Commit Graph

146 Commits

Author SHA1 Message Date
499a90a672 * Use apr_size_t instead of int to avoid an overflow
PR: 66034


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900307 13f79535-47bb-0310-9956-ffa450edef68
2022-04-27 06:43:11 +00:00
e2e1d77917 * Avoid an overflow on large inputs
PR: 66033


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900306 13f79535-47bb-0310-9956-ffa450edef68
2022-04-27 06:35:02 +00:00
63840edb44 ab: Allow for TLSv1.3 when the SSL library supports it.
When TLS1_3_VERSION is defined by the SSL library, bump the maximum TLS
protocol to that and use it for "-f ALL" or "-f TLSv1.3".

This mixes proposed patches from BZ 63594 and 64699.

BZ: 63594, 64699
Submitted by: abhilash <abhilash1232 gmail.com>
Submitted by: xiaolongx.jiang intel.com
Submitted & Reviewed by: ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900157 13f79535-47bb-0310-9956-ffa450edef68
2022-04-22 13:04:51 +00:00
533a895c1f *) mod_md: a possible NULL pointer deref was fixed in
the JSON code for persisting time periods (start+end).
     Fixes #282 on mod_md's github.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900145 13f79535-47bb-0310-9956-ffa450edef68
2022-04-22 08:45:31 +00:00
567a50205f core: Disable TCP_NOPUSH optimization on OSX. BZ 66019.
OSX supports TCP_NOPUSH but does not release the data retained (in TCP stack)
when the option is unset. It seems that unsetting it before the last write
does not help either so just disable the optimization for OSX in the core
output filter to avoid uncontrollable transmission delays.

* server/core_filters.c():
  Add the sock_nopush() helper that does nothing on OSX and platforms not
  supporting TCP_NOPUSH or TCP_CORK.

* server/core_filters.c(send_brigade_nonblocking):
  Use sock_nopush() instead of apr_socket_opt_set() for APR_TCP_NOPUSH option.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900100 13f79535-47bb-0310-9956-ffa450edef68
2022-04-21 10:02:29 +00:00
80795a9ae2 * Implement full auto status ("key: value" type status output).
Especially not only status summary counts for certificates and
   OCSP stapling but also lists. Auto status format is similar to
   what was used for mod_proxy_balancer.
   [Rainer Jung]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900039 13f79535-47bb-0310-9956-ffa450edef68
2022-04-19 14:11:39 +00:00
2d4d303201 *) mod_proxy: Add backend port to log messages to
ease identification of involved service.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900028 13f79535-47bb-0310-9956-ffa450edef68
2022-04-19 09:14:10 +00:00
6a0896d693 *) mod_heartmonitor: Set the documented default value
"10" for HeartbeatMaxServers instead of "0". With "0"
     no shared memory slotmem was initialized. [Rainer Jung]


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900026 13f79535-47bb-0310-9956-ffa450edef68
2022-04-19 08:59:47 +00:00
716d664f7d * Add Changelog for r1899451, r1899454, r1899562, r1899564, r1899584
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899886 13f79535-47bb-0310-9956-ffa450edef68
2022-04-15 11:42:58 +00:00
5d3b2f1f0c *) mod_http2: use the new REQUEST buckets to forward request
on secondary connections. Use the now generic
     ap_process_connection() in h2 workers to process those.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899802 13f79535-47bb-0310-9956-ffa450edef68
2022-04-13 08:38:12 +00:00
fbb84e00fa Merge PR 311:
*) core/mod_http: use REQUEST meta buckets and a new HTTP/1.x specific
     input filter to separate the handling for HTTP requests from the
     handling of HTTP/1.x request parsing and checks.
     A new HTTP1_REQUEST_IN filter installs itself on http/1.1 connections
     before a request is being read. It generates either a REQUEST meta
     bucket on success or an ERROR bucket with the proposed response status.
     The core connection processing, relying on ap_read_request(), now expects
     a REQUEST or ERROR bucket from the input filters and is agnostic to
     specific HTTP versions and how they bring requests into the server.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899799 13f79535-47bb-0310-9956-ffa450edef68
2022-04-13 07:40:17 +00:00
d150ca6f4e Follow up to r1899777: CHANGES entry [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899786 13f79535-47bb-0310-9956-ffa450edef68
2022-04-12 17:43:20 +00:00
0296d7dfea *) core/mod_http: use RESPONSE meta buckets and a new HTTP/1.x specific
filter to send responses through the output filter chain.
     Specifically: the HTTP_HEADER output filter and ap_send_interim_response()
     create a RESPONSE bucket and no longer are concerned with HTTP/1.x
     serialization.
     A new HTTP1_RESPONSE_OUT transcode filter writes the proper HTTP/1.x
     bytes when dealing with a RESPONSE bucket. That filter installs itself
     on the pre_read_request hook when the connection has protocol 'http/1.1'.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899648 13f79535-47bb-0310-9956-ffa450edef68
2022-04-07 10:41:46 +00:00
a4ea0e7799 *) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
     Credit to <generalbugs@zippenhop.com> for finding this.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899609 13f79535-47bb-0310-9956-ffa450edef68
2022-04-06 09:17:42 +00:00
6bd9d17e08 *) core: adding a new hook and method to the API:
create_secondary_connection and ap_create_secondary_connection()
     to setup connections related to a "master" one, as used in
     the HTTP/2 protocol implementation.

