/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #include #include #include #include #include #include #include #include "tls_cert.h" #include "tls_proto.h" #include "tls_conf.h" #include "tls_util.h" #include "tls_var.h" #include "tls_cache.h" extern module AP_MODULE_DECLARE_DATA tls_module; APLOG_USE_MODULE(tls); static tls_conf_global_t *conf_global_get_or_make(apr_pool_t *pool, server_rec *s) { tls_conf_global_t *gconf; /* we create this only once for apache's one ap_server_conf. * If this gets called for another server, we should already have * done it for ap_server_conf. */ if (ap_server_conf && s != ap_server_conf) { tls_conf_server_t *sconf = tls_conf_server_get(ap_server_conf); ap_assert(sconf); ap_assert(sconf->global); return sconf->global; } gconf = apr_pcalloc(pool, sizeof(*gconf)); gconf->ap_server = ap_server_conf; gconf->status = TLS_CONF_ST_INIT; gconf->proto = tls_proto_init(pool, s); gconf->proxy_configs = apr_array_make(pool, 10, sizeof(tls_conf_proxy_t*)); gconf->var_lookups = apr_hash_make(pool); tls_var_init_lookup_hash(pool, gconf->var_lookups); gconf->session_cache_spec = "default"; return gconf; } tls_conf_server_t *tls_conf_server_get(server_rec *s) { tls_conf_server_t *sc = ap_get_module_config(s->module_config, &tls_module); ap_assert(sc); return sc; } #define CONF_S_NAME(s) (s && s->server_hostname? s->server_hostname : "default") void *tls_conf_create_svr(apr_pool_t *pool, server_rec *s) { tls_conf_server_t *conf; conf = apr_pcalloc(pool, sizeof(*conf)); conf->global = conf_global_get_or_make(pool, s); conf->server = s; conf->enabled = TLS_FLAG_UNSET; conf->cert_specs = apr_array_make(pool, 3, sizeof(tls_cert_spec_t*)); conf->honor_client_order = TLS_FLAG_UNSET; conf->strict_sni = TLS_FLAG_UNSET; conf->tls_protocol_min = TLS_FLAG_UNSET; conf->tls_pref_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; conf->tls_supp_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; return conf; } #define MERGE_INT(base, add, field) \ (add->field == TLS_FLAG_UNSET)? base->field : add->field; void *tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv) { tls_conf_server_t *base = basev; tls_conf_server_t *add = addv; tls_conf_server_t *nconf; nconf = apr_pcalloc(pool, sizeof(*nconf)); nconf->server = add->server; nconf->global = add->global? add->global : base->global; nconf->enabled = MERGE_INT(base, add, enabled); nconf->cert_specs = apr_array_append(pool, base->cert_specs, add->cert_specs); nconf->tls_protocol_min = MERGE_INT(base, add, tls_protocol_min); nconf->tls_pref_ciphers = add->tls_pref_ciphers->nelts? add->tls_pref_ciphers : base->tls_pref_ciphers; nconf->tls_supp_ciphers = add->tls_supp_ciphers->nelts? add->tls_supp_ciphers : base->tls_supp_ciphers; nconf->honor_client_order = MERGE_INT(base, add, honor_client_order); nconf->client_ca = add->client_ca? add->client_ca : base->client_ca; nconf->client_auth = (add->client_auth != TLS_CLIENT_AUTH_UNSET)? add->client_auth : base->client_auth; nconf->var_user_name = add->var_user_name? add->var_user_name : base->var_user_name; return nconf; } tls_conf_dir_t *tls_conf_dir_get(request_rec *r) { tls_conf_dir_t *dc = ap_get_module_config(r->per_dir_config, &tls_module); ap_assert(dc); return dc; } tls_conf_dir_t *tls_conf_dir_server_get(server_rec *s) { tls_conf_dir_t *dc = ap_get_module_config(s->lookup_defaults, &tls_module); ap_assert(dc); return dc; } void *tls_conf_create_dir(apr_pool_t *pool, char *dir) { tls_conf_dir_t *conf; (void)dir; conf = apr_pcalloc(pool, sizeof(*conf)); conf->std_env_vars = TLS_FLAG_UNSET; conf->proxy_enabled = TLS_FLAG_UNSET; conf->proxy_protocol_min = TLS_FLAG_UNSET; conf->proxy_pref_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; conf->proxy_supp_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; conf->proxy_machine_cert_specs = apr_array_make(pool, 3, sizeof(tls_cert_spec_t*)); return