我曾经使用修补过的 Apache 2.2.17,它允许我重新加载 CRL 而无需重新启动服务器。
但似乎自从 Apache 2.3.15-beta 以来,CRL 被委托给 OpenSSL(sc->server->crl 不再存在......)......我看不出如何使我的补丁适应我的 2.4。 4.
这是我的新版本 apache(和 openssl 1.0.1e)无法使用的代码
前 :
void refresh_revocation_store(server_rec *sr, apr_pool_t *pool)
{
SSLSrvConfigRec *sc = mySrvConfig(sr);
int reload = 0;
/* Some stuff to determine if my crl needs to be reloaded */
...
reload = 1;
/*************/
if (reload) {
X509_STORE *old, *new;
new = SSL_X509_STORE_create ((char *)sc->server->crl_file,
(char *)sc->server->crl_path));
old = sc->server->crl;
sc->server->crl = new;
X509_STORE_free(old);
}
}
STACK_OF(X509) *extract_CAs(STACK_OF(X509_OBJECT) *sk)
{
STACK_OF(X509) *skx = sk_X509_new_null();
X509_OBJECT *tmp;
int num, i;
if(sk) {
num = sk_X509_OBJECT_num(sk);
for(i = 0; i < num; i++) {
tmp = sk_X509_OBJECT_value(sk, i);
if(tmp) {
if(tmp->type == X509_LU_X509) {
sk_X509_push(skx, tmp->data.x509);
}
}
}
}
return skx;
}
STACK_OF(X509_CRL) *extract_CRLs(STACK_OF(X509_OBJECT) *sk)
{
STACK_OF(X509_CRL) *skx = sk_X509_CRL_new_null();
X509_OBJECT *tmp;
int num, i;
if(sk) {
num = sk_X509_OBJECT_num(sk);
for(i = 0; i < num; i++) {
tmp = sk_X509_OBJECT_value(sk, i);
if(tmp->type == X509_LU_CRL) {
sk_X509_CRL_push(skx, tmp->data.crl);
}
}
}
return skx;
}
void ssl_verify(X509_STORE_CTX *ctx, void *dummy)
{
STACK_OF(X509) *trusted_CAs = NULL;
STACK_OF(X509) *untrusted_CAs = ctx->untrusted;
STACK_OF(X509_CRL) *crls;
SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
server_rec *s = conn->base_server;
int ok;
ssl_mutex_on(s);
trusted_CAs = extract_CAs(sc->server->ssl_ctx->cert_store->objs);
if(sc->server->crl) {
refresh_revocation_store(s, conn->pool);
crls = extract_CRLs(sc->server->crl->objs);
} else {
crls = sk_X509_CRL_new_null();
}
/* Starting the chain */
if (ctx->chain == NULL) {
ctx->chain = sk_X509_new_null();
}
ok = is_valid_cert(ctx, trusted_CAs, untrusted_CAs, crls, ctx->cert, 0);
sk_X509_free(trusted_CAs);
ssl_mutex_off(s);
return (ok == X509_V_OK) ? 1 : 0;
}
现在它会是这样的(但不起作用,我不知道为什么)
void refresh_revocation_store(server_rec *sr, apr_pool_t *pool)
{
SSLSrvConfigRec *sc = mySrvConfig(sr);
int reload = 0;
/* Some stuff to determine if my crl needs to be reloaded */
...
reload = 1;
/*************/
if (reload) {
store = SSL_CTX_get_cert_store(sc->server->ssl_ctx);
if (!store || !X509_STORE_load_locations(store,
sc->server->crl_file,
sc->server->crl_path)) {
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sr);
ssl_die(sr);
}
}
}
}
STACK_OF(X509) *extract_CAs(STACK_OF(X509_OBJECT) *sk) {...} // Same as before
STACK_OF(X509_CRL) *extract_CRLs(STACK_OF(X509_OBJECT) *sk) {...} // Same as before
int ssl_verify(X509_STORE_CTX *ctx, void *dummy)
{
STACK_OF(X509) *trusted_CAs = NULL;
STACK_OF(X509) *untrusted_CAs = ctx->untrusted;
STACK_OF(X509_CRL) *crls;
SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
server_rec *s = conn->base_server;
int ok;
ssl_mutex_on(s);
X509_STORE *store = SSL_CTX_get_cert_store(sc->server->ssl_ctx);
if(store) {
refresh_revocation_store(s, conn->pool);
crls = extract_CRLs(store->objs);
} else {
crls = sk_X509_CRL_new_null();
}
/* Starting the chain */
if (ctx->chain == NULL) {
ctx->chain = sk_X509_new_null();
}
trusted_CAs = extract_CAs(sc->server->ssl_ctx->cert_store->objs);
ok = is_valid_cert(ctx, trusted_CAs, untrusted_CAs, crls, ctx->cert, 0);
sk_X509_free(trusted_CAs);
ssl_mutex_off(s);
return (ok == X509_V_OK) ? 1 : 0;
}
如果有人有任何想法......请帮忙!我要疯了……
干杯,切洛特