Context Navigation

← Previous Changeset
Next Changeset →

Changeset ea9c699 in mod_gnutls

Timestamp:

Jan 28, 2019, 2:50:38 PM (8 weeks ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master

Children:

19e80a5

Parents:

8a264b0 (diff), 510764a (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

New upstream version 0.9.0

Files:

: 68 added
: 27 deleted
: 72 edited
: 2 moved

CHANGELOG (modified) (1 diff)
Makefile.am (modified) (2 diffs)
README (modified) (4 diffs)
aclocal.m4 (deleted)
config.in (deleted)
config/compile (deleted)
config/config.guess (deleted)
config/config.sub (deleted)
config/depcomp (deleted)
config/install-sh (deleted)
config/ltmain.sh (deleted)
config/missing (deleted)
config/test-driver (deleted)
configure (deleted)
configure.ac (modified) (14 diffs)
doc/Makefile.am (modified) (2 diffs)
doc/doxygen.conf.in (added)
doc/mod_gnutls_manual.mdwn (modified) (19 diffs)
doc/mod_gnutls_manual.yaml.in (added)
include/mod_gnutls.h.in (modified) (25 diffs)
m4/apache.m4 (modified) (2 diffs)
m4/apr_memcache.m4 (deleted)
m4/ax_prog_doxygen.m4 (added)
m4/libtool.m4 (deleted)
m4/ltoptions.m4 (deleted)
m4/ltsugar.m4 (deleted)
m4/ltversion.m4 (deleted)
m4/lt~obsolete.m4 (deleted)
src/Makefile.am (modified) (1 diff)
src/gnutls_cache.c (modified) (4 diffs)
src/gnutls_cache.h (added)
src/gnutls_config.c (modified) (14 diffs)
src/gnutls_config.h (added)
src/gnutls_hooks.c (modified) (43 diffs)
src/gnutls_io.c (modified) (24 diffs)
src/gnutls_ocsp.c (added)
src/gnutls_ocsp.h (added)
src/gnutls_proxy.c (added)
src/gnutls_proxy.h (added)
src/gnutls_sni.c (added)
src/gnutls_sni.h (added)
src/gnutls_util.c (added)
src/gnutls_util.h (added)
src/gnutls_watchdog.c (added)
src/gnutls_watchdog.h (added)
src/mod_gnutls.c (modified) (11 diffs)
test/Makefile.am (modified) (9 diffs)
test/README (modified) (2 diffs)
test/apache-conf/early_sni.conf.in (added)
test/apache-conf/netns.conf.in (modified) (1 diff)
test/apache_service.bash (added)
test/base_apache.conf (modified) (3 diffs)
test/cert_helper.c (added)
test/cert_helper.h (added)
test/client.template.in (modified) (1 diff)
test/common.bash (modified) (2 diffs)
test/data/dump.cgi (modified) (1 diff)
test/data/ocsp.cgi (added)
test/ffdhe3072.pem (added)
test/gen_ocsp_index.c (added)
test/imposter.uid.in (deleted)
test/ocsp-responder.template (added)
test/ocsp_server.conf.in (added)
test/pgpcrc.c (added)
test/proxy_backend.bash (deleted)
test/proxy_backend.conf.in (modified) (1 diff)
test/rogueca.uid.in (deleted)
test/runtests (modified) (11 diffs)
test/server-softhsm.conf (deleted)
test/server.template.in (modified) (2 diffs)
test/server.uid.in (deleted)
test/softhsm.bash (modified) (6 diffs)
test/test-14_basic_openpgp.bash (deleted)
test/test-14_resume_session.bash (added)
test/test-16_view-status.bash (modified) (1 diff)
test/test-19_TLS_reverse_proxy.bash (modified) (1 diff)
test/test-20_TLS_reverse_proxy_client_auth.bash (modified) (1 diff)
test/test-21_TLS_reverse_proxy_wrong_cert.bash (modified) (1 diff)
test/test-22_TLS_reverse_proxy_crl_revoke.bash (modified) (1 diff)
test/test-23_TLS_reverse_proxy_mismatched_priorities.bash (modified) (2 diffs)
test/test-24_pkcs11_cert.bash (modified) (2 diffs)
test/test-26_redirect_HTTP_to_HTTPS.bash (modified) (3 diffs)
test/test-27_OCSP_server.bash (added)
test/test-28_HTTP2_support.bash (added)
test/test-29_force_handshake_vhost.bash (added)
test/test-30_ip_based_vhosts.bash (added)
test/test-31_vhost_SNI_serveralias_match.bash (added)
test/test-32_vhost_SNI_serveralias_mismatch.bash (added)
test/test-33_vhost_SNI_serveralias_missinghost.bash (added)
test/test-34_TLS_reverse_proxy_h2.bash (added)
test/test_ca.mk (modified) (4 diffs)
test/tests/00_basic/apache.conf (modified) (2 diffs)
test/tests/01_serverwide_priorities/apache.conf (modified) (1 diff)
test/tests/02_cache_in_vhost/apache.conf (modified) (1 diff)
test/tests/03_cachetimeout_in_vhost/apache.conf (modified) (1 diff)
test/tests/03_cachetimeout_in_vhost/fail.server (deleted)
test/tests/03_cachetimeout_in_vhost/output (moved) (moved from test/tests/14_basic_openpgp/output)
test/tests/04_basic_nosni/apache.conf (modified) (1 diff)
test/tests/05_mismatched-priorities/apache.conf (modified) (1 diff)
test/tests/06_verify_sni_a/apache.conf (modified) (1 diff)
test/tests/07_verify_sni_b/apache.conf (modified) (1 diff)
test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf (modified) (1 diff)
test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf (modified) (1 diff)
test/tests/10_basic_client_verification/apache.conf (modified) (1 diff)
test/tests/11_basic_client_verification_fail/apache.conf (modified) (1 diff)
test/tests/12_cgi_variables/apache.conf (modified) (2 diffs)
test/tests/12_cgi_variables/output (modified) (1 diff)
test/tests/13_cgi_variables_no_client_cert/apache.conf (modified) (1 diff)
test/tests/13_cgi_variables_no_client_cert/output (modified) (1 diff)
test/tests/14_basic_openpgp/apache.conf (deleted)
test/tests/14_basic_openpgp/gnutls-cli.args (deleted)
test/tests/14_resume_session/apache.conf (added)
test/tests/14_resume_session/gnutls-cli.args (added)
test/tests/14_resume_session/input (moved) (moved from test/tests/14_basic_openpgp/input)
test/tests/14_resume_session/output (added)
test/tests/15_basic_msva/apache.conf (modified) (1 diff)
test/tests/16_view-status/apache.conf (modified) (1 diff)
test/tests/16_view-status/gnutls-cli.args (modified) (1 diff)
test/tests/16_view-status/input (modified) (1 diff)
test/tests/16_view-status/output (deleted)
test/tests/17_cgi_vars_large_cert/apache.conf (modified) (2 diffs)
test/tests/17_cgi_vars_large_cert/output (modified) (1 diff)
test/tests/18_client_verification_wrong_cert/apache.conf (modified) (1 diff)
test/tests/19_TLS_reverse_proxy/apache.conf (modified) (2 diffs)
test/tests/19_TLS_reverse_proxy/backend.conf (modified) (2 diffs)
test/tests/20_TLS_reverse_proxy_client_auth/apache.conf (modified) (1 diff)
test/tests/20_TLS_reverse_proxy_client_auth/backend.conf (modified) (1 diff)
test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf (modified) (1 diff)
test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf (modified) (1 diff)
test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf (modified) (1 diff)
test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf (modified) (1 diff)
test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf (modified) (2 diffs)
test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf (modified) (2 diffs)
test/tests/24_pkcs11_cert/apache.conf (modified) (1 diff)
test/tests/25_Disable_TLS_1.0/apache.conf (modified) (1 diff)
test/tests/25_Disable_TLS_1.0/gnutls-cli.args (modified) (1 diff)
test/tests/26_redirect_HTTP_to_HTTPS/apache.conf (modified) (1 diff)
test/tests/27_OCSP_server/apache.conf (added)
test/tests/27_OCSP_server/gnutls-cli.args (added)
test/tests/27_OCSP_server/input (added)
test/tests/27_OCSP_server/ocsp.conf (added)
test/tests/27_OCSP_server/output (added)
test/tests/28_HTTP2_support/apache.conf (added)
test/tests/29_force_handshake_vhost/apache.conf (added)
test/tests/29_force_handshake_vhost/gnutls-cli.args (added)
test/tests/29_force_handshake_vhost/input (added)
test/tests/29_force_handshake_vhost/output (added)
test/tests/30_ip_based_vhosts/apache.conf (added)
test/tests/30_ip_based_vhosts/gnutls-cli.args (added)
test/tests/30_ip_based_vhosts/input (added)
test/tests/30_ip_based_vhosts/output (added)
test/tests/31_vhost_SNI_serveralias_match/apache.conf (added)
test/tests/31_vhost_SNI_serveralias_match/gnutls-cli.args (added)
test/tests/31_vhost_SNI_serveralias_match/input (added)
test/tests/31_vhost_SNI_serveralias_match/output (added)
test/tests/32_vhost_SNI_serveralias_mismatch/apache.conf (added)
test/tests/32_vhost_SNI_serveralias_mismatch/gnutls-cli.args (added)
test/tests/32_vhost_SNI_serveralias_mismatch/input (added)
test/tests/32_vhost_SNI_serveralias_mismatch/output (added)
test/tests/33_vhost_SNI_serveralias_missinghost/apache.conf (added)
test/tests/33_vhost_SNI_serveralias_missinghost/gnutls-cli.args (added)
test/tests/33_vhost_SNI_serveralias_missinghost/input (added)
test/tests/33_vhost_SNI_serveralias_missinghost/output (added)
test/tests/34_TLS_reverse_proxy_h2/apache.conf (added)
test/tests/34_TLS_reverse_proxy_h2/backend.conf (added)
test/tests/34_TLS_reverse_proxy_h2/gnutls-cli.args (added)
test/tests/34_TLS_reverse_proxy_h2/input (added)
test/tests/34_TLS_reverse_proxy_h2/output (added)
test/tests/Makefile.am (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

CHANGELOG

-                      r8a264b0
+                      rea9c699
+**TODO:
+- Handle Unclean Shutdowns
+- make session cache use generic apache caches
+** Version 0.9.0 (2019-01-23)
+- Security fix: Refuse to send or receive any data over a failed TLS
+  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
+  previous behavior could lead to requests on reverse proxy TLS
+  connections being sent in plain text, and might have allowed faking
+  requests in plain text.
+- Security fix: Reject HTTP requests if they try to access virtual
+  hosts that do not match their TLS connections (commit
+  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
+  and Host header match. Thanks to Krista Karppinen for contributing
+  tests!
+- OCSP stapling is now enabled by default, if possible. OCSP responses
+  are updated regularly and stored in a cache separate from the
+  session cache. The OCSP cache uses mod_socache_shmcb by default
+  (if the module is loaded, no other configuration required).
+- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
+  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
+  and TLS 1.3 takes care of other reasons not to use tickets while
+  requiring them for session resumption. Note that there is currently
+  no mechanism to synchronize ticket keys across a cluster of servers.
+- The internal cache implementation has been replaced with
+  mod_socache. Users may need to update their GnuTLSCache settings and
+  load the appropriate socache modules.
+- ALPN (required for HTTP/2) now works correctly with different
+  "Protocols" directives between virtual hosts if building with GnuTLS
+.6.3 or newer. Older versions require identical "Protocols"
+  directives for overlapping virtual hosts. Thanks to Vincent Tamet
+  for the bug report!
+- ALPN is now supported for proxy connections, making HTTP/2 proxy
+  connections using mod_proxy_http2 possible.
+- GnuTLSPriorities is optional now and defaults to "NORMAL" if
+  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
+  enabled).
+- The manual is now built as a manual page, too, if pandoc is
+  available.
+- OpenPGP support has been removed.
+- Don't require pem2openpgp for tests when building without MSVA
+  support.
+** Version 0.8.4 (2018-04-13)
+- Support Apache HTTPD 2.4.33 API for proxy TLS connections
+- Support TLS for HTTP/2 connections with mod_http2
+- Fix configuration of OCSP stapling callback
+** Version 0.8.3 (2017-10-20)
+- Use GnuTLS' default DH parameters by default
+- Handle long Server Name Indication data and gracefully ignore
+  unknown SNI types
+- Send SNI for proxy connections
+- Deprecate OpenPGP support like GnuTLS did (will be removed
+  completely in a future release)
+- Do not announce session ticket support for proxy connections
+- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
+- Test suite: Simplify handling of proxy backend servers and OCSP
+  responders
+- Test suite: stability/compatibility fixes
+** Version 0.8.2 (2017-01-08)
+- Test suite: Ensure CRLF line ends in HTTP headers
+- Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
+** Version 0.8.1 (2016-12-20)
+- Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting
+** Version 0.8.0 (2016-12-11)
+- New: Support for OCSP stapling
+- Bugfix: Access to DBM cache is locked using global mutex
+  "gnutls-cache"
+- Bugfix: GnuTLSSessionTickets is now disabled by default as described
+  in the handbook
+- Fixed memory leak while checking proxy backend certificate
+- Fixed memory leaks in post_config
+- Safely delete session ticket key (requires GnuTLS >= 3.4)
+- Improved error handling in post_config hook
+- Various handbook updates
+- Internal API documentation can be generated using Doxygen
+- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
+  versions before 2.2, internal Lua bytecode structure last used in
+).
+- Test suite: Fixed locking for access to the PGP keyring of the test
+  certificate authority
+- mod_gnutls can be built using Clang (unsupported)
+** Version 0.7.5 (2016-05-28)
+- Sunil Mohan Adapa reported retry loops during session shutdown in
+  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
+  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
+  errno in mgs_transport_write() fixes the problem.
+- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
+  Debian package.
+- Build system improvements that allow VPATH builds and get "make
+  distcheck" to work
+** Version 0.7.4 (2016-04-13)
+- Support SoftHSM 2 for PKCS #11 testing
+- Increase verbosity of test logs
 ** Version 0.7.3 (2016-01-12)

Makefile.am

-                      r8a264b0
+                      rea9c699
 AUTOMAKE_OPTIONS = foreign dist-bzip2
+AUTOMAKE_OPTIONS = foreign dist-bzip2 no-dist-gzip
 EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 \
-                m4/apr_memcache.m4 \
                 m4/apache_test.m4  \
                 include/mod_gnutls.h.in \
 …
                 NOTICE LICENSE
+AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install" \
+        "SOFTHSM_LIB='$(SOFTHSM_LIB)'"
+DISTCLEANFILES = config.nice
+MOSTLYCLEANFILES = $(DX_CLEANFILES)
 SUBDIRS = src test doc
 ACLOCAL_AMFLAGS = -I m4
+@DX_RULES@

README

-                      r8a264b0
+                      rea9c699
 Lead Maintainer:
   Thomas Klute <thomas2.klute@uni-dortmund.de>
+  Fiona Klute <fiona.klute@gmx.de>
 Past maintainers and other contributors:
 …
 -------------
  * GnuTLS          >= 3.1.4 <http://www.gnutls.org/> (3.2.* or newer preferred)
  * Apache HTTPD    >= 2.2 <http://httpd.apache.org/> (2.4.* preferred)
  * autotools, GNU make, & gcc
+ * GnuTLS          >= 3.3 <https://www.gnutls.org/> (3.4 or newer recommended)
+ * Apache HTTPD    >= 2.4.17 <https://httpd.apache.org/>
+ * autotools, GNU make, & GCC
  * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)
  * pandoc   (for documentation, optional)
 …
 ------------
  tar xzvf mod_gnutls-version.tar.gz
+ tar xzvf mod_gnutls-version.tar.bz2
  cd mod_gnutls-version/
  autoreconf -fiv
 …
 correctly, please see test/README for details.
+If Doxygen is available, you can build internal API documentation
+using "make doxygen-doc". The documentation will be placed in
+doc/api/.
 Configuration
 -------------