conf; } static int same_proxy_settings(tls_conf_dir_t *a, tls_conf_dir_t *b) { return a->proxy_ca == b->proxy_ca; } static void dir_assign_merge( tls_conf_dir_t *dest, apr_pool_t *pool, tls_conf_dir_t *base, tls_conf_dir_t *add) { tls_conf_dir_t local; memset(&local, 0, sizeof(local)); local.std_env_vars = MERGE_INT(base, add, std_env_vars); local.export_cert_vars = MERGE_INT(base, add, export_cert_vars); local.proxy_enabled = MERGE_INT(base, add, proxy_enabled); local.proxy_ca = add->proxy_ca? add->proxy_ca : base->proxy_ca; local.proxy_protocol_min = MERGE_INT(base, add, proxy_protocol_min); local.proxy_pref_ciphers = add->proxy_pref_ciphers->nelts? add->proxy_pref_ciphers : base->proxy_pref_ciphers; local.proxy_supp_ciphers = add->proxy_supp_ciphers->nelts? add->proxy_supp_ciphers : base->proxy_supp_ciphers; local.proxy_machine_cert_specs = apr_array_append(pool, base->proxy_machine_cert_specs, add->proxy_machine_cert_specs); if (local.proxy_enabled == TLS_FLAG_TRUE) { if (add->proxy_config) { local.proxy_config = same_proxy_settings(&local, add)? add->proxy_config : NULL; } else if (base->proxy_config) { local.proxy_config = same_proxy_settings(&local, base)? add->proxy_config : NULL; } } memcpy(dest, &local, sizeof(*dest)); } void *tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv) { tls_conf_dir_t *base = basev; tls_conf_dir_t *add = addv; tls_conf_dir_t *nconf = apr_pcalloc(pool, sizeof(*nconf)); dir_assign_merge(nconf, pool, base, add); return nconf; } static void tls_conf_dir_set_options_defaults(apr_pool_t *pool, tls_conf_dir_t *dc) { (void)pool; dc->std_env_vars = TLS_FLAG_FALSE; dc->export_cert_vars = TLS_FLAG_FALSE; } apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p) { (void)p; if (sc->enabled == TLS_FLAG_UNSET) sc->enabled = TLS_FLAG_FALSE; if (sc->tls_protocol_min == TLS_FLAG_UNSET) sc->tls_protocol_min = 0; if (sc->honor_client_order == TLS_FLAG_UNSET) sc->honor_client_order = TLS_FLAG_TRUE; if (sc->strict_sni == TLS_FLAG_UNSET) sc->strict_sni = TLS_FLAG_TRUE; if (sc->client_auth == TLS_CLIENT_AUTH_UNSET) sc->client_auth = TLS_CLIENT_AUTH_NONE; return APR_SUCCESS; } apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p) { (void)p; if (dc->std_env_vars == TLS_FLAG_UNSET) dc->std_env_vars = TLS_FLAG_FALSE; if (dc->export_cert_vars == TLS_FLAG_UNSET) dc->export_cert_vars = TLS_FLAG_FALSE; if (dc->proxy_enabled == TLS_FLAG_UNSET) dc->proxy_enabled = TLS_FLAG_FALSE; return APR_SUCCESS; } tls_conf_proxy_t *tls_conf_proxy_make( apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s) { tls_conf_proxy_t *pc = apr_pcalloc(p, sizeof(*pc)); pc->defined_in = s; pc->global = gc; pc->proxy_ca = dc->proxy_ca; pc->proxy_protocol_min = dc->proxy_protocol_min; pc->proxy_pref_ciphers = dc->proxy_pref_ciphers; pc->proxy_supp_ciphers = dc->proxy_supp_ciphers; pc->machine_cert_specs = dc->proxy_machine_cert_specs; pc->machine_certified_keys = apr_array_make(p, 3, sizeof(const rustls_certified_key*)); return pc; } int tls_proxy_section_post_config( apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config) { tls_conf_dir_t *proxy_dc, *server_dc; tls_conf_server_t *sc; /* mod_proxy collects the ... sections per server (base server or virtualhost) * and in its post_config hook, calls our function registered at its hook for each with * s - the server they were define in * section_config - the set of dir_configs for a section * * If none of _our_ config directives had been used, here or in the server, we get a NULL. * Which means we have to do nothing. Otherwise, we add to `proxy_dc` the * settings from `server_dc` - since this is not automagically done by apache. * * `proxy_dc` is then complete and tells us if we handle outgoing connections * here and with what parameter settings. */ (void)ptemp; (void)plog; ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "%s: tls_proxy_section_post_config