  *) mod_http2: using the new API calls to get rid of knowledge
     about how the core handles conn_rec specifics.
     Improvements in pollset stream handling to use less sets.
     Using atomic read/writes instead of volatiles now.
     Keeping a reserve of "transit" pools and bucket_allocs for
     use on secondary connections to avoid repeated setup/teardowns.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899032 13f79535-47bb-0310-9956-ffa450edef68
2022-03-18 09:52:52 +00:00
df4d79d1a7 Sync CHANGES entries [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898697 13f79535-47bb-0310-9956-ffa450edef68
2022-03-07 14:54:52 +00:00
6418c66ab6 core: Make sure and check that LimitXMLRequestBody fits in system memory.
LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the
body without failing to allocate memory, so enforce this at load time based
on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds.

Document the limits for LimitXMLRequestBody in our docs.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898686 13f79535-47bb-0310-9956-ffa450edef68
2022-03-07 13:36:10 +00:00
0cb6384286 core: Simpler connection close logic if discarding the request body fails.
If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and
allows to consolidate end_output_stream() and error_output_stream().



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898683 13f79535-47bb-0310-9956-ffa450edef68
2022-03-07 13:19:37 +00:00
815cf05bb2 mod_rewrite: URI-to-filename rewrites to transparently handle proxy mappings.
Since mod_rewrite works on r->filename and mod_proxy's mapping=servlet|decoded
sets its "proxy:" URL there at pre_translate_name stage (i.e. before
mod_rewrite's translate_name hook), users have to match the full proxy URL in
their RewriteRules to handle proxy mappings, which is not very friendly nor
consistent with how proxy non-mapping requests have to be matched.

Let's use r->filename = r->uri in hook_uri2file() for pre_trans'ed reverse
proxy requests, and restore r->filename to its original value if the request
was finally DECLINED (like in hook_fixup).

But if a proxy mapping gets rewritten to a non-proxy request, clear any
proxy specific r->proxyreq or r->handler so that processing continues
accordingly.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898509 13f79535-47bb-0310-9956-ffa450edef68
2022-03-01 13:26:03 +00:00
338daf4719 *) mod_watchdog: use the child_stopping and child_stopped hooks
to shutdown workers before pool destruction releases global
     resources and libraries.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898370 13f79535-47bb-0310-9956-ffa450edef68
2022-02-24 11:56:01 +00:00
2e239ed8e6 * core/mpm: add hook 'child_stopped' that gets called when the MPM has
stopped all processing in a child process. This is when all running
    threads shall be stopped and joined.
    [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898369 13f79535-47bb-0310-9956-ffa450edef68
2022-02-24 11:53:53 +00:00
6137cd7b74 *) mod_http2: preserve the port number given in a HTTP/1.1
request that was Upgraded to HTTP/2. Fixes PR65881.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898146 13f79535-47bb-0310-9956-ffa450edef68
2022-02-17 10:06:31 +00:00
d27a32da69 * Change the logic to choose the maximum of both timeouts (front end socket,
backend socket) instead of the minimum as backend timeouts can be
  configured more selectively (per worker if needed) as front end timeouts
  and typically the backend timeouts reflect the application requirements
  better.