configure.ac

-                      r8a264b0
+                      rea9c699
+dnl
+AC_INIT(mod_gnutls, 0.7.3)
+AC_INIT(mod_gnutls, 0.9.0)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
 …
 AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
+LT_INIT([disable-static])
 AC_SUBST(MOD_GNUTLS_VERSION)
 …
 AC_CONFIG_MACRO_DIR([m4])
 AP_VERSION=2.2.0
+AP_VERSION=2.4.17
 CHECK_APACHE(,$AP_VERSION,
     :,:,
 …
+)
+PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.1.4])
+dnl Maybe use the binaries for tests, too?
+AC_ARG_WITH([gnutls-dev],
+        AS_HELP_STRING([--with-gnutls-dev=DIR],
+                [Use GnuTLS libraries from a development (git) tree. Use \
+                this if you want to test mod_gnutls with the latest \
+                GnuTLS code.]),
+        [
+                AS_IF([test -d "${with_gnutls_dev}" ],
+                [
+                        LIBGNUTLS_CFLAGS="-I${with_gnutls_dev}/lib/includes"
+                        LIBGNUTLS_LIBS="-lgnutls -L${with_gnutls_dev}/lib/.libs -R${with_gnutls_dev}/lib/.libs"
+                ],
+                [AC_MSG_ERROR([--with-gnutls-dev=DIR requires a directory!])])
+        ], [])
+PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`
+AC_ARG_ENABLE(vpath-install,
+       AS_HELP_STRING([--enable-vpath-install],
+               [Modify the Apache module directory provided by apxs to \
+               follow --prefix, if necessary. Most users will not want this, \
+               but it is required for VPATH builds including "make \
+               distcheck".]),
+       vpath_install=$enableval, vpath_install=no)
+AM_CONDITIONAL([ENABLE_VPATH_INSTALL], [test "$vpath_install" = "yes"])
 AC_ARG_ENABLE(srp,
 …
 AC_SEARCH_LIBS([gnutls_srp_server_get_username], [gnutls], [], [use_srp="no"])
 SRP_CFLAGS=""
+GNUTLS_FEAT_CFLAGS=""
 if test "$use_srp" != "no"; then
+        SRP_CFLAGS="-DENABLE_SRP=1"
+fi
+        GNUTLS_FEAT_CFLAGS="-DENABLE_SRP=1"
+fi
+# check if the available GnuTLS library supports raw extension parsing
+AC_SEARCH_LIBS([gnutls_ext_raw_parse], [gnutls], [early_sni="yes"],
+        [early_sni="no"])
+if test "$early_sni" != "no"; then
+        ENABLE_EARLY_SNI=1
+        # This is for the test server configuration
+        EXPECT_EARLY_SNI="Define EXPECT_EARLY_SNI"
+else
+        ENABLE_EARLY_SNI=0
+        EXPECT_EARLY_SNI=""
+fi
+AC_SUBST(ENABLE_EARLY_SNI)
+AC_SUBST(EXPECT_EARLY_SNI)
+AM_SUBST_NOTMAKE(EXPECT_EARLY_SNI)
 AC_ARG_ENABLE(strict,
 …
 STRICT_CFLAGS=""
 if test "$use_strict" != "no"; then
         STRICT_CFLAGS="-Wall -Werror -Wextra"
+        STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations"
 fi
 …
         AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
               [flock_works="yes"], [flock_works="no"])
+        AC_MSG_RESULT([$flock_works])
+        # Old versions of flock do not support --verbose. They fail
+        # without executing the command but still return 0. Check for
+        # this behavior by testing if the rm command was executed.
+        AC_MSG_CHECKING([whether ${FLOCK} supports --verbose])
+        testfile="$(mktemp)"
+        AS_IF([${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \
+                        >&AS_MESSAGE_LOG_FD 2>&1; test ! -e "${testfile}"],
+              [flock_verbose="yes"; FLOCK="${FLOCK} --verbose"],
+              [flock_verbose="no"; rm "${testfile}"])
+        AC_MSG_RESULT([$flock_verbose])
         rm "${lockfile}"
-        AC_MSG_RESULT([$flock_works])
       ],
       [flock_works="no"])
 …
                [test "$enable_flock" = "no" || test "$flock_works" = "no"])
+# openssl is needed as the responder for OCSP tests
+AC_PATH_PROG([OPENSSL], [openssl], [no])
+# OCSP checks with gnutls-cli from GnuTLS versions before 3.3.23,
+# 3.4.12, or 3.5.1 (on the respective 3.x branch) fail if intermediate
+# CAs cannot be status checked, even if there are no intermediate CAs
+# like in the mod_gnutls test suite where end entity certificates are
+# directly issued by a root CA.
+AC_MSG_CHECKING([for gnutls-cli version supporting OCSP for EE under root CA])
+AC_PREPROC_IFELSE(
+        [AC_LANG_SOURCE([[#include "gnutls/gnutls.h"
+                        #if GNUTLS_VERSION_NUMBER < 0x030317
+                        #error
+                        #elif GNUTLS_VERSION_NUMBER >= 0x030400 && GNUTLS_VERSION_NUMBER < 0x03040c
+                        #error
+                        #elif GNUTLS_VERSION_NUMBER == 0x030500
+                        #error
+                        #endif
+                        ]])],
+        [gnutls_ocsp_ok="yes"],
+        [gnutls_ocsp_ok="no"],
+)
+AC_MSG_RESULT([$gnutls_ocsp_ok])
+AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no" && test "${gnutls_ocsp_ok}" = "yes"])
 dnl Enable test namespaces? Default is "yes".
 AC_ARG_ENABLE(test-namespaces,
+        AS_HELP_STRING([--disable-test-namespaces], [Disable use of network \
+        namespaces to run tests in parallel (some architectures might not \
+        support it)]),
+        AS_HELP_STRING([--disable-test-namespaces], [Disable use of \
+        namespaces for tests (limits parallelization)]),
         [use_netns=$enableval], [use_netns=yes])
 # Check if "unshare" is available and has permission to create network
 # and user namespaces
+# Check if "unshare" is available and has permission to create
+# network, IPC, and user namespaces
 AC_PATH_PROG([UNSHARE], [unshare], [no])
 AS_IF([test "${UNSHARE}" != "no"],
+      [
         AC_MSG_CHECKING([for permission to create network and user namespaces])
         AS_IF([${UNSHARE} --net -r /bin/sh -c \
+        AC_MSG_CHECKING([for permission to use namespaces])
+        AS_IF([${UNSHARE} --net --ipc -r /bin/sh -c \
                 "ip link set up lo && ip addr show" >&AS_MESSAGE_LOG_FD 2>&1],
               [unshare_works="yes"], [unshare_works="no"])
 …
 # and test specific PID files if using namespaces, defaults otherwise.
 AS_IF([test "$use_netns" = "yes"],
       [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
       [MUTEX_TYPE="default"; PID_AFFIX=""])
 AC_SUBST(MUTEX_TYPE)
+      [MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"],
+      [MUTEX_CONF=""; PID_AFFIX=""])
+AC_SUBST(MUTEX_CONF)
 AC_SUBST(PID_AFFIX)
 AM_SUBST_NOTMAKE(MUTEX_TYPE)
+AM_SUBST_NOTMAKE(MUTEX_CONF)
 AM_SUBST_NOTMAKE(PID_AFFIX)
 …
 AC_MSG_RESULT($use_msva)
-have_apr_memcache=0
-CHECK_APR_MEMCACHE([have_apr_memcache=1], [have_apr_memcache=0])
-AC_SUBST(have_apr_memcache)
 # Building documentation requires pandoc, which in turn needs pdflatex
 # to build PDF output.
 …
         AC_PATH_PROG([PDFLATEX], [pdflatex], [no])
         if test "$PDFLATEX" != "no"; then
                 build_doc=yes
+                build_doc="html, manual page, pdf"
         else
                 build_doc="html only"
+                build_doc="html, manual page"
         fi
 else
 …
 AC_PATH_PROGS([HTTP_CLI], [curl wget], [no])
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${GNUTLS_FEAT_CFLAGS} ${MSVA_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
+MODULE_LIBS="${LIBGNUTLS_LIBS}"
+AC_PATH_PROGS([SOFTHSM], [softhsm2-util softhsm], [no])
+if test "${SOFTHSM}" != "no"; then
+        softhsm_version=$(${SOFTHSM} --version)
+        AS_VERSION_COMPARE([$(${SOFTHSM} --version)], [2.0.0],
+                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [1])],
+                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])],
+                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])])
+fi
+AM_CONDITIONAL([HAVE_SOFTHSM], [test "${SOFTHSM}" != "no"])
+AM_CONDITIONAL([HAVE_SOFTHSM1], [test "${SOFTHSM_MAJOR_VERSION}" = "1"])
+AM_CONDITIONAL([HAVE_SOFTHSM2], [test "${SOFTHSM_MAJOR_VERSION}" = "2"])
 AC_SUBST(MODULE_CFLAGS)
 …
                       "[::1] 127.0.0.1". Note that IPv6 addresses must be \
                       enclosed in square brackets.])
+AM_SUBST_NOTMAKE(TEST_IP)
+: ${TEST_LOCK_WAIT:="30"}
+: ${TEST_QUERY_TIMEOUT:="30"}
+AC_ARG_VAR([TEST_LOCK_WAIT], [Timeout in seconds to acquire locks for \
+                             Apache instances in the test suite, or the \
+                             previous instance to remove its PID file if \
+                             flock is not used. Default is 30.])
+AC_ARG_VAR([TEST_QUERY_TIMEOUT], [Timeout in seconds for HTTPS requests \
+                                 sent using gnutls-cli in the test suite. \
+                                 Default is 30.])
+dnl Allow user to set SoftHSM PKCS #11 module
+AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
+                          use. By default the test suite will search common \
+                          library paths.])
 dnl Build list of "Listen" statements for Apache
 LISTEN_LIST="# Listen addresses for the test servers"
+LISTEN_LIST="@%:@ Listen addresses for the test servers"
 for i in ${TEST_IP}; do
         LISTEN_LIST="${LISTEN_LIST}
 Listen ${i}:\${TEST_PORT}"
 done
+dnl HTTP ports, only active if TEST_HTTP_PORT is defined
+# Available extra ports, tests can "Define" variables of the listed
+# names in their apache.conf to enable them.
+for j in TEST_HTTP_PORT; do
 LISTEN_LIST="${LISTEN_LIST}
 <IfDefine TEST_HTTP_PORT>"
+<IfDefine ${j}>"
 for i in ${TEST_IP}; do
         LISTEN_LIST="${LISTEN_LIST}
         Listen ${i}:\${TEST_HTTP_PORT}"
+        Listen ${i}:\${${j}}"
 done
 LISTEN_LIST="${LISTEN_LIST}
 </IfDefine>"
+done
 AC_SUBST(LISTEN_LIST)
 AM_SUBST_NOTMAKE(LISTEN_LIST)
+DX_DOXYGEN_FEATURE(ON)
+DX_DOT_FEATURE(ON)
+DX_HTML_FEATURE(ON)
+DX_MAN_FEATURE(OFF)
+DX_RTF_FEATURE(OFF)
+DX_XML_FEATURE(OFF)
+DX_PDF_FEATURE(OFF)
+DX_PS_FEATURE(OFF)
+DX_INIT_DOXYGEN([mod_gnutls], [doc/doxygen.conf], [doc/api])
 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
+                        doc/Makefile include/mod_gnutls.h \
+                        test/proxy_backend.conf \
+                        doc/Makefile doc/doxygen.conf include/mod_gnutls.h \
+                        test/proxy_backend.conf test/ocsp_server.conf \
+                        test/apache-conf/early_sni.conf \
                         test/apache-conf/listen.conf \
                         test/apache-conf/netns.conf])
 …
 echo "   * Apache Modules directory:    ${AP_LIBEXECDIR}"
 echo "   * GnuTLS Library version:      ${LIBGNUTLS_VERSION}"
+echo "   * CFLAGS for GnuTLS:           ${LIBGNUTLS_CFLAGS}"
+echo "   * LDFLAGS for GnuTLS:  ${LIBGNUTLS_LIBS}"
 echo "   * SRP Authentication:  ${use_srp}"
 echo "   * MSVA Client Verification:    ${use_msva}"
+echo "   * Early SNI:                   ${early_sni}"
 echo "   * Build documentation: ${build_doc}"
 echo ""

doc/Makefile.am

-                      r8a264b0
+                      rea9c699
 EXTRA_DIST = mod_gnutls_manual.mdwn
+EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in
 if USE_PANDOC
 html_DATA = mod_gnutls_manual.html
+man3_MANS = mod_gnutls_manual.man
 if USE_PDFLATEX
 # pandoc && pdflatex
 …
 endif
 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
+MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man3_MANS)
+# pdf_DATA will be empty if pandoc isn't available
+$(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
+%.yaml: %.yaml.in
+        sed -e s/__MOD_GNUTLS_VERSION__/@MOD_GNUTLS_VERSION@/ < $< > $@
+if USE_PANDOC
+%.man: %.mdwn %.yaml
+        $(PANDOC) --standalone -f markdown -t man -o $@ $^
+if USE_PDFLATEX
+%.pdf: %.mdwn
+        $(PANDOC) --toc -f markdown -o $@ $<
+endif
+endif
+%.html: %.mdwn
 if USE_PANDOC
         $(PANDOC) --toc --standalone -f markdown -o $@ $<

