* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCompression): Fail if
enabled *and* if OpenSSL does not make any compression methods
available. Tweak wording for failure without SSL_OP_NO_COMPRESSION.
Submitted by: jorton
Reviewed by: jorton, jim, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1823625 13f79535-47bb-0310-9956-ffa450edef68
config: allow specifying flags when registering modules.
First one is AP_MODULE_FLAG_ALWAYS_MERGE.
mod_ssl: follow up to r1809302.
Make use of AP_MODULE_FLAG_ALWAYS_MERGE.
config: follow up to r1809302.
We need to check that the module itself is at the right version.
config: follow up to r1809302.
Provide a convenient function to get module flags, and remove useless
AP_MODULE_HAS_FLAGS checks in the core, core's version is at current MMN.
config: follow up to r1809302.
Associate ap_get_module_flags() to MMN bump.
On the trunk:
mod_ssl: make use of the new module flag.
Submitted by: ylavic, icing
Reviewed by: icing, ylavic, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1821071 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: return a non-ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Reported/Proposed by: oknet on github, pull request #18.
Reviewed by: jorton, ylavic, wrowe
[Closes#18]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811742 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP
is defined. PR 61206.
Submitted by: Michael Schlenker <msc contact.de>
mod_ssl, ab: compatibility with LibreSSL. PR 61184.
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
Follow up to r1803396: CHANGES entry.
Reviewed by: ylavic, jim, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1807734 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
Merge r1796343 from trunk:
mod_ssl: fix ctx passed to ssl_io_filter_error()
Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().
Submitted by: ylavic, covener
Reviewed by: covener, ylavic, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
Save a few bytes in the conf pool.
'push_item' and 'add_alt' already duplicate their parameters, so we can safely use the temp_pool here.
Use 'ap_cstr_casecmp' to simplify code.
Remove useless case. We know that 'to' cannot be NULL at this point.
Follow up to r1772812: update APLOGNO().
* modules/ssl/ssl_engine_kernel.c: Constify the ssl_hook_Fixup_vars array itself.
winnt/service: each log message should use its own APLOGNO.
Submitted by: jailletc36, ylavic, jorton, ylavic
Reviewed by: jailletc36, covener, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1793466 13f79535-47bb-0310-9956-ffa450edef68
allow building with OpenSSL 1.1.0
ab.c (abs)
----------
applink.c has been moved in this version of OpenSSL
dsw/dsp
-------
use srclib\apr\build\cvtdsp.pl -ossl11
from apr-1.6.x
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1790999 13f79535-47bb-0310-9956-ffa450edef68
Add Configuration for trusted OCSP responder certificates
Fix for PR 46037
Add back the file I removed in r1781575.
Add missing documentation for r1781575
Fix for PR 46037
Remove unused variable
Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.
Submitted by: jfclere, druggeri, wrowe
Reviewed by: jfclere, jim, ylavic
Merge r1788430 from trunk:
mod_ssl: follow up to r1781575
Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.
Submitted by: ylavic
Reviewed by: jfclere, jim, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1789970 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: work around leaks on (graceful) restart.
Tested with valgrind and --with-ssl shared/static.
mod_ssl: follow up to r1781187.
The ssl_util_thread_*() functions are not necessary with openssl-1.1+
mod_ssl: follow up to r1781187.
Address SSL_CTX leak in (merged) proxy_ctx.
Reviewed by: ylavic, jim, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1788442 13f79535-47bb-0310-9956-ffa450edef68
Silence compiler warning:
"686: warning: 'ok' may be used uninitialized in
this function"
This is a false positive, because the value of "ok"
will only be used if stapling_get_cached_response()
sets "rsp" to non-NULL in which case it will always
have set "ok".
Submitted by: rjung
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1775826 13f79535-47bb-0310-9956-ffa450edef68
Follow-up to r1702948:
APR_HAVE_foo is checked via #if, not #ifdef (since it should always be
defined, to either 0 or 1)
This fixes a compile error on Windows introduced by r1702948
as well as straightens up two long-time glitches.
Submitted by: trawick
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1774626 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Fix quick renegotiation (OptRenegotiate) with no intermediate
in the client certificate chain. PR 55786.
This is done by handling an empty cert chain as no/NULL chain.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770838 13f79535-47bb-0310-9956-ffa450edef68
ssl: clear the error queue before SSL_read/write/accept()
If other modules or libraries do not clear the OpenSSL error queue after
a failed operation, other code that relies on SSL_get_error() -- in
particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will
malfunction later on. To prevent this, explicitly clear the error queue
before calls like SSL_read/write/accept().
PR: 60223
Submitted by: Paul Spangler <paul.spangler ni.com>
Submitted by: jchampion
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770673 13f79535-47bb-0310-9956-ffa450edef68
to opt-in previous behaviour (2.2) with CRLs verification when checking
certificate(s) with no corresponding CRL.
Submitted by: ylavic
Reviewed by: icing, minfrin
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748338 13f79535-47bb-0310-9956-ffa450edef68
such that disabling either disables both, and that enabling either will
trigger the more comprehensive SSLProxyCheckPeerName behavior.
Only a single configuration remains to enable the legacy behavior, which
is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.
Changes to the proxy config directives lead us to a different 2.4 fix...
https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch
Backports: 1746647
Reviewed by: wrowe, icing, rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1747069 13f79535-47bb-0310-9956-ffa450edef68
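The peer-name semantics described in the commit message above, as an added example configuration (not from the commit or the httpd tree). Hostnames and file paths are placeholders; SSLProxyVerify, SSLProxyVerifyDepth and SSLProxyCACertificateFile are standard mod_ssl directives that the message does not mention but that a name check is pointless without, since an unauthenticated backend certificate can carry any name.

```apache
# Added example: reverse proxy to an HTTPS backend whose certificate is
# both authenticated against a CA and checked against the backend name.
SSLProxyEngine            on
SSLProxyVerify            require
SSLProxyVerifyDepth       2
# placeholder path
SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem

# Default after this change: enabling either directive gives the more
# comprehensive SSLProxyCheckPeerName behaviour, i.e. the host part of the
# ProxyPass URL must appear in the backend certificate (SAN, or CN).
SSLProxyCheckPeerName     on
SSLProxyCheckPeerCN       on

ProxyPass        /app/ https://backend.internal.example/
ProxyPassReverse /app/ https://backend.internal.example/

# The single remaining way to get the legacy CN-only matching:
#   SSLProxyCheckPeerName off
#   SSLProxyCheckPeerCN   on

# Disabling either directive disables both, so a lone
#   SSLProxyCheckPeerCN off
# now means no name check at all: the backend is authenticated as
# "some certificate the CA issued", not as the host you meant to reach.
```

Run `apachectl configtest` after changing these: unlike most mod_ssl directives, the proxy peer checks fail the connection at request time, not at startup, so a misconfiguration shows up only in the error log as a 502 with an SSL verification message.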
compilation on win32 (haven't worked out the clean patch
to apr/build/fixwin32mak.pl for this, yet).
This caused no issues in the 2.4.20 package, and does not
block a release.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1738140 13f79535-47bb-0310-9956-ffa450edef68
Going forwards, keep win32 build in svn once a tree is stable.
Visual Studio 2010 users cannot convert our .dsp files, and
ddk toolchain users couldn't either.
Applies the same logic as r1100294 on the 2.2.x branch.
Until the cmake build schema is entirely mature, these files
are needed for command-line builds of the 2.4 tree, and are
expected to change very little until the EOL of 2.4 branch.
The .dsp source files are not directly usable for any shipping
version of MSVC/Visual Studio (post-Visual Studio 97 release),
while the .mak exports of these projects are usable on any flavor
of the MS nmake build environment. The .dsp source files are
retained for those users wishing to import these projects into
the modern vcproj/sln file format.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1736270 13f79535-47bb-0310-9956-ffa450edef68
mod_authz_host: add a new "forward-dns" authorization type
This new type does not rely on reverse DNS lookups.
Submitted by: fabien
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735947 13f79535-47bb-0310-9956-ffa450edef68
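The difference between the existing host-based rule and the new forward-dns type, as an added example configuration (not from the commit). Paths, hostnames and the address range are placeholders.

```apache
# Added example: restricting a directory to clients coming from one host.
<Directory "/srv/www/ops">
    # Legacy form: the client IP is resolved to a name through reverse DNS
    # (and checked forward again) on every request. A client whose address
    # has no PTR record is denied, and the decision depends on whoever
    # controls the reverse zone of the client's network.
    #   Require host ops-jump.example.com

    # forward-dns: the configured name is resolved to its addresses and the
    # client IP must be one of them. No reverse lookup is involved, so only
    # the forward zone of the name you configured matters.
    Require forward-dns ops-jump.example.com
</Directory>

# A DNS outage turns a forward-dns rule into a blanket deny; pairing it with
# a static address rule keeps a known range reachable.
<Directory "/srv/www/ops-break-glass">
    <RequireAny>
        Require ip 192.0.2.0/24
        Require forward-dns ops-jump.example.com
    </RequireAny>
</Directory>
```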
mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling. See
mod_ssl_openssl.h.
This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.
Initialize post_handshake_rc for case where a failure has
already occurred (doesn't change execution but avoids warning
with some levels of gcc).
Pointed out by: kbrand
Submitted by: trawick
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735886 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Free dhparams when getting DH params. This fixes issue when
SSLCryptoDevice does not get unregistered because of non-zero refcount
during the mod_ssl unload happening on httpd startup.
mod_ssl: follow up to r1720129.
Free ecparams read from certificate file(s) on startup.
Follow up to r1720129 and r1723295: CHANGES entry.
Rephrase r1733088 since leaking means horrible things in cryptography.
This is not a security fix :p
Submitted by: jkaluza, ylavic, ylavic, ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735770 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if
the SSLVerifyDepth applied with the default/handshaken vhost differs from
the one applicable with the finally selected vhost.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733476 13f79535-47bb-0310-9956-ffa450edef68
hostname: Test and log useragent_host per-request across various modules,
including the scoreboard, expression and rewrite engines, setenvif,
authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
PR55348 [William Rowe]
This is the complete change set which applies cleanly to 2.4.x as well,
the server/scoreboard.c will follow, which does not apply due to drift.
A rather ugly patch since the code was refactored recently to exclude
the simple patch for 2.4.x, illustrated below.
Completes the changeset r1729930 and resolves all 2.4.19-dev corrections,
but other 2.5.0-dev specific changes may still be needed on trunk.
--- server/scoreboard.c (revision 1729907)
+++ server/scoreboard.c (working copy)
@@ -491,9 +491,8 @@
ws->conn_bytes = 0;
}
if (r) {
- const char *client = ap_get_remote_host(c, r->per_dir_config,
- REMOTE_NOLOOKUP, NULL);
- if (!client || !strcmp(client, c->client_ip)) {
+ const char *client;
+ if (!(client = ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL))) {
apr_cpystrn(ws->client, r->useragent_ip, sizeof(ws->client));
}
else {
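Review bot: the new condition drops the `!strcmp(client, c->client_ip)` test that the removed lines used to treat an IP-string result as "no hostname"; with REMOTE_NOLOOKUP the old ap_get_remote_host() path returned the client IP rather than NULL when no name was known, so unless ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL) returns NULL in that case, the (unshown) else branch now receives the IP string instead of the `if` branch copying r->useragent_ip. If both paths end up writing an address into ws->client the result is the same, but a one-line comment stating that assumption would save the next reader the same question. Minor style point: splitting the assignment out of the condition, `client = ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL); if (!client) {`, reads more clearly and matches the surrounding code.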
Submitted by: wrowe
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733282 13f79535-47bb-0310-9956-ffa450edef68
* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.
Documentation to follow.
* Change entry and documentation for SSLOCSPProxyURL
Submitted by: rpluem
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733066 13f79535-47bb-0310-9956-ffa450edef68
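The OCSP-related directives from the two commits above (trusted responder certificates and SSLOCSPNoVerify from r1781575/r1788430, SSLOCSPProxyURL from this one) put together in one client-certificate configuration, as an added example that is not from the commits or the httpd tree. File paths and hostnames are placeholders; SSLOCSPResponderCertificateFile is the directive name the 2.4.26 documentation gives the "trusted OCSP responder certificates" feature, and SSLOCSPEnable/SSLOCSPResponderTimeout are standard mod_ssl directives the messages do not mention.

```apache
# Added example: client certificate authentication with OCSP revocation
# checking, responder trust anchors and an outbound proxy for the queries.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/private/www.example.com-chain.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    # Ask the issuer's OCSP responder about every certificate in the chain;
    # a "revoked" answer or an unreachable responder fails the handshake.
    SSLOCSPEnable           on
    SSLOCSPResponderTimeout 5

    # Responder certificates to trust in addition to the issuing CA, for
    # responders that are not signed by the CA whose certificates they vouch
    # for (a delegated or outsourced responder).
    SSLOCSPResponderCertificateFile /etc/ssl/certs/ocsp-responders.pem

    # Send the OCSP HTTP requests through an egress proxy instead of
    # letting the TLS terminator reach the Internet directly.
    SSLOCSPProxyURL http://proxy.internal.example:3128/

    # Do NOT enable this outside an isolated test with a pinned responder:
    # it skips validation of the responder certificate, so a response
    # signed by any key the attacker supplies alongside it is accepted.
    #   SSLOCSPNoVerify on
</VirtualHost>
```

If you must use SSLOCSPNoVerify at all, keep SSLOCSPResponderCertificateFile pointing at exactly the responder certificates you expect, so the trust decision rests on that pinned file rather than on whatever certificate arrives inside the OCSP response.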
Added many log numbers to log statements that
had none.
Those were not detected by the coccinelle script.
Submitted by: rjung
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1731085 13f79535-47bb-0310-9956-ffa450edef68
detected by coccinelle).
There are some more but they are easier to
backport once these here are applied.
Backport of r1725392, r1725394, r1725395
and r1725468 from trunk.
Submitted by: rjung
Reviewed by: jim, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729495 13f79535-47bb-0310-9956-ffa450edef68