httpd

Checkout Tools
  • last updated 7 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates

Changeset 1862040 is being indexed.

* modules/dav/main/props.c (dav_do_prop_subreq): Allocate escaped URI

out of propdb pool, fixing small per-resource leak during a PROPFIND

walk.

Submitted by: jorton, rpluem

Simplify handling of short-lived pool for dav_propdb in mod_dav. No

functional change.

* modules/dav/main/props.c (dav_popen_propdb): Rename from

dav_open_propdb, take a pool argument.

(dav_open_propdb): Reimplement in terms of above, using

r->pool.

(dav_propfind_walker): Switch to using dav_open_propdb

with scratchpool.

* Leave a breadcrumb note for another backport proposal that needs to be done.
Set connectiontimeout for mod_proxy_hcheck.

Fix for https://issues.jboss.org/browse/JBCS-448

*) mod_md: bringing over v2.0.6 from github.

- supports the ACMEv2 protocol

- supports the new challenge method 'tls-alpn-01'

- supports command configuration to setup/teardown 'dns-01' challenges

- supports wildcard certificates when dns challenges are configured

- ACMEv2 is the new default and will be used on the next certificate renewal,

unless another MDCertificateAuthority is configured

- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer

- a domain exposes its status at https://<domain>/.httpd/certificate-status

- Managed Domains are now in Apache's 'server-status' page

- A new handler 'md-status' exposes verbose status information in JSON format

- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a

Managed Domain that uses static files. Auto-renewal is turned off for those.

- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and

'errored'. New 'MDWarnWindow' directive to configure when expiration warnings

shall be issued.

- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see

announcement by Let's Encrypt:

https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

    • ?
    /httpd/trunk/modules/md/mod_md_status.c
    • ?
    /httpd/trunk/modules/md/md_acme_drive.h
    • ?
    /httpd/trunk/modules/md/md_acme_order.h
    • ?
    /httpd/trunk/modules/md/md_acmev1_drive.c
    • ?
    /httpd/trunk/modules/md/mod_md_drive.h
    • ?
    /httpd/trunk/modules/md/mod_md_drive.c
  1. … 34 more files in changeset.
mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

After reinstatement of DSO support in APR/APR-util, revert r1837437,

r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.

Undoes the following:

mod_ssl: OpenSSL now initializes fully through APR, use that.

mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).

So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7

compatibility-exceptions are handled explicitely but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the

former used to be a no-op but depends is LIBRESSL_INTERNAL in latest versions,

while the latter has never been (and will never be) defined. So don't call any

with LibreSSL.

Follow up to r1833368: share openssl between modules.

Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto

can use the same crypto library (e.g. openssl), use the new APR crypto loading

API so that they can work together and initialize/terminate the lib either once

for all or on demand and reusable by the others.

Follow up to r1833368: apr_crypto_prng_after_fork() now used a PID.

Make use of the new apr_crypto_rng API if available.

French doc rebuild.

French doc rebuild.

xml fr doc update.

french doc rebuild.

Version num update.

Version num mismatch.

Misplaced contextlist tag.

xml fr doc update.

Add support for SHA-2 crypt() algorithm in htpasswd.

* configure.in: Detect SHA-2 support in crypt().

* support/passwd_common.h: Define ALG_CRYPT_SHA256, ALG_CRYPT_SHA512,

include ap_config_auto.h.

* support/htpasswd.c (check_args): Allow -2, -5, -r arguments for

SHA-256, SHA-256 and rounds options respectively.

* support/passwd_common.c

(parse_common_options): Parse -2, -5, -r args.

(mkhash): Generate crypt hash for SHA256/SHA512 algorithms.

* configure.in, acinclude.m4: Inline APACHE_GEN_MAKEFILES in AC_CONFIG_COMMANDS

and run during the "normal" phase of ./config.status rather than as init-cmds.

* configure.in: Move modules.c creation to config.status.

* configure.in: Fix enabling httpdunit w/o --enable-reduced-exports.

* build/config_vars.sh.in: Remove test-suite (builddir-specific) vars

from installed config_vars.mk.

* server/scoreboard.c (open_scoreboard): Create the scoreboard in the

parent of pconf rather than creating another global pool.

PR: 43471

Note that rotatelogs -D was added in 2.4.34.

PR: 46669

* server/util.c: Make "nul" symbol private.

Add an --enable-reduced-exports configure option to link libmain.a

using ld's --whole-archive mode and avoid building exports.c entirely.

This reduces the size of a minimal httpd binary by 18% on Linux/x86_64

(687K to 560K) with no difference to the set of symbols available to

modules.

This option is only appropriate to use if using a shared libapr*

build, hence is non-default.

* configure.in: Add --enable-reduced-exports; disable httpdunit build

if used. Define AP_FORCE_EXPORTS if not enabled (default) in place

of AP_USING_AUTOCONF.

* server/main.c (ap_suck_in_APR): Only build if AP_FORCE_EXPORTS is

defined.

* Makefile.in: Link libmain.la using LIBMAIN_LIB.

* server/Makefile.in: Conditionally build exports.c into libmain.

Clarify pool lifetime constraints when modifying ap_server_config_defines.

PR: 63516

test RedirectRelative in trunk

followup to r1861542: return early from error path

avoid setting a location: header of a non-URL 500 error path

add RedirectRelative directive to allow relative Redirect targets

2616 forbade relative redirect URLs, but 7231 allows them

Early 2.2 maintenance levels did not fix them up, but later 2.2 and all 2.4

fixed them up with ap_construct_url().

Allow opt-in to not fixing up relative URLs with RedirectRelative

style: cmd_rec at the bottom

no functional change

Add missing space in default string of MimeOptions