doc/mod_gnutls_manual.mdwn

-                      r8a264b0
+                      rea9c699
 `mod_gnutls` is a module for the Apache web server that provides HTTPS
 (HTTP over Transport Layer Security (TLS) or the older Secure Sockets
+Layer (SSL)) using the GnuTLS library.  More information about the
 module can be found at [the project's website](https://mod.gnutls.org/).
+(HTTP over Transport Layer Security (TLS)) using the GnuTLS library.
+More information about the module can be found at
+[the project's website](https://mod.gnutls.org/).
 * * * * *
 …
     LoadModule gnutls_module modules/mod_gnutls.so
+Note on HTTP/2
+--------------
+HTTP/2 is supported with `mod_gnutls`. However, full support requires
+compiling with GnuTLS 3.6.3 or later. When using lower versions all
+virtual hosts using `mod_gnutls` with overlapping IP/port combinations
+need to use identical `Protocols` directives for protocol negotiation
+to work correctly.
+The technical reason is that using HTTP/2 requires ALPN (Application
+Layer Protocol Negotiation) to be set up before GnuTLS parses the TLS
+ClientHello message, but earlier hooks cannot use
+`gnutls_server_name_get()` to retrieve SNI (Server Name Indication)
+data for virtual host selection. Because of this `mod_gnutls` provides
+its own early SNI parser, which requires the `gnutls_ext_raw_parse()`
+function introduced in GnuTLS 3.6.3 to retrieve the extension data in
+a *pre* client hello hook.
+During build `./configure` will report "Early SNI: yes" if your
+version of GnuTLS is new enough.
 * * * * *
 …
 ========================
+`GnuTLSEnable`
+--------------
+General Options
+---------------
+### GnuTLSEnable
 Enable GnuTLS for this virtual host
 …
 This directive enables SSL/TLS Encryption for a Virtual Host.
+`GnuTLSCache`
+-------------
+Configure SSL Session Cache
+    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]
+### GnuTLSCache
+Configure TLS Session Cache
+    GnuTLSCache (shmcb|dbm|memcache|...|none)[:PARAMETERS]
 Default: `GnuTLSCache none`\
 Context: server config
+This directive configures the SSL Session Cache for `mod_gnutls`.
+This could be shared between machines of different architectures.
+`dbm` (Requires Berkeley DBM)
+:   Uses the default Berkeley DB backend of APR DBM to cache SSL
+    Sessions results.  The argument is a relative or absolute path to
+    be used as the DBM Cache file. This is compatible with most
+    operating systems, but needs the Apache Runtime to be compiled
+    with Berkeley DBM support.
+`gdbm`
+:   Uses the GDBM backend of APR DBM to cache SSL Sessions results.
+    The argument is a relative or absolute path to be used as the DBM Cache
+    file.  This is the recommended option.
+This directive configures the TLS Session Cache for `mod_gnutls`. This
+could be shared between machines of different architectures. If the
+selected cache implementation is not thread-safe, access is serialized
+using the `gnutls-cache` mutex.
+Which cache implementations are available depends on your Apache
+installation and configuration, `mod_gnutls` can use any socache
+provider. In general you will need to load a `mod_socache_PROVIDER`
+module. Common options are described below, please check the Apache
+HTTPD documentation for details on available providers and their
+configuration.
+`shmcb`
+:   Uses a shared memory segment. This is a high performance local
+    cache. The parameter is a relative or absolute path to be used if
+    the local shared memory implementation requires one, followed by
+    the cache size in bytes enclosed in parentheses.
+    Example: `shmcb:cache/gnutls_cache(65536)`
+`dbm`
+:   Uses a DBM cache file. The parameter is a relative or absolute
+    path to be used as the DBM cache file.
+    Example: `dbm:cache/gnutls_cache`
 `memcache`
 :   Uses a memcached server to cache the SSL Session.
     The argument is a space separated list of servers. If no port
+    number is supplied, the default of 11211 is used.  This can be
     used to share a session cache between all servers in a cluster.
+:   Uses memcached server(s) to cache TLS session data. The parameter
+    is a comma separated list of servers (host:port). This can be used
+    to share a session cache between all servers in a cluster.
+    Example: `memcache:memcache.example.com:12345,memcache2.example.com:12345`
 `none`
+:   Turns off all caching of SSL Sessions.
+    This can significantly reduce the performance of `mod_gnutls` since
+    even followup connections by a client must renegotiate parameters
+    instead of reusing old ones.  This is the default, since it
+    requires no configuration.
+`GnuTLSCacheTimeout`
+--------------------
+Timeout for SSL Session Cache expiration
+:   Turns off all caching of TLS sessions.
+    This can significantly reduce the performance of `mod_gnutls`
+    since even followup connections by a client must renegotiate
+    parameters instead of reusing old ones. This is the default, since
+    it requires no configuration.
+    Session tickets are an alternative to using a session cache,
+    please see `GnuTLSSessionTickets`. Note that for TLS 1.3 GnuTLS
+    supports resumption using session tickets only as of version
+.6.4.
+### GnuTLSCacheTimeout
+Timeout for TLS Session Cache expiration
     GnuTLSCacheTimeout SECONDS
 Default: `GnuTLSCacheTimeout 300`\
+Context: server config
+Sets the timeout for SSL Session Cache entries expiration.  This
+directive is valid even if Session Tickets are used, and indicates the
+expiration time of the ticket in seconds.
+`GnuTLSSessionTickets`
+----------------------
+Context: server config, virtual host
+Sets the expiration timeout for cached TLS sessions.
+### GnuTLSSessionTickets
 Enable Session Tickets for the server
 …
     GnuTLSSessionTickets [on|off]
+Default: `off`\
+Context: server config, virtual host
+To avoid storing data for TLS session resumption it is allowed to
+provide client with a ticket, to use on return.  Use for servers with
+limited storage, and don't combine with GnuTLSCache. For a pool of
+servers this option is not recommended since the tickets are unique
+for the issuing server only.
+`GnuTLSCertificateFile`
+-----------------------
+Set to the PEM Encoded Server Certificate
+    GnuTLSCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a PEM-encoded X.509 certificate to
+use as this Server's End Entity (EE) certificate. If you need to supply
+certificates for intermediate Certificate Authorities (iCAs), they
+should be listed in sequence in the file, from EE to the iCA closest to
+the root CA. Optionally, you can also include the root CA's certificate
+as the last certificate in the list.
+Since version 0.7 this can be a PKCS #11 URL.
+`GnuTLSKeyFile`
+---------------
+Set to the PEM Encoded Server Private Key
+    GnuTLSKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. Set
+`GnuTLSPIN` if the key file is encrypted.
+Since version 0.7 this can be a PKCS #11 URL.
+**Security Warning:**\
+This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+`GnuTLSPGPCertificateFile`
+--------------------------
+Set to a base64 Encoded Server OpenPGP Certificate
+    GnuTLSPGPCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a base64 Encoded OpenPGP
+Certificate to use as this Server's Certificate.
+`GnuTLSPGPKeyFile`
+------------------
+Set to the Server OpenPGP Secret Key
+    GnuTLSPGPKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. This key
+cannot currently be password protected.
+**Security Warning:**\
+ This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+`GnuTLSClientVerify`
+--------------------
+Enable Client Certificate Verification\
+Default: `on` with GnuTLS 3.6.4 and newer, `off` otherwise\
+Context: server config, virtual host
+Session tickets allow TLS session resumption without session state
+stored on the server, using encrypted tickets provided to the clients
+instead. Tickets are an alternative to using a session cache, and
+currently the only session resumption mechanism in TLS 1.3. For a pool
+of servers this option is not recommended since the tickets are bound
+to the issuing server only.
+If this option is set in the global configuration, virtual hosts
+without a `GnuTLSSessionTickets` setting will use the global setting.
+*Warning:* With GnuTLS version before 3.6.4 the master key that
+protects the tickets is generated only on server start, and there is
+no mechanism to roll over the key. If session tickets are enabled it
+is highly recommended to restart the server regularly to protect past
+sessions in case an attacker gains access to server memory. GnuTLS
+.6.4 introduced an automatic TOTP-based key rollover, so this warning
+does not apply any more and tickets are enabled by default.
+### GnuTLSClientVerify
+Enable Client Certificate Verification
     GnuTLSClientVerify [ignore|request|require]
 …
 Context: server config, virtual host, directory, .htaccess
 This directive controls the use of SSL Client Certificate
+This directive controls the use of TLS Client Certificate
 Authentication. If used in the .htaccess context, it can force TLS
 re-negotiation.
 `ignore`
 :   `mod_gnutls` will ignore the contents of any SSL Client Certificates
+:   `mod_gnutls` will ignore the contents of any TLS Client Certificates
     sent. It will not request that the client sends a certificate.
 …
     environment variable will only be set to `SUCCESS`.
+`GnuTLSClientCAFile`
+--------------------
+Set to the PEM Encoded Certificate Authority Certificate
+### GnuTLSDHFile
+Use the provided PKCS \#3 encoded Diffie-Hellman parameters
+    GnuTLSDHFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+By default, `mod_gnutls` uses the DH parameters included with GnuTLS
+corresponding to the security level of the configured private keys if
+compiled with GnuTLS 3.5.6 or newer, and the ffdhe2048 DH group as
+defined in RFC 7919, Appendix A.1 otherwise.
+If you need to use different DH parameters, you can provide a PEM file
+containing them in PKCS \#3 encoding using this option. Please see the
+"[Parameter
+generation](https://gnutls.org/manual/html_node/Parameter-generation.html)"
+section of the GnuTLS documentation for a short discussion of the
+security implications.
+### GnuTLSPriorities
+Set the allowed protocol versions, ciphers, key exchange algorithms,
+MACs and compression methods
+    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
+Default: `NORMAL`\
+Context: server config, virtual host
+Sets the allowed protocol version(s), ciphers, key exchange methods,
+message authentication codes, and other TLS parameters for the server.
+The parameter is a GnuTLS priority string as described in the
+[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
+For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`.
+### GnuTLSP11Module
+Load this PKCS #11 module.
+    GnuTLSP11Module PATH_TO_LIBRARY
+Default: *none*\
+Context: server config
+Load this PKCS #11 provider module, instead of the system
+defaults. May occur multiple times to load multiple modules.
+### GnuTLSPIN
+Set the PIN to be used to access encrypted key files or PKCS #11 objects.
+    GnuTLSPIN XXXXXX
+Default: *none*\
+Context: server config, virtual host
+Takes a string to be used as a PIN for the protected objects in
+a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
+or openssl encrypted keys.
+### GnuTLSSRKPIN
+Set the SRK PIN to be used to access the TPM.
+    GnuTLSSRKPIN XXXXXX
+Default: *none*\
+Context: server config, virtual host
+Takes a string to be used as a PIN for the protected objects in
+the TPM module.
+### GnuTLSExportCertificates
+Export the PEM encoded certificates to CGIs
+    GnuTLSExportCertificates [off|on|SIZE]
+Default: `off`\
+Context: server config, virtual host
+This directive configures exporting the full certificates of the
+server and the client to CGI scripts via the `SSL_SERVER_CERT` and
+`SSL_CLIENT_CERT` environment variables. The exported certificates
+will be PEM-encoded, limited to the given size. The type of the
+certificate will be exported in `SSL_SERVER_CERT_TYPE` and
+`SSL_CLIENT_CERT_TYPE`.
+SIZE should be an integer number of bytes, or may be written with a
+trailing `K` to indicate kibibytes.  `off` means the same thing as
+`0`, in which case the certificates will not be exported to the
+environment. `on` is an alias for `16K`. If a non-zero size is
+specified for this directive, but a certificate is too large to fit in
+the buffer, then the corresponding environment variable will contain
+the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
+With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
+environment variables to the CGI process as `mod_ssl`.
+X.509 Certificate Authentication
+--------------------------------
+### GnuTLSCertificateFile
+Set the PEM encoded server certificate or certificate chain
+    GnuTLSCertificateFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+FILEPATH is an absolute or relative path to a file containing the
+PEM-encoded X.509 certificate to use as this Server's End Entity (EE)
+certificate, and optionally those of the issuing Certificate
+Authorities (CAs). If the file contains multiple certificates they
+should be ordered from EE to the CA closest to the root CA (or the
+root CA itself).
+Including at least the immediately issuing CA is highly recommended
+because it is required for OCSP stapling.
+Since version 0.7 this can be a PKCS #11 URL instead of a file.
+On Linux and other Unix-like systems you can create the file with a
+command like this (assuming "CA 1" issued the server certificate and
+has been issued by "Root CA" itself):
+        $ cat server.pem ca-1.pem root-ca.pem >server-chain.pem
+### GnuTLSKeyFile
+Set to the PEM Encoded Server Private Key
+    GnuTLSKeyFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to the Server Private Key. Set
+`GnuTLSPIN` if the key file is encrypted.
+Since version 0.7 this can be a PKCS #11 URL.
+**Security Warning:**\
+This private key must be protected. It is read while Apache is still
+running as root, and does not need to be readable by the nobody or
+apache user.
+### GnuTLSClientCAFile
+Set the PEM encoded Certificate Authority list to use for X.509 base
+client authentication
     GnuTLSClientCAFile FILEPATH
 …
 This file may contain a list of trusted authorities.
+`GnuTLSPGPKeyringFile`
+----------------------
+Set to a base64 Encoded key ring
+    GnuTLSPGPKeyringFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a base64 Encoded Certificate
+list (key ring) to use as a means of verification of Client
+Certificates.  This file should contain a list of trusted signers.
+`GnuTLSDHFile`
+--------------
+Set to the PKCS \#3 encoded Diffie Hellman parameters
+    GnuTLSDHFile FILEPATH
+Default: *none*\
+Context: server config, virtual host
+Takes an absolute or relative path to a PKCS \#3 encoded DH
+parameters.Those are used when the DHE key exchange method is enabled.
+You can generate this file using `certtool --generate-dh-params --bits
+`.  If not set `mod_gnutls` will use the included parameters.
+`GnuTLSSRPPasswdFile`
+---------------------
+SRP Authentication
+------------------
+### GnuTLSSRPPasswdFile
 Set to the SRP password file for SRP ciphersuites
 …
 dependency to the SRP parameters.
+`GnuTLSSRPPasswdConfFile`
+-------------------------
+### GnuTLSSRPPasswdConfFile
 Set to the SRP password.conf file for SRP ciphersuites
     GnuTLSSRPPasswdConfFile FILEPATH
+    GnuTLSSRPPasswdConfFile FILEPATH
 Default: *none*\
 …
 (the verifiers depends on these parameters).
+`GnuTLSPriorities`
+------------------
+Set the allowed ciphers, key exchange algorithms, MACs and compression
+methods
+    GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
+Default: *none*\
+Context: server config, virtual host
+Takes a semi-colon separated list of ciphers, key exchange methods
+Message authentication codes and compression methods to enable.
+The allowed keywords are specified in the `gnutls_priority_init()`
+function of GnuTLS.
+Full details can be found at [the GnuTLS documentation](http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings).
+In brief you can specify a set of ciphersuites from the choices:
+`NONE`
+:   The empty list.
+`EXPORT`
+:   A list with all the supported cipher combinations
+    including the `EXPORT` strength algorithms.
+`PERFORMANCE`
+:   A list with all the secure cipher combinations sorted in terms of performance.
+`NORMAL`
+:   A list with all the secure cipher combinations sorted
+    with respect to security margin (subjective term).
+`SECURE`
+:   A list with all the secure cipher combinations including
+    the 256-bit ciphers sorted with respect to security margin.
+Additionally you can add or remove algorithms using the `+` and `!`
+prefixes respectively.
+For example, in order to disable the `ARCFOUR` cipher from the `NORMAL` set
+you can use the string `NORMAL:!ARCFOUR-128`
+Other options such as the protocol version and the compression method
+can be specified using the `VERS-` and `COMP-` prefixes.
+So in order to remove or add a specific TLS version from the `NORMAL`
+set, use `NORMAL:!VERS-SSL3.0`.  And to enable zlib compression use
+`NORMAL:+COMP-DEFLATE`.
+However it is recommended not to add compression at this level.  With
+the `NONE` set, in order to be usable, you have to specify a complete
+set of combinations of protocol versions, cipher algorithms
+(`AES-128-CBC`), key exchange algorithms (`RSA`), message
+authentication codes (`SHA1`) and compression methods (`COMP-NULL`).
+You can find a list of all supported Ciphers, Versions, MACs, etc.  by
+running `gnutls-cli --list`.
+The special keyword `%COMPAT` will disable some security features such
+as protection against statistical attacks to ciphertext data in order to
+achieve maximum compatibility (some broken mobile clients need this).
+`GnuTLSP11Module`
+------------------
+Load this PKCS #11 module.
+    GnuTLSP11Module PATH_TO_LIBRARY
+Default: *none*\
+Context: server config
+Load this PKCS #11 provider module, instead of the system
+defaults. May occur multiple times to load multiple modules.
+`GnuTLSPIN`
+------------------
+Set the PIN to be used to access encrypted key files or PKCS #11 objects.
+    GnuTLSPIN XXXXXX
+Default: *none*\
+Context: server config, virtual host
+Takes a string to be used as a PIN for the protected objects in
+a security module, or as a key to be used to decrypt PKCS #8, PKCS #12,
+or openssl encrypted keys.
+`GnuTLSSRKPIN`
+------------------
+Set the SRK PIN to be used to unlaccess the TPM.
+    GnuTLSSRKPIN XXXXXX
+Default: *none*\
+Context: server config, virtual host
+Takes a string to be used as a PIN for the protected objects in
+the TPM module.
+`GnuTLSExportCertificates`
+--------------------------
+Export the PEM encoded certificates to CGIs
+    GnuTLSExportCertificates [off|on|SIZE]
+Default: `off`\
+Context: server config, virtual host
+This directive configures exporting the full certificates of the
+server and the client to CGI scripts via the `SSL_SERVER_CERT` and
+`SSL_CLIENT_CERT` environment variables. The exported certificates
+will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
+size given.  The type of the certificate will be exported in
+`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
+SIZE should be an integer number of bytes, or may be written with a
+trailing `K` to indicate kibibytes.  `off` means the same thing as
+`0`, in which case the certificates will not be exported to the
+environment.  `on` is an alias for `16K`.  If a non-zero size is
+specified for this directive, but a certificate is too large to fit in
+the buffer, then the corresponding environment variable will contain
+the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
+With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
+environment variables to the CGI process as `mod_ssl`.
+`GnuTLSProxyEngine`
+--------------
+TLS Proxy Configuration
+-----------------------
+### GnuTLSProxyEngine
 Enable TLS proxy connections for this virtual host
 …
 host.
+`GnuTLSProxyCAFile`
+--------------------
+### GnuTLSProxyCAFile
 Set to the PEM encoded Certificate Authority Certificate
 …
 always fail due to lack of a trusted CA.
+`GnuTLSProxyCRLFile`
+--------------------
+### GnuTLSProxyCRLFile
 Set to the PEM encoded Certificate Revocation List
 …
 back end servers. The file may contain a list of CRLs.
+`GnuTLSProxyCertificateFile`
