CHANGES


Increase the maximum length of strings that can be cached by the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
  1. … 1 more file in changeset.
*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
for a domain managed by mod_md caused a startup error. This happened when mod_md installed
its fallback certificate, before it got the first real certificate from Let's Encrypt.

  1. … 1 more file in changeset.
set PCRE_DOTALL by default

Submitted by ylavic

  1. … 2 more files in changeset.
remove request details from error documents

  1. … 4 more files in changeset.
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  1. … 1 more file in changeset.
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as possible trigger for throttling.

  1. … 5 more files in changeset.
update after mod_md backport
*) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  1. … 3 more files in changeset.
* All backported
* Backported in r1862410
*) mod_ssl/mod_md:
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.

  1. … 3 more files in changeset.
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.

  1. … 4 more files in changeset.
*) mod_md: bringing over v2.0.6 from github.
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
  unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
  Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
  'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
  shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
  announcement by Let's Encrypt:
  https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

  1. … 48 more files in changeset.
mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

  1. … 2 more files in changeset.
*) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502.

  1. … 3 more files in changeset.
* modules/http2: reverting r1859724, as no good.

  1. … 22 more files in changeset.
*) mod_http2: internal code cleanups and simplifications. Common output code for
h2 and h2c protocols, using nested mutex locks for simplified calls. [Stefan Eissing]

  1. … 23 more files in changeset.
mod_proxy/ssl: Proxy SSL client certificate
configuration and other proxy SSL configurations
broken inside <Proxy> context.

PR 63430

Triggered by r1855646+r1855748.

Patch from rpluem (proxy) and ylavic (ssl).

  1. … 2 more files in changeset.
Follow up to r1857129: CHANGES entry.
PR63305: fix graceful restart crashes in LDAP

The cache destruction was not protected by the lock used by other
cache callers.

Pull the static cleanup function into util_ldap.c so it's convenient to
use the existing locking.

Submitted By: Martin Fúsek <mfusek newps.cz>

Committed By: covener

  1. … 2 more files in changeset.
mod_cache: Fix parsing of quoted Cache-Control token arguments. PR 63288.

Make cache_strqtok() return both the token and its unquoted argument (if any),
or an error if the parsing fails.

Cache-Control integer values (max-age, max-stale, ...) can then be parsed w/o
taking care of the (optional) quoting.

Suggested by: fielding

  1. … 3 more files in changeset.
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]

  1. … 2 more files in changeset.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>

  1. … 1 more file in changeset.
*) mod_md: Explicitly setting file permissions to break out of umasks. We want our
non-privileged apache user to be able to read them. See github issue
<https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]

  1. … 1 more file in changeset.
Merge consecutive slashes in the URL by default

opt-out w/ `MergeSlashes OFF`.

  1. … 7 more files in changeset.
allow mod_mime to be disabled per-dir too

  1. … 2 more files in changeset.
mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.

The SSL dir config of proxy/backend connections is stored in r->per_dir_config
but those connections have a lifetime independent of the requests they handle.

So we need to allow the external ssl_engine_set() function to reset mod_ssl's
dir config in between proxy requests, or the first sslconn->dc could be used
after free for the next requests.

mod_proxy can then reset/reinit the request config when recycling its backend
connections.

PR 63256.

  1. … 2 more files in changeset.
mod_mime: Add `MimeOptions`

mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata
detection to use only the last (right-most) file extension.

  1. … 2 more files in changeset.
update after backport, mod_http2/proxy_http2 now equivalent
MPMs unix: bind the bucket number of each child to its slot number

We need not remember each child's bucket number in SHM for restarts, for the
lifetime of the httpd main process the bucket number can be bound to the slot
number such that: bucket = slot % num_buckets.

This both simplifies the logic and helps children maintenance per bucket in
threaded MPMs, where previously perform_idle_server_maintenance() could create
or kill children processes for the buckets it was not in charge of.

  1. … 5 more files in changeset.