Checkout Tools
  • last updated 1 hour ago
Constraints: committers
Constraints: files
Constraints: dates
Try to clarify extended uses of SSLCertificateFile.

Backport of r1682923 from trunk.

  1. … 2 more files in changeset.
Applies fix recommended in bz56346

Related to httpd-doc bug 53530; uniform use of quotation marks.

Put quotation marks around most arbitrary-text or filesystem

strings for directives:

* {Alias,Redirect,Proxy*}{,Match}

* <{Directory,Files,Location}{,Match}>

  1. … 85 more files in changeset.
Correct typo as spoted in a comment in online doc
  1. … 1 more file in changeset.
fix broken references

  1. … 28 more files in changeset.
Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y

functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether

they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward

#ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

PR 55616 (add missing APLOGNO), part 2

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 24 more files in changeset.
Add support for TLS-SRP (Secure Remote Password key exchange

for TLS, RFC 5054).

Including some improvements as suggested by Kaspar

PR: 51075

Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou,

Peter Sylvester

Backported by: sf

Reviewed by: sf, minfrin, rjung

Backports of r1347980 and r1348653 form trunk.

  1. … 11 more files in changeset.
typo fix
Backporting syntax highlighting and igor's changes for ssl/
  1. … 7 more files in changeset.
Merge r1303804, r1303805 from trunk (again):

Remove link to outdated (and deleted) question about ssl errors in old browsers.

rebuild html.

Submitted by: humbedooh

  1. … 1 more file in changeset.
Typos and broken links (via Daniel Gruno - rumble at cord dk)

  1. … 4 more files in changeset.
As per mention

that subjectAltName and wildcard certs are viable solutions.

  1. … 1 more file in changeset.