Joe Orton [Mon, 25 Feb 2008 21:28:09 +0000 (21:28 +0000)]
Session cache interface redesign, Part 5:
Use the ap_provider interface for session cache storage providers.
* modules/ssl/mod_ssl.c (modssl_register_scache): New function.
(ssl_register_hooks): Call it.
* modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP
and MODSSL_SESSCACHE_PROVIDER_VERSION constants.
Remove ssl_scmode_t type. Change nSessionCacheMode in
SSLModConfigRec into a long sesscache_mode, storing the OpenSSL
SSL_SESS_CACHE_* flags directly.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set
sesscache_mode to SSL_SESS_CACHE_OFF by default.
(ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured
session cache by provider name. Set mc->sesscache_mode for
configured providers.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the
configured mode flags directly from mc->sesscache_mode.
Joe Orton [Mon, 25 Feb 2008 20:09:38 +0000 (20:09 +0000)]
Session cache interface redesign, Part 4:
Move provider-specific configuration handling down into the provider
code. Eliminate all use of SSLModConfigRec within provider code.
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add 'create'
function which creates and configures the cache provider, before
initialisation. Change 'init' function to take the context pointer
as an input parameter, and reorder to be first.
* modules/ssl/ssl_scache_memcache.c (struct context): Add servers
field.
(ssl_scache_mc_create): New function.
(ssl_scache_mc_init): Use servers from context not SSLModConfigRec.
* modules/ssl/ssl_scache_dbm.c (struct context): Define.
(ssl_scache_dbm_create): New function.
(ssl_scache_dbm_init, ssl_scache_dbm_kill): Adjust to use filename
and pool from context.
(ssl_scache_dbm_store, ssl_scache_dbm_retrieve,
ssl_scache_dbm_status): Use filename from context. Use context pool
for temp storage of the DBM object, and clear before use.
(ssl_scache_dbm_expire): Remove static tLast; use last_expiry from
context. Use context pool for temp storage and clear before use.
* modules/ssl/ssl_scache_dc.c (struct context): Add target field.
(ssl_scache_dc_init, ssl_scache_dc_status): Use target from context.
* modules/ssl/ssl_scache_shmcb.c (struct context): Add data_file,
shm_size fields.
(ssl_scache_shmcb_create): New function; moved argument parsing
logic from ssl_cmd_SSLSessionCache
(ssl_scache_shmcb_init, ssl_scache_shmcb_status): Use config from
context.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Remove
handling of old provider-specific fields.
(ssl_cmd_SSLSessionCache): Call provider ->create function to parse
the argument and create provider-specific context structure.
Joe Orton [Mon, 25 Feb 2008 14:18:32 +0000 (14:18 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_FindCAList): Cast return
value of sk_X509_NAME_set_cmp_func to void, to avoid warnings with
recent version of OpenSSL.
Ruediger Pluem [Fri, 22 Feb 2008 22:58:42 +0000 (22:58 +0000)]
* Second part of fix for PR 44402:
- Fix the same race condition in event MPM.
- Slightly optimize code in worker MPM by removing the need for an additional
dereference operation.
- Do some word smithing on the CHANGES entry.
Joe Orton [Fri, 22 Feb 2008 21:09:40 +0000 (21:09 +0000)]
Session cache interface redesign, Part 3:
Move provider-private context out of SSLModConfigRec and into an
opaque context pointer. Use real error propagation in the ->init
functions rather than ssl_die().
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Take a
context out-parameter from ->init, and return an apr_status_t.
Add context pointer as first arg for the other function types.
(SSLModConfigRec): Remove tSessionCacheData* fields; add
sesscache_context field.
* modules/ssl/ssl_scache.c (ssl_scache_init): Move once-per-process
invocation check back into here.
(ssl_scache_*): Adjust to use context pointer.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_dc.c,
modules/ssl/ssl_scache_dbm.c: Adjust all implementations to use
opaque context pointer.
* modules/ssl/ssl_scache_memcache.c: Move memcache context into the
context structure rather than using global state.
* modules/ssl/ssl_engine_config.c: Remove handling of
pSessionCacheData* fields in SSLModConfigRec.
Joe Orton [Fri, 22 Feb 2008 19:58:39 +0000 (19:58 +0000)]
Move SSL session data deserialization up out of the session cache
storage providers; includes a significant change to the shmcb storage
structure:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
retrieve function to take dest/destlen output buffer, to take a
constant id paramater, and to return a BOOL.
* modules/ssl/ssl_scache_shmcb.c: Store the whole ID in the cache
before the data, so that each index can be compared against the
requested ID without deserializing the data. This requires approx
20% extra storage per session in the common case, though should
reduce CPU overhead in some retrieval paths.
(SHMCBIndex): Replace s_id2 field with id_len.
(shmcb_cyclic_memcmp): New function.
(ssl_scache_shmcb_init): Change the heuristics to allow for increase
in per-session storage requirement.
(ssl_scache_shmcb_retrieve): Drop requirement on ID length.
(shmcb_subcache_store): Store the ID in the cyclic buffer.
