#define SSL_DECLARE(type)   type
#define SSL_DECLARE_NONSTD(type)   type


const char * ssl_var_lookup (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)
apr_array_header_t * ssl_ext_list (apr_pool_t *p, conn_rec *c, int peer, const char *extension)
int ssl_is_https (conn_rec *)
apr_status_t ssl_get_tls_cb (apr_pool_t *p, conn_rec *c, const char *type, unsigned char **buf, apr_size_t *size)
int ssl_proxy_enable (conn_rec *)
int ssl_engine_disable (conn_rec *)
int ssl_engine_set (conn_rec *, ap_conf_vector_t *, int proxy, int enable)
int ssl_hook_add_cert_files (server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
int ssl_hook_add_fallback_cert_files (server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
int ssl_hook_init_server (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)
int ssl_hook_pre_handshake (conn_rec *c, SSL *ssl, int is_proxy)
int ssl_hook_proxy_post_handshake (conn_rec *c, SSL *ssl)
int ssl_hook_answer_challenge (conn_rec *c, const char *server_name, X509 **pcert, EVP_PKEY **pkey)
int ssl_hook_init_stapling_status (server_rec *s, apr_pool_t *p, X509 *cert, X509 *issuer)
int ssl_hook_get_stapling_status (unsigned char **pder, int *pderlen, conn_rec *c, server_rec *s, X509 *cert)

Macro Definition Documentation

#define SSL_DECLARE(type)   type

#define SSL_DECLARE_NONSTD(type)   type

Function Documentation


◆ ssl_engine_disable()

int ssl_engine_disable (conn_rec *)

◆ ssl_engine_set()

int ssl_engine_set (conn_rec *, ap_conf_vector_t *, int proxy, int enable)

◆ ssl_ext_list()

apr_array_header_t * ssl_ext_list (apr_pool_t *p, conn_rec *c, int peer, const char *extension)

The ssl_ext_list() optional function attempts to build an array of all the values contained in the named X.509 extension. The returned array will be created in the supplied pool. The client certificate is used if peer is non-zero; the server certificate is used otherwise. Extension specifies the extensions to use as a string. This can be one of the "known" long or short names, or a numeric OID, e.g. "", 'nsComment' and 'DN' are all valid. A pointer to an apr_array_header_t structure is returned if at least one matching extension is found, NULL otherwise.

◆ ssl_get_tls_cb()

apr_status_t ssl_get_tls_cb (apr_pool_t *p, conn_rec *c, const char *type, unsigned char **buf, apr_size_t *size)

A function that returns the TLS channel binding data as per RFC5929. A buffer containing the Channel Binding Token for the given type will be allocated from the pool and returned to the caller, along with the size. Returns APR_SUCCESS on success; buf and size are not adjusted on error.

◆ ssl_hook_add_cert_files()

int ssl_hook_add_cert_files (server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)

Lets others add certificate and key files to the given server. For each cert a key must also be added.

cert_files: an array of const char* with the path to the certificate chain
key_files: an array of const char* with the path to the private key file

◆ ssl_hook_add_fallback_cert_files()

int ssl_hook_add_fallback_cert_files (server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)

In case no certificates are available for a server, this lets other modules add a fallback certificate for the time being. Regular requests against this server will be answered with a 503.

cert_files: an array of const char* with the path to the certificate chain
key_files: an array of const char* with the path to the private key file

◆ ssl_hook_answer_challenge()

int ssl_hook_answer_challenge (conn_rec *c, const char *server_name, X509 **pcert, EVP_PKEY **pkey)

On TLS connections that do not relate to a configured virtual host, allow other modules to provide an X509 certificate and EVP_PKEY to be used on the connection. The first hook which does not return DECLINED determines the outcome.

◆ ssl_hook_get_stapling_status()

int ssl_hook_get_stapling_status (unsigned char **pder, int *pderlen, conn_rec *c, server_rec *s, X509 *cert)

Anyone answering positively to ssl_init_stapling_status for a certificate needs to register here and supply the actual OCSP stapling status data (OCSP_RESP) for a new connection. A hook supplying the response data must return APR_SUCCESS. The data is returned as DER-encoded bytes via pder and pderlen. The returned pointer may be NULL, which indicates that the data is (currently) unavailable. If DER data is returned, it MUST come from a response with status OCSP_RESPONSE_STATUS_SUCCESSFUL and a certificate status of V_OCSP_CERTSTATUS_GOOD or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means that errors in OCSP retrieval are to be handled/logged by the hook; mod_ssl does not do this. Any DER bytes returned MUST be allocated via malloc() and ownership passes to mod_ssl: the hook must return a malloc()ed copy of the data it has, which mod_ssl (or OpenSSL) will free.

◆ ssl_hook_init_server()

int ssl_hook_init_server (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)

init_server hook – allow SSL_CTX-specific initialization to be performed by a module for each SSL-enabled server (one at a time)

s: SSL-enabled [virtual] server
p: pconf pool
is_proxy: 1 if this server supports backend connections over SSL/TLS, 0 if it supports client connections over SSL/TLS
ctx: OpenSSL SSL Context for the server

◆ ssl_hook_init_stapling_status()

int ssl_hook_init_stapling_status (server_rec *s, apr_pool_t *p, X509 *cert, X509 *issuer)

During the post_config phase, ask around whether someone wants to provide OCSP stapling status information for the given cert (together with the provided issuer certificate). The first hook which does not return DECLINED promises to take responsibility (and to respond in later calls via the ssl_get_stapling_status hook). If no hook takes over, mod_ssl's own stapling implementation will be applied (if configured).
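The two stapling hooks above define a contract: claim a certificate in init_stapling_status (anything but DECLINED), then for every new connection either hand mod_ssl a malloc()ed DER copy of a SUCCESSFUL response carrying GOOD or REVOKED, or a NULL pointer meaning "unavailable", never an UNKNOWN status. The following added example (not part of httpd or mod_ssl) isolates that decision logic in a stand-alone C function; the cache struct, the cert_id stand-in for the X509 argument, and the locally redefined status constants are constructed so it builds without httpd or OpenSSL headers.

```c
#include <stdlib.h>
#include <string.h>

/* Return codes and OCSP status values. The numbers match httpd's
 * apr_errno.h/httpd.h and OpenSSL's ocsp.h; they are redefined here only
 * so this file builds without those headers. */
#define APR_SUCCESS 0
#define DECLINED    (-1)
#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2
/* One cached OCSP response as a stapling module might keep it per cert.
 * cert_id is a constructed stand-in for the X509 the hook is asked about. */
typedef struct {
    const char *cert_id;
    int resp_status;          /* OCSP_RESPONSE_STATUS_* of the fetched response */
    int cert_status;          /* V_OCSP_CERTSTATUS_* it reports for the cert */
    const unsigned char *der; /* DER bytes of the whole response, or NULL */
    int der_len;
} ocsp_cache_entry;

/* Decision logic an ssl_hook_get_stapling_status implementation would run:
 * answer only for certificates claimed in init_stapling_status, staple only a
 * SUCCESSFUL/GOOD-or-REVOKED response, and hand mod_ssl a malloc()ed copy. */
int stapling_status_from_cache(const ocsp_cache_entry *cache, size_t n,
                               const char *cert_id,
                               unsigned char **pder, int *pderlen)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (strcmp(cache[i].cert_id, cert_id) != 0)
            continue;
        *pder = NULL;                 /* "currently unavailable" unless proven */
        *pderlen = 0;
        if (cache[i].der == NULL
            || cache[i].resp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL
            || (cache[i].cert_status != V_OCSP_CERTSTATUS_GOOD
                && cache[i].cert_status != V_OCSP_CERTSTATUS_REVOKED))
            return APR_SUCCESS;       /* UNKNOWN or a failed fetch: staple nothing */
        *pder = malloc((size_t)cache[i].der_len);
        if (*pder == NULL)
            return APR_SUCCESS;       /* out of memory counts as unavailable */
        memcpy(*pder, cache[i].der, (size_t)cache[i].der_len);
        *pderlen = cache[i].der_len;  /* ownership of *pder now passes to mod_ssl */
        return APR_SUCCESS;
    }
    return DECLINED;                  /* not our cert: let the next hook answer */
}
```

A real hook would wrap this with the conn_rec/server_rec/X509 parameters from the signature above and log the retrieval failures it swallows here, since mod_ssl will not report them.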

◆ ssl_hook_pre_handshake()

int ssl_hook_pre_handshake (conn_rec *c, SSL *ssl, int is_proxy)

pre_handshake hook

c: conn_rec for the new connection from a client or to a backend server
ssl: OpenSSL SSL Connection for the client or backend server
is_proxy: 1 if this handshake is for a backend connection, 0 otherwise

◆ ssl_hook_proxy_post_handshake()

int ssl_hook_proxy_post_handshake (conn_rec *c, SSL *ssl)

proxy_post_handshake hook – allow a module to abort after a successful handshake with the backend server and subsequent peer checks

c: conn_rec for the connection to the backend server
ssl: OpenSSL SSL Connection for the client or backend server

◆ ssl_is_https()

int ssl_is_https (conn_rec *)

An optional function which returns non-zero if the given connection is using SSL/TLS.

◆ ssl_proxy_enable()

int ssl_proxy_enable (conn_rec *)

The ssl_proxy_enable() and ssl_engine_{set,disable}() optional functions are used by mod_proxy to enable use of SSL for outgoing connections.

◆ ssl_var_lookup()

const char * ssl_var_lookup (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)

The ssl_var_lookup() optional function retrieves SSL environment variables. The pool in which to allocate the return value must be non-NULL since httpd 2.5.1. c and/or r may be NULL.

This hook allows modules to look up SSL related variables for a server/connection/request, depending on what they inquire. Some variables will only be available for a connection/request, for example.

p: the pool to allocate a returned value in, MUST be provided
s: the server to inquire a value for, may be NULL
c: the current connection, may be NULL
r: the current request, may be NULL
name: the name of the variable to retrieve, MUST be provided
Returns: the value of the variable, or NULL if not provided/available