On the trunk:

mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity to find a better name.

On the trunk:

mod_ssl: reverting r1807709 (SSLEngine with addr:port spec) as a "seemed a good idea at the time" thing.

On the trunk:

mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies, just the basic "modern", "intermediate" and "old" as specified by Mozilla security.

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR 62112 [Ricardo Martin Camarero <rickyepoderi@yahoo.es>]

On the trunk:

mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour for new server config merge flag. Denying global, only once used directives inside a SSLPolicyDefine.

On the trunk:

mod_ssl: make the new module flag used.

mod_ssl: follow up to r1809302.

Make use of AP_MODULE_FLAG_ALWAYS_MERGE.

On the trunk:

mod_ssl: Extending SSLEngine to alternatively get a list of addr:port spec as used in VirtualHost.

On the trunk:

mod_ssl: adding SSLPolicy and SSLProxyPolicy directives plus documentation.

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested by wrowe.

Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

mod_ssl: follow up to r1781187.

The ssl_util_thread_*() functions are not necessary with openssl-1.1+

mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.

Remove calling ERR_remove_thread_state when using OpenSSL 1.1.0.

This API is now a no-op in OpenSSL 1.1.0 and deprecated.

Compatibility with OpenSSL 1.1.0 pre6.

mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections, allowing per backend TLS configuration.

Support for OpenSSL 1.1.0:

- ERR_remove_thread_state() no longer has an argument.

mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL.

mod_ssl: Don't lose track of the SSL context if the ssl_run_pre_handshake() hook returns an error.

Support for OpenSSL 1.1.0:

- mod_ssl

Look out for "XXX: OpenSSL 1.1.0:" for a few open problems.

Not tested with test suite yet.

* Introduce SSLOCSPProxyURL in order to do OCSP requests via an HTTP proxy.

Documentation to follow.

Better illustrate the ordering of hook processing

mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection

moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl

Support compilation against libssl built with OPENSSL_NO_SSL3, and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3", in accordance with RFC 7568. PR 58349, PR 57120.

Add support for extracting the msUPN and dnsSRV forms of subjectAltName entries of type "otherName" into SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and adapt modssl_X509_getSAN to take an optional otherName form argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing the OCSP response for a different certificate. mod_ssl has an additional global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache implementation which doesn't require it. (A further, unrelated code change to mod_ssl is required to allow the use of memcache as a stapling cache, and I haven't tested with distcache; thus it isn't clear if this helps in practice yet.)