+-----------------------
+### GnuTLSProxyCertificateFile
 Set to the PEM encoded Client Certificate
 …
 provide the matching private key.
+`GnuTLSProxyKeyFile`
+---------------
+### GnuTLSProxyKeyFile
 Set to the PEM encoded Private Key
 …
 apache user.
+`GnuTLSProxyPriorities`
+------------------
+### GnuTLSProxyPriorities
 Set the allowed ciphers, key exchange algorithms, MACs and compression
 …
     GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
+Default: *none*\
+Context: server config, virtual host
+This option is used to set the allowed ciphers, key exchange
+algorithms, MACs and compression methods for proxy connections. It
+takes the same parameters as `GnuTLSPriorities`. Required if
+`GnuTLSProxyEngine` is `On`.
+Default: `NORMAL`\
+Context: server config, virtual host
+Sets the allowed protocol version(s), ciphers, key exchange methods,
+message authentication codes, and other TLS parameters for TLS proxy
+connections. Like for `GnuTLSPriorities` the parameter is a GnuTLS
+priority string as described in the
+[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
+OCSP Stapling Configuration
+---------------------------
+### GnuTLSOCSPStapling
+Enable OCSP stapling for this (virtual) host.
+    GnuTLSOCSPStapling [On|Off]
+Default: *on* if requirements are met, *off* otherwise\
+Context: server config, virtual host
+OCSP stapling, formally known as the TLS Certificate Status Request
+extension, allows the server to provide the client with a cached OCSP
+response for its certificate during the handshake. With OCSP stapling
+the client does not have to send an OCSP request to the issuer CA to
+check the certificate status, which offers privacy and performance
+advantages, and avoids the security issue of how to handle errors that
+prevent the client from getting a response.
+Using OCSP stapling has a few requirements:
+* `GnuTLSCertificateFile` must contain the issuer CA certificate in
+  addition to the server certificate so responses can be verified.
+* The server certificate must either contain an OCSP access URI using
+  HTTP, or `GnuTLSOCSPResponseFile` must be set.
+* Caching OCSP responses requires a cache to store responses. If
+  `mod_socache_shmcb` is loaded `mod_gnutls` can set up the cache
+  automatically without additional configuration, see
+  `GnuTLSOCSPCache`.
+Stapling is activated by default if these requirements are met. If
+`GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are
+an error.
+OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
+### GnuTLSOCSPCache
+OCSP stapling cache configuration
+        GnuTLSOCSPCache (shmcb|memcache|...|none)[:PARAMETERS]
+Default: `shmcb:gnutls_ocsp_cache`\
+Context: server config
+This directive configures the OCSP stapling cache, and uses the same
+syntax as `GnuTLSOCSPCache`. Please check there for details.
+The default should be reasonable for most servers and requires
+[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
+to be loaded. Servers with very many virtual hosts may need to
+increase the default cache size via the parameters string, those with
+few virtual hosts and memory constraints could save a few KB by reducing
+it. Note that `mod_socache_dbm` has a size constraint for entries that
+is generally too small for OCSP responses.
+If the selected cache implementation is not thread-safe, access
+is serialized using the `gnutls-ocsp-cache` mutex.
+### GnuTLSOCSPAutoRefresh
+Regularly refresh cached OCSP response independent of TLS handshakes?
+    GnuTLSOCSPAutoRefresh [On|Off]
+Default: *on*\
+Context: server config, virtual host
+By default `mod_gnutls` will regularly refresh the cached OCSP
+response for hosts that have OCSP stapling enabled, regardless of
+whether it is used. This has advantages over updating the OCSP
+response only if a TLS handshake needs it:
+* Updating the cached response before it expires can hide short
+  unavailability of the OCSP responder, if a repeated request is
+  successful before the cache expires (see below).
+* Handshakes are not slowed down by fetching responses.
+The interval to the next request is determined as follows: After a
+successful OCSP request the next one is scheduled for a random period
+between `GnuTLSOCSPFuzzTime` and half of it before
+`GnuTLSOCSPCacheTimeout` expires. For example, if the cache timeout is
+seconds and the fuzz time 600 seconds, the next request will be
+sent after 3000 to 3300 seconds. If the validity period of the
+response expires before then, the selected interval is halved until it
+is smaller than the time until expiry. If an OCSP request fails, it is
+retried after `GnuTLSOCSPFailureTimeout`.
+Regularly updating the OCSP cache requires `mod_watchdog`,
+`mod_gnutls` will fall back to updating the OCSP cache during
+handshakes if `mod_watchdog` is not available or this option is set to
+`Off`.
+### GnuTLSOCSPCheckNonce
+Check the nonce in OCSP responses?
+    GnuTLSOCSPCheckNonce [On|Off]
+Default: *on*\
+Context: server config, virtual host
+Some CAs refuse to send nonces in their OCSP responses, probably
+because that way they can cache responses. If your CA is one of them
+you can use this flag to disable nonce verification. Note that
+`mod_gnutls` will _send_ a nonce either way.
+### GnuTLSOCSPResponseFile
+Read the OCSP response for stapling from this file instead of sending
+a request over HTTP.
+    GnuTLSOCSPResponseFile /path/to/response.der
+Default: *empty*\
+Context: server config, virtual host
+The response file must be updated externally, for example using a cron
+job. This option is an alternative to the server fetching OCSP
+responses over HTTP. Reasons to use this option include:
+* Performing OCSP requests separate from the web server, to prevent slow
+  responses from stalling handshakes.
+* The issuer CA uses an access method other than HTTP.
+* Testing
+You can use a GnuTLS `ocsptool` command like the following to create
+and update the response file:
+    ocsptool --ask --nonce --load-issuer ca_cert.pem \
+        --load-cert server_cert.pem --outfile ocsp_response.der
+Additional error checking is highly recommended. You may have to
+remove the `--nonce` option if the OCSP responder of your CA does not
+support nonces.
+### GnuTLSOCSPCacheTimeout
+Cache timeout for OCSP responses
+    GnuTLSOCSPCacheTimeout SECONDS
+Default: *3600*\
+Context: server config, virtual host
+Cached OCSP responses will be refreshed after the configured number of
+seconds. How long this timeout should reasonably be depends on your
+CA, namely how often its OCSP responder is updated and how long
+responses are valid. Note that a response will not be cached beyond
+its lifetime as denoted in the `nextUpdate` field of the response.
+### GnuTLSOCSPFailureTimeout
+Wait this many seconds before retrying a failed OCSP request.
+    GnuTLSOCSPFailureTimeout SECONDS
+Default: *300*\
+Context: server config, virtual host
+Retries of failed OCSP requests must be rate limited to avoid
+overloading both the server using mod_gnutls and the CA's OCSP
+responder. A shorter value increases the load on both sides, a longer
+one means that stapling will remain disabled for longer after a failed
+request.
+### GnuTLSOCSPFuzzTime
+Update the cached OCSP response up to this time before the cache expires
+    GnuTLSOCSPFuzzTime SECONDS
+Default: *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*\
+Context: server config, virtual host
+Refreshing the cached response before it expires hides short OCSP
+responder unavailability. See `GnuTLSOCSPAutoRefresh` for how this
+value is used, using at least twice `GnuTLSOCSPFailureTimeout` is
+recommended.
+### GnuTLSOCSPSocketTimeout
+Timeout for TCP sockets used to send OCSP requests
+    GnuTLSOCSPFailureTimeout SECONDS
+Default: *6*\
+Context: server config, virtual host
+Stalled OCSP requests must time out after a while to prevent stalling
+the server too much. However, if the timeout is too short requests may
+fail with a slow OCSP responder or high latency network
+connection. This parameter allows you to adjust the timeout if
+necessary.
+Note that this is not an upper limit for the completion of an OCSP
+request but a socket timeout. The connection will time out if there is
+no activity (successful send or receive) at all for the configured
+time.
 * * * * *
 …
 ======================
+Simple Standard SSL Example
+---------------------------
+The following is an example of standard SSL Hosting, using one IP
+Addresses for each virtual host
+Minimal Example
+---------------
+A minimal server configuration using mod_gnutls might look like this
+(other than the default setup):
+     # Load mod_gnutls into Apache.
+     LoadModule gnutls_module modules/mod_gnutls.so
+         Listen 192.0.2.1:443
+     <VirtualHost _default_:443>
+             # Standard virtual host stuff
+         DocumentRoot /www/site1.example.com/html
+         ServerName site1.example.com:443
+                 # Minimal mod_gnutls setup: enable, and set credentials
+                 GnuTLSEnable on
+         GnuTLSCertificateFile conf/tls/site1_cert_chain.pem
+         GnuTLSKeyFile conf/tls/site1_key.pem
+     </VirtualHost>
+This gives you an HTTPS site using the GnuTLS `NORMAL` set of
+ciphersuites. OCSP stapling will be enabled if the server certificate
+contains an OCSP URI, `conf/tls/site1_cert_chain.pem` contains the
+issuer certificate in addition to the server's, and
+[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
+is loaded. With Gnutls 3.6.4 or newer session tickets are enabled,
+too.
+Virtual Hosts with Server Name Indication
+-----------------------------------------
+`mod_gnutls` supports Server Name Indication (SNI), as specified in
+[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3).
+This allows hosting many TLS websites with a single IP address, you
+can just add virtual host configurations. All recent browsers support
+this standard. Here is an example using SNI:
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
+     GnuTLSCache gdbm /var/cache/www-tls-cache
      GnuTLSCacheTimeout 500
+     # With normal SSL Websites, you need one IP Address per-site.
      Listen 1.2.3.1:443
      Listen 1.2.3.2:443
      Listen 1.2.3.3:443
      Listen 1.2.3.4:443
+     <VirtualHost 1.2.3.1:443>
      GnuTLSEnable on
      GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL
      DocumentRoot /www/site1.example.com/html
      ServerName site1.example.com:443
      GnuTLSCertificateFile conf/ssl/site1.crt
      GnuTLSKeyFile conf/ss/site1.key
+         # This example server uses session tickets, no cache.
+     GnuTLSSessionTickets on
+     # SNI allows hosting multiple sites using one IP address. This
+     # could also be 'Listen *:443', just like '*:80' is common for
+     # non-HTTPS
+     Listen 198.51.100.1:443
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         DocumentRoot /www/site1.example.com/html
+         ServerName site1.example.com:443
+         GnuTLSCertificateFile conf/tls/site1.crt
+         GnuTLSKeyFile conf/tls/site1.key
      </VirtualHost>
+     <VirtualHost 1.2.3.2:443>
+     # This virtual host enables SRP authentication
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL:+SRP
+     DocumentRoot /www/site2.example.com/html
+     ServerName site2.example.com:443
+     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2
+     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         DocumentRoot /www/site2.example.com/html
+         ServerName site2.example.com:443
+         GnuTLSCertificateFile conf/tls/site2.crt
+         GnuTLSKeyFile conf/tls/site2.key
      </VirtualHost>
+     <VirtualHost 1.2.3.3:443>
+     # This server enables SRP, OpenPGP and X.509 authentication.
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
+     DocumentRoot /www/site3.example.com/html
+     ServerName site3.example.com:443
+     GnuTLSCertificateFile conf/ssl/site3.crt
+     GnuTLSKeyFile conf/ss/site3.key
+     GnuTLSClientVerify ignore
+     GnuTLSPGPCertificateFile conf/ss/site3.pub.asc
+     GnuTLSPGPKeyFile conf/ss/site3.sec.asc
+     GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3
+     GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf
+     <VirtualHost _default_:443>
+         GnuTLSEnable on
+         DocumentRoot /www/site3.example.com/html
+         ServerName site3.example.com:443
+         GnuTLSCertificateFile conf/tls/site3.crt
+         GnuTLSKeyFile conf/tls/site3.key
+         # Enable HTTP/2. With GnuTLS before version 3.6.3 all
+         # virtual hosts in this example would have to share this
+         # directive to work correctly.
+         Protocols h2 http/1.1
      </VirtualHost>
+     <VirtualHost 1.2.3.4:443>
+     GnuTLSEnable on
+     # %COMPAT disables some security features to enable maximum compatibility with clients.
+     GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT
+     DocumentRoot /www/site4.example.com/html
+     ServerName site4.example.com:443
+     GnuTLSCertificateFile conf/ssl/site4.crt
+     GnuTLSKeyFile conf/ss/site4.key
+     </VirtualHost>
+Server Name Indication Example
+------------------------------
+`mod_gnutls` can also use "Server Name Indication", as specified in
+RFC 3546.  This allows hosting many SSL Websites, with a Single IP
+Address.  Currently all the recent browsers support this
+standard. Here is an example, using SNI: ` `
+Virtual Hosts without SNI
+-------------------------
+If you need to support clients that do not use SNI, you have to use a
+unique IP address/port combination for each virtual host. In this
+example all virtual hosts use the default port for HTTPS (443) and
+different IP addresses.
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
+     # With normal SSL Websites, you need one IP Address per-site.
+     Listen 1.2.3.1:443
+     # This could also be 'Listen *:443',
+     # just like '*:80' is common for non-https
+     # No caching. Enable session tickets. Timeout is still used for
+     # ticket expiration.
+     GnuTLSCacheTimeout 600
+     # This tells apache, that for this IP/Port combination, we want to use
+     # Name Based Virtual Hosting. In the case of Server Name Indication,
+     # it lets mod_gnutls pick the correct Server Certificate.
+     NameVirtualHost 1.2.3.1:443
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSSessionTickets on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site1.example.com/html
+     ServerName site1.example.com:443
+     GnuTLSCertificateFile conf/ssl/site1.crt
+     GnuTLSKeyFile conf/ss/site1.key
+         # This example server uses a session cache.
+     GnuTLSCache dbm:/var/cache/www-tls-cache
+     GnuTLSCacheTimeout 1200
+     # Without SNI you need one IP Address per site. The IP addresses
+         # are listed separately for clarity, you could also use "Listen 443"
+         # to use that port on all available IP addresses.
+     Listen 192.0.2.1:443
+     Listen 192.0.2.2:443
+     Listen 192.0.2.3:443
+     <VirtualHost 192.0.2.1:443>
+         GnuTLSEnable on
+         GnuTLSPriorities SECURE128
+         DocumentRoot /www/site1.example.com/html
+         ServerName site1.example.com:443
+         GnuTLSCertificateFile conf/tls/site1.crt
+         GnuTLSKeyFile conf/tls/site1.key
      </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site2.example.com/html
+     ServerName site2.example.com:443
+     GnuTLSCertificateFile conf/ssl/site2.crt
+     GnuTLSKeyFile conf/ss/site2.key
+     <VirtualHost 192.0.2.2:443>
+         # This virtual host enables SRP authentication
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL:+SRP
+         DocumentRoot /www/site2.example.com/html
+         ServerName site2.example.com:443
+         GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
+         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
      </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site3.example.com/html
+     ServerName site3.example.com:443
+     GnuTLSCertificateFile conf/ssl/site3.crt
+     GnuTLSKeyFile conf/ss/site3.key
+     <VirtualHost 192.0.2.3:443>
+         # This server enables SRP and X.509 authentication.
+         GnuTLSEnable on
+         GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
+         DocumentRoot /www/site3.example.com/html
+         ServerName site3.example.com:443
+         GnuTLSCertificateFile conf/tls/site3.crt
+         GnuTLSKeyFile conf/tls/site3.key
+         GnuTLSClientVerify ignore
+         GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
+         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
      </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     GnuTLSPriorities NORMAL
+     DocumentRoot /www/site4.example.com/html
+     ServerName site4.example.com:443
+     GnuTLSCertificateFile conf/ssl/site4.crt
+     GnuTLSKeyFile conf/ss/site4.key
+     </VirtualHost>
+* * * * *
+Performance Issues
+==================
+`mod_gnutls` by default uses conservative settings for the server.
+You can fine tune the configuration to reduce the load on a busy
+server.  The following examples do exactly this:
+OCSP Stapling Example
+---------------------
+This is an example with a customized OCSP stapling configuration. What
+is a resonable cache timeout varies depending on how long your CA's
+OCSP responses are valid. Some CAs provide responses that are valid
+for multiple days, in that case timeout and fuzz time could be
+significantly larger.
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
+     # Using 4 memcache servers to distribute the SSL Session Cache.
+     GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com"
+     GnuTLSCacheTimeout 600
+     Listen 1.2.3.1:443
+     NameVirtualHost 1.2.3.1:443
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     # Here we disable the Perfect forward secrecy ciphersuites (DHE)
+     # and disallow AES-256 since AES-128 is just fine.
+     GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
+     DocumentRoot /www/site1.example.com/html
+     ServerName site1.example.com:443
+     GnuTLSCertificateFile conf/ssl/site1.crt
+     GnuTLSKeyFile conf/ss/site1.key
+     </VirtualHost>
+     <VirtualHost 1.2.3.1:443>
+     GnuTLSEnable on
+     # Here we instead of disabling the DHE ciphersuites we use
+     # Diffie Hellman parameters of smaller size than the default (2048 bits).
+     # Using small numbers from 768 to 1024 bits should be ok once they are
+     # regenerated every few hours.
+     # Use "certtool --generate-dh-params --bits 1024" to get those
+     GnuTLSDHFile /etc/apache2/dh.params
+     GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
+     DocumentRoot /www/site2.example.com/html
+     ServerName site2.example.com:443
+     GnuTLSCertificateFile conf/ssl/site2.crt
+     GnuTLSKeyFile conf/ss/site2.key
+         # A 64K cache is more than enough for one response
+     GnuTLSOCSPCache shmcb:ocsp_cache(65536)
+     Listen 192.0.2.1:443
+     <VirtualHost _default_:443>
+         GnuTLSEnable           On
+         DocumentRoot           /www/site1.example.com/html
+         ServerName             site1.example.com:443
+         GnuTLSCertificateFile  conf/tls/site1_cert_chain.pem
+         GnuTLSKeyFile          conf/tls/site1_key.pem
+         GnuTLSOCSPStapling     On
+                 # The cached OCSP response is kept for up to 4 hours,
+                 # with updates scheduled every 3 to 3.5 hours.
+         GnuTLSOCSPCacheTimeout 21600
+                 GnuTLSOCSPFuzzTime     3600
      </VirtualHost>
 …
 -----------------
+The SSL or TLS cipher suite name
+The distinguished name of the issuer of the client's certificate in
+RFC2253 format.
 `SSL_CLIENT_S_AN%`
 …
 ------------------
 The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
 (see the `GnuTLSExportCertificates` directive).
+The PEM-encoded (X.509) server certificate (see the
+`GnuTLSExportCertificates` directive).
 `SSL_SERVER_CERT_TYPE`
 ----------------------
 The certificate type can be `X.509` or `OPENPGP`.
+The certificate type will be `X.509`.
 `SSL_CLIENT_CERT`
 ------------------
 The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
 (see the `GnuTLSExportCertificates` directive).
+PEM-encoded (X.509) client certificate, if any (see the
+`GnuTLSExportCertificates` directive).
 `SSL_CLIENT_CERT_TYPE`
 ----------------------
 The certificate type can be `X.509` or `OPENPGP`.
+The certificate type will be `X.509`, if any.

