Modules | |
| Private | |
| Utilities | |
Macros | |
| #define | SSL_DECLARE(type) type |
| #define | SSL_DECLARE_NONSTD(type) type |
| #define | SSL_DECLARE_DATA |
| #define | SSL_CERT_HOOKS |
Detailed Description
Macro Definition Documentation
◆ SSL_CERT_HOOKS
| #define SSL_CERT_HOOKS |
◆ SSL_DECLARE
| #define SSL_DECLARE | ( | type | ) | type |
◆ SSL_DECLARE_DATA
| #define SSL_DECLARE_DATA |
◆ SSL_DECLARE_NONSTD
| #define SSL_DECLARE_NONSTD | ( | type | ) | type |
Function Documentation
◆ AP_FN_ATTR_NONNULL()
| AP_FN_ATTR_NONNULL | ( | (1, 2, 5) | ) |
◆ ssl_engine_disable()
◆ ssl_engine_set()
| int ssl_engine_set | ( | conn_rec * | , |
| ap_conf_vector_t * | , | ||
| int | proxy, | ||
| int | enable | ||
| ) |
◆ ssl_ext_list()
| apr_array_header_t* ssl_ext_list | ( | apr_pool_t * | p, |
| conn_rec * | c, | ||
| int | peer, | ||
| const char * | extension | ||
| ) |
The ssl_ext_list() optional function attempts to build an array of all the values contained in the named X.509 extension. The returned array will be created in the supplied pool. The client certificate is used if peer is non-zero; the server certificate is used otherwise. Extension specifies the extensions to use as a string. This can be one of the "known" long or short names, or a numeric OID, e.g. "1.2.3.4", 'nsComment' and 'DN' are all valid. A pointer to an apr_array_header_t structure is returned if at least one matching extension is found, NULL otherwise.
◆ ssl_get_tls_cb()
| apr_status_t ssl_get_tls_cb | ( | apr_pool_t * | p, |
| conn_rec * | c, | ||
| const char * | type, | ||
| unsigned char ** | buf, | ||
| apr_size_t * | size | ||
| ) |
A function that returns the TLS channel binding data as per RFC5929. A buffer containing the Channel Binding Token for the given type will be allocated from the pool and returned to the caller, along with the size. Returns APR_SUCCESS on success; buf and size are not adjusted on error.
◆ ssl_hook_add_cert_files()
| int ssl_hook_add_cert_files | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| apr_array_header_t * | cert_files, | ||
| apr_array_header_t * | key_files | ||
| ) |
Lets others add certificate and key files to the given server. For each cert a key must also be added.
- Parameters
-
cert_file and array of const char* with the path to the certificate chain key_file and array of const char* with the path to the private key file
◆ ssl_hook_add_fallback_cert_files()
| int ssl_hook_add_fallback_cert_files | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| apr_array_header_t * | cert_files, | ||
| apr_array_header_t * | key_files | ||
| ) |
In case no certificates are available for a server, this lets other modules add a fallback certificate for the time being. Regular requests against this server will be answered with a 503.
- Parameters
-
cert_file and array of const char* with the path to the certificate chain key_file and array of const char* with the path to the private key file
◆ ssl_hook_answer_challenge()
| int ssl_hook_answer_challenge | ( | conn_rec * | c, |
| const char * | server_name, | ||
| X509 ** | pcert, | ||
| EVP_PKEY ** | pkey | ||
| ) |
On TLS connections that do not relate to a configured virtual host, allow other modules to provide a X509 certificate and EVP_PKEY to be used on the connection. This first hook which does not return DECLINED will determine the outcome.
◆ ssl_hook_get_stapling_status()
| int ssl_hook_get_stapling_status | ( | unsigned char ** | pder, |
| int * | pderlen, | ||
| conn_rec * | c, | ||
| server_rec * | s, | ||
| X509 * | cert | ||
| ) |
Anyone answering positive to ssl_init_stapling_status for a certificate, needs to register here and supply the actual OCSP stapling status data (OCSP_RESP) for a new connection. A hook supplying the response data must return APR_SUCCESS. The data is returned in DER encoded bytes via pder and pderlen. The returned pointer may be NULL, which indicates that data is (currently) unavailable. If DER data is returned, it MUST come from a response with status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means errors in OCSP retrieval are to be handled/logged by the hook and are not done by mod_ssl. Any DER bytes returned MUST be allocated via malloc() and ownership passes to mod_ssl. Meaning, the hook must return a malloced copy of the data it has. mod_ssl (or OpenSSL) will free it.
◆ ssl_hook_init_server()
| int ssl_hook_init_server | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| int | is_proxy, | ||
| SSL_CTX * | ctx | ||
| ) |
init_server hook – allow SSL_CTX-specific initialization to be performed by a module for each SSL-enabled server (one at a time)
- Parameters
-
s SSL-enabled [virtual] server p pconf pool is_proxy 1 if this server supports backend connections over SSL/TLS, 0 if it supports client connections over SSL/TLS ctx OpenSSL SSL Context for the server
◆ ssl_hook_init_stapling_status()
| int ssl_hook_init_stapling_status | ( | server_rec * | s, |
| apr_pool_t * | p, | ||
| X509 * | cert, | ||
| X509 * | issuer | ||
| ) |
During post_config phase, ask around if someone wants to provide OCSP stapling status information for the given cert (with the also provided issuer certificate). The first hook which does not return DECLINED promises to take responsibility (and respond in later calls via hook ssl_get_stapling_status). If no hook takes over, mod_ssl's own stapling implementation will be applied (if configured).
◆ ssl_hook_pre_handshake()
pre_handshake hook
- Parameters
-
c conn_rec for new connection from client or to backend server ssl OpenSSL SSL Connection for the client or backend server is_proxy 1 if this handshake is for a backend connection, 0 otherwise
◆ ssl_hook_proxy_post_handshake()
proxy_post_handshake hook – allow module to abort after successful handshake with backend server and subsequent peer checks
- Parameters
-
c conn_rec for connection to backend server ssl OpenSSL SSL Connection for the client or backend server
◆ ssl_is_https()
An optional function which returns non-zero if the given connection is using SSL/TLS.
◆ ssl_proxy_enable()
The ssl_proxy_enable() and ssl_engine_{set,disable}() optional functions are used by mod_proxy to enable use of SSL for outgoing connections.
◆ ssl_var_lookup()
| const char* ssl_var_lookup | ( | apr_pool_t * | p, |
| server_rec * | s, | ||
| conn_rec * | c, | ||
| request_rec * | r, | ||
| const char * | name | ||
| ) |
The ssl_var_lookup() optional function retrieves SSL environment variables. The pool in which to allocate the return value must be non-NULL since httpd 2.5.1. c and/or r may be NULL.
This hook allows modules to look up SSL related variables for a server/connection/request, depending on what they inquire. Some variables will only be available for a connection/request, for example.
- Parameters
-
p The pool to allocate a returned value in, MUST be provided s The server to inquire a value for, maybe NULL c The current connection, maybe NULL r The current request, maybe NULL name The name of the variable to retrieve, MUST be provided
- Returns
- value or the variable or NULL if not provided/available
