Changeset d2b32f1 – mod_gnutls

CHANGELOG

-                      rbaa4ed5
+                      rd2b32f1
+**TODO:
+- Handle Unclean Shutdowns
+- make session cache use generic apache caches
+** Version 0.8.0 (2016-12-11)
+- New: Support for OCSP stapling
+- Bugfix: Access to DBM cache is locked using global mutex
+  "gnutls-cache"
+- Bugfix: GnuTLSSessionTickets is now disabled by default as described
+  in the handbook
+- Fixed memory leak while checking proxy backend certificate
+- Fixed memory leaks in post_config
+- Safely delete session ticket key (requires GnuTLS >= 3.4)
+- Improved error handling in post_config hook
+- Various handbook updates
+- Internal API documentation can be generated using Doxygen
+- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
+  versions before 2.2, internal Lua bytecode structure last used in
+).
+- Test suite: Fixed locking for access to the PGP keyring of the test
+  certificate authority
+- mod_gnutls can be built using Clang (unsupported)
 ** Version 0.7.5 (2016-05-28)

Makefile.am

-                      rbaa4ed5
+                      rd2b32f1
 AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install"
 DISTCLEANFILES = config.nice
+MOSTLYCLEANFILES = $(DX_CLEANFILES)
 SUBDIRS = src test doc
 ACLOCAL_AMFLAGS = -I m4
+@DX_RULES@

README

-                      rbaa4ed5
+                      rd2b32f1
 -------------
  * GnuTLS          >= 3.1.4 <http://www.gnutls.org/> (3.2.* or newer preferred)
  * Apache HTTPD    >= 2.2 <http://httpd.apache.org/> (2.4.* preferred)
  * autotools, GNU make, & gcc
+ * GnuTLS          >= 3.3 <https://www.gnutls.org/> (3.4 or newer recommended)
+ * Apache HTTPD    >= 2.4 <https://httpd.apache.org/>
+ * autotools, GNU make, & GCC
  * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)
  * pandoc   (for documentation, optional)
 …
 ------------
  tar xzvf mod_gnutls-version.tar.gz
+ tar xzvf mod_gnutls-version.tar.bz2
  cd mod_gnutls-version/
  autoreconf -fiv
 …
 correctly, please see test/README for details.
+If Doxygen is available, you can build internal API documentation
+using "make doxygen-doc". The documentation will be placed in
+doc/api/.
 Configuration
 -------------

configure.ac

-                      rbaa4ed5
+                      rd2b32f1
 dnl
 AC_INIT(mod_gnutls, 0.7.5)
+AC_INIT(mod_gnutls, 0.8.0)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
 …
 AC_CONFIG_MACRO_DIR([m4])
 AP_VERSION=2.2.0
+AP_VERSION=2.4.0
 CHECK_APACHE(,$AP_VERSION,
     :,:,
 …
+)
 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.1.4])
+PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`
 …
 AM_CONDITIONAL([DISABLE_FLOCK],
                [test "$enable_flock" = "no" || test "$flock_works" = "no"])
+# openssl is needed as the responder for OCSP tests
+AC_PATH_PROG([OPENSSL], [openssl], [no])
+# OCSP checks with gnutls-cli from GnuTLS versions before 3.3.23,
+# 3.4.12, or 3.5.1 (on the respective 3.x branch) fail if intermediate
+# CAs cannot be status checked, even if there are no intermediate CAs
+# like in the mod_gnutls test suite where end entity certificates are
+# directly issued by a root CA.
+AC_MSG_CHECKING([for gnutls-cli version supporting OCSP for EE under root CA])
+AC_PREPROC_IFELSE(
+        [AC_LANG_SOURCE([[#include "gnutls/gnutls.h"
+                        #if GNUTLS_VERSION_NUMBER < 0x030317
+                        #error
+                        #elif GNUTLS_VERSION_NUMBER >= 0x030400 && GNUTLS_VERSION_NUMBER < 0x03040c
+                        #error
+                        #elif GNUTLS_VERSION_NUMBER == 0x030500
+                        #error
+                        #endif
+                        ]])],
+        [gnutls_ocsp_ok="yes"],
+        [gnutls_ocsp_ok="no"],
+)
+AC_MSG_RESULT([$gnutls_ocsp_ok])
+AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no" && test "${gnutls_ocsp_ok}" = "yes"])
 dnl Enable test namespaces? Default is "yes".
 …
 dnl Build list of "Listen" statements for Apache
 LISTEN_LIST="# Listen addresses for the test servers"
+LISTEN_LIST="@%:@ Listen addresses for the test servers"
 for i in ${TEST_IP}; do
         LISTEN_LIST="${LISTEN_LIST}
 Listen ${i}:\${TEST_PORT}"
 done
+dnl HTTP ports, only active if TEST_HTTP_PORT is defined
+# Available extra ports, tests can "Define" variables of the listed
+# names in their apache.conf to enable them.
+for j in TEST_HTTP_PORT OCSP_PORT; do
 LISTEN_LIST="${LISTEN_LIST}
 <IfDefine TEST_HTTP_PORT>"
+<IfDefine ${j}>"
 for i in ${TEST_IP}; do
         LISTEN_LIST="${LISTEN_LIST}
         Listen ${i}:\${TEST_HTTP_PORT}"
+        Listen ${i}:\${${j}}"
 done
 LISTEN_LIST="${LISTEN_LIST}
 </IfDefine>"
+done
 AC_SUBST(LISTEN_LIST)
 AM_SUBST_NOTMAKE(LISTEN_LIST)
+DX_DOXYGEN_FEATURE(ON)
+DX_DOT_FEATURE(ON)
+DX_HTML_FEATURE(ON)
+DX_MAN_FEATURE(OFF)
+DX_RTF_FEATURE(OFF)
+DX_XML_FEATURE(OFF)
+DX_PDF_FEATURE(ON)
+DX_PS_FEATURE(OFF)
+DX_INIT_DOXYGEN([mod_gnutls], [doc/doxygen.conf], [doc/api])
 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
                         doc/Makefile include/mod_gnutls.h \
+                        doc/Makefile doc/doxygen.conf include/mod_gnutls.h \
                         test/proxy_backend.conf \
                         test/apache-conf/listen.conf \

