
*) mod_md: Adding several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.
The URL for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.

  1. … 50 more files in changeset.
Honor "Accept-Encoding: foo;q=0" as per RFC 7231; which means 'foo' is "not acceptable". PR 58158
  1. … 2 more files in changeset.
Fix pool concurrency problems

Create a subpool of the connection pool for worker scoped DNS resolutions.
This is needed to avoid race conditions in using the connection pool by multiple
threads during ramp up.

Recheck after obtaining the lock if we still need to do things or if they
were already done by another thread while we were waiting on the lock.

* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker
scoped DNS resolutions and use it.

* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to
struct proxy_conn_pool.

* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that
worker->cp->addr is volatile in this location of the code.

PR: 63503

  1. … 4 more files in changeset.
Fix an issue on Windows where <IfFile> looks for a file on a non-existent drive (on a USB key that is not plugged for example)

Issue reported by Heather Lotz <knot22>

  1. … 1 more file in changeset.
PR63688 balancer csrf problems

fix case-sensitive referer check

Submitted By: Armin Abfalterer

  1. … 1 more file in changeset.
Increase the maximum length of strings that can be cached by the module from 100 to 256. PR 62149 [<thorsten.meinl>]
  1. … 1 more file in changeset.
*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
for a domain managed by mod_md caused a startup error. This happened when mod_md installed
its fallback certificate, before it got the first real certificate from Let's Encrypt.

  1. … 1 more file in changeset.
set PCRE_DOTALL by default

Submitted by ylavic

  1. … 2 more files in changeset.
remove request details from error documents

  1. … 4 more files in changeset.
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  1. … 1 more file in changeset.
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as possible trigger for throttling.

  1. … 5 more files in changeset.
update after mod_md backport
*) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  1. … 3 more files in changeset.
* All backported
* Backported in r1862410
*) mod_ssl/mod_md:
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.

  1. … 3 more files in changeset.
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.

  1. … 4 more files in changeset.
*) mod_md: bringing over v2.0.6 from github.
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
  unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
  Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
  'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
  shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
  announcement by Let's Encrypt:

  1. … 48 more files in changeset.
mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.


  1. … 2 more files in changeset.
*) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502.

  1. … 3 more files in changeset.
* modules/http2: reverting r1859724, as no good.

  1. … 22 more files in changeset.
*) mod_http2: internal code cleanups and simplifications. Common output code for
h2 and h2c protocols, using nested mutex locks for simplified calls. [Stefan Eissing]

  1. … 23 more files in changeset.
mod_proxy/ssl: Proxy SSL client certificate
configuration and other proxy SSL configurations
broken inside <Proxy> context.

PR 63430

Triggered by r1855646+r1855748.

Patch from rpluem (proxy) and ylavic (ssl).

  1. … 2 more files in changeset.
Follow up to r1857129: CHANGES entry.
PR63305: fix graceful restart crashes in LDAP

The cache destruction was not protected by the lock used by other
cache callers.

Pull the static cleanup function into util_ldap.c so it's convenient to
use the existing locking.

Submitted By: Martin Fúsek <mfusek>

Committed By: covener

  1. … 2 more files in changeset.
mod_cache: Fix parsing of quoted Cache-Control token arguments. PR 63288.

Make cache_strqtok() return both the token and its unquoted argument (if any),
or an error if the parsing fails.

Cache-Control integer values (max-age, max-stale, ...) can then be parsed w/o
taking care of the (optional) quoting.

Suggested by: fielding

  1. … 3 more files in changeset.
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes <>. [Stefan Eissing]

  1. … 2 more files in changeset.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail>

  1. … 1 more file in changeset.
*) mod_md: Explicitly setting file permissions to break out of umasks. We want our
non-privileged apache user to be able to read them. See github issue
<>. [Stefan Eissing]

  1. … 1 more file in changeset.
Merge consecutive slashes in the URL by default

opt-out w/ `MergeSlashes OFF`.

  1. … 7 more files in changeset.