/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*                      _             _
 *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
 * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
 * | | | | | | (_) | (_| |   \__ \__ \ |
 * |_| |_| |_|\___/ \__,_|___|___/___/_|
 *                      |_____|
 *  mod_ssl.c
 *  Apache API interface structures
 */

#include "ssl_private.h"
#include "mod_ssl.h"
#include "util_md5.h"
#include "util_mutex.h"
#include "ap_provider.h"

#include <assert.h>

/*
 *  the table of configuration directives we provide
 *
 *  Each helper expands to one AP_INIT_<args>() entry whose handler is
 *  ssl_cmd_SSL<name>.  The third helper argument is the directive's
 *  override class, which decides where the directive is accepted:
 *
 *    SSL_CMD_ALL  - server config (RSRC_CONF) and per-directory /
 *                   .htaccess when AllowOverride AuthConfig is granted
 *    SSL_CMD_SRV  - server config (RSRC_CONF) only
 *    SSL_CMD_DIR  - per-directory, with the override class given as
 *                   the 'type' argument (OR_<type>)
 */

#define SSL_CMD_ALL(name, args, desc) \
        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                       NULL, RSRC_CONF|OR_AUTHCFG, desc),

#define SSL_CMD_SRV(name, args, desc) \
        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                       NULL, RSRC_CONF, desc),

#define SSL_CMD_DIR(name, type, args, desc) \
        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                       NULL, OR_##type, desc),

/* Terminator of the command table; the core stops at a NULL name. */
#define AP_END_CMD { NULL }

static const command_rec ssl_config_cmds[] = {
    /*
     * Global (main-server) context configuration directives
     */
    SSL_CMD_SRV(PassPhraseDialog, TAKE1,
                "SSL dialog mechanism for the pass phrase query "
                "('builtin', '|/path/to/pipe_program', "
                "or 'exec:/path/to/cgi_program')")
    SSL_CMD_SRV(SessionCache, TAKE1,
                "SSL Session Cache storage "
                "('none', 'nonenotnull', 'dbm:/path/to/file')")
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
    SSL_CMD_SRV(CryptoDevice, TAKE1,
                "SSL external Crypto Device usage "
                "('builtin', '...')")
#endif
    SSL_CMD_SRV(RandomSeed, TAKE23,
                "SSL Pseudo Random Number Generator (PRNG) seeding source "
                "('startup|connect builtin|file:/path|exec:/path [bytes]')")

