
如何在 Apache 2.4.4 的 mod_ssl 中获取可信 CA，并在不重启 httpd 的情况下重新加载 CRL


我曾经使用过打了补丁的 Apache 2.2.17，它允许我在不重启服务器的情况下重新加载 CRL。

但似乎自从 Apache 2.3.15 测试版以来，CRL 的处理就被委托给了 OpenSSL（sc->server->crl 字段不再存在……）。我看不出如何把我的补丁移植到 2.4.4。

以下是在新版本 Apache（以及 OpenSSL 1.0.1e）上无法工作的代码片段。

之前:

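/*
 * Rebuild this server's CRL store when a reload is due.
 *
 * sr   - the (virtual) server whose SSLSrvConfigRec holds crl_file,
 *        crl_path and the X509_STORE being replaced.
 * pool - not used by this snippet; kept for the caller's signature.
 *
 * The old store is swapped out and freed only after the replacement was
 * built successfully, so a failed rebuild leaves the last-known-good CRLs
 * in place instead of a NULL store (the original snippet also had an
 * unmatched ')' in the SSL_X509_STORE_create call).
 *
 * The swap is not synchronised here; the caller is expected to hold the
 * ssl mutex, as ssl_verify() does around its call.
 */
void refresh_revocation_store(server_rec *sr, apr_pool_t *pool)
{
    SSLSrvConfigRec *sc = mySrvConfig(sr);
    int reload = 0;

    (void)pool;
    /* Some stuff to determine if my crl needs to be reloaded */
    /* ... (elided in the original snippet) ... */
    reload = 1;
    /*************/
    if (reload) {
        X509_STORE *fresh = SSL_X509_STORE_create((char *)sc->server->crl_file,
                                                  (char *)sc->server->crl_path);
        if (fresh) {
            X509_STORE *stale = sc->server->crl;
            sc->server->crl = fresh;
            X509_STORE_free(stale);
        }
        /* On failure the previous store stays active; nothing is logged
         * here because the snippet gives no logging context to use. */
    }
}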

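/*
 * Collect the X509 certificates held in an X509_STORE's object list.
 *
 * sk - the store's objs stack, or NULL (treated as empty).
 *
 * Returns a new stack of borrowed X509 pointers (no reference counts are
 * taken), or NULL if the stack could not be allocated. The caller must
 * release it with sk_X509_free(), never sk_X509_pop_free(), because the
 * certificates remain owned by the store.
 *
 * NOTE(review): direct access to X509_OBJECT members matches OpenSSL 1.0.x
 * (the version named in the post); the struct is opaque from 1.1.0 on.
 */
STACK_OF(X509) *extract_CAs(STACK_OF(X509_OBJECT) *sk)
{
  STACK_OF(X509) *skx = sk_X509_new_null();
  int num, i;

  if (!skx) {
    return NULL;   /* pushing onto a NULL stack would fail silently */
  }
  if (sk) {
    num = sk_X509_OBJECT_num(sk);
    for (i = 0; i < num; i++) {
      X509_OBJECT *obj = sk_X509_OBJECT_value(sk, i);
      /* The object list mixes certificates and CRLs; keep only certs. */
      if (obj && obj->type == X509_LU_X509) {
        sk_X509_push(skx, obj->data.x509);
      }
    }
  }
  return skx;
}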

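/*
 * Collect the CRLs held in an X509_STORE's object list.
 *
 * sk - the store's objs stack, or NULL (treated as empty).
 *
 * Returns a new stack of borrowed X509_CRL pointers, or NULL if the stack
 * could not be allocated. Release it with sk_X509_CRL_free() only; the
 * CRLs stay owned by the store.
 *
 * Mirrors extract_CAs(): the original omitted the NULL check on the
 * X509_OBJECT that its sibling performs, which is added here.
 */
STACK_OF(X509_CRL) *extract_CRLs(STACK_OF(X509_OBJECT) *sk)
{
  STACK_OF(X509_CRL) *skx = sk_X509_CRL_new_null();
  int num, i;

  if (!skx) {
    return NULL;   /* pushing onto a NULL stack would fail silently */
  }
  if (sk) {
    num = sk_X509_OBJECT_num(sk);
    for (i = 0; i < num; i++) {
      X509_OBJECT *obj = sk_X509_OBJECT_value(sk, i);
      if (obj && obj->type == X509_LU_CRL) {
        sk_X509_CRL_push(skx, obj->data.crl);
      }
    }
  }
  return skx;
}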


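/*
 * Certificate verification callback (pre-2.4 variant).
 *
 * Gathers the trusted CAs from the SSL_CTX certificate store and the CRLs
 * from the server's dedicated CRL store (refreshing it first), then hands
 * everything to is_valid_cert().
 *
 * Returns 1 when is_valid_cert() reports X509_V_OK, 0 otherwise. The
 * original was declared void while returning a value; a verify callback
 * must return int.
 *
 * Note: when no CRL store was configured at startup (sc->server->crl is
 * NULL) no reload is attempted and verification runs with an empty CRL
 * list, as in the original.
 */
int ssl_verify(X509_STORE_CTX *ctx, void *dummy)
{
    SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
    conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
    server_rec *s = conn->base_server;
    SSLSrvConfigRec *sc = mySrvConfig(s);
    STACK_OF(X509) *untrusted_CAs = ctx->untrusted;
    STACK_OF(X509) *trusted_CAs;
    STACK_OF(X509_CRL) *crls;
    int ok;

    (void)dummy;

    /* The mutex serialises the store swap in refresh_revocation_store()
     * against other verifications that read sc->server->crl. */
    ssl_mutex_on(s);
    trusted_CAs = extract_CAs(sc->server->ssl_ctx->cert_store->objs);
    if (sc->server->crl) {
        refresh_revocation_store(s, conn->pool);
        crls = extract_CRLs(sc->server->crl->objs);
    } else {
        crls = sk_X509_CRL_new_null();
    }
    /* Starting the chain */
    if (ctx->chain == NULL) {
        ctx->chain = sk_X509_new_null();
    }
    ok = is_valid_cert(ctx, trusted_CAs, untrusted_CAs, crls, ctx->cert, 0);
    /* Both stacks hold borrowed pointers: free the containers only.
     * The original leaked 'crls' on every call. */
    sk_X509_free(trusted_CAs);
    sk_X509_CRL_free(crls);
    ssl_mutex_off(s);
    return (ok == X509_V_OK) ? 1 : 0;
}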
如果有人知道怎么做……请帮帮忙！我快疯了。

干杯,
切洛特

这可能是个挺笨的问题——但做一次简单的、所谓的“优雅重启”（graceful restart）有多糟糕？它不会杀死任何仍在处理请求的工作进程——而且从实际效果来看，这几乎是“免费”的？
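/*
 * Reload CRLs into the SSL_CTX's certificate store when a reload is due
 * (Apache 2.4 variant, where mod_ssl no longer keeps a separate CRL store).
 *
 * sr   - the (virtual) server whose SSLSrvConfigRec holds crl_file,
 *        crl_path and the SSL_CTX.
 * pool - not used by this snippet; kept for the caller's signature.
 *
 * X509_STORE_load_locations() adds the configured file/path to the store;
 * it does not remove CRLs loaded earlier, so repeated reloads accumulate
 * objects in the store and extract_CRLs() will keep returning the older
 * ones too. Whether is_valid_cert() copes with several CRLs per issuer
 * cannot be told from this snippet — worth confirming.
 *
 * On failure the error is logged and ssl_die() is called. In mod_ssl that
 * is the fatal-exit path, so a transient problem reading the CRL file
 * during a request would take the server down; keeping the previous CRLs
 * and failing that verification would be the softer policy.
 *
 * The original snippet used 'store' without declaring it and had one
 * closing brace too many; both are fixed here.
 */
void refresh_revocation_store(server_rec *sr, apr_pool_t *pool)
{
        SSLSrvConfigRec *sc = mySrvConfig(sr);
        int reload = 0;

        (void)pool;
        /* Some stuff to determine if my crl needs to be reloaded */
        /* ... (elided in the original snippet) ... */
        reload = 1;
        /*************/
        if (reload) {
            X509_STORE *store = SSL_CTX_get_cert_store(sc->server->ssl_ctx);
            if (!store || !X509_STORE_load_locations(store,
                                                     sc->server->crl_file,
                                                     sc->server->crl_path)) {
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sr);
                ssl_die(sr);
            }
        }
}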

/* Elided in the original post: both helpers are the same as in the pre-2.4
 * listing above (they copy the X509 / X509_CRL entries of a store's object
 * list into a new stack of borrowed pointers). */
STACK_OF(X509) *extract_CAs(STACK_OF(X509_OBJECT) *sk) {...} // Same as before
STACK_OF(X509_CRL) *extract_CRLs(STACK_OF(X509_OBJECT) *sk) {...} // Same as before

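/*
 * Certificate verification callback (Apache 2.4 variant).
 *
 * Both the trusted CAs and the CRLs now come from the single X509_STORE
 * attached to the SSL_CTX. The store is refreshed first so CRLs added by
 * refresh_revocation_store() are seen by the extraction that follows.
 *
 * Returns 1 when is_valid_cert() reports X509_V_OK, 0 otherwise.
 *
 * Fixes relative to the original: 'crls' was never freed, and the CA
 * extraction dereferenced ssl_ctx->cert_store unconditionally even though
 * the branch above had just handled that same store being NULL.
 */
int ssl_verify(X509_STORE_CTX *ctx, void *dummy)
{
    SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
    conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
    server_rec *s = conn->base_server;
    SSLSrvConfigRec *sc = mySrvConfig(s);
    STACK_OF(X509) *untrusted_CAs = ctx->untrusted;
    STACK_OF(X509) *trusted_CAs;
    STACK_OF(X509_CRL) *crls;
    X509_STORE *store;
    int ok;

    (void)dummy;

    ssl_mutex_on(s);
    store = SSL_CTX_get_cert_store(sc->server->ssl_ctx);
    if (store) {
        /* May add CRLs to 'store'; extract only after it has run. */
        refresh_revocation_store(s, conn->pool);
        crls = extract_CRLs(store->objs);
    } else {
        crls = sk_X509_CRL_new_null();
    }
    /* Starting the chain */
    if (ctx->chain == NULL) {
        ctx->chain = sk_X509_new_null();
    }
    /* extract_CAs() treats a NULL list as empty, so a missing store yields
     * an empty trusted set instead of a NULL dereference. */
    trusted_CAs = extract_CAs(store ? store->objs : NULL);
    ok = is_valid_cert(ctx, trusted_CAs, untrusted_CAs, crls, ctx->cert, 0);
    /* Both stacks hold borrowed pointers: free the containers only. */
    sk_X509_free(trusted_CAs);
    sk_X509_CRL_free(crls);
    ssl_mutex_off(s);
    return (ok == X509_V_OK) ? 1 : 0;
}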