doc/mod_gnutls_manual.mdwn

-                      rbaa4ed5
+                      rd2b32f1
 ========================
+`GnuTLSEnable`
+--------------
+General Options
+---------------
+### GnuTLSEnable
 Enable GnuTLS for this virtual host
 …
 This directive enables SSL/TLS Encryption for a Virtual Host.
+`GnuTLSCache`
+-------------
+Configure SSL Session Cache
+### GnuTLSCache
+Configure TLS Session Cache
     GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]
 …
 Context: server config
+This directive configures the SSL Session Cache for `mod_gnutls`.
+This could be shared between machines of different architectures.
+This directive configures the TLS Session Cache for `mod_gnutls`.
+This could be shared between machines of different architectures. If a
+DBM cache is used, access is serialized using the `gnutls-cache`
+mutex. Which DBM types are available is part of the APR (Apache
+Portable Runtime) compile time configuration.
 `dbm` (Requires Berkeley DBM)
+:   Uses the default Berkeley DB backend of APR DBM to cache SSL
+    Sessions results.  The argument is a relative or absolute path to
+    be used as the DBM Cache file. This is compatible with most
+    operating systems, but needs the Apache Runtime to be compiled
+    with Berkeley DBM support.
+`gdbm`
+:   Uses the GDBM backend of APR DBM to cache SSL Sessions results.
+    The argument is a relative or absolute path to be used as the DBM Cache
+    file.  This is the recommended option.
+:   Uses the Berkeley DB backend of APR DBM to cache TLS Session
+        data.
+        The argument is a relative or absolute path to be used as
+    the DBM Cache file. This is compatible with most operating
+    systems.
+`gdbm` (Requires GDBM)
+:   Uses the GDBM backend of APR DBM to cache TLS Session data.
+    The argument is a relative or absolute path to be used as the DBM
+    Cache file.
 `memcache`
 :   Uses a memcached server to cache the SSL Session.
+:   Uses memcached server(s) to cache TLS Session data.
     The argument is a space separated list of servers. If no port
 …
 `none`
 :   Turns off all caching of SSL Sessions.
+:   Turns off all caching of TLS Sessions.
     This can significantly reduce the performance of `mod_gnutls` since
 …
     requires no configuration.
+`GnuTLSCacheTimeout`
+--------------------
+Timeout for SSL Session Cache expiration
+### GnuTLSCacheTimeout
+Timeout for TLS Session Cache expiration
     GnuTLSCacheTimeout SECONDS
 …
 Context: server config
+Sets the timeout for SSL Session Cache entries expiration.  This
+directive is valid even if Session Tickets are used, and indicates the
+expiration time of the ticket in seconds.
+`GnuTLSSessionTickets`
+----------------------
+Sets the timeout for TLS Session Cache entries expiration. This value
+is also used for OCSP responses if they do not contain a `nextUpdate`
+time.
+### GnuTLSSessionTickets
 Enable Session Tickets for the server
 …
 Context: server config, virtual host
+To avoid storing data for TLS session resumption it is allowed to
+provide client with a ticket, to use on return.  Use for servers with
+limited storage, and don't combine with GnuTLSCache. For a pool of
+servers this option is not recommended since the tickets are unique
+for the issuing server only.
+`GnuTLSCertificateFile`
+-----------------------
+Set to the PEM Encoded Server Certificate
+    GnuTLSCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a PEM-encoded X.509 certificate to
+use as this Server's End Entity (EE) certificate. If you need to supply
+certificates for intermediate Certificate Authorities (iCAs), they
+should be listed in sequence in the file, from EE to the iCA closest to
+the root CA. Optionally, you can also include the root CA's certificate
+as the last certificate in the list.
+Since version 0.7 this can be a PKCS #11 URL.
+`GnuTLSKeyFile`
+---------------
+Set to the PEM Encoded Server Private Key
+    GnuTLSKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. Set
+`GnuTLSPIN` if the key file is encrypted.
+Since version 0.7 this can be a PKCS #11 URL.
+**Security Warning:**\
+This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+`GnuTLSPGPCertificateFile`
+--------------------------
+Set to a base64 Encoded Server OpenPGP Certificate
+    GnuTLSPGPCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a base64 Encoded OpenPGP
+Certificate to use as this Server's Certificate.
+`GnuTLSPGPKeyFile`
+------------------
+Set to the Server OpenPGP Secret Key
+    GnuTLSPGPKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. This key
+cannot currently be password protected.
+**Security Warning:**\
+ This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+`GnuTLSClientVerify`
+--------------------
+Enable Client Certificate Verification\
+To avoid storing data for TLS session resumption the server can
+provide clients with tickets, to use on return. Tickets are an
+alternative to using a session cache, mostly used for busy servers
+with limited storage. For a pool of servers this option is not
+recommended since the tickets are bound to the issuing server only.
+If this option is set in the global configuration, virtual hosts
+without a `GnuTLSSessionTickets` setting will use the global setting.
+*Warning:* Currently the master key that protects the tickets is
+generated only on server start, and there is no mechanism to roll over
+the key. If session tickets are enabled it is highly recommened to
+restart the server regularly to protect past sessions in case an
+attacker gains access to server memory.
+### GnuTLSClientVerify
+Enable Client Certificate Verification
     GnuTLSClientVerify [ignore|request|require]
 …
 Context: server config, virtual host, directory, .htaccess
 This directive controls the use of SSL Client Certificate
+This directive controls the use of TLS Client Certificate
 Authentication. If used in the .htaccess context, it can force TLS
 re-negotiation.
 `ignore`
 :   `mod_gnutls` will ignore the contents of any SSL Client Certificates
+:   `mod_gnutls` will ignore the contents of any TLS Client Certificates
     sent. It will not request that the client sends a certificate.
 …
     environment variable will only be set to `SUCCESS`.
+`GnuTLSClientCAFile`
+--------------------
+Set to the PEM Encoded Certificate Authority Certificate
+    GnuTLSClientCAFile FILEPATH
+Default: *none*
+Context: server config, virtual host
+Takes an absolute or relative path to a PEM Encoded Certificate to use
+as a Certificate Authority with Client Certificate Authentication.
+This file may contain a list of trusted authorities.
+`GnuTLSPGPKeyringFile`
+----------------------
+Set to a base64 Encoded key ring
+    GnuTLSPGPKeyringFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a base64 Encoded Certificate
+list (key ring) to use as a means of verification of Client
+Certificates.  This file should contain a list of trusted signers.
+`GnuTLSDHFile`
+--------------
+### GnuTLSDHFile
 Set to the PKCS \#3 encoded Diffie Hellman parameters
 …
 `.  If not set `mod_gnutls` will use the included parameters.
+`GnuTLSSRPPasswdFile`
+---------------------
+Set to the SRP password file for SRP ciphersuites
+    GnuTLSSRPPasswdFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to an SRP password file. This is
+the same format as used in libsrp.  You can generate such file using
+the command `srptool --passwd /etc/tpasswd --passwd-conf
+/etc/tpasswd.conf -u test` to set a password for user test.  This
+password file holds the username, a password verifier and the
+dependency to the SRP parameters.
+`GnuTLSSRPPasswdConfFile`
+-------------------------
+Set to the SRP password.conf file for SRP ciphersuites
+    GnuTLSSRPPasswdConfFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to an SRP password.conf file. This
+is the same format as used in `libsrp`.  You can generate such file
+using the command `srptool --create-conf /etc/tpasswd.conf`.  This
+file holds the SRP parameters and is associate with the password file
+(the verifiers depends on these parameters).
+`GnuTLSPriorities`
+------------------
+Set the allowed ciphers, key exchange algorithms, MACs and compression
+methods
+### GnuTLSPriorities
+Set the allowed protocol versions, ciphers, key exchange algorithms,
+MACs and compression methods
     GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
 …
 Context: server config, virtual host
+Takes a semi-colon separated list of ciphers, key exchange methods
+Message authentication codes and compression methods to enable.
+The allowed keywords are specified in the `gnutls_priority_init()`
+function of GnuTLS.
+Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
+In brief you can specify a set of ciphersuites from the choices:
+`NONE`
+:   The empty list.
+`EXPORT`
+:   A list with all the supported cipher combinations
+    including the `EXPORT` strength algorithms.
+Takes a colon separated list of protocol version, ciphers, key
+exchange methods message authentication codes, and compression methods
+to enable. The allowed keywords are specified in the
+`gnutls_priority_init()` function of GnuTLS.
+Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings)
+for details. A few commonly used sets are listed below, note that
+their exact meaning may change with GnuTLS versions.
 `PERFORMANCE`
+:   A list with all the secure cipher combinations sorted in terms of performance.
+:   A list with all the secure cipher combinations sorted in terms of
+    performance.
 `NORMAL`
 …
     with respect to security margin (subjective term).
+`SECURE`
+:   A list with all the secure cipher combinations including
+    the 256-bit ciphers sorted with respect to security margin.
+Additionally you can add or remove algorithms using the `+` and `!`
+prefixes respectively.
+For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
+you can use the string `NORMAL:!ARCFOUR-128`
+Other options such as the protocol version and the compression method
+can be specified using the `VERS-` and `COMP-` prefixes.
+So in order to remove or add a specific TLS version from the `NORMAL`
+set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
+`NORMAL:+COMP-DEFLATE`.
+However it is recommended not to add compression at this level.  With
+the `NONE` set, in order to be usable, you have to specify a complete
+set of combinations of protocol versions, cipher algorithms
+(`AES-128-CBC`), key exchange algorithms (`RSA`), message
+authentication codes (`SHA1`) and compression methods (`COMP-NULL`).
+`SECURE128`
+:   A list with all the secure cipher suites that offer a security level
+    of 128-bit or more.
+`PFS`
+:   Only cipher suites offering perfect forward secrecy (ECDHE and DHE),
+    sorted by security margin.
+You can add or remove algorithms using the `+` and `!` prefixes
+respectively. For example, in order to use the `NORMAL` set but
+disable TLS 1.0 and 1.1 you can use the string
+`NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`.
 You can find a list of all supported Ciphers, Versions, MACs, etc.  by
 running `gnutls-cli --list`.
+The special keyword `%COMPAT` will disable some security features such
+as protection against statistical attacks to ciphertext data in order to
+achieve maximum compatibility (some broken mobile clients need this).
+`GnuTLSP11Module`
+------------------
+### GnuTLSP11Module
 Load this PKCS #11 module.
 …
 defaults. May occur multiple times to load multiple modules.
+`GnuTLSPIN`
+------------------
+### GnuTLSPIN
 Set the PIN to be used to access encrypted key files or PKCS #11 objects.
 …
 or openssl encrypted keys.
+`GnuTLSSRKPIN`
+------------------
+Set the SRK PIN to be used to unlaccess the TPM.
+### GnuTLSSRKPIN
+Set the SRK PIN to be used to access the TPM.
     GnuTLSSRKPIN XXXXXX
 …
 the TPM module.
+`GnuTLSExportCertificates`
+--------------------------
+### GnuTLSExportCertificates
 Export the PEM encoded certificates to CGIs
 …
 environment variables to the CGI process as `mod_ssl`.
+`GnuTLSProxyEngine`
+--------------
+X.509 Certificate Authentication
+--------------------------------
+### GnuTLSCertificateFile
+Set to the PEM Encoded Server Certificate
+    GnuTLSCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a PEM-encoded X.509 certificate to
+use as this Server's End Entity (EE) certificate. If you need to supply
+certificates for intermediate Certificate Authorities (iCAs), they
+should be listed in sequence in the file, from EE to the iCA closest to
+the root CA. Optionally, you can also include the root CA's certificate
+as the last certificate in the list.
+Since version 0.7 this can be a PKCS #11 URL.
+### GnuTLSKeyFile
+Set to the PEM Encoded Server Private Key
+    GnuTLSKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. Set
+`GnuTLSPIN` if the key file is encrypted.
+Since version 0.7 this can be a PKCS #11 URL.
+**Security Warning:**\
+This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+### GnuTLSClientCAFile
+Set the PEM encoded Certificate Authority list to use for X.509 base
+client authentication
+    GnuTLSClientCAFile FILEPATH
+Default: *none*
+Context: server config, virtual host
+Takes an absolute or relative path to a PEM Encoded Certificate to use
+as a Certificate Authority with Client Certificate Authentication.
+This file may contain a list of trusted authorities.
+OpenPGP Certificate Authentication
+----------------------------------
+### GnuTLSPGPCertificateFile
+Set to a base64 Encoded Server OpenPGP Certificate
+    GnuTLSPGPCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a base64 Encoded OpenPGP
+Certificate to use as this Server's Certificate.
+### GnuTLSPGPKeyFile
+Set to the Server OpenPGP Secret Key
+    GnuTLSPGPKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. This key
+cannot currently be password protected.
+**Security Warning:**\
+ This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+### GnuTLSPGPKeyringFile
+Set to a base64 Encoded key ring
+    GnuTLSPGPKeyringFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a base64 Encoded Certificate
+list (key ring) to use as a means of verification of Client
+Certificates.  This file should contain a list of trusted signers.
+SRP Authentication
+------------------
+### GnuTLSSRPPasswdFile
+Set to the SRP password file for SRP ciphersuites
+    GnuTLSSRPPasswdFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to an SRP password file. This is
+the same format as used in libsrp.  You can generate such file using
+the command `srptool --passwd /etc/tpasswd --passwd-conf
+/etc/tpasswd.conf -u test` to set a password for user test.  This
+password file holds the username, a password verifier and the
+dependency to the SRP parameters.
+### GnuTLSSRPPasswdConfFile
+Set to the SRP password.conf file for SRP ciphersuites
+    GnuTLSSRPPasswdConfFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to an SRP password.conf file. This