    /*
     * Per-server context configuration directives
     */
    SSL_CMD_SRV(Engine, TAKE1,
                "SSL switch for the protocol engine "
                "('on', 'off')")
    SSL_CMD_SRV(FIPS, FLAG,
                "Enable FIPS-140 mode "
                "(`on', `off')")
    SSL_CMD_SRV(AllowEmptyFragments, FLAG,
                "Allow empty fragments "
                "(`on', `off')")
    /* SSL_CMD_ALL: the cipher list may also be tightened per directory. */
    SSL_CMD_ALL(CipherSuite, TAKE1,
                "Colon-delimited list of permitted SSL Ciphers "
                "('XXX:...:XXX' - see manual)")
    SSL_CMD_SRV(CertificateFile, TAKE1,
                "SSL Server Certificate file "
                "('/path/to/file' - PEM or DER encoded)")
    SSL_CMD_SRV(CertificateKeyFile, TAKE1,
                "SSL Server Private Key file "
                "('/path/to/file' - PEM or DER encoded)")
    SSL_CMD_SRV(CertificateChainFile, TAKE1,
                "SSL Server CA Certificate Chain file "
                "('/path/to/file' - PEM encoded)")
#ifdef HAVE_TLS_SESSION_TICKETS
    SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
                "TLS session ticket encryption/decryption key file (RFC 5077) "
                "('/path/to/file' - file with 48 bytes of random data)")
#endif
    /* Client-certificate verification settings; SSL_CMD_ALL entries are
     * the ones that may be overridden per directory. */
    SSL_CMD_ALL(CACertificatePath, TAKE1,
                "SSL CA Certificate path "
                "('/path/to/dir' - contains PEM encoded files)")
    SSL_CMD_ALL(CACertificateFile, TAKE1,
                "SSL CA Certificate file "
                "('/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(CADNRequestPath, TAKE1,
                "SSL CA Distinguished Name path "
                "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
    SSL_CMD_SRV(CADNRequestFile, TAKE1,
                "SSL CA Distinguished Name file "
                "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
    SSL_CMD_SRV(CARevocationPath, TAKE1,
                "SSL CA Certificate Revocation List (CRL) path "
                "('/path/to/dir' - contains PEM encoded files)")
    SSL_CMD_SRV(CARevocationFile, TAKE1,
                "SSL CA Certificate Revocation List (CRL) file "
                "('/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(CARevocationCheck, TAKE1,
                "SSL CA Certificate Revocation List (CRL) checking mode")
    SSL_CMD_ALL(VerifyClient, TAKE1,
                "SSL Client verify type "
                "('none', 'optional', 'require', 'optional_no_ca')")
    SSL_CMD_ALL(VerifyDepth, TAKE1,
                "SSL Client verify depth "
                "('N' - number of intermediate certificates)")
    SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
                "SSL Session Cache object lifetime "
                "('N' - number of seconds)")
/* Protocol names offered in the help text; the set depends on the
 * TLS 1.x support detected at build time. */
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
#else
#define SSL_PROTOCOLS "SSLv3|TLSv1"
#endif
    SSL_CMD_SRV(Protocol, RAW_ARGS,
                "Enable or disable various SSL protocols "
                "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")
    SSL_CMD_SRV(Compression, FLAG,
                "Enable SSL level compression "
                "(`on', `off')")
    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                "Enable support for insecure renegotiation")
    SSL_CMD_ALL(UserName, TAKE1,
                "Set user name to SSL variable value")
    SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
                "Strict SNI virtual host checking")

#ifdef HAVE_SRP
    SSL_CMD_SRV(SRPVerifierFile, TAKE1,
                "SRP verifier file "
                "('/path/to/file' - created by srptool)")
    SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
                "SRP seed for unknown users (to avoid leaking a user's existence) "
                "('some secret text')")
#endif

    /*
     * Proxy configuration for remote SSL connections
     */
    SSL_CMD_SRV(ProxyEngine, FLAG,
                "SSL switch for the proxy protocol engine "
                "('on', 'off')")
    SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
               "SSL Proxy: enable or disable SSL protocol flavors "
               "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
    SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
               "SSL Proxy: colon-delimited list of permitted SSL ciphers "
               "('XXX:...:XXX' - see manual)")
    SSL_CMD_SRV(ProxyVerify, TAKE1,
               "SSL Proxy: whether to verify the remote certificate "
               "('on' or 'off')")
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
               "SSL Proxy: maximum certificate verification depth "
               "('N' - number of intermediate certificates)")
    SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
               "SSL Proxy: file containing server certificates "
               "('/path/to/file' - PEM encoded certificates)")
    SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
               "SSL Proxy: directory containing server certificates "
               "('/path/to/dir' - contains PEM encoded certificates)")
    SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
               "SSL Proxy: CA Certificate Revocation List (CRL) path "
               "('/path/to/dir' - contains PEM encoded files)")
    SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
               "SSL Proxy: CA Certificate Revocation List (CRL) file "
               "('/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(ProxyCARevocationCheck, TAKE1,
               "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
    SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
               "SSL Proxy: file containing client certificates "
               "('/path/to/file' - PEM encoded certificates)")
    SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
               "SSL Proxy: directory containing client certificates "
               "('/path/to/dir' - contains PEM encoded certificates)")
    SSL_CMD_SRV(ProxyMachineCertificateChainFile, TAKE1,
               "SSL Proxy: file containing issuing certificates "
               "of the client certificate "
               "(`/path/to/file' - PEM encoded certificates)")
    SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
               "SSL Proxy: check the peer certificate's expiration date")
    SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
               "SSL Proxy: check the peer certificate's CN")
    /* NOTE(review): the help text below is missing its closing ')'. */
    SSL_CMD_SRV(ProxyCheckPeerName, FLAG,
               "SSL Proxy: check the peer certificate's name "
               "(must be present in subjectAltName extension or CN")

