| SYNOPSIS |
| |
| This Apache module provides strong cryptography for the Apache 2 webserver |
| via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS |
| v1) protocols by the help of the SSL/TLS implementation library OpenSSL which |
| is based on SSLeay from Eric A. Young and Tim J. Hudson. |
| |
| The mod_ssl package was created in April 1998 by Ralf S. Engelschall |
| and was originally derived from software developed by Ben Laurie for |
| use in the Apache-SSL HTTP server project. The mod_ssl implementation |
| for Apache 1.3 continues to be supported by the modssl project |
| <http://www.modssl.org/>. |
| |
| SOURCES |
| |
| See the top-level LAYOUT file for file descriptions. |
| |
| The source files are written in clean ANSI C and pass the ``gcc -O -g |
| -ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes |
| -Wmissing-declarations -Wnested-externs -Winline'' compiler test |
| (assuming `gcc' is GCC 2.95.2 or newer) without any complains. When |
| you make changes or additions make sure the source still passes this |
| compiler test. |
| |
| FUNCTIONS |
| |
| Inside the source code you will be confronted with the following types of |
| functions which can be identified by their prefixes: |
| |
| ap_xxxx() ............... Apache API function |
| ssl_xxxx() .............. mod_ssl function |
| SSL_xxxx() .............. OpenSSL function (SSL library) |
| OpenSSL_xxxx() .......... OpenSSL function (SSL library) |
| X509_xxxx() ............. OpenSSL function (Crypto library) |
| PEM_xxxx() .............. OpenSSL function (Crypto library) |
| EVP_xxxx() .............. OpenSSL function (Crypto library) |
| RSA_xxxx() .............. OpenSSL function (Crypto library) |
| |
| DATA STRUCTURES |
| |
| Inside the source code you will be confronted with the following |
| data structures: |
| |
| server_rec .............. Apache (Virtual) Server |
| conn_rec ................ Apache Connection |
| request_rec ............. Apache Request |
| SSLModConfig ............ mod_ssl (Global) Module Configuration |
| SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration |
| SSLDirConfig ............ mod_ssl Directory Configuration |
| SSLConnConfig ........... mod_ssl Connection Configuration |
| SSLFilterRec ............ mod_ssl Filter Context |
| SSL_CTX ................. OpenSSL Context |
| SSL_METHOD .............. OpenSSL Protocol Method |
| SSL_CIPHER .............. OpenSSL Cipher |
| SSL_SESSION ............. OpenSSL Session |
| SSL ..................... OpenSSL Connection |
| BIO ..................... OpenSSL Connection Buffer |
| |
| For an overview how these are related and chained together have a look at the |
| page in README.dsov.{fig,ps}. It contains overview diagrams for those data |
| structures. It's designed for DIN A4 paper size, but you can easily generate |
| a smaller version inside XFig by specifying a magnification on the Export |
| panel. |
| |
| INCOMPATIBILITIES |
| |
| The following intentional incompatibilities exist between mod_ssl 2.x |
| from Apache 1.3 and this mod_ssl version for Apache 2: |
| |
| o The complete EAPI-based SSL_VENDOR stuff was removed. |
| o The complete EAPI-based SSL_COMPAT stuff was removed. |
| o The <IfDefine> variable MOD_SSL is no longer provided automatically |
| |
| MAJOR CHANGES |
| |
| For a complete history of changes for Apache 2 mod_ssl, see the |
| CHANGES file in the top-level directory. The following |
| is a condensed summary of the major changes were made between |
| mod_ssl 2.x from Apache 1.3 and this mod_ssl version for Apache 2: |
| |
| o The DBM based session cache is now based on APR's DBM API only. |
| o The shared memory based session cache is now based on APR's APIs. |
| o SSL I/O is now implemented in terms of filters rather than BUFF |
| o Eliminated ap_global_ctx. Storing Persistent information in |
| process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and |
| ssl_config_global_* () functions have an extra parameter now - |
| "server_rec *" - which is used to retrieve the SSLModConfigRec. |
| o Properly support restarts, allowing mod_ssl to be added to a server |
| that is already running and to change server certs/keys on restart |
| o Various performance enhancements |
| o proxy support is no longer an "extension", much of the mod_ssl core |
| was re-written (ssl_engine_{init,kernel,config}.c) to be generic so |
| it could be re-used in proxy mode. |
| - the optional function ssl_proxy_enable is provide for mod_proxy |
| to enable proxy support |
| - proxy support now requires 'SSLProxyEngine on' to be configured |
| - proxy now supports SSLProxyCARevocation{Path,File} in addition to |
| the original SSLProxy* directives |
| o per-directory SSLCACertificate{File,Path} is now thread-safe but |
| requires SSL_set_cert_store patch to OpenSSL |
| o the ssl_engine_{ds,ext}.c source files are obsolete and no longer |
| exist |
| |
| TODO |
| |
| See the top-level STATUS file for current efforts and goals. |