+is the same format as used in `libsrp`.  You can generate such file
+using the command `srptool --create-conf /etc/tpasswd.conf`.  This
+file holds the SRP parameters and is associate with the password file
+(the verifiers depends on these parameters).
+TLS Proxy Configuration
+-----------------------
+### GnuTLSProxyEngine
 Enable TLS proxy connections for this virtual host
 …
 host.
+`GnuTLSProxyCAFile`
+--------------------
+### GnuTLSProxyCAFile
 Set to the PEM encoded Certificate Authority Certificate
 …
 always fail due to lack of a trusted CA.
+`GnuTLSProxyCRLFile`
+--------------------
+### GnuTLSProxyCRLFile
 Set to the PEM encoded Certificate Revocation List
 …
 back end servers. The file may contain a list of CRLs.
+`GnuTLSProxyCertificateFile`
+-----------------------
+### GnuTLSProxyCertificateFile
 Set to the PEM encoded Client Certificate
 …
 provide the matching private key.
+`GnuTLSProxyKeyFile`
+---------------
+### GnuTLSProxyKeyFile
 Set to the PEM encoded Private Key
 …
 apache user.
+`GnuTLSProxyPriorities`
+------------------
+### GnuTLSProxyPriorities
 Set the allowed ciphers, key exchange algorithms, MACs and compression
 …
 `GnuTLSProxyEngine` is `On`.
+OCSP Stapling Configuration
+---------------------------
+### GnuTLSOCSPStapling
+Enable OCSP stapling for this (virtual) host.
+    GnuTLSOCSPStapling [On|Off]
+Default: *off*\
+Context: server config, virtual host
+OCSP stapling, formally known as the TLS Certificate Status Request
+extension, allows the server to provide the client with an OCSP
+response for its certificate during the handshake. This way the client
+does not have to send an OCSP request to the CA to check the
+certificate status, which offers privacy and performance advantages.
+Using OCSP stapling has a few requirements:
+* Caching OCSP responses requires a cache, so `GnuTLSCache` must not
+  be `none`.
+* `GnuTLSCertificateFile` must contain the issuer CA certificate in
+  addition to the server certificate so responses can be verified.
+* The certificate must either contain an OCSP access URI using HTTP,
+  or `GnuTLSOCSPResponseFile` must be set.
+OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
+### GnuTLSOCSPCheckNonce
+Check the nonce in OCSP responses?
+    GnuTLSOCSPCheckNonce [On|Off]
+Default: *on*\
+Context: server config, virtual host
+Some CAs refuse to send nonces in their OCSP responses, probably
+because that way they can cache responses. If your CA is one of them
+you can use this flag to disable nonce verification. Note that
+`mod_gnutls` will _send_ a nonce either way.
+### GnuTLSOCSPResponseFile
+Read the OCSP response for stapling from this file instead of sending
+a request over HTTP.
+    GnuTLSOCSPResponseFile /path/to/response.der
+Default: *empty*\
+Context: server config, virtual host
+The response file must be updated externally, for example using a cron
+job. This option is an alternative to the server fetching OCSP
+responses over HTTP. Reasons to use this option include:
+* Performing OCSP requests separate from the web server, to prevent slow
+  responses from stalling handshakes.
+* The issuer CA uses an access method other than HTTP.
+* Testing
+You can use a GnuTLS `ocsptool` command like the following to create
+and update the response file:
+    ocsptool --ask --nonce --load-issuer ca_cert.pem \
+        --load-cert server_cert.pem --outfile ocsp_response.der
+Additional error checking is highly recommended. You may have to
+remove the `--nonce` option if the OCSP responder of your CA does not
+support nonces.
+### GnuTLSOCSPCacheTimeout
+Cache timeout for OCSP responses
+    GnuTLSOCSPCacheTimeout SECONDS
+Default: *3600*\
+Context: server config, virtual host
+Cached OCSP responses will be refreshed after the configured number of
+seconds. How long this timeout should reasonably be depends on your
+CA, namely how often its OCSP responder is updated and how long
+responses are valid. Note that a response will not be cached beyond
+its lifetime as denoted in the `nextUpdate` field of the response.
+### GnuTLSOCSPFailureTimeout
+Wait this many seconds before retrying a failed OCSP request.
+    GnuTLSOCSPFailureTimeout SECONDS
+Default: *300*\
+Context: server config, virtual host
+Retries of failed OCSP requests must be rate limited to avoid
+overloading both the server using mod_gnutls and the CA's OCSP
+responder. A shorter value increases the load on both sides, a longer
+one means that stapling will remain disabled for longer after a failed
+request.
+### GnuTLSOCSPSocketTimeout
+Timeout for TCP sockets used to send OCSP requests
+    GnuTLSOCSPFailureTimeout SECONDS
+Default: *6*\
+Context: server config, virtual host
+Stalled OCSP requests must time out after a while to prevent stalling
+the server too much. However, if the timeout is too short requests may
+fail with a slow OCSP responder or high latency network
+connection. This parameter allows you to adjust the timeout if
+necessary.
+Note that this is not an upper limit for the completion of an OCSP
+request but a socket timeout. The connection will time out if there is
+no activity (successful send or receive) at all for the configured
+time.
 * * * * *
 …
 ======================
 Simple Standard SSL Example
+Simple Standard TLS Example
 ---------------------------
 The following is an example of standard SSL Hosting, using one IP
 Addresses for each virtual host
+The following is an example of simple TLS hosting, using one IP
+Addresses for each virtual host.
      # Load the module into Apache.
 …
      GnuTLSCache gdbm /var/cache/www-tls-cache
      GnuTLSCacheTimeout 500
+     # With normal SSL Websites, you need one IP Address per-site.
+     Listen 1.2.3.1:443
+     Listen 1.2.3.2:443
+     Listen 1.2.3.3:443
+     Listen 1.2.3.4:443
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
+     DocumentRoot /www/site1.example.com/html
+     ServerName site1.example.com:443
+     GnuTLSCertificateFile conf/ssl/site1.crt
+     GnuTLSKeyFile conf/ss/site1.key
+     # Without SNI you need one IP Address per-site.
+     Listen 192.0.2.1:443
+     Listen 192.0.2.2:443
+     Listen 192.0.2.3:443
+     Listen 192.0.2.4:443
+     <VirtualHost 192.0.2.1:443>
+         GnuTLSEnable on
+         GnuTLSPriorities SECURE128
+         DocumentRoot /www/site1.example.com/html
+         ServerName site1.example.com:443
+         GnuTLSCertificateFile conf/tls/site1.crt
+         GnuTLSKeyFile conf/tls/site1.key
      </VirtualHost>
+     <VirtualHost 1.2.3.2:443>
+     # This virtual host enables SRP authentication
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL:+SRP
+     DocumentRoot /www/site2.example.com/html
+     ServerName site2.example.com:443
+     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
+     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
+     <VirtualHost 192.0.2.2:443>
+         # This virtual host enables SRP authentication
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL:+SRP
+         DocumentRoot /www/site2.example.com/html
+         ServerName site2.example.com:443
+         GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
+         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
      </VirtualHost>
+     <VirtualHost 1.2.3.3:443>
+     # This server enables SRP, OpenPGP and X.509 authentication.
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
+     DocumentRoot /www/site3.example.com/html
+     ServerName site3.example.com:443
+     GnuTLSCertificateFile conf/ssl/site3.crt
+     GnuTLSKeyFile conf/ss/site3.key
+     GnuTLSClientVerify ignore
+     GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
+     GnuTLSPGPKeyFile conf/ss/site3.sec.asc
+     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
+     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
+     <VirtualHost 192.0.2.3:443>
+         # This server enables SRP, OpenPGP and X.509 authentication.
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS:+CTYPE-OPENPGP
+         DocumentRoot /www/site3.example.com/html
+         ServerName site3.example.com:443
+         GnuTLSCertificateFile conf/tls/site3.crt
+         GnuTLSKeyFile conf/tls/site3.key
+         GnuTLSClientVerify ignore
+         GnuTLSPGPCertificateFile conf/tls/site3.pub.asc
+         GnuTLSPGPKeyFile conf/tls/site3.sec.asc
+         GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
+         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
      </VirtualHost>
+     <VirtualHost 1.2.3.4:443>
+     GnuTLSEnable on
+     # %COMPAT disables some security features to enable maximum compatibility with clients.
+     GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
+     DocumentRoot /www/site4.example.com/html
+     ServerName site4.example.com:443
+     GnuTLSCertificateFile conf/ssl/site4.crt
+     GnuTLSKeyFile conf/ss/site4.key
+     <VirtualHost 192.0.2.4:443>
+         GnuTLSEnable on
+         # %COMPAT disables some security features to enable maximum
+         # compatibility with clients. Don't use this if you need strong
+         # security.
+         GnuTLSPriorities NORMAL:%COMPAT
+         DocumentRoot /www/site4.example.com/html
+         ServerName site4.example.com:443
+         GnuTLSCertificateFile conf/tls/site4.crt
+         GnuTLSKeyFile conf/tls/site4.key
      </VirtualHost>
 …
 ------------------------------
+`mod_gnutls` can also use "Server Name Indication", as specified in
+RFC 3546.  This allows hosting many SSL Websites, with a Single IP
+Address.  Currently all the recent browsers support this
+standard. Here is an example, using SNI: ` `
+`mod_gnutls` supports "Server Name Indication", as specified in
+RFC 3546. This allows hosting many TLS websites with a single IP
+address. All recent browsers support this standard. Here is an
+example using SNI:
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
+     # With normal SSL Websites, you need one IP Address per-site.
+     Listen 1.2.3.1:443
+     # This could also be 'Listen *:443',
+     # just like '*:80' is common for non-https
+     # No caching. Enable session tickets. Timeout is still used for
+     # ticket expiration.
+     GnuTLSCacheTimeout 600
+     # This tells apache, that for this IP/Port combination, we want to use
+     # Name Based Virtual Hosting. In the case of Server Name Indication,
+     # it lets mod_gnutls pick the correct Server Certificate.
+     NameVirtualHost 1.2.3.1:443
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSSessionTickets on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site1.example.com/html
+     ServerName site1.example.com:443
+     GnuTLSCertificateFile conf/ssl/site1.crt
+     GnuTLSKeyFile conf/ss/site1.key
+     # SNI allows hosting multiple sites using one IP address. This
+     # could also be 'Listen *:443', just like '*:80' is common for
+     # non-HTTPS
+     Listen 198.51.100.1:443
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         GnuTLSSessionTickets on
+         GnuTLSPriorities NORMAL
+         DocumentRoot /www/site1.example.com/html
+         ServerName site1.example.com:443
+         GnuTLSCertificateFile conf/tls/site1.crt
+         GnuTLSKeyFile conf/tls/site1.key
      </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site2.example.com/html
+     ServerName site2.example.com:443
+     GnuTLSCertificateFile conf/ssl/site2.crt
+     GnuTLSKeyFile conf/ss/site2.key
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL
+         DocumentRoot /www/site2.example.com/html
+         ServerName site2.example.com:443
+         GnuTLSCertificateFile conf/tls/site2.crt
+         GnuTLSKeyFile conf/tls/site2.key
      </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site3.example.com/html
+     ServerName site3.example.com:443
+     GnuTLSCertificateFile conf/ssl/site3.crt
+     GnuTLSKeyFile conf/ss/site3.key
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL
+         DocumentRoot /www/site3.example.com/html
+         ServerName site3.example.com:443
+         GnuTLSCertificateFile conf/tls/site3.crt
+         GnuTLSKeyFile conf/tls/site3.key
      </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site4.example.com/html
+     ServerName site4.example.com:443
+     GnuTLSCertificateFile conf/ssl/site4.crt
+     GnuTLSKeyFile conf/ss/site4.key
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL
+         DocumentRoot /www/site4.example.com/html
+         ServerName site4.example.com:443
+         GnuTLSCertificateFile conf/tls/site4.crt
+         GnuTLSKeyFile conf/tls/site4.key
      </VirtualHost>
+* * * * *
+Performance Issues
+==================
+`mod_gnutls` by default uses conservative settings for the server.
+You can fine tune the configuration to reduce the load on a busy
+server.  The following examples do exactly this:
+OCSP Stapling Example
+---------------------
+This example uses an X.509 server certificate. The server will fetch
+OCSP responses from the responder listed in the certificate and store
+them im a memcached cache shared with another server.
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
+     # Using 4 memcache servers to distribute the SSL Session Cache.
+     GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
+     GnuTLSCache memcache "192.0.2.1:11211 192.0.2.2:11211"
      GnuTLSCacheTimeout 600
+     Listen 1.2.3.1:443
+     NameVirtualHost 1.2.3.1:443
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     # Here we disable the Perfect forward secrecy ciphersuites (DHE)
+     # and disallow AES-256 since AES-128 is just fine.
+     GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
+     DocumentRoot /www/site1.example.com/html
+     ServerName site1.example.com:443
+     GnuTLSCertificateFile conf/ssl/site1.crt
+     GnuTLSKeyFile conf/ss/site1.key
+     </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     # Here we instead of disabling the DHE ciphersuites we use
+     # Diffie Hellman parameters of smaller size than the default (2048 bits).
+     # Using small numbers from 768 to 1024 bits should be ok once they are
+     # regenerated every few hours.
+     # Use "certtool --generate-dh-params --bits 1024" to get those
+     GnuTLSDHFile /etc/apache2/dh.params
+     GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
+     DocumentRoot /www/site2.example.com/html
+     ServerName site2.example.com:443
+     GnuTLSCertificateFile conf/ssl/site2.crt
+     GnuTLSKeyFile conf/ss/site2.key
+     Listen 192.0.2.1:443
+     <VirtualHost _default_:443>
+         GnuTLSEnable          On
+         GnuTLSPriorities      NORMAL
+         DocumentRoot          /www/site1.example.com/html
+         ServerName            site1.example.com:443
+         GnuTLSCertificateFile conf/tls/site1.crt
+         GnuTLSKeyFile         conf/tls/site1.key
+         GnuTLSPriorities      NORMAL
+         GnuTLSOCSPStapling    On
      </VirtualHost>