    /*
     * Per-directory context configuration directives
     */
    /* NOTE(review): in SSLOptions and SSLRequire the two string literals
     * are concatenated without a separating space. */
    SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
               "Set one or more options to configure the SSL engine"
               "('[+-]option[=value] ...' - see manual)")
    SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
               "Require the SSL protocol for the per-directory context "
               "(no arguments)")
    SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
               "Require a boolean expression to evaluate to true for granting access"
               "(arbitrary complex boolean expression - see manual)")
    SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
                "Configure the amount of memory that will be used for buffering the "
                "request body if a per-location SSL renegotiation is required due to "
                "changed access control requirements")

    /*
     * OCSP revocation checking of client certificates
     */
    SSL_CMD_SRV(OCSPEnable, FLAG,
               "Enable use of OCSP to verify certificate revocation ('on', 'off')")
    SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
               "URL of the default OCSP Responder")
    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
               "Force use of the default responder URL ('on', 'off')")
    SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
                "Maximum time difference in OCSP responses")
    SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
                "Maximum age of OCSP responses")
    SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
                "OCSP responder query timeout")

#ifdef HAVE_OCSP_STAPLING
    /*
     * OCSP Stapling options
     */
    SSL_CMD_SRV(StaplingCache, TAKE1,
                "SSL Stapling Response Cache storage "
                "(`dbm:/path/to/file')")
    SSL_CMD_SRV(UseStapling, FLAG,
                "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
    SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
                "SSL stapling option for maximum time difference in OCSP responses")
    SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
                "SSL stapling option for OCSP responder timeout")
    SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
                "SSL stapling option for maximum age of OCSP responses")
    SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
                "SSL stapling option for normal OCSP Response Cache Lifetime")
    SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
                "SSL stapling switch to return Status Errors Back to Client"
                "(`on', `off')")
    SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
                "SSL stapling switch to send tryLater response to client on error "
                "(`on', `off')")
    SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
                "SSL stapling option for OCSP Response Error Cache Lifetime")
    SSL_CMD_SRV(StaplingForceURL, TAKE1,
                "SSL stapling option to Force the OCSP Stapling URL")
#endif

#ifdef HAVE_SSL_CONF_CMD
    SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
                "OpenSSL configuration command")
#endif

    /* Deprecated directives.  Both are bound to ap_set_deprecated, so any
     * configuration still using them fails at startup with the message
     * below rather than being silently ignored. */
    AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
      "SSLLog directive is no longer supported - use ErrorLog."),
    AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
      "SSLLogLevel directive is no longer supported - use LogLevel."),

    AP_END_CMD
};

/*
 *  the various processing hooks
 */

/*
 * Pool cleanup registered on pconf by ssl_hook_pre_config(): tears down
 * the parts of the OpenSSL library that ssl_hook_pre_config() set up.
 * The sequence below mirrors the initialisation calls in reverse; each
 * step is annotated with the call it undoes.
 *
 * @param data  unused (registered with NULL)
 * @return      always APR_SUCCESS
 */
static apr_status_t ssl_cleanup_pre_config(void *data)
{
    /*
     * Try to kill the internals of the SSL library.
     */
    /* Corresponds to OPENSSL_load_builtin_modules():
     * XXX: borrowed from apps.h, but why not CONF_modules_free()
     * which also invokes CONF_modules_finish()?
     */
    CONF_modules_unload(1);
    /* Corresponds to SSL_library_init: */
    EVP_cleanup();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_cleanup();
#endif
    /* Drop the error queue of the current thread (0 = "this thread"). */
    ERR_remove_state(0);

    /* Don't call ERR_free_strings here; ERR_load_*_strings only
     * actually load the error strings once per process due to static
     * variable abuse in OpenSSL. */

    /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
     * ex_data indices may have been cached in static variables in
     * OpenSSL; removing them may cause havoc.  Notably, with OpenSSL
     * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
     * could result in a per-connection memory leak (!). */

    /*
     * TODO: determine somewhere we can safely shove out diagnostics
     * (when enabled) at this late stage in the game:
     * CRYPTO_mem_leaks_fp(stderr);
     */
    return APR_SUCCESS;
}

