Checkout Tools
  • last updated 55 mins ago
Constraints: committers
Constraints: files
Constraints: dates
Add compatibility note as already noted in new_features_2_4.xml

(r1850539 in trunk)

+ remove a trailing space to synch with trunk

Improve hyperlinks (r1737462 in trunk)
Related to httpd-doc bug 53530; uniform use of quotation marks.

Put quotation marks around most arbitrary-text or filesystem

strings for directives:

* {Alias,Redirect,Proxy*}{,Match}

* <{Directory,Files,Location}{,Match}>

  1. … 85 more files in changeset.
* We track the mergeinfo only at the root
  1. … 4 more files in changeset.
Merge r1524192, r1524770, r1527925, r1541270, r1541368 from trunk:

Update rationale

draft-ietf-httpbis-p1-messaging-23 fixes regarding interactions

between TE and content-length in the same req/resp.

PR 55616 (add missing APLOGNO), part 1

Wrap at 80 still, here at httpd project

Use a distinguishing APLOGNO for unk t-e with read-until-close behavior

Submitted by: jim, kbrand, wrowe, wrowe

Reviewed/backported by: jim

  1. … 9 more files in changeset.
Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk:

Throw away the myCtxVar{Set,Get} abomination and introduce

a pphrase_cb_arg_t struct instead, for passing stuff between

ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct

members instead of using additional local variables, to make

the data flow more transparent. (Doesn't "vastly simplify"

the code yet, but hopefully we'll get there when further

stripping down ssl_pphrase_Handle.)

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile

and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,

unfortunately, due to the heavily intertwined code in ssl_engine_config.c,

ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the

modssl_pk_server_t data structure. For better comprehensibility,

a detailed listing of the changes follows:


- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t

- use apr_array_header_t for cert_files and key_files

- drop tPublicCert from SSLModConfigRec

- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants


- change to apr_array_header_t for SSLCertificate[Key]File

- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs

and keys (in theory; currently OpenSSL does not support more than

one cert/key per algorithm type)

- add deprecation warning for SSLCertificateChainFile


- configure server certs/keys in ssl_init_server_certs (no longer via

ssl_pphrase_Handle in ssl_init_Module)

- in ssl_init_server_certs, read in certificates and keys with standard

OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to

ssl_load_encrypted_pkey when encountering an encrypted private key

- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,

and ssl_init_ctx_cleanup_server

- move the "problematic re-initialization" check to ssl_init_server_ctx


- use servername:port:index as the key identifier, instead of the

previously used servername:port:algorithm

- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,

make it only load a single (encrypted) private key, and rename

to ssl_load_encrypted_pkey

- in the passphrase prompt message, show the private key file name

instead of the vhost id and the algorithm name

- do no longer supply the algorithm name as an argument to "exec"-type

passphrase prompting programs


- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,

and ssl_asn1_table_keyfmt


- drop SSL_read_X509

- constify the filename arg for SSL_read_PrivateKey

CodeWarrior compiler doesnt allow vars as struct inits.

Remove per-certificate chain handling code (obsoleted by;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)

make the ppcb_arg initialization a bit more uniform and easier to read

Followup fix for r1553824:

also pass the file name to ssl_load_encrypted_pkey, to make sure that we

retry with the same filename we used for SSL_CTX_use_PrivateKey_file first

With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on

SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.

update APLOGNO for r1564760

Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand

Reviewed/backported by: jim

  1. … 14 more files in changeset.
Merge r1542562 from trunk:

We were not being consistent between http and others

if we added the default port or not during the canonizing

phase... Baseline the http method (don't add unless the

port provided isn't the default).

Reviewed/backported by: jim

  1. … 12 more files in changeset.
Merge r1556206 from trunk:

avoid a tight busy loop with memory allocations when the [N] flag

isn't making progress.

If backported, probably increase the hard-coded limit to 32k from 10k.

Submitted by: covener

Reviewed/backported by: jim

  1. … 8 more files in changeset.
Merge r1557317, r1556911, r1556914, r1555259, r1556912, r1556937, r1559351, r1463046 from trunk:

Style, indentation. No functional change.

As in 'dav_generic_do_refresh', add missing break in 'dav_fs_do_refresh' to avoid useless computation.

Add missing break in 'dav_generic_do_refresh' to avoid useless computation.

Allocate correct size for the array to avoid useless memory allocation and copy

Add missing break.

Oops (fix r1556912)

No need to test for NULL, apr_pstrndup already handles it.

Remove some useless declarations that were shadowing other local

variables of the same name.

Submitted by: jailletc36, sf

Reviewed/backported by: jim

  1. … 14 more files in changeset.
Merge r1544774, r1544812 from trunk:

Address a todo listed in

"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead

of abruptly exit(1)ing, it will return APR_EGENERAL to the

ssl_init_* callers in ssl_engine_init.c, and these will propagate

the status back to ssl_init_Module.

