We never tested for invalid 'additional' arguments that were ignored.
Was there any point to allowing additional, unused args after the
various supported switches?
This prevents the Apache server from starting with an httpd somefooness
invocation.
Doug MacEachern [Thu, 29 Nov 2001 07:07:36 +0000 (07:07 +0000)]
the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth
is happening. so avoid calling that unless needed and just stash a
pointer to the client cert for the boolean checks that the client
provided a cert.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:52:18 +0000 (06:52 +0000)]
avoid a call to X509_NAME_oneline() and ASN1_INTEGER_get() in
ssl_callback_SSLVerify_CRL() unless SSLLogLevel >= info, otherwise the
expense is unused.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:34:53 +0000 (06:34 +0000)]
get rid of ssl_log_applies() function. it does more than we need and
what should be done with a macro. it was only used once anyhow.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:27:41 +0000 (06:27 +0000)]
ssl_callback_SSLVerify() was calling (the expensive) X509_NAME_oneline()
function and free() of the return value twice each, for logging
regardless of SSLLogLevel. changed to happen only if SSLLogLevel >= trace
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:15:01 +0000 (06:15 +0000)]
fix for last change that removed ssl_util_getmodconfig():
go back to using s->process->pool userdata, but just to store the
global module config during startup so we only create _one_ SSLModConfigRec.
(didn't realize this function was called in both ssl_init_Module and
ssl_config_server_create)
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 05:45:48 +0000 (05:45 +0000)]
ssl_util_getmodconfig() and ssl_util_getmodconfig_ssl() show up high
in the gprof profile. there's no need for the "global" SSLModConfigRec
to live in the s->process->pool userdata table. we now just point the
SSLSrvConfigRec in each server_rec.module_config to the SSLModConfigRec
so we can access it directly which is much faster.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 05:17:38 +0000 (05:17 +0000)]
SSL_rand() does a mutex lock/unlock with threaded MPMs, so collapse
two calls that seed pid and time into one.
PR:
Obtained from:
Submitted by:
Reviewed by:
Greg Ames [Wed, 28 Nov 2001 19:41:07 +0000 (19:41 +0000)]
get binbuild.sh working enough to create a binary which serves the It Works!
page
* change seds for apachectl and httpd*.conf to do the right thing
* use /usr/local/apache2 for the default install directory
* use a shell variable for the above, in case it needs to change again
* use httpd-std.conf in place of httpd.conf.default
* get rid of the httpd -R option in apachectl (not valid in 2.0)
* don't overlay httpd.conf if it already exists (1.3 does this - wtf?!?!)
not done in this commit:
* install manual/ and error/ correctly
* switch to --enable-mods-shared=most now that it works (thanks, aaron!)
* investigate weird behavior when .tar.gz already exists in parent dir
* investigate setting a Group directive that actually works in httpd*.conf
Downgrade the input filtering from a showstopper. No one seems interested
in discussing OtherBill and my points at this time, so it can't be a bug
in anyone's rear end. As stated, the code works for the most part.
And, if we did do another round of filter changes, I'm inclined to see it
happen in 2.1.
Doug MacEachern [Wed, 28 Nov 2001 05:50:55 +0000 (05:50 +0000)]
calculate VHostID length at startup rather than request time.
change ap_md5() call in ssl_hook_pre_connection() to ap_md5_binary()
that uses the precalculated sc->nVHostID_length to avoid a strlen() call.
Doug MacEachern [Wed, 28 Nov 2001 05:44:50 +0000 (05:44 +0000)]
avoid calling ssl_util_vhostid() (and apr_sprintf underneath) at
request time by calling it at startup time and saving the value in the
SSLSrvConfigRec.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 05:05:04 +0000 (05:05 +0000)]
replace strlen(cpVHostMD5) with MD5_DIGESTSIZE*2 in ssl_hook_pre_connection()
since we know the string returned by ap_md5() will always be that length
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 05:00:34 +0000 (05:00 +0000)]
use apr_pstrndup() instead of apr_pstrdup() to avoid a strlen call in
ap_md5_binary, since we know the length of the string is always
MD5_DIGESTSIZE * 2
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 03:15:41 +0000 (03:15 +0000)]
moving chunk of logic that deals with writing ssl data from
ssl_io_filter_Output() to a new ssl_filter_write() function.
this will make it easier to optimize how we deal with file buckets
than cannot be mmaped.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Tue, 27 Nov 2001 23:37:20 +0000 (23:37 +0000)]
implement a custom BIO which allows us to hook SSL_write directly into
an apr_bucket_brigade and use transient buckets with the SSL
malloc-ed buffer, rather than copying into a mem BIO.
also allows us to pass the brigade as data is being written
rather than buffering up the entire response in the mem BIO.
Ian Holsman [Tue, 27 Nov 2001 22:07:09 +0000 (22:07 +0000)]
Change the magic #
as we have changed the conn_rec structure
and have change the open_log and post_config hook function
PR:
Obtained from:
Submitted by:
Reviewed by:
Brian Pane [Tue, 27 Nov 2001 08:39:02 +0000 (08:39 +0000)]
Another performance-related change to core_output_filter(): if we
get a long stream of small buckets, so that multiple concatenation
steps are required in a single pass through the brigade, re-use the
buckets from the previous temp brigade when creating the next one.