include/mod_gnutls.h.in

-                      r8a264b0
+                      rea9c699
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
 …
 #include "http_log.h"
 #include "apr_buckets.h"
-#include "apr_strings.h"
 #include "apr_tables.h"
 #include "ap_release.h"
-#include "apr_fnmatch.h"
 /* GnuTLS Library Headers */
 #include <gnutls/gnutls.h>
-#if GNUTLS_VERSION_MAJOR == 2
-#include <gnutls/extra.h>
-#endif
 #include <gnutls/abstract.h>
-#include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
 #ifndef __mod_gnutls_h_inc
 #define __mod_gnutls_h_inc
-#define HAVE_APR_MEMCACHE    @have_apr_memcache@
 extern module AP_MODULE_DECLARE_DATA gnutls_module;
 …
 #define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
+/*
+ * Recent Versions of 2.1 renamed several hooks.
+ * This allows us to compile on 2.0.xx
+ */
+#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
+        #define USING_2_1_RECENT 1
+#else
+        #define USING_2_1_RECENT 0
+/* Compile support for early SNI? */
+#if @ENABLE_EARLY_SNI@ == 1
+#define ENABLE_EARLY_SNI
 #endif
+/* mod_gnutls Cache Types */
+typedef enum {
+        /* No Cache */
+    mgs_cache_none,
+        /* Use Old Berkley DB */
+    mgs_cache_dbm,
+        /* Use Gnu's version of Berkley DB */
+    mgs_cache_gdbm,
+#if HAVE_APR_MEMCACHE
+        /* Use Memcache */
+    mgs_cache_memcache,
+#endif
+    mgs_cache_unset
+} mgs_cache_e;
+/** Name of the module-wide singleton watchdog */
+#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
+/* Internal cache data, defined in gnutls_cache.h */
+typedef struct mgs_cache* mgs_cache_t;
 typedef enum {
 …
 typedef struct {
     int client_verify_mode;
-    const char* lua_bytecode;
-    apr_size_t lua_bytecode_len;
 } mgs_dirconf_rec;
+/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
+typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
 /* The maximum number of certificates to send in a chain */
 #define MAX_CHAIN_SIZE 8
+/* The maximum number of SANs to read from a x509 certificate */
+#define MAX_CERT_SAN 5
+/* Server Configuration Record */
+/** Server Configuration Record */
 typedef struct {
+    /** Server this mod_gnutls configuration is for */
+    server_rec* s;
     /* --- Configuration values --- */
         /* Is the module enabled? */
 …
         /* Is mod_proxy enabled? */
     int proxy_enabled;
-        /* A Plain HTTP request */
-    int non_ssl_request;
     /* List of PKCS #11 provider modules to load, only valid in the
 …
     char *x509_ca_file;
-    char *pgp_cert_file;
-    char *pgp_key_file;
-    char *pgp_ring_file;
     char *dh_file;
 …
         /* Cache timeout value */
     int cache_timeout;
+        /* Chose Cache Type */
+    mgs_cache_e cache_type;
+    const char* cache_config;
+    /* Enable cache */
+    unsigned char cache_enable : 2;
+    /* Internal cache data */
+    mgs_cache_t cache;
         /* GnuTLS uses Session Tickets */
     int tickets;
-    /* --- Things initialized at _child_init --- */
     /* x509 Certificate Structure */
 …
      * connections */
     gnutls_anon_client_credentials_t anon_client_creds;
-        /* Current x509 Certificate CN [Common Name] */
-    char* cert_cn;
-        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
-    char* cert_san[MAX_CERT_SAN];
         /* An x509 Certificate Chain */
     gnutls_pcert_st *certs_x509_chain;
 …
         /* Current x509 Certificate Private Key */
     gnutls_privkey_t privkey_x509;
-        /* OpenPGP Certificate */
-    gnutls_pcert_st *cert_pgp;
-    gnutls_openpgp_crt_t *cert_crt_pgp;
-        /* OpenPGP Certificate Private Key */
-    gnutls_privkey_t privkey_pgp;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-    /* Internal structure for the OpenPGP private key, used in the
-     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
-     * frees memory that is still needed. DO NOT USE for any other
-     * purpose. */
-    gnutls_openpgp_privkey_t privkey_pgp_internal;
-#endif
     /* Export full certificates to CGI environment: */
 …
         /* A list of CA Certificates */
     gnutls_x509_crt_t *ca_list;
-        /* OpenPGP Key Ring */
-    gnutls_openpgp_keyring_t pgp_list;
         /* CA Certificate list size */
     unsigned int ca_list_size;
 …
         /* Client Certificate Verification Method */
     mgs_client_verification_method_e client_verify_method;
+        /* Last Cache timestamp */
+    apr_time_t last_cache_check;
+    /* Enable OCSP stapling */
+    unsigned char ocsp_staple;
+    /* Automatically refresh cached OCSP response? */
+    unsigned char ocsp_auto_refresh;
+    /* Check nonce in OCSP responses? */
+    unsigned char ocsp_check_nonce;
+    /* Read OCSP response for stapling from this file instead of
+     * sending a request over HTTP */
+    char *ocsp_response_file;
+    /* Internal OCSP data for this server */
+    mgs_ocsp_data_t ocsp;
+    /* Mutex to prevent parallel OCSP requests */
+    apr_global_mutex_t *ocsp_mutex;
+    /* Internal OCSP cache data */
+    mgs_cache_t ocsp_cache;
+    /* Cache timeout for OCSP responses. Note that the nextUpdate
+     * field of the response takes precedence if shorter. */
+    apr_interval_time_t ocsp_cache_time;
+    /* If an OCSP request fails wait this long before trying again. */
+    apr_interval_time_t ocsp_failure_timeout;
+    /** How long before a cached OCSP response expires should it be
+     * updated? During configuration parsing this is set to the
+     * maximum, during post configuration the value will be set to
+     * half that. After each update the interval to for the next one
+     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
+     * RANDOM` with `0 <= RANDOM <= 1`. */
+    apr_interval_time_t ocsp_fuzz_time;
+    /* Socket timeout for OCSP requests */
+    apr_interval_time_t ocsp_socket_timeout;
+    /** This module's singleton watchdog, used for async OCSP cache
+     * updates. */
+    struct mgs_watchdog *singleton_wd;
 } mgs_srvconf_rec;
 …
 } mgs_char_buffer_t;
 /* GnuTLS Handle */
+/** GnuTLS connection handle */
 typedef struct {
         /* Server configuration record */
 …
         /* GnuTLS Session handle */
     gnutls_session_t session;
+    /** Server name requested via SNI if any, or NULL. */
+    const char *sni_name;
         /* module input status */
     apr_status_t input_rc;
 …
         /* Output length */
     apr_size_t output_length;
+        /* General Status */
+    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
+     * error (checks use status < 0 or status > 0) */
     int status;
 } mgs_handle_t;
 …
 apr_status_t apr_signal_block(int signum);
  /* Proxy Support */
+/* Proxy Support */
 /* An optional function which returns non-zero if the given connection
 is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+/* The ssl_var_lookup() optional function retrieves SSL environment
+ * variables. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+                        (apr_pool_t *, server_rec *,
+                         conn_rec *, request_rec *,
+                         char *));
 /* The ssl_proxy_enable() and ssl_engine_disable() optional functions
  * are used by mod_proxy to enable use of SSL for outgoing
 …
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+                                              ap_conf_vector_t *,
+                                              int proxy, int enable));
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
 int ssl_is_https(conn_rec *c);
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
+                     request_rec *r, char *var);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
 …
 /**
- * Init the Cache after Configuration is done
- */
-int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
-                                 mgs_srvconf_rec *sc);
-/**
- * Init the Cache inside each Process
- */
-int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
-                                mgs_srvconf_rec *sc);
-/**
- * Setup the Session Caching
- */
-int mgs_cache_session_init(mgs_handle_t *ctxt);
-#define GNUTLS_SESSION_ID_STRING_LEN \
-    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
-/**
  * Perform any reinitialization required in PKCS #11
  */
 int mgs_pkcs11_reinit(server_rec * s);
-/**
- * Convert a SSL Session ID into a Null Terminated Hex Encoded String
- * @param id raw SSL Session ID
- * @param idlen Length of the raw Session ID
- * @param str Location to store the Hex Encoded String
- * @param strsize The Maximum Length that can be stored in str
- */
-char *mgs_session_id2sz(unsigned char *id, int idlen,
-                                char *str, int strsize);
-/**
- * Convert a time_t into a Null Terminated String
- * @param t time_t time
- * @param str Location to store the Hex Encoded String
- * @param strsize The Maximum Length that can be stored in str
- */
-char *mgs_time2sz(time_t t, char *str, int strsize);
 …
 /* Loads all files set in the configuration */
+int mgs_load_files(apr_pool_t * p, server_rec * s);
+int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
+    __attribute__((nonnull));
 const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
 …
                              const char *arg);
+const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
+                                        const char *arg);
+const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
+                             const char *arg);
+const char *mgs_set_cache(cmd_parms * parms, void *dummy,
+                          const char *type, const char* arg);
+const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
+                                  const char *arg);
+const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
 …
 const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
-                                   const char *arg);
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                    const char *arg);
 …
                             const int arg);
-const char *mgs_set_require_section(cmd_parms *cmd,
-                                    void *mconfig, const char *arg);
 void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
 void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
 …
 void *mgs_config_dir_create(apr_pool_t *p, char *dir);
-const char *mgs_set_require_bytecode(cmd_parms *cmd,
-                                    void *mconfig, const char *arg);
-mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
 const char *mgs_store_cred_path(cmd_parms * parms,
 …
                         apr_pool_t * plog, apr_pool_t * ptemp);
+int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
+                         apr_pool_t * ptemp,
+                         server_rec * base_server);
+int mgs_hook_post_config(apr_pool_t *pconf,
+                         apr_pool_t *plog,
+                         apr_pool_t *ptemp,
+                         server_rec *base_server);
 void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
 …
 int mgs_hook_pre_connection(conn_rec * c, void *csd);
+int mgs_hook_process_connection(conn_rec* c);
 int mgs_hook_fixups(request_rec *r);
+/** Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r);
 int mgs_hook_authz(request_rec *r);

m4/apache.m4

-                      r8a264b0
+                      rea9c699
         AP_PREFIX="`$APXS_BIN -q prefix 2>/dev/null`"
+        AP_EXEC_PREFIX="`$APXS_BIN -q exec_prefix 2>/dev/null`"
         AP_BINDIR="`$APXS_BIN -q bindir 2>/dev/null`"
 …
         AC_SUBST(AP_DEFS)
         AC_SUBST(AP_PREFIX)
+        AC_SUBST(AP_EXEC_PREFIX)
         AC_SUBST(AP_CFLAGS)
         AC_SUBST(AP_CPPFLAGS)

src/Makefile.am

-                      r8a264b0
+                      rea9c699
+CLEANFILES = .libs/libmod_gnutls *~
+# installation directory for Apache modules
+if ENABLE_VPATH_INSTALL
+apmodpkglibdir = $(subst ${AP_EXEC_PREFIX},${prefix},${AP_LIBEXECDIR})
+else
+apmodpkglibdir = ${AP_LIBEXECDIR}
+endif
+libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
+libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
+libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR} -module -avoid-version ${MODULE_LIBS}
+mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \
+        gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_proxy.c \
+        gnutls_sni.c gnutls_util.c gnutls_watchdog.c
+mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
+mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
+noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h \
+        gnutls_proxy.h gnutls_sni.h gnutls_util.h gnutls_watchdog.h
+lib_LTLIBRARIES = libmod_gnutls.la
+make_so: $(lib_LTLIBRARIES)
+        @if test ! -L mod_gnutls.so ; then ln -s .libs/libmod_gnutls.so mod_gnutls.so ; fi
+clean:
+        rm -f mod_gnutls.so
+        rm -f *.o *.lo *.la
+        rm -fr .libs
+install: make_so
+        @${APXS_BIN} -i -n gnutls mod_gnutls.so
+        @echo ""
+        @echo ""
+        @echo "***********************************************"
+        @echo ""
+        @echo "  Please read the manual in the doc/ directory for"
+        @echo "  details on the configuration of this module"
+        @echo ""
+        @echo "***********************************************"
+        @echo ""
+apmodpkglib_LTLIBRARIES = mod_gnutls.la

