mod_substitute: follow up r1684900.
Introduce the SubstituteInheritBefore directive to configure the merge order.
This allows preserving 2.4 and earlier behaviour.
mod_substitute: follow up to r1687539.
Use tristate single inherit_before variable instead of two, according to
wrowe's advice.
mod_substitute: follow up to r1687680.
Fix dir config merger 'over'-write, thanks Bill (again).
Very difficult to read, and therefore was wrong.
Assert that the SubstituteInheritBefore option was explicitly toggled,
and do not default in 2.x to this legacy behavior.
Optimize in all cases that the members are all explicitly initialized.
Useful for 2.2 and 2.4, but trunk will require the subsequent patch.
Increase legibility of the max_line_length behavior, and adjust for
the requirement that all members are initialized explicitly due to
the previous patch.
Net -8 LoC, my usual specialty.
This didn't need to be reinvented; please use established helpers.
mod_substitute: follow up r1688339.
SubstituteInheritBefore is the default in 2.5.x but wasn't for earlier versions.
mod_substitute: follow up r1697013.
Update the doc.
Submitted by: niq, ylavic, ylavic, ylavic, wrowe, wrowe, wrowe, wrowe, ylavic, ylavic
Reviewed/backported by: jim
Daniel Gruno [Sat, 3 Oct 2015 09:47:27 +0000 (09:47 +0000)]
Backport r1706533 to 2.4: Turn 5.1/5.2 order upside down, simplify. This should also (AFAIK) work with Ubuntu/Debian, which has previously been known to fail to compile mod_lua.so
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.
Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.
Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables
* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
"id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
adapt modssl_X509_getSAN to take an optional otherName form
argument for the GEN_OTHERNAME case
mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E
mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.
mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.
mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.
mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand
mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().
mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().
mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().
adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get
changed Protocols to let vhosts override servers, removed old H2Engine example from readme
creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment
removed unnecessary lingering_close and sbh update on end of protocol upgrade handling
introducing ap_array_index in util, used in protocol and mod_h2
fixes existing protocol missing in selection if not explicitly proposed
new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging
removed accidental code
new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2
SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.
Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.
* server/util.c (ap_parse_token_list_strict): New function.
* modules/proxy/proxy_util.c (find_conn_headers): Use it here.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
Send a 400 for a malformed Connection header.
Submitted by: Edward Lu, breser, covener
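The fix above replaces a permissive Connection-header scan with a strict token-list parser and answers malformed input with a 400. The following is an added illustration of that defensive pattern, constructed for this page; it is not httpd's ap_parse_token_list_strict() (whose signature is not shown here), and the names parse_token_list_strict, count_tokens, connection_header_has, status_for_connection_header and the MAX_TOKENS limit are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Illustrative strict parser for a comma-separated HTTP token list such as
 * the Connection header. Constructed for this example: it is NOT httpd's
 * ap_parse_token_list_strict(); names, signature and limits are assumptions. */

#define MAX_TOKENS 16

typedef struct {
    const char *tokens[MAX_TOKENS]; /* point into the caller's buffer */
    size_t lens[MAX_TOKENS];
    size_t count;
} token_list;

/* RFC 7230 tchar: the characters permitted inside a token. */
static int is_tchar(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

static const char *skip_ows(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Returns 0 and fills 'out' on success, -1 on anything malformed: an empty
 * element (",," or an empty string), a byte that is not a tchar (including
 * control characters and separators such as ';' or '/'), or more elements
 * than MAX_TOKENS. Whitespace around an element is skipped. Rejecting empty
 * elements is a deliberate choice of this strict variant. */
int parse_token_list_strict(const char *in, token_list *out)
{
    const char *p = in;
    out->count = 0;
    for (;;) {
        p = skip_ows(p);
        const char *start = p;
        while (is_tchar((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        if (len == 0) return -1;                 /* empty element */
        p = skip_ows(p);
        if (*p != ',' && *p != '\0') return -1;  /* junk after the token */
        if (out->count == MAX_TOKENS) return -1; /* caller's limit reached */
        out->tokens[out->count] = start;
        out->lens[out->count] = len;
        out->count++;
        if (*p == '\0') return 0;
        p++;                                     /* step over the comma */
    }
}

/* Number of elements in a well-formed list, or -1 when malformed. */
int count_tokens(const char *in)
{
    token_list tl;
    return parse_token_list_strict(in, &tl) == 0 ? (int)tl.count : -1;
}

/* 1 if 'name' (case-insensitive) is listed, 0 if not, -1 if the header is
 * malformed. A response path maps -1 to a 400 instead of guessing. */
int connection_header_has(const char *hdr, const char *name)
{
    token_list tl;
    if (parse_token_list_strict(hdr, &tl) != 0) return -1;
    size_t n = strlen(name);
    for (size_t i = 0; i < tl.count; i++) {
        if (tl.lens[i] != n) continue;
        size_t j = 0;
        while (j < n && tolower((unsigned char)tl.tokens[i][j]) ==
                        tolower((unsigned char)name[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Status a hardened response handler would choose: 400 for a header the
 * strict parser rejects, 0 (continue normal processing) otherwise. */
int status_for_connection_header(const char *hdr)
{
    return count_tokens(hdr) < 0 ? 400 : 0;
}
```

The point of the strict variant is that every byte of the header either belongs to a token, is list whitespace, or is a comma; anything else stops processing with an error instead of being silently skipped or partially consumed.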
http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.
This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2
Proposed by: Stefan Eissing <stefan eissing.org>
Reviewed by: ylavic
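The 421 logic described above compares the hostname the TLS handshake was negotiated for (SNI) with the authority the request names, on a connection that is being reused. The block below is an added example of that comparison, written for this page and not taken from mod_ssl; the function names misdirected_status, authority_host_len and name_eq are assumptions. It handles the two details that make a naive strcmp wrong: the Host header may carry a ":port" suffix (with bracketed IPv6 literals kept whole), and hostnames compare case-insensitively. The first-request mismatch path is handled elsewhere in httpd and is not modelled here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the SNI-vs-Host check behind a 421 response.
 * Not mod_ssl's code; names and signatures are assumptions. */

/* Length of the host part of an HTTP authority: "example.org:8443" -> 11,
 * "[2001:db8::1]:443" -> 13 (a bracketed IPv6 literal is kept whole). */
static size_t authority_host_len(const char *authority)
{
    if (authority[0] == '[') {
        const char *close = strchr(authority, ']');
        return close ? (size_t)(close - authority + 1) : strlen(authority);
    }
    const char *colon = strchr(authority, ':');
    return colon ? (size_t)(colon - authority) : strlen(authority);
}

/* Case-insensitive equality of a NUL-terminated name and an n-byte prefix. */
static int name_eq(const char *a, const char *b, size_t n)
{
    if (strlen(a) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 421 when a request on a reused connection names a host other than
 * the one the TLS handshake (SNI) was negotiated for, 0 otherwise. With no
 * SNI there is nothing to compare, and the first request on a connection is
 * left to the existing handshake-time check. */
int misdirected_status(const char *sni, const char *host_header, int connection_reused)
{
    if (sni == NULL || host_header == NULL || !connection_reused) return 0;
    size_t n = authority_host_len(host_header);
    return name_eq(sni, host_header, n) ? 0 : 421;
}
```

A client that receives the 421 can, as the referenced RFC 7540 section describes, retry the request on a fresh connection whose handshake names the right host.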
c89
Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com
giving ap_array_index a start parameter, adding ap_array_contains
ap_process_request needs exportation for use in mod_h2 on Windows
final final change to the new ap_array_str_* functions after review
changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon
mod_ssl: fix compiler warning (bad cast).
improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim
Jim Jagielski [Mon, 28 Sep 2015 12:25:04 +0000 (12:25 +0000)]
Merge r1704099 from trunk:
Fix a spurious test where a condition is always true:
if ((cfg->skipto != NULL) && (ctx->flags | ENC_SKIPTO)) {
                              ^^^^^^^^^^^^^^^^^^^^^^^
This is apparently harmless because, in 'xml2enc_filter_init', the ENC_SKIPTO bit of 'flags' is set to ENC_SKIPTO if 'skipto' is non-NULL.
Submitted by: jailletc36
Reviewed/backported by: jim
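The always-true test above is a classic '|' for '&' slip: OR-ing a nonzero mask into any value yields a nonzero result, so the right-hand operand constrains nothing. The block below is an added example, written for this page with constructed structs that only mirror the names in the commit message (ENC_SKIPTO's bit value, xml2enc_cfg, xml2enc_ctx, init_ctx and the predicate functions are assumptions, not mod_xml2enc's real definitions). It shows where the buggy and fixed predicates disagree, and why the initialisation described in the message keeps that state from ever arising.

```c
#include <stddef.h>

/* Added illustration of the '|' vs '&' bug. Names echo the commit message,
 * but the definitions are constructed for this example. */
#define ENC_SKIPTO 0x4   /* assumed bit value */

typedef struct { const char *skipto; } xml2enc_cfg;
typedef struct { unsigned flags; } xml2enc_ctx;

/* Mirrors the initialisation the message describes: the bit is set exactly
 * when skipto is configured. */
void init_ctx(const xml2enc_cfg *cfg, xml2enc_ctx *ctx)
{
    ctx->flags = 0;
    if (cfg->skipto != NULL) ctx->flags |= ENC_SKIPTO;
}

/* Buggy predicate: (flags | ENC_SKIPTO) is nonzero for every flags value,
 * so this reduces to (cfg->skipto != NULL). */
int should_skip_buggy(const xml2enc_cfg *cfg, const xml2enc_ctx *ctx)
{
    return (cfg->skipto != NULL) && (ctx->flags | ENC_SKIPTO);
}

/* Fixed predicate: '&' actually tests whether the bit is set. */
int should_skip_fixed(const xml2enc_cfg *cfg, const xml2enc_ctx *ctx)
{
    return (cfg->skipto != NULL) && (ctx->flags & ENC_SKIPTO);
}

/* 1 if the two predicates give different answers for this state. They differ
 * only when skipto is set but the ENC_SKIPTO bit is clear. */
int predicates_disagree(unsigned flags, const char *skipto)
{
    xml2enc_cfg cfg = { skipto };
    xml2enc_ctx ctx = { flags };
    return should_skip_buggy(&cfg, &ctx) != should_skip_fixed(&cfg, &ctx);
}

/* 1 if both predicates agree once the context went through init_ctx(); this
 * is the invariant that made the original bug harmless in practice. */
int agree_after_init(const char *skipto)
{
    xml2enc_cfg cfg = { skipto };
    xml2enc_ctx ctx;
    init_ctx(&cfg, &ctx);
    return should_skip_buggy(&cfg, &ctx) == should_skip_fixed(&cfg, &ctx);
}
```

Static analysers flag this pattern as "condition always true"; the check here is worth keeping because any later code path that builds a context without init_ctx() would make the two predicates diverge.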
Graham Leggett [Sat, 26 Sep 2015 22:55:56 +0000 (22:55 +0000)]
mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
can't create new (clear) slots while previous children that are gracefully
stopping still use the old ones (e.g. Windows, OS2). PR 58024.
Jim Jagielski [Wed, 23 Sep 2015 12:35:57 +0000 (12:35 +0000)]
Merge r1664709, r1697323 from trunk:
* Do not reset the retry timeout if the worker is in error at this stage even
if the connection to the backend was successful. It was likely set into
error by a different thread / process in parallel e.g. for a timeout or
bad status. We should respect this and should not continue with a connection
via this worker even if we got one.
* Do a more complete cleanup here. At this point we cannot end up with something useful with the data we created so far.
Submitted by: rpluem
Reviewed/backported by: jim