called", s->server_hostname); proxy_dc = ap_get_module_config(section_config, &tls_module); if (!proxy_dc) goto cleanup; server_dc = ap_get_module_config(s->lookup_defaults, &tls_module); ap_assert(server_dc); dir_assign_merge(proxy_dc, p, server_dc, proxy_dc); tls_conf_dir_apply_defaults(proxy_dc, p); if (proxy_dc->proxy_enabled && !proxy_dc->proxy_config) { /* remember `proxy_dc` for subsequent configuration of outoing TLS setups */ sc = tls_conf_server_get(s); proxy_dc->proxy_config = tls_conf_proxy_make(p, proxy_dc, sc->global, s); ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "%s: adding proxy_conf to globals in proxy_post_config_section", s->server_hostname); APR_ARRAY_PUSH(sc->global->proxy_configs, tls_conf_proxy_t*) = proxy_dc->proxy_config; } cleanup: return OK; } static const char *cmd_check_file(cmd_parms *cmd, const char *fpath) { char *real_path; /* just a dump of the configuration, dont resolve/check */ if (ap_state_query(AP_SQ_RUN_MODE) == AP_SQ_RM_CONFIG_DUMP) { return NULL; } real_path = ap_server_root_relative(cmd->pool, fpath); if (!real_path) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": Invalid file path ", fpath, NULL); } if (!tls_util_is_file(cmd->pool, real_path)) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": file '", real_path, "' does not exist or is empty", NULL); } return NULL; } static const char *tls_conf_add_engine(cmd_parms *cmd, void *dc, const char*v) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); tls_conf_global_t *gc = sc->global; const char *err = NULL; char *host, *scope_id; apr_port_t port; apr_sockaddr_t *sa; server_addr_rec *sar; apr_status_t rv; (void)dc; /* Example of use: * TLSEngine 443 * TLSEngine hostname:443 * TLSEngine 91.0.0.1:443 * TLSEngine [::0]:443 */ rv = apr_parse_addr_port(&host, &scope_id, &port, v, cmd->pool); if (APR_SUCCESS != rv) { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": invalid address/port in '", v, "'", NULL); goto cleanup; } /* translate host/port to a sockaddr that we can match with incoming connections */ rv = apr_sockaddr_info_get(&sa, host, APR_UNSPEC, port, 0, cmd->pool); if (APR_SUCCESS != rv) { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": unable to get sockaddr for '", host, "'", NULL); goto cleanup; } if (scope_id) { #if APR_VERSION_AT_LEAST(1,7,0) rv = apr_sockaddr_zone_set(sa, scope_id); if (APR_SUCCESS != rv) { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": error setting ipv6 scope id: '", scope_id, "'", NULL); goto cleanup; } #else err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": IPv6 scopes not supported by your APR: '", scope_id, "'", NULL); goto cleanup; #endif } sar = apr_pcalloc(cmd->pool, sizeof(*sar)); sar->host_addr = sa; sar->virthost = host; sar->host_port = port; sar->next = gc->tls_addresses; gc->tls_addresses = sar; cleanup: return err; } static int flag_value( const char *arg) { if (!strcasecmp(arg, "On")) { return TLS_FLAG_TRUE; } else if (!strcasecmp(arg, "Off")) { return TLS_FLAG_FALSE; } return TLS_FLAG_UNSET; } static const char *flag_err( cmd_parms *cmd, const char *v) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": value must be 'On' or 'Off': '", v, "'", NULL); } static const char *tls_conf_add_certificate( cmd_parms *cmd, void *dc, const char *cert_file, const char *pkey_file) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err = NULL, *fpath; tls_cert_spec_t *cert; (void)dc; if (NULL != (err = cmd_check_file(cmd, cert_file))) goto cleanup; /* key file may be NULL, in which case cert_file must contain the key PEM */ if (pkey_file && NULL != (err = cmd_check_file(cmd, pkey_file))) goto cleanup; cert = apr_pcalloc(cmd->pool, sizeof(*cert)); fpath = ap_server_root_relative(cmd->pool, cert_file); if (!tls_util_is_file(cmd->pool, fpath)) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": unable to find certificate file: '", fpath, "'", NULL); } cert->cert_file = cert_file; if (pkey_file) { fpath = ap_server_root_relative(cmd->pool, pkey_file); if (!tls_util_is_file(cmd->pool, fpath)) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": unable to find certificate key file: '", fpath, "'", NULL); } } cert->pkey_file = pkey_file; *(const tls_cert_spec_t **)apr_array_push(sc->cert_specs) = cert; cleanup: return err; } static const char *parse_ciphers( cmd_parms *cmd, tls_conf_global_t *gc, const char *nop_name, int argc, char *const argv[], apr_array_header_t *ciphers) { apr_array_clear(ciphers); if (argc > 1 || apr_strnatcasecmp(nop_name, argv[0])) { apr_uint16_t cipher; int i; for (i = 0; i < argc; ++i) { char *name, *last = NULL; const char *value = argv[i]; name = apr_strtok(apr_pstrdup(cmd->pool, value), ":", &last); while (name) { if (tls_proto_get_cipher_by_name(gc->proto, name, &cipher) != APR_SUCCESS) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": cipher not recognized '", name, "'", NULL); } APR_ARRAY_PUSH(ciphers, apr_uint16_t) = cipher; name = apr_strtok(NULL, ":", &last); } } } return NULL; } static const char *tls_conf_set_preferred_ciphers( cmd_parms *cmd, void *dc, int argc, char *const argv[]) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err = NULL; (void)dc; if (!argc) { err = "specify the TLS ciphers to prefer or 'default' for the rustls default ordering."; goto cleanup; } err = parse_ciphers(cmd, sc->global, "default", argc, argv, sc->tls_pref_ciphers); cleanup: return err; } static const char *tls_conf_set_suppressed_ciphers( cmd_parms *cmd, void *dc, int argc, char *const argv[]) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err = NULL; (void)dc; if (!argc) { err = "specify the TLS ciphers to never use or 'none'."; goto cleanup; } err = parse_ciphers(cmd, sc->global, "none", argc, argv, sc->tls_supp_ciphers); cleanup: return err; } static const char *tls_conf_set_honor_client_order( cmd_parms *cmd, void *dc, const char *v) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); int flag = flag_value(v); (void)dc; if (TLS_FLAG_UNSET == flag) return flag_err(cmd, v); sc->honor_client_order = flag; return NULL; } static const char *tls_conf_set_strict_sni( cmd_parms *cmd, void *dc, const char *v) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); int flag = flag_value(v); (void)dc; if (TLS_FLAG_UNSET == flag) return flag_err(cmd, v); sc->strict_sni = flag; return NULL; } static const char *get_min_protocol( cmd_parms *cmd, const char *v, int *pmin) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err = NULL; if (!apr_strnatcasecmp("default", v)) { *pmin = 0; } else if (*v && v[strlen(v)-1] == '+') { char *name = apr_pstrdup(cmd->pool, v); name[strlen(name)-1] = '\0'; *pmin = tls_proto_get_version_by_name(sc->global->proto, name); if (!*pmin) { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": unrecognized protocol version specifier (try TLSv1.2+ or TLSv1.3+): '", v, "'", NULL); goto cleanup; } } else { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": value must be 'default', 'TLSv1.2+' or 'TLSv1.3+': '", v, "'", NULL); goto cleanup; } cleanup: return err; } static const char *tls_conf_set_protocol( cmd_parms *cmd, void *dc, const char *v) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); (void)dc; return get_min_protocol(cmd, v, &sc->tls_protocol_min); } static const char *tls_conf_set_options( cmd_parms *cmd, void *dcv, int argc, char *const argv[]) { tls_conf_dir_t *dc = dcv; const char *err = NULL, *option; int i, val; /* Are we only having deltas (+/-) or do we reset the options? */ for (i = 0; i < argc; ++i) { if (argv[i][0] != '+' && argv[i][0] != '-') { tls_conf_dir_set_options_defaults(cmd->pool, dc); break; } } for (i = 0; i < argc; ++i) { option = argv[i]; if (!apr_strnatcasecmp("Defaults", option)) { dc->std_env_vars = TLS_FLAG_FALSE; dc->export_cert_vars = TLS_FLAG_FALSE; } else { val = TLS_FLAG_TRUE; if (*option == '+' || *option == '-') { val = (*option == '+')? TLS_FLAG_TRUE : TLS_FLAG_FALSE; ++option; } if (!apr_strnatcasecmp("StdEnvVars", option)) { dc->std_env_vars = val; } else if (!apr_strnatcasecmp("ExportCertData", option)) { dc->export_cert_vars = val; } else { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": unknown option '", option, "'", NULL); goto cleanup; } } } cleanup: return err; } static const char *tls_conf_set_session_cache( cmd_parms *cmd, void *dc, const char *value) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err = NULL; (void)dc; if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) goto cleanup; err = tls_cache_set_specification(value, sc->global, cmd->pool, cmd->temp_pool); cleanup: return err; } static const char *tls_conf_set_proxy_engine(cmd_parms *cmd, void *dir_conf, int flag) { tls_conf_dir_t *dc = dir_conf; (void)cmd; dc->proxy_enabled = flag ? TLS_FLAG_TRUE : TLS_FLAG_FALSE; return NULL; } static const char *tls_conf_set_proxy_ca( cmd_parms *cmd, void *dir_conf, const char *proxy_ca) { tls_conf_dir_t *dc = dir_conf; const char *err = NULL; if (strcasecmp(proxy_ca, "default") && NULL != (err = cmd_check_file(cmd, proxy_ca))) goto cleanup; dc->proxy_ca = proxy_ca; cleanup: return err; } static const char *tls_conf_set_proxy_protocol( cmd_parms *cmd, void *dir_conf, const char *v) { tls_conf_dir_t *dc = dir_conf; return get_min_protocol(cmd, v, &dc->proxy_protocol_min); } static const char *tls_conf_set_proxy_preferred_ciphers( cmd_parms *cmd, void *dir_conf, int argc, char *const argv[]) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); tls_conf_dir_t *dc = dir_conf; const char *err = NULL; if (!argc) { err = "specify the proxy TLS ciphers to prefer or 'default' for the rustls default ordering."; goto cleanup; } err = parse_ciphers(cmd, sc->global, "default", argc, argv, dc->proxy_pref_ciphers); cleanup: return err; } static const char *tls_conf_set_proxy_suppressed_ciphers( cmd_parms *cmd, void *dir_conf, int argc, char *const argv[]) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); tls_conf_dir_t *dc = dir_conf; const char *err = NULL; if (!argc) { err = "specify the proxy TLS ciphers to never use or 'none'."; goto cleanup; } err = parse_ciphers(cmd, sc->global, "none", argc, argv, dc->proxy_supp_ciphers); cleanup: return err; } #if TLS_CLIENT_CERTS static const char *tls_conf_set_client_ca( cmd_parms *cmd, void *dc, const char *client_ca) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err; (void)dc; if (NULL != (err = cmd_check_file(cmd, client_ca))) goto cleanup; sc->client_ca = client_ca; cleanup: return err; } static const char *tls_conf_set_client_auth( cmd_parms *cmd, void *dc, const char *mode) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); const char *err = NULL; (void)dc; if (!strcasecmp(mode, "required")) { sc->client_auth = TLS_CLIENT_AUTH_REQUIRED; } else if (!strcasecmp(mode, "optional")) { sc->client_auth = TLS_CLIENT_AUTH_OPTIONAL; } else if (!strcasecmp(mode, "none")) { sc->client_auth = TLS_CLIENT_AUTH_NONE; } else { err = apr_pstrcat(cmd->pool, cmd->cmd->name, ": unknown value: '", mode, "', use required/optional/none.", NULL); } return err; } static const char *tls_conf_set_user_name( cmd_parms *cmd, void *dc, const char *var_user_name) { tls_conf_server_t *sc = tls_conf_server_get(cmd->server); (void)dc; sc->var_user_name = var_user_name; return NULL; } #endif /* if TLS_CLIENT_CERTS */ #if TLS_MACHINE_CERTS static const char *tls_conf_add_proxy_machine_certificate( cmd_parms *cmd, void *dir_conf, const char *cert_file, const char *pkey_file) { tls_conf_dir_t *dc = dir_conf; const char *err = NULL, *fpath; tls_cert_spec_t *cert; (void)dc; if (NULL != (err = cmd_check_file(cmd, cert_file))) goto cleanup; /* key file may be NULL, in which case cert_file must