include/mod_gnutls.h.in

-                      rbaa4ed5
+                      rd2b32f1
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
 …
 /* GnuTLS Library Headers */
 #include <gnutls/gnutls.h>
-#if GNUTLS_VERSION_MAJOR == 2
-#include <gnutls/extra.h>
-#endif
 #include <gnutls/abstract.h>
 #include <gnutls/openpgp.h>
 …
 /* Module Debug Mode */
 #define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
-/*
- * Recent Versions of 2.1 renamed several hooks.
- * This allows us to compile on 2.0.xx
- */
-#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
-        #define USING_2_1_RECENT 1
-#else
-        #define USING_2_1_RECENT 0
-#endif
 /* mod_gnutls Cache Types */
 …
 } mgs_cache_e;
+/* Internal cache data, defined in gnutls_cache.h */
+typedef struct mgs_cache* mgs_cache_t;
 typedef enum {
     mgs_cvm_unset,
 …
 typedef struct {
     int client_verify_mode;
-    const char* lua_bytecode;
-    apr_size_t lua_bytecode_len;
 } mgs_dirconf_rec;
+/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
+typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
 …
     mgs_cache_e cache_type;
     const char* cache_config;
+    /* Internal cache data */
+    mgs_cache_t cache;
         /* GnuTLS uses Session Tickets */
 …
         /* Last Cache timestamp */
     apr_time_t last_cache_check;
+    /* Enable OCSP stapling */
+    unsigned char ocsp_staple;
+    /* Check nonce in OCSP responses? */
+    unsigned char ocsp_check_nonce;
+    /* Read OCSP response for stapling from this file instead of
+     * sending a request over HTTP */
+    char *ocsp_response_file;
+    /* Internal OCSP data for this server */
+    mgs_ocsp_data_t ocsp;
+    /* Mutex to prevent parallel OCSP requests */
+    apr_global_mutex_t *ocsp_mutex;
+    /* Cache timeout for OCSP responses. Note that the nextUpdate
+     * field of the response takes precedence if shorter. */
+    apr_interval_time_t ocsp_cache_time;
+    /* If an OCSP request fails wait this long before trying again. */
+    apr_interval_time_t ocsp_failure_timeout;
+    /* Socket timeout for OCSP requests */
+    apr_interval_time_t ocsp_socket_timeout;
 } mgs_srvconf_rec;
 …
 /**
- * Init the Cache after Configuration is done
- */
-int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
-                                 mgs_srvconf_rec *sc);
-/**
- * Init the Cache inside each Process
- */
-int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
-                                mgs_srvconf_rec *sc);
-/**
- * Setup the Session Caching
- */
-int mgs_cache_session_init(mgs_handle_t *ctxt);
-#define GNUTLS_SESSION_ID_STRING_LEN \
-    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
-/**
  * Perform any reinitialization required in PKCS #11
  */
 int mgs_pkcs11_reinit(server_rec * s);
-/**
- * Convert a SSL Session ID into a Null Terminated Hex Encoded String
- * @param id raw SSL Session ID
- * @param idlen Length of the raw Session ID
- * @param str Location to store the Hex Encoded String
- * @param strsize The Maximum Length that can be stored in str
- */
-char *mgs_session_id2sz(unsigned char *id, int idlen,
-                                char *str, int strsize);
-/**
- * Convert a time_t into a Null Terminated String
- * @param t time_t time
- * @param str Location to store the Hex Encoded String
- * @param strsize The Maximum Length that can be stored in str
- */
-char *mgs_time2sz(time_t t, char *str, int strsize);
 …
 /* Loads all files set in the configuration */
+int mgs_load_files(apr_pool_t * p, server_rec * s);
+int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
+    __attribute__((nonnull));
 const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
 …
                           const char *type, const char* arg);
+const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
+                                  const char *arg);
+const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
 …
                         apr_pool_t * plog, apr_pool_t * ptemp);
+int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
+                         apr_pool_t * ptemp,
+                         server_rec * base_server);
+int mgs_hook_post_config(apr_pool_t *pconf,
+                         apr_pool_t *plog,
+                         apr_pool_t *ptemp,
+                         server_rec *base_server);
 void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

src/Makefile.am

-                      rbaa4ed5
+                      rd2b32f1
 endif
+mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
+mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \
+        gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_util.c
 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
+noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_util.h
 apmodpkglib_LTLIBRARIES = mod_gnutls.la