(shmcb_subcache_retrieve, shmcb_subcache_remove): Compare against
the stored ID rather than deserializing the data.
(ssl_scache_shmcb_retrieve, ssl_scache_shmcb_store): Update
accordingly.
Joe Orton [Fri, 22 Feb 2008 12:00:49 +0000 (12:00 +0000)]
Move SSL session data serialization up out of the session cache
storage providers:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
'store' interface to take a data/length pair rather than an
SSL_SESSION pointer.
* modules/ssl/ssl_scache.c (ssl_scache_store): Serialize the SSL
session here and pass down the raw DER.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c,
modules/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Adjust ->store
implementations accordingly, removing the four sets of identical
code doing the i2d dance.
Joe Orton [Fri, 22 Feb 2008 11:36:51 +0000 (11:36 +0000)]
Re-implement the SSL session cache abstraction using a vtable; first
step towards use of the ap_provider interface:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new
vtable type.
(SSLModConfigRec): Reference the vtable here.
Replace all the ssl_scache_* prototypes with provider vtable objects.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove,
ssl_ext_status_hook): Use callbacks from vtable rather than ifdef
spaghetti.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache):
Only install the OpenSSL callbacks if a vtable is configured.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up
vtable pointer.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make
implementations static, and add vtable definition.
* modules/ssl_scache_shmcb.c: Likewise; also move the init
one-per-process requirement down here.
* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local
subpool in the store callback.
Eric Covener [Wed, 20 Feb 2008 21:17:17 +0000 (21:17 +0000)]
*) mod_charset_lite: Add ForceAllMimeTypes sub-option to
CharsetOptions, allowing the administrator to skip the
mimetype checking that precedes translation.
PR 44458 [Eric Covener]
Jim Jagielski [Thu, 14 Feb 2008 13:16:52 +0000 (13:16 +0000)]
This is really really out of date... try to refresh it;
remove the current "list" of people for now, maybe add link
to httpd.apache.org or http://people.apache.org/~jim/projects.html#httpd
instead
Kasper Brand came across a flaw in the current implementation when CRL
information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set
on a per-vhost basis (don't know how much sense it makes to have
non-global CRLs, but anyway...).
The attached patch (47B2B1A7.1060009@velox.ch on httpd-dev) addresses
this issue, and it also improves the logging behavior for an SNI
enabled configuration (previously some of the messages would
always go to the first vhost, or wouldn't appear at
all, depending on the LogLevel of the first vhost).
Addition of a test script which creates a Sample/test configuration for installations
that wants to support SNI. Primarily done as a lot of web developers find the creation
of certificates hard - and do not want to go to the expense of sourcing a handful
from a well-known CA just for testing and experimenting.
Also update the CHANGES log with the word 'SNI' as to make googling it easier.
Return a little bit more error information when, say a disk is full or something gets write protected. Note that in some cases mod_cache.c will_also_ log a 'cache: store_headers failed' subsequently.
Sub-requests are created and used with two purposes; sometimes
simply to 'see' what a request would do; as to fill out an SSI,
validate access or similar - and is then discarded. And sometimes
as the precursor to becoming the actual request; e.g. when mod_dir
checks if an /index.html can be served for a '/'.
In the latter case it is important to preserve the output filters
'for real'; whereas in the first case they have to be reset to
purely the minimal proto filters (if at all). This patch instates
the output filters in 3 cases where sub-requests are/may in fact
be used as the real request later on.
This is a relatively risky change (which should not be back-ported
without further discussion) and may break caches in combination
with internal redirects/vary/negotiation in subtle ways.
See the thread starting at [1] and in particular the general
concerns of rpluem at [2] with respect to sub requests
and (fast_)internal redirects possibly needing a more
thorough overhaul.
Paul J. Reder [Wed, 23 Jan 2008 18:14:41 +0000 (18:14 +0000)]
This adds Apache support (taking advantage of the new APR capability)
for ldap rebind callback while chasing referrals. This allows direct
searches on LDAP servers (in particular MS Active Directory 2003+)
using referrals without the use of the global catalog.
This addresses PRs 26538, 40268, and 42557
Joe Orton [Fri, 18 Jan 2008 20:49:46 +0000 (20:49 +0000)]
* server/mpm_common.c (reclaim_one_pid): Retrieve the exit status from
apr_proc_wait(); call ap_process_child_status() for children which
terminate, to ensure that abnormal exits (e.g. SIGSEGV) are logged.
Joe Orton [Fri, 18 Jan 2008 20:31:28 +0000 (20:31 +0000)]
* server/mpm/prefork/prefork.c (child_main): If apr_pollset_poll()
fails with EINTR and die_now has been set (indicating a graceful
stop/restart), terminate the child quickly rather than re-entering
poll().
Noirin Plunkett [Wed, 16 Jan 2008 15:31:07 +0000 (15:31 +0000)]
Tidying up the SSL FAQ, incorporating changes suggested by Lucien Gentis
http://mail-archives.apache.org/mod_mbox/httpd-docs/200801.mbox/raw/%3c478A1806.1090307@lorraine.iufm.fr%3e
projects / apache / log