MCPcopy Create free account
hub / github.com/apache/httpd / ssl_hook_Access_classic

Function ssl_hook_Access_classic

modules/ssl/ssl_engine_kernel.c:361–906  ·  view source on GitHub ↗

* Access Handler, classic flavour, for SSL/TLS up to v1.2 * where everything can be renegotiated and no one is happy. */

Source from the content-addressed store, hash-verified

359 * where everything can be renegotiated and no one is happy.
360 */
361static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
362 SSLConnRec *sslconn, SSL *ssl)
363{
364 server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
365 SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
366 SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL;
367 BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
368 X509 *peercert;
369 X509_STORE *cert_store = NULL;
370 X509_STORE_CTX *cert_store_ctx;
371 STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
372 const SSL_CIPHER *cipher = NULL;
373 int depth, verify_old, verify, n, rc;
374 const char *ncipher_suite;
375
376#ifdef HAVE_SRP
377 /*
378 * Support for per-directory reconfigured SSL connection parameters
379 *
380 * We do not force any renegotiation if the user is already authenticated
381 * via SRP.
382 *
383 */
384 if (SSL_get_srp_username(ssl)) {
385 return DECLINED;
386 }
387#endif
388
389 /*
390 * Support for per-directory reconfigured SSL connection parameters.
391 *
392 * This is implemented by forcing an SSL renegotiation with the
393 * reconfigured parameter suite. But Apache's internal API processing
394 * makes our life very hard here, because when internal sub-requests occur
395 * we nevertheless should avoid multiple unnecessary SSL handshakes (they
396 * require extra network I/O and especially time to perform).
397 *
398 * But the optimization for filtering out the unnecessary handshakes isn't
399 * obvious and trivial. Especially because while Apache is in its
400 * sub-request processing the client could force additional handshakes,
401 * too. And these take place perhaps without our notice. So the only
402 * possibility is to explicitly _ask_ OpenSSL whether the renegotiation
403 * has to be performed or not. It has to performed when some parameters
404 * which were previously known (by us) are not those we've now
405 * reconfigured (as known by OpenSSL) or (in optimized way) at least when
406 * the reconfigured parameter suite is stronger (more restrictions) than
407 * the currently active one.
408 */
409
410 /*
411 * Override of SSLCipherSuite
412 *
413 * We provide two options here:
414 *
415 * o The paranoid and default approach where we force a renegotiation when
416 * the cipher suite changed in _any_ way (which is straight-forward but
417 * often forces renegotiations too often and is perhaps not what the
418 * user actually wanted).

Callers 1

ssl_hook_AccessFunction · 0.85

Calls 5

ssl_log_ssl_errorFunction · 0.85
fill_reneg_bufferFunction · 0.85
has_buffered_dataFunction · 0.85
modssl_set_reneg_stateFunction · 0.85

Tested by

no test coverage detected