src/gnutls_cache.c

-                      rbaa4ed5
+                      rd2b32f1
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
+/**
+ * @file gnutls_cache.c
+ *
+ * The signatures of the `(dbm|mc)_cache_...()` functions may be a bit
+ * confusing: "store" and "expire" take a server_rec, "fetch" an
+ * mgs_handle_t, and "delete" the `void*` required for a
+ * `gnutls_db_remove_func`. The first two have matching `..._session`
+ * functions to fit their respective GnuTLS session cache signatures.
+ *
+ * This is because "store", "expire" (dbm only), and "fetch" are also
+ * needed for the OCSP cache. Their `..._session` variants have been
+ * created to take care of the session cache specific parts, mainly
+ * calculating the DB key from the session ID. They have to match the
+ * appropriate GnuTLS DB function signatures.
+ *
+ * Additionally, there are the `mc_cache_(store|fetch)_generic()`
+ * functions. They exist because memcached requires string keys while
+ * DBM accepts binary keys, and provide wrappers to turn binary keys
+ * into hex strings with a `mod_gnutls:` prefix.
+ *
+ * To update cached OCSP responses independent of client connections,
+ * "store" and "expire" have to work without a connection context. On
+ * the other hand "fetch" does not need to do that, because cached
+ * OCSP responses will be retrieved for use in client connections.
+ */
+#include "gnutls_cache.h"
 #include "mod_gnutls.h"
+#include "gnutls_config.h"
 #if HAVE_APR_MEMCACHE
 …
 #include "apr_dbm.h"
+#include <apr_escape.h>
 #include "ap_mpm.h"
+#include <util_mutex.h>
 #include <unistd.h>
 …
 #endif
+/* it seems the default has some strange errors. Use SDBM
+ */
+/** Default session cache timeout */
+#define MGS_DEFAULT_CACHE_TIMEOUT 300
+/** Prefix for keys used with a memcached cache */
 #define MC_TAG "mod_gnutls:"
+#define MC_TAG_LEN sizeof(MC_TAG)
+#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
+/** Maximum length of the hex string representation of a GnuTLS
+ * session ID: two characters per byte, plus one more for `\0` */
+#if GNUTLS_VERSION_NUMBER >= 0x030400
+#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID_SIZE * 2) + 1)
+#else
+#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)
+#endif
 #if MODULE_MAGIC_NUMBER_MAJOR < 20081201
 …
 #endif
+char *mgs_session_id2sz(unsigned char *id, int idlen,
+        char *str, int strsize) {
+    char *cp;
+    int n;
+    cp = str;
+    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
+        apr_snprintf(cp, strsize - (cp - str), "%02X", id[n]);
+        cp += 2;
+    }
+    *cp = '\0';
+    return str;
+}
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+/**
+ * Turn a GnuTLS session ID into the key format we use with DBM
+ * caches. Name the Session ID as `server:port.SessionID` to disallow
+ * resuming sessions on different servers.
+ *
+ * @return `0` on success, `-1` on failure
  */
+static int mgs_session_id2dbm(conn_rec * c, unsigned char *id, int idlen,
+        apr_datum_t * dbmkey) {
+    char buf[STR_SESSION_LEN];
+    char *sz;
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof (buf));
+    if (sz == NULL)
+        return -1;
+    dbmkey->dptr =
+            apr_psprintf(c->pool, "%s:%d.%s",
+            c->base_server->server_hostname,
+            c->base_server->port, sz);
+    dbmkey->dsize = strlen(dbmkey->dptr);
+static int mgs_session_id2dbm(conn_rec *c, unsigned char *id, int idlen,
+                              gnutls_datum_t *dbmkey)
+{
+    char sz[GNUTLS_SESSION_ID_STRING_LEN];
+    apr_status_t rv = apr_escape_hex(sz, id, idlen, 0, NULL);
+    if (rv != APR_SUCCESS)
+        return -1;
+    char *newkey = apr_psprintf(c->pool, "%s:%d.%s",
+                                c->base_server->server_hostname,
+                                c->base_server->port, sz);
+    dbmkey->size = strlen(newkey);
+    /* signedness does not matter for arbitrary bits */
+    dbmkey->data = (unsigned char*) newkey;
     return 0;
+}
+#define CTIME "%b %d %k:%M:%S %Y %Z"
+char *mgs_time2sz(time_t in_time, char *str, int strsize) {
+/** The OPENSSL_TIME_FORMAT macro and mgs_time2sz() serve to print
+ * time in a format compatible with OpenSSL's `ASN1_TIME_print()`
+ * function. */
+#define OPENSSL_TIME_FORMAT "%b %d %k:%M:%S %Y %Z"
+char *mgs_time2sz(time_t in_time, char *str, int strsize)
+{
     apr_time_exp_t vtm;
     apr_size_t ret_size;
 …
     apr_time_ansi_put(&t, in_time);
     apr_time_exp_gmt(&vtm, t);
     apr_strftime(str, &ret_size, strsize - 1, CTIME, &vtm);
+    apr_strftime(str, &ret_size, strsize - 1, OPENSSL_TIME_FORMAT, &vtm);
     return str;
 …
 #if HAVE_APR_MEMCACHE
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+/**
+ * Turn a GnuTLS session ID into the key format we use with memcached
+ * caches. Name the Session ID as `server:port.SessionID` to disallow
+ * resuming sessions on different servers.
+ *
+ * @return `0` on success, `-1` on failure
  */
+static char *mgs_session_id2mc(conn_rec * c, unsigned char *id, int idlen) {
+    char buf[STR_SESSION_LEN];
+    char *sz;
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof (buf));
+    if (sz == NULL)
+static char *mgs_session_id2mc(conn_rec * c, unsigned char *id, int idlen)
+{
+    char sz[GNUTLS_SESSION_ID_STRING_LEN];
+    apr_status_t rv = apr_escape_hex(sz, id, idlen, 0, NULL);
+    if (rv != APR_SUCCESS)
         return NULL;
 …
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                 "[gnutls_cache] Failed to create Memcache Object of '%d' size.",
                 nservers);
+                     "Failed to create Memcache object of size '%d'.",
+                     nservers);
         return rv;
+    }
 …
         if (rv != APR_SUCCESS) {
             ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                    "[gnutls_cache] Failed to Parse Server: '%s'",
+                    split);
+                         "Failed to parse server: '%s'", split);
             return rv;
+        }
 …
         if (host_str == NULL) {
             ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "[gnutls_cache] Failed to Parse Server, "
                     "no hostname specified: '%s'", split);
+                         "Failed to parse server, "
+                         "no hostname specified: '%s'", split);
             return rv;
+        }
 …
         if (rv != APR_SUCCESS) {
             ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "[gnutls_cache] Failed to Create Server: %s:%d",
                     host_str, port);
+                         "Failed to create server: %s:%d",
+                         host_str, port);
             return rv;
+        }
 …
         if (rv != APR_SUCCESS) {
             ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "[gnutls_cache] Failed to Add Server: %s:%d",
                     host_str, port);
+                         "Failed to add server: %s:%d",
+                         host_str, port);
             return rv;
+        }
 …
+}
+static int mc_cache_store(void *baton, gnutls_datum_t key,
+        gnutls_datum_t data) {
+static int mc_cache_store(server_rec *s, const char *key,
+                          gnutls_datum_t data, apr_uint32_t timeout)
+{
+    apr_status_t rv = apr_memcache_set(mc, key, (char *) data.data,
+                                       data.size, timeout, 0);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                     "error storing key '%s' with %d bytes of data",
+                     key, data.size);
+        return -1;
+    }
+    return 0;
+}
+static int mc_cache_store_generic(server_rec *s, gnutls_datum_t key,
+                                  gnutls_datum_t data, apr_time_t expiry)
+{
+    apr_uint32_t timeout = apr_time_sec(expiry - apr_time_now());
+    apr_pool_t *p;
+    apr_pool_create(&p, NULL);
+    const char *hex = apr_pescape_hex(p, key.data, key.size, 1);
+    if (hex == NULL)
+    {
+        apr_pool_destroy(p);
+        return -1;
+    }
+    const char *strkey = apr_psprintf(p, MC_TAG "%s", hex);
+    int ret = mc_cache_store(s, strkey, data, timeout);
+    apr_pool_destroy(p);
+    return ret;
+}
+static int mc_cache_store_session(void *baton, gnutls_datum_t key,
+                                  gnutls_datum_t data)
+{
+    mgs_handle_t *ctxt = baton;
+    const char *strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
+    if (!strkey)
+        return -1;
+    apr_uint32_t timeout = apr_time_sec(ctxt->sc->cache_timeout);
+    return mc_cache_store(ctxt->c->base_server, strkey, data, timeout);
+}
+static gnutls_datum_t mc_cache_fetch(conn_rec *c, const char *key)
+{
     apr_status_t rv = APR_SUCCESS;
-    mgs_handle_t *ctxt = baton;
-    char *strkey = NULL;
-    apr_uint32_t timeout;
-    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
-    if (!strkey)
-        return -1;
-    timeout = apr_time_sec(ctxt->sc->cache_timeout);
-    rv = apr_memcache_set(mc, strkey, (char *) data.data, data.size, timeout,
-);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_CRIT, rv,
-                ctxt->c->base_server,
-                "[gnutls_cache] error setting key '%s' "
-                "with %d bytes of data", strkey, data.size);
-        return -1;
+    }
-    return 0;
+}
-static gnutls_datum_t mc_cache_fetch(void *baton, gnutls_datum_t key) {
-    apr_status_t rv = APR_SUCCESS;
-    mgs_handle_t *ctxt = baton;
-    char *strkey = NULL;
     char *value;
     apr_size_t value_len;
     gnutls_datum_t data = {NULL, 0};
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
+    if (!strkey) {
+        return data;
+    }
+    rv = apr_memcache_getp(mc, ctxt->c->pool, strkey,
+            &value, &value_len, NULL);
+    if (rv != APR_SUCCESS) {
+    rv = apr_memcache_getp(mc, c->pool, key, &value, &value_len, NULL);
+    if (rv != APR_SUCCESS)
+    {
 #if MOD_GNUTLS_DEBUG
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error fetching key '%s' ",
+                strkey);
+#endif
+        data.size = 0;
+        data.data = NULL;
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c,
+                      "error fetching key '%s'",
+                      key);
+#endif
         return data;
+    }
 …
+}
+static gnutls_datum_t mc_cache_fetch_generic(mgs_handle_t *ctxt,
+                                             gnutls_datum_t key)
+{
+    gnutls_datum_t data = {NULL, 0};
+    const char *hex = apr_pescape_hex(ctxt->c->pool, key.data, key.size, 1);
+    if (hex == NULL)
+        return data;
+    const char *strkey = apr_psprintf(ctxt->c->pool, MC_TAG "%s", hex);
+    return mc_cache_fetch(ctxt->c, strkey);
+}
+static gnutls_datum_t mc_cache_fetch_session(void *baton, gnutls_datum_t key)
+{
+    mgs_handle_t *ctxt = baton;
+    gnutls_datum_t data = {NULL, 0};
+    const char *strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
+    if (!strkey)
+        return data;
+    return mc_cache_fetch(ctxt->c, strkey);
+}
 static int mc_cache_delete(void *baton, gnutls_datum_t key) {
     apr_status_t rv = APR_SUCCESS;
 …
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
                 ctxt->c->base_server,
                 "[gnutls_cache] error deleting key '%s' ",
                 strkey);
+                     ctxt->c->base_server,
+                     "error deleting key '%s'",
+                     strkey);
         return -1;
+    }
 …
 #define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
+static void dbm_cache_expire(mgs_handle_t * ctxt) {
+static void dbm_cache_expire(server_rec *s)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
     apr_status_t rv;
     apr_dbm_t *dbm;
     apr_datum_t dbmkey;
     apr_datum_t dbmval;
-    apr_time_t now;
     apr_time_t dtime;
     apr_pool_t *spool;
     int total, deleted;
+    now = apr_time_now();
+    if (now - ctxt->sc->last_cache_check <
+            (ctxt->sc->cache_timeout) / 2)
+    apr_time_t now = apr_time_now();
+    if (now - sc->last_cache_check < (sc->cache_timeout) / 2)
         return;
     ctxt->sc->last_cache_check = now;
     apr_pool_create(&spool, ctxt->c->pool);
+    sc->last_cache_check = now;
+    apr_pool_create(&spool, NULL);
     total = 0;
     deleted = 0;
+    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
+            ctxt->sc->cache_config, APR_DBM_RWCREATE,
+    apr_global_mutex_lock(sc->cache->mutex);
+    rv = apr_dbm_open_ex(&dbm, db_type(sc),
+            sc->cache_config, APR_DBM_RWCREATE,
             SSL_DBM_FILE_MODE, spool);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
                 ctxt->c->base_server,
                 "[gnutls_cache] error opening cache searcher '%s'",
                 ctxt->sc->cache_config);
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s,
+                     "error opening cache '%s'",
+                     sc->cache_config);
+        apr_global_mutex_unlock(sc->cache->mutex);
         apr_pool_destroy(spool);
         return;
 …
     apr_dbm_close(dbm);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+            ctxt->c->base_server,
+            "[gnutls_cache] Cleaned up cache '%s'. Deleted %d and left %d",
+            ctxt->sc->cache_config, deleted, total - deleted);
+    rv = apr_global_mutex_unlock(sc->cache->mutex);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
+                 "Cleaned up cache '%s'. Deleted %d and left %d",
+                 sc->cache_config, deleted, total - deleted);
     apr_pool_destroy(spool);
 …
+}
+static gnutls_datum_t dbm_cache_fetch(void *baton, gnutls_datum_t key) {
+static gnutls_datum_t dbm_cache_fetch(mgs_handle_t *ctxt, gnutls_datum_t key)
+{
     gnutls_datum_t data = {NULL, 0};
     apr_dbm_t *dbm;
     apr_datum_t dbmkey;
+    apr_datum_t dbmkey = {(char*) key.data, key.size};
     apr_datum_t dbmval;
     mgs_handle_t *ctxt = baton;
+    apr_time_t expiry = 0;
     apr_status_t rv;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return data;
+    /* check if it is time for cache expiration */
+    dbm_cache_expire(ctxt->c->base_server);
+    apr_global_mutex_lock(ctxt->sc->cache->mutex);
     rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
 …
             SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
                 ctxt->c->base_server,
                 "[gnutls_cache] error opening cache '%s'",
                 ctxt->sc->cache_config);
+        ap_log_cerror(APLOG_MARK, APLOG_NOTICE, rv, ctxt->c,
+                      "error opening cache '%s'",
+                      ctxt->sc->cache_config);
+        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
         return data;
+    }
 …
     rv = apr_dbm_fetch(dbm, dbmkey, &dbmval);
+    if (rv != APR_SUCCESS) {
+        apr_dbm_close(dbm);
+    if (rv != APR_SUCCESS)
+        goto close_db;
+    if (dbmval.dptr == NULL || dbmval.dsize <= sizeof (apr_time_t))
+        goto cleanup;
+    data.size = dbmval.dsize - sizeof (apr_time_t);
+    /* get data expiration tag */
+    expiry = *((apr_time_t *) dbmval.dptr);
+    data.data = gnutls_malloc(data.size);
+    if (data.data == NULL)
+    {
+        data.size = 0;
+        goto cleanup;
+    }
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, ctxt->c,
+                  "fetched %ld bytes from cache",
+                  dbmval.dsize);
+    memcpy(data.data, dbmval.dptr + sizeof (apr_time_t), data.size);
+ cleanup:
+    apr_dbm_freedatum(dbm, dbmval);
+ close_db:
+    apr_dbm_close(dbm);
+    apr_global_mutex_unlock(ctxt->sc->cache->mutex);
+    /* cache entry might have expired since last cache cleanup */
+    if (expiry != 0 && expiry < apr_time_now())
+    {
+        gnutls_free(data.data);
+        data.data = NULL;
+        data.size = 0;
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "dropped expired cache data");
+    }
+    return data;
+}
+static gnutls_datum_t dbm_cache_fetch_session(void *baton, gnutls_datum_t key)
+{
+    gnutls_datum_t data = {NULL, 0};
+    gnutls_datum_t dbmkey;
+    mgs_handle_t *ctxt = baton;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return data;
+    }
+    if (dbmval.dptr == NULL || dbmval.dsize <= sizeof (apr_time_t)) {
+        apr_dbm_freedatum(dbm, dbmval);
+        apr_dbm_close(dbm);
+        return data;
+    }
+    data.size = dbmval.dsize - sizeof (apr_time_t);
+    data.data = gnutls_malloc(data.size);
+    if (data.data == NULL) {
+        apr_dbm_freedatum(dbm, dbmval);
+        apr_dbm_close(dbm);
+        return data;
+    }
+    memcpy(data.data, dbmval.dptr + sizeof (apr_time_t), data.size);
+    apr_dbm_freedatum(dbm, dbmval);
+    apr_dbm_close(dbm);
+    return data;
+}
+static int dbm_cache_store(void *baton, gnutls_datum_t key,
+        gnutls_datum_t data) {
+    return dbm_cache_fetch(ctxt, dbmkey);
+}
+static int dbm_cache_store(server_rec *s, gnutls_datum_t key,
+                           gnutls_datum_t data, apr_time_t expiry)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
     apr_dbm_t *dbm;
     apr_datum_t dbmkey;
+    apr_datum_t dbmkey = {(char*) key.data, key.size};
     apr_datum_t dbmval;
-    mgs_handle_t *ctxt = baton;
     apr_status_t rv;
-    apr_time_t expiry;
     apr_pool_t *spool;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
+    /* we expire dbm only on every store
+     */
+    dbm_cache_expire(ctxt);
+    apr_pool_create(&spool, ctxt->c->pool);
+    /* check if it is time for cache expiration */
+    dbm_cache_expire(s);
+    apr_pool_create(&spool, NULL);
     /* create DBM value */
 …
     dbmval.dptr = (char *) apr_palloc(spool, dbmval.dsize);
+    expiry = apr_time_now() + ctxt->sc->cache_timeout;
+    /* prepend expiration time */
     memcpy((char *) dbmval.dptr, &expiry, sizeof (apr_time_t));
     memcpy((char *) dbmval.dptr + sizeof (apr_time_t),
             data.data, data.size);
+    apr_global_mutex_lock(sc->cache->mutex);
+    rv = apr_dbm_open_ex(&dbm, db_type(sc),
+                         sc->cache_config, APR_DBM_RWCREATE,
+                         SSL_DBM_FILE_MODE, spool);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s,
+                     "error opening cache '%s'",
+                     sc->cache_config);
+        apr_global_mutex_unlock(sc->cache->mutex);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    rv = apr_dbm_store(dbm, dbmkey, dbmval);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
+                     "error storing in cache '%s'",
+                     sc->cache_config);
+        apr_dbm_close(dbm);
+        apr_global_mutex_unlock(sc->cache->mutex);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    apr_dbm_close(dbm);
+    apr_global_mutex_unlock(sc->cache->mutex);
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s,
+                 "stored %ld bytes of data (%ld byte key) in cache '%s'",
+                 dbmval.dsize, dbmkey.dsize, sc->cache_config);
+    apr_pool_destroy(spool);
+    return 0;
+}
+static int dbm_cache_store_session(void *baton, gnutls_datum_t key,
+                                   gnutls_datum_t data)
+{
+    mgs_handle_t *ctxt = baton;
+    gnutls_datum_t dbmkey;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
+    apr_time_t expiry = apr_time_now() + ctxt->sc->cache_timeout;
+    return dbm_cache_store(ctxt->c->base_server, dbmkey, data, expiry);
+}
+static int dbm_cache_delete(void *baton, gnutls_datum_t key)
+{
+    apr_dbm_t *dbm;
+    gnutls_datum_t tmpkey;
+    mgs_handle_t *ctxt = baton;
+    apr_status_t rv;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &tmpkey) < 0)
+        return -1;
+    apr_datum_t dbmkey = {(char*) tmpkey.data, tmpkey.size};
+    apr_global_mutex_lock(ctxt->sc->cache->mutex);
     rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
 …
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error opening cache '%s'",
+                ctxt->sc->cache_config);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    rv = apr_dbm_store(dbm, dbmkey, dbmval);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error storing in cache '%s'",
+                ctxt->sc->cache_config);
+        apr_dbm_close(dbm);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    apr_dbm_close(dbm);
+    apr_pool_destroy(spool);
+    return 0;
+}
+static int dbm_cache_delete(void *baton, gnutls_datum_t key) {
+    apr_dbm_t *dbm;
+    apr_datum_t dbmkey;
+    mgs_handle_t *ctxt = baton;
+    apr_status_t rv;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
+    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
+            ctxt->sc->cache_config, APR_DBM_RWCREATE,
+            SSL_DBM_FILE_MODE, ctxt->c->pool);
+                     ctxt->c->base_server,
+                     "error opening cache '%s'",
+                     ctxt->sc->cache_config);
+        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
+        return -1;
+    }
+    rv = apr_dbm_delete(dbm, dbmkey);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error opening cache '%s'",
+                ctxt->sc->cache_config);
+        return -1;
+    }
+    rv = apr_dbm_delete(dbm, dbmkey);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error deleting from cache '%s'",
+                ctxt->sc->cache_config);
+                     ctxt->c->base_server,
+                     "error deleting from cache '%s'",
+                     ctxt->sc->cache_config);
         apr_dbm_close(dbm);
+        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
         return -1;
+    }
     apr_dbm_close(dbm);
+    apr_global_mutex_unlock(ctxt->sc->cache->mutex);
     return 0;
 …
         sc->cache_type = mgs_cache_none;
     /* if GnuTLSCacheTimeout was never explicitly set: */
+    if (sc->cache_timeout == -1)
+        sc->cache_timeout = apr_time_from_sec(300);
+    if (sc->cache_type == mgs_cache_dbm
+            || sc->cache_type == mgs_cache_gdbm) {
+    if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
+        sc->cache_timeout = apr_time_from_sec(MGS_DEFAULT_CACHE_TIMEOUT);
+    /* initialize mutex only once */
+    if (sc->cache == NULL)
+    {
+        sc->cache = apr_palloc(p, sizeof(struct mgs_cache));
+        apr_status_t rv = ap_global_mutex_create(&sc->cache->mutex, NULL,
+                                                 MGS_CACHE_MUTEX_NAME,
+                                                 NULL, s, p, 0);
+        if (rv != APR_SUCCESS)
+            return rv;
+    }
+    if (sc->cache_type == mgs_cache_dbm || sc->cache_type == mgs_cache_gdbm)
+    {
+        sc->cache->store = dbm_cache_store;
+        sc->cache->fetch = dbm_cache_fetch;
         return dbm_cache_post_config(p, s, sc);
+    }
-    return 0;
+}
 #if HAVE_APR_MEMCACHE
+    else if (sc->cache_type == mgs_cache_memcache)
+    {
+        sc->cache->store = mc_cache_store_generic;
+        sc->cache->fetch = mc_cache_fetch_generic;
+    }
+#endif
+    return APR_SUCCESS;
+}
 int mgs_cache_child_init(apr_pool_t * p,
                          server_rec * s,
                          mgs_srvconf_rec * sc)
+#else
+int mgs_cache_child_init(apr_pool_t * p __attribute__((unused)),
+                         server_rec * s __attribute__((unused)),
+                         mgs_srvconf_rec * sc)
+#endif
+{
+{
+    /* reinit cache mutex */
+    const char *lockfile = apr_global_mutex_lockfile(sc->cache->mutex);
+    apr_status_t rv = apr_global_mutex_child_init(&sc->cache->mutex,
+                                                  lockfile, p);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                     "Failed to reinit mutex '%s'", MGS_CACHE_MUTEX_NAME);
     if (sc->cache_type == mgs_cache_dbm
             || sc->cache_type == mgs_cache_gdbm) {
 …
             || ctxt->sc->cache_type == mgs_cache_gdbm) {
         gnutls_db_set_retrieve_function(ctxt->session,
                 dbm_cache_fetch);
+                dbm_cache_fetch_session);
         gnutls_db_set_remove_function(ctxt->session,
                 dbm_cache_delete);
         gnutls_db_set_store_function(ctxt->session,
                 dbm_cache_store);
+                dbm_cache_store_session);
         gnutls_db_set_ptr(ctxt->session, ctxt);
+    }
 …
     else if (ctxt->sc->cache_type == mgs_cache_memcache) {
         gnutls_db_set_retrieve_function(ctxt->session,
                 mc_cache_fetch);
+                mc_cache_fetch_session);
         gnutls_db_set_remove_function(ctxt->session,
                 mc_cache_delete);
         gnutls_db_set_store_function(ctxt->session,
                 mc_cache_store);
+                mc_cache_store_session);
         gnutls_db_set_ptr(ctxt->session, ctxt);
+    }

