SSLCertificateChainFile support

Like kerberos auth, this works around non-SSL vhosts by printing a
warning and ignore the directive.

diff --git a/lib/apache.dtl b/lib/apache.dtl
index 8b7051c..98dca55 100644 (file)
--- a/lib/apache.dtl
+++ b/lib/apache.dtl
@@ -26,6 +26,9 @@ For others, it has only one value, [true].}}
 extern type ssl_cert_path;
 {{Filesystem path to an SSL certificate in your 'cert' list}}
 
 extern type ssl_cert_path;
 {{Filesystem path to an SSL certificate in your 'cert' list}}
 

+extern type ssl_cacert_path;
+{{Filesystem path to an intermediate CA certificate in your 'cacert' list}}
+

 extern type ssl;
 extern val no_ssl : ssl;
 extern val use_cert : ssl_cert_path -> ssl;
 extern type ssl;
 extern val no_ssl : ssl;
 extern val use_cert : ssl_cert_path -> ssl;


@@ -87,3 +90,7 @@ extern val serverAliasDefault : [Vhost];
   instead of any of their hosts/"subdomains".}}
 
 extern val testNoHtaccess : [Location];
   instead of any of their hosts/"subdomains".}}
 
 extern val testNoHtaccess : [Location];

+
+extern val sslCertificateChainFile : ssl_cacert_path -> [Vhost];
+{{Intermediate file to serve as part of the chain of authority for
+  your ssl certificate}}
\ No newline at end of file

diff --git a/src/plugins/apache.sml b/src/plugins/apache.sml
index b5edd64..d53d687 100644 (file)
--- a/src/plugins/apache.sml
+++ b/src/plugins/apache.sml
@@ -118,10 +118,18 @@ fun validCert s = Acl.query {user = Domain.getUser (),
                             class = "cert",
                             value = s}
 
                             class = "cert",
                             value = s}
 

+fun validCaCert s = Acl.query {user = Domain.getUser (),
+                              class = "cacert",
+                              value = s}
+

 val _ = Env.type_one "ssl_cert_path"
        Env.string
        validCert
 
 val _ = Env.type_one "ssl_cert_path"
        Env.string
        validCert
 

+val _ = Env.type_one "ssl_cacert_path"
+       Env.string
+       validCaCert
+

 fun ssl e = case e of
                (EVar "no_ssl", _) => SOME NONE
              | (EApp ((EVar "use_cert", _), s), _) => Option.map SOME (Env.string s)
 fun ssl e = case e of
                (EVar "no_ssl", _) => SOME NONE
              | (EApp ((EVar "use_cert", _), s), _) => Option.map SOME (Env.string s)


@@ -1127,6 +1135,16 @@ val () = Env.action_two "addOutputFilter"
              write "\n")
           | _ => ())
 
              write "\n")
           | _ => ())
 

+val () = Env.action_one "sslCertificateChainFile"
+        ("ssl_cacert_path", Env.string)
+        (fn cacert =>
+            if !sslEnabled then
+                (write "\tSSLCertificateChainFile \"";
+                 write cacert;
+                 write "\"\n")
+            else
+                print "WARNING: Skipped sslCertificateChainFile because this isn't an SSL vhost.\n")
+

 val () = Domain.registerResetLocal (fn () =>
                                       ignore (OS.Process.system (Config.rm ^ " -rf /var/domtool/vhosts/*")))
 
 val () = Domain.registerResetLocal (fn () =>
                                       ignore (OS.Process.system (Config.rm ^ " -rf /var/domtool/vhosts/*")))