ssl_engine_io.c

Checkout Tools
  • last updated 3 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates

Changeset 1705672 is being indexed.

Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:

adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse

proxy configuration, a remote attacker could send a carefully crafted

request which could crash a server process, resulting in denial of

service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for

reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):

Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener

http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code

for clients requesting a hostname on a reused connection whose SNI (from the

TLS handshake) does not match.

PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:

https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>

Reviewed by: ylavic

c89

Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows

final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic

Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing

Reviewed/backported by: jim

  1. … 16 more files in changeset.
Backport r1690137.

Doc and comment fix only

  1. … 11 more files in changeset.
core, modules: Avoid error response/document handling by the core if some

handler or input filter already did it while reading the request (causing

a double response body).

Submitted by: ylavic

Backports: r1482522 (partial, ap_map_http_request_error() things only!),

r1529988, r1529991, r1643537, r1643543, r1657897, r1665625,

r1665721, r1674056

Reviewed by: ylavic, minfrin, wrowe

  1. … 26 more files in changeset.
Merge r1601919, r1650061 from trunk:

mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads.

mod_ssl: follow up to r1601919.

Likewise when set from SNI callback.

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 4 more files in changeset.
Merge r1533765, r1621419, r1638159, r1638188, r1601603, r1638412, r1418763 from trunk

ssl: Axe needless string duplication in setup for call to apr_proc_create()

Fix sscanf format spotted by cppcheck

fix indent.

fix style

Private function doesn't need ap_ prefix.

tab vs space

rename variables: s should be the server_rec

Submitted by: trawick, jailletc36, jailletc36, jailletc36, takashi, jailletc36, sf

Reviewed by: jailletc36, ylavic, covener

Backported by: jailletc36

  1. … 8 more files in changeset.
Merge r1633031, r1633522, r1633529, r1633530 from trunk

Style fix

Submitted by: jailletc36

Reviewed by: jailletc36, jim, ylavic

Backported by: jailletc36

  1. … 4 more files in changeset.
Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y

functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether

they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward

#ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

PR 55616 (add missing APLOGNO), part 2

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 24 more files in changeset.
Merge r1470679, r1477094 from trunk:

core, mod_ssl: Lift the restriction that prevents mod_ssl taking

full advantage of the event MPM. Enable the ability for a module

to reverse the sense of a poll event from a read to a write or vice

versa.

Update the docs to note that SSL now works with the event MPM as per r1470679.

Submitted by: minfrin

Reviewed/backported by: jim

  1. … 11 more files in changeset.
Merge r1425874, r1426850 from trunk:

mod_ssl: add support for subjectAltName-based host name checking in proxy mode

(PR 54030)

factor out code from ssl_engine_init.c:ssl_check_public_cert()

to ssl_util_ssl.c:SSL_X509_match_name()

introduce new SSLProxyCheckPeerName directive, which should eventually

obsolete SSLProxyCheckPeerCN

ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication

when aborting with HTTP_BAD_GATEWAY

Fix warning about discarding 'const' qualifier from pointer

Submitted by: kbrand, sf

Reviewed/backported by: jim

  1. … 12 more files in changeset.
Merge r1375584 from trunk:

* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a

wildcard common name match.

PR: 53006

Submitted by: jorton

Reviewed/backported by: jim

  1. … 2 more files in changeset.
Merge r1328325, r1328326:

When receiving http on https, send the error response with http 1.0

It is important that we send a proper error status, or search engines

may index the error message.

Remove the link in the speaking-http-on-https error message.

With SNI, the link will usually be wrong. So better send no link at all.

PR: 50823

Reviewed by: sf, jorton, trawick

  1. … 5 more files in changeset.
Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG

to TRACE1-3

  1. … 164 more files in changeset.
merge r1203491 from trunk:

drop SSLv2 support (set SSL_OP_NO_SSLv2 for any new SSL_CTX)

  1. … 6 more files in changeset.