On the trunk:

mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
for new server config merge flag. Denying global, only once used directives
inside a SSLPolicyDefine.

… 6 more files in changeset.

On the trunk:

mod_ssl: make the new module flag used.

mod_ssl: follow up to r1809302.

… 1 more file in changeset.

On the trunk:

mod_ssl: Extending SSLEngine to alternatively get a list of add:port spec as used in VirtualHost.

… 5 more files in changeset.

On the trunk:

mod_ssl: adding SSLPolicy and SSLProxyPolicy directives plus documentation.

… 6 more files in changeset.

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd>
Reviewed by: ylavic

… 9 more files in changeset.
mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP
is defined. PR 61206.

Submitted by: Michael Schlenker <msc>

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.

… 3 more files in changeset.

Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

… 6 more files in changeset.

mod_ssl: follow up to r1781187.

The ssl_util_thread_*() functions are not necessary with openssl-1.1+

… 1 more file in changeset.

mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.

… 3 more files in changeset.

Remove calling ERR_remove_thread_state when
using OpenSSL 1.1.0.

This API is now a no-op in OpenSSL 1.1.0 and

Compatibility with OpenSSL 1.1.0 pre6.

mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.

… 19 more files in changeset.
Support for OpenSSL 1.1.0:

- ERR_remove_thread_state() no longer has an

mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive
to opt-in previous behaviour (2.2) with CRLs verification when checking
certificate(s) with no corresponding CRL.

… 6 more files in changeset.

mod_ssl: Don't lose track of the SSL context if the ssl_run_pre_handshake()
hook returns an error.

… 1 more file in changeset.

Support for OpenSSL 1.1.0:

- mod_ssl

Look out for "XXX: OpenSSL 1.1.0:" for a few
open problems.

Not tested with test suite yet.

… 7 more files in changeset.

* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.

Documentation to follow.

… 3 more files in changeset.
Better illustrate the ordering of hook processing

mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection

… 3 more files in changeset.

moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl

… 1 more file in changeset.
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

… 7 more files in changeset.

Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" ( and
  "id-on-dnsSRV" ( otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID ( in OpenSSL's objects table

… 5 more files in changeset.

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

… 37 more files in changeset.
mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it. (A further, unrelated
code change to mod_ssl is required to allow the use of memcache
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

… 5 more files in changeset.

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

… 6 more files in changeset.

Formatting and wording improvements for ALPN (no code changes)

… 5 more files in changeset.

Remove NPN support and focus on ALPN (RFC 7301)

* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
  modssl_register_npn optional function and related declarations.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
  no longer set NPN advertisement callback.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
  NPN handling.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
  remove callback.

* modules/ssl/ssl_private.h: remove NPN prototypes, set
  HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.

Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.

Previous commits related to NPN and ALPN, for reference purposes:

r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
           to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness
(plus some minor tweaks: r1670578, r1670440, r1670578,
r1670738, r1675459, and r1675549)

… 10 more files in changeset.

More ALPN goodness

… 3 more files in changeset.