contain the key PEM */ if (pkey_file && NULL != (err = cmd_check_file(cmd, pkey_file))) goto cleanup; cert = apr_pcalloc(cmd->pool, sizeof(*cert)); fpath = ap_server_root_relative(cmd->pool, cert_file); if (!tls_util_is_file(cmd->pool, fpath)) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": unable to find certificate file: '", fpath, "'", NULL); } cert->cert_file = cert_file; if (pkey_file) { fpath = ap_server_root_relative(cmd->pool, pkey_file); if (!tls_util_is_file(cmd->pool, fpath)) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": unable to find certificate key file: '", fpath, "'", NULL); } } cert->pkey_file = pkey_file; *(const tls_cert_spec_t **)apr_array_push(dc->proxy_machine_cert_specs) = cert; cleanup: return err; } #endif /* if TLS_MACHINE_CERTS */ const command_rec tls_conf_cmds[] = { AP_INIT_TAKE12("TLSCertificate", tls_conf_add_certificate, NULL, RSRC_CONF, "Add a certificate to the server by specifying a file containing the " "certificate PEM, followed by its chain PEMs. The PEM of the key must " "either also be there or can be given as a separate file."), AP_INIT_TAKE_ARGV("TLSCiphersPrefer", tls_conf_set_preferred_ciphers, NULL, RSRC_CONF, "Set the TLS ciphers to prefer when negotiating with a client."), AP_INIT_TAKE_ARGV("TLSCiphersSuppress", tls_conf_set_suppressed_ciphers, NULL, RSRC_CONF, "Set the TLS ciphers to never use when negotiating with a client."), AP_INIT_TAKE1("TLSHonorClientOrder", tls_conf_set_honor_client_order, NULL, RSRC_CONF, "Set 'on' to have the server honor client preferences in cipher suites, default off."), AP_INIT_TAKE1("TLSEngine", tls_conf_add_engine, NULL, RSRC_CONF, "Specify an address+port where the module shall handle incoming TLS connections."), AP_INIT_TAKE_ARGV("TLSOptions", tls_conf_set_options, NULL, OR_OPTIONS, "En-/disables optional features in the module."), AP_INIT_TAKE1("TLSProtocol", tls_conf_set_protocol, NULL, RSRC_CONF, "Set the minimum TLS protocol version to use."), AP_INIT_TAKE1("TLSStrictSNI", tls_conf_set_strict_sni, NULL, RSRC_CONF, "Set strictness of client server name (SNI) check against hosts, default on."), AP_INIT_TAKE1("TLSSessionCache", tls_conf_set_session_cache, NULL, RSRC_CONF, "Set which cache to use for TLS sessions."), AP_INIT_FLAG("TLSProxyEngine", tls_conf_set_proxy_engine, NULL, RSRC_CONF|PROXY_CONF, "Enable TLS encryption of outgoing connections in this location/server."), AP_INIT_TAKE1("TLSProxyCA", tls_conf_set_proxy_ca, NULL, RSRC_CONF|PROXY_CONF, "Set the trust anchors for certificates from proxied backend servers from a PEM file."), AP_INIT_TAKE1("TLSProxyProtocol", tls_conf_set_proxy_protocol, NULL, RSRC_CONF|PROXY_CONF, "Set the minimum TLS protocol version to use for proxy connections."), AP_INIT_TAKE_ARGV("TLSProxyCiphersPrefer", tls_conf_set_proxy_preferred_ciphers, NULL, RSRC_CONF|PROXY_CONF, "Set the TLS ciphers to prefer when negotiating a proxy connection."), AP_INIT_TAKE_ARGV("TLSProxyCiphersSuppress", tls_conf_set_proxy_suppressed_ciphers, NULL, RSRC_CONF|PROXY_CONF, "Set the TLS ciphers to never use when negotiating a proxy connection."), #if TLS_CLIENT_CERTS AP_INIT_TAKE1("TLSClientCA", tls_conf_set_client_ca, NULL, RSRC_CONF, "Set the trust anchors for client certificates from a PEM file."), AP_INIT_TAKE1("TLSClientCertificate", tls_conf_set_client_auth, NULL, RSRC_CONF, "If TLS client authentication is 'required', 'optional' or 'none'."), AP_INIT_TAKE1("TLSUserName", tls_conf_set_user_name, NULL, RSRC_CONF, "Set the SSL variable to be used as user name."), #endif /* if TLS_CLIENT_CERTS */ #if TLS_MACHINE_CERTS AP_INIT_TAKE12("TLSProxyMachineCertificate", tls_conf_add_proxy_machine_certificate, NULL, RSRC_CONF|PROXY_CONF, "Add a certificate to be used as client certificate on a proxy connection. "), #endif /* if TLS_MACHINE_CERTS */ AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL) };