src/gnutls_cache.c

-                      r8a264b0
+                      rea9c699
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ */
+ */
+/**
+ * @file gnutls_cache.c
+ *
+ * This file contains the cache implementation used for session
+ * caching and OCSP stapling. The `socache_*_session` functions
+ * implement the GnuTLS session cache API using the configured cache,
+ * using mgs_cache_store() and mgs_cache_fetch() as appropriate (see
+ * gnutls_cache.h).
+ */
+#include "gnutls_cache.h"
 #include "mod_gnutls.h"
+#if HAVE_APR_MEMCACHE
+#include "apr_memcache.h"
+#endif
+#include "apr_dbm.h"
+#include "ap_mpm.h"
+#include <unistd.h>
+#include <sys/types.h>
+#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
+#include "unixd.h"
+#endif
+/* it seems the default has some strange errors. Use SDBM
+ */
+#define MC_TAG "mod_gnutls:"
+#define MC_TAG_LEN sizeof(MC_TAG)
+#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
+#if MODULE_MAGIC_NUMBER_MAJOR < 20081201
+#define ap_unixd_config unixd_config
+#include "gnutls_config.h"
+#include "gnutls_ocsp.h"
+#include <ap_socache.h>
+#include <apr_strings.h>
+#include <mod_status.h>
+#include <apr_escape.h>
+#include <util_mutex.h>
+/** Default session cache timeout */
+#define MGS_DEFAULT_CACHE_TIMEOUT 300
+/** Session cache name */
+#define MGS_SESSION_CACHE_NAME "gnutls_session"
+/** Default type for OCSP cache */
+#define DEFAULT_OCSP_CACHE_TYPE "shmcb"
+/** Default config string for OCSP cache */
+#define DEFAULT_OCSP_CACHE_CONF "gnutls_ocsp_cache"
+/** Maximum length of the hex string representation of a GnuTLS
+ * session ID: two characters per byte, plus one more for `\0` */
+#if GNUTLS_VERSION_NUMBER >= 0x030400
+#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID_SIZE * 2) + 1)
+#else
+#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)
 #endif
 …
 #endif
+char *mgs_session_id2sz(unsigned char *id, int idlen,
+        char *str, int strsize) {
+    char *cp;
+    int n;
+    cp = str;
+    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
+        apr_snprintf(cp, strsize - (cp - str), "%02X", id[n]);
+        cp += 2;
+    }
+    *cp = '\0';
+    return str;
+}
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static int mgs_session_id2dbm(conn_rec * c, unsigned char *id, int idlen,
+        apr_datum_t * dbmkey) {
+    char buf[STR_SESSION_LEN];
+    char *sz;
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof (buf));
+    if (sz == NULL)
+/**
+ * Turn a GnuTLS session ID into the key format we use for
+ * caches. Name the Session ID as `server:port.SessionID` to disallow
+ * resuming sessions on different servers.
+ *
+ * @return `0` on success, `-1` on failure
+ */
+static int mgs_session_id2dbm(conn_rec *c, unsigned char *id, int idlen,
+                              gnutls_datum_t *dbmkey)
+{
+    char sz[GNUTLS_SESSION_ID_STRING_LEN];
+    apr_status_t rv = apr_escape_hex(sz, id, idlen, 0, NULL);
+    if (rv != APR_SUCCESS)
         return -1;
     dbmkey->dptr =
             apr_psprintf(c->pool, "%s:%d.%s",
             c->base_server->server_hostname,
             c->base_server->port, sz);
     dbmkey->dsize = strlen(dbmkey->dptr);
+    char *newkey = apr_psprintf(c->pool, "%s:%d.%s",
+                                c->base_server->server_hostname,
+                                c->base_server->port, sz);
+    dbmkey->size = strlen(newkey);
+    /* signedness does not matter for arbitrary bits */
+    dbmkey->data = (unsigned char*) newkey;
     return 0;
+}
+#define CTIME "%b %d %k:%M:%S %Y %Z"
+char *mgs_time2sz(time_t in_time, char *str, int strsize) {
+/** The OPENSSL_TIME_FORMAT macro and mgs_time2sz() serve to print
+ * time in a format compatible with OpenSSL's `ASN1_TIME_print()`
+ * function. */
+#define OPENSSL_TIME_FORMAT "%b %d %k:%M:%S %Y %Z"
+char *mgs_time2sz(time_t in_time, char *str, int strsize)
+{
     apr_time_exp_t vtm;
     apr_size_t ret_size;
 …
     apr_time_ansi_put(&t, in_time);
     apr_time_exp_gmt(&vtm, t);
     apr_strftime(str, &ret_size, strsize - 1, CTIME, &vtm);
+    apr_strftime(str, &ret_size, strsize - 1, OPENSSL_TIME_FORMAT, &vtm);
     return str;
+}
+#if HAVE_APR_MEMCACHE
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static char *mgs_session_id2mc(conn_rec * c, unsigned char *id, int idlen) {
+    char buf[STR_SESSION_LEN];
+    char *sz;
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof (buf));
+    if (sz == NULL)
+        return NULL;
+    return apr_psprintf(c->pool, MC_TAG "%s:%d.%s",
+            c->base_server->server_hostname,
+            c->base_server->port, sz);
+}
+int mgs_cache_store(mgs_cache_t cache, server_rec *server,
+                    gnutls_datum_t key, gnutls_datum_t data,
+                    apr_time_t expiry)
+{
+    apr_pool_t *spool;
+    apr_pool_create(&spool, NULL);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(cache->mutex);
+    apr_status_t rv = cache->prov->store(cache->socache, server,
+                                         key.data, key.size,
+                                         expiry,
+                                         data.data, data.size,
+                                         spool);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(cache->mutex);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, server,
+                     "error storing in cache '%s:%s'",
+                     cache->prov->name, cache->config);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                 "stored %u bytes of data (%u byte key) in cache '%s:%s'",
+                 data.size, key.size,
+                 cache->prov->name, cache->config);
+    apr_pool_destroy(spool);
+    return 0;
+}
 /**
+ * GnuTLS Session Cache using libmemcached
+ *
+ */
+/* The underlying apr_memcache system is thread safe... woohoo */
+static apr_memcache_t *mc;
+static int mc_cache_child_init(apr_pool_t * p, server_rec * s,
+        mgs_srvconf_rec * sc) {
+    apr_status_t rv = APR_SUCCESS;
+    int thread_limit = 0;
+    int nservers = 0;
+    char *cache_config;
+    char *split;
+    char *tok;
+    ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
+    /* Find all the servers in the first run to get a total count */
+    cache_config = apr_pstrdup(p, sc->cache_config);
+    split = apr_strtok(cache_config, " ", &tok);
+    while (split) {
+        nservers++;
+        split = apr_strtok(NULL, " ", &tok);
+    }
+    rv = apr_memcache_create(p, nservers, 0, &mc);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                "[gnutls_cache] Failed to create Memcache Object of '%d' size.",
+                nservers);
+        return rv;
+    }
+    /* Now add each server to the memcache */
+    cache_config = apr_pstrdup(p, sc->cache_config);
+    split = apr_strtok(cache_config, " ", &tok);
+    while (split) {
+        apr_memcache_server_t *st;
+        char *host_str;
+        char *scope_id;
+        apr_port_t port;
+        rv = apr_parse_addr_port(&host_str, &scope_id, &port,
+                split, p);
+        if (rv != APR_SUCCESS) {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                    "[gnutls_cache] Failed to Parse Server: '%s'",
+                    split);
+            return rv;
+        }
+        if (host_str == NULL) {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                    "[gnutls_cache] Failed to Parse Server, "
+                    "no hostname specified: '%s'", split);
+            return rv;
+        }
+        if (port == 0) {
+            port = 11211; /* default port */
+        }
+        /* Should Max Conns be (thread_limit / nservers) ? */
+        rv = apr_memcache_server_create(p,
+                host_str, port,
+,
+, thread_limit, 600, &st);
+        if (rv != APR_SUCCESS) {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                    "[gnutls_cache] Failed to Create Server: %s:%d",
+                    host_str, port);
+            return rv;
+        }
+        rv = apr_memcache_add_server(mc, st);
+        if (rv != APR_SUCCESS) {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
+                    "[gnutls_cache] Failed to Add Server: %s:%d",
+                    host_str, port);
+            return rv;
+        }
+        split = apr_strtok(NULL, " ", &tok);
+    }
+    return rv;
+}
+static int mc_cache_store(void *baton, gnutls_datum_t key,
+        gnutls_datum_t data) {
+    apr_status_t rv = APR_SUCCESS;
+ * Store function for the GnuTLS session cache, see
+ * gnutls_db_set_store_function().
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to store
+ *
+ * @param data the object to store
+ *
+ * @return `0` in case of success, `-1` in case of failure
+ */
+static int socache_store_session(void *baton, gnutls_datum_t key,
+                                 gnutls_datum_t data)
+{
     mgs_handle_t *ctxt = baton;
+    char *strkey = NULL;
+    apr_uint32_t timeout;
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
+    if (!strkey)
+    gnutls_datum_t dbmkey;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return -1;
+    timeout = apr_time_sec(ctxt->sc->cache_timeout);
+    rv = apr_memcache_set(mc, strkey, (char *) data.data, data.size, timeout,
+);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error setting key '%s' "
+                "with %d bytes of data", strkey, data.size);
+        return -1;
+    }
+    return 0;
+}
+static gnutls_datum_t mc_cache_fetch(void *baton, gnutls_datum_t key) {
+    apr_status_t rv = APR_SUCCESS;
+    mgs_handle_t *ctxt = baton;
+    char *strkey = NULL;
+    char *value;
+    apr_size_t value_len;
+    apr_time_t expiry = apr_time_now() + ctxt->sc->cache_timeout;
+    return mgs_cache_store(ctxt->sc->cache, ctxt->c->base_server,
+                           dbmkey, data, expiry);
+}
+/** 8K is the maximum size accepted when receiving OCSP responses,
+ * sessions cache entries should be much smaller. The buffer is
+ * reallocated to actual size after fetching, so memory waste is
+ * minimal and temporary. */
+#define SOCACHE_FETCH_BUF_SIZE (8 * 1024)
+gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
+                               gnutls_datum_t key, apr_pool_t *pool)
+{
     gnutls_datum_t data = {NULL, 0};
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
+    if (!strkey) {
+        return data;
+    }
+    rv = apr_memcache_getp(mc, ctxt->c->pool, strkey,
+            &value, &value_len, NULL);
+    if (rv != APR_SUCCESS) {
+#if MOD_GNUTLS_DEBUG
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error fetching key '%s' ",
+                strkey);
+#endif
+        data.size = 0;
+        data.data = NULL;
+        return data;
+    }
+    /* TODO: Eliminate this memcpy. gnutls-- */
+    data.data = gnutls_malloc(value_len);
+    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
     if (data.data == NULL)
         return data;
+    data.size = value_len;
+    memcpy(data.data, value, value_len);
+    data.size = SOCACHE_FETCH_BUF_SIZE;
+    apr_pool_t *spool;
+    apr_pool_create(&spool, pool);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(cache->mutex);
+    apr_status_t rv = cache->prov->retrieve(cache->socache, server,
+                                            key.data, key.size,
+                                            data.data, &data.size,
+                                            spool);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(cache->mutex);
+    if (rv != APR_SUCCESS)
+    {
+        /* APR_NOTFOUND means there's no such object. */
+        if (rv == APR_NOTFOUND)
+            ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                         "requested entry not found in cache '%s:%s'.",
+                         cache->prov->name, cache->config);
+        else
+            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
+                         "error fetching from cache '%s:%s'",
+                         cache->prov->name, cache->config);
+        /* free unused buffer */
+        gnutls_free(data.data);
+        data.data = NULL;
+        data.size = 0;
+    }
+    else
+    {
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                     "fetched %u bytes from cache '%s:%s'",
+                     data.size, cache->prov->name, cache->config);
+        /* Realloc buffer to data.size. Data size must be less than or
+         * equal to the initial buffer size, so this REALLY should not
+         * fail. */
+        data.data = gnutls_realloc(data.data, data.size);
+        if (__builtin_expect(data.data == NULL, 0))
+        {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, server,
+                         "%s: Could not realloc fetch buffer to data size!",
+                         __func__);
+            data.size = 0;
+        }
+    }
+    apr_pool_destroy(spool);
     return data;
+}
+static int mc_cache_delete(void *baton, gnutls_datum_t key) {
+    apr_status_t rv = APR_SUCCESS;
+/**
+ * Fetch function for the GnuTLS session cache, see
+ * gnutls_db_set_retrieve_function().
+ *
+ * *Warning*: The `data` element of the returned `gnutls_datum_t` is
+ * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
+ * session caching API, and must be released using `gnutls_free()`.
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to fetch
+ *
+ * @return the requested cache entry, or `{NULL, 0}`
+ */
+static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
+{
+    gnutls_datum_t data = {NULL, 0};
+    gnutls_datum_t dbmkey;
     mgs_handle_t *ctxt = baton;
+    char *strkey = NULL;
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
+    if (!strkey)
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return data;
+    return mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
+                           dbmkey, ctxt->c->pool);
+}
+/**
+ * Remove function for the GnuTLS session cache, see
+ * gnutls_db_set_remove_function().
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to remove
+ *
+ * @return `0` in case of success, `-1` in case of failure
+ */
+static int socache_delete_session(void *baton, gnutls_datum_t key)
+{
+    gnutls_datum_t tmpkey;
+    mgs_handle_t *ctxt = baton;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &tmpkey) < 0)
         return -1;
+    rv = apr_memcache_delete(mc, strkey, 0);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error deleting key '%s' ",
+                strkey);
+        return -1;
+    }
+    return 0;
+}
+#endif  /* have_apr_memcache */
+static const char *db_type(mgs_srvconf_rec * sc) {
+    if (sc->cache_type == mgs_cache_gdbm)
+        return "gdbm";
+    else
+        return "db";
+}
+#define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
+static void dbm_cache_expire(mgs_handle_t * ctxt) {
+    apr_status_t rv;
+    apr_dbm_t *dbm;
+    apr_datum_t dbmkey;
+    apr_datum_t dbmval;
+    apr_time_t now;
+    apr_time_t dtime;
+    apr_pool_t *spool;
+    int total, deleted;
+    now = apr_time_now();
+    if (now - ctxt->sc->last_cache_check <
+            (ctxt->sc->cache_timeout) / 2)
+        return;
+    ctxt->sc->last_cache_check = now;
+    apr_pool_create(&spool, ctxt->c->pool);
+    total = 0;
+    deleted = 0;
+    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
+            ctxt->sc->cache_config, APR_DBM_RWCREATE,
+            SSL_DBM_FILE_MODE, spool);
+    if (ctxt->sc->cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(ctxt->sc->cache->mutex);
+    apr_status_t rv = ctxt->sc->cache->prov->remove(ctxt->sc->cache->socache,
+                                                    ctxt->c->base_server,
+                                                    key.data, key.size,
+                                                    ctxt->c->pool);
+    if (ctxt->sc->cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error opening cache searcher '%s'",
+                ctxt->sc->cache_config);
+        apr_pool_destroy(spool);
+        return;
+    }
+    apr_dbm_firstkey(dbm, &dbmkey);
+    while (dbmkey.dptr != NULL) {
+        apr_dbm_fetch(dbm, dbmkey, &dbmval);
+        if (dbmval.dptr != NULL
+                && dbmval.dsize >= sizeof (apr_time_t)) {
+            memcpy(&dtime, dbmval.dptr, sizeof (apr_time_t));
+            if (now >= dtime) {
+                apr_dbm_delete(dbm, dbmkey);
+                deleted++;
+            }
+            apr_dbm_freedatum(dbm, dbmval);
+        } else {
+            apr_dbm_delete(dbm, dbmkey);
+            deleted++;
+        }
+        total++;
+        apr_dbm_nextkey(dbm, &dbmkey);
+    }
+    apr_dbm_close(dbm);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+            ctxt->c->base_server,
+            "[gnutls_cache] Cleaned up cache '%s'. Deleted %d and left %d",
+            ctxt->sc->cache_config, deleted, total - deleted);
+    apr_pool_destroy(spool);
+    return;
+}
+static gnutls_datum_t dbm_cache_fetch(void *baton, gnutls_datum_t key) {
+    gnutls_datum_t data = {NULL, 0};
+    apr_dbm_t *dbm;
+    apr_datum_t dbmkey;
+    apr_datum_t dbmval;
+    mgs_handle_t *ctxt = baton;
+    apr_status_t rv;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return data;
+    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
+            ctxt->sc->cache_config, APR_DBM_READONLY,
+            SSL_DBM_FILE_MODE, ctxt->c->pool);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error opening cache '%s'",
+                ctxt->sc->cache_config);
+        return data;
+    }
+    rv = apr_dbm_fetch(dbm, dbmkey, &dbmval);
+    if (rv != APR_SUCCESS) {
+        apr_dbm_close(dbm);
+        return data;
+    }
+    if (dbmval.dptr == NULL || dbmval.dsize <= sizeof (apr_time_t)) {
+        apr_dbm_freedatum(dbm, dbmval);
+        apr_dbm_close(dbm);
+        return data;
+    }
+    data.size = dbmval.dsize - sizeof (apr_time_t);
+    data.data = gnutls_malloc(data.size);
+    if (data.data == NULL) {
+        apr_dbm_freedatum(dbm, dbmval);
+        apr_dbm_close(dbm);
+        return data;
+    }
+    memcpy(data.data, dbmval.dptr + sizeof (apr_time_t), data.size);
+    apr_dbm_freedatum(dbm, dbmval);
+    apr_dbm_close(dbm);
+    return data;
+}
+static int dbm_cache_store(void *baton, gnutls_datum_t key,
+        gnutls_datum_t data) {
+    apr_dbm_t *dbm;
+    apr_datum_t dbmkey;
+    apr_datum_t dbmval;
+    mgs_handle_t *ctxt = baton;
+    apr_status_t rv;
+    apr_time_t expiry;
+    apr_pool_t *spool;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+                     ctxt->c->base_server,
+                     "error deleting from cache '%s:%s'",
+                     ctxt->sc->cache->prov->name, ctxt->sc->cache->config);
         return -1;
+    /* we expire dbm only on every store
+     */
+    dbm_cache_expire(ctxt);
+    apr_pool_create(&spool, ctxt->c->pool);
+    /* create DBM value */
+    dbmval.dsize = data.size + sizeof (apr_time_t);
+    dbmval.dptr = (char *) apr_palloc(spool, dbmval.dsize);
+    expiry = apr_time_now() + ctxt->sc->cache_timeout;
+    memcpy((char *) dbmval.dptr, &expiry, sizeof (apr_time_t));
+    memcpy((char *) dbmval.dptr + sizeof (apr_time_t),
+            data.data, data.size);
+    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
+            ctxt->sc->cache_config, APR_DBM_RWCREATE,
+            SSL_DBM_FILE_MODE, ctxt->c->pool);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error opening cache '%s'",
+                ctxt->sc->cache_config);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    rv = apr_dbm_store(dbm, dbmkey, dbmval);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error storing in cache '%s'",
+                ctxt->sc->cache_config);
+        apr_dbm_close(dbm);
+        apr_pool_destroy(spool);
+        return -1;
+    }
+    apr_dbm_close(dbm);
+    apr_pool_destroy(spool);
+    }
     return 0;
+}
+static int dbm_cache_delete(void *baton, gnutls_datum_t key) {
+    apr_dbm_t *dbm;
+    apr_datum_t dbmkey;
+    mgs_handle_t *ctxt = baton;
+    apr_status_t rv;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
+    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
+            ctxt->sc->cache_config, APR_DBM_RWCREATE,
+            SSL_DBM_FILE_MODE, ctxt->c->pool);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error opening cache '%s'",
+                ctxt->sc->cache_config);
+        return -1;
+    }
+    rv = apr_dbm_delete(dbm, dbmkey);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
+                ctxt->c->base_server,
+                "[gnutls_cache] error deleting from cache '%s'",
+                ctxt->sc->cache_config);
+        apr_dbm_close(dbm);
+        return -1;
+    }
+    apr_dbm_close(dbm);
+const char *mgs_cache_inst_config(mgs_cache_t *cache, server_rec *server,
+                                  const char* type, const char* config,
+                                  apr_pool_t *pconf, apr_pool_t *ptemp)
+{
+    /* Allocate cache structure, will be assigned to *cache after
+     * successful configuration. */
+    mgs_cache_t c = apr_pcalloc(pconf, sizeof(struct mgs_cache));
+    if (c == NULL)
+        return "Could not allocate memory for cache configuration!";
+    /* Find the right socache provider */
+    c->prov = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
+                                 type,
+                                 AP_SOCACHE_PROVIDER_VERSION);
+    if (c->prov == NULL)
+    {
+        return apr_psprintf(ptemp,
+                            "Could not find socache provider '%s', please "
+                            "make sure that the provider name is valid and "
+                            "the appropriate module is loaded (maybe "
+                            "mod_socache_%s.so?).",
+                            type, type);
+    }
+    /* shmcb works fine with NULL, but make sure there's a valid (if
+     * empty) string for logging */
+    if (config != NULL)
+        c->config = apr_pstrdup(pconf, config);
+    else
+        c->config = "";
+    /* Create and configure the cache instance. */
+    const char *err = c->prov->create(&c->socache, c->config, ptemp, pconf);
+    if (err != NULL)
+    {
+        return apr_psprintf(ptemp,
+                            "Creating cache '%s:%s' failed: %s",
+                            c->prov->name, c->config, err);
+    }
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                 "%s: Socache '%s:%s' created.",
+                 __func__, c->prov->name, c->config);
+    /* assign configured cache structure to server */
+    *cache = c;
+    return NULL;
+}
+/**
+ * This function is supposed to be called during post_config to
+ * initialize mutex and socache instance associated with an
+ * mgs_cache_t.
+ *
+ * @param cache the mod_gnutls cache structure
+ *
+ * @param cache_name name for socache initialization
+ *
+ * @param mutex_name name to pass to ap_global_mutex_create(), must
+ * have been registered during pre_config.
+ *
+ * @param server server for logging purposes
+ *
+ * @param pconf memory pool for server configuration
+ */
+static apr_status_t mgs_cache_inst_init(mgs_cache_t cache,
+                                        const char *cache_name,
+                                        const char *mutex_name,
+                                        server_rec *server,
+                                        apr_pool_t *pconf)
+{
+    apr_status_t rv = APR_SUCCESS;
+    if (cache->mutex == NULL)
+    {
+        rv = ap_global_mutex_create(&cache->mutex, NULL,
+                                    mutex_name,
+                                    NULL, server, pconf, 0);
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                     "%s: create mutex", __func__);
+        if (rv != APR_SUCCESS)
+            return rv;
+    }
+    rv = cache->prov->init(cache->socache, cache_name, NULL, server, pconf);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, server,
+                     "Initializing cache '%s:%s' failed!",
+                     cache->prov->name, cache->config);
+    else
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, server,
+                     "%s: socache '%s:%s' initialized.", __func__,
+                     cache->prov->name, cache->config);
+    return rv;
+}
+static apr_status_t cleanup_socache(void *data)
+{
+    server_rec *s = data;
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
+    if (sc->cache)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Cleaning up session cache '%s:%s'",
+                     sc->cache->prov->name, sc->cache->config);
+        sc->cache->prov->destroy(sc->cache->socache, s);
+    }
+    if (sc->ocsp_cache)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Cleaning up OCSP cache '%s:%s'",
+                     sc->ocsp_cache->prov->name, sc->ocsp_cache->config);
+        sc->ocsp_cache->prov->destroy(sc->ocsp_cache->socache, s);
+    }
+    return APR_SUCCESS;
+}
+int mgs_cache_post_config(apr_pool_t *pconf, apr_pool_t *ptemp,
+                          server_rec *s, mgs_srvconf_rec *sc)
+{
+    apr_status_t rv = APR_SUCCESS;
+    /* If the OCSP cache is unconfigured initialize it with
+     * defaults. */
+    if (sc->ocsp_cache == NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
+                     "%s: OCSP cache unconfigured, using '%s:%s'.", __func__,
+                     DEFAULT_OCSP_CACHE_TYPE, DEFAULT_OCSP_CACHE_CONF);
+        const char *err = mgs_cache_inst_config(&sc->ocsp_cache, s,
+                                                DEFAULT_OCSP_CACHE_TYPE,
+                                                DEFAULT_OCSP_CACHE_CONF,
+                                                pconf, ptemp);
+        if (err != NULL)
+            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
+                         "%s: Configuring default OCSP cache '%s:%s' failed, "
+                         "make sure that mod_socache_%s is loaded.", __func__,
+                         DEFAULT_OCSP_CACHE_TYPE, DEFAULT_OCSP_CACHE_CONF,
+                         DEFAULT_OCSP_CACHE_TYPE);
+    }
+    /* Initialize the OCSP cache first so it's not skipped if the
+     * session cache is disabled. */
+    if (sc->ocsp_cache != NULL)
+    {
+        /* TODO: Maybe initialize only if explicitly enabled OR at
+         * least one (virtual) host has OCSP enabled? */
+        rv = mgs_cache_inst_init(sc->ocsp_cache, MGS_OCSP_CACHE_NAME,
+                                 MGS_OCSP_CACHE_MUTEX_NAME, s, pconf);
+        if (rv != APR_SUCCESS)
+            return HTTP_INSUFFICIENT_STORAGE;
+    }
+    /* GnuTLSCache was never explicitly set or is disabled: */
+    if (sc->cache_enable == GNUTLS_ENABLED_UNSET
+        || sc->cache_enable == GNUTLS_ENABLED_FALSE)
+    {
+        sc->cache_enable = GNUTLS_ENABLED_FALSE;
+        /* Cache disabled, done. */
+        return APR_SUCCESS;
+    }
+    /* if GnuTLSCacheTimeout was never explicitly set: */
+    if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
+        sc->cache_timeout = apr_time_from_sec(MGS_DEFAULT_CACHE_TIMEOUT);
+    rv = mgs_cache_inst_init(sc->cache, MGS_SESSION_CACHE_NAME,
+                             MGS_CACHE_MUTEX_NAME, s, pconf);
+    if (rv != APR_SUCCESS)
+        return HTTP_INSUFFICIENT_STORAGE;
+    apr_pool_pre_cleanup_register(pconf, s, cleanup_socache);
+    return APR_SUCCESS;
+}
+int mgs_cache_child_init(apr_pool_t *p, server_rec *server,
+                         mgs_cache_t cache, const char *mutex_name)
+{
+    /* reinit cache mutex */
+    const char *lockfile = apr_global_mutex_lockfile(cache->mutex);
+    apr_status_t rv = apr_global_mutex_child_init(&cache->mutex,
+                                                  lockfile, p);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, server,
+                     "Failed to reinit mutex '%s'", mutex_name);
+    return rv;
+}
+int mgs_cache_session_init(mgs_handle_t * ctxt)
+{
+    if (ctxt->sc->cache_enable)
+    {
+        gnutls_db_set_retrieve_function(ctxt->session,
+                                        socache_fetch_session);
+        gnutls_db_set_remove_function(ctxt->session,
+                                      socache_delete_session);
+        gnutls_db_set_store_function(ctxt->session,
+                                     socache_store_session);
+        gnutls_db_set_ptr(ctxt->session, ctxt);
+    }
     return 0;
+}
+static int dbm_cache_post_config(apr_pool_t * p, server_rec * s,
+        mgs_srvconf_rec * sc) {
+    apr_status_t rv;
+    apr_dbm_t *dbm;
+    const char *path1;
+    const char *path2;
+    rv = apr_dbm_open_ex(&dbm, db_type(sc), sc->cache_config,
+            APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, p);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                "GnuTLS: Cannot create DBM Cache at `%s'",
+                sc->cache_config);
+        return rv;
+    }
+    apr_dbm_close(dbm);
+    apr_dbm_get_usednames_ex(p, db_type(sc), sc->cache_config, &path1,
+            &path2);
+    /* The Following Code takes logic directly from mod_ssl's DBM Cache */
+#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
+    /* Running as Root */
+    if (path1 && geteuid() == 0) {
+        if (0 != chown(path1, ap_unixd_config.user_id, -1))
+            ap_log_error(APLOG_MARK, APLOG_NOTICE, -1, s,
+                         "GnuTLS: could not chown cache path1 `%s' to uid %d (errno: %d)",
+                         path1, ap_unixd_config.user_id, errno);
+        if (path2 != NULL) {
+            if (0 != chown(path2, ap_unixd_config.user_id, -1))
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, -1, s,
+                             "GnuTLS: could not chown cache path2 `%s' to uid %d (errno: %d)",
+                             path2, ap_unixd_config.user_id, errno);
+        }
+    }
+#endif
+    return rv;
+}
+int mgs_cache_post_config(apr_pool_t * p, server_rec * s,
+        mgs_srvconf_rec * sc) {
+    /* if GnuTLSCache was never explicitly set: */
+    if (sc->cache_type == mgs_cache_unset)
+        sc->cache_type = mgs_cache_none;
+    /* if GnuTLSCacheTimeout was never explicitly set: */
+    if (sc->cache_timeout == -1)
+        sc->cache_timeout = apr_time_from_sec(300);
+    if (sc->cache_type == mgs_cache_dbm
+            || sc->cache_type == mgs_cache_gdbm) {
+        return dbm_cache_post_config(p, s, sc);
+    }
+    return 0;
+}
+#if HAVE_APR_MEMCACHE
+int mgs_cache_child_init(apr_pool_t * p,
+                         server_rec * s,
+                         mgs_srvconf_rec * sc)
+#else
+int mgs_cache_child_init(apr_pool_t * p __attribute__((unused)),
+                         server_rec * s __attribute__((unused)),
+                         mgs_srvconf_rec * sc)
+#endif
+{
+    if (sc->cache_type == mgs_cache_dbm
+            || sc->cache_type == mgs_cache_gdbm) {
+        return 0;
+    }
+#if HAVE_APR_MEMCACHE
+    else if (sc->cache_type == mgs_cache_memcache) {
+        return mc_cache_child_init(p, s, sc);
+    }
+#endif
+    return 0;
+}
+#include <assert.h>
+int mgs_cache_session_init(mgs_handle_t * ctxt) {
+    if (ctxt->sc->cache_type == mgs_cache_dbm
+            || ctxt->sc->cache_type == mgs_cache_gdbm) {
+        gnutls_db_set_retrieve_function(ctxt->session,
+                dbm_cache_fetch);
+        gnutls_db_set_remove_function(ctxt->session,
+                dbm_cache_delete);
+        gnutls_db_set_store_function(ctxt->session,
+                dbm_cache_store);
+        gnutls_db_set_ptr(ctxt->session, ctxt);
+    }
+#if HAVE_APR_MEMCACHE
+    else if (ctxt->sc->cache_type == mgs_cache_memcache) {
+        gnutls_db_set_retrieve_function(ctxt->session,
+                mc_cache_fetch);
+        gnutls_db_set_remove_function(ctxt->session,
+                mc_cache_delete);
+        gnutls_db_set_store_function(ctxt->session,
+                mc_cache_store);
+        gnutls_db_set_ptr(ctxt->session, ctxt);
+    }
+#endif
+    return 0;
+}
+int mgs_cache_status(mgs_cache_t cache, const char *header_title,
+                     request_rec *r, int flags)
+{
+    if (!(flags & AP_STATUS_SHORT))
+        ap_rprintf(r, "<h3>%s:</h3>\n", header_title);
+    else
+        ap_rprintf(r, "%s:\n", header_title);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(cache->mutex);
+    cache->prov->status(cache->socache, r, flags);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(cache->mutex);
+    return OK;
+}

