summaryrefslogtreecommitdiffstats
path: root/rubbos/app/httpd-2.0.64/modules/ssl/README
blob: b24af26fe543fbe98a6285f831e2e205e9610f75 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
SYNOPSIS

 This Apache module provides strong cryptography for the Apache 2.0 webserver
 via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
 v1) protocols by the help of the SSL/TLS implementation library OpenSSL which
 is based on SSLeay from Eric A. Young and Tim J. Hudson. 

 The mod_ssl package was created in April 1998 by Ralf S. Engelschall 
 and was originally derived from software developed by Ben Laurie for 
 use in the Apache-SSL HTTP server project.  The mod_ssl implementation 
 for Apache 1.3 continues to be supported by the modssl project 
 <http://www.modssl.org/>.

SOURCES

 See the top-level LAYOUT file in httpd-2.0 for file descriptions.

 The source files are written in clean ANSI C and pass the ``gcc -O -g
 -ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
 -Wmissing-declarations -Wnested-externs -Winline'' compiler test
 (assuming `gcc' is GCC 2.95.2 or newer) without any complains. When
 you make changes or additions make sure the source still passes this
 compiler test.

FUNCTIONS
  
 Inside the source code you will be confronted with the following types of
 functions which can be identified by their prefixes:

   ap_xxxx() ............... Apache API function
   ssl_xxxx() .............. mod_ssl function
   SSL_xxxx() .............. OpenSSL function (SSL library)
   OpenSSL_xxxx() .......... OpenSSL function (SSL library)
   X509_xxxx() ............. OpenSSL function (Crypto library)
   PEM_xxxx() .............. OpenSSL function (Crypto library)
   EVP_xxxx() .............. OpenSSL function (Crypto library)
   RSA_xxxx() .............. OpenSSL function (Crypto library)

DATA STRUCTURES

 Inside the source code you will be confronted with the following
 data structures:

   server_rec .............. Apache (Virtual) Server
   conn_rec ................ Apache Connection
   request_rec ............. Apache Request
   SSLModConfig ............ mod_ssl (Global)  Module Configuration
   SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
   SSLDirConfig ............ mod_ssl Directory Configuration
   SSLConnConfig ........... mod_ssl Connection Configuration
   SSLFilterRec ............ mod_ssl Filter Context
   SSL_CTX ................. OpenSSL Context
   SSL_METHOD .............. OpenSSL Protocol Method
   SSL_CIPHER .............. OpenSSL Cipher
   SSL_SESSION ............. OpenSSL Session
   SSL ..................... OpenSSL Connection
   BIO ..................... OpenSSL Connection Buffer

 For an overview how these are related and chained together have a look at the
 page in README.dsov.{fig,ps}. It contains overview diagrams for those data
 structures. It's designed for DIN A4 paper size, but you can easily generate
 a smaller version inside XFig by specifing a magnification on the Export
 panel.

EXPERIMENTAL CODE

 Experimental code is always encapsulated as following:

   | #ifdef SSL_EXPERIMENTAL_xxxx
   | ...
   | #endif

 This way it is only compiled in when this define is enabled with
 the APACI --enable-rule=SSL_EXPERIMENTAL option and as long as the
 C pre-processor variable SSL_EXPERIMENTAL_xxxx_IGNORE is _NOT_
 defined (via CFLAGS). Or in other words: SSL_EXPERIMENTAL enables all
 SSL_EXPERIMENTAL_xxxx variables, except if SSL_EXPERIMENTAL_xxxx_IGNORE
 is already defined. Currently the following features are experimental:

   o SSL_EXPERIMENTAL_ENGINE
     The ability to support the new forthcoming OpenSSL ENGINE stuff.
     Until this development branch of OpenSSL is merged into the main
     stream, you have to use openssl-engine-0.9.x.tar.gz for this.
     mod_ssl automatically recognizes this OpenSSL variant and then can
     activate external crypto devices through SSLCryptoDevice directive.

INCOMPATIBILITIES

 The following intentional incompatibilities exist between mod_ssl 2.x
 from Apache 1.3 and this mod_ssl version for Apache 2.0:

 o The complete EAPI-based SSL_VENDOR stuff was removed.
 o The complete EAPI-based SSL_COMPAT stuff was removed.
 o The <IfDefine> variable MOD_SSL is no longer provided automatically 

MAJOR CHANGES 

 For a complete history of changes for Apache 2.0 mod_ssl, see the 
 CHANGES file in the top-level httpd-2.0 directory.  The following 
 is a condensed summary of the major changes were made between 
 mod_ssl 2.x from Apache 1.3 and this mod_ssl version for Apache 2.0:

 o The DBM based session cache is now based on APR's DBM API only.
 o The shared memory based session cache is now based on APR's APIs.
 o SSL I/O is now implemented in terms of filters rather than BUFF
 o Eliminated ap_global_ctx. Storing Persistant information in 
   process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and 
   ssl_config_global_* () functions have an extra parameter now - 
   "server_rec *" -  which is used to retrieve the SSLModConfigRec.
 o Properly support restarts, allowing mod_ssl to be added to a server
   that is already running and to change server certs/keys on restart
 o Various performance enhancements
 o proxy support is no longer an "extension", much of the mod_ssl core
   was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
   it could be re-used in proxy mode.
   - the optional function ssl_proxy_enable is provide for mod_proxy
     to enable proxy support
   - proxy support now requires 'SSLProxyEngine on' to be configured
   - proxy now supports SSLProxyCARevocation{Path,File} in addition to
     the original SSLProxy* directives
 o per-directory SSLCACertificate{File,Path} is now thread-safe but
   requires SSL_set_cert_store patch to OpenSSL
 o RSA sslc is supported via ssl_toolkit_compat.h
 o the ssl_engine_{ds,ext}.c source files are obsolete and no longer
   exist

TODO

 See the top-level STATUS file in httpd-2.0 for current efforts and goals.