httpd


don't use DOTALL from mod_substitute which leaves \n at the end of the line.

Propose [skip ci]
Add a missing APLOGNO()
Reserve a number
Who knew this was even still here?!

Transforms rhymes with [skip ci]

Merge r1873913 from trunk:

Clarify compatibility and interpretation of CGIDScriptTimeout. [skip ci]

Merge r1873835, r1873889 from trunk:

mod_systemd.xml: add basic unit example [skip ci]

Add some blurb on correctly stopping the service w/mod_systemd. [skip ci]

Submitted by: elukey, jorton

Clarify compatibility and interpretation of CGIDScriptTimeout. [skip ci]

CHANGES w/ credit for 1873906

xforms

Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at the earliest connection stage, we can switch the SSL_CTX of the SSL connection early enough for OpenSSL to take into account the protocol configuration of the vhost.

In other words:

    SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)

followed by:

    SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))

works as expected at this stage (while the same from the SNI callback is ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback is not as easy as calling SSL_get_servername() though, we have to work with the raw TLS extensions helpers provided by OpenSSL. I stole this code from a test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL versions earlier than 1.1.1 now), and pass it the extracted SNI.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which depends on its return value (OK/NOACK), mainly on session resumption, for SSL_get_servername() to consider or ignore the SNI (returning NULL thus making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists in the configured vhosts, even when it's called multiple times (e.g. first from ClientHello callback and then from SNI callback), so save that state in sslconn->vhost_found and reuse it.

mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost selected by Hello/SNI callback.

mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic

Reviewed by: ylavic, minfrin, jim

Merge r1873748 from trunk:

factor out TE=chunked checking

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873747 from trunk:

factor out default regex flags

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873745 from trunk:

trap bad FTP responses

Submitted by: covener

Reviewed by: covener, minfrin, jorton

promote

test and vote

Update xforms. [skip ci]

backport proposal for r1873888.
Add some blurb on correctly stopping the service w/mod_systemd. [skip ci]

*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
   [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

Vote, promote, [skip ci]

fr doc rebuild

XML update.

mod_systemd.xml: add basic unit example [skip ci]

fr doc rebuild.

fr doc XML files updates.

Add some missing spaces

(r1873820 on trunk)

Add some missing spaces
documentation rebuild [skip ci]