* modules/ssl/ssl_engine_init.c (ssl_init_PushCAList): Remove function.
(ssl_init_ca_cert_path): Use SSL_add_file_cert_subjects_to_stack()
instead.
[Edit: This does change behaviour: the acceptable client CA list is now
always sent in sorted order rather than configured/file order.
In the case of SSLCACertificatePath and SSLCADNRequestPath, the
order will be stable rather than non-deterministic as previously.]
PR: 61574
Github: closes #406
Reviewed by: jorton, jfclere, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915740 13f79535-47bb-0310-9956-ffa450edef68
Treat non-leaf certificates present in SSLProxyMachineCertificateFile
the same way as non-leaf certs are in SSLCertificateFile - use them to
build the trusted cert chain for the end-entity (client) cert.
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs):
For any non-leaf certificate present in the configured, trust as
if used in SSLProxyMachineCertificateChainFile.
Github: closes #403
Reviewed by: jorton, gbechis, jfclere
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915679 13f79535-47bb-0310-9956-ffa450edef68
Check for and use gettid() directly if available; glibc 2.30 and later
provides a wrapper for the system call:
* configure.in: Check for gettid() and define HAVE_SYS_GETTID if
gettid() is only usable via syscall().
* server/log.c (log_tid): Use gettid() directly if available.
Submitted by: jorton
Reviewed by: jorton, jfclere, gbechis
Github: closes #404
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915544 13f79535-47bb-0310-9956-ffa450edef68
fix build with LibreSSL 2.0.7+
PR: 64047
Follow up to r1874101: Axe useless LIBRESSL_VERSION_NUMBER check.
Since the fix to MODSSL_USE_OPENSSL_PRE_1_1_API in r1908537, we are sure that
!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
in this block.
Submitted by: gbechis, ylavic
Reviewed by: ylavic, minfrin, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915539 13f79535-47bb-0310-9956-ffa450edef68
Add support for SHA-2 crypt() algorithm in htpasswd.
* configure.in: Detect SHA-2 support in crypt().
* support/passwd_common.h: Define ALG_CRYPT_SHA256, ALG_CRYPT_SHA512,
include ap_config_auto.h.
* support/htpasswd.c (check_args): Allow -2, -5, -r arguments for
SHA-256, SHA-256 and rounds options respectively.
* support/passwd_common.c
(parse_common_options): Parse -2, -5, -r args.
(mkhash): Generate crypt hash for SHA256/SHA512 algorithms.
Update transform.
* support/htpasswd.c (usage): More usage fixes for SHA-2; describe
as "secure", leave bcrypt only algorithm described as "very secure".
* support/passwd_common.c (mkhash): Fix salt buffer size for SHA2
(caught by gcc 10).
configure: Assume crypt() does not support SHA-2 when cross-compiling.
Can be forced with "./configure ap_cv_crypt_sha2=yes ..." still.
* configure.in:
Give AC_RUN_IFELSE a cross-compiling action, otherwise it fails with:
configure: error: cannot run test program while cross compiling
Submitted by: jorton, ylavic
Reviewed by: minfrin, ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915516 13f79535-47bb-0310-9956-ffa450edef68
* server/util_script.c (ap_add_common_vars): Allow mod_env to override
all system path environment variables, not just PATH. (The
behaviour for PATH alone was changed in r965679 for PR 43906.)
Submitted by: jorton
Reviewed by: minfrin, ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915496 13f79535-47bb-0310-9956-ffa450edef68