Stefan Eissing [Mon, 5 Nov 2018 10:37:32 +0000 (10:37 +0000)]
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play. Fixes PR 62880. [Michael Kaufmann]
Yann Ylavic [Sun, 28 Oct 2018 20:55:43 +0000 (20:55 +0000)]
Revert r1844928 and follow up r1844942.
Actually *len can be > 0 here, at least without a change I'm working on but now
think should be discussed first probably. Anyway r1844928 alone is broken, just
rollback for now.
Luca Toscano [Sat, 20 Oct 2018 09:21:47 +0000 (09:21 +0000)]
mod_headers.xml: clarify the difference between
onsuccess vs always
In PR 62380 a user was confused why Header set always
was not overriding a header set by a HTTP backend managed
via mod_proxy_http. The difference between 'onsuccess'
and 'always' is really subtle, even if somebody is familiar
with r->headers_out and r->err_headers_out and the httpd's
internals.
As Stefan mentioned over email, the absence of a "normalized"
headers list in the response should be explained, so I tried to
do so in this commit.
Ruediger Pluem [Tue, 16 Oct 2018 12:55:01 +0000 (12:55 +0000)]
* Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.
The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.
This fixes a regression likely introduced in r1740928.
Rainer Jung [Mon, 15 Oct 2018 21:14:21 +0000 (21:14 +0000)]
SSL_read() doesn't distinguish between return value 0 and <0,
at least not for OpenSSL 1.1.1. This is documented in the man
page for SSL_read and let to h2 failures when using OpenSSL 1.1.1.
When no data could be read, our code returned EAGAIN up until
OpenSSL 1.1.0, but APR_EOF for OpenSSL 1.1.1.
Now instead check SSL_get_error() also when SSL_read() returns 0.
To keep changes small, this change should not influence behavior,
when (rc=SSL_read()):
- rc < 0
- rc == 0 && *len > 0
- rc == 0 &&
(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) &&
inctx->block == APR_NONBLOCK_READ
Behavior changes if
- rc == 0 &&
!(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) &&
!*len > 0
Instead of APR_EOF:
- same behavior as rc < 0 for SSL_ERROR_WANT_READ
- same behavior as rc < 0 for SSL_ERROR_SYSCALL && APR_STATUS_IS_EAGAIN(inctx->rc)
Another change is that rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN
also results in APR_EOF.
Ruediger Pluem [Mon, 15 Oct 2018 19:25:20 +0000 (19:25 +0000)]
* Ensure that aborted connections are logged as such.
Set c->aborted before apr_brigade_cleanup to have the correct status
when logging the request as apr_brigade_cleanup triggers the logging
of the request if it contains an EOR bucket.
Luca Toscano [Sat, 13 Oct 2018 12:10:49 +0000 (12:10 +0000)]
md_acme_drive.c: remove unused variable
Compiling in maintainer mode leads to a failure
due to challenges_configured initialized but
not used. Removing it seems harmless, Stefan
please let me know if this is not the case.
Stefan Eissing [Thu, 11 Oct 2018 11:22:55 +0000 (11:22 +0000)]
On the trunk:
mod_md: eliminating compiler warnings re signedness and unused. Adding a APLOG_WARNING
when the only available ACME challenge is "tls-sni-01" since Let's Encrypt will
disable that completely beginning of 2019.
Eric Covener [Wed, 10 Oct 2018 21:47:53 +0000 (21:47 +0000)]
mpm_event: avoid AH00484 with idle threads
mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
there are still idle threads available. When there are less idle threads than
MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
Stefan Eissing [Wed, 10 Oct 2018 11:35:48 +0000 (11:35 +0000)]
mod_http2: adding defensive code for stream EOS handling, in case the request handler
missed to signal it the normal way (eos buckets). Addresses github issues
https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
and https://github.com/icing/mod_h2/issues/170.
Luca Toscano [Tue, 9 Oct 2018 12:29:08 +0000 (12:29 +0000)]
mod_session_cookie: avoid adding the Set-Cookie header
in both r->headers_out and r->err_headers_out
to avoid duplication.
In session_cookie_save it seems that ap_cookie_write is called
with r->headers_out and r->err_headers_out, ending up in the same
Set-Cookie header on both tables and eventually duplicated in the
HTTP response. I took Emmanuel's patch and trimmed out the bits
that remove the header only from r->err_headers_out (leaving it
to do the work on both tables) as attempt to change this bit of code
in the most conservative way as possible. Sending a commit for
a broader review.
Evgeny Kotkov [Tue, 9 Oct 2018 12:16:08 +0000 (12:16 +0000)]
mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses allowing these modules to properly set or fix-up the response
headers such as Vary or ETag.
This change follows up on r1837056 that disabled that special handling and
thus resulted in a potential violation of RFC7232, 4.1:
The server generating a 304 response MUST generate any of the following
header fields that would have been sent in a 200 (OK) response to the
same request: Cache-Control, Content-Location, Date, ETag, Expires,
and Vary.)
Joe Orton [Fri, 5 Oct 2018 12:06:27 +0000 (12:06 +0000)]
* modules/ldap/util_ldap_cache_mgr.c (util_ald_create_caches): Destroy
rather than leak caches if all three cannot be allocated (Coverity
warning). Remove unnecessary pointer.
Joe Orton [Fri, 5 Oct 2018 10:17:18 +0000 (10:17 +0000)]
* modules/slotmem/mod_slotmem_shm.c (restore_slotmem): Remove
redundant assignment (clang warning), the apr_file_eof(fp)=>APR_EOF
case assigns rv to APR_EOF and then to APR_SUCCESS after already.
Ruediger Pluem [Mon, 1 Oct 2018 18:21:18 +0000 (18:21 +0000)]
* Pickup the proxy related configuration for verify mode and verify depth and
not the configuration settings for frontend connections in case of
connections by the proxy to the backend.
* dav_stream_response processes data that has been allocated from the propdb
pool. Hence close the propdb *after* dav_stream_response which clears thei
probdb pool.
* Doing a PROPFIND on a large collection e.g. 50.000 elements can easily
consume 1 GB of memory as the subrequests and propdb pools are not
destroyed and cleared after each element was handled.
Do this now. There is one case in dav_get_props where elem->priv
lives longer then the propdb pool. In this case allocate from r->pool.
Furthermore also recycle propdb's which allows to clear the propdb's
pools instead of destroying them and creating them again.
Joe Orton [Tue, 18 Sep 2018 11:05:43 +0000 (11:05 +0000)]
* modules/ssl/ssl_engine_kernel.c (ssl_check_post_client_verify):
Retrieve and set sslconn->client_cert here for both "modern" and
classic access control.
(ssl_hook_Access_classic, ssl_hook_Access_modern, ssl_hook_Access):
Restore SSLRequire and FakeBasicAuth checks to ssl_hook_Access so tests
are still applied for TLSv1.3.
Joe Orton [Wed, 12 Sep 2018 15:54:24 +0000 (15:54 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
post-handshake authentication.
(ssl_init_proxy_certs): Fix proxy client cert support with
TLSv1.3, which is now crippled by default.
Follow up to r1840265: really privatize ap_filter_{recycle,adopt_brigade}().
Move ap_filter_adopt_brigade()'s declaration to "server/core.h" (private).
For ap_filter_recycle(), make it static/internal to util_filter (renamed to
recycle_dead_filters() which better fits what it does). It's now also called
unconditionally from ap_filter_input_pending() which itself is always called
after the request processing and from MPM event (as input_pending hook).
Joe Orton [Tue, 11 Sep 2018 16:01:47 +0000 (16:01 +0000)]
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
projects / apache / log