Luca Toscano [Thu, 25 May 2017 08:44:09 +0000 (08:44 +0000)]
Remove warning about nested If/ElseIf/Else evaluation
As noted by Christophe Jaillet in the dev@ ml, nested
if/elseif/else conditions are now evaluated. The code
change has been already backported to 2.4.x.
Jacob Champion [Tue, 23 May 2017 16:19:33 +0000 (16:19 +0000)]
buildconf: check in APR[-util] m4 macros
Suggestion by wrowe. These files haven't changed in years; since we need
them anyway, check them in directly. buildconf will still copy over the
latest versions during setup, and SVN will tell us if there are any
changes.
Jacob Champion [Mon, 22 May 2017 16:40:54 +0000 (16:40 +0000)]
ab: don't call malloc_init for OpenSSL 1.1.0
Patch by rjung.
The 1.1.0 compatibility macro for OpenSSL_malloc_init() causes problems
when mixed with procedure linkage stubs with some toolchains (e.g. GCC).
OpenSSL's malloc implementation doesn't recognize that the PLT stub
points back to it, which leads to infinite recursion.
Since the 1.1.0 documentation states that calling this function
explicitly is no longer necessary except "in certain shared-library
situations"(?), get rid of it.
Remove 3DES by default for users of older crypto libraries; the cipher
has been reclassified in current OpenSSL releases as WEAK due to 112
or fewer bits of remaining cipher strength, while the Sweet32 disclosure
extended the criticism of RC4 on to 3DES. (IDEA, which potentially has the
same issue, is never enabled by default in OpenSSL, due to patent concerns.)
This commit does not change default httpd behavior, but alters the suggested
behavior of newly provisioned httpd servers. Where adopted, XP with IE8 will
no longer handshake with mod_ssl (previously, XP with IE6 would not handshake).
The same net effect occurs where OpenSSL is updated to 1.1.0.
Luca Toscano [Sat, 6 May 2017 14:07:08 +0000 (14:07 +0000)]
Remove unclear sentence in mod_remoteip doc
This sentence has been discussed in the docs@
mailing list since it wasn't super clear for
some people. I propose to just remove it,
the rest of the content is already clear in
my opinion.
Stefan Eissing [Fri, 5 May 2017 13:03:41 +0000 (13:03 +0000)]
On the trunk:
mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
Jacob Champion [Thu, 4 May 2017 23:41:16 +0000 (23:41 +0000)]
override index: remove invalid <override>s from directives
Remove the bogus "none" and "n/a" type <override>s from the
documentation. If a directive can't be put in .htaccess, it shouldn't
have an <override> element.
Jacob Champion [Thu, 4 May 2017 22:53:58 +0000 (22:53 +0000)]
Add an Override Class Index
This page pulls in directives that declare an <override> element and
groups them by class. The documentation for each class comes from
overrides.xml. Any undocumented classes are flagged with a boilerplate
fallback text (this situation is only likely to occur with a misspelling
or otherwise invalid <override> somewhere else in the documentation).
It has been reported multiple times that nested
If/ElseIf/Else sections are not evaluated but
silently ignored.
This patch adds a simple recursion to the ap_if_walk
logic in order to allow arbitrary nested configs.
The overhead seems negligible compared to the actual
version of the ap_if_walk, but more expert feedback
is surely needed since this code gets called for every
HTTP request.
Tests are going to be added to t/apache/if_sections.t
Stefan Eissing [Fri, 21 Apr 2017 12:21:31 +0000 (12:21 +0000)]
On the trunk:
mod_http2: fixed possible deadlock that could occur when connections were
terminated early with ongoing streams. Fixed possible hanger with timeout
on race when connection considers itself idle.
Add upgrade parameter to mod_proxy_wstunnel.
That allows upgrading to jboss-remoting, for example,
or to run an HTTP/1.1 backend that needs to upgrade to
WebSocket.
