CHANGES

mod_ssl: Log private key material to the file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.

* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.

* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.

PR: 63391
Github: closes #74

mod_proxy: Improve tunneling loop.

Support half-closed connections and pending data draining (for protocols like
rsync). PR 61616.

When reading on one side goes faster than writing on the other side, the output
filters chain may start buffering data and finally block, which will break
bidirectional tunneling for some protocols.

To avoid this, proxy_tunnel_run() now stops polling/reading until pending data
are drained, and recovers appropriately.

mod_proxy: Add proxy check_trans hook.

This allows proxy modules to decline request handling at an early stage.
Then mod_proxy_wstunnel can implement that hook to verify that an Upgrade
is requested, and otherwise hand over to mod_proxy_http.

update after backport of mod_md

*) mod_md v2.2.3:

- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
  had been additive before, which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else is configured. Code now behaves as
  documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential low-memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added an unwanted
  "transfer-encoding" to POST requests. This failed in direct communication with the
  Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing.

mod_proxy: factorize mod_proxy_{connect,wstunnel} tunneling code in proxy_util.

This commit adds struct proxy_tunnel_rec that contains the fields needed for a
poll() loop through the filters chains, plus functions ap_proxy_tunnel_create()
and ap_proxy_tunnel_run() to respectively initialize a tunnel and (re)start it.

Proxy connect and wstunnel modules now make use of this new API to avoid
duplicating logic and code.

mod_proxy_http: fix load-balancer fallback for requests with a body.

Since r1656259 (or r1656259 in 2.4.41) and the move of prefetch before connect,
the balancer fallback case where proxy_http_handler() is re-entered with the
next balancer member broke.

We need to save the body (partially) prefetched the first time and reuse it on
successive calls, otherwise we might forward a partial or empty body.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

update after backport of current mod_md

mod_proxy_http: Fix 100-continue deadlock for spooled request bodies. PR 63855.

Send "100 Continue", if needed, before fetching/blocking on the request body in
spool_reqbody_cl(), otherwise mod_proxy and the client can wait for each other,
leading to a request timeout (408).

While at it, make it so that ap_send_interim_response() uses the default status
line if none is set in r->status_line.

*) mod_md: Adding several new features.

The module offers an implementation of OCSP Stapling that can replace, fully or
for a limited set of domains, the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.

The URL for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.

The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example for applications that require it in different
locations or formats.

Honor "Accept-Encoding: foo;q=0" as per RFC 7231, which means 'foo' is "not acceptable". PR 58158
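The fix above concerns one rule of RFC 7231 §5.3.4: a listed coding with weight 0 is excluded, not preferred. As an added example (my own code, not httpd's header parser), the evaluator below implements that rule together with the rest of the section it sits in: coding names compare case-insensitively, an explicit entry beats a "*" entry, a coding that is neither listed nor covered by "*" is not acceptable, and identity is acceptable by default unless "identity;q=0" or "*;q=0" excludes it. The function names are hypothetical and the header values used for checking it are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive comparison of the n-byte token at `a` with C string `b`.
 * Content-coding names are case-insensitive (RFC 7231 section 3.1.2.1). */
static int token_eq_ci(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Parse the optional ";q=..." parameter in [p, end). A missing or
 * unparseable weight means the default of 1.0. */
static double parse_qvalue(const char *p, const char *end)
{
    while (p < end) {
        while (p < end && (*p == ';' || isspace((unsigned char)*p)))
            p++;
        if (end - p >= 2 && tolower((unsigned char)p[0]) == 'q' && p[1] == '=') {
            char buf[16] = {0};
            size_t n = 0;
            p += 2;
            while (p < end && n < sizeof buf - 1 &&
                   (isdigit((unsigned char)*p) || *p == '.'))
                buf[n++] = *p++;
            return n ? strtod(buf, NULL) : 1.0;
        }
        while (p < end && *p != ';')   /* skip any other parameter */
            p++;
    }
    return 1.0;
}

/* Effective weight that the Accept-Encoding field value `hdr` assigns to
 * `coding`: an explicit entry wins, then "*", then the default (identity is
 * acceptable unless excluded; anything else unlisted is not). */
double accept_encoding_q(const char *hdr, const char *coding)
{
    double explicit_q = -1.0, star_q = -1.0;
    const char *p = hdr;

    while (*p) {
        const char *end = strchr(p, ',');
        if (!end)
            end = p + strlen(p);
        const char *tok = p;
        while (tok < end && isspace((unsigned char)*tok))
            tok++;
        const char *tok_end = tok;
        while (tok_end < end && *tok_end != ';' && !isspace((unsigned char)*tok_end))
            tok_end++;
        size_t n = (size_t)(tok_end - tok);
        if (n > 0) {
            double q = parse_qvalue(tok_end, end);
            if (token_eq_ci(tok, n, coding))
                explicit_q = q;            /* "foo;q=0" lands here as 0.0 */
            else if (n == 1 && *tok == '*')
                star_q = q;
        }
        p = *end ? end + 1 : end;
    }
    if (explicit_q >= 0.0)
        return explicit_q;
    if (star_q >= 0.0)
        return star_q;
    return token_eq_ci(coding, strlen(coding), "identity") ? 1.0 : 0.0;
}

/* 1 if `coding` may be sent to this client, 0 if not. No header at all
 * (NULL) means any coding is acceptable. */
int coding_acceptable(const char *hdr, const char *coding)
{
    if (hdr == NULL)
        return 1;
    return accept_encoding_q(hdr, coding) > 0.0;
}
```

Treating "foo;q=0" as a match with weight 1.0, as the pre-fix behaviour effectively did, sends a client a coding it asked not to receive; the weight has to be carried through to the decision rather than dropped at the token match.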
Fix pool concurrency problems

Create a subpool of the connection pool for worker scoped DNS resolutions.
This is needed to avoid race conditions in using the connection pool by multiple
threads during ramp up.

Recheck after obtaining the lock if we still need to do things or if they
were already done by another thread while we were waiting on the lock.

* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker
scoped DNS resolutions and use it.

* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to
struct proxy_conn_pool.

* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that
worker->cp->addr is volatile in this location of the code.

PR: 63503

Fix an issue on Windows where <IfFile> looks for a file on a non-existent drive (on a USB key that is not plugged in, for example)

Issue reported by Heather Lotz <knot22 hotmail.com>

PR63688 balancer csrf problems

fix case-sensitive referer check

Submitted By: Armin Abfalterer

Increase the maximum length of strings that can be cached by the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]

*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
for a domain managed by mod_md caused a startup error. This happened when mod_md installed
its fallback certificate, before it got the first real certificate from Let's Encrypt.

set PCRE_DOTALL by default

Submitted by ylavic

remove request details from error documents

*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as a possible trigger for throttling.

update after mod_md backport

*) mod_http2/mpm_event: Fixes the behaviour when an HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

* All backported

* Backported in r1862410

*) mod_ssl/mod_md:
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
the same behaviour as before.

*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.

*) mod_md: bringing over v2.0.6 from github.

- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
  unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
  Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
  'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
  shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
  announcement by Let's Encrypt:
  https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

*) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502.
