* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add
X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions
permitted for "optional_no_ca" mode.
Submitted by: Naveen Albert <apache2 phreaknet.org>
PR: 60028
Github: closes#509
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926714 13f79535-47bb-0310-9956-ffa450edef68
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes#377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925979 13f79535-47bb-0310-9956-ffa450edef68
Fixes a regression from 2.4.59 (r1913907).
For a reverse proxy setup with a worker (enablereuse=on) and a
forward/CONNECT ProxyRemote to reach it, an open connection/tunnel
to/through the remote proxy for the same origin server (and using the
same proxy auth) should be reusable. Avoid closing them like r1913534
did.
* modules/proxy/proxy_util.c:
Rename the struct to remote_connect_info since it's only used for
connecting through remote CONNECT proxies. Axe the use_http_connect
field, always true.
* modules/proxy/proxy_util.c(ap_proxy_connection_reusable):
Remote CONNECT (forward) proxy connections can be reused if the auth
and origin server infos are the same, so conn->forward != NULL is not
a condition to prevent reusability.
* modules/proxy/proxy_util.c(ap_proxy_determine_connection):
Fix the checks around conn->forward reuse and connection cleanup if
that's not possible.
Submitted by: jfclere, ylavic
GH: closes#531
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925743 13f79535-47bb-0310-9956-ffa450edef68
Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".
With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with \"httpd -t -f httpd.conf\".
Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes#523
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68
- Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924145 13f79535-47bb-0310-9956-ffa450edef68
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923148 13f79535-47bb-0310-9956-ffa450edef68
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1922279 13f79535-47bb-0310-9956-ffa450edef68
has global effect.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd):
Disallow use within vhost context.
PR: 69397
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68
This completes the option of setting the remote user by the authentication
mechanism which actually verified the user.
One possible usecase is that a proxied (upstream) server performs the
authentication, but the access log of HTTPd does not contain this information.
The upstream server can pass this kind of information back to HTTPd and both
servers will have consistent access logs.
Submitted by: Michael Osipov <michaelo apache.org>
PR: 62497
Github: closes#67
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921260 13f79535-47bb-0310-9956-ffa450edef68
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920747 13f79535-47bb-0310-9956-ffa450edef68
via the ENGINE API without SSLCryptoDevice configured.
* modules/ssl/ssl_engine_pphrase.c
(modssl_load_keypair_engine): Return APR_ENOTIMPL if the ENGINE
could not be loaded for the key.
(modssl_load_engine_keypair): Always try loading via ENGINE
(as prior to r1914365) but fall back to the STORE API for
the new APR_ENOTIMPL case.
Github: closes#480
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920597 13f79535-47bb-0310-9956-ffa450edef68
enough not space to store the macro. Replaced MAX_STRING_LEN by
sizeof(line).
PR: 69258
Submitted by: Marc Stern <marc.stern approach-cyber.com>
Github: closes#479
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920588 13f79535-47bb-0310-9956-ffa450edef68
When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by
mod_proxy still, notably to handle any "unix:" local socket part.
To avoid double encoding in perdir context, a follow up commit should remove the
ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize,
per PR 69260.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920570 13f79535-47bb-0310-9956-ffa450edef68
Before r1918550 (r1918559 in 2.4.60), "SetHandler proxy:..." configurations
did not pass through proxy_fixup() hence the proxy_canon_handler hooks, leaving
fcgi's SCRIPT_FILENAME environment variable (from r->filename) decoded, or more
exactly not re-encoded.
We still want to call ap_proxy_canon_url() for "fcgi:" to handle/strip the UDS
"unix:" case and check that r->filename is valid and contains no controls, but
proxy_fcgi_canon() will not ap_proxy_canonenc_ex() thus re-encode anymore.
Note that this will do the same for "ProxyPass fcgi:...", there is no reason
that using SetHandler or ProxyPass don't result in the same thing. If an opt
in/out makes sense we should probably look at ProxyFCGIBackendType.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919620 13f79535-47bb-0310-9956-ffa450edef68
With "ProxyPassMatch ^/([^/]+)/(.*)$ https://$1/$2", ap_proxy_get_worker_ex()
should not consider the length of scheme://host part of the given URL because
of the globbing match on the host part.
Fix it by setting worker->s>is_host_matchable when creating a worker with host
substitution and avoiding the min_match check in worker_matches() in this case.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919617 13f79535-47bb-0310-9956-ffa450edef68
in <Location> (incomplete fix in 2.4.62). PR 69160.
When SetHandler "unix:..." is used in a <Location "/path"> block, the path
gets appended (including $DOCUMENT_ROOT somehow) to r->filename hence the
current checks in fixup_uds_filename() to add "localhost" when missing don't
work. Fix them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919532 13f79535-47bb-0310-9956-ffa450edef68
Track in do_expand() whether a '?' in the uri-path comes from a literal in
the substitution string or from an expansion (variable, lookup, ...).
In the former case it's safe to assume that it's the query-string separator
but for the other case it's not (could be a decoded %3f from r->uri).
This allows to avoid [UnsafeAllow3F] for most cases.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919325 13f79535-47bb-0310-9956-ffa450edef68
"balancer:" URLs set via SetHandler, also allowing for "unix:"
sockets with BalancerMember(s). PR 69168.
* modules/proxy/proxy_util.h, modules/proxy/proxy_util.c:
Move proxy_interpolate() from mod_proxy.c to ap_proxy_interpolate(),
exported locally only (non public).
Move proxy_fixup() from mod_proxy.c to ap_proxy_canon_url(), exported
locally only too (non public).
Rollback ap_proxy_fixup_uds_filename() to a local fixup_uds_filename()
usable from proxy_util.c only. The public function will be removed in
a following commit.
* modules/proxy/mod_proxy.h:
Note that ap_proxy_fixup_uds_filename() is deprecated.
* modules/proxy/mod_proxy.c:
Just use ap_proxy_canon_url() from proxy_fixup() and proxy_handler()
for SetHandler URLs.
* modules/proxy/mod_proxy_balancer.c:
Do not canonicalize the path from proxy_balancer_canon() anymore but
rather from balancer_fixup() where the balancer URL is rewritten to
the BalancerMember URL.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919022 13f79535-47bb-0310-9956-ffa450edef68
The hostname part of the URL is not mandated for UDS though the canon_handler
hooks will require it, so add "localhost" if it's missing (won't be used anyway
for an AF_UNIX socket).
This can trigger with SetHandler "unix:" URLs which are now also fixed up.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919015 13f79535-47bb-0310-9956-ffa450edef68