This allows us to avoid making yet another copy of the previously
concatenated data.
Brian Pane [Tue, 27 Nov 2001 06:35:29 +0000 (06:35 +0000)]
Optimization for core_output_filter: if the iovec is full,
don't try to concatenate buffers if we already have at least
8KB of data ready to send. Instead, just split the brigade
and send what's currently in the iovec.
Changes by Mladen Turk <mturk@mappingsoft.com>, with dialog touchup by
myself [I can't stand misordered dialog interfaces ;], to allow the user
to connect and disconnect remote PCs into the ApacheMonitor.
Needs other mild changes, e.g. machine\service rather than machine@service
[since @ could be part of a service/machine name, slash and backslash may
never be.] And still, the sync behavior leaves something to be desired.
Note one bug - the browse for computer actually won't browse computers,
but that can be fixed in another patch.
Jeff Trawick [Mon, 26 Nov 2001 14:38:03 +0000 (14:38 +0000)]
very minor tweaks:
. convert a comment to English
. zap an unnecessary '.' from a log message
. rearrange the setting of some variables controlling pipes and cmd-type
in the cgi process so that the differences in their values for ssi vs. cgi
can be more readily seen
Brian Pane [Mon, 26 Nov 2001 08:49:29 +0000 (08:49 +0000)]
Another fix for the core_output_filter() code that concatenates
small buckets: It's possible for the temporary brigade to
contain more than one bucket. If this happens, we need to
recover the buckets after the first from the temporary brigade
before destroying it.
Brian Pane [Mon, 26 Nov 2001 03:51:40 +0000 (03:51 +0000)]
Fix for the code in core_output_filter() that concatenates small buckets
into one big bucket...it was putting a pointer to a deleted bucket in
the iovec, so the output was corrupted.
Brian Pane [Sat, 24 Nov 2001 10:52:27 +0000 (10:52 +0000)]
short-circuit out of xbithack_handler immediately if xbithack
isn't enabled, and use strcmp instead of ap_strcmp_match for
comparing against a non-wildcard pattern
Ryan Bloom [Sat, 24 Nov 2001 00:17:01 +0000 (00:17 +0000)]
Fix the cmd command for mod_include. When we are processing
a cmd command, we do not want to use the r->filename to set
the command name. The command comes from the SSI tag. To do this,
I added a variable to the function that builds the command line
in mod_cgi. This allows the include_cmd function to specify
the command line itself.
Ian Holsman [Fri, 23 Nov 2001 23:49:24 +0000 (23:49 +0000)]
Fix post-config hook to return a int.
I left the service start/stop/restart 'exits' in there, and changed the
other ones to return HTTP_INTERNAL_SERVER_ERROR
Aaron Bannert [Fri, 23 Nov 2001 17:45:52 +0000 (17:45 +0000)]
mod_ssl is big and bulky, takes awhile to load, sometimes must wait for
entropy to be collected, and has a nasty little bug that prevents the
server from being started in non-SSL mode. This patch corrects some of
those problems, but is not intended as a workaround for the bug.
Ian Holsman [Fri, 23 Nov 2001 16:35:22 +0000 (16:35 +0000)]
Modify post_config hook so that it can return a error,
causing the server not to start.
previous method was to call exit(1) which would not fail
gracefully
PR:
Obtained from:
Submitted by:
Reviewed by: (Idea only Jeff Trawick)
Doug MacEachern [Thu, 22 Nov 2001 02:23:09 +0000 (02:23 +0000)]
optimize lookup of ssl-{unclean,accurate}-shutdown flags:
- only look through the table once, rather than 2 apr_table_gets()
- case-sensitive and use strcmp() as little as possible
- only lookup once per-connection, as the flags will not change across
keepalive requests
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 22 Nov 2001 01:40:26 +0000 (01:40 +0000)]
return from ssl_callback_LogTracingState if sc->nLogLevel < SSL_LOG_INFO
else there are 5 (expensive!) calls made to ssl_var_lookup on every request
for info that will never be logged
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 22 Nov 2001 00:42:35 +0000 (00:42 +0000)]
get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl)
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
Doug MacEachern [Thu, 22 Nov 2001 00:25:00 +0000 (00:25 +0000)]
move c->notes.ssl::verify::depth to SSLConnRec.verify_depth
note: may actually be removed unless somebody can figure out why it is in
there to begin with
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 21 Nov 2001 22:58:28 +0000 (22:58 +0000)]
get rid of SSL_get_app_data2_idx() which had a race condition when
writing to app_data2_idx, and another inside OpenSSL when calling
SSL_get_ex_new_index().
add SSL_init_app_data2_idx() to provide the same functionality but in
a safe place: called during ssl_init_Module
PR:
Obtained from:
Submitted by:
Reviewed by:
Ryan Bloom [Wed, 21 Nov 2001 18:25:40 +0000 (18:25 +0000)]
Fix a bug in our output filter buffering. If a lot of small brigades are
sent, the core will send the first 16 buckets, regardless of how much
data there is. In the pathological case, this can cause a lot of 16
byte packets. Now, if we see less than AP_MIN_BYTES, we combine
all of the buckets into a single bucket to be sent in a later packet.
This can cause a lot of memory copies, but it eases our network traffic.
projects / apache / log