summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Pass NULL instead of a "null ACL"Eric Covener2021-04-213-54/+2
| | | | | | | | Submitted By: Ivan Zhakov git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889037 13f79535-47bb-0310-9956-ffa450edef68
* legacy default slash-matching behavior w/ 'MergeSlashes OFF'Eric Covener2021-04-211-3/+16
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68
* core/ap_ssl_*: changes after review by rpluemStefan Eissing2021-04-2016-79/+73
| | | | | | | | | | | | | | | - removed no longer needed (char*) casts when looking up ssl variables. - move 'goto cleanup;' on separate source line - fixed check for wrong optional function in ap_run_ssl_var_lookup - remove ap_bytes_t again from httpd.h and passes now ocsp identifier as separate const char* and apr_size_t. This follows more how such data is passed in the rest of the server. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889009 13f79535-47bb-0310-9956-ffa450edef68
* Fix some typosChristophe Jaillet2021-04-191-3/+3
| | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888963 13f79535-47bb-0310-9956-ffa450edef68
* Fix some typosChristophe Jaillet2021-04-191-3/+3
| | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888959 13f79535-47bb-0310-9956-ffa450edef68
* Fix a typoChristophe Jaillet2021-04-191-1/+1
| | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888958 13f79535-47bb-0310-9956-ffa450edef68
* Fix a typoChristophe Jaillet2021-04-191-1/+1
| | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888955 13f79535-47bb-0310-9956-ffa450edef68
* Add a change entryChristophe Jaillet2021-04-181-1/+2
| | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888925 13f79535-47bb-0310-9956-ffa450edef68
* fix StrictHostCheck crash w/ HTTP/1.0Eric Covener2021-04-171-1/+1
| | | | | | | | not released git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888871 13f79535-47bb-0310-9956-ffa450edef68
* server/protocol.c: remove old hooks links that had been moved to server/ssl.cStefan Eissing2021-04-131-5/+0
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888729 13f79535-47bb-0310-9956-ffa450edef68
* mod_md: fixed a conversion warning, bumped version number.Stefan Eissing2021-04-132-3/+3
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888726 13f79535-47bb-0310-9956-ffa450edef68
* update the damn log tags.Stefan Eissing2021-04-132-3/+3
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888724 13f79535-47bb-0310-9956-ffa450edef68
* *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. ↵Stefan Eissing2021-04-1316-183/+515
| | | | | | | | | | | | | | | | | | | | | | | | | | | This allows modules to access and provide OCSP response data without being tied of each other. The data is exchanged in standard, portable formats (PEM encoded certificates and DER encoded responses), so that the actual SSL/crypto implementations used by the modules are independant of each other. Registration and retrieval happen in the context of a server (server_rec) which modules may use to decide if they are configured for this or not. The area of changes: 1. core: defines 2 functions in include/http_ssl.h, so that modules may register a certificate, together with its issuer certificate for OCSP response provisioning and ask for current response data (DER bytes) later. Also, 2 hooks are defined that allow modules to implement this OCSP provisioning. 2. mod_ssl uses the new functions, in addition to what it did already, to register its certificates this way. If no one is interested in providing OCSP, it falls back to its own (if configured) stapling implementation. 3. mod_md registers itself at the core hooks for OCSP provisioning. Depending on configuration, it will accept registrations of its own certificates only, all certficates or none. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
* max_attempts_set needs to be set too.Jean-Frederic Clere2021-04-081-0/+1
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888518 13f79535-47bb-0310-9956-ffa450edef68
* fr doc rebuild.Lucien Gentis2021-04-022-3/+9
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888303 13f79535-47bb-0310-9956-ffa450edef68
* fr doc XML files updates.Lucien Gentis2021-04-022-5/+11
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888302 13f79535-47bb-0310-9956-ffa450edef68
* Apply CHANGES. [skip ci]Yann Ylavic2021-04-018-21/+26
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888270 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1888266, r1888268: fix PR in CHANGES entry.Yann Ylavic2021-04-011-1/+1
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888269 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1888266: CHANGES entry.Yann Ylavic2021-04-011-0/+3
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888268 13f79535-47bb-0310-9956-ffa450edef68
* mod_socache_shmcb: be safe from socache_shmcb_destroy() late call.Yann Ylavic2021-04-011-3/+18
| | | | | | | | | | | | | | | | | | | | | | | | | ssl_init_Module() in post_config early registers ssl_init_ModuleKill(), which will then run after all the next cleanups registered later in post_config, thus any shm_cleanup() registered from ssl_scache_init::socache_shmcb_init(). This can cause a double SHM cleanup when apr_shm_destroy() is called from ssl_init_ModuleKill() as pconf is cleared. Fix this in mod_socache_shmcb by registering a socache_shmcb_cleanup() after the SHM is created, and by letting socache_shmcb_destroy() run the cleanup, such that shm_cleanup() is always and ever called only once. Ideally apr_shm_create() would be consistent accross platforms to register its shm_cleanup() on the pool but that's not the case for now (I'm on it), so httpd has to call apr_shm_destroy() explicitely from several places (we'll be able to remove ssl_scache_kill() and other similar cleanups once the minimal APR version required by httpd is fixed..). We could also fix this by registering ssl_init_ModuleKill() late(r) in ssl_init_Module(), though the more robust mod_socache_shmcb the better for all the modules.. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888266 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_http2: Fixed a race condition that could lead to streams beingStefan Eissing2021-03-265-9/+20
