Commit Graph

286 Commits

Author SHA1 Message Date
d02cfc9f8b Merge r1825120 from trunk:
* modules/ssl/ssl_engine_init.c (ssl_init_PushCAList): Remove function.
  (ssl_init_ca_cert_path): Use SSL_add_file_cert_subjects_to_stack()
  instead.

[Edit: This does change behaviour: the acceptable client CA list is now
 always sent in sorted order rather than configured/file order.
 In the case of SSLCACertificatePath and SSLCADNRequestPath, the
 order will be stable rather than non-deterministic as previously.]

PR: 61574
Github: closes #406
Reviewed by: jorton, jfclere, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915740 13f79535-47bb-0310-9956-ffa450edef68
2024-02-12 08:37:35 +00:00
4e29445936 Merge r1884552 from trunk:
Treat non-leaf certificates present in SSLProxyMachineCertificateFile
the same way as non-leaf certs are in SSLCertificateFile - use them to
build the trusted cert chain for the end-entity (client) cert.

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs):
  For any non-leaf certificate present in the configured, trust as
  if used in SSLProxyMachineCertificateChainFile.

Github: closes #403
Reviewed by: jorton, gbechis, jfclere


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915679 13f79535-47bb-0310-9956-ffa450edef68
2024-02-09 09:12:02 +00:00
e3ca3e4829 Merge r1874101, r1913838 from trunk:
fix build with LibreSSL 2.0.7+

PR: 64047

Follow up to r1874101: Axe useless LIBRESSL_VERSION_NUMBER check.

Since the fix to MODSSL_USE_OPENSSL_PRE_1_1_API in r1908537, we are sure that
  !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
in this block.

Submitted by: gbechis, ylavic
Reviewed by: ylavic, minfrin, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915539 13f79535-47bb-0310-9956-ffa450edef68
2024-02-02 11:55:30 +00:00
28f6fc01c3 Backport to v2.4.
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
     deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
     to compatibility with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
     mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
     Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
     notably with OpenSSL >= 3.  PR 68080.
     trunk patch: http://svn.apache.org/r1908537
                  http://svn.apache.org/r1908539
                  http://svn.apache.org/r1908542
                  http://svn.apache.org/r1913616
                  http://svn.apache.org/r1913815
                  http://svn.apache.org/r1913816
                  http://svn.apache.org/r1908542
                  http://svn.apache.org/r1913832
     2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/381.diff
                  (https://github.com/apache/httpd/pull/381)
     +1: ylavic, jorton, minfrin



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913912 13f79535-47bb-0310-9956-ffa450edef68
2023-11-18 11:34:12 +00:00
80560d29c8 Backport to v2.4:
*) mod_ssl: release memory to the OS when needed
     Trunk version of patch:
       https://svn.apache.org/r1898410
       https://svn.apache.org/r1898366
        svn merge -c 1898366 ^/httpd/httpd/trunk .
        svn merge -c 1898410 ^/httpd/httpd/trunk .
     +1: gbechis, ylavic, jorton



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913909 13f79535-47bb-0310-9956-ffa450edef68
2023-11-18 11:20:14 +00:00
7564d3b124 Merge r1912015 from trunk:
mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
         SSL routines::unexpected eof while reading" when using
         OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
         available. [Rainer Jung]

Reviewed by: rjung, gbechis, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913012 13f79535-47bb-0310-9956-ffa450edef68
2023-10-16 11:48:06 +00:00
4d37880753 Merge r1822857, r1876815, r1893499, r1900024, r1900152, r1900306, r1900559, r1900564, r1900691, r1900694 from trunk:
* Makefile.in (build/config_vars.out): Rebuild if build/config_vars.sh
  has changed.


sort safe_env_lst
bz 64371


mod_optional_hook_import: debug message at APLOG_DEBUG level.



  *) de-duplicate ALOGNO from code copy.



ab: apr_base64_encode already NUL-terminates the output.

And returns the length including the trailing \0, so setting it at that
length is off by +1.



* Avoid an overflow on large inputs

PR: 66033


dav_get_liveprop_info() returns a long not an int.

Update the type of global_ns accordingly and update the format specifier when this variable is used in printf like functions.

This also aligns code with dav_core_insert_prop() in modules/dav/main/std_liveprop.c

Lengths computed by count_string() are accumulated in an apr_size_t, so be more consistent and use this data type also in this function.

Fix some typos

[skip ci]

Fix some typos

[skip ci]
Submitted by: jorton, gbechis, ylavic, icing, ylavic, rpluem, jailletc36, jailletc36, jailletc36, jailletc36
Reviewed by: jailletc36, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1903618 13f79535-47bb-0310-9956-ffa450edef68
2022-08-21 20:26:51 +00:00
5129665ae9 Merge Pull 321 (trunk: r1874005, r1877261, r1901470):
*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.  PR 66063.
     [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901586 13f79535-47bb-0310-9956-ffa450edef68
2022-06-03 08:27:07 +00:00
769bc2137a Backport.
*) mod_ssl: Updates to support OpenSSL 3.x
     trunk patch: https://svn.apache.org/r1519264
                  https://svn.apache.org/r1737657
                  https://svn.apache.org/r1876934
                  https://svn.apache.org/r1876936
                  https://svn.apache.org/r1876938
                  https://svn.apache.org/r1890067
                  https://svn.apache.org/r1890076
                  https://svn.apache.org/r1891138
                  https://svn.apache.org/r1893876
                  https://svn.apache.org/r1893964
                  https://svn.apache.org/r1894716
                  https://svn.apache.org/r1895774
     backport PR: https://github.com/apache/httpd/pull/258
     2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/258.patch
                  or https://people.apache.org/~jorton/mod_ssl-openssl3.patch
     +1: jorton, minfrin, ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895868 13f79535-47bb-0310-9956-ffa450edef68
2021-12-13 10:27:03 +00:00
9ecde98131 Revert r1895807 [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895808 13f79535-47bb-0310-9956-ffa450edef68
2021-12-11 12:57:53 +00:00
4e5ec8ef75 Vote, promote [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895807 13f79535-47bb-0310-9956-ffa450edef68
2021-12-11 12:56:14 +00:00
092dfece31 Merge r1869842 from trunk:
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.

* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
  SSLKEYLOGFILE is set in the environment.
  (ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.

* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
  New function.

PR: 63391
Github: closes #74


Submitted by: jorton
Reviewed by: rpluem, ylavic, jorton

Github: closes #264


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893099 13f79535-47bb-0310-9956-ffa450edef68
2021-09-08 06:55:40 +00:00
c0cff48bcc Merge of [r1886840, r1887085, r1887087, r1887134, r1887151, r1887152,
       r1887337, r1887340, r1887342, r1887343, r1887360, r1887364,
       r1887923, r1887965, r1887993, r1888006, r1888083, r1888084,
       r1888723, r1888724, r1888726, r1888729, r1889788] from trunk:

   *) core/mod_ssl/mod_md:
     - adding new ap_ssl_*() functions for a backward
       compatible replacement of the major optional mod_ssl functions. This
       allows other ssl modules to work without impersonating mod_ssl and
       also allows different ssl modules being active on separate ports.
     - latest mod_md with support for multiple certificates per domain
       and ECDSA certificates. Removed ACMEv1 support.
     - Interworking mod_md and ssl modules changed to exchange PEM strings
       instead of file paths for ACME challenges.
     - core/mod_ssl/mod_md: adding OCSP response provisioning as core feature.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1889793 13f79535-47bb-0310-9956-ffa450edef68
2021-05-12 10:14:42 +00:00
64143c9eb8 Backport to 2.4:
*) Easy patches: synch 2.4.x and trunk
        - mod_http2: Fix ascii art
        - mod_http2: fix some dox comments
        - mod_dav: Don't call memcpy(,NULL,0)
        - mod_ssl: Pass base_server in OpenSSL init log message
        - .gdbinit: tab to space
        - mod_so: don't try to load modules from a NULL path
        - mod_cache_file/mod_lua: Add missing "const" or "static const" qualifiers
                                  in some command_rec definitions
        - mod_lua: Fix compilation error if APR_HAS_THREADS is not defined
        - core/log: fix a harmless warning spotted by gcc 10
        - mod_ssl: update comment
     trunk patch:
          http://svn.apache.org/r1810233
          http://svn.apache.org/r1827530
          http://svn.apache.org/r1874144
          http://svn.apache.org/r1877262
          http://svn.apache.org/r1878263
          http://svn.apache.org/r1880461
          http://svn.apache.org/r1882053
          http://svn.apache.org/r1882060
          http://svn.apache.org/r1883452
          http://svn.apache.org/r1884551
     2.4.x patch: svn merge -c 1810233,1827530,1874144,1877262,1878263,1880461,1882053,1882060,1883452,1884551 ^/httpd/httpd/trunk .
     +1: jailletc36, jorton, minfrin



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885612 13f79535-47bb-0310-9956-ffa450edef68
2021-01-17 17:23:37 +00:00
1d6cc695f2 Merge r1705539, r1877263, r1877291, r1879445 from trunk:
deduplicate the code handling the directory traversal for the
SSL[Proxy]CACertificatePath and SSLProxyMachineCertificatePath
directives


* modules/ssl/ssl_engine_init.c (ssl_add_version_components,
  ssl_init_Module): Use temporary pool for variable lookup results
  which don't need to live in pconf.


mod_ssl: Factor out code to read a BIO into a palloc'ed string:

* modules/ssl/ssl_util_ssl.c (modssl_bio_free_read): New function.
  (asn1_string_convert): Use it here.

* modules/ssl/ssl_engine_vars.c: Use it throughout.


* modules/ssl/ssl_scache.c (ssl_scache_init): Use <16 character
  cname argument for socache ->init() per the API constraint.

Submitted by: kbrand, jorton, jorton, jorton
Reviewed by: jailletc36, minfrin, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1879598 13f79535-47bb-0310-9956-ffa450edef68
2020-07-07 16:57:22 +00:00
aff62154bc Merge r1830819, r1830912, r1830913, r1830927, r1831168, r1831173, r1835240, r1835242, r1835615, r1836547 from trunk:
mod_ssl: Add support for loading private keys from ENGINEs.  Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.

* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
  Use it, skip check for file existence for engine keys.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
  New function.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
  For engine keys, load via modssl_load_engine_pkey.

* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h:
  Remove modssl_read_encrypted_pkey() and helpers, added in r1804087
  but never used.

* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused
  second argument.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Adjust
  accordingly.

Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.

* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
  serialize internally.  Use ap_realloc.  Return the ssl_asn1_t *
  pointer.  Don't call apr_hash_set() for unchanged pointer case.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
  Adjust for the above.

* modules/ssl/ssl_private.h: Adjust as above, add docs.

mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.

* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
  from modssl_is_engine_key.
  
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
  Adjust accordingly.
  (ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
  Rename from modssl_load_engine_key; load certificate if
  cert id is passed.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
  load the certificate from the engine as well.

* docs/manual/: Update manual.


* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
  logno. Free EVP_PKEY in engine case.  Never try reading ECDH/DH
  parameters from engine ids.

Hook up PKCS#11 PIN entry through configured passphrase entry method.

* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
  around passphrase entry.
  (modssl_load_engine_keypair): Take vhost ID and use above rather than
  default OpenSSL UI.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Pass vhost ID.

Submitted by: Anderson Sasaki <ansaski redhat.com>, jorton

* modules/ssl/ssl_engine_pphrase.c: Add logno tags.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
  the engine associated with the private key (&cert) explicitly
  rather than requiring the engine to be set as the default method
  for all operations (with "SSLCryptoDevice <engine>").

(Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested
improvement and guidance)

* modules/ssl/ssl_engine_pphrase.c: Fix linking against OpenSSL without
  ENGINE support.

Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton
Reviewed by: jorton, jim, ylavic
Github: closes #92


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874196 13f79535-47bb-0310-9956-ffa450edef68
2020-02-19 13:32:50 +00:00
e0a4a2e331 Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:
mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.

In other words:
    SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
    SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.


mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.


mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost
selected by Hello/SNI callback.


mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.


mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic
Reviewed by: ylavic, minfrin, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1873907 13f79535-47bb-0310-9956-ffa450edef68
2020-02-11 13:21:48 +00:00
636d6c0f30 Remove some trailing spaces that were merged in r1841573 in order to complete the corresponding backports and synch with trunk.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1869711 13f79535-47bb-0310-9956-ffa450edef68
2019-11-12 21:28:31 +00:00
8c670ccc1a Merged /httpd/httpd/trunk:r1864428 from trunk
*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864513 13f79535-47bb-0310-9956-ffa450edef68
2019-08-06 12:16:14 +00:00
734313ca6e Merged /httpd/httpd/trunk:r1851621,1852128,1862075
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
     adding certificates and keys to a virtual host. An additional hook allows
     answering special TLS connections as used in ACME challenges.
     Adding 2 new hooks for init/get of OCSP stapling status information when
     other modules want to provide those. Falls back to own implementation with
     same behaviour as before.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1863988 13f79535-47bb-0310-9956-ffa450edef68
2019-07-30 11:23:52 +00:00
fd5efd0b43 Merge of r1853133,r1853166 from trunk:
mod_ssl: Don't unset FIPS mode on restart unless it's forced by
     configuration (SSLFIPS on) and not active by default in OpenSSL. PR 63136.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1853197 13f79535-47bb-0310-9956-ffa450edef68
2019-02-08 09:01:42 +00:00
ae46c54ae7 Merge r1830816, r1830836, r1842882, r1842884 from trunk:
* modules/ssl: Add some missing logno tags.


* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
  Simplify code, no functional change.


* modules/slotmem/mod_slotmem_shm.c (restore_slotmem): Remove
  redundant assignment (clang warning), the apr_file_eof(fp)=>APR_EOF
  case assigns rv to APR_EOF and then to APR_SUCCESS after already.


* modules/mappers/mod_negotiation.c (set_language_quality): Remove
  redundant branch (warning from Coverity).

Submitted by: jorton
Reviewed by: jailletc36, icing, jorton, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1848685 13f79535-47bb-0310-9956-ffa450edef68
2018-12-11 14:14:40 +00:00
aa34530365 mod_ssl: Fixes PR 62880 where certificate loading fails because SSL ERRs are
not cleared beforehand.
+1: icing, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847280 13f79535-47bb-0310-9956-ffa450edef68
2018-11-23 14:57:22 +00:00
4658737147 Merge r1840710 from trunk:
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
  Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
  post-handshake authentication.
  (ssl_init_proxy_certs): Fix proxy client cert support with
  TLSv1.3, which is now crippled by default.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840711 13f79535-47bb-0310-9956-ffa450edef68
2018-09-12 15:54:59 +00:00
223f607038 On the tlsv1.3-for-2.4.x branch:
Merged 1827912,1827924,1827992,1828222,1828720,1828723,1833588,1833589,1839920,1839946 from trunk

  *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9).
     SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
     Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
     Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
     as this would need to trigger the master connection thread - which we do not support
     right now.
     Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
     does not allow specifying TLSv1.3 ciphers in a directory context (because it cannot work) and
     TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
     Sites which make use of such TLSv1.2 features need to evaluate carefully if or how they
     can match their needs onto the TLSv1.3 protocol.
     [Yann Ylavic, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840120 13f79535-47bb-0310-9956-ffa450edef68
2018-09-05 11:28:15 +00:00
fdb1526d60 mod_ssl: follow up to 2.4.x's r1666363.
Add missing bits from previous backport of r1666363.


Reviewed by: jailletc36, ylavic, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1835173 13f79535-47bb-0310-9956-ffa450edef68
2018-07-05 19:24:07 +00:00
dab6bb6373 Merge r1826995, r1827001 from trunk:
Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a
certificate chain. PR 62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing
Reviewed by: icing, ylavic, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1834089 13f79535-47bb-0310-9956-ffa450edef68
2018-06-22 09:45:39 +00:00
946f1e6b97 Merge r1829513 from trunk:
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Don't enable SSL
  for a vhost if SSLEnable is not used and no certs are configured,
  even if the Listen protocol is "https".  Restores behaviour to that
  prior to r1809303 for configs which would now otherwise fail at
  startup.

Submitted by: jorton
Reviewed by: jorton, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1832495 13f79535-47bb-0310-9956-ffa450edef68
2018-05-29 21:27:15 +00:00
223df5cf69 mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.
trunk patch: http://svn.apache.org/r1740928
             http://svn.apache.org/r1740960
             http://svn.apache.org/r1740967
             http://svn.apache.org/r1740987
             http://svn.apache.org/r1740998
             http://svn.apache.org/r1742697
             http://svn.apache.org/r1756976
             http://svn.apache.org/r1781313
             http://svn.apache.org/r1812193
2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4.x-r1740928_and_co-v6.patch
+1: ylavic, icing, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824187 13f79535-47bb-0310-9956-ffa450edef68
2018-02-13 23:43:36 +00:00
1de2691583 mod_md is backported in this branch.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-mod_md@1820579 13f79535-47bb-0310-9956-ffa450edef68
2018-01-08 15:58:57 +00:00
4c22188477 Sync with 2.4.x.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-mod_md@1820360 13f79535-47bb-0310-9956-ffa450edef68
2018-01-05 22:04:52 +00:00
3ee19d0b50 On the 2.4.x-mod_md branch:
merged mod_md relevant parts of 1818030,1818120,1818308,1818725,1818792,1818849,1819799,1819854,1819943,1820036,1820310,1820312 from trunk


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-mod_md@1820314 13f79535-47bb-0310-9956-ffa450edef68
2018-01-05 15:34:15 +00:00
2b0f47eda5 On the 2.4.x branch:
merge of 1804530,1804531,1805186,1806939,1807232,1808122 from trunk.

Backport of mod_md support in mod_ssl.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1820075 13f79535-47bb-0310-9956-ffa450edef68
2018-01-04 12:15:42 +00:00
86c91e3266 Set of changes to bring mod_md into the 2.4.x branch.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-mod_md@1816423 13f79535-47bb-0310-9956-ffa450edef68
2017-11-27 10:44:56 +00:00
5d7c48237a Merge r1803392, r1803396, r1803398 from trunk:
mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP
is defined.  PR 61206.

Submitted by: Michael Schlenker <msc contact.de>


mod_ssl, ab: compatibility with LibreSSL.  PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic


Follow up to r1803396: CHANGES entry.


Reviewed by: ylavic, jim, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1807734 13f79535-47bb-0310-9956-ffa450edef68
2017-09-08 12:20:16 +00:00
0fc9880259 Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:
Add Configuration for trusted OCSP responder certificates
Fix for PR 46037


Add back the file I removed in r1781575.


Add missing documentation for r1781575
Fix for PR 46037


Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.



Submitted by: jfclere, druggeri, wrowe
Reviewed by: jfclere, jim, ylavic
Merge r1788430 from trunk:

mod_ssl: follow up to r1781575
Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.


Submitted by: ylavic
Reviewed by: jfclere, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1789970 13f79535-47bb-0310-9956-ffa450edef68
2017-04-03 11:39:20 +00:00
ee0789f9b7 Merge r1781187, r1781190, r1781312 from trunk:
mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.


mod_ssl: follow up to r1781187.
The ssl_util_thread_*() functions are not necessary with openssl-1.1+


mod_ssl: follow up to r1781187.
Address SSL_CTX leak in (merged) proxy_ctx.


Reviewed by: ylavic, jim, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1788442 13f79535-47bb-0310-9956-ffa450edef68
2017-03-24 13:31:03 +00:00
d841beec31 Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:
Support OpenSSL 1.1.0

Proposed by: rjung
Reviewed by: wrowe, jorton, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1787728 13f79535-47bb-0310-9956-ffa450edef68
2017-03-20 12:01:16 +00:00
4199cb4047 Merge r1756038 from trunk:
Fix spelling in comments and text files.
No functional change.
PR 59990

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757669 13f79535-47bb-0310-9956-ffa450edef68
2016-08-25 12:48:18 +00:00
abc50f6d6c mod_ssl: Don't enable CRL checks/flags by default.
(follow up/fix to r1748338 committed in 2.4.21)

Submitted by: ylavic
Reviewed by: icing, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748442 13f79535-47bb-0310-9956-ffa450edef68
2016-06-14 16:34:14 +00:00
7711282990 mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
to opt in to the previous behaviour (2.2) of CRL verification when checking
certificate(s) with no corresponding CRL.

Submitted by: ylavic
Reviewed by: icing, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748338 13f79535-47bb-0310-9956-ffa450edef68
2016-06-13 23:48:39 +00:00
30deadd1bd Merge r1587607, r1588868 from trunk:
mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling.  See
mod_ssl_openssl.h.

This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.


Initialize post_handshake_rc for case where a failure has
already occurred (doesn't change execution but avoids warning
with some levels of gcc).

Pointed out by: kbrand

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735886 13f79535-47bb-0310-9956-ffa450edef68
2016-03-20 15:51:49 +00:00
c7459fa0d6 Merge r1720129, r1723295, r1733088, r1733089 from trunk:
* mod_ssl: Free dhparams when getting DH params. This fixes issue when
  SSLCryptoDevice does not get unregistered because of non-zero refcount
  during the mod_ssl unload happening on httpd startup.


mod_ssl: follow up to r1720129.
Free ecparams read from certificate file(s) on startup.

Follow up to r1720129 and r1723295: CHANGES entry.

Rephrase r1733088 since leaking means horrible things in cryptography.
This is not a security fix :p
Submitted by: jkaluza, ylavic, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735770 13f79535-47bb-0310-9956-ffa450edef68
2016-03-19 13:26:25 +00:00
aded325d60 Add APLOGNO, first chunk (those that were
detected by coccinelle).

There are some more but they are easier to
backport once these here are applied.

Backport of r1725392, r1725394, r1725395
and r1725468 from trunk.

Submitted by: rjung
Reviewed by: jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729495 13f79535-47bb-0310-9956-ffa450edef68
2016-02-09 23:09:24 +00:00
ecf6758840 merge r1703952 from trunk
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:50:30 +00:00
181e083ddb merge r1702643 from trunk
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:42:54 +00:00
b0dc766b75 merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:31:43 +00:00
7475aa0909 Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:
adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of directly calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
  Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener


http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>
Reviewed by: ylavic


c89


Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows


final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705672 13f79535-47bb-0310-9956-ffa450edef68
2015-09-28 12:31:37 +00:00
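The CVE-2014-0117 part of the merge above replaces ad hoc handling of the Connection header with a strict token-list parse and a 400 for anything malformed. The following is an added example, not httpd's code: it implements the RFC 7230 `#token` grammar that ap_parse_token_list_strict() enforces (it models that grammar rather than transcribing the C function; treatment of empty list elements is an assumption, here they are rejected) and shows the consumer that matters to a proxy, dropping every header named in Connection before the message is forwarded. The header values are constructed for the example.

```python
"""Added example (not httpd's code): strict parsing of the Connection header
and removal of the hop-by-hop headers it names, failing closed with a 400."""
import re

# tchar from RFC 7230 section 3.2.6: the only characters allowed in a token.
# fullmatch() is used below so a trailing CR/LF can never slip past '$'.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_token_list_strict(value):
    """Parse a '#token' field value such as 'keep-alive, Upgrade'.

    Elements are comma separated with optional SP/HTAB around them. Anything
    else (an empty element, whitespace inside a token, quotes, control or
    non-ASCII characters) raises ValueError instead of being guessed at.
    Rejecting empty elements is stricter than the legacy list rule in
    RFC 7230 section 7; that is a deliberate fail-closed choice here.
    """
    tokens = []
    for element in value.split(","):
        token = element.strip(" \t")
        if not _TOKEN_RE.fullmatch(token):
            raise ValueError("malformed token list element: %r" % element)
        tokens.append(token)
    return tokens


def is_well_formed_token_list(value):
    """True if parse_token_list_strict() accepts value, False otherwise."""
    try:
        parse_token_list_strict(value)
    except ValueError:
        return False
    return True


def strip_hop_by_hop(headers):
    """Return (status, forwardable_headers) for a proxied message.

    headers is a list of (name, value) pairs. Every header named in a
    Connection field is hop-by-hop and must not be forwarded (RFC 7230
    section 6.1), and neither is Connection itself. A malformed Connection
    field yields (400, None): the message is rejected, not relayed.
    """
    hop_by_hop = {"connection"}
    for name, value in headers:
        if name.lower() == "connection":
            try:
                hop_by_hop.update(t.lower() for t in parse_token_list_strict(value))
            except ValueError:
                return 400, None
    kept = [(n, v) for n, v in headers if n.lower() not in hop_by_hop]
    return 200, kept


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    good = [("Host", "example.com"),
            ("Connection", "Upgrade, HTTP2-Settings"),
            ("Upgrade", "h2c"),
            ("HTTP2-Settings", "AAMAAABkAARAAAAAAAIAAAAA"),
            ("Accept", "*/*")]
    print(strip_hop_by_hop(good))   # Host and Accept survive, the rest is dropped
    bad = [("Host", "example.com"), ("Connection", "keep alive, close")]
    print(strip_hop_by_hop(bad))    # (400, None): space inside a token
```

The point of parsing strictly before acting is that the same list drives what gets removed from the forwarded message; a lenient parser that "recovers" from a malformed element is also deciding, on the attacker's input, which headers reach the other side.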
fb5c0d5f14 mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
EC_KEY_free, otherwise eckey will not be freed.

Backports: r1666363
Author: jkaluza
Reviewed by: rjung, ylavic, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682074 13f79535-47bb-0310-9956-ffa450edef68
2015-05-27 16:33:10 +00:00
8ad013bf7b Merge r1679470 from trunk:
mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679989 13f79535-47bb-0310-9956-ffa450edef68
2015-05-18 11:07:07 +00:00
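Two of the commits above touch where mod_ssl puts its "!aNULL:!eNULL" exclusions: r1679470 prepends them to the built-in default list, while r1702643 moves them from the front to the back of an administrator's SSLCipherSuite value so that OpenSSL's SUITEB* keywords, which OpenSSL only honours in first position, keep working. The following is an added example, not mod_ssl's code, that feeds the three resulting strings to OpenSSL through Python's ssl module and shows what each one actually selects. It assumes Python is linked against OpenSSL 1.1.1 or later with EC support; the default list "HIGH:MEDIUM:!MD5:!RC4:!3DES" is a stand-in assumption, not necessarily httpd's SSL_DEFAULT_CIPHER_LIST.

```python
"""Added example (not mod_ssl's code): how the position of the exclusions in
an OpenSSL cipher string changes what OpenSSL selects."""
import ssl

EXCLUSIONS = "!aNULL:!eNULL:!EXP"


def prepend_exclusions(configured):
    """Behaviour of 2.4.7 through 2.4.16 that r1702643 replaces: exclusions in
    front of the administrator's SSLCipherSuite value."""
    return EXCLUSIONS + ":" + configured


def append_exclusions(configured):
    """Behaviour after r1702643: exclusions after the administrator's value,
    so a SUITEB* keyword stays first, where OpenSSL requires it."""
    return configured + ":" + EXCLUSIONS


def harden_default(default_list):
    """r1679470: the built-in default is an alias list, never a SUITEB string,
    so it is safe to prefix. Recent OpenSSL already refuses aNULL suites at
    security level 1 and above; the prefix covers builds that do not."""
    return "!aNULL:!eNULL:" + default_list


def select_ciphers(cipher_string):
    """Hand cipher_string to OpenSSL via a fresh context and return the
    TLS 1.2-and-below cipher names it accepted, or None if OpenSSL rejected
    the string ("no cipher match"). A fresh context per call matters: once
    OpenSSL has seen a SUITEB keyword it keeps that context in Suite B mode
    for later cipher strings too. TLS 1.3 suites (TLS_...) are configured
    separately from the cipher string and are filtered out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


if __name__ == "__main__":
    for s in (prepend_exclusions("SUITEB128"),   # SUITEB128 not first: ignored, nothing left
              append_exclusions("SUITEB128"),    # Suite B: the two ECDHE-ECDSA GCM suites
              harden_default("HIGH:MEDIUM:!MD5:!RC4:!3DES")):
        print(s, "->", select_ciphers(s))
```

The same check from the command line is `openssl ciphers -v 'SUITEB128:!aNULL:!eNULL:!EXP'` against `openssl ciphers -v '!aNULL:!eNULL:!EXP:SUITEB128'`: the first lists the Suite B ciphers, the second fails with "no cipher match", because OpenSSL treats an unrecognised word such as a non-leading SUITEB128 as a no-op and the exclusions alone enable nothing.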