'flags' are optional in SSLCARevocationCheck. Update the syntax accordingly.

(r1861442 in trunk)

Backport r1852478 to fix some typo in <syntax>

+ tweak mod_privilege to synch with trunk

  1. … 2 more files in changeset.
Add compatibility note missing in r1740967, backported in 2.4.x branch in r1824187.

(r1851643 in trunk)

Remove garbage.

Backport of r1842639 from trunk.

  1. … 1 more file in changeset.
documentation rebuild
  1. … 4 more files in changeset.
mod_ssl.xml: bring balance to the force
  1. … 8 more files in changeset.
Merge r1826995, r1827001 from trunk:

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a

certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing

Reviewed by: icing, ylavic, rpluem

  1. … 8 more files in changeset.
Have code and doc consistent.

The SSLRandomSeed builtin uses 128 bytes of stack, not 1kb of scoreboard data.

(r1832346 in trunk)

See PR 54752

Merge r1811976 from trunk:

Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing

users to convert an attribute value without conversion to UTF-8. (A

public CA has issued certs with attributes tagged as the wrong ASN.1

string types.)

* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from

asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as

macro.

(modssl_X509_NAME_ENTRY_to_string): Add raw argument.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw

string conversion if _RAW suffix is present in DN component.

Submitted by: jorton

Reviewed by: jorton, jim, ylavic

  1. … 5 more files in changeset.
mod_ssl.xml: remove <override>Not applicable</override>

These tags generate a "Not applicable" section in

docs/manual/mod/overrides.html that doesn't make a lot of

sense, plus it breaks ./build.sh validate-xhtml.

  1. … 30 more files in changeset.
Sync with trunk the override suggestions for directives in:

mod_authn_socache.xml

mod_logio.xml

mod_ssl.xml

This caused two issues:

1) ./build.sh validate-xhtml failing due to xml validation

failures for the string "Not applicable".

2) weird categories ('none', 'Not applicable', 'None') in

overrides.html that don't make much sense.

  1. … 2 more files in changeset.
Merge r1792336 from trunk
Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:

Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

Add back the file I removed in r1781575.

Add missing documentation for r1781575

Fix for PR 46037

Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.

Submitted by: jfclere, druggeri, wrowe

Reviewed by: jfclere, jim, ylavic

Merge r1788430 from trunk:

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested

by wrowe.

Submitted by: ylavic

Reviewed by: jfclere, jim, ylavic

  1. … 10 more files in changeset.
Correct some typos across the documentation.

This commit was made thanks to the tool and PR

created by Lajos Veres (vlajos) on github.

PR: https://github.com/apache/httpd/pull/6

Tool: https://github.com/vlajos/misspell_fixer

  1. … 9 more files in changeset.
Merge r1761215 from trunk:

feedback in http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#comment_5818

This added paragraph about optional and optional_no_ca isn't helpful.

At the TLS layer, the challenge for optional and required are no different.

Move the caution about _no_ca up into where the option is defined

and reword.

Fix PR 59856.

Fix directive name. (ProxyRequest vs ProxyRequests)

Improve highlight.

(r1752747 in trunk)

mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive

to opt-in previous behaviour (2.2) with CRLs verification when checking

certificate(s) with no corresponding CRL.

Submitted by: ylavic

Reviewed by: icing, minfrin

  1. … 8 more files in changeset.
Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],

such that disabling either disables both, and that enabling either will

trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which

is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Changes to the proxy config directives lead us to a different 2.4 fix...

https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch

Backports: 1746647

Reviewed by: wrowe, icing, rpluem

  1. … 4 more files in changeset.
Revert 1746645, was sitting in the wrong tree, mea culpa...
  1. … 1 more file in changeset.
Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],

such that disabling either disables both, and that enabling either will

trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which

is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Major refactoring leads us to an alternate implementation for 2.4.21;

https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch

  1. … 1 more file in changeset.
Remove useless <br \> in highlight blocks.
  1. … 5 more files in changeset.
Fix doc as spotted by Mike Matthews in online doc

Fix link to distcache.

http://www.distcache.org/ --> http://distcache.sourceforge.net/

(r1740717 in trunk)

  1. … 2 more files in changeset.
Backporting documentation commits from trunk (new mod_ssl note about ECC): r1734058,r1734060,r1734067,r1734069
Fix version in compatibility note
Merge r1726881, r1727111 from trunk:

* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.

Documentation to follow.

* Change entry and documentation for SSLOCSPProxyURL

Submitted by: rpluem

Reviewed/backported by: jim

  1. … 6 more files in changeset.
Merge r1711728, r1713209 from trunk:

For the "SSLStaplingReturnResponderErrors off" case, make sure to only

staple responses with certificate status "good". Also avoids including

inaccurate responses when the OCSP responder is not completely up

to date in terms of the CA-issued certificates (and provides interim

"unknown" or "extended revoked" [RFC 6960] status replies).

Log a certificate status other than "good" in stapling_check_response().

Propagate the "ok" status from stapling_check_response() back via both

stapling_renew_response() and get_and_check_cached_response() to the

callback code in stapling_cb(), enabling the decision whether to include

or skip the response.

insert missing LOGNO in ssl_util_stapling.c

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 4 more files in changeset.
Fix a typo in doc as spotted by ceving in online doc
Extend expression parser registration to support

ssl variables in any expression using

mod_rewrite syntax "%{SSL:VARNAME}" or function

syntax "ssl(VARNAME)".

Backport of r1707002 and r1709596 from trunk.

Committed By: rjung

Backported By: rjung

Reviewed by: rjung, ylavic, sf

  1. … 4 more files in changeset.