httpd


make sure svn commit mails are correctly encoded

build bootstrap

Missing semicolon (though works without...).
Add 'use Net::SSLeay' required by Net::SSLeay::OPENSSL_VERSION_NUMBER().
Disable OCSP test for Openssl < 1.0.2.

Long term one could try to fix the CGI script t/htdocs/modules/cgi/ocsp.pl.PL. Currently the script passes the OCSP request to openssl via "-reqin -" which is not supported in OpenSSL before 1.0.2.

The script could instead read the data, place it in a temp file and let OpenSSL use the temp file.

For now we simply disable the test for the old OpenSSL versions.

Post 2.4.37 tag updates
Tag HEAD of 2.4.x as 2.4.37
Get ready to tag httpd 2.4.37
fr doc : adding UTF-8 html files.

  • /httpd/branches/2.4.x/docs/manual/expr.html.fr.utf8
  • /httpd/branches/2.4.x/docs/manual/urlmapping.html.fr.utf8
  … 443 more files in changeset.
fr doc : deleting ISO-8859-1 html files.

  … 211 more files in changeset.
mod_ssl: Correctly merge configurations that have client certificates set by SSLProxyMachineCertificate{File|Path}.

The certificates and keys loaded during configuration time got lost during runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host level and there was an SSL directive at directory level, e.g. SSLRequire.

This fixes a regression likely introduced in r1740928 (backported in r1824187).

Backport of r1844002 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton

mod_ssl: We need to get the SSL_CTX for further processing down below.

This fixes a crash during SSL renegotiation with OptRenegotiate set, when client certificates are available from the original handshake but were originally not verified and should get verified now.

This is a regression in 2.4.36 (unreleased).

Backport of r1828793 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton

Vote, promote.
* Vote
Another mod_ssl backport proposal.

Propose backport to prevent crashes during SSL renegotiation with OptRenegotiate set, client certificates available from original handshake but client certs were originally not verified and should get verified now.

rollback 1844001.

Add a changelog entry for r1844047.

*) mod_ssl: Handle SSL_read() return code 0 similarly to <0. It is needed when using OpenSSL 1.1.1 and should not harm for versions before 1.1.1.

Without the patch for 1.1.1 a 0 byte read no longer results in EAGAIN but instead in APR_EOF which leads to HTTP/2 failures.

For the changelog: Fix HTTP/2 failures when using OpenSSL 1.1.1.

trunk patch: http://svn.apache.org/r1843954
2.4.x patch: svn merge -c 1843954 ^/httpd/httpd/trunk .

+1: rjung, druggeri, rpluem

* Vote and promote
Can confirm this resolves H2 test failure issues introduced w/ OpenSSL 1.1.1
Typo in proposed revision number.

Thanks to Daniel for the heads up.

Died on the vine
* Correctly merge configurations that have client certificates set by SSLProxyMachineCertificate{File|Path}.

The certificates and keys loaded during configuration time got lost during runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host level and there was an SSL directive at directory level, e.g. SSLRequire.

This fixes a regression likely introduced in r1740928.

And a way for custom modules to guess and extract SSL variables. See https://github.com/jfclere/JBCSP-17 for example...

Propose.

SSL_read() doesn't distinguish between return value 0 and <0, at least not for OpenSSL 1.1.1. This is documented in the man page for SSL_read and led to h2 failures when using OpenSSL 1.1.1.

When no data could be read, our code returned EAGAIN up until OpenSSL 1.1.0, but APR_EOF for OpenSSL 1.1.1.

Now instead check SSL_get_error() also when SSL_read() returns 0.

To keep changes small, this change should not influence behavior, when (rc=SSL_read()):

- rc < 0
- rc == 0 && *len > 0
- rc == 0 && (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)) && inctx->block == APR_NONBLOCK_READ

Behavior changes if

- rc == 0 && !(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)) && !*len > 0

Instead of APR_EOF:

- same behavior as rc < 0 for SSL_ERROR_WANT_READ
- same behavior as rc < 0 for SSL_ERROR_SYSCALL && APR_STATUS_IS_EAGAIN(inctx->rc)

Another change is that rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN also results in APR_EOF.
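The before/after decision logic of this commit message, as an added example that is not httpd's ssl_engine_io.c and does not link against OpenSSL: the enums are constructed stand-ins for the SSL_get_error() codes, the APR status in inctx->rc and the read mode, so the classification can be exercised offline.

```c
/* Added example, not httpd's ssl_engine_io.c: a stand-alone model of the
 * SSL_read() return-code handling described in the commit message above.
 * The enums are constructed stand-ins so the logic runs without OpenSSL. */
#include <stdbool.h>

/* Stand-ins for the SSL_get_error() codes the commit message refers to. */
enum ssl_err { SSL_ERR_NONE, SSL_ERR_ZERO_RETURN, SSL_ERR_WANT_READ,
               SSL_ERR_SYSCALL, SSL_ERR_OTHER };
/* Stand-ins for the APR status the BIO recorded in inctx->rc. */
enum sock_st { SOCK_OK, SOCK_EAGAIN, SOCK_EINTR };
enum block_mode { BLOCK_READ, NONBLOCK_READ };
/* What the input filter does next. */
enum action { RETRY, RET_EAGAIN, RET_DATA, RET_EOF, RET_ERROR };

/* rc       : value SSL_read() returned
 * ssl_err  : what SSL_get_error() reports for that call
 * inctx_rc : socket status recorded by the BIO (EAGAIN/EINTR or OK)
 * block    : blocking or non-blocking read
 * have_len : true when *len > 0, i.e. bytes were already read this call
 * new_code : false = before r1843954, true = after r1843954 */
enum action classify_ssl_read(int rc, enum ssl_err ssl_err, enum sock_st inctx_rc,
                              enum block_mode block, bool have_len, bool new_code)
{
    bool would_block = (inctx_rc == SOCK_EAGAIN || inctx_rc == SOCK_EINTR);
    if (rc > 0)
        return RET_DATA;
    if (rc == 0) {
        /* Paths the commit leaves unchanged. */
        if (would_block)
            return block == NONBLOCK_READ ? RET_EAGAIN : RETRY;
        if (have_len)
            return RET_DATA;
        /* Old code: a 0-byte read with nothing pending is always EOF. */
        if (!new_code)
            return RET_EOF;
        /* New code: fall through and consult SSL_get_error(), as for rc < 0. */
    }

    switch (ssl_err) {
    case SSL_ERR_WANT_READ:        /* OpenSSL 1.1.1 reports this with rc == 0 */
        return block == NONBLOCK_READ ? RET_EAGAIN : RETRY;
    case SSL_ERR_SYSCALL:
        return would_block ? (block == NONBLOCK_READ ? RET_EAGAIN : RETRY) : RET_ERROR;
    case SSL_ERR_ZERO_RETURN:      /* peer sent close_notify: a real EOF */
        return RET_EOF;
    default:
        return RET_ERROR;
    }
}
```

The first two assertions in the test reproduce the h2 symptom: the same 0-byte, want-read call is EOF with the old logic and EAGAIN with the new one.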

* Ensure that aborted connections are logged as such.

Set c->aborted before apr_brigade_cleanup to have the correct status when logging the request as apr_brigade_cleanup triggers the logging of the request if it contains an EOR bucket.

PR: 62823
Submitted by: Arnaud Grandville <contact@grandville.net>
Reviewed by: rpluem

backport votes

Revert r1832567, r1843476, r1843478

Restore jorton's detection from r1831398, and portably redirect stderr to capture and evaluate the available command list, from either stdout (1.1.0 and later) or stderr (1.0.2 and prior).