Followup to r1544774: do not ignore failures from ssl_server_import_{cert,key}

in ssl_init_server_certs

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 12 more files in changeset.
Merge r1451633, r1451905, r1451921, r1452259, r1453981, r1501913, r1513508, r1531340, r1531370, r1531962, r1533065, r1540052 from trunk:

Add in rough uds support (Bugx 54101) from Blaise Tarr <>

Make AF_UNIX aware... fix Windows/Netware??

Follow-up to r1451905 to fix NetWare/Windows compilation.

apr trunk-able

message tag for dom sock

Note about new UDS support

UDS subsequent request on a connection fix

Reformat the UDS support inline with a new naming structure.

Use a flag for speed for testing.

syntax sugar... if the worker is associated w/ a UDS,

then make sure the log reporting has a visual clue.

Ensure that userland format of UDS is the same as how it is

configured, no matter how we store and use it internally.

Eclipse code analysis warning

UDS urls need to be desockified when configuring...

Submitted by: jim, fuankg, jim, jim, druggeri, druggeri, jim, jim, jim, jim, jim

Reviewed/backported by: jim

  1. … 13 more files in changeset.
Sync a few doc with trunk
  1. … 2 more files in changeset.
Merge r1554300, r1554301, r1554994, r1555266 from trunk:

core: Support named groups and backreferences within the LocationMatch,

DirectoryMatch, FilesMatch and ProxyMatch directives.

Documentation for the support of named groups and backreferences.

c89 fix

Add a "MATCH_" prefix to variables set within


Submitted by: minfrin, covener, minfrin

Reviewed/backported by: jim

  1. … 17 more files in changeset.
Merge r1523281, r1524368, r1525276, r1525280, r1525281 from trunk:

Switch from private FastCGI protocol handling to util_fcgi API.

Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout.

Bring some envvar flexibility from mod_authnz_fcgi to mod_proxy_fcgi:

mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.

An individual envvar with an encoded length of more than 16K will be


Borrow a fix from mod_authnz_fcgi:

mod_proxy_fcgi: Handle reading protocol data that is split between


Use ap_log_rdata() to dump the FastCGI header, axing a bunch

of custom data dumping code.

Submitted by: trawick, jkaluza, trawick, trawick, trawick

Reviewed/backported by: jim

  1. … 9 more files in changeset.
Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y

functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether

they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward

#ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

PR 55616 (add missing APLOGNO), part 2

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 24 more files in changeset.
Merge r1538490 from trunk:

c->sbh can be unexpectedly NULL when the thread that pulls the ready keepalive

connection out of the queue laps the thread that put it on the queue.

Submitted by: covener

Reviewed/backported by: jim

  1. … 7 more files in changeset.
Broken markup in example
  1. … 4 more files in changeset.
Merge r1526666, r1527220 from trunk:

WinNT MPM: Exit the child if the parent process crashes or is terminated.

Submitted by: Oracle, via trawick

The original modification was made some years ago for Oracle HTTP Server

by an Oracle employee. trawick made additional changes for style and

for trunk/2.4.x changes.

Follow up to r1526666:


a. it is sufficient

b. it avoids an issue where PROCESS_ALL_ACCESS is larger on

newer SDKs, resulting in a run-time error when running on

older Windows

Close the handle.

Submitted by: Ivan Zhakov <ivan>

Submitted by: trawick

Reviewed/backported by: jim

  1. … 10 more files in changeset.
Merge r1513492 from trunk:

follow up to r1513454: fill in missing log number

Submitted by: trawick

Reviewed/backported by: jim

* util_fcgi API to 2.4.x (allows mod_proxy_fcgi to be kept in sync, along

with other less important reasons)

trunk: and

2.4.x: copy server/util_fcgi.c and include/util_fcgi.h, then apply

+1: trawick, jim, chrisd

  1. … 12 more files in changeset.
Missing '$' in variable.

Merges doc restructure from trunk.

2.4 syntax instead of order/allow/deny

property fixes.

  1. … 6 more files in changeset.
add last changed revision.

  1. … 1 more file in changeset.
mention mod_macro in CHANGES and add compatibility note

  1. … 1 more file in changeset.
fixed validation error
  1. … 1 more file in changeset.
Merge r1435811 from trunk:

Add "mod_macro" as a standard module, compiled in with "most".

This module was created in 1998 and has been distributed independently

ever since. It is hereby donated to the Apache Software Foundation.

There are quite a few comments in the source code to explain how it works,

as well as extensive non regression tests.

Some utilities about array processing could be moved to "core.c".

However, I finally decided against for now so that it stays as an external

and independent module, and thus may be backported with minimal impact

on the source tree.

Details of the addition:

* modules/core/mod_macro.c: module source code

* modules/core/test: non regression tests

modules/core/test/conf/: configuration files

modules/core/test/ref/: expected results

* docs/manual/mod/mod_macro.xml: English documentation

* docs/manual/mod/ French documentation

Submitted by: fabien

Reviewed/backported by: jim

  1. … 8 more files in changeset.