See also:
https://issues.jboss.org/browse/JBCS-254
https://issues.jboss.org/browse/JBCS-291
Jacob Champion [Wed, 19 Apr 2017 20:38:26 +0000 (20:38 +0000)]
PR61009: be as helpful as possible during -V operation
A configtest isn't useful if you're just trying to get compile settings.
Move the settings dump up to just after ap_read_config(), which has
already done the minimum necessary to figure out which MPM is in use.
Even if ap_read_config() failed, still print as many compile settings as
we can. The user will see the error log entry on stderr.
Jacob Champion [Wed, 19 Apr 2017 01:32:58 +0000 (01:32 +0000)]
mod_ssl_ct: fix return values for custom extension callback
This is most likely a follow-up to r1628833.
At some point during the OpenSSL 1.0.2 beta, the contract for custom
extension callbacks changed from "returning -1 skips the extension" to
"returning -1 will issue a TLS fatal alert". This caused mod_ssl_ct to
abort TLS connections that it intended to ignore. Zero is the correct
return value for "do nothing" in 1.0.2.
KISS: RemoveType is a simpler fix for .tr; explain .da files; order our
LanguagePriority by a first-order comparison and drop negligible translations
from our ordered priority preference list entirely.
A better comparison would be total number of documents in-sync, or some
convoluted weight ordering each document by which are more in sync than
others. Leaving that puzzle to an interested hacker.
Jacob Champion [Tue, 18 Apr 2017 00:19:32 +0000 (00:19 +0000)]
PR60947: avoid CRYPTO_THREADID_set_callback() if possible
CRYPTO_THREADID_set_callback() is write-once, so if mod_ssl is unloaded
and reloaded into a different address, we'll crash if OpenSSL wasn't
also unloaded and reloaded at the same time. This can happen if another
module or library is using OpenSSL as well.
- OpenSSL 1.1.0 isn't affected.
- Certain platforms (Windows, BeOS, and POSIX-compliant systems) can
make use of the default THREADID callback in OpenSSL 1.0.x.
- If the deprecated CRYPTO_set_id_callback() is available, we can use it
instead of CRYPTO_THREADID_set_callback().
Otherwise, we have to fall back to CRYPTO_THREADID_set_callback(), but
hopefully that applies to a small percentage of users at this point.
Eric Covener [Fri, 14 Apr 2017 19:38:34 +0000 (19:38 +0000)]
mod_substitute: use local/native LF for splitting
On platforms where the APR_ASCII_LF != '\n', like EBCDIC systems,
strmatch or pcre patterns from the source or config will be in
the native encoding, and this module will really only work on
content in the native encoding.
(mod_substitute runs before mod_charset_lite for a similar reason)
I thought #if APR_CHARSET_EBCDIC or even #ifdef __MVS__ was overkill
here.
Stefan Eissing [Fri, 14 Apr 2017 15:08:32 +0000 (15:08 +0000)]
On the trunk:
mod_http2: only when 'HttpProtocolOptions Unsafe' is configured, will
control characters in response headers or trailers be forwarded to the
client. Otherwise, in the default configuration, a request will either
fail with status 500 or the stream will be reset by a RST_STREAM frame.
Jacob Champion [Tue, 11 Apr 2017 23:59:31 +0000 (23:59 +0000)]
configure: check if &errno is thread-local for OpenSSL
This is step one for fixing, or at least mitigating, PR60947. Determine
which platforms can use the default OpenSSL (1.0.x) threadid-callback,
by recording the address of errno for several threads and testing that
they're all different.
The result of this test is put into the new macro,
AP_OPENSSL_USE_ERRNO_THREADID.
mod_brotli: Fix leftovers from mod_deflate or incorrect directives in
the "Serving pre-compressed content" section of the docs.
Generally speaking, this section would benefit from a rewrite pointing
out how to configure a mod_deflate + mod_brotli configuration with
precompressed contents, but for now at least fix the mistakes in the
configuration.
mod_brotli: Tweak the descriptions of the directives provided by mod_brotli
in the documentation (BrotliCompressionQuality, BrotliCompressionWindow,
BrotliCompressionMaxInputBlock, BrotliAlterETag).