PR: 65886


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898127 13f79535-47bb-0310-9956-ffa450edef68
2022-02-16 12:35:36 +00:00
b90220157d *) mod_http2: :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
     http protocol processing to preserve semantics of the request.
     Checks on combinations of pseudo-headers values/absence
     have been added as described in RFC 7540.
     Fixes <https://github.com/icing/mod_h2/issues/230>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897940 13f79535-47bb-0310-9956-ffa450edef68
2022-02-10 10:59:08 +00:00
600072cf7c ab: Fix the detection for when the server performed a legitimate
connection close as per RFC7230 6.3.1. We must check whether the
connection was previously kept alive, and not whether the current
closed request is keepalive.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897912 13f79535-47bb-0310-9956-ffa450edef68
2022-02-09 18:23:23 +00:00
4a6bf7f895 *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
it gives a 400 response if the scheme does not match the
    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897872 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 13:38:49 +00:00
5540d05c9f ab: Add an optional ramp delay when starting concurrent connections so
as to not trigger denial of service protection in the network. Report
levels of concurrency achieved in cases where the test completes before
full concurrency is achieved.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897866 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 12:34:52 +00:00
cbde30f832 * mod_md) do not interfere with requests to /.well-known/acme-challenge/
resources if challenge type 'http-01' is not configured for a domain.
    Fixes <https://github.com/icing/mod_md/issues/279>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897863 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 12:18:45 +00:00
17f35eb66d Reinstate r1897458 accidentally reverted in r1897760.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897861 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 11:22:14 +00:00
fd79f533bf Follow up to r1896253: CHANGES entry. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897859 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 11:09:11 +00:00
7953689acc Sync CHANGES entries. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897858 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 11:04:49 +00:00
711bf3ee18 *) mod_md: the status description in MDomain's JSON, exposed in the
md-status handler (if configured) did sometimes not carry the correct
     message when certificates needed renew.
     [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897819 13f79535-47bb-0310-9956-ffa450edef68
2022-02-07 14:40:46 +00:00
b11e669f07 *) core/mod_ssl/mpm_event: reverting changes to nonblocking SSL handshakes
to stabilize CI tests again. Previous revision of trunk has been copied
     to branches/trunk-ssl-handshake-unblocking to make those into a PR where
     changes can be discussed and tested separately.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897760 13f79535-47bb-0310-9956-ffa450edef68
2022-02-04 12:22:26 +00:00
c6960b3b4c * Stupid mine. Evgeny is a committer here
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897619 13f79535-47bb-0310-9956-ffa450edef68
2022-01-31 08:58:36 +00:00
df7e92eac8 * Fix typo
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897615 13f79535-47bb-0310-9956-ffa450edef68
2022-01-31 08:19:14 +00:00
e5d6b2a50e * CHANGES entry for r1897182
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897614 13f79535-47bb-0310-9956-ffa450edef68
2022-01-31 08:16:35 +00:00
88ffb0ecd3 ab: Respond appropriately to SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE.
Previously the correct event was polled for, but the response to the poll
would call write instead of read, and read instead of write. PR 55952


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897458 13f79535-47bb-0310-9956-ffa450edef68
2022-01-25 15:54:22 +00:00
4145dfbd86 mod_reqtimeout: Set socket timeout for AP_MODE_INIT.
If the SSL handshake is initiated by ssl_hook_process_connection() in
AP_MODE_INIT mode, we still want to adapt the socket timeout according
to the time left for the handshake.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897422 13f79535-47bb-0310-9956-ffa450edef68
2022-01-24 16:08:14 +00:00
af55830264 mod_unixd: Make CoreDumpDirectory work for FreeBSD 11+. PR 65819.
FreeBSD 11+ coredumping requires tracing enabled via procctl(PROC_TRACE_CTL).

Submitted by: David CARLIER <devnexen gmail.com>
Reviewed by: ylavic (by inspection)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897269 13f79535-47bb-0310-9956-ffa450edef68
2022-01-20 20:03:04 +00:00
702712a43d Follow up to r1897240: CHANGES entry.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897242 13f79535-47bb-0310-9956-ffa450edef68
2022-01-20 11:37:16 +00:00
371f5669ca mpm_event: Fix a possible listener deadlock. PR 65769.
When the listener starts accepting more connections than the number of workers
already started (due to scheduling), the listening sockets get disabled (per
AH03269) but nothing was re-enabling them before the end of the connections,
despite the creation of more idle/available workers in the meantime.
In the worst case there is no idle worker when the listener accepts the first
connection thus nothing to wake up the listener blocked in poll() with no
socket, hence a deadlock.

