*) mod_ssl: Fixes PR 62654 where "require ssl" did not work on HTTP/2 connections, and PR 61519 where $HTTPS was incorrect for the "SSLEngine optional" case.

+1: jorton, jim, minfrin

Merge r1826995, r1827001 from trunk:

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR 62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing
Reviewed by: icing, ylavic, rpluem

On the 2.4.x branch: merge of 1804530,1804531,1805186,1806939,1807232,1808122 from trunk.

Backport of mod_md support in mod_ssl.

Merge r1803392, r1803396, r1803398 from trunk:

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP is defined. PR 61206.
Submitted by: Michael Schlenker <msc contact.de>

mod_ssl, ab: compatibility with LibreSSL. PR 61184.
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

Follow up to r1803396: CHANGES entry.

Reviewed by: ylavic, jim, covener

Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:

Add Configuration for trusted OCSP responder certificates
Fix for PR 46037

Add back the file I removed in r1781575.

Add missing documentation for r1781575
Fix for PR 46037

Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.

Submitted by: jfclere, druggeri, wrowe
Reviewed by: jfclere, jim, ylavic

Merge r1788430 from trunk:

mod_ssl: follow up to r1781575
Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested by wrowe.

Submitted by: ylavic
Reviewed by: jfclere, jim, ylavic

Merge r1781187, r1781190, r1781312 from trunk:

mod_ssl: work around leaks on (graceful) restart.
Tested with valgrind and --with-ssl shared/static.

mod_ssl: follow up to r1781187.
The ssl_util_thread_*() functions are not necessary with openssl-1.1+

mod_ssl: follow up to r1781187.
Address SSL_CTX leak in (merged) proxy_ctx.

Reviewed by: ylavic, jim, wrowe

Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:

Support OpenSSL 1.1.0

Proposed by: rjung
Reviewed by: wrowe, jorton, covener

Merge r1706595 from trunk:

Follow-up to r1702948:
APR_HAVE_foo is checked via #if, not #ifdef (since it should always be defined, to either 0 or 1)
This fixes a compile error on Windows introduced by r1702948 as well as straightens up two long-time glitches.

Submitted by: trawick
Reviewed/backported by: jim

mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL.

Submitted by: ylavic

Reviewed by: icing, minfrin
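The SSLOCSPEnable 'leaf' mode from r1826995 earlier on this page and the no_crl_for_cert_ok flag in this commit both change the same two things: which certificates of a presented chain get a revocation check, and what a missing CRL or OCSP answer means for the verdict. The following is an added example, not mod_ssl's code: a Python model of that decision, run over a constructed three-certificate chain with one published CRL and one OCSP answer. The `Cert`/`Crl` types, the mode names taken from the directives, and all the sample data are assumptions made for illustration.

```python
"""Model of chain-vs-leaf revocation scoping and of the no_crl_for_cert_ok
flag. Added example, not mod_ssl code; the chain, CRL and OCSP data are
constructed for the demonstration."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class Crl:
    issuer: str
    revoked: set = field(default_factory=set)   # revoked serial numbers


def certs_to_check(chain, mode):
    """chain[0] is the leaf. 'chain' (or OCSP 'on') checks every certificate,
    'leaf' only chain[0], 'none'/'off' checks nothing."""
    if mode in ("none", "off"):
        return []
    if mode == "leaf":
        return chain[:1]
    if mode in ("chain", "on"):
        return list(chain)
    raise ValueError(f"unknown mode {mode!r}")


def crl_check(chain, mode, crls, no_crl_for_cert_ok=False):
    """crls maps issuer name -> Crl. Returns (ok, reason).
    Without the flag a missing CRL for a checked certificate is a hard failure;
    with it the certificate is accepted, the pre-2.4 behaviour the flag restores."""
    for cert in certs_to_check(chain, mode):
        crl = crls.get(cert.issuer)
        if crl is None:
            if no_crl_for_cert_ok:
                continue
            return False, f"no CRL for issuer of {cert.subject}"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject} is revoked"
    return True, "ok"


def ocsp_check(chain, mode, answers):
    """answers maps (issuer, serial) -> 'good' | 'revoked'; absent means no
    usable responder answer, which is a failure for a checked certificate."""
    for cert in certs_to_check(chain, mode):
        status = answers.get((cert.issuer, cert.serial))
        if status is None:
            return False, f"no OCSP status for {cert.subject}"
        if status == "revoked":
            return False, f"{cert.subject} is revoked"
    return True, "ok"


# constructed sample data: the root publishes no CRL, and the responder only
# knows about the leaf, which is the usual shape of a real client-cert setup
ROOT = Cert("Root CA", "Root CA", 1)
INTERMEDIATE = Cert("Issuing CA", "Root CA", 2)
LEAF = Cert("client1", "Issuing CA", 1001)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
CRLS = {"Issuing CA": Crl("Issuing CA", revoked={1002})}
OCSP = {("Issuing CA", 1001): "good"}


def demo():
    """Verdicts for the sample chain under each configuration."""
    return {
        "crl_chain": crl_check(CHAIN, "chain", CRLS)[0],
        "crl_chain_flag": crl_check(CHAIN, "chain", CRLS, no_crl_for_cert_ok=True)[0],
        "crl_leaf": crl_check(CHAIN, "leaf", CRLS)[0],
        "ocsp_chain": ocsp_check(CHAIN, "chain", OCSP)[0],
        "ocsp_leaf": ocsp_check(CHAIN, "leaf", OCSP)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'pass' if ok else 'FAIL'}")
```

The missing CRL for the intermediate's issuer is what makes chain mode fail here, and it is the common way deployments hit this in practice. Both `leaf` and the flag make the chain acceptable, but they are not equivalent: `leaf` still demands a CRL for the certificate that actually identifies the client, whereas no_crl_for_cert_ok also accepts a leaf whose issuer has published no CRL at all, so it is the weaker setting.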

Merge r1726881, r1727111 from trunk:

* Introduce SSLOCSPProxyURL in order to do OCSP requests via an HTTP proxy. Documentation to follow.
* Change entry and documentation for SSLOCSPProxyURL

Submitted by: rpluem
Reviewed/backported by: jim

backport of r1718514,1721313
Merge r1708107, r1709587, r1709602, r1709995, r1710231, r1710419, r1710572, r1710583, r1715023 from trunk:

mod_ssl: performing protocol switch directly after ALPN selection, mod_http2: connection hook inits network filters to force TLS handshake, reads input only if H2Direct explicitly enabled, changes H2Direct default to off even for cleartext connections

new ap_is_allowed_protocol() for testing configured protocols, added H2Upgrade on/off directive, changed H2Direct default back to on when h2c is in Protocols

moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl

mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection

announce protocol choices on first request

fixing compilation issue for older platform

disabling protocol upgrades on slave connections

first request on master connection only reports more preferred protocols in Upgrade header

mod_ssl: follow up to r1709602.
Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to process_connection hook (r1709602) along with H2Direct speculative read.

Submitted by: icing, ylavic
Reviewed/backported by: jim

merge r1703952 from trunk

Support compilation against libssl built with OPENSSL_NO_SSL3, and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3", in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton

Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:

adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy configuration, a remote attacker could send a carefully crafted request which could crash a server process, resulting in denial of service.
Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting this issue.
* server/util.c (ap_parse_token_list_strict): New function.
* modules/proxy/proxy_util.c (find_conn_headers): Use it here.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Send a 400 for a malformed Connection header.
Submitted by: Edward Lu, breser, covener

http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code for clients requesting a hostname on a reused connection whose SNI (from the TLS handshake) does not match.
PR 5802.
This allows HTTP/2 clients to fall back to a new connection as per: https://tools.ietf.org/html/rfc7540#section-9.1.2
Proposed by: Stefan Eissing <stefan eissing.org>
Reviewed by: ylavic

c89

Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows

final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic

Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing

Reviewed/backported by: jim
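Two behaviours in the merged set above are easiest to reason about as a small model: how a protocol is chosen from what the client offers (by HTTP Upgrade or ALPN) against the vhost's Protocols list with ProtocolsHonorOrder, and when a request on a reused TLS connection gets 421 Misdirected Request because its vhost could not have produced the handshake that was done. The following is an added example, not httpd's code. The vhost table is constructed; `tls_profile` is a stand-in for the certificate, cipher and client-verification settings a handshake fixes, and the rule that vhosts with identical settings are served on each other's connections follows the "allow request if equal" description in the r1708107 set earlier on this page.

```python
"""Model of ALPN/Upgrade protocol selection and of the 421 decision for
reused connections. Added example, not httpd code; VHOSTS is constructed
and tls_profile is a stand-in for the real TLS settings."""
from dataclasses import dataclass

DEFAULT_PROTOCOLS = ("http/1.1",)   # Protocols default after these commits


@dataclass(frozen=True)
class VHost:
    name: str
    protocols: tuple = DEFAULT_PROTOCOLS   # Protocols directive, in the server's preference order
    honor_order: bool = True               # ProtocolsHonorOrder
    tls_profile: str = "default"           # constructed stand-in for cert/cipher/verify settings


def select_protocol(vhost, current, offers):
    """Return the protocol to speak next, or None if nothing configured matches.
    A candidate is a configured protocol the client offered; the protocol already
    in use stays a candidate even when not explicitly proposed (offers may be None)."""
    offers = tuple(offers or ())
    candidates = [p for p in vhost.protocols if p in offers or p == current]
    if not candidates:
        return None
    if vhost.honor_order:
        return candidates[0]            # server's configured order decides
    for p in offers:                    # otherwise the client's order decides
        if p in candidates:
            return p
    return current                      # nothing offered matched: stay as we are


def misdirected(handshake_vhost, request_vhost):
    """421 when the request's vhost would not have produced the same TLS
    handshake; an HTTP/2 client then retries on a fresh connection
    (RFC 7540 section 9.1.2). Identical TLS settings are served as-is."""
    if request_vhost.tls_profile != handshake_vhost.tls_profile:
        return 421
    return None


# constructed vhost table: www and api share a certificate (SAN covers both)
# and the same TLS settings; legacy has its own certificate and client verification
VHOSTS = {
    "www.example.test": VHost("www.example.test", ("h2", "http/1.1"), True, "certA/modern"),
    "api.example.test": VHost("api.example.test", ("h2", "http/1.1"), False, "certA/modern"),
    "legacy.example.test": VHost("legacy.example.test", ("http/1.1",), True, "certB/verify-client"),
}


def negotiate(sni, offers):
    """ALPN step: the handshake vhost (chosen by SNI) picks the protocol."""
    return select_protocol(VHOSTS[sni], "http/1.1", offers)


def route(sni, host):
    """Request step on a reused connection: None means serve, 421 means reject."""
    return misdirected(VHOSTS[sni], VHOSTS[host])


if __name__ == "__main__":
    print(negotiate("www.example.test", ("http/1.1", "h2")))       # h2: server order wins
    print(negotiate("api.example.test", ("http/1.1", "h2")))       # http/1.1: client order wins
    print(negotiate("legacy.example.test", ("h2",)))               # http/1.1: h2 not configured
    print(route("www.example.test", "api.example.test"))           # None: same TLS settings
    print(route("www.example.test", "legacy.example.test"))        # 421
```

The 421 check is the security-relevant half: without it, a client that negotiated a certificate-only handshake for www could send requests for a vhost that requires client certificates over the same connection, and the per-vhost TLS policy would be bypassed on reuse.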

Merge r1679032, r1679192, and r1680276 from trunk:

r1679032:
mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing the OCSP response for a different certificate. mod_ssl has an additional global mutex, "ssl-stapling-refresh".
Not mentioned in CHANGES:
Stapling no longer uses a mutex when using a stapling cache implementation which doesn't require it. (A further, unrelated code change to mod_ssl is required to allow the use of memcache as a stapling cache, and I haven't tested with distcache; thus it isn't clear if this helps in practice yet.)

r1679192:
Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:
OCSP stapling: slight simplification to some internal interfaces, add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton

Merge r1650047 from trunk:

Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes

Proposed by: kbrand

Reviewed by: ylavic, druggeri
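The commit above defines the variable family but not how the numbering behaves when a certificate mixes entry types. The following is an added example, not mod_ssl's code: a Python model of the naming scheme, showing the full-table export the "StdEnvVars" option does and the on-demand lookup of a single name, over a constructed certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns. The zero-based, per-type numbering and the restriction to dNSName and rfc822Name follow the commit; the getpeercert() type labels ("DNS", "email") are an assumption about the input format, not something mod_ssl uses.

```python
"""Model of the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables. Added
example, not mod_ssl code; CLIENT_CERT is a constructed getpeercert()-style
dict."""
import re

# getpeercert() type label -> mod_ssl variable suffix; anything else is not exported
SAN_TYPES = {"DNS": "DNS", "email": "Email"}


def san_variables(cert, side="CLIENT"):
    """Build the full variable table, as the StdEnvVars option exports it.
    Entries are numbered from 0 separately per type, in certificate order."""
    counters = {"DNS": 0, "Email": 0}
    out = {}
    for typ, value in cert.get("subjectAltName", ()):
        suffix = SAN_TYPES.get(typ)
        if suffix is None:            # IP addresses, URIs, otherName etc. are skipped
            continue
        out[f"SSL_{side}_SAN_{suffix}_{counters[suffix]}"] = value
        counters[suffix] += 1
    return out


_VAR = re.compile(r"^SSL_(CLIENT|SERVER)_SAN_(Email|DNS)_(\d+)$")


def lookup(cert, name):
    """On-demand lookup of one variable, what %{SSL_CLIENT_SAN_DNS_0} in an
    expression resolves to, without building the whole table. None when the
    name is not a SAN variable or the index does not exist."""
    m = _VAR.match(name)
    if not m:
        return None
    suffix, idx = m.group(2), int(m.group(3))
    wanted = [t for t, s in SAN_TYPES.items() if s == suffix][0]
    values = [v for t, v in cert.get("subjectAltName", ()) if t == wanted]
    return values[idx] if idx < len(values) else None


# constructed client certificate in the shape ssl.SSLSocket.getpeercert() returns
CLIENT_CERT = {
    "subject": ((("commonName", "alice"),),),
    "subjectAltName": (
        ("email", "alice@example.test"),
        ("DNS", "alice-laptop.example.test"),
        ("IP Address", "192.0.2.10"),          # not one of the two exported types
        ("DNS", "alice-phone.example.test"),
        ("email", "a.liddell@example.test"),
    ),
}


if __name__ == "__main__":
    for name, value in sorted(san_variables(CLIENT_CERT).items()):
        print(f"{name}={value}")
    print(lookup(CLIENT_CERT, "SSL_CLIENT_SAN_DNS_1"))
```

The practical caveat for access control is visible in the output: a certificate can carry several entries of one type, so a rule that compares only `SSL_CLIENT_SAN_DNS_0` checks one name the CA chose to put first, not "the" name of the client. Either iterate the numbered variables or pin the policy to the subject DN when the CA's SAN ordering is not under your control.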

Merge r1653997 from trunk:

mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored in virtualhost context (new version of r1653906 reverted by r1653993).

Submitted by: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified by: ylavic

Submitted by: ylavic

Reviewed/backported by: jim
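The merge bug fixed above and the "all -SSLv3" compiled-in default from r1703952 earlier on this page are both about how an SSLProtocol value is computed and then inherited by a virtual host. The following is an added example, not mod_ssl's code: a Python model of the directive's documented argument semantics (a bare name replaces, `+` adds, `-` removes) and of the two merge strategies, the by-value merge that made `SSLProtocol all` in a vhost indistinguishable from "not set", and an explicit "was set" flag that fixes it. The bit values, the `SslConfig` class and the merge function names are assumptions made for the model.

```python
"""Model of SSLProtocol parsing and of server-to-vhost merging, before and
after an explicit set-flag. Added example, not mod_ssl code."""

PROTOCOLS = {"SSLv3": 1 << 0, "TLSv1": 1 << 1, "TLSv1.1": 1 << 2,
             "TLSv1.2": 1 << 3, "TLSv1.3": 1 << 4}
ALL = sum(PROTOCOLS.values())
_BY_LOWER = {name.lower(): bits for name, bits in PROTOCOLS.items()}
COMPILED_IN_DEFAULT = "all -SSLv3"      # the default after r1703952


def parse_protocol(arg):
    """Parse an SSLProtocol argument list into a bitmask. A bare name replaces
    whatever was set so far, '+' adds and '-' removes; names are case-insensitive."""
    mask = 0
    for word in arg.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        bits = ALL if key == "all" else _BY_LOWER.get(key)
        if bits is None:
            raise ValueError(f"unknown protocol {word!r}")
        if action == "-":
            mask &= ~bits
        elif action == "+":
            mask |= bits
        else:
            mask = bits                  # bare name: overrides anything set before it
    return mask


def names(mask):
    """Human-readable list of the protocols enabled in a mask."""
    return [name for name, bits in PROTOCOLS.items() if mask & bits]


class SslConfig:
    """Per-server/per-vhost protocol setting; None means the directive was absent."""
    def __init__(self, directive=None):
        self.protocol_set = directive is not None
        self.protocol = parse_protocol(directive if directive is not None else COMPILED_IN_DEFAULT)


def merge(base, add):
    """Fixed behaviour: the vhost value wins only when it was explicitly set."""
    merged = SslConfig()
    if add.protocol_set:
        merged.protocol, merged.protocol_set = add.protocol, True
    else:
        merged.protocol, merged.protocol_set = base.protocol, base.protocol_set
    return merged


def merge_by_value(base, add):
    """Pre-fix behaviour: a vhost value equal to ALL looked like 'not set' and
    silently took the server's value, so 'SSLProtocol all' in a vhost was ignored."""
    return add.protocol if add.protocol != ALL else base.protocol


if __name__ == "__main__":
    print(names(parse_protocol(COMPILED_IN_DEFAULT)))
    print(names(parse_protocol("TLSv1.2 TLSv1.3")))      # only TLSv1.3: second bare name replaced the first
    server, vhost = SslConfig("TLSv1.2"), SslConfig("all")
    print(names(merge(server, vhost).protocol), names(merge_by_value(server, vhost)))
```

Two things worth checking in your own configuration fall out of the model: `SSLProtocol TLSv1.2 TLSv1.3` enables only TLSv1.3 (the second bare name replaces the first; `-all +TLSv1.2 +TLSv1.3` is the form that means what it looks like), and a vhost that restates `all` on a 2.4 release before this fix inherits whatever the server context set, so the effective protocol list can only be trusted by testing the port, not by reading the vhost block.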

Merge r1650310 and r1650320 from trunk:

mod_ssl: Add SSLSessionTickets (on|off).
It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on).
Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. As long as we do not have a nice key management there needs to be a way to deactivate the use of session tickets.

Submitted by: rjung
Reviewed by: rjung, covener, ylavic
Backported by: rjung

Merge r1629372, r1629485, r1629519 from trunk:

Move OCSP stapling information from a per-certificate store (ex_data attached to an X509 *) to a per-server hash which is allocated from the pconf pool. Fixes PR 54357, PR 56919 and a leak with the certinfo_free cleanup function (missing OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add ssl_stapling_certid_free (used with apr_pool_cleanup_register). Switch to a stapling_certinfo hash which is keyed by the SHA-1 digest of the certificate's DER encoding, rework ssl_stapling_init_cert to only store info once per certificate (allocated from the pconf to the extent possible) and extend the logging.
* modules/ssl/ssl_private.h: adjust prototype for ssl_stapling_init_cert, replace ssl_stapling_ex_init with ssl_stapling_certinfo_hash_init
* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh <alex alex.org.uk>

Follow up to r1629372: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).

Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim

Merge r1597349,1598107,1603915,1605827,1605829 from trunk:

mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer larger keys and support up to 8192-bit keys.

Submitted by: rpluem, jorton
Reviewed by: ylavic, kbrand

Merge r1583191, r1584098, r1584665, r1591401 from trunk:

mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.

mod_ssl: follow up to r1583191.
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce grouped with other OCSP ones, nested if turned to a single AND condition).

Remove SSLOCSPUseRequestNonce OpenSSL-0.9.7 requirement (0.9.8 already required by httpd-2.4) and set availability to 2.5-dev until further notice.

mod_ssl: follow up to r1583191.
Use type BOOL for modssl_ctx_t's field ocsp_use_request_nonce.
Suggested by: kbrand.

Submitted by: ylavic
Reviewed/backported by: jim

Fix typo in comments.

trunk commits:
r1491180
r1563894, r1566428, r1566449

restore argument structure for exec-type SSLPassPhraseDialog programs, and implement a special merging algorithm for SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7

Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk:

Throw away the myCtxVar{Set,Get} abomination and introduce a pphrase_cb_arg_t struct instead, for passing stuff between ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct members instead of using additional local variables, to make the data flow more transparent. (Doesn't "vastly simplify" the code yet, but hopefully we'll get there when further stripping down ssl_pphrase_Handle.)

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible, unfortunately, due to the heavily intertwined code in ssl_engine_config.c, ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the modssl_pk_server_t data structure. For better comprehensibility, a detailed listing of the changes follows:

ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs and keys (in theory; currently OpenSSL does not support more than one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check, and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling, make it only load a single (encrypted) private key, and rename to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type passphrase prompting programs

ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr, and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey

CodeWarrior compiler doesn't allow vars as struct inits.

Remove per-certificate chain handling code (obsoleted by https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)

make the ppcb_arg initialization a bit more uniform and easier to read

Followup fix for r1553824: also pass the file name to ssl_load_encrypted_pkey, to make sure that we retry with the same filename we used for SSL_CTX_use_PrivateKey_file first

With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.

update APLOGNO for r1564760

Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand
Reviewed/backported by: jim

Merge r1544774, r1544812 from trunk:

Address a todo listed in https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"
For diagnostic purposes, ssl_die() is still there, but instead of abruptly exit(1)ing, it will return APR_EGENERAL to the ssl_init_* callers in ssl_engine_init.c, and these will propagate the status back to ssl_init_Module.

Followup to r1544774: do not ignore failures from ssl_server_import_{cert,key} in ssl_init_server_certs

Submitted by: kbrand
Reviewed/backported by: jim

Backport r1544784 from trunk:

Remove SSLPKCS7CertificateFile support:
- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can be trivially converted to a file for use with SSLCertificateChainFile (concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString call missing from modssl_ctx_cfg_merge

Proposed by: kbrand
Reviewed by: covener, druggeri

Backport r1421323, r1534754, r1546693, r1555464 from trunk:

Add support for OpenSSL configuration commands by introducing the SSLOpenSSLConfCmd directive.

Proposed by: kbrand
Reviewed by: drh, trawick