| | | | | | | | aborted (RST to the client), although a response had been produced. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888087 13f79535-47bb-0310-9956-ffa450edef68
* Fixing mod_lua to use new http_ssl.h header file as well.Stefan Eissing2021-03-261-0/+1
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888084 13f79535-47bb-0310-9956-ffa450edef68
* *) core: provide ap_ssl_* functions in new http_ssl.h header file.Stefan Eissing2021-03-2623-261/+391
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888083 13f79535-47bb-0310-9956-ffa450edef68
* mod_md: make certain that the post config after ssl part runs really late.Stefan Eissing2021-03-242-4/+4
| | | | | | | | bumped version number. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888006 13f79535-47bb-0310-9956-ffa450edef68
* drive home the purpose of forward-dnsEric Covener2021-03-241-2/+2
| | | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888004 13f79535-47bb-0310-9956-ffa450edef68
* pull in forward-dns example from authz_hostEric Covener2021-03-241-0/+5
| | | | | | | | lots of people miss it reading the doc for Require in authz_core only git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888002 13f79535-47bb-0310-9956-ffa450edef68
* Make sure that conn->keepalive is NOT reset after being set in ↵Jean-Frederic Clere2021-03-242-6/+1
| | | | | | ap_read_request(). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887999 13f79535-47bb-0310-9956-ffa450edef68
* Resolving gcc's "error: too many arguments for format ↵Stefan Eissing2021-03-241-1/+1
| | | | | | [-Werror=format-extra-args]". git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887993 13f79535-47bb-0310-9956-ffa450edef68
* Fixing trace logging printf to have the correct args now that we number certs.Stefan Eissing2021-03-231-3/+2
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887965 13f79535-47bb-0310-9956-ffa450edef68
* mod_md:Stefan Eissing2021-03-2211-122/+156
| | | | | | | | | - MDCertificateFile and MDCertificateKeyFile can now be specified several times to add multiple, static certificates to a MDomain. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887923 13f79535-47bb-0310-9956-ffa450edef68
* fr doc rebuild.Lucien Gentis2021-03-2016-23/+20
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887850 13f79535-47bb-0310-9956-ffa450edef68
* fr doc XML file updates.Lucien Gentis2021-03-203-81/+75
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887849 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Add base64-encoded DER certificate variables as alternativeJoe Orton2021-03-195-36/+79
| | | | | | | | | | | | | | | | | | | | | | | | | | | | to PEM, to avoid newline mangling issues when using PEM in header values. * modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant. * modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data): New function, replacing ssl_var_lookup_ssl_cert_PEM. (ssl_var_lookup_ssl): Use it, and add _B64CERT variants of SSL_{CLIENT,SERVER}_CERT. (ssl_var_lookup_ssl_cert_chain): Use it. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support "ExportBase64CertData" argument. * modules/ssl/ssl_engine_kernel.c (extract_to_env): New function. (ssl_hook_Fixup): Use it, also export _B64CERT variables if SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain handling. PR: 65169 Reviewed by: michaelo Github: closes #177 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68
* * modules/generators/mod_cgid.c (cgid_server): Register cleanup forJoe Orton2021-03-161-3/+3
| | | | | | | | socket earlier to avoid possible leaks on error paths. (highlighted by Coverity scan) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887727 13f79535-47bb-0310-9956-ffa450edef68
* * modules/proxy/proxy_util.c (ap_proxy_define_balancer):Joe Orton2021-03-161-0/+2
| | | | | | | Fix leak in error path in the do_malloc case, caught by covscan. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887720 13f79535-47bb-0310-9956-ffa450edef68
* Axe modules.apache.org.Christophe Jaillet2021-03-143-9/+3
| | | | | | | | It has been off-line for a long time now, and there is no plan to bring it up, AFAIK. [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887636 13f79535-47bb-0310-9956-ffa450edef68
* * build/config_vars.sh.in: Improve comment language, no functional change.Joe Orton2021-03-111-1/+2
| | | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887480 13f79535-47bb-0310-9956-ffa450edef68
* Fix the fixed timeout, thanks Rüdiger.Jean-Frederic Clere2021-03-101-6/+17
| | | | | | | And set the current_thread of the connection. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887439 13f79535-47bb-0310-9956-ffa450edef68
* Add CPING to health check logic.Jean-Frederic Clere2021-03-104-1/+63
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887415 13f79535-47bb-0310-9956-ffa450edef68
* Using the new ap_ssl_conn_is_ssl() and ap_ssl_var_lookup() in all internal ↵Stefan Eissing2021-03-0912-124/+32