src/gnutls_config.c

-                      rbaa4ed5
+                      rd2b32f1
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
+#include "gnutls_config.h"
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #include "apr_lib.h"
 #include <gnutls/abstract.h>
 …
         "-----END DH PARAMETERS-----\n";
+int mgs_load_files(apr_pool_t * p, server_rec * s)
+/*
+ * Clean up the various GnuTLS data structures allocated from
+ * mgs_load_files()
+ */
+static apr_status_t mgs_pool_free_credentials(void *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) arg;
+    if (sc->certs)
+    {
+        gnutls_certificate_free_credentials(sc->certs);
+        sc->certs = NULL;
+    }
+    if (sc->anon_creds)
+    {
+        gnutls_anon_free_server_credentials(sc->anon_creds);
+        sc->anon_creds = NULL;
+    }
+#ifdef ENABLE_SRP
+    if (sc->srp_creds)
+    {
+        gnutls_srp_free_server_credentials(sc->srp_creds);
+        sc->srp_creds = NULL;
+    }
+#endif
+    if (sc->dh_params)
+    {
+        gnutls_dh_params_deinit(sc->dh_params);
+        sc->dh_params = NULL;
+    }
+    for (unsigned int i = 0; i < sc->certs_x509_chain_num; i++)
+    {
+        gnutls_pcert_deinit(&sc->certs_x509_chain[i]);
+        gnutls_x509_crt_deinit(sc->certs_x509_crt_chain[i]);
+    }
+    if (sc->privkey_x509)
+    {
+        gnutls_privkey_deinit(sc->privkey_x509);
+        sc->privkey_x509 = NULL;
+    }
+    if (sc->ca_list)
+    {
+        for (unsigned int i = 0; i < sc->ca_list_size; i++)
+        {
+            gnutls_x509_crt_deinit(sc->ca_list[i]);
+        }
+        gnutls_free(sc->ca_list);
+        sc->ca_list = NULL;
+    }
+    if (sc->cert_pgp)
+    {
+        gnutls_pcert_deinit(&sc->cert_pgp[0]);
+        sc->cert_pgp = NULL;
+        gnutls_openpgp_crt_deinit(sc->cert_crt_pgp[0]);
+        sc->cert_crt_pgp = NULL;
+    }
+    if (sc->privkey_pgp)
+    {
+        gnutls_privkey_deinit(sc->privkey_pgp);
+        sc->privkey_pgp = NULL;
+#if GNUTLS_VERSION_NUMBER < 0x030312
+        gnutls_openpgp_privkey_deinit(sc->privkey_pgp_internal);
+        sc->privkey_pgp_internal = NULL;
+#endif
+    }
+    if (sc->pgp_list)
+    {
+        gnutls_openpgp_keyring_deinit(sc->pgp_list);
+        sc->pgp_list = NULL;
+    }
+    if (sc->priorities)
+    {
+        gnutls_priority_deinit(sc->priorities);
+        sc->priorities = NULL;
+    }
+    return APR_SUCCESS;
+}
+int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
+{
     apr_pool_t *spool;
 …
     int ret;
     mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, p);
+    sc->cert_pgp = apr_pcalloc(p, sizeof(sc->cert_pgp[0]));
+    sc->cert_crt_pgp = apr_pcalloc(p, sizeof(sc->cert_crt_pgp[0]));
+    sc->certs_x509_chain =
+        apr_pcalloc(p, MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
+    sc->certs_x509_crt_chain =
+        apr_pcalloc(p,
+                    MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
+    ret = gnutls_certificate_allocate_credentials(&sc->certs);
+    if (ret < 0) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                     "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                     gnutls_strerror(ret));
+        ret = -1;
+        goto cleanup;
+    }
+    ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
+    if (ret < 0) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                     "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                     gnutls_strerror(ret));
+        ret = -1;
+        goto cleanup;
+        (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, ptemp);
+    /* Cleanup function for the GnuTLS structures allocated below */
+    apr_pool_cleanup_register(pconf, sc, mgs_pool_free_credentials,
+                              apr_pool_cleanup_null);
+    if (sc->certs == NULL)
+    {
+        ret = gnutls_certificate_allocate_credentials(&sc->certs);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->anon_creds == NULL)
+    {
+        ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
     /* Load SRP parameters */
 #ifdef ENABLE_SRP
+    ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+    if (ret < 0) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                     "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                     gnutls_strerror(ret));
+        ret = -1;
+        goto cleanup;
+    }
+    if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
+        ret = gnutls_srp_set_server_credentials_file
+            (sc->srp_creds, sc->srp_tpasswd_file,
+             sc->srp_tpasswd_conf_file);
+        if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
+                         s,
+                         "GnuTLS: Host '%s:%d' is missing a "
+                         "SRP password or conf File!",
+                         s->server_hostname, s->port);
+            ret = -1;
+            goto cleanup;
+        }
+    if (sc->srp_creds == NULL)
+    {
+        ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL)
+    {
+        ret = gnutls_srp_set_server_credentials_file
+            (sc->srp_creds, sc->srp_tpasswd_file,
+             sc->srp_tpasswd_conf_file);
+        if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Host '%s:%d' is missing a "
+                         "SRP password or conf File!",
+                         s->server_hostname, s->port);
+            ret = -1;
+            goto cleanup;
+        }
+    }
 #endif
+    ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         ": (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+    }
+    /* Load DH parameters */
+    if (sc->dh_file) {
+        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
+                                          GNUTLS_X509_FMT_PEM);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "DH params '%s': (%d) %s", sc->dh_file, ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    } else {
+        gnutls_datum_t pdata = {
+            (void *) static_dh_params,
+            sizeof(static_dh_params)
+        };
+        ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                    "GnuTLS: Unable to generate or load DH Params: (%d) %s",
+                    ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->x509_cert_file != NULL) {
+        unsigned int chain_num, i;
+        unsigned format = GNUTLS_X509_FMT_PEM;
+        /* Load X.509 certificate */
+        if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
+            gnutls_pkcs11_obj_t obj;
+            file = sc->x509_cert_file;
+            ret = gnutls_pkcs11_obj_init(&obj);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Initializing PKCS #11 object");
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
+            ret = gnutls_pkcs11_obj_import_url(obj, file, GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Importing PKCS #11 object: '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            format = GNUTLS_X509_FMT_DER;
+            ret = gnutls_pkcs11_obj_export2(obj, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Exporting a PKCS #11 object: '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_deinit(obj);
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_cert_file);
+            ret = gnutls_load_file(file, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Certificate '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        ret =
+            gnutls_x509_crt_list_import2(&sc->certs_x509_crt_chain,
+                                        &chain_num, &data, format,
+                                        GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
+        gnutls_free(data.data);
+        sc->certs_x509_chain_num = chain_num;
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import Certificate Chain '%s': (%d) %s",
+                         file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        for (i = 0; i < chain_num; i++) {
+            ret =
+                gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
+                                         sc->certs_x509_crt_chain[i], 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import pCertificate '%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        sc->certs_x509_chain_num = chain_num;
+    }
+    if (sc->x509_key_file) {
+        ret = gnutls_privkey_init(&sc->privkey_x509);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
+            file = sc->x509_key_file;
+            gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
+                                            sc);
+            ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key URL '%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_key_file);
+            if (load_datum_from_file(spool, file, &data) != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Private Key '%s'",
+                             file);
+                ret = -1;
+                goto cleanup;
+            }
+            ret =
+                gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
+                                               GNUTLS_X509_FMT_PEM, sc->pin,
+);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key '%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+    if (sc->dh_params == NULL)
+    {
+        ret = gnutls_dh_params_init(&sc->dh_params);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         ": (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        /* Load DH parameters */
+        if (sc->dh_file)
+        {
+            if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+                ret = -1;
+                goto cleanup;
+            }
+            ret =
+                gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
+                                              GNUTLS_X509_FMT_PEM);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import "
+                             "DH params '%s': (%d) %s", sc->dh_file, ret,
+                             gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        } else {
+            gnutls_datum_t pdata = {
+                (void *) static_dh_params,
+                sizeof(static_dh_params)
+            };
+            ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Unable to generate or load DH Params: (%d) %s",
+                             ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+    }
+    if (sc->x509_cert_file != NULL && sc->certs_x509_crt_chain == NULL)
+    {
+        sc->certs_x509_chain =
+            apr_pcalloc(pconf,
+                        MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
+        sc->certs_x509_crt_chain =
+            apr_pcalloc(pconf,
+                        MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
+        unsigned int chain_num = MAX_CHAIN_SIZE;
+        unsigned format = GNUTLS_X509_FMT_PEM;
+        /* Load X.509 certificate */
+        if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
+            gnutls_pkcs11_obj_t obj;
+            file = sc->x509_cert_file;
+            ret = gnutls_pkcs11_obj_init(&obj);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Initializing PKCS #11 object");
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
+            ret = gnutls_pkcs11_obj_import_url(obj, file,
+                                               GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Importing PKCS #11 object: "
+                             "'%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            format = GNUTLS_X509_FMT_DER;
+            ret = gnutls_pkcs11_obj_export2(obj, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Exporting a PKCS #11 object: "
+                             "'%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_deinit(obj);
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_cert_file);
+            ret = gnutls_load_file(file, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Certificate '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        ret = gnutls_x509_crt_list_import(sc->certs_x509_crt_chain,
+                                          &chain_num, &data, format,
+                                          GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
+        gnutls_free(data.data);
+        sc->certs_x509_chain_num = chain_num;
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import Certificate Chain "
+                         "'%s': (%d) %s",
+                         file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        for (unsigned int i = 0; i < chain_num; i++)
+        {
+            ret =
+                gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
+                                         sc->certs_x509_crt_chain[i], 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import pCertificate "
+                             "'%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        sc->certs_x509_chain_num = chain_num;
+    }
+    if (sc->x509_key_file && sc->privkey_x509 == NULL)
+    {
+        ret = gnutls_privkey_init(&sc->privkey_x509);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
+            file = sc->x509_key_file;
+            gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
+                                            sc);
+            ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key URL "
+                             "'%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_key_file);
+            if (load_datum_from_file(spool, file, &data) != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Private Key '%s'",
+                             file);
+                ret = -1;
+                goto cleanup;
+            }
+            ret =
+                gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
+                                               GNUTLS_X509_FMT_PEM, sc->pin,
+);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key "
+                             "'%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+    }
     /* Load the X.509 CA file */
+    if (sc->x509_ca_file) {
+        if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Client CA File '%s'",
+                         sc->x509_ca_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
+                                         &data, GNUTLS_X509_FMT_PEM, 0);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Client CA File '%s': (%d) %s", sc->x509_ca_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->pgp_cert_file) {
+        if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Certificate '%s'",
+                         sc->pgp_cert_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Init "
+                         "PGP Certificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
+                                      GNUTLS_OPENPGP_FMT_BASE64);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Certificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_pcert_import_openpgp(sc->cert_pgp, sc->cert_crt_pgp[0],
+);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP pCertificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    if (sc->x509_ca_file)
+    {
+        if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Client CA File '%s'",
+                         sc->x509_ca_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
+                                           &data, GNUTLS_X509_FMT_PEM, 0);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Client CA File '%s': (%d) %s", sc->x509_ca_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->pgp_cert_file && sc->cert_pgp == NULL)
+    {
+        sc->cert_pgp = apr_pcalloc(pconf, sizeof(sc->cert_pgp[0]));
+        sc->cert_crt_pgp = apr_pcalloc(pconf, sizeof(sc->cert_crt_pgp[0]));
+        if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Certificate '%s'",
+                         sc->pgp_cert_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Init "
+                         "PGP Certificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
+                                        GNUTLS_OPENPGP_FMT_BASE64);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Certificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_pcert_import_openpgp(sc->cert_pgp,
+                                          sc->cert_crt_pgp[0], 0);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP pCertificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
     /* Load the PGP key file */
+    if (sc->pgp_key_file) {
+        if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Private Key '%s'",
+                         sc->pgp_key_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_privkey_init(&sc->privkey_pgp);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         ": (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    if (sc->pgp_key_file && sc->privkey_pgp == NULL)
+    {
+        if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Private Key '%s'",
+                         sc->pgp_key_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_privkey_init(&sc->privkey_pgp);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         ": (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
 #if GNUTLS_VERSION_NUMBER < 0x030312
 …
          * gnutls_privkey_import_openpgp. */
         ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
         if (ret != 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "GnuTLS: Failed to initialize "
                          "PGP Private Key '%s': (%d) %s",
                          sc->pgp_key_file, ret, gnutls_strerror(ret));
             ret = -1;
             goto cleanup;
+        }
+        if (ret != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
         ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,
                                             GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
         if (ret != 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "GnuTLS: Failed to Import "
                          "PGP Private Key '%s': (%d) %s",
                          sc->pgp_key_file, ret, gnutls_strerror(ret));
             ret = -1;
             goto cleanup;
+        }
+        if (ret != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
         ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,
 …
                          "to gnutls_privkey_t structure: (%d) %s",
                          sc->pgp_key_file, ret, gnutls_strerror(ret));
             ret = -1;
             goto cleanup;
+        }
+            ret = -1;
+            goto cleanup;
+        }
 #else
         ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
                                                 GNUTLS_OPENPGP_FMT_BASE64,
                                                 NULL, NULL);
         if (ret != 0)
+        if (ret != 0)
+        {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
 …
                          "PGP Private Key '%s': (%d) %s",
                          sc->pgp_key_file, ret, gnutls_strerror(ret));
             ret = -1;
             goto cleanup;
+        }
+            ret = -1;
+            goto cleanup;
+        }
 #endif
+    }
     /* Load the keyring file */
+    if (sc->pgp_ring_file) {
+        if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Keyring File '%s'",
+                         sc->pgp_ring_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         "keyring: (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
+                                           GNUTLS_OPENPGP_FMT_BASE64);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Keyring File '%s': (%d) %s", sc->pgp_ring_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->priorities_str) {
+    if (sc->pgp_ring_file && sc->pgp_list == NULL)
+    {
+        if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Keyring File '%s'",
+                         sc->pgp_ring_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         "keyring: (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
+                                            GNUTLS_OPENPGP_FMT_BASE64);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Keyring File '%s': (%d) %s", sc->pgp_ring_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->priorities_str && sc->priorities == NULL)
+    {
         const char *err;
         ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err);
         if (ret < 0) {
             if (ret == GNUTLS_E_INVALID_REQUEST) {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                              "GnuTLS: Syntax error parsing priorities string at: %s",
                              err);
             } else {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                              "GnuTLS: error parsing priorities string");
+            }
             ret = -1;
             goto cleanup;
+        }
+        if (ret < 0) {
+            if (ret == GNUTLS_E_INVALID_REQUEST) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Syntax error parsing priorities string at: %s",
+                             err);
+            } else {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: error parsing priorities string");
+            }
+            ret = -1;
+            goto cleanup;
+        }
+    }
     ret = 0;
   cleanup:
+ cleanup:
     apr_pool_destroy(spool);
 …
+}
+const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy __attribute__((unused)),
+        const char *arg) {
+    int argint;
+    const char *err;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
+        return err;
+    }
+    argint = atoi(arg);
+    if (argint < 0) {
+        return "GnuTLSCacheTimeout: Invalid argument";
+    } else if (argint == 0) {
+        sc->cache_timeout = 0;
+    } else {
+        sc->cache_timeout = apr_time_from_sec(argint);
+    }
+const char *mgs_set_timeout(cmd_parms * parms,
+                            void *dummy __attribute__((unused)),
+                            const char *arg)
+{
+    apr_int64_t argint = apr_atoi64(arg);
+    /* timeouts cannot be negative */
+    if (argint < 0)
+        return apr_psprintf(parms->pool, "%s: Invalid argument",
+                            parms->directive->directive);
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+    if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
+    {
+        const char *err;
+        if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
+            return err;
+        sc->cache_timeout = apr_time_from_sec(argint);
+    }
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPCacheTimeout"))
+        sc->ocsp_cache_time = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPFailureTimeout"))
+        sc->ocsp_failure_timeout = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPSocketTimeout"))
+        sc->ocsp_socket_timeout = apr_time_from_sec(argint);
+    else
+        /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
+        return apr_psprintf(parms->pool,
+                            "mod_gnutls: %s called for invalid option '%s'",
+                            __func__, parms->directive->directive);
     return NULL;
 …
     sc->privkey_x509 = NULL;
+    sc->privkey_pgp = NULL;
+    sc->anon_creds = NULL;
+#ifdef ENABLE_SRP
+    sc->srp_creds = NULL;
+#endif
+    sc->certs = NULL;
+    sc->certs_x509_chain = NULL;
+    sc->certs_x509_crt_chain = NULL;
     sc->certs_x509_chain_num = 0;
     sc->p11_modules = NULL;
     sc->pin = NULL;
+    sc->cert_pgp = NULL;
+    sc->cert_crt_pgp = NULL;
+    sc->privkey_pgp = NULL;
+#if GNUTLS_VERSION_NUMBER < 0x030312
+    sc->privkey_pgp_internal = NULL;
+#endif
+    sc->pgp_list = NULL;
     sc->priorities_str = NULL;
     sc->cache_timeout = -1;     /* -1 means "unset" */
+    sc->cache_timeout = MGS_TIMEOUT_UNSET;
     sc->cache_type = mgs_cache_unset;
     sc->cache_config = NULL;
+    sc->cache = NULL;
     sc->tickets = GNUTLS_ENABLED_UNSET;
     sc->priorities = NULL;
     sc->dh_params = NULL;
+    sc->ca_list = NULL;
+    sc->ca_list_size = 0;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
     sc->export_certificates_size = -1;
 …
     sc->proxy_x509_crl_file = NULL;
     sc->proxy_priorities_str = NULL;
+    sc->proxy_x509_creds = NULL;
+    sc->anon_client_creds = NULL;
     sc->proxy_priorities = NULL;
+    sc->proxy_x509_tl = NULL;
+    sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_response_file = NULL;
+    sc->ocsp_mutex = NULL;
+    sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
+    sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
+    sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
 …
     gnutls_srvconf_merge(proxy_priorities, NULL);
+    /* FIXME: the following items are pre-allocated, and should be
+     * properly disposed of before assigning in order to avoid leaks;
+     * so at the moment, we can't actually have them in the config.
+     * what happens during de-allocation? */
+    /* TODO: mgs_load_files takes care of most of these now, verify
+     * and clean up the following lines */
+    gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_assign(ocsp_response_file);
+    gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_assign(ca_list);
     gnutls_srvconf_assign(ca_list_size);

