Checkout Tools
  • last updated 1 hour ago
Constraints: committers
Constraints: files
Constraints: dates

Changeset 1868812 is being indexed.

The process_connection hook for mod_ftp must run before the process_connection

hook(s) for mod_http2 because http2 attempts a 24-byte speculative read. FTP

connections don't send headers, so mod_http2 hangs until this read times out.

http2's hook cannot be registered as a successor to ftp's because there are two mod_http2

process_connection hook functions. This change makes mod_ftp register as APR_HOOK_FIRST

and before mod_ssl & mod_reqtimeout to ensure that it runs before any other

protocol handlers.

Use the httpd-2.4 API function ap_get_conn_socket to set the socket timeout.

This has been wrong since 2.4, and the socket timeout hasn't been set correctly.

mod_ftp segfaults after httpd change r1839997 because setting the timeout

clobbers the filter context.

Swap 2 modules in order to synch with 2.4.x.

Keep alphabetical order.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which

depends on its return value (OK/NOACK), mainly on session resumption, for

SSL_get_servername() to consider or ignore the SNI (returning NULL thus

making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists

in the configured vhosts, even when it's called multiple times (e.g. first

from ClientHello callback and then from SNI callback), so save that state in

sslconn->vhost_found and reuse it.

Axe some outdated references to httpd 1.2.x and 2.0.x.

AFAIK, in 2.4.x, references to older branches are limited to 2.2.x. and 2.0.44 is 16 years old.

(r1868717 in trunk)

Axe some outdated references to httpd 1.2.x and 2.0.x.

AFAIK, in 2.4.x, references to older branches are limited to 2.2.x. and 2.0.44 is 16 years old.

fr doc rebuild

fr doc adding a new translated file.

fr doc rebuild.

fr doc adding a new translated file.

    • ?
Use native EOL for intended-duplicates.
Put intended duplicates AHs in their own file (outside the script).

AH01241 is intentionally duplicated.

Depending on the configured child error output, messages go to ErrorLog or

stderr, but AH should be the same.

update-log-msg-tags: allow to reference intended duplicate tags.

To avoid noise warnings when running "make update-log-tags".

mod_md: resolve duplicate tag.
mod_proxy_http: follow up to r1868576.

Omit sending 100 continue if the body is (partly) prefetched, per

RFC 7231 (section 5.1.1).

mod_proxy_http: revert r1868625.

The HTTP_IN filter handles "100 Continue" the first time it's called only,

and in spool_reqbody_cl() we have already tried to prefetch the body, so

it's too late.

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at

the earliest connection stage, we can switch the SSL_CTX of the SSL connection

early enough for OpenSSL to take into account the protocol configuration of the


In other words:


followed by:


works as expected at this stage (while the same from the SNI callback is

ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback

is not as easy as calling SSL_get_servername() though, we have to work with

the raw TLS extensions helpers provided by OpenSSL. I stole this code from a

test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in


We can then call init_vhost() as with the SNI callback (in use only for OpenSSL

versions earlier than 1.1.1 now), and pass it the extracted SNI.

Synch 2.4.x and trunk.

There is an extra space on trunk. Axe it.

mod_proxy_http: follow up to r1868576.

As suggested by Ruediger, let the HTTP_IN filter handle the 100 continue from


Also, according to rfc7231#section-5.1.1, we don't need the interim response

if we "already received some or all of the message body", which is now also

taken into account.

fr doc new built file.

fr doc adding a new file.

fr doc new built file.

fr doc adding a new file.

    • ?
mod_proxy_http: Fix 100-continue deadlock for spooled request bodies. PR 63855.

Send "100 Continue", if needed, before fetching/blocking on the request body in

spool_reqbody_cl(), otherwise mod_proxy and the client can wait for each other,

leading to a request timeout (408).

While at it, make so that ap_send_interim_response() uses the default status

line if none is set in r->status_line.


I"ve not voted for the 2 last proposals because I don't have time, knowledge or configuration to test.

However, it looks interesting and good backport candidates.

*) mod_md: Adding the several new features.

The module offers an implementation of OCSP Stapling that can replace fully or

for a limited set of domains the existing one from mod_ssl. OCSP handling

is part of mod_md's monitoring and message notifications. If can be used

for sites that do not have ACME certificates.

The url for a CTLog Monitor can be configured. It is used in the server-status

to link to the external status page of a certicate.

The MDMessageCmd is called with argument "installed" when a new certificate

has been activated on server restart/reload. This allows for processing of

the new certificate, for example to applications that require it in different

locations or formats.

    • ?
  1. … 36 more files in changeset.
update mod_md tags
provide note re backport