Checkout Tools
  • last updated 1 hour ago
Constraints: committers
Constraints: files
Constraints: dates
Backport from HEAD:

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early

(rather than segfault later) if a client cert is configured which is

missing either the certificate or private key.

PR: 24030

Reviewed by: jorton, minfrin, jerenkrantz, wrowe

Backport fix for CAN-2004-0885:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a

correct cipher suite has been negotiated, else deny access.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL

0.9.7, prevent session resumption during a renegotiation to force the

client to negotiate a new (and acceptable) cipher suite.

PR: 31505

Submitted by: Hartmut Keil <Hartmut.Keil>, Joe Orton

Reviewed by: jorton, pquerna, minfrin, wrowe

  1. … 1 more file in changeset.
Backport from HEAD:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer

overflow in FakeBasicAuth code if client's subject DN exceeds 6K in

length (CVE CAN-2004-0488); switch to using apr-util base64 encoder


* modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL

error stack contents if engine load/init fails.

* modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print

an unsigned long.

* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation,

ssl_log_ssl_error): const-ify annotation strings and simplify


Reviewed by: Andr�� Malo, Jeff Trawick

  1. … 5 more files in changeset.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Disable

all OpenSSL-internal session caching.

* modules/ssl/ssl_toolkit_compat.h: Define SSL_SESS_CACHE_NO_INTERNAL


PR: 26562

Submitted by: Madhusudan Mathihalli

Reviewed by: Joe Orton, Jeff Trawick

  1. … 3 more files in changeset.
fix name of The Apache Software Foundation

  1. … 158 more files in changeset.
apply Apache License, Version 2.0

  1. … 38 more files in changeset.
Grrrr... don't build against APR HEAD :/



Obtained from:

Submitted by:

Reviewed by:

  1. … 3 more files in changeset.
If using apr_fnmatch() we should be using it's macros


Obtained from:

Submitted by:

Reviewed by:

  1. … 3 more files in changeset.
update license to 2004.

  1. … 274 more files in changeset.
Backport from HEAD:

* ssl_engine_log.c (ssl_log_ssl_error): Use the thread-safe

interface for retrieving error strings.

* mod_ssl.c (ssl_cleanup_pre_config): Don't free the error strings,

since they can't be loaded again once.

  1. … 3 more files in changeset.

Backport the RSA SSL-C compatibility changes. More work remains because

not all of the headers required for the 'openssl way' of doing things

are in the headers from the binary distribution. While the source distro

doesn't suffer as many problems, we should find ways to individually

cripple those features for the binary distro that most users will have


Mucho thanks to Trawick for his efforts in keeping the patch in sync.

  1. … 8 more files in changeset.

DougM confirms Madhu's suspicions, this change was inadvertent.

Reverting to no longer skip the first cert in the chain.

update license to 2003.

  1. … 265 more files in changeset.

After introducing tests in the cmds, we lose the absolute authority

of the CRYPTO_malloc_init() which must happen the moment we load the

module and prior to *any* ssl library fn invocation.

Moved the CRYPTO_malloc_init() into the ssl_register_hooks() function,

the absolute first call made into any loaded module.

  1. … 1 more file in changeset.

All we want is type and name, so ask for type and name.

  1. … 1 more file in changeset.