Checkout Tools
  • last updated 28 mins ago
Constraints: committers
Constraints: files
Constraints: dates

Changeset 1788430 is being indexed.

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested

by wrowe.

  1. … 3 more files in changeset.
Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

  1. … 6 more files in changeset.
mod_ssl: follow up to r1781187.

The ssl_util_thread_*() functions are not necessary with openssl-1.1+

  1. … 1 more file in changeset.
mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.

  1. … 3 more files in changeset.
Remove calling ERR_remove_thread_state when

using OpenSSL 1.1.0.

This API is now a no-op in OpenSSL 1.1.0 and


Compatibility with OpenSSL 1.1.0 pre6.

mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,

allowing per backend TLS configuration.

  1. … 19 more files in changeset.
Support for OpenSSL 1.1.0:

- ERR_remove_thread_state() no longer has an


mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive

to opt-in previous behaviour (2.2) with CRLs verification when checking

certificate(s) with no corresponding CRL.

  1. … 6 more files in changeset.
mod_ssl: Don't lose track of the SSL context if the ssl_run_pre_handshake()

hook returns an error.

  1. … 1 more file in changeset.
Support for OpenSSL 1.1.0:

- mod_ssl

Look out for "XXX: OpenSSL 1.1.0:" for a few

open problems.

Not tested with test suite yet.

  1. … 7 more files in changeset.
* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.

Documentation to follow.

  1. … 3 more files in changeset.
Better illustrate the ordering of hook processing
mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any regnegotiation in presence of master connection
  1. … 3 more files in changeset.
moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl
  1. … 1 more file in changeset.
Support compilation against libssl built with OPENSSL_NO_SSL3,

and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",

in accordance with RFC 7568. PR 58349, PR 57120.

  1. … 7 more files in changeset.
Add support for extracting the msUPN and dnsSRV forms

of subjectAltName entries of type "otherName" into

SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment

variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the

environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the


* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which

currently recognizes the "msUPN" ( and

"id-on-dnsSRV" ( otherName forms, and

adapt modssl_X509_getSAN to take an optional otherName form

argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form

OID ( in OpenSSL's objects table

  1. … 5 more files in changeset.
new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2
  1. … 37 more files in changeset.
mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing

the OCSP response for a different certificate. mod_ssl has an additional

global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache

implementation which doesn't require it. (A further, unrelated

code change to mod_ssl is required to allow the use of memcache

as a stapling cache, and I haven't tested with distcache; thus

it isn't clear if this helps in practice yet.)

  1. … 5 more files in changeset.
mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,

and SSL_set_app_data2 from SSL_* to modssl_*. Update references in

README.dsov.* files. Rename static variable SSL_app_data2_idx to just

app_data2_idx since the symbol is internal to ssl_util_ssl.c.

  1. … 6 more files in changeset.
Formatting and wording improvements for ALPN (no code changes)

  1. … 5 more files in changeset.
Remove NPN support and focus on ALPN (RFC 7301)

* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop

modssl_register_npn optional function and related declarations.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):

no longer set NPN advertisement callback.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove

NPN handling.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):

remove callback.

* modules/ssl/ssl_private.h: remove NPN prototypes, set

HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.

Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.

Previous commits related to NPN and ALPN, for reference purposes:

r1332643 - Add support for TLS Next Protocol Negotiation

r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API

to avoid use of hooks API and inter-module hard linkage

r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set

r1670434 - More ALPN goodness

(plus some minor tweaks: r1670578, r1670440, r1670578,

r1670738, r1675459, and r1675549)

  1. … 10 more files in changeset.
More ALPN goodness

  1. … 3 more files in changeset.
ALPN support, based on mod_spdy/mod_h2 patch set

  1. … 4 more files in changeset.
Provide separate SSL_CT_*_STATUS variables for client vs. proxy

connections, courtesy of a new flag passed from mod_ssl on its

pre_connection "optional hook."

  1. … 4 more files in changeset.
Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets

(RFC 5077). Default is unchanged (on).

Using session tickets without restarting

the web server with an appropriate frequency

(e.g. daily) compromises perfect forward


As long as we do not have a nice key management

there should be a way to deactivate session


  1. … 4 more files in changeset.
* mod_ssl: call ERR_free_strings() with OpenSSL >= 0.9.8e. Fixes memory leak

in mod_ssl on graceful restart. PR 53435.

mod_ssl: Add hooks to allow other modules to perform processing at

several stages of initialization and connection handling. See


This is enough to allow implementation of Certificate Transparency

outside of mod_ssl.

  1. … 10 more files in changeset.
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.

  1. … 3 more files in changeset.
Remove SSLPKCS7CertificateFile support:

- was never documented, so very unlikely that it was ever used

- adds complexity without apparent benefit; PKCS#7 files can

be trivially converted to a file for use with SSLCertificateChainFile

(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)

- only supports PKCS7 files with PEM encoding, i.e. relies on a

non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)

- issues pointed out in

were never fully addressed (cf. r424707 and r424735)

- has never worked in vhost context due to a cfgMergeString

call missing from modssl_ctx_cfg_merge

  1. … 6 more files in changeset.