CHANGES

* Backported in r1862410
*) mod_ssl/mod_md: Adding 2 new hooks for init/get of OCSP stapling status information when other modules want to provide those. Falls back to own implementation with same behaviour as before.

*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for adding certificates and keys to a virtual host. An additional hook allows answering special TLS connections as used in ACME challenges.

*) mod_md: bringing over v2.0.6 from github.
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal, unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and 'errored'. New 'MDWarnWindow' directive to configure when expiration warnings shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see announcement by Let's Encrypt: https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

*) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502.

* modules/http2: reverting r1859724, as no good.

*) mod_http2: internal code cleanups and simplifications. Common output code for h2 and h2c protocols, using nested mutex locks for simplified calls. [Stefan Eissing]

mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy SSL configurations broken inside <Proxy> context.
PR 63430
Triggered by r1855646+r1855748.
Patch from rpluem (proxy) and ylavic (ssl).

Follow up to r1857129: CHANGES entry.

PR63305: fix graceful restart crashes in LDAP
The cache destruction was not protected by the lock used by other cache callers.
Pull the static cleanup function into util_ldap.c so it's convenient to use the existing locking.
Submitted By: Martin Fúsek <mfusek newps.cz>
Committed By: covener

mod_cache: Fix parsing of quoted Cache-Control token arguments. PR 63288.
Make cache_strqtok() return both the token and its unquoted argument (if any), or an error if the parsing fails.
Cache-Control integer values (max-age, max-stale, ...) can then be parsed w/o taking care of the (optional) quoting.
Suggested by: fielding

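An added example of the parsing problem the entry above describes (illustrative code, not httpd's cache_strqtok() or mod_cache itself; the function names cc_next() and cc_int_directive() are made up here): a Cache-Control tokenizer that returns each directive together with its unquoted argument, so that max-age=60 and max-age="60" yield the same integer, and that reports an unterminated quote or trailing junk as an error instead of silently returning a wrong value.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for cc_next(). */
enum { CC_OK = 0, CC_END = 1, CC_ERR = -1 };

/*
 * Read the next "token[=argument]" directive from *cursor and advance the
 * cursor past it. The token is lower-cased into `token`; if an argument is
 * present, *has_arg is set and the argument is copied into `arg` with the
 * surrounding quotes removed and backslash escapes resolved.
 * Returns CC_OK, CC_END when the value is exhausted, or CC_ERR on malformed
 * input (empty token, unterminated quoted-string, junk after an argument).
 */
int cc_next(const char **cursor, char *token, size_t tlen,
            char *arg, size_t alen, int *has_arg)
{
    const char *p = *cursor;
    size_t n = 0;

    *has_arg = 0;
    token[0] = '\0';
    arg[0] = '\0';

    /* Skip separators between directives. */
    while (*p && (*p == ',' || isspace((unsigned char)*p)))
        p++;
    if (!*p) {
        *cursor = p;
        return CC_END;
    }

    /* The token runs up to '=', ',' or whitespace. */
    while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) {
        if (n + 1 >= tlen)
            return CC_ERR;
        token[n++] = (char)tolower((unsigned char)*p);
        p++;
    }
    token[n] = '\0';
    if (n == 0)
        return CC_ERR;

    if (*p == '=') {
        p++;
        *has_arg = 1;
        n = 0;
        if (*p == '"') {
            /* quoted-string: copy up to the closing quote, unescaping \x */
            p++;
            while (*p && *p != '"') {
                if (*p == '\\' && p[1])
                    p++;
                if (n + 1 >= alen)
                    return CC_ERR;
                arg[n++] = *p++;
            }
            if (*p != '"')
                return CC_ERR;          /* unterminated quoted-string */
            p++;
        }
        else {
            /* bare token argument */
            while (*p && *p != ',' && !isspace((unsigned char)*p)) {
                if (n + 1 >= alen)
                    return CC_ERR;
                arg[n++] = *p++;
            }
        }
        arg[n] = '\0';
        /* Only whitespace or the next separator may follow an argument. */
        while (*p && isspace((unsigned char)*p))
            p++;
        if (*p && *p != ',')
            return CC_ERR;
    }

    *cursor = p;
    return CC_OK;
}

/*
 * Look up an integer-valued directive such as max-age or max-stale, quoted
 * or not. Returns the value, -1 if the directive is absent, or -2 if the
 * header is malformed or the argument is missing / not a clean integer.
 */
long cc_int_directive(const char *header, const char *name)
{
    const char *cur = header;
    char tok[64], arg[64];
    int has_arg, rc;

    while ((rc = cc_next(&cur, tok, sizeof tok, arg, sizeof arg, &has_arg)) == CC_OK) {
        if (strcmp(tok, name) == 0) {
            char *end;
            long v;
            if (!has_arg)
                return -2;
            v = strtol(arg, &end, 10);
            if (end == arg || *end != '\0' || v < 0)
                return -2;
            return v;
        }
    }
    return rc == CC_END ? -1 : -2;
}

int main(void)
{
    /* constructed sample header value */
    printf("max-age=%ld\n", cc_int_directive("public, max-age=\"600\"", "max-age"));
    return 0;
}
```

The point worth keeping from the fix is the error path: a caller that only sees "token" and "argument" cannot tell a truncated `max-age="60` from a valid one, so the tokenizer itself has to reject it, otherwise a malformed header can drive a cache decision with a half-parsed value.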
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly restore SSL verify state after PHA failure in TLSv1.3.
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>

*) mod_md: Explicitly setting file permissions to break out of umasks. We want our non-privileged apache user to be able to read them. See github issue <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]

Merge consecutive slashes in the URL by default
opt-out w/ `MergeSlashes OFF`.

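An added illustration of why the merging above matters for path-based access rules (example code written for this page, not httpd's own URI handling; the <Location> matching is simplified to a prefix check and the /admin rule is hypothetical): a request for //admin/secret does not literally start with /admin, so a rule keyed on that prefix would not apply unless the URI is normalized first, while the same request can still resolve to the same resource once the filesystem collapses the slashes.

```c
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out`, collapsing every run of '/' to a single '/'.
 * `out` must have room for strlen(in) + 1 bytes. Returns out. */
char *merge_slashes(const char *in, char *out)
{
    char *o = out;
    while (*in) {
        if (*in == '/') {
            *o++ = '/';
            while (*in == '/')
                in++;
        }
        else {
            *o++ = *in++;
        }
    }
    *o = '\0';
    return out;
}

/* Prefix match in the spirit of a <Location /prefix> section (a simplified
 * illustration, not httpd's location walk): the path is the prefix itself
 * or continues with a '/' directly after it. */
int location_matches(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    if (strncmp(prefix, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Would a request for `path` fall under a hypothetical <Location /admin>
 * access rule? `merge` selects slash merging on (1) or off (0). */
int admin_rule_applies(const char *path, int merge)
{
    char buf[512];
    const char *p = path;

    if (merge) {
        if (strlen(path) >= sizeof buf)
            return 1;               /* fail closed on oversized input */
        p = merge_slashes(path, buf);
    }
    return location_matches("/admin", p);
}

int main(void)
{
    const char *req = "//admin/secret";   /* constructed request path */
    printf("%s: rule applies with merging=%d, without=%d\n", req,
           admin_rule_applies(req, 1), admin_rule_applies(req, 0));
    return 0;
}
```

When turning the default off with `MergeSlashes OFF`, any Location, Alias or rewrite rule that relies on a literal prefix should be re-checked against doubled-slash variants of the protected paths.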
allow mod_mime to be disabled per-dir too

mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
The SSL dir config of proxy/backend connections is stored in r->per_dir_config but those connections have a lifetime independent of the requests they handle. So we need to allow the external ssl_engine_set() function to reset mod_ssl's dir config in between proxy requests, or the first sslconn->dc could be used after free for the next requests.
mod_proxy can then reset/reinit the request config when recycling its backend connections.
PR 63256.

mod_mime: Add `MimeOptions`
mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata detection to use only the last (right-most) file extension.

update after backport, mod_http2/proxy_http2 now equivalent

MPMs unix: bind the bucket number of each child to its slot number
We need not remember each child's bucket number in SHM for restarts, for the lifetime of the httpd main process the bucket number can be bound to the slot number such that: bucket = slot % num_buckets.
This both simplifies the logic and helps children maintenance per bucket in threaded MPMs, where previously perform_idle_server_maintenance() could create or kill children processes for the buckets it was not in charge of.

*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED. Fixed. [Michael Kaufmann]

*) mod_http2: new configuration directive: ```H2Padding numbits``` to control padding of HTTP/2 payload frames. 'numbits' is a number from 0-8, controlling the range of padding bytes added to a frame. The actual number added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE frames equally. The default continues to be 0, i.e. no padding. [Stefan Eissing]

*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2 has no more need for it. Optional functions are still declared but no longer implemented. While previous mod_proxy_http2 will work with this, it is recommended to run the matching versions of both modules. [Stefan Eissing]

*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which resolve PR63170. The proxy module now does a single h2 request on the (reused) connection and returns. [Stefan Eissing]

*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status to trigger immediate shutdown of backend connections. This is now always signalled by mod_http2 when the session is being released. proxy_http2 now only sends a PING frame to the backend when there is not already one in flight. [Stefan Eissing]

*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite loop when encountering certain errors on the backend connection. See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]

http: Fix possible empty response with mod_ratelimit for HEAD requests.
Don't eat the EOS in ap_http_header_filter() if it comes in single brigade with a full response to a HEAD request, otherwise mod_ratelimit will never flush its pending data.

Follow up to r1853874: CHANGES entry.

mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
The timeouts apply between the process_connection and pre_read_request hooks. They are disabled by default for compatibility reasons.

Fix a race condition.
Authentication with valid credentials could be refused in case of concurrent accesses from different users.
PR 63124 [Simon Kappel <simon.kappel axis.com>]

Follow up to r1853133: CHANGES entry.

*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]

*) mod_http2: HEAD requests to some modules such as mod_cgid caused the stream to terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]