| | | | | | | | | | | | modules. * leaving mod_nw_ssl and mod_ssl itself untouched * removing mod_ssl.h includes where no longer necessary * some modules might skip post_config hooks, but those were left in, even when empty now. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887364 13f79535-47bb-0310-9956-ffa450edef68
* lets try ASN1_STRING_data() for openssl 1.0.2Stefan Eissing2021-03-091-2/+4
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887360 13f79535-47bb-0310-9956-ffa450edef68
* Use an optional function as adviced by Rüdiger.Jean-Frederic Clere2021-03-092-2/+12
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887359 13f79535-47bb-0310-9956-ffa450edef68
* refrain from handling ip address alt names in pre 1.1 opensslStefan Eissing2021-03-081-4/+2
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887343 13f79535-47bb-0310-9956-ffa450edef68
* Use ASN1_STRING_data() if openssl verison < 1.1.Stefan Eissing2021-03-081-0/+4
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887342 13f79535-47bb-0310-9956-ffa450edef68
* log tags, my nemesisStefan Eissing2021-03-082-2/+2
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887340 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_md: v2.4.0 with improvements and bugfixesStefan Eissing2021-03-0848-1275/+2254
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - MDPrivateKeys allows the specification of several types. Beside "RSA" plus optional key lengths elliptic curves can be configured. This means you can have multiple certificates for a Managed Domain with different key types. With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA certificate and all modern client will use the shorter ECDSA, while older client will get the RSA certificate. Many thanks to @tlhackque who pushed and helped on this. - Support added for MDomains consisting of a wildcard. Configuring ```MDomain *.host.net``` will match all virtual hosts matching that pattern and obtain one certificate for it (assuming you have 'dns-01' challenge support configured). Addresses #239. - Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt which has disabled that version more than a year ago for new accounts. - Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the ```renewing``` call to ```MDMessageCmd``` that can deny a certificate renewal attempt. This is useful in clustered installations, as discussed in #233). - New event ```challenge-setup:<type>:<domain>```, triggered when the challenge data for a domain has been created. This is invoked before the ACME server is told to check for it. The type is one of the ACME challenge types. This is invoked for every DNS name in a MDomain. - The max delay for retries has been raised to daily (this is like all retries jittered somewhat to avoid repeats at fixed time of day). - Certain error codes reported by the ACME server that indicate a problem with the configured data now immediately switch to daily retries. For example: if the ACME server rejects a contact email or a domain name, frequent retries will most likely not solve the problem. But daily retries still make sense as there might be an error at the server and un-supervised certificate renewal is the goal. Refs #222. - Test case and work around for domain names > 64 octets. Fixes #227. When the first DNS name of an MD is longer than 63 octets, the certificate request will not contain a CN field, but leave it up to the CA to choose one. Currently, Lets Encrypt looks for a shorter name in the SAN list given and fails the request if none is found. But it is really up to the CA (and what browsers/libs accept here) and may change over the years. That is why the decision is best made at the CA. - Retry delays now have a random +/-[0-50]% modification applied to let retries from several servers spread out more, should they have been restarted at the same time of day. - Fixed several places where the 'badNonce' return code from an ACME server was not handled correctly. The test server 'pebble' simulates this behaviour by default and helps nicely in verifying this behaviour. Thanks, pebble! - Set the default `MDActivationDelay` to 0. This was confusing to users that new certificates were deemed not usably before a day of delay. When clocks are correct, using a new certificate right away should not pose a problem. - When handling ACME authorization resources, the module no longer requires the server to return a "Location" header, as was necessary in ACMEv1. Fixes #216. - Fixed a theoretical uninitialized read when testing for JSON error responses from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>. - ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly. (Previously, the problem text would not be reported and retries could exist CA limits.) - Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an empty JSON object was sent - which apparently LE accepted, but others reject. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887337 13f79535-47bb-0310-9956-ffa450edef68
* typo in old CHANGES entryEric Covener2021-03-081-1/+1
| | | | | | | [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887311 13f79535-47bb-0310-9956-ffa450edef68
* fr doc rebuild.Lucien Gentis2021-03-062-13/+20
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887259 13f79535-47bb-0310-9956-ffa450edef68
* fr doc XML file update.Lucien Gentis2021-03-061-15/+27
| | | | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887258 13f79535-47bb-0310-9956-ffa450edef68
* Follow-up to r1887244.Christophe Jaillet2021-03-061-5/+5
| | | | | | Wrong version of the patch attached :( git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887245 13f79535-47bb-0310-9956-ffa450edef68
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 00:55:59 +0100