Stefan Eissing [Mon, 24 Jun 2019 16:04:32 +0000 (16:04 +0000)]
*) mod_md: bringing over v2.0.6 from github.
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
announcement by Let's Encrypt:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
Graham Leggett [Sun, 23 Jun 2019 21:10:23 +0000 (21:10 +0000)]
After reinstatement of DSO support in APR/APR-util, revert r1837437,
r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.
Undoes the following:
mod_ssl: OpenSSL now initializes fully through APR, use that.
mod_ssl: build with LibreSSL.
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitely but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends is LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.
Follow up to r1833368: share openssl between modules.
Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto
can use the same crypto library (e.g. openssl), use the new APR crypto loading
API so that they can work together and initialize/terminate the lib either once
for all or on demand and reusable by the others.
Follow up to r1833368: apr_crypto_prng_after_fork() now used a PID.
Make use of the new apr_crypto_rng API if available.
Joe Orton [Fri, 21 Jun 2019 13:30:17 +0000 (13:30 +0000)]
* configure.in, acinclude.m4: Inline APACHE_GEN_MAKEFILES in AC_CONFIG_COMMANDS
and run during the "normal" phase of ./config.status rather than as init-cmds.
Joe Orton [Thu, 20 Jun 2019 13:00:37 +0000 (13:00 +0000)]
Add an --enable-reduced-exports configure option to link libmain.a
using ld's --whole-archive mode and avoid building exports.c entirely.
This reduces the size of a minimal httpd binary by 18% on Linux/x86_64
(687K to 560K) with no difference to the set of symbols available to
modules.
This option is only appropriate to use if using a shared libapr*
build, hence is non-default.
* configure.in: Add --enable-reduced-exports; disable httpdunit build
if used. Define AP_FORCE_EXPORTS if not enabled (default) in place
of AP_USING_AUTOCONF.
* server/main.c (ap_suck_in_APR): Only build if AP_FORCE_EXPORTS is
defined.
* Makefile.in: Link libmain.la using LIBMAIN_LIB.
* server/Makefile.in: Conditionally build exports.c into libmain.
Eric Covener [Mon, 17 Jun 2019 18:35:24 +0000 (18:35 +0000)]
add RedirectRelative directive to allow relative Redirect targets
2616 forbade relative redirect URLs, but 7231 allows them
Early 2.2 maintenance levels did not fix them up, but later 2.2 and all 2.4
fixed them up with ap_construct_url().
Allow opt-in to not fixing up relative URLs with RedirectRelative
Follow up to r1847232.
There is no point to use "old" numbers in recent commit.
Also avoid number duplication. The messages are the same but in different code path, so having different numbers makes sense.
This also avoids a warning when running:
make update-log-msg-tags
Joe Orton [Thu, 13 Jun 2019 15:34:28 +0000 (15:34 +0000)]
* modules/ssl/ssl_engine_config.c (ssl_cmd_check_file):
If dumping the config, don't validate the paths. Allows
e.g. "httpd -L" to work w/ certs configured but not present,
doesn't affect "httpd -t".
Stefan Eissing [Wed, 22 May 2019 13:41:36 +0000 (13:41 +0000)]
*) mod_http2: internal code cleanups and simplifications. Common output code for
h2 and h2c protocols, using nested mutex locks for simplified calls. [Stefan Eissing]
Ruediger Pluem [Wed, 22 May 2019 09:54:05 +0000 (09:54 +0000)]
* Fix the logic to follow the comment. So far we only forwarded the header if
we have NOT used it AND the env variable was set. But if we have not
used it we should forward it in any case independent of the env variable
setting.
This aligns also with the behaviour in ap_proxy_create_hdrbrgd.
Yann Ylavic [Fri, 17 May 2019 08:42:17 +0000 (08:42 +0000)]
Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.
This function now now handles SSL reuse as well as the "proxy-request-hostname"
note (SNI), so let's also call it unconditionnaly in all proxy modules.
On the mod_ssl side, since this note has the lifetime of the connection, don't
reset/unset it during handshake (ssl_io_filter_handshake).
Arrange balancer_handler() to be able to call
balancer_process_balancer_worker() to create/enable/disable
workers from another modules via a provider.
No functional changes in this first commit.
Joe Orton [Thu, 18 Apr 2019 10:25:33 +0000 (10:25 +0000)]
Fix use of StateDir directive after r1852982:
* server/core.c (reset_config): Rename from reset_config_defines;
tie core_state_dir to pconf lifetime in this cleanup.
(core_pre_config): Adjust accordingly.
* modules/md/mod_md_config.c (md_config_post_config): Pick up base_dir
from statedir in post-config phase so StateDir can influence it.
* modules/dav/fs/mod_dav_fs.c (dav_fs_create_server_config): Don't
init lockdb_path here. (dav_fs_post_config): New function; set
lockdb_path based on configured statedir.
r1853901 lowercased the [stage] for MRT_DEFAULT_[stage]_* macros but missed
to change the ones used in reqtimeout_hooks() to initialize the default rate
factors, leading to no default rate in 2.4.39. Fix that now. PR 63325.
Stefan Eissing [Tue, 26 Mar 2019 10:57:51 +0000 (10:57 +0000)]
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
Stefan Eissing [Mon, 18 Mar 2019 16:05:04 +0000 (16:05 +0000)]
*) mod_md: Explicitly setting file permissions to break out of umasks. We want our
non-privilegded apache user to be able to read them. See github issue
<https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
Ruediger Pluem [Mon, 18 Mar 2019 10:18:55 +0000 (10:18 +0000)]
* Solve a chicken and egg problem here:
We need to have sslconn->dc set correctly when we want to
init sslconn, but we need to allocate memory for it first.
Yann Ylavic [Sat, 16 Mar 2019 13:45:17 +0000 (13:45 +0000)]
mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
The SSL dir config of proxy/backend connections is stored in r->per_dir_config
but those connections have a lifetime independent of the requests they handle.
So we need to allow the external ssl_engine_set() function to reset mod_ssl's
dir config in between proxy requests, or the first sslconn->dc could be used
after free for the next requests.
mod_proxy can then reset/reinit the request config when recycling its backend
connections.
projects / apache / log