/*
 * pre_config hook: initialise OpenSSL for the whole process and register
 * the per-process services mod_ssl provides to other modules.
 *
 * The OpenSSL calls are kept in this order: error strings are loaded
 * before SSL_library_init() so that any failure during the remaining
 * setup can already be reported in readable form.  A pool cleanup
 * (ssl_cleanup_pre_config) is registered on pconf so the library is torn
 * down when the configuration pool is cleared, i.e. on restart.
 *
 * @param pconf  configuration pool; owns the cleanup and registrations
 * @param plog   logging pool (unused here)
 * @param ptemp  temporary pool (unused here)
 * @return       always OK
 */
static int ssl_hook_pre_config(apr_pool_t *pconf,
                               apr_pool_t *plog,
                               apr_pool_t *ptemp)
{
    /* We must register the library in full, to ensure our configuration
     * code can successfully test the SSL environment.
     */
    CRYPTO_malloc_init();
    ERR_load_crypto_strings();
    SSL_load_error_strings();
    SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_load_builtin_engines();
#endif
    OpenSSL_add_all_algorithms();
    OPENSSL_load_builtin_modules();

    /*
     * Let us cleanup the ssl library when the module is unloaded
     */
    apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
                                           apr_pool_cleanup_null);

    /* Register us to handle mod_log_config %c/%x variables */
    ssl_var_log_config_register(pconf);

    /* Register to handle mod_status status page generation */
    ssl_scache_status_register(pconf);

    /* Register mutex type names so they can be configured with Mutex */
    ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
#ifdef HAVE_OCSP_STAPLING
    ap_mutex_register(pconf, SSL_STAPLING_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
#endif

    return OK;
}

/*
 * Return the per-connection SSLConnRec for c, creating and attaching it
 * if none exists yet.
 *
 * A freshly created record is pool-allocated with apr_pcalloc, so every
 * field not set here (is_proxy, disabled, ssl, ...) starts out zero.  The
 * server it is bound to is c->base_server; SNI-based vhost selection, if
 * any, happens elsewhere and is not visible in this file.
 *
 * @param c  the connection
 * @return   the (possibly new) SSLConnRec, never NULL
 */
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);

    if (sslconn) {
        return sslconn;
    }

    sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));

    sslconn->server = c->base_server;
    /* UNSET: the effective verify depth is resolved later from the
     * per-server / per-dir configuration. */
    sslconn->verify_depth = UNSET;

    myConnConfigSet(c, sslconn);

    return sslconn;
}

/*
 * Optional function (exported via APR_REGISTER_OPTIONAL_FN in
 * ssl_register_hooks) used by proxy modules to turn an outgoing
 * connection into an SSL client connection.
 *
 * Succeeds only when SSLProxyEngine is on for the connection's server;
 * otherwise an error is logged and nothing is changed.  On success the
 * connection is marked as a proxy connection and any earlier
 * ssl_engine_disable() on it is reverted (disabled is cleared).
 *
 * @param c  the outgoing connection
 * @return   1 if SSL was enabled for the connection, 0 if the proxy
 *           engine is off
 */
int ssl_proxy_enable(conn_rec *c)
{
    SSLSrvConfigRec *sc;

    SSLConnRec *sslconn = ssl_init_connection_ctx(c);
    sc = mySrvConfig(sslconn->server);

    if (!sc->proxy_enabled) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
                      "SSL Proxy requested for %s but not enabled "
                      "[Hint: SSLProxyEngine]", sc->vhost_id);

        return 0;
    }

    sslconn->is_proxy = 1;
    sslconn->disabled = 0;

    return 1;
}

/*
 * Optional function (exported via APR_REGISTER_OPTIONAL_FN in
 * ssl_register_hooks) that keeps SSL off a connection on which it would
 * otherwise be started, e.g. for plain-text upgrades handled elsewhere.
 *
 * If SSL is not enabled at all for the connection's server there is
 * nothing to disable: no connection record is created and 0 is returned.
 * Otherwise the record is created (if needed) and flagged disabled, which
 * makes ssl_hook_pre_connection() decline the connection.
 *
 * @param c  the connection
 * @return   1 if the connection was flagged disabled, 0 if SSL was not
 *           enabled on its server to begin with
 */
int ssl_engine_disable(conn_rec *c)
{
    SSLSrvConfigRec *sc;