src/gnutls_config.c

-                      r8a264b0
+                      rea9c699
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
+#include "gnutls_cache.h"
+#include "gnutls_config.h"
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #include "apr_lib.h"
+#include <apr_strings.h>
 #include <gnutls/abstract.h>
 …
+}
+/* 2048-bit group parameters from SRP specification */
+const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
+        "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
+        "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
+        "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
+        "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
+        "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
+        "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
+        "-----END DH PARAMETERS-----\n";
+int mgs_load_files(apr_pool_t * p, server_rec * s)
+/**
+ * Clean up the various GnuTLS data structures allocated by
+ * mgs_load_files()
+ */
+static apr_status_t mgs_pool_free_credentials(void *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) arg;
+    if (sc->certs)
+    {
+        gnutls_certificate_free_credentials(sc->certs);
+        sc->certs = NULL;
+    }
+    if (sc->anon_creds)
+    {
+        gnutls_anon_free_server_credentials(sc->anon_creds);
+        sc->anon_creds = NULL;
+    }
+#ifdef ENABLE_SRP
+    if (sc->srp_creds)
+    {
+        gnutls_srp_free_server_credentials(sc->srp_creds);
+        sc->srp_creds = NULL;
+    }
+#endif
+    if (sc->dh_params)
+    {
+        gnutls_dh_params_deinit(sc->dh_params);
+        sc->dh_params = NULL;
+    }
+    for (unsigned int i = 0; i < sc->certs_x509_chain_num; i++)
+    {
+        gnutls_pcert_deinit(&sc->certs_x509_chain[i]);
+        gnutls_x509_crt_deinit(sc->certs_x509_crt_chain[i]);
+    }
+    if (sc->privkey_x509)
+    {
+        gnutls_privkey_deinit(sc->privkey_x509);
+        sc->privkey_x509 = NULL;
+    }
+    if (sc->ca_list)
+    {
+        for (unsigned int i = 0; i < sc->ca_list_size; i++)
+        {
+            gnutls_x509_crt_deinit(sc->ca_list[i]);
+        }
+        gnutls_free(sc->ca_list);
+        sc->ca_list = NULL;
+    }
+    /* Deinit server priorities only if set from
+     * sc->priorities_str. Otherwise the server is using the default
+     * global priority cache, which must not be deinitialized here. */
+    if (sc->priorities_str && sc->priorities)
+    {
+        gnutls_priority_deinit(sc->priorities);
+        sc->priorities = NULL;
+    }
+    return APR_SUCCESS;
+}
+int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
+{
     apr_pool_t *spool;
 …
     int ret;
     mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, p);
+    sc->cert_pgp = apr_pcalloc(p, sizeof(sc->cert_pgp[0]));
+    sc->cert_crt_pgp = apr_pcalloc(p, sizeof(sc->cert_crt_pgp[0]));
+    sc->certs_x509_chain =
+        apr_pcalloc(p, MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
+    sc->certs_x509_crt_chain =
+        apr_pcalloc(p,
+                    MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
+    ret = gnutls_certificate_allocate_credentials(&sc->certs);
+    if (ret < 0) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                     "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                     gnutls_strerror(ret));
+        ret = -1;
+        goto cleanup;
+    }
+    ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
+    if (ret < 0) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                     "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                     gnutls_strerror(ret));
+        ret = -1;
+        goto cleanup;
+        (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, ptemp);
+    /* Cleanup function for the GnuTLS structures allocated below */
+    apr_pool_cleanup_register(pconf, sc, mgs_pool_free_credentials,
+                              apr_pool_cleanup_null);
+    if (sc->certs == NULL)
+    {
+        ret = gnutls_certificate_allocate_credentials(&sc->certs);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->anon_creds == NULL)
+    {
+        ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
     /* Load SRP parameters */
 #ifdef ENABLE_SRP
+    ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+    if (ret < 0) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                     "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                     gnutls_strerror(ret));
+        ret = -1;
+        goto cleanup;
+    }
+    if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
+        ret = gnutls_srp_set_server_credentials_file
+            (sc->srp_creds, sc->srp_tpasswd_file,
+             sc->srp_tpasswd_conf_file);
+        if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
+                         s,
+                         "GnuTLS: Host '%s:%d' is missing a "
+                         "SRP password or conf File!",
+                         s->server_hostname, s->port);
+            ret = -1;
+            goto cleanup;
+        }
+    }
+#endif
+    ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         ": (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+    }
+    /* Load DH parameters */
+    if (sc->dh_file) {
+        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
+                                          GNUTLS_X509_FMT_PEM);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "DH params '%s': (%d) %s", sc->dh_file, ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    } else {
+        gnutls_datum_t pdata = {
+            (void *) static_dh_params,
+            sizeof(static_dh_params)
+        };
+        ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
+    if (sc->srp_creds == NULL)
+    {
+        ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
         if (ret < 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                     "GnuTLS: Unable to generate or load DH Params: (%d) %s",
                     ret, gnutls_strerror(ret));
+                         "GnuTLS: Failed to initialize" ": (%d) %s", ret,
+                         gnutls_strerror(ret));
             ret = -1;
             goto cleanup;
 …
+    }
+    if (sc->x509_cert_file != NULL) {
+        unsigned int chain_num, i;
+        unsigned format = GNUTLS_X509_FMT_PEM;
+        /* Load X.509 certificate */
+        if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
+            gnutls_pkcs11_obj_t obj;
+            file = sc->x509_cert_file;
+            ret = gnutls_pkcs11_obj_init(&obj);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Initializing PKCS #11 object");
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
+            ret = gnutls_pkcs11_obj_import_url(obj, file, GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Importing PKCS #11 object: '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            format = GNUTLS_X509_FMT_DER;
+            ret = gnutls_pkcs11_obj_export2(obj, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Exporting a PKCS #11 object: '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_deinit(obj);
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_cert_file);
+            ret = gnutls_load_file(file, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Certificate '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        ret =
+            gnutls_x509_crt_list_import2(&sc->certs_x509_crt_chain,
+                                        &chain_num, &data, format,
+                                        GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
+        gnutls_free(data.data);
+        sc->certs_x509_chain_num = chain_num;
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import Certificate Chain '%s': (%d) %s",
+                         file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        for (i = 0; i < chain_num; i++) {
+            ret =
+                gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
+                                         sc->certs_x509_crt_chain[i], 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import pCertificate '%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        sc->certs_x509_chain_num = chain_num;
+    }
+    if (sc->x509_key_file) {
+        ret = gnutls_privkey_init(&sc->privkey_x509);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
+            file = sc->x509_key_file;
+            gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
+                                            sc);
+            ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key URL '%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_key_file);
+            if (load_datum_from_file(spool, file, &data) != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Private Key '%s'",
+                             file);
+                ret = -1;
+                goto cleanup;
+            }
+            ret =
+                gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
+                                               GNUTLS_X509_FMT_PEM, sc->pin,
+);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key '%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+    }
+    /* Load the X.509 CA file */
+    if (sc->x509_ca_file) {
+        if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Client CA File '%s'",
+                         sc->x509_ca_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
+                                         &data, GNUTLS_X509_FMT_PEM, 0);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Client CA File '%s': (%d) %s", sc->x509_ca_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->pgp_cert_file) {
+        if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Certificate '%s'",
+                         sc->pgp_cert_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Init "
+                         "PGP Certificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
+                                      GNUTLS_OPENPGP_FMT_BASE64);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Certificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_pcert_import_openpgp(sc->cert_pgp, sc->cert_crt_pgp[0],
+);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP pCertificate: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    /* Load the PGP key file */
+    if (sc->pgp_key_file) {
+        if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Private Key '%s'",
+                         sc->pgp_key_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_privkey_init(&sc->privkey_pgp);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         ": (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+#if GNUTLS_VERSION_NUMBER < 0x030312
+        /* GnuTLS versions before 3.3.12 contain a bug in
+         * gnutls_privkey_import_openpgp_raw which frees data that is
+         * accessed when the key is used, leading to segfault. Loading
+         * the key into a gnutls_openpgp_privkey_t and then assigning
+         * it to the gnutls_privkey_t works around the bug, hence this
+         * chain of gnutls_openpgp_privkey_init,
+         * gnutls_openpgp_privkey_import and
+         * gnutls_privkey_import_openpgp. */
+        ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
+        if (ret != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,
+                                            GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
+        if (ret != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,
+                                            sc->privkey_pgp_internal, 0);
+        if (ret != 0)
+    if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL)
+    {
+        ret = gnutls_srp_set_server_credentials_file
+            (sc->srp_creds, sc->srp_tpasswd_file,
+             sc->srp_tpasswd_conf_file);
+        if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Host '%s:%d' is missing a "
+                         "SRP password or conf File!",
+                         s->server_hostname, s->port);
+            ret = -1;
+            goto cleanup;
+        }
+    }
+#endif
+    /* Load user provided DH parameters, if any */
+    if (sc->dh_file)
+    {
+        if (sc->dh_params == NULL)
+        {
+            ret = gnutls_dh_params_init(&sc->dh_params);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to initialize"
+                             ": (%d) %s", ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to assign PGP Private Key '%s' "
+                         "to gnutls_privkey_t structure: (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+#else
+        ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
+                                                GNUTLS_OPENPGP_FMT_BASE64,
+                                                NULL, NULL);
+        if (ret != 0)
+        {
+                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret =
+            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
+                                          GNUTLS_X509_FMT_PEM);
+        if (ret < 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "GnuTLS: Failed to Import "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+#endif
+    }
+    /* Load the keyring file */
+    if (sc->pgp_ring_file) {
+        if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Keyring File '%s'",
+                         sc->pgp_ring_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize"
+                         "keyring: (%d) %s", ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
+                                           GNUTLS_OPENPGP_FMT_BASE64);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Keyring File '%s': (%d) %s", sc->pgp_ring_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->priorities_str) {
+                         "DH params '%s': (%d) %s", sc->dh_file, ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->x509_cert_file != NULL && sc->certs_x509_crt_chain == NULL)
+    {
+        sc->certs_x509_chain =
+            apr_pcalloc(pconf,
+                        MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
+        sc->certs_x509_crt_chain =
+            apr_pcalloc(pconf,
+                        MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
+        unsigned int chain_num = MAX_CHAIN_SIZE;
+        unsigned format = GNUTLS_X509_FMT_PEM;
+        /* Load X.509 certificate */
+        if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
+            gnutls_pkcs11_obj_t obj;
+            file = sc->x509_cert_file;
+            ret = gnutls_pkcs11_obj_init(&obj);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Initializing PKCS #11 object");
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
+            ret = gnutls_pkcs11_obj_import_url(obj, file,
+                                               GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Importing PKCS #11 object: "
+                             "'%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            format = GNUTLS_X509_FMT_DER;
+            ret = gnutls_pkcs11_obj_export2(obj, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Exporting a PKCS #11 object: "
+                             "'%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+            gnutls_pkcs11_obj_deinit(obj);
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_cert_file);
+            ret = gnutls_load_file(file, &data);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Certificate '%s': %s",
+                             file, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        ret = gnutls_x509_crt_list_import(sc->certs_x509_crt_chain,
+                                          &chain_num, &data, format,
+                                          GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
+        gnutls_free(data.data);
+        sc->certs_x509_chain_num = chain_num;
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import Certificate Chain "
+                         "'%s': (%d) %s",
+                         file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        for (unsigned int i = 0; i < chain_num; i++)
+        {
+            ret =
+                gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
+                                         sc->certs_x509_crt_chain[i], 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import pCertificate "
+                             "'%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+        sc->certs_x509_chain_num = chain_num;
+    }
+    if (sc->x509_key_file && sc->privkey_x509 == NULL)
+    {
+        ret = gnutls_privkey_init(&sc->privkey_x509);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to initialize: (%d) %s", ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+        if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
+            file = sc->x509_key_file;
+            gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
+                                            sc);
+            ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key URL "
+                             "'%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        } else {
+            file = ap_server_root_relative(spool, sc->x509_key_file);
+            if (load_datum_from_file(spool, file, &data) != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Error Reading Private Key '%s'",
+                             file);
+                ret = -1;
+                goto cleanup;
+            }
+            ret =
+                gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
+                                               GNUTLS_X509_FMT_PEM, sc->pin,
+);
+            if (ret < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Failed to Import Private Key "
+                             "'%s': (%d) %s",
+                             file, ret, gnutls_strerror(ret));
+                ret = -1;
+                goto cleanup;
+            }
+        }
+    }
+    /* Load the X.509 CA file */
+    if (sc->x509_ca_file)
+    {
+        if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "Client CA File '%s'",
+                         sc->x509_ca_file);
+            ret = -1;
+            goto cleanup;
+        }
+        ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
+                                           &data, GNUTLS_X509_FMT_PEM, 0);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to load "
+                         "Client CA File '%s': (%d) %s", sc->x509_ca_file,
+                         ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+    }
+    if (sc->priorities_str && sc->priorities == NULL)
+    {
         const char *err;
         ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err);
         if (ret < 0) {
             if (ret == GNUTLS_E_INVALID_REQUEST) {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                              "GnuTLS: Syntax error parsing priorities string at: %s",
                              err);
             } else {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                              "GnuTLS: error parsing priorities string");
+            }
             ret = -1;
             goto cleanup;
+        }
+        if (ret < 0) {
+            if (ret == GNUTLS_E_INVALID_REQUEST) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Syntax error parsing priorities string at: %s",
+                             err);
+            } else {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: error parsing priorities string");
+            }
+            ret = -1;
+            goto cleanup;
+        }
+    }
     ret = 0;
   cleanup:
+ cleanup:
     apr_pool_destroy(spool);
 …
+}
-const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg)
+{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-    sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg);
-    return NULL;
+}
-const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-    sc->pgp_key_file = ap_server_root_relative(parms->pool, arg);
-    return NULL;
+}
 const char *mgs_set_tickets(cmd_parms *parms,
                             void *dummy __attribute__((unused)),
 …
 #endif
+const char *mgs_set_cache(cmd_parms * parms, void *dummy __attribute__((unused)),
+        const char *type, const char *arg) {
+const char *mgs_set_cache(cmd_parms * parms,
+                          void *dummy __attribute__((unused)),
+                          const char *type, const char *arg)
+{
     const char *err;
     mgs_srvconf_rec *sc =
+        ap_get_module_config(parms->server->module_config,
+                             &gnutls_module);
+    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
+        return err;
+    }
+    if (strcasecmp("none", type) == 0) {
+        sc->cache_type = mgs_cache_none;
+        sc->cache_config = NULL;
+        return NULL;
+    } else if (strcasecmp("dbm", type) == 0) {
+        sc->cache_type = mgs_cache_dbm;
+    } else if (strcasecmp("gdbm", type) == 0) {
+        sc->cache_type = mgs_cache_gdbm;
+    }
+#if HAVE_APR_MEMCACHE
+    else if (strcasecmp("memcache", type) == 0) {
+        sc->cache_type = mgs_cache_memcache;
+    }
+#endif
+    else {
+        return "Invalid Type for GnuTLSCache!";
+    }
+    if (arg == NULL)
+        return "Invalid argument 2 for GnuTLSCache!";
+    if (sc->cache_type == mgs_cache_dbm
+        || sc->cache_type == mgs_cache_gdbm) {
+        sc->cache_config = ap_server_root_relative(parms->pool, arg);
+    } else {
+        sc->cache_config = apr_pstrdup(parms->pool, arg);
+    }
+    return NULL;
+}
+const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy __attribute__((unused)),
+        const char *arg) {
+    int argint;
+    const char *err;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
+        return err;
+    }
+    argint = atoi(arg);
+    if (argint < 0) {
+        return "GnuTLSCacheTimeout: Invalid argument";
+    } else if (argint == 0) {
+        sc->cache_timeout = 0;
+    } else {
+        sc->cache_timeout = apr_time_from_sec(argint);
+    }
+        ap_get_module_config(parms->server->module_config,
+                             &gnutls_module);
+    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
+        return err;
+    unsigned char enable = GNUTLS_ENABLED_TRUE;
+    /* none: disable cache */
+    if (strcasecmp("none", type) == 0)
+        enable = GNUTLS_ENABLED_FALSE;
+    /* Try to split socache "type:config" style configuration */
+    const char* sep = ap_strchr_c(type, ':');
+    if (sep)
+    {
+        type = apr_pstrmemdup(parms->temp_pool, type, sep - type);
+        if (arg != NULL)
+        {
+            /* No mixing of socache style and legacy config! */
+            return "GnuTLSCache appears to have a mod_socache style "
+                "type:config value, but there is a second parameter!";
+        }
+        arg = ++sep;
+    }
+    mgs_cache_t *cache = NULL;
+    /* parms->directive->directive contains the directive string */
+    if (!strcasecmp(parms->directive->directive, "GnuTLSCache"))
+    {
+        if (enable == GNUTLS_ENABLED_FALSE)
+        {
+            sc->cache_enable = GNUTLS_ENABLED_FALSE;
+            return NULL;
+        }
+        sc->cache_enable = GNUTLS_ENABLED_TRUE;
+        cache = &sc->cache;
+    }
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSOCSPCache"))
+    {
+        if (enable == GNUTLS_ENABLED_FALSE)
+            return "\"GnuTLSOCSPCache none\" is invalid, use "
+                "\"GnuTLSOCSPStapling off\" if you want to disable "
+                "OCSP stapling.";
+        cache = &sc->ocsp_cache;
+    }
+    else
+        return apr_psprintf(parms->temp_pool, "Internal Error: %s "
+                            "called for unknown directive %s",
+                            __func__, parms->directive->directive);
+    return mgs_cache_inst_config(cache, parms->server,
+                                 type, arg,
+                                 parms->pool, parms->temp_pool);
+}
+const char *mgs_set_timeout(cmd_parms * parms,
+                            void *dummy __attribute__((unused)),
+                            const char *arg)
+{
+    apr_int64_t argint = apr_atoi64(arg);
+    /* timeouts cannot be negative */
+    if (argint < 0)
+        return apr_psprintf(parms->pool, "%s: Invalid argument",
+                            parms->directive->directive);
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+    if (!strcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
+        sc->cache_timeout = apr_time_from_sec(argint);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPCacheTimeout"))
+        sc->ocsp_cache_time = apr_time_from_sec(argint);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPFailureTimeout"))
+        sc->ocsp_failure_timeout = apr_time_from_sec(argint);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPFuzzTime"))
+        sc->ocsp_fuzz_time = apr_time_from_sec(argint);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPSocketTimeout"))
+        sc->ocsp_socket_timeout = apr_time_from_sec(argint);
+    else
+        /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
+        return apr_psprintf(parms->pool,
+                            "mod_gnutls: %s called for invalid option '%s'",
+                            __func__, parms->directive->directive);
     return NULL;
 …
     sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
-    return NULL;
+}
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-    sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg);
     return NULL;
 …
     sc->privkey_x509 = NULL;
+    sc->privkey_pgp = NULL;
+    sc->anon_creds = NULL;
+#ifdef ENABLE_SRP
+    sc->srp_creds = NULL;
+#endif
+    sc->certs = NULL;
+    sc->certs_x509_chain = NULL;
+    sc->certs_x509_crt_chain = NULL;
     sc->certs_x509_chain_num = 0;
     sc->p11_modules = NULL;
     sc->pin = NULL;
     sc->priorities_str = NULL;
     sc->cache_timeout = -1;     /* -1 means "unset" */
     sc->cache_type = mgs_cache_unset;
     sc->cache_config = NULL;
+    sc->cache_timeout = MGS_TIMEOUT_UNSET;
+    sc->cache_enable = GNUTLS_ENABLED_UNSET;
+    sc->cache = NULL;
     sc->tickets = GNUTLS_ENABLED_UNSET;
     sc->priorities = NULL;
     sc->dh_params = NULL;
+    sc->dh_file = NULL;
+    sc->ca_list = NULL;
+    sc->ca_list_size = 0;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
     sc->export_certificates_size = -1;
 …
     sc->proxy_x509_crl_file = NULL;
     sc->proxy_priorities_str = NULL;
+    sc->proxy_x509_creds = NULL;
+    sc->anon_client_creds = NULL;
     sc->proxy_priorities = NULL;
+    sc->proxy_x509_tl = NULL;
+    sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_auto_refresh = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_response_file = NULL;
+    sc->ocsp_mutex = NULL;
+    sc->ocsp_cache = NULL;
+    sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
+    sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
+    sc->ocsp_fuzz_time = MGS_TIMEOUT_UNSET;
+    sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
+    sc->singleton_wd = NULL;
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
 …
 void *mgs_config_server_merge(apr_pool_t * p, void *BASE, void *ADD)
+{
-    int i;
     char *err = NULL;
     mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE;
 …
     gnutls_srvconf_merge(p11_modules, NULL);
     gnutls_srvconf_merge(pin, NULL);
-    gnutls_srvconf_merge(pgp_cert_file, NULL);
-    gnutls_srvconf_merge(pgp_key_file, NULL);
-    gnutls_srvconf_merge(pgp_ring_file, NULL);
     gnutls_srvconf_merge(dh_file, NULL);
     gnutls_srvconf_merge(priorities_str, NULL);
+    gnutls_srvconf_merge(cache_timeout, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(proxy_x509_key_file, NULL);
 …
     gnutls_srvconf_merge(proxy_priorities, NULL);
+    /* FIXME: the following items are pre-allocated, and should be
+     * properly disposed of before assigning in order to avoid leaks;
+     * so at the moment, we can't actually have them in the config.
+     * what happens during de-allocation? */
+    /* TODO: mgs_load_files takes care of most of these now, verify
+     * and clean up the following lines */
+    gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(ocsp_auto_refresh, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_assign(ocsp_response_file);
+    gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_fuzz_time, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_assign(ca_list);
     gnutls_srvconf_assign(ca_list_size);
-    gnutls_srvconf_assign(cert_pgp);
-    gnutls_srvconf_assign(cert_crt_pgp);
-    gnutls_srvconf_assign(pgp_list);
     gnutls_srvconf_assign(certs);
     gnutls_srvconf_assign(anon_creds);
 …
     gnutls_srvconf_assign(certs_x509_crt_chain);
     gnutls_srvconf_assign(certs_x509_chain_num);
-    /* how do these get transferred cleanly before the data from ADD
-     * goes away? */
-    gnutls_srvconf_assign(cert_cn);
-    for (i = 0; i < MAX_CERT_SAN; i++)
-        gnutls_srvconf_assign(cert_san[i]);
     return sc;