src/gnutls_hooks.c

-                      rbaa4ed5
+                      rd2b32f1
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
 #include "mod_gnutls.h"
+#include "gnutls_cache.h"
+#include "gnutls_ocsp.h"
 #include "http_vhost.h"
 #include "ap_mpm.h"
 #include "mod_status.h"
+#include <util_mutex.h>
+#include <apr_escape.h>
 #ifdef ENABLE_MSVA
 …
 #endif
-#if !USING_2_1_RECENT
-extern server_rec *ap_server_conf;
-#endif
 #if MOD_GNUTLS_DEBUG
 static apr_file_t *debug_log_fp;
 …
     ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
+/** Key to encrypt session tickets. Must be kept secret. This key is
+ * generated in the `pre_config` hook and thus constant across
+ * forks. The problem with this approach is that it does not support
+ * regular key rotation. */
 static gnutls_datum_t session_ticket_key = {NULL, 0};
 …
 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
 #endif
+static int load_proxy_x509_credentials(server_rec *s);
+static int load_proxy_x509_credentials(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
+    __attribute__((nonnull));
 /* Pool Cleanup Function */
+apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused))) {
+        /* Free all session data */
+apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused)))
+{
+    /* Free session ticket master key */
+#if GNUTLS_VERSION_NUMBER >= 0x030400
+    gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size);
+#endif
     gnutls_free(session_ticket_key.data);
     session_ticket_key.data = NULL;
 …
     AP_OPTIONAL_HOOK(status_hook, mgs_status_hook, NULL, NULL, APR_HOOK_MIDDLE);
+        /* Register a pool clean-up function */
+    ap_mutex_register(pconf, MGS_CACHE_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, MGS_OCSP_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    /* Register a pool clean-up function */
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, apr_pool_cleanup_null);
 …
     /* Set Anon credentials */
     gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
+    if (ctxt->sc->ocsp_staple)
+    {
+        gnutls_certificate_set_ocsp_status_request_function(ctxt->sc->certs,
+                                                            mgs_get_ocsp_response,
+                                                            ctxt);
+    }
 #ifdef ENABLE_SRP
 …
+}
+int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog __attribute__((unused)), apr_pool_t * ptemp __attribute__((unused)), server_rec * base_server) {
+/**
+ * Post config hook.
+ *
+ * Must return OK or DECLINED on success, something else on
+ * error. These codes are defined in Apache httpd.h along with the
+ * HTTP status codes, so I'm going to use HTTP error codes both for
+ * fun (and to avoid conflicts).
+ */
+int mgs_hook_post_config(apr_pool_t *pconf,
+                         apr_pool_t *plog __attribute__((unused)),
+                         apr_pool_t *ptemp,
+                         server_rec *base_server)
+{
     int rv;
     server_rec *s;
 …
+    rv = mgs_cache_post_config(p, s, sc_base);
+    if (rv != 0) {
+    rv = mgs_cache_post_config(pconf, s, sc_base);
+    if (rv != APR_SUCCESS)
+    {
         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
+                "GnuTLS: Post Config for GnuTLSCache Failed."
+                " Shutting Down.");
+        exit(-1);
+                     "Post config for cache failed.");
+        return HTTP_INSUFFICIENT_STORAGE;
+    }
+    if (sc_base->ocsp_mutex == NULL)
+    {
+        rv = ap_global_mutex_create(&sc_base->ocsp_mutex, NULL,
+                                    MGS_OCSP_MUTEX_NAME, NULL,
+                                    base_server, pconf, 0);
+        if (rv != APR_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, base_server,
+                         "Failed to create mutex '" MGS_OCSP_MUTEX_NAME
+                         "'.");
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
+    }
 …
+    }
+    for (s = base_server; s; s = s->next) {
+    for (s = base_server; s; s = s->next)
+    {
         sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
         sc->cache_type = sc_base->cache_type;
         sc->cache_config = sc_base->cache_config;
         sc->cache_timeout = sc_base->cache_timeout;
+        rv = mgs_load_files(p, s);
+        sc->cache = sc_base->cache;
+        rv = mgs_load_files(pconf, ptemp, s);
         if (rv != 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                 "GnuTLS: Loading required files failed."
                 " Shutting Down.");
+            exit(-1);
+            return HTTP_NOT_FOUND;
+        }
+        if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
+            sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+        sc->ocsp_mutex = sc_base->ocsp_mutex;
+        /* init OCSP configuration if OCSP is enabled for this host */
+        if (sc->ocsp_staple)
+        {
+            rv = mgs_ocsp_post_config_server(pconf, ptemp, s);
+            if (rv != OK && rv != DECLINED)
+                return rv;
+        }
 …
             sc->enabled = GNUTLS_ENABLED_FALSE;
         if (sc->tickets == GNUTLS_ENABLED_UNSET)
             sc->tickets = GNUTLS_ENABLED_TRUE;
+            sc->tickets = GNUTLS_ENABLED_FALSE;
         if (sc->export_certificates_size < 0)
             sc->export_certificates_size = 0;
 …
                     "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
                     s->server_hostname, s->port);
             exit(-1);
+            return HTTP_NOT_ACCEPTABLE;
+        }
 …
                                                 "GnuTLS: Host '%s:%d' is missing a Certificate File!",
                                                 s->server_hostname, s->port);
             exit(-1);
+            return HTTP_UNAUTHORIZED;
+        }
         if (sc->enabled == GNUTLS_ENABLED_TRUE &&
             ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
+             (sc->cert_crt_pgp[0] != NULL && sc->privkey_pgp == NULL))) {
+             (sc->cert_crt_pgp != NULL && sc->privkey_pgp == NULL)))
+        {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "GnuTLS: Host '%s:%d' is missing a Private Key File!",
                                                 s->server_hostname, s->port);
             exit(-1);
+            return HTTP_UNAUTHORIZED;
+        }
 …
             rv = -1;
             if (sc->certs_x509_chain_num > 0) {
                 rv = read_crt_cn(s, p, sc->certs_x509_crt_chain[0], &sc->cert_cn);
+                rv = read_crt_cn(s, pconf, sc->certs_x509_crt_chain[0], &sc->cert_cn);
+            }
             if (rv < 0 && sc->cert_pgp != NULL) {
                 rv = read_pgpcrt_cn(s, p, sc->cert_crt_pgp[0], &sc->cert_cn);
+                rv = read_pgpcrt_cn(s, pconf, sc->cert_crt_pgp[0], &sc->cert_cn);
+                        }
 …
         if (sc->enabled == GNUTLS_ENABLED_TRUE
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE
             && load_proxy_x509_credentials(s) != APR_SUCCESS)
+            && load_proxy_x509_credentials(pconf, ptemp, s) != APR_SUCCESS)
+        {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
 …
                          "'%s:%d' failed, exiting!",
                          __func__, s->server_hostname, s->port);
             exit(-1);
+        }
+    }
     ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
+            return HTTP_PROXY_AUTHENTICATION_REQUIRED;
+        }
+    }
+    ap_add_version_component(pconf, "mod_gnutls/" MOD_GNUTLS_VERSION);
+    {
         const char* libvers = gnutls_check_version(NULL);
         char* gnutls_version = NULL;
         if(libvers && (gnutls_version = apr_psprintf(p, "GnuTLS/%s", libvers))) {
             ap_add_version_component(p, gnutls_version);
+        if(libvers && (gnutls_version = apr_psprintf(pconf, "GnuTLS/%s", libvers))) {
+            ap_add_version_component(pconf, gnutls_version);
         } else {
             // In case we could not create the above string go for the static version instead
             ap_add_version_component(p, "GnuTLS/" GNUTLS_VERSION "-static");
+            ap_add_version_component(pconf, "GnuTLS/" GNUTLS_VERSION "-static");
+        }
+    }
 …
+}
+void mgs_hook_child_init(apr_pool_t * p, server_rec *s) {
+void mgs_hook_child_init(apr_pool_t *p, server_rec *s)
+{
     apr_status_t rv = APR_SUCCESS;
     mgs_srvconf_rec *sc =
         (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     /* if we use PKCS #11 reinitialize it */
     if (mgs_pkcs11_reinit(s) < 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
 …
+        }
+    }
+    /* reinit OCSP mutex */
+    const char *lockfile = apr_global_mutex_lockfile(sc->ocsp_mutex);
+    rv = apr_global_mutex_child_init(&sc->ocsp_mutex, lockfile, p);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                     "Failed to reinit mutex '" MGS_OCSP_MUTEX_NAME "'.");
     /* Block SIGPIPE Signals */
     rv = apr_signal_block(SIGPIPE);
 …
 #define MAX_HOST_LEN 255
-#if USING_2_1_RECENT
 typedef struct {
     mgs_handle_t *ctxt;
 …
  * @param x vhost callback record
  * @param s server record
+ * @param tsc mod_gnutls server data for `s`
+ *
  * @return true if a match, false otherwise
+ *
  */
+int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc) {
+int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc)
+{
         apr_array_header_t *names;
         int rv = 0;
 …
+}
+static int vhost_cb(void *baton, conn_rec * conn __attribute__((unused)), server_rec * s) {
+static int vhost_cb(void *baton, conn_rec *conn, server_rec * s)
+{
     mgs_srvconf_rec *tsc;
     vhost_cb_rec *x = baton;
 …
         ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_crt_chain[0], s->server_hostname);
         if (0 == ret)
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                          "GnuTLS: the certificate doesn't match requested hostname "
                          "'%s'", s->server_hostname);
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+                          "GnuTLS: the certificate doesn't match requested "
+                          "hostname '%s'", s->server_hostname);
     } else {
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "GnuTLS: SNI request for '%s' but no X.509 certs available at all",
+                     s->server_hostname);
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn,
+                      "GnuTLS: SNI request for '%s' but no X.509 certs "
+                      "available at all",
+                      s->server_hostname);
+    }
         return check_server_aliases(x, s, tsc);
+}
-#endif
 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
 …
     char sni_name[MAX_HOST_LEN];
     mgs_handle_t *ctxt;
-#if USING_2_1_RECENT
     vhost_cb_rec cbx;
-#else
-    server_rec *s;
-    mgs_srvconf_rec *tsc;
-#endif
     if (session == NULL)
 …
     if (sni_type != GNUTLS_NAME_DNS) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
+                ctxt->c->base_server,
+                "GnuTLS: Unknown type '%d' for SNI: "
+                "'%s'", sni_type, sni_name);
+        ap_log_cerror(APLOG_MARK, APLOG_CRIT, 0, ctxt->c,
+                      "GnuTLS: Unknown type '%d' for SNI: '%s'",
+                      sni_type, sni_name);
         return NULL;
+    }
 …
      * for this IP/Port combo.  Trust that the core did the 'right' thing.
      */
-#if USING_2_1_RECENT
     cbx.ctxt = ctxt;
     cbx.sc = NULL;
 …
         return cbx.sc;
+    }
-#else
-    for (s = ap_server_conf; s; s = s->next) {
-        tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
-                                                       &gnutls_module);
-        if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; }
-        if(check_server_aliases(x, s, tsc)) {
-            return tsc;
+        }
+    }
-#endif
     return NULL;
+}
 …
                           gnutls_strerror(err), err);
         /* Initialize Session Tickets */
+        if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
+        if (session_ticket_key.data != NULL &&
+            ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
+        {
             err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
 …
 int mgs_hook_fixups(request_rec * r) {
     unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
-    char buf[AP_IOBUFSIZE];
     const char *tmp;
     size_t len;
 …
     len = sizeof (sbuf);
     gnutls_session_get_id(ctxt->session, sbuf, &len);
     tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
     apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
+    apr_table_setn(env, "SSL_SESSION_ID",
+                   apr_pescape_hex(r->pool, sbuf, len, 0));
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
 …
     len = sizeof (sbuf);
     gnutls_x509_crt_get_serial(cert, sbuf, &len);
     tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
     apr_table_setn(env, MGS_SIDE("_M_SERIAL"), apr_pstrdup(r->pool, tmp));
+    apr_table_setn(env, MGS_SIDE("_M_SERIAL"),
+                   apr_pescape_hex(r->pool, sbuf, len, 0));
     ret = gnutls_x509_crt_get_version(cert);
 …
     len = sizeof (sbuf);
     gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
     tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
     apr_table_setn(env, MGS_SIDE("_FINGERPRINT"), apr_pstrdup(r->pool, tmp));
+    apr_table_setn(env, MGS_SIDE("_FINGERPRINT"),
+                   apr_pescape_hex(r->pool, sbuf, len, 0));
     ret = gnutls_openpgp_crt_get_version(cert);
 …
+    }
+    gnutls_datum_t * out = gnutls_malloc(sizeof(gnutls_datum_t));
+    /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy certs
+     * 0: according to function API, the last argument should be 0 */
+    err = gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
+                                                       out, 0);
+    if (err != GNUTLS_E_SUCCESS)
+    if (status == 0)
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
                       "%s: server verify print failed: %s (%d)",
                       __func__, gnutls_strerror(err), err);
+                      "%s: server certificate is trusted.",
+                      __func__);
     else
+    {
+        /* If the certificate is trusted, logging the result is just
+         * nice for debugging. But if the back end server provided an
+         * untrusted certificate, warn! */
+        int level = (status == 0 ? APLOG_DEBUG : APLOG_WARNING);
+        ap_log_cerror(APLOG_MARK, level, 0, ctxt->c,
+                      "%s: server certificate verify result: %s",
+                      __func__, out->data);
+    }
+    gnutls_free(out);
+        gnutls_datum_t out;
+        /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy
+         * certs 0: according to function API, the last argument
+         * should be 0 */
+        err = gnutls_certificate_verification_status_print(status,
+                                                           GNUTLS_CRT_X509,
+                                                           &out, 0);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
+                          "%s: server verify print failed: %s (%d)",
+                          __func__, gnutls_strerror(err), err);
+        else
+            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                          "%s: %s",
+                          __func__, out.data);
+        gnutls_free(out.data);
+    }
     return status;
+}
 …
+static apr_status_t load_proxy_x509_credentials(server_rec *s)
+static apr_status_t cleanup_proxy_x509_credentials(void *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) arg;
+    if (sc->proxy_x509_creds)
+    {
+        /* This implicitly releases the associated trust list
+         * sc->proxy_x509_tl, too. */
+        gnutls_certificate_free_credentials(sc->proxy_x509_creds);
+        sc->proxy_x509_creds = NULL;
+        sc->proxy_x509_tl = NULL;
+    }
+    if (sc->anon_client_creds)
+    {
+        gnutls_anon_free_client_credentials(sc->anon_client_creds);
+        sc->anon_client_creds = NULL;
+    }
+    if (sc->proxy_priorities)
+    {
+        gnutls_priority_deinit(sc->proxy_priorities);
+        sc->proxy_priorities = NULL;
+    }
+    return APR_SUCCESS;
+}
+static apr_status_t load_proxy_x509_credentials(apr_pool_t *pconf,
+                                                apr_pool_t *ptemp,
+                                                server_rec *s)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
 …
         return APR_EGENERAL;
     apr_status_t ret = APR_SUCCESS;
+    apr_status_t ret = APR_EINIT;
     int err = GNUTLS_E_SUCCESS;
+    /* Cleanup function for the GnuTLS structures allocated below */
+    apr_pool_cleanup_register(pconf, sc, cleanup_proxy_x509_credentials,
+                              apr_pool_cleanup_null);
     /* Function pool, gets destroyed before exit. */
     apr_pool_t *pool;
     ret = apr_pool_create(&pool, s->process->pool);
+    ret = apr_pool_create(&pool, ptemp);
     if (ret != APR_SUCCESS)
+    {