    SSLConnRec *sslconn = myConnConfig(c);

    /* Prefer the server recorded on an existing connection record. */
    if (sslconn) {
        sc = mySrvConfig(sslconn->server);
    }
    else {
        sc = mySrvConfig(c->base_server);
    }
    if (sc->enabled == SSL_ENABLED_FALSE) {
        return 0;
    }

    sslconn = ssl_init_connection_ctx(c);

    sslconn->disabled = 1;

    return 1;
}

/*
 * Create the OpenSSL SSL object for a connection and install the mod_ssl
 * I/O filters.  Called from ssl_hook_pre_connection() for accepted
 * connections (with r == NULL) and from other callers that need SSL on an
 * existing connection.
 *
 * The session id context is set to the MD5 of the vhost id.  OpenSSL only
 * resumes a cached session whose id context matches, so a session
 * negotiated under one virtual host (and its verification settings)
 * cannot be resumed under a different one.
 *
 * @param c  the connection
 * @param r  the request the filters are attached for, or NULL when none
 *           exists yet (passed through to ssl_io_filter_init)
 * @return   APR_SUCCESS on success; DECLINED after an SSL_new() or
 *           SSL_set_session_id_context() failure, in which case the
 *           error is logged and c->aborted is set.  Note the mixed
 *           return conventions (apr_status_t vs. hook status), already
 *           marked XXX below.
 */
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
    SSLSrvConfigRec *sc;
    SSL *ssl;
    SSLConnRec *sslconn = myConnConfig(c);
    char *vhost_md5;
    modssl_ctx_t *mctx;
    server_rec *server;

    if (!sslconn) {
        sslconn = ssl_init_connection_ctx(c);
    }
    server = sslconn->server;
    sc = mySrvConfig(server);

    /*
     * Seed the Pseudo Random Number Generator (PRNG)
     */
    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");

    /* Proxy (client-side) and server connections use separate contexts. */
    mctx = sslconn->is_proxy ? sc->proxy : sc->server;

    /*
     * Create a new SSL connection with the configured server SSL context and
     * attach this to the socket. Additionally we register this attachment
     * so we can detach later.
     */
    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
                      "Unable to create a new SSL connection from the SSL "
                      "context");
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);

        c->aborted = 1;

        return DECLINED; /* XXX */
    }

    vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
                              sc->vhost_id_len);

    /* ap_md5_binary returns the hex encoding, hence APR_MD5_DIGESTSIZE*2. */
    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                    APR_MD5_DIGESTSIZE*2))
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
                      "Unable to set session id context to '%s'", vhost_md5);
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);

        c->aborted = 1;

        return DECLINED; /* XXX */
    }

    /* Let OpenSSL callbacks find their way back to the connection. */
    SSL_set_app_data(ssl, c);
    SSL_set_app_data2(ssl, NULL); /* will be request_rec */

    sslconn->ssl = ssl;

    /* NOTE(review): starts the connection with a clean verify result;
     * the actual client-certificate verification outcome is recorded by
     * the verify callbacks outside this file - confirm before relying on
     * this value elsewhere. */
    SSL_set_verify_result(ssl, X509_V_OK);

    ssl_io_filter_init(c, r, ssl);

    return APR_SUCCESS;
}

/*
 * http_scheme hook: report "https" for requests on servers where SSL is
 * unconditionally enabled.  Returning NULL declines the hook for servers
 * where SSL is off or optional, leaving the scheme to the core default.
 */
static const char *ssl_hook_http_scheme(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
        return NULL;
    }

    return "https";
}

/*
 * default_port hook: companion to ssl_hook_http_scheme(); 443 for servers
 * with SSL unconditionally enabled, 0 (decline) otherwise.
 */
static apr_port_t ssl_hook_default_port(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
        return 0;
    }

