Commit Graph

1210 Commits

Author SHA1 Message Date
3bfd026116 Win32-specific build files.
Going forwards, keep win32 build in svn once a tree is stable.
Visual Studio 2010 users cannot convert our .dsp files, and
ddk toolchain users couldn't either.

Applies the same logic as r1100294 on the 2.2.x branch.

Until the cmake build schema is entirely mature, these files
are needed for command-line builds of the 2.4 tree, and are
expected to change very little until the EOL of 2.4 branch.

The .dsp source files are not directly usable for any shipping
version of MSVC/Visual Studio (post-Visual Studio 97 release),
while the .mak exports of these projects are usable on any flavor
of the MS nmake build environment.  The .dsp source files are
retained for those users wishing to import these projects into
the modern vcproj/sln file format.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1736270 13f79535-47bb-0310-9956-ffa450edef68
2016-03-23 03:53:49 +00:00
6fed6cdda4 Follow-up to r1735886:
Add back accidentally-deleted file



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1736071 13f79535-47bb-0310-9956-ffa450edef68
2016-03-21 17:24:38 +00:00
a8998dce22 ??
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1736070 13f79535-47bb-0310-9956-ffa450edef68
2016-03-21 17:19:53 +00:00
4a33f6d278 Follow-up to r1735886:
Add mod_ssl_openssl.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735961 13f79535-47bb-0310-9956-ffa450edef68
2016-03-21 12:28:04 +00:00
8739f3e5b8 Merge r1734412 from trunk:
mod_authz_host: add a new "forward-dns" authorization type

This new type does not rely on reverse DNS lookups.

Submitted by: fabien
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735947 13f79535-47bb-0310-9956-ffa450edef68
2016-03-21 11:29:29 +00:00
06f3fcf394 Follow-up to r1735886:
Add mod_ssl_openssl.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735910 13f79535-47bb-0310-9956-ffa450edef68
2016-03-20 22:46:18 +00:00
30deadd1bd Merge r1587607, r1588868 from trunk:
mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling.  See
mod_ssl_openssl.h.

This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.


Initialize post_handshake_rc for case where a failure has
already occurred (doesn't change execution but avoids warning
with some levels of gcc).

Pointed out by: kbrand

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735886 13f79535-47bb-0310-9956-ffa450edef68
2016-03-20 15:51:49 +00:00
c7459fa0d6 Merge r1720129, r1723295, r1733088, r1733089 from trunk:
* mod_ssl: Free dhparams when getting DH params. This fixes issue when
  SSLCryptoDevice does not get unregistered because of non-zero refcount
  during the mod_ssl unload happening on httpd startup.


mod_ssl: follow up to r1720129.
Free ecparams read from certificate file(s) on startup.

Follow up to r1720129 and r1723295: CHANGES entry.

Rephrase r1733088 since leaking means horrible things in cryptography.
This is not a security fix :p
Submitted by: jkaluza, ylavic, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735770 13f79535-47bb-0310-9956-ffa450edef68
2016-03-19 13:26:25 +00:00
ca628a08ca Merge r1734006 from trunk:
mod_ssl: Don't lose track of the SSL context if the ssl_run_pre_handshake()
hook returns an error.

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic
Backported by: ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1734396 13f79535-47bb-0310-9956-ffa450edef68
2016-03-10 12:31:13 +00:00
d5e33be208 Merge r1684171 from trunk:
mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if
the SSLVerifyDepth applied with the default/handshaken vhost differs from
the one applicable with the finally selected vhost.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733476 13f79535-47bb-0310-9956-ffa450edef68
2016-03-03 15:11:04 +00:00
f11b580e2e Merge r1729930, r1729931 from trunk:
hostname: Test and log useragent_host per-request across various modules,
including the scoreboard, expression and rewrite engines, setenvif,
authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
PR55348  [William Rowe]

This is the complete change set which applies cleanly to 2.4.x as well,
the server/scoreboard.c will follow, which does not apply due to drift.



A rather ugly patch since the code was refactored recently to exclude
the simple patch for 2.4.x, illustrated below.

Completes the changeset r1729930 and resolves all 2.4.19-dev corrections,
but other 2.5.0-dev specific changes may still be needed on trunk.

--- server/scoreboard.c	(revision 1729907)
+++ server/scoreboard.c	(working copy)
@@ -491,9 +491,8 @@
             ws->conn_bytes = 0;
         }
         if (r) {
-            const char *client = ap_get_remote_host(c, r->per_dir_config,
-                                 REMOTE_NOLOOKUP, NULL);
-            if (!client || !strcmp(client, c->client_ip)) {
+            const char *client;
+            if (!(client = ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL))) {
                 apr_cpystrn(ws->client, r->useragent_ip, sizeof(ws->client));
             }
             else {
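
Review bot: the new condition `if (!(client = ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL)))` tests only for NULL, whereas the removed line also took the IP-copy branch when the returned string equalled `c->client_ip`, and nothing in the hunk says why that comparison is no longer needed. If the new call can hand back the address string itself, add a comment noting that the else branch then copies the same value, or keep an equivalent comparison against `r->useragent_ip`. As a style point, moving the assignment out of the `if` would make the NULL test easier to read.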


Submitted by: wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733282 13f79535-47bb-0310-9956-ffa450edef68
2016-03-02 13:22:07 +00:00
32fec69dcf Merge r1726881, r1727111 from trunk:
* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.
  Documentation to follow.


* Change entry and documentation for SSLOCSPProxyURL
Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733066 13f79535-47bb-0310-9956-ffa450edef68
2016-03-01 13:46:22 +00:00
bcf87d4342 Follow up to r1727393: add missing (voted) change from trunk's r1723284.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1732990 13f79535-47bb-0310-9956-ffa450edef68
2016-03-01 02:07:36 +00:00
5eb5ad717f merging pre_close_connection hook, prep_lingering_close and ap_update_child() additions from trunk
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1732275 13f79535-47bb-0310-9956-ffa450edef68
2016-02-25 10:27:27 +00:00
2492be95e7 Merge r1725485 from trunk:
Added many log numbers to log statements that
had none.

Those were not detected by the coccinelle script.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1731085 13f79535-47bb-0310-9956-ffa450edef68
2016-02-18 15:07:06 +00:00
9f9326bb92 Merge r1725940 from trunk:
handling TIMEUP on SSL inputs by allowing later retries
Submitted by: icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729874 13f79535-47bb-0310-9956-ffa450edef68
2016-02-11 19:03:54 +00:00
28019d9d1f Merge r1717816 from trunk:
Fix missing Upgrade headers on OPTION * requests, PR58688
Submitted by: wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729873 13f79535-47bb-0310-9956-ffa450edef68
2016-02-11 19:03:04 +00:00
aded325d60 Add APLOGNO, first chunk (those that were
detected by coccinelle).

There are some more but they are easier to
backport once these here are applied.

Backport of r1725392, r1725394, r1725395
and r1725468 from trunk.

Submitted by: rjung
Reviewed by: jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729495 13f79535-47bb-0310-9956-ffa450edef68
2016-02-09 23:09:24 +00:00
1cd72cdb56 Merge r1726888 from trunk:
Fix some duplicate definitions
Submitted by: mrumph
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1728543 13f79535-47bb-0310-9956-ffa450edef68
2016-02-04 19:26:41 +00:00
cbb0b15fcc backport of r1718514,1721313
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1727399 13f79535-47bb-0310-9956-ffa450edef68
2016-01-28 16:29:47 +00:00
8c9f654c4d backport of r1723122,1723143
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1727393 13f79535-47bb-0310-9956-ffa450edef68
2016-01-28 16:13:54 +00:00
b1f47184e3 Merge r1715255 from trunk:
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1722181 13f79535-47bb-0310-9956-ffa450edef68
2015-12-29 16:27:11 +00:00
93310ba419 Merge r1719967 from trunk:
mod_ssl: fix build with openssl < 0.9.8m (missing semicolon).
Reported by: Petr Gajdos <pgajdos suse.cz>
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1722179 13f79535-47bb-0310-9956-ffa450edef68
2015-12-29 16:25:04 +00:00
4315fbbc25 Merge r1715273 from trunk:
Save a few bytes in conf pool.
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1718333 13f79535-47bb-0310-9956-ffa450edef68
2015-12-07 12:30:11 +00:00
3191fdf763 Merge r1717958 from trunk:
using c->master for ssl var lookups when c holds no valid SSLConnRec. Fixes PR58666.
Submitted by: icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1718331 13f79535-47bb-0310-9956-ffa450edef68
2015-12-07 12:28:51 +00:00
3e894a88ad Merge r1711728, r1713209 from trunk:
For the "SSLStaplingReturnResponderErrors off" case, make sure to only
staple responses with certificate status "good". Also avoids including
inaccurate responses when the OCSP responder is not completely up
to date in terms of the CA-issued certificates (and provides interim
"unknown" or "extended revoked" [RFC 6960] status replies).

Log a certificate status other than "good" in stapling_check_response().

Propagate the "ok" status from stapling_check_response() back via both
stapling_renew_response() and get_and_check_cached_response() to the
callback code in stapling_cb(), enabling the decision whether to include
or skip the response.


insert missing LOGNO in ssl_util_stapling.c
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1716652 13f79535-47bb-0310-9956-ffa450edef68
2015-11-26 13:44:39 +00:00
7228bf6236 merged r1715023 as proposed by ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715202 13f79535-47bb-0310-9956-ffa450edef68
2015-11-19 16:06:32 +00:00
ca04f6867d update merge of changes in 2.4.x
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715192 13f79535-47bb-0310-9956-ffa450edef68
2015-11-19 14:58:52 +00:00
f7debe933d Merge r1705194, r1705823, r1705826, r1705828, r1705833, r1706275, r1707230, r1707231 from trunk:
mod_ssl: forward EOR (only) brigades to the core_output_filter().

mod_ssl: don't FLUSH output (blocking) on read.
This defeats deferred write (and pipelining), eg. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).


mod_ssl: follow up to r1705823.
Oups, every #if needs a #endif...

mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),
the core output filter needs them.

Proposed by: jorton


mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.
Add CHANGES entry, and restore ap_process_request_after_handler()'s comment
as prior to r1705194 (the change makes no sense now).


mod_ssl: follow up to r1705823.
We still need to flush in the middle of a SSL/TLS handshake.


mod_ssl: follow up to r1705823.
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).


mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1715014 13f79535-47bb-0310-9956-ffa450edef68
2015-11-18 16:14:36 +00:00
8fbd8b191a merge of 1708107,1709587,1709602,1709995,1710231,1710419,1710572,1710583 from trunk, addition of master conn_rec*, minor bump of mmn
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1712567 13f79535-47bb-0310-9956-ffa450edef68
2015-11-04 15:15:16 +00:00
c0a1206db7 Extend expression parser registration to support
ssl variables in any expression using
mod_rewrite syntax "%{SSL:VARNAME}" or function
syntax "ssl(VARNAME)".

Backport of r1707002 and r1709596 from trunk.

Committed By: rjung
Backported By: rjung
Reviewed by: rjung, ylavic, sf


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1710433 13f79535-47bb-0310-9956-ffa450edef68
2015-10-25 11:57:28 +00:00
ecf6758840 merge r1703952 from trunk
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:50:30 +00:00
181e083ddb merge r1702643 from trunk
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:42:54 +00:00
5e6194b6f4 merge r1693792 from trunk
Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
  "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:38:34 +00:00
b0dc766b75 merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:31:43 +00:00
c8dc4e3b7e Follow up to r1705672.
Backport changes that somehow missed the backport process.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705784 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 22:00:12 +00:00
0de66af348 Use r->hostname
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705687 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 13:18:52 +00:00
5cc6c4de66 oops
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705684 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 13:12:17 +00:00
b1420ab856 mod_h2
Via: svn merge -r10:HEAD https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705682 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 13:06:31 +00:00
b0d87a9837 Sync
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2@1705681 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 13:00:59 +00:00
7475aa0909 Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:
adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
  Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener


http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>
Reviewed by: ylavic


c89


Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows


final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705672 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 12:31:37 +00:00
a5ed342026 merged 1703871 by Yann for SNI misdirect handling
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2@1703994 13f79535-47bb-0310-9956-ffa450edef68
2015-09-19 11:52:56 +00:00
1ea11a55ca merged yann's patch to fix MISDIRECTED_REQUEST handling
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2@1703826 13f79535-47bb-0310-9956-ffa450edef68
2015-09-18 12:50:24 +00:00
0e132fa7f3 merge of protocols + http2 relevant changes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2@1701655 13f79535-47bb-0310-9956-ffa450edef68
2015-09-07 17:37:19 +00:00
8d7a27d1ef Backport r1690137.
Doc and comment fix only

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1690350 13f79535-47bb-0310-9956-ffa450edef68
2015-07-11 05:33:45 +00:00
0ece12ab4c Backport r1690120.
Doc and comment fix only

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1690349 13f79535-47bb-0310-9956-ffa450edef68
2015-07-11 05:21:39 +00:00
5038fa2dae Merge r1685779 from trunk:
mod_ssl: Remove deprecated SSLCertificateChainFile warning.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1685870 13f79535-47bb-0310-9956-ffa450edef68
2015-06-16 17:21:09 +00:00
f88e3ce367 core, modules: Avoid error response/document handling by the core if some
handler or input filter already did it while reading the request (causing
a double response body).

Submitted by: ylavic
Backports: r1482522 (partial, ap_map_http_request_error() things only!),
           r1529988, r1529991, r1643537, r1643543, r1657897, r1665625, 
           r1665721, r1674056
Reviewed by: ylavic, minfrin, wrowe




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682544 13f79535-47bb-0310-9956-ffa450edef68
2015-05-29 20:07:15 +00:00
fb5c0d5f14 mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
EC_KEY_free, otherwise eckey will not be freed.

Backports: r1666363
Author: jkaluza
Reviewed by: rjung, ylavic, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682074 13f79535-47bb-0310-9956-ffa450edef68
2015-05-27 16:33:10 +00:00
f940bb84e3 Merge r1679032, r1679192, and r1680276 from trunk:
r1679032:

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate.  mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it.  (A further, unrelated
code change to mod_ssl is required to allow the use of memcache 
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

r1679192:

Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:

OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681320 13f79535-47bb-0310-9956-ffa450edef68
2015-05-23 11:13:21 +00:00