How to configure Apache-SSL to accept expired client certificates
-----------------------------------------------------------------
[root@oscar apache_1.3.28]# ls -1 ..
apache_1.3.28+ssl_1.49.tar.gz
apache_1.3.28.tar.gz
[root@oscar apache_1.3.28]# /usr/local/bin/patch -p1 < SSLpatch
patching file `Makefile.tmpl'
patching file `configure'
patching file `src/Configuration'
patching file `src/Configuration.tmpl'
patching file `src/Configure'
patching file `src/Makefile.tmpl'
patching file `src/ap/Makefile.tmpl'
patching file `src/include/ap_config.h'
patching file `src/include/ap_mmn.h'
patching file `src/include/buff.h'
patching file `src/include/http_config.h'
patching file `src/include/http_main.h'
patching file `src/include/httpd.h'
patching file `src/main/Makefile.tmpl'
patching file `src/main/buff.c'
patching file `src/main/http_config.c'
patching file `src/main/http_log.c'
patching file `src/main/http_main.c'
patching file `src/main/util_script.c'
patching file `src/modules/standard/Makefile.tmpl'
patching file `src/modules/standard/mod_log_config.c'
patching file `src/modules/standard/mod_so.c'
patching file `src/os/unix/Makefile.tmpl'
patching file `src/support/apachectl'
patching file `src/support/suexec.c'
[root@oscar include]# pwd
/servers/http/src/apache_1.3.28/src/include
[root@oscar include]# diff gcache.h gcache.h.orig
3,8d2
< #ifdef DEBUG_GCACHE
< #define DPRINTF fprintf
< #else
< #define DPRINTF
< #endif
<
12,13c6
< GET_FROM_CACHE,
< EXPIRE_CACHE_ENTRY
---
> GET_FROM_CACHE
25,26d17
< /* added EXPIRE_CACHE_ENTRY command */
<
30,31d20
< void CacheExpire(uchar *aucKey, int nKey);
<
35,36d23
< void LocalCacheExpireKey(uchar *aucKey, int nLength);
<
41,42d27
<
< void GlobalCacheExpireKey(uchar *aucKey, int nKey);
[root@oscar ssl]# pwd
/servers/http/src/apache_1.3.28/src/modules/ssl
[root@oscar ssl]# diff apache_ssl.c apache_ssl.c.orig
75,88d74
< /* #define DPRINTF fprintf */
< #ifdef DONT_USE_LOCAL_CACHE
< #define NO_LOCAL_CACHE
< #endif
<
< /*
< #ifdef ACCEPT_EXPIRED_CERT
< #define ACCEPT_EXPIRED_CERTIFICATES 1
< #elseif
< #define ACCEPT_EXPIRED_CERTIFICATES 0
< #endif
< */
< #define ACCEPT_EXPIRED_CERTIFICATES 1
<
233,235d218
< #if ACCEPT_EXPIRED_CERTIFICATES
< BOOL bAcceptExpiredCertificates;
< #endif
263,266d245
< #if ACCEPT_EXPIRED_CERTIFICATES
< int UserCertExpired = 0;
< #endif
<
528,537d506
< #if ACCEPT_EXPIRED_CERTIFICATES
< UserCertExpired = 0;
< if (pConfig->bAcceptExpiredCertificates) {
< if (error == X509_V_ERR_CERT_HAS_EXPIRED) {
< fprintf (stderr, "Certificate: %s has expired, but what the heck, I'll accept it anyway\n", X509_NAME_oneline (X509_get_subject_name (xs), NULL, 0));
< ok=1;
< UserCertExpired = 1;
< }
< }
< #endif
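Review bot: The buffer returned by `X509_NAME_oneline(..., NULL, 0)` on the `fprintf` line is heap-allocated by OpenSSL and is never released, so every accepted expired certificate leaks it; keep it in a local, log it, then `OPENSSL_free` it, and prefer the server error log over raw `stderr`. `UserCertExpired` is a file-scope global (hunk `263,266d245`) that is reset at the top of this hunk; if this is the per-certificate verify callback, an expired CA certificate accepted at depth 1 is forgotten again when the leaf is checked, and a resumed session never enters the callback at all, so the value later exported as `SSL_CLIENT_CERTIFICATE_VALIDITY` in hunk `970,975c939` can be stale from an earlier handshake in the same child. Carry the flag in per-connection state instead, and consider limiting the override to the depth-0 certificate if that is the intent. The enclosing function starts and ends outside the hunk; note the diffs are taken against `.orig`, so the `<` lines are the new code.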
967c936
<
---
> /*
970,975c939
< #if ACCEPT_EXPIRED_CERTIFICATES
< /* if flag was set, indicating that user certificate had expired, we set */
< /* an environtment variable for CGI environment */
< ap_table_setn (r->subprocess_env, "SSL_CLIENT_CERTIFICATE_VALIDITY", UserCertExpired ? "EXPIRED" : "VALID");
< #endif
< /* SSLAddCommonVars(r); */
---
> SSLAddCommonVars(r);
977a942
> */
979d943
<
1002,1004d965
< #if ACCEPT_EXPIRED_CERTIFICATES
< rec->bAcceptExpiredCertificates = UNSET; /* will become FALSE */
< #endif
1035,1037d995
< #if ACCEPT_EXPIRED_CERTIFICATES
< MergeBool (bAcceptExpiredCertificates);
< #endif
1191,1196d1148
< /* removes the session from both the local and global caches */
< void CacheExpire (uchar *aucKey, int nKey) {
< LocalCacheExpireKey (aucKey, nKey);
< GlobalCacheExpireKey (aucKey, nKey);
< }
<
1206,1208d1157
< #ifdef NO_LOCAL_CACHE
< p = NULL;
< #else
1210d1158
< #endif
1221,1222c1169
< if(!t) {
< DPRINTF (stderr, "CacheFind: globalcache miss\n");
---
> if(!t)
1224,1225d1170
< }
< DPRINTF (stderr, "CacheFind: globalcache hit\n");
1230d1174
< #ifndef NO_LOCAL_CACHE
1233d1176
< DPRINTF (stderr, "CacheFind: adding to local cache\n");
1237d1179
< #endif
1241d1182
< DPRINTF (stderr, "CacheFind: localcache hit\n");
1270d1210
< DPRINTF (stderr, "SendCertToServer: adding to local cache\n");
1274d1213
< DPRINTF (stderr, "SendCertToServer: adding to global cache\n");
1308d1246
< DPRINTF (stderr, "looking for aucSessionID: %s, length: %i\n", ap_uuencode (pCurrentConnection->client->pool, aucSessionID), nLength);
1312d1249
< DPRINTF (stderr, "we found it\n");
1749,1753d1685
< #if ACCEPT_EXPIRED_CERTIFICATES
< if (pConfig->bAcceptExpiredCertificates == UNSET) {
< pConfig->bAcceptExpiredCertificates = FALSE;
< };
< #endif
2015,2022d1946
< #if ACCEPT_EXPIRED_CERTIFICATES
< static const char *setAcceptExpiredCertificates (cmd_parms *parms, void *dummy, int flag) {
< SSLConfigRec *c = ap_get_module_config (parms->server->module_config, &apache_ssl_module);
< c->bAcceptExpiredCertificates = flag;
< return NULL;
< }
< #endif
<
2288,2290d2211
< #if ACCEPT_EXPIRED_CERTIFICATES
< { "AcceptExpiredCertificates", setAcceptExpiredCertificates, NULL,RSRC_CONF, FLAG, "On or Off, if On expired user certificates will be accepted anyway"},
< #endif
[root@oscar ssl]# pwd
/servers/http/src/apache_1.3.28/src/modules/ssl
[root@oscar ssl]# diff gcache.c gcache.c.orig
123,132d122
< /* New function to handle expiry */
< void HandleExpire (int nFD) {
< uchar *aucKey;
< int nKey;
< Cache *p;
< aucKey = ReadThing (nFD, &nKey);
< Dump ("Get", aucKey, nKey);
< LocalCacheExpireKey (aucKey, nKey);
< }
<
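Review bot: `HandleExpire` is only defined here; no hunk in this file routes the new `EXPIRE_CACHE_ENTRY` command (sent by `GlobalCacheExpireKey` in gcacheclient.c) to it, so unless the dispatcher is changed elsewhere the global cache never expires an entry and the client-side expiry is a no-op. Inside the function `Cache *p` is unused, the `Dump` label reads `"Get"` for an expire, and the `aucKey` returned by `ReadThing` is never released — if `ReadThing` allocates, as its by-pointer length out-parameter suggests, it should be freed once `LocalCacheExpireKey` returns. Suggested: `Dump ("Expire", aucKey, nKey);` and `free (aucKey);` after the expire call, with the `p` declaration dropped.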
[root@oscar ssl]# pwd
/servers/http/src/apache_1.3.28/src/modules/ssl
[root@oscar ssl]# diff gcacheclient.c gcacheclient.c.orig
131,138d130
< /* New function to expire cache */
< void GlobalCacheExpireKey (uchar *aucKey, int nKey) {
< int nFD = OpenServer ();
< WriteCommand (nFD, EXPIRE_CACHE_ENTRY);
< WriteThing (nFD, aucKey, nKey);
< close (nFD);
< }
<
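Review bot: The descriptor from `OpenServer ()` is used without a check; if `OpenServer` reports failure, the command and key are written to an invalid descriptor and the expiry request is silently lost. Guard it the way the other cache operations in this file presumably do, e.g. `if (nFD < 0) return;` before `WriteCommand`, assuming a negative value marks failure (the helper's contract is not visible in the hunk).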
[root@oscar ssl]# pwd
/servers/http/src/apache_1.3.28/src/modules/ssl
[root@oscar ssl]# diff gcachecommon.c gcachecommon.c.orig
146,160d145
< void LocalCacheExpireKey (uchar *aucKey, int nLength) {
< int n, m;
<
< for (n=m=0; n < nCache; ++m)
< if (pCache[n].nKey == nLength && !memcmp (pCache[n].aucKey, aucKey, nLength)) {
< --nCache;
< free (pCache[m].aucKey);
< free (pCache[m].aucData);
< }
< else {
< pCache[n] = pCache[m];
< ++n;
< }
< }
<
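Review bot: The match test on the `if` line indexes `pCache[n]` (the write position) while the free and copy use `pCache[m]` (the read position); after the first removal n lags m, so the comparison re-reads the entry whose `aucKey` was just freed (use-after-free) and, if that memory still matches, frees the next, unrelated entry while leaving the dangling one in the array. The test must use the read index: `if (pCache[m].nKey == nLength && !memcmp (pCache[m].aucKey, aucKey, nLength)) {`. With that change the loop bound `n < nCache` is correct, since n catches up with the shrunken count exactly when m reaches the original size.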
[root@oscar include]# pwd
/servers/http/src/apache_1.3.28/src/include
[root@oscar include]# diff buff.h buff.h.orig
81c81
< # define APACHE_SSL_EXPORT_CERTS TRUE
---
> # define APACHE_SSL_EXPORT_CERTS FALSE
[root@oscar apache_1.3.28]# cat config
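#!/usr/local/bin/bash
# Build helper: run Apache 1.3.28 ./configure with the apache_ssl module
# enabled, against an in-tree OpenSSL build. Adjust SSL_BASE and PREFIX
# for the local layout.
set -eu

# Root of the OpenSSL source tree; -L points at the tree root because an
# in-tree OpenSSL build leaves libssl/libcrypto there, headers under include/.
SSL_BASE="/servers/http/src/openssl-0.9.7c"
SSL_LIB="-L$SSL_BASE"
SSL_INCLUDE="-I$SSL_BASE/include -I$SSL_BASE/include/openssl"
LIBS="-lssl -lcrypto"
# Install prefix for this (patched) build.
PREFIX="/servers/http/apache-1.3.28SSL_expired-cert"
ENABLE="--enable-module=apache_ssl"

# Every expansion is quoted so a prefix or flag containing spaces is passed
# as one word; the original left $LIBS, $PREFIX and $ENABLE unquoted.
CFLAGS="$SSL_INCLUDE" \
LDFLAGS="$SSL_LIB" LIBS="$LIBS" \
./configure --prefix="$PREFIX" \
  "$ENABLE"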
[root@oscar apache_1.3.28]# ./config
Configuring for Apache, Version 1.3.28
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Solaris 260 platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ using custom target name: httpsd
+ adding selected modules
+ using builtin Expat
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl
[root@oscar conf]# cat httpsd.conf
...
# Apache-SSL settings for the patched build: SSL is off globally and turned
# on per virtual host below.
<IfModule apache_ssl.c>
SSLDisable
# Shared session cache served by the external gcache helper of this build.
SSLCacheServerPort 12345
SSLCacheServerPath /servers/http/apache-1.3.28SSL_expired-cert/bin/gcache
SSLSessionCacheTimeout 300
<VirtualHost certificate-test.unimacq.edu.au:11443>
DocumentRoot /servers/http/certificate/htdocs
ServerName certificate-test.unimacq.edu.au
ServerAdmin http@xxxxxxxxxxxxxx
ErrorLog /servers/http/apache-1.3.28SSL_expired-cert/logs/httpsd-cert-error_log
CustomLog /servers/http/apache-1.3.28SSL_expired-cert/logs/httpsd-cert-access_log common
SSLEnable
SSLRequireSSL
SSLCertificateFile /servers/http/conf/ssl.crt/UnimacqTestCAServer.crt
SSLCertificateKeyFile /servers/http/conf/ssl.key/UnimacqTestCAServer.key
SSLCACertificateFile /servers/http/conf/ssl.crt/ca-bundle.crt
# 2 = the client must present a certificate; chains are checked up to two
# levels deep against the CA bundle above.
SSLVerifyClient 2
SSLVerifyDepth 2
# Export the client certificate into the CGI environment.
SSLExportClientCertificates
# Directive added by the local patch: an expired client certificate passes
# verification instead of being rejected. The server only marks it -- CGIs
# must read SSL_CLIENT_CERTIFICATE_VALIDITY (EXPIRED or VALID) and enforce
# their own policy. Defaults to Off; server/vhost scope only.
AcceptExpiredCertificates On
ScriptAlias /cgi-bin/ /servers/http/certificate/cgi-bin/exp-allow-prot/
<Location /cgi-bin>
options ExecCGI FollowSymLinks
order deny,allow
allow from All
</Location>
# Everything else is open to all hosts once the client-certificate check passed.
<Location />
order allow,deny
allow from All
</Location>
</VirtualHost>
</IfModule>
...