Ruediger Pluem [Fri, 22 Feb 2008 22:58:42 +0000 (22:58 +0000)]
* Second part of fix for PR 44402:
- Fix the same race condition in event MPM.
- Slightly optimize code in worker MPM by removing the need for an additional
dereference operation.
- Do some word smithing on the CHANGES entry.
Joe Orton [Fri, 22 Feb 2008 21:09:40 +0000 (21:09 +0000)]
Session cache interface redesign, Part 3:
Move provider-private context out of SSLModConfigRec and into an
opaque context pointer. Use real error propagation in the ->init
functions rather than ssl_die().
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Take a
context out-parameter from ->init, and return an apr_status_t.
Add context pointer as first arg for the other function types.
(SSLModConfigRec): Remove tSessionCacheData* fields; add
sesscache_context field.
* modules/ssl/ssl_scache.c (ssl_scache_init): Move once-per-process
invocation check back into here.
(ssl_scache_*): Adjust to use context pointer.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_dc.c,
modules/ssl/ssl_scache_dbm.c: Adjust all implementations to use
opaque context pointer.
* modules/ssl/ssl_scache_memcache.c: Move memcache context into the
context structure rather than using global state.
* modules/ssl/ssl_engine_config.c: Remove handling of
pSessionCacheData* fields in SSLModConfigRec.
Joe Orton [Fri, 22 Feb 2008 19:58:39 +0000 (19:58 +0000)]
Move SSL session data deserialization up out of the session cache
storage providers; includes a significant change to the shmcb storage
structure:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
retrieve function to take dest/destlen output buffer, to take a
constant id paramater, and to return a BOOL.
* modules/ssl/ssl_scache_shmcb.c: Store the whole ID in the cache
before the data, so that each index can be compared against the
requested ID without deserializing the data. This requires approx
20% extra storage per session in the common case, though should
reduce CPU overhead in some retrieval paths.
(SHMCBIndex): Replace s_id2 field with id_len.
(shmcb_cyclic_memcmp): New function.
(ssl_scache_shmcb_init): Change the heuristics to allow for increase
in per-session storage requirement.
(ssl_scache_shmcb_retrieve): Drop requirement on ID length.
(shmcb_subcache_store): Store the ID in the cyclic buffer.
(shmcb_subcache_retrieve, shmcb_subcache_remove): Compare against
the stored ID rather than deserializing the data.
(ssl_scache_shmcb_retrieve, ssl_scache_shmcb_store): Update
accordingly.
Joe Orton [Fri, 22 Feb 2008 12:00:49 +0000 (12:00 +0000)]
Move SSL session data serialization up out of the session cache
storage providers:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
'store' interface to take a data/length pair rather than an
SSL_SESSION pointer.
* modules/ssl/ssl_scache.c (ssl_scache_store): Serialize the SSL
session here and pass down the raw DER.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c,
modules/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Adjust ->store
implementations accordingly, removing the four sets of identical
code doing the i2d dance.
Joe Orton [Fri, 22 Feb 2008 11:36:51 +0000 (11:36 +0000)]
Re-implement the SSL session cache abstraction using a vtable; first
step towards use of the ap_provider interface:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new
vtable type.
(SSLModConfigRec): Reference the vtable here.
Replace all the ssl_scache_* prototypes with provider vtable objects.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove,
ssl_ext_status_hook): Use callbacks from vtable rather than ifdef
spaghetti.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache):
Only install the OpenSSL callbacks if a vtable is configured.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up
vtable pointer.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make
implementations static, and add vtable definition.
* modules/ssl_scache_shmcb.c: Likewise; also move the init
one-per-process requirement down here.
* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local
subpool in the store callback.
Eric Covener [Wed, 20 Feb 2008 21:17:17 +0000 (21:17 +0000)]
*) mod_charset_lite: Add ForceAllMimeTypes sub-option to
CharsetOptions, allowing the administrator to skip the
mimetype checking that precedes translation.
PR 44458 [Eric Covener]
Jim Jagielski [Thu, 14 Feb 2008 13:16:52 +0000 (13:16 +0000)]
This is really really out of date... try to refresh it;
remove the current "list" of people for now, maybe add link
to httpd.apache.org or http://people.apache.org/~jim/projects.html#httpd
instead
Kasper Brand came across a flaw in the current implementation when CRL
information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set
on a per-vhost basis (don't know how much sense it makes to have
non-global CRLs, but anyway...).
The attached patch (47B2B1A7.1060009@velox.ch on httpd-dev) addresses
this issue, and it also improves the logging behavior for an SNI
enabled configuration (previously some of the messages would
always go to the first vhost, or wouldn't appear at
all, depending on the LogLevel of the first vhost).
Addition of a test script which creates a Sample/test configuration for installations
that wants to support SNI. Primarily done as a lot of web developers find the creation
of certificates hard - and do not want to go to the expense of sourcing a handful
from a well-known CA just for testing and experimenting.
Also update the CHANGES log with the word 'SNI' as to make googling it easier.
Return a little bit more error information when, say a disk is full or something gets write protected. Note that in some cases mod_cache.c will_also_ log a 'cache: store_headers failed' subsequently.
Sub-requests are created and used with two purposes; sometimes
simply to 'see' what a request would do; as to fill out an SSI,
validate access or similar - and is then discarded. And sometimes
as the precursor to becoming the actual request; e.g. when mod_dir
checks if an /index.html can be served for a '/'.
In the latter case it is important to preserve the output filters
'for real'; whereas in the first case they have to be reset to
purely the minimal proto filters (if at all). This patch instates
the output filters in 3 cases where sub-requests are/may in fact
be used as the real request later on.
This is a relatively risky change (which should not be back-ported
without further discussion) and may break caches in combination
with internal redirects/vary/negotiation in subtle ways.
See the thread starting at [1] and in particular the general
concerns of rpluem at [2] with respect to sub requests
and (fast_)internal redirects possibly needing a more
thorough overhaul.
Paul J. Reder [Wed, 23 Jan 2008 18:14:41 +0000 (18:14 +0000)]
This adds Apache support (taking advantage of the new APR capability)
for ldap rebind callback while chasing referrals. This allows direct
searches on LDAP servers (in particular MS Active Directory 2003+)
using referrals without the use of the global catalog.
This addresses PRs 26538, 40268, and 42557
Joe Orton [Fri, 18 Jan 2008 20:49:46 +0000 (20:49 +0000)]
* server/mpm_common.c (reclaim_one_pid): Retrieve the exit status from
apr_proc_wait(); call ap_process_child_status() for children which
terminate, to ensure that abnormal exits (e.g. SIGSEGV) are logged.
Joe Orton [Fri, 18 Jan 2008 20:31:28 +0000 (20:31 +0000)]
* server/mpm/prefork/prefork.c (child_main): If apr_pollset_poll()
fails with EINTR and die_now has been set (indicating a graceful
stop/restart), terminate the child quickly rather than re-entering
poll().
Noirin Plunkett [Wed, 16 Jan 2008 15:31:07 +0000 (15:31 +0000)]
Tidying up the SSL FAQ, incorporating changes suggested by Lucien Gentis
http://mail-archives.apache.org/mod_mbox/httpd-docs/200801.mbox/raw/%3c478A1806.1090307@lorraine.iufm.fr%3e
Eric Covener [Fri, 11 Jan 2008 20:30:23 +0000 (20:30 +0000)]
*) mod_proxy_http: Return HTTP status codes instead of apr_status_t
values for errors encountered while forwarding the request body
PR 44165 [Eric Covener]
projects / apache / log