CHANGES

*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.

  1. … 7 more files in changeset.
PR63971 expose apr_table_unset for headers/envvars

via nil assignment

  1. … 1 more file in changeset.
*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the

ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`

always `on`, irregardless of configuration. Found and reported by

<Armin.Abfalterer@united-security-providers.ch> and

<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

*) mod_http2: Multiple field length violations in the same request no longer cause

several log entries to be written. [@mkauf]

  1. … 4 more files in changeset.
*) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in

the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"

is configured explicitly (related to #133). [@mkauf, Stefan Eissing]

  1. … 3 more files in changeset.
* Fix another typo
Fix some typos in CHANGES file.

None of these typos seem to be part of 2.4.x.

mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the

environment, using the standard format which can be parsed by (e.g.)

wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.

* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if

SSLKEYLOGFILE is set in the environment.

(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.

* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):

New function.

PR: 63391

Github: closes #74

  1. … 5 more files in changeset.
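An added example, not part of the commit or of mod_ssl: a C check that recognizes records in the key log format the commit above refers to, so that stray files holding TLS session secrets can be found during an audit. The label list and field lengths follow the NSS key log format; the function names and the sample buffer are constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Record labels of the NSS key log format (TLS 1.2 and TLS 1.3). */
static const char *const LABELS[] = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
};
/* Constructed sample, not real key material: two records, one truncated. */
#define H32 "00112233445566778899aabbccddeeff"
static const char SAMPLE[] =
    "# constructed sample\n"
    "CLIENT_RANDOM " H32 H32 " " H32 H32 H32 "\n"
    "SERVER_TRAFFIC_SECRET_0 " H32 H32 " " H32 H32 "\n"
    "CLIENT_RANDOM " H32 H32 " abcd\n";

/* Length of the run of hex digits at the start of s. */
static size_t hex_run(const char *s)
{
    size_t n = 0;
    while (isxdigit((unsigned char)s[n])) n++;
    return n;
}

/* 1 if line is "<label> <64 hex client random> <64 or 96 hex secret>". */
int is_keylog_line(const char *line)
{
    size_t i, n;
    for (i = 0; i < sizeof(LABELS) / sizeof(LABELS[0]); i++) {
        size_t len = strlen(LABELS[i]);
        if (strncmp(line, LABELS[i], len) != 0 || line[len] != ' ') continue;
        line += len + 1;
        if (hex_run(line) != 64 || line[64] != ' ') return 0;
        line += 65;
        n = hex_run(line);            /* secrets are 32 or 48 bytes long */
        if (n != 64 && n != 96) return 0;
        return line[n] == '\0' || line[n] == '\n' || line[n] == '\r';
    }
    return 0;
}

/* Count key log records in a NUL-terminated buffer, e.g. a file's text. */
size_t count_keylog_records(const char *buf)
{
    size_t hits = 0;
    for (; *buf; buf += strcspn(buf, "\n"), buf += (*buf == '\n'))
        hits += (size_t)is_keylog_line(buf);
    return hits;
}
int main(void) { return count_keylog_records(SAMPLE) == 2 ? 0 : 1; }
```

A non-zero count for a file outside the path the administrator configured is worth investigating, since each record lets a holder of a matching packet capture decrypt that session.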
mod_proxy: Improve tunneling loop.

Support half closed connections and pending data draining (for protocols like

rsync). PR 61616.

When reading on one side goes faster than writing on the other side, the output

filters chain may start buffering data and finally block, which will break

bidirectional tunneling for some protocols.

To avoid this, proxy_tunnel_run() now stops polling/reading until pending data

are drained, and recovers appropriately.

  1. … 5 more files in changeset.
mod_proxy: Add proxy check_trans hook.

This allows proxy modules to decline request handling at early stage.

Then mod_proxy_wstunnel can implement that hook to verify that an Upgrade

is requested, and otherwise hand over to mod_proxy_http.

  1. … 4 more files in changeset.
update after backport of mod_md
*) mod_md v2.2.3:

- Configuring MDCAChallenges replaces any previous existing challenge configuration. It

had been additive before which was not the intended behaviour. [@mkauf]

- Fixing order of ACME challenges used when nothing else configured. Code now behaves as

documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.

- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].

- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted

"transfer-encoding" to POST requests. This failed in direct communication with

Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing.

  1. … 6 more files in changeset.
mod_proxy: factorize mod_proxy_{connect,wstunnel} tunneling code in proxy_util.

This commit adds struct proxy_tunnel_rec that contains the fields needed for a

poll() loop through the filters chains, plus functions ap_proxy_tunnel_create()

and ap_proxy_tunnel_run() to respectively initialize a tunnel and (re)start it.

Proxy connect and wstunnel modules now make use of this new API to avoid

duplicating logic and code.

  1. … 6 more files in changeset.
mod_proxy_http: fix load-balancer fallback for requests with a body.

Since r1656259 (or r1656259 in 2.4.41) and the move of prefetch before connect,

the balancer fallback case where proxy_http_handler() is re-entered with the

next balancer member broke.

We need to save the body (partially) prefetched the first time and reuse it on

successive calls, otherwise we might forward partial or empty body.

  1. … 1 more file in changeset.
mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

  1. … 1 more file in changeset.
update after backport of current mod_md
mod_proxy_http: Fix 100-continue deadlock for spooled request bodies. PR 63855.

Send "100 Continue", if needed, before fetching/blocking on the request body in

spool_reqbody_cl(), otherwise mod_proxy and the client can wait for each other,

leading to a request timeout (408).

While at it, make it so that ap_send_interim_response() uses the default status

line if none is set in r->status_line.

  1. … 2 more files in changeset.
*) mod_md: Adding several new features.

The module offers an implementation of OCSP Stapling that can replace fully or

for a limited set of domains the existing one from mod_ssl. OCSP handling

is part of mod_md's monitoring and message notifications. It can be used

for sites that do not have ACME certificates.

The url for a CTLog Monitor can be configured. It is used in the server-status

to link to the external status page of a certificate.

The MDMessageCmd is called with argument "installed" when a new certificate

has been activated on server restart/reload. This allows for processing of

the new certificate, for example to applications that require it in different

locations or formats.

  1. … 50 more files in changeset.
Honor "Accept-Encoding: foo;q=0" as per RFC 7231; which means 'foo' is "not acceptable". PR 58158
  1. … 2 more files in changeset.
Fix pool concurrency problems

Create a subpool of the connection pool for worker scoped DNS resolutions.

This is needed to avoid race conditions in using the connection pool by multiple

threads during ramp up.

Recheck after obtaining the lock if we still need to do things or if they

were already done by another thread while we were waiting on the lock.

* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker

scoped DNS resolutions and use it.

* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to

struct proxy_conn_pool.

* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that

worker->cp->addr is volatile in this location of the code.

PR: 63503

  1. … 4 more files in changeset.
Fix an issue on Windows where <IfFile> looks for a file on a non-existent drive (on a USB key that is not plugged for example)

Issue reported by Heather Lotz <knot22 hotmail.com>

  1. … 1 more file in changeset.
PR63688 balancer csrf problems

fix case-sensitive referer check

Submitted By: Armin Abfalterer

  1. … 1 more file in changeset.
Increase the maximum length of strings that can be cached by the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
  1. … 1 more file in changeset.
*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration

for a domain managed by mod_md caused a startup error. This happened when mod_md installed

its fallback certificate, before it got the first real certificate from Let's Encrypt.

  1. … 1 more file in changeset.
set PCRE_DOTALL by default

Submitted by ylavic

  1. … 2 more files in changeset.
remove request details from error documents

  1. … 4 more files in changeset.
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on

merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  1. … 1 more file in changeset.
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection

throttling was in place. Stream resets by clients on streams initiated by them

are counted as possible trigger for throttling.

  1. … 5 more files in changeset.
update after mod_md backport
*) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing

more to write with streams ongoing (flow control block). The timeout waiting

for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not

Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  1. … 3 more files in changeset.
* All backported