Fix this by waking up the listener when a worker becomes idle and this unblocks
connections_above_limit(). This is also worthwhile when all the workers are
started (fully initialized runtime) since the number of idle workers is a
condition for connections_above_limit() anyway so the sooner the listeners are
re-enabled the better (the other condition is the number of connections which
is unblocked appropriately by decrement_connection_count() already).

Also when a child exists with ps->quiescing == 1 and it's caught by
server_main_loop() before perform_idle_server_maintenance(), active_daemons was
not decremented as needed (including across restarts), leading to an invalid
active_daemons accounting.

* server/mpm/event/event.c(should_enable_listensocks):
  New helper that returns whether listening sockets can be poll()ed again.

* server/mpm/event/event.c(decrement_connection_count, listener_thread):
  Use should_enable_listensocks() where previously open-coded.

* server/mpm/event/event.c(worker_thread):
  Wake up the listener when is_idle => 1 and should_enable_listensocks().
  Have a single point of exit when workers_may_exit to make sure that the
  wake always occurs (even when exiting).

* server/mpm/event/event.c(server_main_loop):
  Decrement active_daemons not only when !ps->quiescing but also when
  ps->quiescing == 1, i.e. all the cases not handled by
  perform_idle_server_maintenance() already.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896505 13f79535-47bb-0310-9956-ffa450edef68
2021-12-29 13:12:44 +00:00
f7067a9385 Add a change entry for r1896278
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896279 13f79535-47bb-0310-9956-ffa450edef68
2021-12-22 14:36:29 +00:00
14ffd8c7b3 Sync changes-entries [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895953 13f79535-47bb-0310-9956-ffa450edef68
2021-12-14 15:24:32 +00:00
3ec0ffb9e1 http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
      hostname, per HTTP specifications.

The early checks avoid failing the request later on and thus save cycles
for those invalid cases.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895921 13f79535-47bb-0310-9956-ffa450edef68
2021-12-13 18:55:18 +00:00
b8a58e6aa9 * Correctly send a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
  current status code of the request.

PR: 65725


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895719 13f79535-47bb-0310-9956-ffa450edef68
2021-12-09 08:38:30 +00:00
1598f7aebd *) mod_http2: fixed a bug in v2.0.0 that could lead to an infinite
loop when clients close connections prematurely.
     Enhanced the scoreboard status updates on h2 connections for
     mod_status. 'server-status' now gives a better idea what the
     connection is working on.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895614 13f79535-47bb-0310-9956-ffa450edef68
2021-12-06 10:34:27 +00:00
34da2e78b7 Sync CHANGES entries. [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895558 13f79535-47bb-0310-9956-ffa450edef68
2021-12-03 16:09:47 +00:00
85ae4b4d6a *) mod_tls: added mod_tls from abetterinternet, donated
by ISRG/Prossimo <https://github.com/abetterinternet/mod_tls>.
     - adds front-/backend TLS (v1.2/v1.3) via the Rust rustls crate
       and its rustls-ffi C binding <https://github.com/rustls/rustls-ffi>.
     - documentation at <https://github.com/abetterinternet/mod_tls>
       (adding to Apache's manual TBD)
     - build support for Apache httpd configure on *nix platforms,
       rustls is linked statically into mod_tls.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895432 13f79535-47bb-0310-9956-ffa450edef68
2021-11-30 16:29:20 +00:00
9974b5a0e6 * mod_http2: the new pollset implementation is disabled when
compiling with an APR version less than 1.6.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895349 13f79535-47bb-0310-9956-ffa450edef68
2021-11-26 09:29:07 +00:00
5338e45798 mod_proxy: SetEnv proxy-nohalfclose to disable half-close tunneling. PR 65662.
Some connect/wstunnel protocols might want half-close forwarding while some
might not, let's provide an r->subprocess_env opt-out.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895304 13f79535-47bb-0310-9956-ffa450edef68
2021-11-24 17:49:47 +00:00