get_dh_params(keylen);
 }
+#endif
 /*
 * This OpenSSL callback function is called when OpenSSL
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 67176652cf..7eb9a364b0 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1150,10 +1150,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
 #endif
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /* Retrieve DH parameters for given key length. Return value should
 * be treated as unmutable, since it is stored in process-global
 * memory. */
 DH *modssl_get_dh_params(unsigned keylen);
+#endif
 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
 * is non-NULL and the request is using SSL/TLS, sets *sslconn to the |
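Review bot: The new `#if MODSSL_USE_OPENSSL_PRE_1_1_API` guard in ssl_private.h covers only the modssl_get_dh_params prototype, while ssl_callback_TmpDH, whose definition the ssl_engine_kernel.c hunks at 1704 and 1749 now compile only under the same macro, is presumably still declared unconditionally in that header (the diffstat shows just the two added lines there). A prototype without a definition is harmless today, but it leaves the 1.1+ build free to grow a caller that only fails at link time; wrapping that declaration in the same `#if MODSSL_USE_OPENSSL_PRE_1_1_API` / `#endif` pair keeps the header an accurate map of what each OpenSSL generation provides. The definition of ssl_callback_TmpDH starts before the 1749 hunk.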