    return 443;
}

/*
 * pre_connection hook: decide whether a new connection gets SSL and, if
 * so, set it up.
 *
 * SSL is started when the server has SSLEngine on, or when the connection
 * was already marked as a proxy connection by ssl_proxy_enable().  A
 * connection flagged by ssl_engine_disable() is declined even then.
 * Note that SSL_ENABLED_OPTIONAL does not start SSL here.
 *
 * @param c    the new connection
 * @param csd  the connection's socket (unused here)
 * @return     DECLINED when SSL is not used on this connection, otherwise
 *             the result of ssl_init_ssl_connection()
 */
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
    SSLSrvConfigRec *sc;
    SSLConnRec *sslconn = myConnConfig(c);

    if (sslconn) {
        sc = mySrvConfig(sslconn->server);
    }
    else {
        sc = mySrvConfig(c->base_server);
    }
    /*
     * Immediately stop processing if SSL is disabled for this connection
     */
    if (!(sc && (sc->enabled == SSL_ENABLED_TRUE ||
                 (sslconn && sslconn->is_proxy))))
    {
        return DECLINED;
    }

    /*
     * Create SSL context
     */
    if (!sslconn) {
        sslconn = ssl_init_connection_ctx(c);
    }

    if (sslconn->disabled) {
        return DECLINED;
    }

    /*
     * Log the new connection, then hand over to ssl_init_ssl_connection()
     * which creates the SSL object and installs the I/O filters.
     */

    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
                  "Connection to child %ld established "
                  "(server %s)", c->id, sc->vhost_id);

    return ssl_init_ssl_connection(c, NULL);
}

/*
 *  the module registration phase
 */

/*
 * Register mod_ssl's hooks, filters, optional functions and authz
 * providers.  Hooks run at APR_HOOK_MIDDLE except check_authn, which runs
 * APR_HOOK_FIRST so that the SSL user identity (SSLUserName) is
 * established before other authentication modules see the request.
 */
static void ssl_register_hooks(apr_pool_t *p)
{
    /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
     * run after mod_setenvif's post_read_request hook. */
    static const char *pre_prr[] = { "mod_setenvif.c", NULL };

    ssl_io_filter_register(p);

    ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_test_config   (ssl_hook_ConfigTest,    NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_post_config   (ssl_init_Module,        NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_http_scheme   (ssl_hook_http_scheme,   NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_default_port  (ssl_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_pre_config    (ssl_hook_pre_config,    NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_child_init    (ssl_init_Child,         NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_check_authn   (ssl_hook_UserCheck,     NULL,NULL, APR_HOOK_FIRST,
                           AP_AUTH_INTERNAL_PER_CONF);
    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_check_access  (ssl_hook_Access,        NULL,NULL, APR_HOOK_MIDDLE,
                           AP_AUTH_INTERNAL_PER_CONF);
    ap_hook_check_authz   (ssl_hook_Auth,          NULL,NULL, APR_HOOK_MIDDLE,
                           AP_AUTH_INTERNAL_PER_CONF);
    ap_hook_post_read_request(ssl_hook_ReadReq,     pre_prr,NULL, APR_HOOK_MIDDLE);

    ssl_var_register(p);

    /* Entry points other modules (mod_proxy and friends) look up at runtime. */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);

    /* Authorization providers backing "Require ssl" and
     * "Require ssl-verify-client". */
    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
                              AUTHZ_PROVIDER_VERSION,
                              &ssl_authz_provider_require_ssl,
                              AP_AUTH_INTERNAL_PER_CONF);

    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
                              AUTHZ_PROVIDER_VERSION,
                              &ssl_authz_provider_verify_client,
                              AP_AUTH_INTERNAL_PER_CONF);

}

/* The module record the core loads; config callbacks live in ssl_engine_config.c. */
module AP_MODULE_DECLARE_DATA ssl_module = {
    STANDARD20_MODULE_STUFF,
    ssl_config_perdir_create,   /* create per-dir    config structures */
    ssl_config_perdir_merge,    /* merge  per-dir    config structures */
    ssl_config_server_create,   /* create per-server config structures */
    ssl_config_server_merge,    /* merge  per-server config structures */
    ssl_config_cmds,            /* table of configuration directives   */
    ssl_register_hooks          /* register hooks */
};