

Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the

In other words:

followed by:

works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.

mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost
selected by Hello/SNI callback.

mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic

Reviewed by: ylavic, minfrin, jim

Merge r1873748 from trunk:

factor out TE=chunked checking

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873747 from trunk:

factor out default regex flags

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873745 from trunk:

trap bad FTP responses

Submitted by: covener

Reviewed by: covener, minfrin, jorton


test and vote

Update xforms. [skip ci]

backport proposal for r1873888.

Add some blurb on correctly stopping the service w/mod_systemd. [skip ci]

*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github

issue mod_md#172 (

[Michael Kaufmann <mail>, Stefan Eissing]

Vote, promote, [skip ci]

fr doc rebuild

XML update.

mod_systemd.xml: add basic unit example [skip ci]

fr doc rebuild.

fr doc XML files updates.

Add some missing spaces

(r1873820 on trunk)

Add some missing spaces

documentation rebuild [skip ci]

flags.xml: remove extra </dl> to allow clean builds

...otherwise it was fine.


Add a comment.

Add a comment.

Fix a typo (doubled "(") and a small grammar issue

(r1873767 in trunk)

Fix a typo (doubled "(") and a small grammar issue

add SameSite to RewriteRule ... ... [CO]


factor out TE=chunked checking

factor out default regex flags