Jim Jagielski

reflow

Backported to 2.4.x

Backported

Merge r1876616 from trunk:

*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.

PR64330

Submitted by: icing

Reviewed by: steffenal, rpluem, gbechis, jim

Merge r1877783 from trunk:

*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout

was configured with a handshake timeout. Fixes github issue #196.

Submitted by: icing

Reviewed by: icing, steffenal, rpluem

Merge r1876548 from trunk:

mod_ssl: Fix memory leak in stapling code. PR63687.

Free issuer's X509 in ssl_stapling_init_cert()'s early return paths.

Submitted by: icing

Submitted by: ylavic

Reviewed by: gbechis, jorton, icing

Votes

Merge r1876540 from trunk:

PR64295 cannot override default Virtualhost's mod_reqtimeout

Of course only body=n can work; the headers have to be parsed to get the virtualhost.

Submitted by: jfclere

Reviewed by: jailletc36, rpluem, jim

Merge r1876484, r1876493 from trunk:

PR64313 htcacheclean: Empty directories in CacheRoot are still present even after using "-t"

* Whitespace style fixes. No functional change.

Submitted by: jfclere, rpluem

Reviewed by: jailletc36, rpluem, jim

Merge r1783041 from trunk:

default_handler: cleanup output brigade before leaving.

Submitted by: ylavic

Reviewed by: jailletc36, rpluem, jim

Merge r1534995, r1560482, r1728779, r1805491, r1861528, r1868016, r1874470, r1874602, r1875769, r1875811 from trunk:

don't ignore some apr_procattr failures (clang scan-build)

doxygen improvements

Standardize order of "extern" and XXX_DECLARE_YYY.

Fix some compilation warning when MIME_MAGIC_DEBUG is defined.

warning: format ‘%x’ expects argument of type ‘unsigned int’, but argument <n> has type ‘<something> *’ [-Wformat=]

style: cmd_rec at the bottom

no functional change

Fix a typo in a message.

Reported and fixed by Christian Bartolomäus (bartolin gmx.de)

PR 63806

malloc -> ap_malloc

bz #63967

Slightly simplify code.

No need to set to NULL or 0 fields that are apr_pcalloc'ed.

Axe 'set_cookie_enable' and use 'ap_set_flag_slot' instead.

(based on ideas taken from r1874389)

Parentheses around AP_BUCKET_IS_EOR argument.

Fix a typo

Submitted by: trawick, rjung, jailletc36, covener, jailletc36, gbechis, jailletc36, ylavic, jailletc36

Reviewed by: jailletc36, gbechis, jim

and promote

votes

2.4.42 was DOA

Merge r1874689 from trunk:

*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request

identifier under load, see <https://github.com/icing/mod_h2/issues/195>.

[Michael Kaufmann, Stefan Eissing]

Submitted by: icing

Reviewed by: icing, ylavic, jim

Merge r1874616 from trunk:

PR64140: Allow %{Content-Type} in health check expressions

Submitted By: Renier Velazco <renier.velazco upr.edu>

Committed By: covener

Github: closes #97

Submitted by: covener

Reviewed by: covener, ylavic, jim

Merge r1874424 from trunk:

PR64172: drop severity of AH01666

Submitted by: covener

Reviewed by: covener, ylavic, jim

promote

provide votes

some votes

xforms

Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at

the earliest connection stage, we can switch the SSL_CTX of the SSL connection

early enough for OpenSSL to take into account the protocol configuration of the

vhost.

In other words:

SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)

followed by:

SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))

works as expected at this stage (while the same from the SNI callback is

ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback

is not as easy as calling SSL_get_servername() though, we have to work with

the raw TLS extensions helpers provided by OpenSSL. I stole this code from a

test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in

test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL

versions earlier than 1.1.1 now), and pass it the extracted SNI.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which

depends on its return value (OK/NOACK), mainly on session resumption, for

SSL_get_servername() to consider or ignore the SNI (returning NULL thus

making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists

in the configured vhosts, even when it's called multiple times (e.g. first

from ClientHello callback and then from SNI callback), so save that state in

sslconn->vhost_found and reuse it.

mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost

selected by Hello/SNI callback.

mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic

Reviewed by: ylavic, minfrin, jim
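The commit above notes that, in the ClientHello callback, the SNI has to be pulled out of the raw server_name extension bytes rather than via SSL_get_servername(). The following is an added example (not httpd's or OpenSSL's code) of that extraction step: a bounds-checked parser for the server_name extension payload as laid out in RFC 6066, with a constructed well-formed sample and a constructed malformed one whose declared name length overruns the payload.

```c
/* Added example, not httpd's code: parse the raw server_name (SNI)
 * extension payload of a TLS ClientHello (RFC 6066, section 3), the data
 * a ClientHello callback gets from OpenSSL's raw extension helpers.
 * Every length field is checked against the payload before it is trusted. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Copies the host_name entry into out (NUL-terminated).
 * Returns the name length, or -1 if the payload is malformed, contains no
 * host_name, or the name does not fit in out. */
int sni_extract_hostname(const uint8_t *ext, size_t ext_len,
                         char *out, size_t out_len)
{
    size_t list_len, pos;

    if (ext_len < 2)
        return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2)          /* list must fill the payload */
        return -1;

    pos = 2;
    while (pos + 3 <= ext_len) {
        uint8_t name_type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > ext_len - pos)     /* name runs past the payload */
            return -1;
        if (name_type == 0) {             /* NameType 0 == host_name */
            if (name_len == 0 || name_len >= out_len)
                return -1;
            if (memchr(ext + pos, '\0', name_len) != NULL)
                return -1;                /* embedded NUL is not a hostname */
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return (int)name_len;
        }
        pos += name_len;                  /* skip unknown name types */
    }
    return -1;                            /* no host_name entry found */
}

/* Constructed sample: ServerNameList with a single host_name "example.org". */
const uint8_t sample_sni_ext[] = {
    0x00, 0x0e,                           /* server_name_list length = 14 */
    0x00,                                 /* name_type = host_name */
    0x00, 0x0b,                           /* host_name length = 11 */
    'e','x','a','m','p','l','e','.','o','r','g'
};
const size_t sample_sni_ext_len = sizeof(sample_sni_ext);

/* Constructed malformed sample: declared host_name length (255) exceeds payload. */
const uint8_t sample_sni_ext_bad[] = { 0x00, 0x04, 0x00, 0x00, 0xff, 'a' };
const size_t sample_sni_ext_bad_len = sizeof(sample_sni_ext_bad);
```

The returned name is what would then be handed to init_vhost() for vhost selection; a -1 result corresponds to the case where no SNI is available and the base server's configuration stays in effect.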

Merge r1873748 from trunk:

factor out TE=chunked checking

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873747 from trunk:

factor out default regex flags

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873745 from trunk:

trap bad FTP responses

Submitted by: covener

Reviewed by: covener, minfrin, jorton

promote

test and vote

Merge r1871810 from trunk:

*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.

Submitted by: icing

Reviewed by: icing, jim, steffenal

Merge r1872455 from trunk:

add r/o iterable tables

The current apr tables exposed support get/set, but we cannot get the keys

or iterate. Add _table() alternatives.

Submitted by: covener

Reviewed by: covener, jim, humbedooh

Merge r1870650 from trunk:

PR63971 expose apr_table_unset for headers/envvars

via nil assignment

Submitted by: covener

Reviewed by: covener, jim, humbedooh