Checkout Tools
  • last updated 35 mins ago
Constraints: committers
Constraints: files
Constraints: dates

Changeset 1874056 is being indexed.

RHEL and CentOS now use dnf. Call out yum as the outlier, rather than

the other way around.

Avoid UBSan exception calling memcpy(,NULL,0) at startup.

Follow-up to r1874011 which did the same for the event MPM.

* server/mpm/event/event.c (event_open_logs): Avoid UBSan exception

calling memcpy(,NULL,0) at startup. Thanks to rpluem.

* modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header

to close to indicate that we do not want to keep the HTTP connection to the

OCSP responder alive. We don't reuse the connections currently and if the

OCSP responder keeps the connection alive this could cause us to wait for

keepalive timeout of the OCSP responder to timeout until we finish our

reading of the OCSP response.

PR: 64135

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Avoid some bogus

gcc -Wmaybe-uninitialized warnings in (slightly odd) SSLFIPS


* This actually a blocker as r1873747 introduced a regression
Propose fix for spelling errors found by codespell. [skip ci]

Add CHANGES entry for Travis CI testing. [skip ci]

Fix spelling errors found by codespell. [skip ci]

  1. … 86 more files in changeset.
* Already addressed. Otherwise I was fine. [skip ci]
* Add a comment [skip ci]
propose substitute fix [skip ci]

don't use DOTALL from mod_substitute which leaves \n at the end of the line.

Propose [skip ci]
Add a missing APLOGNO()
Reserve a number
Who knew this was even still here?!

Transforms rhymes with [skip ci]

Merge r1873913 from trunk:

Clarify compatibility and interpretation of CGIDScriptTimeout. [skip ci]

Merge r1873835, r1873889 from trunk:

mod_systemd.xml: add basic unit example [skip ci]

Add some blurb on correctly stopping the service w/mod_systemd. [skip ci]

Submitted by: elukey, jorton

Clarify compatibility and interpretation of CGIDScriptTimeout. [skip ci]

CHANGES w/ credit for 1873906


  1. … 14 more files in changeset.
Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at

the earliest connection stage, we can switch the SSL_CTX of the SSL connection

early enough for OpenSSL to take into account the protocol configuration of the


In other words:


followed by:


works as expected at this stage (while the same from the SNI callback is

ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback

is not as easy as calling SSL_get_servername() though, we have to work with

the raw TLS extensions helpers provided by OpenSSL. I stole this code from a

test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in


We can then call init_vhost() as with the SNI callback (in use only for OpenSSL

versions earlier than 1.1.1 now), and pass it the extracted SNI.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which

depends on its return value (OK/NOACK), mainly on session resumption, for

SSL_get_servername() to consider or ignore the SNI (returning NULL thus

making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists

in the configured vhosts, even when it's called multiple times (e.g. first

from ClientHello callback and then from SNI callback), so save that state in

sslconn->vhost_found and reuse it.

mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost

selected by Hello/SNI callback.

mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic

Reviewed by: ylavic, minfrin, jim

Merge r1873748 from trunk:

factor out TE=chunked checking

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873747 from trunk:

factor out default regex flags

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873745 from trunk:

trap bad FTP responses

Submitted by: covener

Reviewed by: covener, minfrin, jorton


test and vote

Update xforms. [skip ci]