Apache2
tls_core.h File Reference


Data Structures

struct  tls_conf_conn_t
 

Macros

#define TLS_CONN_ST_IS_ENABLED(cc)   (cc && cc->state >= TLS_CONN_ST_CLIENT_HELLO)
 

Enumerations

enum  tls_conn_state_t {
  TLS_CONN_ST_INIT , TLS_CONN_ST_DISABLED , TLS_CONN_ST_CLIENT_HELLO , TLS_CONN_ST_HANDSHAKE ,
  TLS_CONN_ST_TRAFFIC , TLS_CONN_ST_NOTIFIED , TLS_CONN_ST_DONE
}
 

Functions

tls_conf_conn_t * tls_conf_conn_get (conn_rec *c)
 
void tls_conf_conn_set (conn_rec *c, tls_conf_conn_t *cc)
 
int tls_conn_check_ssl (conn_rec *c)
 
apr_status_t tls_core_init (apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
 
apr_status_t tls_core_init_outgoing (apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
 
void tls_core_conn_bind (conn_rec *c, ap_conf_vector_t *dir_conf)
 
void tls_core_conn_disable (conn_rec *c)
 
int tls_core_pre_conn_init (conn_rec *c)
 
apr_status_t tls_core_conn_init (conn_rec *c)
 
apr_status_t tls_core_conn_seen_client_hello (conn_rec *c)
 
apr_status_t tls_core_conn_post_handshake (conn_rec *c)
 
int tls_core_request_check (request_rec *r)
 
apr_status_t tls_core_error (conn_rec *c, rustls_result rr, const char **perrstr)
 
int tls_core_setup_outgoing (conn_rec *c)
 

Macro Definition Documentation

◆ TLS_CONN_ST_IS_ENABLED

#define TLS_CONN_ST_IS_ENABLED (   cc)    (cc && cc->state >= TLS_CONN_ST_CLIENT_HELLO)

Enumeration Type Documentation

◆ tls_conn_state_t

Enumerator
TLS_CONN_ST_INIT 
TLS_CONN_ST_DISABLED 
TLS_CONN_ST_CLIENT_HELLO 
TLS_CONN_ST_HANDSHAKE 
TLS_CONN_ST_TRAFFIC 
TLS_CONN_ST_NOTIFIED 
TLS_CONN_ST_DONE 

Function Documentation

◆ tls_conf_conn_get()

tls_conf_conn_t* tls_conf_conn_get ( conn_rec *c )

◆ tls_conf_conn_set()

void tls_conf_conn_set ( conn_rec *c, tls_conf_conn_t *cc )

◆ tls_conn_check_ssl()

int tls_conn_check_ssl ( conn_rec *c )

◆ tls_core_conn_bind()

void tls_core_conn_bind ( conn_rec *c, ap_conf_vector_t *dir_conf )

Supply a directory configuration for the connection to work with. This may be NULL. This can be called several times during the lifetime of a connection and must not change the current TLS state.

Parameters
c: the connection
dir_conf: optional directory configuration that applies

◆ tls_core_conn_disable()

void tls_core_conn_disable ( conn_rec *c )

Disable TLS on a new connection. Will do nothing on already initialized connections.

Parameters
c: a new connection

◆ tls_core_conn_init()

apr_status_t tls_core_conn_init ( conn_rec *c )

Initialize the module for a TLS enabled connection.

Parameters
c: a new connection

◆ tls_core_conn_post_handshake()

apr_status_t tls_core_conn_post_handshake ( conn_rec *c )

The TLS handshake for the connection has been successfully performed. This means that TLS related properties, such as TLS version and cipher, are known and the props in tls_conf_conn_t of the connection can be set.

◆ tls_core_conn_seen_client_hello()

apr_status_t tls_core_conn_seen_client_hello ( conn_rec *c )

Called when the ClientHello has been received and values from it have been extracted into the tls_conf_conn_t of the connection.

Decides:

  • which server_rec this connection is for (SNI)
  • which application protocol to use (ALPN)

This may be unsuccessful for several reasons: the SNI from the client may not be known, the selected server may have no certificates available, etc. On success, a proper rustls_connection will have been created and set in the tls_conf_conn_t of the connection.

◆ tls_core_error()

apr_status_t tls_core_error ( conn_rec *c, rustls_result rr, const char **perrstr )

A Rustls error happened while processing the connection. Look up an error description, determine the apr_status_t to use for it and remember this as the last error at tls_conf_conn_t.

◆ tls_core_init()

apr_status_t tls_core_init ( apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server )

Initialize the module's global and server specific settings. This runs in Apache's "post-config" phase, meaning the configuration has been read and checked for syntactic and other easily verifiable errors and now it is time to load everything in and make it ready for traffic.

<p> a memory pool staying with us the whole time until the server stops/reloads. <ptemp> a temporary pool as a scratch buffer that will be destroyed shortly after. <base_server> the server for the global configuration, which links via -> next to all contained virtual hosts configured.

◆ tls_core_init_outgoing()

apr_status_t tls_core_init_outgoing ( apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server )

Initialize the module's outgoing connection settings. This runs in Apache's "post-config" phase after mod_proxy.

◆ tls_core_pre_conn_init()

int tls_core_pre_conn_init ( conn_rec *c )

Initialize the tls_conf_conn_t for the connection and decide if TLS is enabled or not.

Returns
OK if enabled, DECLINED otherwise

◆ tls_core_request_check()

int tls_core_request_check ( request_rec *r )

After a request has been read, but before processing is started, we check if everything looks good to us:

  • was an SNI hostname provided by the client when we have vhosts to choose from? If not, we deny it.
  • if the SNI hostname and request host are not the same, are they, from a TLS point of view, 'compatible' enough? For example, if one server requires client certificates and the other does not (or with different settings), such a request will also be denied.

Returns DECLINED if everything is ok, otherwise an HTTP response code to generate an error page for.
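The two decisions described above, modelled on a constructed vhost table as an added example; this is not mod_tls code, and the struct fields, the `vhost_t` table, the `request_check()` name and the choice of 403 as the error status are assumptions made for illustration. Only the enum, the macro and the OK/DECLINED contract come from the header documented here.

```c
#include <string.h>

/* httpd's real values for these return codes: OK 0, DECLINED -1, HTTP_FORBIDDEN 403 */
#define OK 0
#define DECLINED -1
#define HTTP_FORBIDDEN 403

/* connection states and the enabled-check macro as declared in tls_core.h */
typedef enum {
    TLS_CONN_ST_INIT, TLS_CONN_ST_DISABLED, TLS_CONN_ST_CLIENT_HELLO, TLS_CONN_ST_HANDSHAKE,
    TLS_CONN_ST_TRAFFIC, TLS_CONN_ST_NOTIFIED, TLS_CONN_ST_DONE
} tls_conn_state_t;
#define TLS_CONN_ST_IS_ENABLED(cc) (cc && cc->state >= TLS_CONN_ST_CLIENT_HELLO)

/* Minimal stand-in for tls_conf_conn_t: only the fields this example needs (assumed). */
typedef struct { tls_conn_state_t state; const char *sni_hostname; } tls_conf_conn_t;

/* Constructed vhost table; client_cert_required is the TLS property compared here.
 * Hostnames are assumed to be already normalized to lowercase. */
typedef struct { const char *name; int client_cert_required; } vhost_t;
static const vhost_t VHOSTS[] = {
    { "www.example.test",   0 },
    { "admin.example.test", 1 },
};
#define NVHOSTS (sizeof(VHOSTS) / sizeof(VHOSTS[0]))

static const vhost_t *find_vhost(const char *host) {
    for (size_t i = 0; host && i < NVHOSTS; ++i)
        if (strcmp(host, VHOSTS[i].name) == 0) return &VHOSTS[i];
    return NULL;
}

/* Models tls_core_request_check(): DECLINED when the request is acceptable,
 * otherwise an HTTP status for the error page (403 is this example's choice). */
int request_check(const tls_conf_conn_t *cc, const char *request_host) {
    const vhost_t *sni_vh, *req_vh;
    if (!TLS_CONN_ST_IS_ENABLED(cc)) return DECLINED;        /* not a TLS connection */
    if (!cc->sni_hostname)                                   /* no SNI, but vhosts to choose from */
        return NVHOSTS > 1 ? HTTP_FORBIDDEN : DECLINED;
    if (!request_host || strcmp(cc->sni_hostname, request_host) == 0)
        return DECLINED;                                     /* same host, nothing to reconcile */
    sni_vh = find_vhost(cc->sni_hostname);
    req_vh = find_vhost(request_host);
    if (!sni_vh || !req_vh) return HTTP_FORBIDDEN;           /* unknown host: cannot judge compatibility */
    /* differing client-cert requirements make the two hosts TLS-incompatible */
    return sni_vh->client_cert_required == req_vh->client_cert_required ? DECLINED : HTTP_FORBIDDEN;
}

/* Constructed connections: one with SNI for the plain vhost, one without SNI. */
static const tls_conf_conn_t CONN_WWW    = { TLS_CONN_ST_TRAFFIC, "www.example.test" };
static const tls_conf_conn_t CONN_NO_SNI = { TLS_CONN_ST_TRAFFIC, NULL };
```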

◆ tls_core_setup_outgoing()

int tls_core_setup_outgoing ( conn_rec *c )

Determine if we handle the TLS for an outgoing connection or not.

Parameters
c: the connection
Returns
OK if we handle the TLS, DECLINED otherwise.