我曾经使用修补的Apache 2.2.17,它允许我重新加载CRL而无需重启我的服务器。
但是从Apache 2.3.15-beta开始,CRL被委托给OpenSSL(sc-> server-> crl不再存在......)......我看不出如何调整我的修补我的2.4.4。
以下是我不能用于新版apache(和openssl 1.0.1e)的代码片段
之前:
void refresh_revocation_store(server_rec *sr, apr_pool_t *pool)
{
SSLSrvConfigRec *sc = mySrvConfig(sr);
int reload = 0;
/* Some stuff to determine if my crl needs to be reloaded */
...
reload = 1;
/*************/
if (reload) {
X509_STORE *old, *new;
new = SSL_X509_STORE_create ((char *)sc->server->crl_file,
(char *)sc->server->crl_path));
old = sc->server->crl;
sc->server->crl = new;
X509_STORE_free(old);
}
}
STACK_OF(X509) *extract_CAs(STACK_OF(X509_OBJECT) *sk)
{
STACK_OF(X509) *skx = sk_X509_new_null();
X509_OBJECT *tmp;
int num, i;
if(sk) {
num = sk_X509_OBJECT_num(sk);
for(i = 0; i < num; i++) {
tmp = sk_X509_OBJECT_value(sk, i);
if(tmp) {
if(tmp->type == X509_LU_X509) {
sk_X509_push(skx, tmp->data.x509);
}
}
}
}
return skx;
}
STACK_OF(X509_CRL) *extract_CRLs(STACK_OF(X509_OBJECT) *sk)
{
STACK_OF(X509_CRL) *skx = sk_X509_CRL_new_null();
X509_OBJECT *tmp;
int num, i;
if(sk) {
num = sk_X509_OBJECT_num(sk);
for(i = 0; i < num; i++) {
tmp = sk_X509_OBJECT_value(sk, i);
if(tmp->type == X509_LU_CRL) {
sk_X509_CRL_push(skx, tmp->data.crl);
}
}
}
return skx;
}
void ssl_verify(X509_STORE_CTX *ctx, void *dummy)
{
STACK_OF(X509) *trusted_CAs = NULL;
STACK_OF(X509) *untrusted_CAs = ctx->untrusted;
STACK_OF(X509_CRL) *crls;
SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
server_rec *s = conn->base_server;
int ok;
ssl_mutex_on(s);
trusted_CAs = extract_CAs(sc->server->ssl_ctx->cert_store->objs);
if(sc->server->crl) {
refresh_revocation_store(s, conn->pool);
crls = extract_CRLs(sc->server->crl->objs);
} else {
crls = sk_X509_CRL_new_null();
}
/* Starting the chain */
if (ctx->chain == NULL) {
ctx->chain = sk_X509_new_null();
}
ok = is_valid_cert(ctx, trusted_CAs, untrusted_CAs, crls, ctx->cert, 0);
sk_X509_free(trusted_CAs);
ssl_mutex_off(s);
return (ok == X509_V_OK) ? 1 : 0;
}
现在它会像这样(但不起作用,我不是没有原因)
void refresh_revocation_store(server_rec *sr, apr_pool_t *pool)
{
SSLSrvConfigRec *sc = mySrvConfig(sr);
int reload = 0;
/* Some stuff to determine if my crl needs to be reloaded */
...
reload = 1;
/*************/
if (reload) {
store = SSL_CTX_get_cert_store(sc->server->ssl_ctx);
if (!store || !X509_STORE_load_locations(store,
sc->server->crl_file,
sc->server->crl_path)) {
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sr);
ssl_die(sr);
}
}
}
}
STACK_OF(X509) *extract_CAs(STACK_OF(X509_OBJECT) *sk) {...} // Same as before
STACK_OF(X509_CRL) *extract_CRLs(STACK_OF(X509_OBJECT) *sk) {...} // Same as before
int ssl_verify(X509_STORE_CTX *ctx, void *dummy)
{
STACK_OF(X509) *trusted_CAs = NULL;
STACK_OF(X509) *untrusted_CAs = ctx->untrusted;
STACK_OF(X509_CRL) *crls;
SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
server_rec *s = conn->base_server;
int ok;
ssl_mutex_on(s);
X509_STORE *store = SSL_CTX_get_cert_store(sc->server->ssl_ctx);
if(store) {
refresh_revocation_store(s, conn->pool);
crls = extract_CRLs(store->objs);
} else {
crls = sk_X509_CRL_new_null();
}
/* Starting the chain */
if (ctx->chain == NULL) {
ctx->chain = sk_X509_new_null();
}
trusted_CAs = extract_CAs(sc->server->ssl_ctx->cert_store->objs);
ok = is_valid_cert(ctx, trusted_CAs, untrusted_CAs, crls, ctx->cert, 0);
sk_X509_free(trusted_CAs);
ssl_mutex_off(s);
return (ok == X509_V_OK) ? 1 : 0;
}
如果有人有任何想法......请帮忙!我生气了...
干杯, Cheloute