src/gnutls_hooks.c

-                      r8a264b0
+                      rea9c699
 /**
+/*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2013-2014 Daniel Kahn Gillmor
  *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2019 Fiona Klute
+ *
  *  Licensed under the Apache License, Version 2.0 (the "License");
 …
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
  */
 #include "mod_gnutls.h"
+#include "gnutls_cache.h"
+#include "gnutls_config.h"
+#include "gnutls_ocsp.h"
+#include "gnutls_proxy.h"
+#include "gnutls_sni.h"
+#include "gnutls_util.h"
+#include "gnutls_watchdog.h"
 #include "http_vhost.h"
 #include "ap_mpm.h"
+#include "mod_status.h"
+#include <mod_status.h>
+#include <util_mutex.h>
+#include <apr_escape.h>
+/* This provides strcmp and related functions */
+#define APR_WANT_STRFUNC
+#include <apr_want.h>
 #ifdef ENABLE_MSVA
 …
 #endif
-#if !USING_2_1_RECENT
-extern server_rec *ap_server_conf;
-#endif
 #if MOD_GNUTLS_DEBUG
 static apr_file_t *debug_log_fp;
 …
     ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
+/** Key to encrypt session tickets. Must be kept secret. This key is
+ * generated in the `pre_config` hook and thus constant across
+ * forks. The problem with this approach is that it does not support
+ * regular key rotation. */
 static gnutls_datum_t session_ticket_key = {NULL, 0};
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
+/** use side==0 for server and side==1 for client */
 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);
+mgs_srvconf_rec* mgs_find_sni_server(mgs_handle_t *ctxt);
 static int mgs_status_hook(request_rec *r, int flags);
 #ifdef ENABLE_MSVA
 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
 #endif
-static int load_proxy_x509_credentials(server_rec *s);
 /* Pool Cleanup Function */
+apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused))) {
+        /* Free all session data */
+apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused)))
+{
+    /* Free session ticket master key */
+#if GNUTLS_VERSION_NUMBER >= 0x030400
+    gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size);
+#endif
     gnutls_free(session_ticket_key.data);
     session_ticket_key.data = NULL;
     session_ticket_key.size = 0;
+        /* Deinitialize GnuTLS Library */
+    gnutls_global_deinit();
+    /* Deinit default priority setting */
+    mgs_default_priority_deinit();
     return APR_SUCCESS;
+}
 …
+    }
-        /* Initialize GnuTLS Library */
-    ret = gnutls_global_init();
-    if (ret < 0) {
-                ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_global_init: %s", gnutls_strerror(ret));
-                return DONE;
+    }
         /* Generate a Session Key */
     ret = gnutls_session_ticket_key_generate(&session_ticket_key);
 …
+    }
+    /* Initialize default priority setting */
+    ret = mgs_default_priority_init();
+    if (ret < 0)
+    {
+        ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog,
+                      "gnutls_priority_init failed for default '%s': %s (%d)",
+                      MGS_DEFAULT_PRIORITY, gnutls_strerror(ret), ret);
+        return DONE;
+    }
     AP_OPTIONAL_HOOK(status_hook, mgs_status_hook, NULL, NULL, APR_HOOK_MIDDLE);
+        /* Register a pool clean-up function */
+    ap_mutex_register(pconf, MGS_CACHE_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, MGS_OCSP_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, MGS_OCSP_CACHE_MUTEX_NAME, NULL,
+                      APR_LOCK_DEFAULT, 0);
+    /* Register a pool clean-up function */
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, apr_pool_cleanup_null);
 …
+}
+static int mgs_select_virtual_server_cb(gnutls_session_t session) {
+    mgs_handle_t *ctxt = NULL;
+    mgs_srvconf_rec *tsc = NULL;
+/**
+ * Get the list of available protocols for this connection and add it
+ * to the GnuTLS session. Must run before the client hello function.
+ */
+static void prepare_alpn_proposals(mgs_handle_t *ctxt)
+{
+    /* Check if any protocol upgrades are available
+     *
+     * The "report_all" parameter to ap_get_protocol_upgrades() is 0
+     * (report only more preferable protocols) because setting it to 1
+     * doesn't actually report ALL protocols, but only all except the
+     * current one. This way we can at least list the current one as
+     * available by appending it without potentially negotiating a
+     * less preferred protocol. */
+    const apr_array_header_t *pupgrades = NULL;
+    apr_status_t ret =
+        ap_get_protocol_upgrades(ctxt->c, NULL, ctxt->sc->s,
+                                 /*report_all*/ 0, &pupgrades);
+    if (ret != APR_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                      "%s: ap_get_protocol_upgrades() failed, "
+                      "cannot configure ALPN!", __func__);
+        return;
+    }
+    if (pupgrades == NULL || pupgrades->nelts == 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: No protocol upgrades available.", __func__);
+        return;
+    }
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                  "%s: Found %d protocol upgrade(s) for ALPN: %s",
+                  __func__, pupgrades->nelts,
+                  apr_array_pstrcat(ctxt->c->pool, pupgrades, ','));
+    gnutls_datum_t *alpn_protos =
+        mgs_str_array_to_datum_array(pupgrades,
+                                     ctxt->c->pool,
+                                     pupgrades->nelts + 1);
+    /* Add the current (default) protocol at the end of the list */
+    alpn_protos[pupgrades->nelts].data =
+        (void*) apr_pstrdup(ctxt->c->pool, ap_get_protocol(ctxt->c));
+    alpn_protos[pupgrades->nelts].size =
+        strlen((char*) alpn_protos[pupgrades->nelts].data);
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                  "%s: Adding current protocol %s to ALPN set.",
+                  __func__, alpn_protos[pupgrades->nelts].data);
+    gnutls_alpn_set_protocols(ctxt->session,
+                              alpn_protos,
+                              pupgrades->nelts,
+                              GNUTLS_ALPN_SERVER_PRECEDENCE);
+}
+/**
+ * Check if ALPN selected any protocol upgrade, try to switch if so.
+ */
+static int process_alpn_result(mgs_handle_t *ctxt)
+{
     int ret = 0;
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+    ctxt = gnutls_transport_get_ptr(session);
+    /* find the virtual server */
+    tsc = mgs_find_sni_server(session);
+    if (tsc != NULL) {
+        // Found a TLS vhost based on the SNI from the client; use it instead.
+        ctxt->sc = tsc;
+        }
+    gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode);
+    gnutls_datum_t alpn_proto;
+    ret = gnutls_alpn_get_selected_protocol(ctxt->session, &alpn_proto);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: No ALPN result: %s (%d)",
+                      __func__, gnutls_strerror(ret), ret);
+        return GNUTLS_E_SUCCESS;
+    }
+    apr_array_header_t *client_protos =
+        apr_array_make(ctxt->c->pool, 1, sizeof(char *));
+    /* apr_pstrndup to ensure that the protocol is null terminated */
+    APR_ARRAY_PUSH(client_protos, char *) =
+        apr_pstrndup(ctxt->c->pool, (char*) alpn_proto.data, alpn_proto.size);
+    const char *selected =
+        ap_select_protocol(ctxt->c, NULL, ctxt->sc->s, client_protos);
+    /* ap_select_protocol() will return NULL if none of the ALPN
+     * proposals matched. GnuTLS negotiated alpn_proto based on the
+     * list provided by the server, but the vhost might have changed
+     * based on SNI. Apache seems to adjust the proposal list to avoid
+     * such issues though.
+     *
+     * GnuTLS will return a fatal "no_application_protocol" alert as
+     * required by RFC 7301 if the post client hello function returns
+     * GNUTLS_E_NO_APPLICATION_PROTOCOL. */
+    if (!selected)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "%s: ap_select_protocol() returned NULL! Please "
+                      "make sure any overlapping vhosts have the same "
+                      "protocols available.",
+                      __func__);
+        return GNUTLS_E_NO_APPLICATION_PROTOCOL;
+    }
+    if (strcmp(selected, ap_get_protocol(ctxt->c)) == 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Already using protocol '%s', nothing to do.",
+                      __func__, selected);
+        return GNUTLS_E_SUCCESS;
+    }
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: Switching protocol to '%s' based on ALPN.",
+                  __func__, selected);
+    apr_status_t status = ap_switch_protocol(ctxt->c, NULL,
+                                             ctxt->sc->s,
+                                             selected);
+    if (status != APR_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, status, ctxt->c,
+                      "%s: Protocol switch to '%s' failed!",
+                      __func__, selected);
+        return GNUTLS_E_NO_APPLICATION_PROTOCOL;
+    }
+    /* ALPN done! */
+    return GNUTLS_E_SUCCESS;
+}
+/**
+ * (Re-)Load credentials and priorities for the connection. This is
+ * meant to be called after virtual host selection in the pre or post
+ * client hello hook.
+ */
+static int reload_session_credentials(mgs_handle_t *ctxt)
+{
+    int ret = 0;
+    gnutls_certificate_server_set_request(ctxt->session,
+                                          ctxt->sc->client_verify_mode);
     /* Set x509 credentials */
+    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
+    gnutls_credentials_set(ctxt->session,
+                           GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
     /* Set Anon credentials */
+    gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
+    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON,
+                           ctxt->sc->anon_creds);
 #ifdef ENABLE_SRP
         /* Set SRP credentials */
     if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
+        gnutls_credentials_set(session, GNUTLS_CRD_SRP, ctxt->sc->srp_creds);
+        gnutls_credentials_set(ctxt->session, GNUTLS_CRD_SRP,
+                               ctxt->sc->srp_creds);
+    }
 #endif
+    /* update the priorities - to avoid negotiating a ciphersuite that is not
+    /* Enable session tickets */
+    if (session_ticket_key.data != NULL &&
+        ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
+    {
+        ret = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                          "gnutls_session_ticket_enable_server failed: %s (%d)",
+                          gnutls_strerror(ret), ret);
+    }
+    /* Update the priorities - to avoid negotiating a ciphersuite that is not
      * enabled on this virtual server. Note that here we ignore the version
+     * negotiation.
+     */
+    ret = gnutls_priority_set(session, ctxt->sc->priorities);
+     * negotiation. */
+    ret = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
+    return ret;
+}
+/**
+ * Post client hello hook function for GnuTLS. This function has two
+ * purposes: Firstly, it acts as a fallback for early_sni_hook(), by
+ * parsing SNI and selecting a virtual host based on it if
+ * necessary. Secondly, it calls ALPN processing.
+ *
+ * @param session the TLS session
+ *
+ * @return zero or a GnuTLS error code, as required by GnuTLS hook
+ * definition
+ */
+static int post_client_hello_hook(gnutls_session_t session)
+{
+    int ret = 0;
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+    /* If ctxt->sni_name is set at this point the early_sni_hook()
+     * function ran, found an SNI server name, selected a virtual
+     * host, and set up credentials, so we don't need to do that
+     * again. Otherwise try again, to cover GnuTLS versions < 3.6.3
+     * and pick up future extensions to gnutls_server_name_get(). */
+    if (ctxt->sni_name == NULL)
+    {
+        /* try to find a virtual host */
+        mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+        if (tsc != NULL)
+        {
+            /* Found a TLS vhost based on the SNI, configure the
+             * connection context. */
+            ctxt->sc = tsc;
+        }
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Loading credentials in post client hello hook",
+                      __func__);
+        reload_session_credentials(ctxt);
+    }
+    ret = process_alpn_result(ctxt);
+    if (ret != GNUTLS_E_SUCCESS)
+        return ret;
     /* actually it shouldn't fail since we have checked at startup */
     return ret;
+}
 …
         *privkey = ctxt->sc->privkey_x509;
         return 0;
-    } else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
-                // OPENPGP CERTIFICATE
-        *pcerts = ctxt->sc->cert_pgp;
-        *pcert_length = 1;
-        *privkey = ctxt->sc->privkey_pgp;
-        return 0;
     } else {
                 // UNKNOWN CERTIFICATE
 …
+}
+/* Read the common name or the alternative name of the certificate.
+ * We only support a single name per certificate.
+ *
+ * Returns negative on error.
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+#define HAVE_KNOWN_DH_GROUPS 1
+#endif
+#ifdef HAVE_KNOWN_DH_GROUPS
+/**
+ * Try to estimate a GnuTLS security parameter based on the given
+ * private key. Any errors are logged.
+ *
+ * @param s The `server_rec` to use for logging
+ *
+ * @param key The private key to use
+ *
+ * @return `gnutls_sec_param_t` as returned by
+ * `gnutls_pk_bits_to_sec_param` for the key properties, or
+ * GNUTLS_SEC_PARAM_UNKNOWN in case of error
  */
+static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
+    int rv = 0;
+    size_t data_len;
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+    *cert_cn = NULL;
+    data_len = 0;
+    rv = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, NULL, &data_len);
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
+        *cert_cn = apr_palloc(p, data_len);
+        rv = gnutls_x509_crt_get_dn_by_oid(cert,
+                GNUTLS_OID_X520_COMMON_NAME,
+, 0, *cert_cn,
+                &data_len);
+    } else { /* No CN return subject alternative name */
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                "No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
+                s->server_hostname, s->port);
+        rv = 0;
+        /* read subject alternative name */
+        for (int i = 0; !(rv < 0); i++)
+        {
+            data_len = 0;
+            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
+                    NULL,
+                    &data_len,
+                    NULL);
+            if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
+                    && data_len > 1) {
+                /* FIXME: not very efficient. What if we have several alt names
+                 * before DNSName?
+                 */
+                *cert_cn = apr_palloc(p, data_len + 1);
+                rv = gnutls_x509_crt_get_subject_alt_name
+                        (cert, i, *cert_cn, &data_len, NULL);
+                (*cert_cn)[data_len] = 0;
+                if (rv == GNUTLS_SAN_DNSNAME)
+                    break;
+            }
+        }
+    }
+    return rv;
+}
+static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
+        gnutls_openpgp_crt_t cert, char **cert_cn) {
+    int rv = 0;
+    size_t data_len;
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+    *cert_cn = NULL;
+    data_len = 0;
+    rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
+        *cert_cn = apr_palloc(p, data_len);
+        rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
+                &data_len);
+    } else { /* No CN return subject alternative name */
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                "No name found in PGP certificate for '%s:%d'.",
+                s->server_hostname, s->port);
+    }
+    return rv;
+}
+int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog __attribute__((unused)), apr_pool_t * ptemp __attribute__((unused)), server_rec * base_server) {
+static gnutls_sec_param_t sec_param_from_privkey(server_rec *server,
+                                                 gnutls_privkey_t key)
+{
+    unsigned int bits = 0;
+    int pk_algo = gnutls_privkey_get_pk_algorithm(key, &bits);
+    if (pk_algo < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
+                     "%s: Could not get private key parameters: %s (%d)",
+                     __func__, gnutls_strerror(pk_algo), pk_algo);
+        return GNUTLS_SEC_PARAM_UNKNOWN;
+    }
+    return gnutls_pk_bits_to_sec_param(pk_algo, bits);
+}
+#else
+/** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
+ * the default DH group if mod_gnutls is compiled agains a GnuTLS
+ * version that does not provide known DH groups based on security
+ * parameters (before 3.5.6). */
+static const char FFDHE2048_PKCS3[] =
+    "-----BEGIN DH PARAMETERS-----\n"
+    "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+    "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+    "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+    "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+    "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+    "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
+    "-----END DH PARAMETERS-----\n";
+const gnutls_datum_t default_dh_params = {
+    (void *) FFDHE2048_PKCS3,
+    sizeof(FFDHE2048_PKCS3)
+};
+#endif
+/**
+ * Configure the default DH groups to use for the given server. When
+ * compiled against GnuTLS version 3.5.6 or newer the known DH group
+ * matching the GnuTLS security parameter estimated from the private
+ * key is used. Otherwise the ffdhe2048 DH group as defined in RFC
+ * 7919, Appendix A.1 is the default.
+ *
+ * @param server the host to configure
+ *
+ * @return `OK` on success, `HTTP_UNAUTHORIZED` otherwise
+ */
+static int set_default_dh_param(server_rec *server)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(server->module_config, &gnutls_module);
+#ifdef HAVE_KNOWN_DH_GROUPS
+    gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
+    if (sc->privkey_x509)
+    {
+        seclevel = sec_param_from_privkey(server, sc->privkey_x509);
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, server,
+                     "%s: GnuTLS security param estimated based on "
+                     "private key '%s': %s",
+                     __func__, sc->x509_key_file,
+                     gnutls_sec_param_get_name(seclevel));
+    }
+    if (seclevel == GNUTLS_SEC_PARAM_UNKNOWN)
+        seclevel = GNUTLS_SEC_PARAM_MEDIUM;
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                 "%s: Setting DH params for security level '%s'.",
+                 __func__, gnutls_sec_param_get_name(seclevel));
+    int ret = gnutls_certificate_set_known_dh_params(sc->certs, seclevel);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
+                     "%s: setting known DH params failed: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    ret = gnutls_anon_set_server_known_dh_params(sc->anon_creds, seclevel);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
+                     "%s: setting known DH params failed: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+#else
+    int ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "%s: Failed to initialize DH params structure: "
+                     "%s (%d)", __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
+                                        GNUTLS_X509_FMT_PEM);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "%s: Failed to import default DH params: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
+    gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
+#endif
+    return OK;
+}
+/**
+ * Post config hook.
+ *
+ * Must return OK or DECLINED on success, something else on
+ * error. These codes are defined in Apache httpd.h along with the
+ * HTTP status codes, so I'm going to use HTTP error codes both for
+ * fun (and to avoid conflicts).
+ */
+int mgs_hook_post_config(apr_pool_t *pconf,
+                         apr_pool_t *plog __attribute__((unused)),
+                         apr_pool_t *ptemp,
+                         server_rec *base_server)
+{
     int rv;
     server_rec *s;
-    gnutls_dh_params_t dh_params = NULL;
     mgs_srvconf_rec *sc;
     mgs_srvconf_rec *sc_base;
 …
+    rv = mgs_cache_post_config(p, s, sc_base);
+    if (rv != 0) {
+    rv = mgs_cache_post_config(pconf, ptemp, s, sc_base);
+    if (rv != APR_SUCCESS)
+    {
         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
+                "GnuTLS: Post Config for GnuTLSCache Failed."
+                " Shutting Down.");
+        exit(-1);
+                     "Post config for cache failed.");
+        return HTTP_INSUFFICIENT_STORAGE;
+    }
+    if (sc_base->ocsp_mutex == NULL)
+    {
+        rv = ap_global_mutex_create(&sc_base->ocsp_mutex, NULL,
+                                    MGS_OCSP_MUTEX_NAME, NULL,
+                                    base_server, pconf, 0);
+        if (rv != APR_SUCCESS)
+            return rv;
+    }
 …
                 rv = gnutls_pkcs11_add_provider(p11_module, NULL);
                 if (rv != GNUTLS_E_SUCCESS)
                     ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EGENERAL, s,
                                  "GnuTLS: Loading PKCS #11 provider module %s "
                                  "failed: %s (%d).",
                                  p11_module, gnutls_strerror(rv), rv);
+                else
+                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                 "%s: PKCS #11 provider module %s loaded.",
+                                 __func__, p11_module);
+            }
+        }
+    }
+    for (s = base_server; s; s = s->next) {
+    sc_base->singleton_wd =
+        mgs_new_singleton_watchdog(base_server, MGS_SINGLETON_WATCHDOG, pconf);
+    for (s = base_server; s; s = s->next)
+    {
         sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
+        sc->cache_type = sc_base->cache_type;
+        sc->cache_config = sc_base->cache_config;
+        sc->cache_timeout = sc_base->cache_timeout;
+        rv = mgs_load_files(p, s);
+        if (rv != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                "GnuTLS: Loading required files failed."
+                " Shutting Down.");
+            exit(-1);
+        }
+        sc->s = s;
+        sc->cache_enable = sc_base->cache_enable;
+        sc->cache = sc_base->cache;
+        if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
+            sc->cache_timeout = sc_base->cache_timeout;
+        sc->ocsp_cache = sc_base->ocsp_cache;
+        sc->singleton_wd = sc_base->singleton_wd;
         /* defaults for unset values: */
 …
             sc->enabled = GNUTLS_ENABLED_FALSE;
         if (sc->tickets == GNUTLS_ENABLED_UNSET)
+            sc->tickets = GNUTLS_ENABLED_TRUE;
+        {
+            /* GnuTLS 3.6.4 introduced automatic master key rotation */
+            if (gnutls_check_version_numeric(3, 6, 4))
+                sc->tickets = GNUTLS_ENABLED_TRUE;
+            else
+                sc->tickets = GNUTLS_ENABLED_FALSE;
+        }
         if (sc->export_certificates_size < 0)
             sc->export_certificates_size = 0;
 …
             sc->client_verify_method = mgs_cvm_cartel;
+        // TODO: None of the stuff below needs to be done if
+        // sc->enabled == GNUTLS_ENABLED_FALSE, we could just continue
+        // to the next host.
+        /* Load certificates and stuff (includes parsing priority) */
+        rv = mgs_load_files(pconf, ptemp, s);
+        if (rv != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "%s: Loading credentials failed!", __func__);
+            return HTTP_NOT_FOUND;
+        }
+        sc->ocsp_mutex = sc_base->ocsp_mutex;
+        /* init OCSP configuration unless explicitly disabled */
+        if (sc->enabled && sc->ocsp_staple != GNUTLS_ENABLED_FALSE)
+        {
+            const char *err = mgs_ocsp_configure_stapling(pconf, ptemp, s);
+            if (err != NULL)
+            {
+                /* If OCSP stapling is enabled only by default ignore
+                 * error and disable stapling */
+                if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
+                {
+                    ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+                                 "Cannnot enable OCSP stapling for "
+                                 "host '%s:%d': %s",
+                                 s->server_hostname, s->addrs->host_port, err);
+                    sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+                }
+                /* If OCSP stapling is explicitly enabled this is a
+                 * critical error. */
+                else
+                {
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, s,
+                                 "OCSP stapling configuration failed for "
+                                 "host '%s:%d': %s",
+                                 s->server_hostname, s->addrs->host_port, err);
+                    return HTTP_INTERNAL_SERVER_ERROR;
+                }
+            }
+            else
+            {
+                /* Might already be set */
+                sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
+                /* Set up stapling */
+                rv = mgs_ocsp_enable_stapling(pconf, ptemp, s);
+                if (rv != OK && rv != DECLINED)
+                    return rv;
+            }
+        }
         /* Check if the priorities have been set */
         if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                    "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
+                    s->server_hostname, s->port);
+            exit(-1);
+        }
+        /* Check if DH params have been set per host */
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                         "No GnuTLSPriorities directive for host '%s:%d', "
+                         "using default '%s'.",
+                         s->server_hostname, s->addrs->host_port,
+                         MGS_DEFAULT_PRIORITY);
+            sc->priorities = mgs_get_default_prio();
+        }
+        /* Set host DH params from user configuration or defaults */
         if (sc->dh_params != NULL) {
             gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
             gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
+        } else if (dh_params) {
+            gnutls_certificate_set_dh_params(sc->certs, dh_params);
+            gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
+        } else {
+            rv = set_default_dh_param(s);
+            if (rv != OK)
+                return rv;
+        }
 …
         if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
             sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            sc->enabled == GNUTLS_ENABLED_TRUE) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "GnuTLS: Host '%s:%d' is missing a Certificate File!",
                                                 s->server_hostname, s->port);
             exit(-1);
+                                                s->server_hostname, s->addrs->host_port);
+            return HTTP_UNAUTHORIZED;
+        }
         if (sc->enabled == GNUTLS_ENABLED_TRUE &&
             ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
              (sc->cert_crt_pgp[0] != NULL && sc->privkey_pgp == NULL))) {
+            (sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL))
+        {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "GnuTLS: Host '%s:%d' is missing a Private Key File!",
+                                                s->server_hostname, s->port);
+            exit(-1);
+        }
+        if (sc->enabled == GNUTLS_ENABLED_TRUE) {
+            rv = -1;
+            if (sc->certs_x509_chain_num > 0) {
+                rv = read_crt_cn(s, p, sc->certs_x509_crt_chain[0], &sc->cert_cn);
+            }
+            if (rv < 0 && sc->cert_pgp != NULL) {
+                rv = read_pgpcrt_cn(s, p, sc->cert_crt_pgp[0], &sc->cert_cn);
+                        }
+            if (rv < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                                                        "GnuTLS: Cannot find a certificate for host '%s:%d'!",
+                                                        s->server_hostname, s->port);
+                sc->cert_cn = NULL;
+                continue;
+            }
+                                                s->server_hostname, s->addrs->host_port);
+            return HTTP_UNAUTHORIZED;
+        }
         if (sc->enabled == GNUTLS_ENABLED_TRUE
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE
             && load_proxy_x509_credentials(s) != APR_SUCCESS)
+            && load_proxy_x509_credentials(pconf, ptemp, s) != APR_SUCCESS)
+        {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "%s: loading proxy credentials for host "
                          "'%s:%d' failed, exiting!",
                          __func__, s->server_hostname, s->port);
             exit(-1);
+        }
+    }
     ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
+                         __func__, s->server_hostname, s->addrs->host_port);
+            return HTTP_PROXY_AUTHENTICATION_REQUIRED;
+        }
+    }
+    ap_add_version_component(pconf, "mod_gnutls/" MOD_GNUTLS_VERSION);
+    {
         const char* libvers = gnutls_check_version(NULL);
         char* gnutls_version = NULL;
         if(libvers && (gnutls_version = apr_psprintf(p, "GnuTLS/%s", libvers))) {
             ap_add_version_component(p, gnutls_version);
+        if(libvers && (gnutls_version = apr_psprintf(pconf, "GnuTLS/%s", libvers))) {
+            ap_add_version_component(pconf, gnutls_version);
         } else {
             // In case we could not create the above string go for the static version instead
             ap_add_version_component(p, "GnuTLS/" GNUTLS_VERSION "-static");
+            ap_add_version_component(pconf, "GnuTLS/" GNUTLS_VERSION "-static");
+        }
+    }
 …
+}
+void mgs_hook_child_init(apr_pool_t * p, server_rec *s) {
+void mgs_hook_child_init(apr_pool_t *p, server_rec *s)
+{
     apr_status_t rv = APR_SUCCESS;
     mgs_srvconf_rec *sc =
         (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     /* if we use PKCS #11 reinitialize it */
     if (mgs_pkcs11_reinit(s) < 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
 …
+    }
+    if (sc->cache_type != mgs_cache_none) {
+        rv = mgs_cache_child_init(p, s, sc);
+        if (rv != APR_SUCCESS) {
+    if (sc->cache_enable == GNUTLS_ENABLED_TRUE)
+    {
+        rv = mgs_cache_child_init(p, s, sc->cache, MGS_CACHE_MUTEX_NAME);
+        if (rv != APR_SUCCESS)
             ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                    "GnuTLS: Failed to run Cache Init");
+        }
+    }
+                    "Child init for session cache failed!");
+    }
+    if (sc->ocsp_cache != NULL)
+    {
+        rv = mgs_cache_child_init(p, s, sc->ocsp_cache,
+                                  MGS_OCSP_CACHE_MUTEX_NAME);
+        if (rv != APR_SUCCESS)
+            ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                    "Child init for OCSP cache failed!");
+    }
+    /* reinit OCSP request mutex */
+    const char *lockfile = apr_global_mutex_lockfile(sc->ocsp_mutex);
+    rv = apr_global_mutex_child_init(&sc->ocsp_mutex, lockfile, p);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                     "Failed to reinit mutex '" MGS_OCSP_MUTEX_NAME "'.");
     /* Block SIGPIPE Signals */
     rv = apr_signal_block(SIGPIPE);
 …
+}
+#define MAX_HOST_LEN 255
+#if USING_2_1_RECENT
 typedef struct {
 …
  * @param x vhost callback record
  * @param s server record
+ * @param tsc mod_gnutls server data for `s`
+ *
  * @return true if a match, false otherwise
+ *
  */
+int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc) {
+        apr_array_header_t *names;
+        int rv = 0;
+        char ** name;
+        /* Check ServerName First! */
+        if(apr_strnatcasecmp(x->sni_name, s->server_hostname) == 0) {
+                // We have a match, save this server configuration
+                x->sc = tsc;
+                rv = 1;
+        /* Check any ServerAlias directives */
+        } else if(s->names->nelts) {
+                names = s->names;
+                name = (char **)names->elts;
+                for (int i = 0; i < names->nelts; ++i)
+int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc)
+{
+    apr_array_header_t *names;
+    int rv = 0;
+    char ** name;
+    /* Check ServerName First! */
+    if (strcasecmp(x->sni_name, s->server_hostname) == 0) {
+        // We have a match, save this server configuration
+        x->sc = tsc;
+        rv = 1;
+        /* Check any ServerAlias directives */
+    } else if(s->names->nelts) {
+        names = s->names;
+        name = (char **) names->elts;
+        for (int i = 0; i < names->nelts; ++i)
+        {
+                        if (!name[i]) { continue; }
+                                if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
+                                        // We have a match, save this server configuration
+                                        x->sc = tsc;
+                                        rv = 1;
+                        }
+                }
+        /* Wild any ServerAlias Directives */
+        } else if(s->wild_names->nelts) {
+                names = s->wild_names;
+        name = (char **)names->elts;
+                for (int i = 0; i < names->nelts; ++i)
+            if (!name[i])
+                continue;
+            if (strcasecmp(x->sni_name, name[i]) == 0)
+            {
+                // We have a match, save this server configuration
+                x->sc = tsc;
+                rv = 1;
+            }
+        }
+        /* ServerAlias directives may contain wildcards, check those last. */
+    } else if(s->wild_names->nelts) {
+        names = s->wild_names;
+        name = (char **) names->elts;
+        for (int i = 0; i < names->nelts; ++i)
+        {
+                        if (!name[i]) { continue; }
+                                if(apr_fnmatch(name[i], x->sni_name ,
+                                                                APR_FNM_CASE_BLIND|
+                                                                APR_FNM_PERIOD|
+                                                                APR_FNM_PATHNAME|
+                                                                APR_FNM_NOESCAPE) == APR_SUCCESS) {
+                                x->sc = tsc;
+                                rv = 1;
+                        }
+                }
+        }
+        return rv;
+}
+static int vhost_cb(void *baton, conn_rec * conn __attribute__((unused)), server_rec * s) {
+            if (!name[i])
+                continue;
+            if (ap_strcasecmp_match(x->sni_name, name[i]) == 0)
+            {
+                x->sc = tsc;
+                rv = 1;
+            }
+        }
+    }
+    return rv;
+}
+static int vhost_cb(void *baton, conn_rec *conn, server_rec * s)
+{
     mgs_srvconf_rec *tsc;
     vhost_cb_rec *x = baton;
 …
             &gnutls_module);
     if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) {
+    if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
         return 0;
+    }
 …
         ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_crt_chain[0], s->server_hostname);
         if (0 == ret)
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                          "GnuTLS: the certificate doesn't match requested hostname "
                          "'%s'", s->server_hostname);
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+                          "GnuTLS: the certificate doesn't match requested "
+                          "hostname '%s'", s->server_hostname);
     } else {
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "GnuTLS: SNI request for '%s' but no X.509 certs available at all",
+                     s->server_hostname);
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn,
+                      "GnuTLS: SNI request for '%s' but no X.509 certs "
+                      "available at all",
+                      s->server_hostname);
+    }
         return check_server_aliases(x, s, tsc);
+}
+#endif
+mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
+/**
+ * Get SNI data from GnuTLS (if any) and search for a matching virtual
+ * host configuration. This method is called from the post client
+ * hello function.
+ *
+ * @param ctxt the mod_gnutls connection handle
+ *
+ * @return either the matching mod_gnutls server config, or `NULL`
+ */
+mgs_srvconf_rec *mgs_find_sni_server(mgs_handle_t *ctxt)
+{
+    int rv;
+    unsigned int sni_type;
+    size_t data_len = MAX_HOST_LEN;
+    char sni_name[MAX_HOST_LEN];
+    mgs_handle_t *ctxt;
+#if USING_2_1_RECENT
+    vhost_cb_rec cbx;
+#else
+    server_rec *s;
+    mgs_srvconf_rec *tsc;
+#endif
+    if (session == NULL)
+        return NULL;
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+    ctxt = gnutls_transport_get_ptr(session);
+    rv = gnutls_server_name_get(ctxt->session, sni_name,
+            &data_len, &sni_type, 0);
+    if (rv != 0) {
+        return NULL;
+    }
+    if (sni_type != GNUTLS_NAME_DNS) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
+                ctxt->c->base_server,
+                "GnuTLS: Unknown type '%d' for SNI: "
+                "'%s'", sni_type, sni_name);
+        return NULL;
+    }
+    /**
+     * Code in the Core already sets up the c->base_server as the base
+     * for this IP/Port combo.  Trust that the core did the 'right' thing.
+     */
+#if USING_2_1_RECENT
+    cbx.ctxt = ctxt;
+    cbx.sc = NULL;
+    cbx.sni_name = sni_name;
+    rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
+    if (ctxt->sni_name == NULL)
+    {
+        const char *sni_name = mgs_server_name_get(ctxt);
+        if (sni_name != NULL)
+            ctxt->sni_name = sni_name;
+        else
+            return NULL;
+    }
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                  "%s: client requested server '%s'.",
+                  __func__, ctxt->sni_name);
+    /* Search for vhosts matching connection parameters and the
+     * SNI. If a match is found, cbx.sc will contain the mod_gnutls
+     * server config for the vhost. */
+    vhost_cb_rec cbx = {
+        .ctxt = ctxt,
+        .sc = NULL,
+        .sni_name = ctxt->sni_name
+    };
+    int rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
     if (rv == 1) {
         return cbx.sc;
+    }
+#else
+    for (s = ap_server_conf; s; s = s->next) {
+        tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                       &gnutls_module);
+        if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; }
+        if(check_server_aliases(x, s, tsc)) {
+            return tsc;
+        }
+    }
+    return NULL;
+}
+#ifdef ENABLE_EARLY_SNI
+/**
+ * Pre client hello hook function for GnuTLS that implements early SNI
+ * processing using `gnutls_ext_raw_parse()` (available since GnuTLS