src/gnutls_io.c

-                      rbaa4ed5
+                      rd2b32f1
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
 …
 #endif
+#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
+#include <inttypes.h>
+#endif
 /**
+ * @file
  * Describe how the GnuTLS Filter system works here
  *  - Basicly the same as what mod_ssl does with OpenSSL.
 …
 /**
  * Convert APR_EINTR or APR_EAGAIN to the match raw error code. Needed
  * to pass the status on to GnuTLS from the pull function.
+ * Convert `APR_EINTR` or `APR_EAGAIN` to the matching errno. Needed
+ * to pass the status on to GnuTLS from the pull and push functions.
  */
 #define EAI_APR_TO_RAW(s) (APR_STATUS_IS_EAGAIN(s) ? EAGAIN : EINTR)
 …
     case HTTP_BAD_REQUEST:
         /* log the situation */
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0,
+                     f->c->base_server,
+                     "GnuTLS handshake failed: HTTP spoken on HTTPS port; "
+                     "trying to send HTML error page");
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
+                      "GnuTLS handshake failed: HTTP spoken on HTTPS port; "
+                      "trying to send HTML error page");
         mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
             ap_get_module_config(f->c->base_server->module_config,
 …
     if (maxtries < 1) {
         ctxt->status = -1;
-#if USING_2_1_RECENT
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
                 "GnuTLS: Handshake Failed. Hit Maximum Attempts");
-#else
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0,
-                ctxt->c->base_server,
-                "GnuTLS: Handshake Failed. Hit Maximum Attempts");
-#endif
         if (ctxt->session) {
             gnutls_alert_send(ctxt->session, GNUTLS_AL_FATAL,
 …
                 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
             errcode = gnutls_alert_get(ctxt->session);
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0,
+                    ctxt->c->base_server,
+                    "GnuTLS: Handshake Alert (%d) '%s'.",
+                    errcode,
+                    gnutls_alert_get_name(errcode));
+            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
+                          "GnuTLS: Handshake Alert (%d) '%s'.",
+                          errcode, gnutls_alert_get_name(errcode));
+        }
         if (!gnutls_error_is_fatal(ret)) {
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0,
+                    ctxt->c->base_server,
+                    "GnuTLS: Non-Fatal Handshake Error: (%d) '%s'",
+                    ret, gnutls_strerror(ret));
+            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
+                          "GnuTLS: Non-Fatal Handshake Error: (%d) '%s'",
+                          ret, gnutls_strerror(ret));
             goto tryagain;
+        }
-#if USING_2_1_RECENT
         ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
                 "GnuTLS: Handshake Failed (%d) '%s'", ret,
                 gnutls_strerror(ret));
-#else
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0,
-                ctxt->c->base_server,
-                "GnuTLS: Handshake Failed (%d) '%s'", ret,
-                gnutls_strerror(ret));
-#endif
         ctxt->status = -1;
         if (ctxt->session) {
 …
     if (rv != 0) {
         /* the client did not want to rehandshake. goodbye */
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
+                ctxt->c->base_server,
+                "GnuTLS: Client Refused Rehandshake request.");
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                      "GnuTLS: Client Refused Rehandshake request.");
         return -1;
+    }
 …
  * Close the TLS session associated with the given connection
  * structure and free its resources
+ *
+ * @param ctxt the mod_gnutls session context
+ *
+ * @return a GnuTLS status code, hopefully `GNUTLS_E_SUCCESS`
  */
 static int mgs_bye(mgs_handle_t* ctxt)
 …
             return APR_ENOTIMPL;
+        }
+        /* Err. This is bad. readbytes *can* be a 64bit int! len.. is NOT */
+        if ((apr_size_t) readbytes < len) {
+        /* 'readbytes' and 'len' are of different integer types, which
+         * might have different lengths. Read sizes should be too
+         * small for 32 or 64 bit to matter, but we have to make
+         * sure. */
+#if defined(__GNUC__) && __GNUC__ < 5 && !defined(__clang__)
+        if ((apr_size_t) readbytes < len)
+        {
+            /* If readbytes is negative the function fails in the
+             * check above, but the compiler doesn't get that. */
+            if (__builtin_expect(imaxabs(readbytes) > SIZE_MAX, 0))
+            {
+                ap_log_cerror(APLOG_MARK, APLOG_CRIT, APR_EINVAL, ctxt->c,
+                              "%s: prevented buffer length overflow",
+                              __func__);
+                return APR_EINVAL;
+            }
             len = (apr_size_t) readbytes;
+        }
+#else
+        if ((apr_size_t) readbytes < len
+            && __builtin_add_overflow(readbytes, 0, &len))
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_CRIT, APR_EINVAL, ctxt->c,
+                          "%s: prevented buffer length overflow",
+                          __func__);
+            return APR_EINVAL;
+        }
+#endif
         status =
                 gnutls_io_input_read(ctxt, ctxt->input_buffer, &len);
 …
+}
+/**
+ * Try to flush the output bucket brigade.
+ *
+ * @param ctxt the mod_gnutls session context
+ *
+ * @return `1` on success, `-1` on failure.
+ */
 static ssize_t write_flush(mgs_handle_t * ctxt) {
     apr_bucket *e;
 …
                 if (ret < 0) {
                     /* error sending output */
+                    ap_log_error(APLOG_MARK,
+                            APLOG_INFO,
+                            ctxt->output_rc,
+                            ctxt->c->base_server,
+                            "GnuTLS: Error writing data."
+                            " (%d) '%s'",
+                            (int) ret,
+                            gnutls_strerror(ret));
+                    ap_log_cerror(APLOG_MARK, APLOG_INFO, ctxt->output_rc,
+                                  ctxt->c,
+                                  "GnuTLS: Error writing data. (%d) '%s'",
+                                  ret, gnutls_strerror(ret));
                     if (ctxt->output_rc == APR_SUCCESS) {
                         ctxt->output_rc =
 …
  * Pull function for GnuTLS
+ *
+ * Generic errnos used for gnutls_transport_set_errno:
+ * EIO: Unknown I/O error
+ * ECONNABORTED: Input BB does not exist (NULL)
+ *
+ * The reason we are not using APR_TO_OS_ERROR to map apr_status_t to
+ * errnos is this warning in the APR documentation: "If the statcode
+ * was not created by apr_get_os_error or APR_FROM_OS_ERROR, the
+ * results are undefined." We cannot know if this applies to any error
+ * we might encounter.
+ * Generic errnos used for `gnutls_transport_set_errno()`:
+ * * `EAGAIN`: no data available at the moment, try again (maybe later)
+ * * `EINTR`: read was interrupted, try again
+ * * `EIO`: Unknown I/O error
+ * * `ECONNABORTED`: Input BB does not exist (`NULL`)
+ *
+ * The reason we are not using `APR_TO_OS_ERROR` to map `apr_status_t`
+ * to errnos is this warning [in the APR documentation][apr-warn]:
+ *
+ * > If the statcode was not created by apr_get_os_error or
+ * > APR_FROM_OS_ERROR, the results are undefined.
+ *
+ * We cannot know if this applies to any error we might encounter.
+ *
+ * @param ptr GnuTLS session data pointer (the mod_gnutls context
+ * structure)
+ *
+ * @param buffer buffer for the read data
+ *
+ * @param len maximum number of bytes to read (must fit into the
+ * buffer)
+ *
+ * @return The number of bytes read (may be zero on EOF), or `-1` on
+ * error. Note that some errors may warrant another try (see above).
+ *
+ * [apr-warn]: https://apr.apache.org/docs/apr/1.4/group__apr__errno.html#ga2385cae04b04afbdcb65f1a45c4d8506 "Apache Portable Runtime: Error Codes"
  */
 ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
 …
  * Push function for GnuTLS
+ *
+ * In case of unexpected errors gnutls_transport_set_errno is called
+ * with EIO.  The reason we are not using APR_TO_OS_ERROR to map
+ * apr_status_t to errnos is this warning in the APR documentation:
+ * "If the statcode was not created by apr_get_os_error or
+ * APR_FROM_OS_ERROR, the results are undefined." We cannot know if
+ * this applies to any error we might encounter.
+ * `gnutls_transport_set_errno()` will be called with `EAGAIN` or
+ * `EINTR` on recoverable errors, or `EIO` in case of unexpected
+ * errors. See the description of mgs_transport_read() for details on
+ * possible error codes.
+ *
+ * @param ptr GnuTLS session data pointer (the mod_gnutls context
+ * structure)
+ *
+ * @param buffer buffer containing the data to send
+ *
+ * @param len length of the data
+ * buffer)
+ *
+ * @return The number of written bytes, or `-1` on error. Note that
+ * some errors may warrant another try (see above).
  */
 ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,

src/mod_gnutls.c

-                      rbaa4ed5
+                      rd2b32f1
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #ifdef APLOG_USE_MODULE
 …
                         APR_HOOK_REALLY_LAST);
     /* HTTP Scheme Hook */
-#if USING_2_1_RECENT
     ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
-#else
-    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
-#endif
     /* Default Port Hook */
     ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
 …
+/*
+ * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
+ * value means that HTTPS is in use.
+/**
+ * mod_rewrite calls this function to fill %{HTTPS}.
+ *
+ * @param c the connection to check
+ * @return non-zero value if HTTPS is in use, zero if not
  */
 int ssl_is_https(conn_rec *c)
 …
     "TLS Server SRP Parameters file"),
 #endif
     AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
+    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
     NULL,
     RSRC_CONF,
 …
     "The priorities to enable for proxy connections (ciphers, key exchange, "
     "MACs, compression)."),
+    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
+                 NULL, RSRC_CONF,
+                 "Enable OCSP stapling"),
+    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
+                 NULL, RSRC_CONF,
+                 "Check nonce in OCSP responses?"),
+    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
+                  NULL, RSRC_CONF,
+                  "Read OCSP response for stapling from this file instead "
+                  "of sending a request over HTTP (must be updated "
+                  "externally)"),
+    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "Cache timeout for OCSP responses"),
+    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "Wait this many seconds before retrying a failed OCSP "
+                  "request"),
+    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "Socket timeout for OCSP requests"),
+#ifdef __clang__
+    /* Workaround for this clang bug:
+     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
+    {},
+#else
     { NULL },
+#endif
 };

test/Makefile.am

-                      rbaa4ed5
+                      rd2b32f1
         test-24_pkcs11_cert.bash \
         test-25_Disable_TLS_1.0.bash \
+        test-26_redirect_HTTP_to_HTTPS.bash
+        test-26_redirect_HTTP_to_HTTPS.bash \
+        test-27_OCSP_server.bash
 TESTS = $(dist_check_SCRIPTS)
 …
 check_PROGRAMS = pgpcrc
 pgpcrc_SOURCES = pgpcrc.c
+# build OCSP database tool
+if ENABLE_OCSP_TEST
+check_PROGRAMS += gen_ocsp_index
+gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS)
+noinst_HEADERS = cert_helper.h
+endif
 # Identities in the miniature CA, server, and client environment for
 …
 pgp_identities = $(shared_identities)
 x509_only_identities = rogueclient
+if ENABLE_OCSP_TEST
+x509_only_identities += ocsp-responder
+endif
 x509_identities = $(shared_identities) $(x509_only_identities)
 identities = $(shared_identities) $(x509_only_identities)
 …
 cert_templates = authority.template.in client.template.in \
         imposter.template.in rogueca.template rogueclient.template.in \
         server.template.in
+        imposter.template.in ocsp-responder.template rogueca.template \
+        rogueclient.template.in server.template.in
 generated_templates = authority.template client.template \
         imposter.template rogueclient.template server.template
 …
 endif
+if ENABLE_OCSP_TEST
+# rules to build OCSP database
+check_DATA += authority/ocsp_index.txt
+MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
+authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
+        ./gen_ocsp_index server/x509.pem client/x509.pem > $@
+authority/ocsp_index.txt.attr: authority/secret.key
+        echo "unique_subject = no" > $@
+# build certificate chain file for server
+check_DATA += server/x509-chain.pem
+MOSTLYCLEANFILES += server/x509-chain.pem
+%/x509-chain.pem: %/x509.pem authority/x509.pem
+        cat $< authority/x509.pem > $@
+endif
 # SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
 …
 # Apache configuration and data files
+apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/secret.txt data/test.txt mime.types proxy_mods.conf
+apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
+        data/secret.txt data/test.txt mime.types ocsp_server.conf \
+        proxy_mods.conf
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
 …
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
+# port for OCSP server (Apache vhost if enabled)
+if ENABLE_OCSP_TEST
+OCSP_PORT ?= 9936
+endif
 # maximum time to wait for MSVA startup (milliseconds)
 TEST_MSVA_MAX_WAIT ?= 10000
 …
 endif
+if ENABLE_OCSP_TEST
+AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
+        export OCSP_PORT="$(OCSP_PORT)";
+endif
 if ENABLE_NETNS
 AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \

test/client.template.in

rbaa4ed5	rd2b32f1
5	5	signing_key
6	6	encryption_key
	7	### ocsp_uri=http://__HOSTNAME__:__OCSP_PORT__/ocsp/

test/runtests

-                      rbaa4ed5
+                      rd2b32f1
 fi
+# check OCSP server
+if [ -n "${CHECK_OCSP_SERVER}" ]; then
+    if [ -n "${OCSP_RESPONSE_FILE}" ]; then
+        store_ocsp="--outfile ${OCSP_RESPONSE_FILE}"
+    fi
+    echo "---- Testing OCSP server ----"
+    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
+    echo "---- OCSP test done ----"
+fi
 # PID file for sleep command (explanation below)
 sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"

test/server.template.in

rbaa4ed5	rd2b32f1
5	5	encryption_key
6	6	dns_name="__HOSTNAME__"
	7	### ocsp_uri=http://__HOSTNAME__:__OCSP_PORT__/ocsp/

test/test_ca.mk

-                      rbaa4ed5
+                      rd2b32f1
 %.template: $(srcdir)/%.template.in
         sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
+        if test -n "$(OCSP_PORT)"; then \
+                sed -i -e 's/^### ocsp/ocsp/' \
+                        -e s/__OCSP_PORT__/$(OCSP_PORT)/ $@; \
+        fi
 %.uid: $(srcdir)/%.uid.in
 …
 # Import and signing modify the shared keyring, which leads to race
+# conditions with parallel make. Locking avoids this problem.
+%/cert.pgp: %/minimal.pgp authority/gpg.conf
+# conditions with parallel make. Locking avoids this problem. Building
+# authority/minimal.pgp (instead of just authority/gpg.conf) before
+# */cert.pgp avoids having to lock for all */minimal.pgp, too.
+%/cert.pgp: %/minimal.pgp authority/minimal.pgp
         if test -r $@; then rm $@; fi
         GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
         GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
         GNUPGHOME=authority gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 # special cases for the authorities' root certs:

test/tests/Makefile.am

rbaa4ed5	rd2b32f1
26	26	24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
27	27	25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
28		26_redirect_HTTP_to_HTTPS/apache.conf
	28	26_redirect_HTTP_to_HTTPS/apache.conf \
	29	27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output

Context Navigation

Changeset d2b32f1 in mod_gnutls

Legend:

CHANGELOG

Makefile.am

README

configure.ac

doc/mod_gnutls_manual.mdwn

include/mod_gnutls.h.in

src/Makefile.am

src/gnutls_cache.c

src/gnutls_config.c

src/gnutls_hooks.c

src/gnutls_io.c

src/mod_gnutls.c

test/Makefile.am

test/client.template.in

test/runtests

test/server.template.in

test/test_ca.mk

test/tests/Makefile.am

Download in other formats: