path: root/CHANGES
Commit message | Author | Age | Files | Lines
...
* Add a change entry | Christophe Jaillet | 2021-04-18 | 1 | -1/+2
  [skip ci]
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888925 13f79535-47bb-0310-9956-ffa450edef68
* Apply CHANGES. [skip ci] | Yann Ylavic | 2021-04-01 | 1 | -0/+26
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888270 13f79535-47bb-0310-9956-ffa450edef68
* mod_md: | Stefan Eissing | 2021-03-22 | 1 | -0/+2
  - MDCertificateFile and MDCertificateKeyFile can now be specified several times to add multiple, static certificates to a MDomain.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887923 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_md: v2.4.0 with improvements and bugfixes | Stefan Eissing | 2021-03-08 | 1 | -0/+61
  - MDPrivateKeys allows the specification of several types. Beside "RSA" plus optional key lengths elliptic curves can be configured. This means you can have multiple certificates for a Managed Domain with different key types. With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA certificate and all modern clients will use the shorter ECDSA, while older clients will get the RSA certificate. Many thanks to @tlhackque who pushed and helped on this.
  - Support added for MDomains consisting of a wildcard. Configuring ```MDomain *.host.net``` will match all virtual hosts matching that pattern and obtain one certificate for it (assuming you have 'dns-01' challenge support configured). Addresses #239.
  - Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt which has disabled that version more than a year ago for new accounts.
  - Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the ```renewing``` call to ```MDMessageCmd``` that can deny a certificate renewal attempt. This is useful in clustered installations, as discussed in #233.
  - New event ```challenge-setup:<type>:<domain>```, triggered when the challenge data for a domain has been created. This is invoked before the ACME server is told to check for it. The type is one of the ACME challenge types. This is invoked for every DNS name in a MDomain.
  - The max delay for retries has been raised to daily (this is like all retries jittered somewhat to avoid repeats at fixed time of day).
  - Certain error codes reported by the ACME server that indicate a problem with the configured data now immediately switch to daily retries. For example: if the ACME server rejects a contact email or a domain name, frequent retries will most likely not solve the problem. But daily retries still make sense as there might be an error at the server and un-supervised certificate renewal is the goal. Refs #222.
  - Test case and work around for domain names > 64 octets. Fixes #227. When the first DNS name of an MD is longer than 63 octets, the certificate request will not contain a CN field, but leave it up to the CA to choose one. Currently, Let's Encrypt looks for a shorter name in the SAN list given and fails the request if none is found. But it is really up to the CA (and what browsers/libs accept here) and may change over the years. That is why the decision is best made at the CA.
  - Retry delays now have a random +/-[0-50]% modification applied to let retries from several servers spread out more, should they have been restarted at the same time of day.
  - Fixed several places where the 'badNonce' return code from an ACME server was not handled correctly. The test server 'pebble' simulates this behaviour by default and helps nicely in verifying this behaviour. Thanks, pebble!
  - Set the default `MDActivationDelay` to 0. This was confusing to users that new certificates were deemed not usable before a day of delay. When clocks are correct, using a new certificate right away should not pose a problem.
  - When handling ACME authorization resources, the module no longer requires the server to return a "Location" header, as was necessary in ACMEv1. Fixes #216.
  - Fixed a theoretical uninitialized read when testing for JSON error responses from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
  - ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly. (Previously, the problem text would not be reported and retries could exceed CA limits.)
  - Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an empty JSON object was sent - which apparently LE accepted, but others reject.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887337 13f79535-47bb-0310-9956-ffa450edef68
* typo in old CHANGES entry | Eric Covener | 2021-03-08 | 1 | -1/+1
  [skip ci]
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887311 13f79535-47bb-0310-9956-ffa450edef68
* Changed ap_ssl_answer_challenge() and its hook to provide PEM data for | Stefan Eissing | 2021-03-03 | 1 | -1/+2
  certificate and key instead of file names. Added support for this in mod_ssl and verified with a local mod_md version that uses it.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887151 13f79535-47bb-0310-9956-ffa450edef68
* Adding more ap_ssl_* functions and hooks to the core server. | Stefan Eissing | 2021-03-02 | 1 | -0/+11
  - ap_ssl_add_cert_files() to enable other modules like mod_md to provide certificate and keys for an SSL module like mod_ssl.
  - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to provide a fallback certificate in case no 'proper' certificate is available for an SSL module like mod_ssl.
  - ap_ssl_answer_challenge() to enable other modules like mod_md to provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge for the ACME protocol for an SSL module like mod_ssl.
  - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and 'ssl_answer_challenge' where modules like mod_md can provide providers to the above mentioned functions.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887085 13f79535-47bb-0310-9956-ffa450edef68
* Sync CHANGES entries. [skip ci]. | Yann Ylavic | 2021-03-01 | 1 | -0/+39
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887053 13f79535-47bb-0310-9956-ffa450edef68
* Enable mod_cgid stderr handling via Unix socket fd transfer by | Joe Orton | 2021-02-25 | 1 | -0/+3
  default, rather than as an opt-in configure flag. (This has been tested in Fedora for >12 months without seeing any new problems)
  * configure.in: Check for CMSG_DATA here, and define HAVE_FDPASSING and $ap_has_fdpassing if fd passing is supported.
  * modules/generator/config5.m4, modules/generator/mod_cgid.c: Drop configure flag for mod_cgid fdpassing support, instead enable where possible by default.
  * modules/proxy/config.m4: Rely on configure test for CMSG_DATA.
  * .travis.yml: Switch test for cgid fdpassing for testing w/o CMSG_DATA.
  Github: closes #172
  PR: 54221
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1886912 13f79535-47bb-0310-9956-ffa450edef68
* Update CHANGES entry after r1885659 [skip ci]. | Yann Ylavic | 2021-01-18 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885661 13f79535-47bb-0310-9956-ffa450edef68
* Update CHANGES entries [skip ci]. | Yann Ylavic | 2021-01-18 | 1 | -0/+13
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885658 13f79535-47bb-0310-9956-ffa450edef68
* * Add missing line break [skip ci] | Ruediger Pluem | 2020-12-16 | 1 | -0/+1
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884494 13f79535-47bb-0310-9956-ffa450edef68
* Merge CHANGES entries [skip ci]. | Yann Ylavic | 2020-12-16 | 1 | -0/+30
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884492 13f79535-47bb-0310-9956-ffa450edef68
* Revert r1884456. | Yann Ylavic | 2020-12-15 | 1 | -4/+0
  Let scripts (make update-changes) do a better work than me.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884466 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1884068: CHANGES entry needs to go to 2.5.x too. | Yann Ylavic | 2020-12-15 | 1 | -0/+4
  [skip ci]
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884456 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1836032: docs for ReadBufferSize, FlushMaxThreshold and | Yann Ylavic | 2020-12-11 | 1 | -0/+3
  FlushMaxPipelined. Plus CHANGES entry.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884296 13f79535-47bb-0310-9956-ffa450edef68
* Revert r1480058, -1'ed on dev@ and STATUS. | Yann Ylavic | 2020-12-10 | 1 | -4/+0
  Never backported (and never will supposedly), while often creating merge conflicts.
  See https://lists.apache.org/thread.html/be0e7bdc3510fddd2dd80accece44917eba361ef4fcc713dd0f7f7fa%401367999236%40%3Cdev.httpd.apache.org%3E
  and https://lists.apache.org/thread.html/6e63271b308a2723285d288857318e7bb51b6756690514d9bc75a71b%401371148914%40%3Ccvs.httpd.apache.org%3E
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884280 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_md: lowered the required minimal libcurl version from 7.50 to 7.29 | Stefan Eissing | 2020-10-15 | 1 | -0/+3
  as proposed by <alexander.gerasimov@codeit.pro>.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1882542 13f79535-47bb-0310-9956-ffa450edef68
* * Update change entries via make update-changes [skip ci] | Ruediger Pluem | 2020-09-15 | 1 | -0/+11
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881729 13f79535-47bb-0310-9956-ffa450edef68
* mention 304 headers handling | Giovanni Bechis | 2020-09-09 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881593 13f79535-47bb-0310-9956-ffa450edef68
* Found a PR lurking for the method type vs UBSan issue. [skip ci] | Joe Orton | 2020-09-08 | 1 | -1/+1
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881556 13f79535-47bb-0310-9956-ffa450edef68
* not my day, it seems | Stefan Eissing | 2020-07-29 | 1 | -1/+1
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880398 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_http2: remote support for abandoned http-wg draft | Stefan Eissing | 2020-07-29 | 1 | -0/+4
  <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880395 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy_uwsgi: Error out on HTTP header larger than 16K | Yann Ylavic | 2020-07-23 | 1 | -0/+3
  The uwsgi protocol does not let us serialize more than 16K of HTTP header, so fail early with 500 if it happens.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880205 13f79535-47bb-0310-9956-ffa450edef68
* mod_dav: Some DAV extensions, like CalDAV, specify both document | Graham Leggett | 2020-07-15 | 1 | -0/+6
  elements and property elements that need to be taken into account when generating a property. The document element and property element are made available in the dav_liveprop_elem structure under the DAV_PROP_ELEMENT key in the resource pool.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879889 13f79535-47bb-0310-9956-ffa450edef68
* mod_dav: Add utility functions dav_validate_root_ns(), | Graham Leggett | 2020-07-15 | 1 | -0/+4
  dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879888 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_http2: | Stefan Eissing | 2020-07-13 | 1 | -0/+8
  Fixes <https://github.com/icing/mod_h2/issues/200>: "LimitRequestFields 0" now disables the limit, as documented.
  Fixes <https://github.com/icing/mod_h2/issues/201>: Do not count repeated headers with same name against the field count limit. They are merged internally, as if sent in a single HTTP/1 line.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879832 13f79535-47bb-0310-9956-ffa450edef68
* * Make get_line more robust in the case that it is called multiple times: | Ruediger Pluem | 2020-07-06 | 1 | -0/+4
  - Save the brigade between multiple calls to correctly handle transient buckets.
  - Detect possible endless loops.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879546 13f79535-47bb-0310-9956-ffa450edef68
* core: Remove support for the Content-MD5 header, removed in RFC7231. | Graham Leggett | 2020-07-03 | 1 | -0/+4
  Functions ap_md5digest() and ap_md5contextTo64() removed, and ContentDigest directive.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879472 13f79535-47bb-0310-9956-ffa450edef68
* mod_dav: Allow other DAV modules to use dav_get_resource(). | Graham Leggett | 2020-07-03 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879466 13f79535-47bb-0310-9956-ffa450edef68
* mpm_common: remove ap_mpm_unregister_poll_callback(). | Yann Ylavic | 2020-07-02 | 1 | -0/+3
  It's now called automatically by mpm_event and anyway can't be called safely outside the MPM code without racing. MAJOR bump.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879422 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1879419: CHANGES entry. | Yann Ylavic | 2020-07-02 | 1 | -0/+4
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879421 13f79535-47bb-0310-9956-ffa450edef68
* mod_dav: Add method_precondition hook. WebDAV extensions define | Graham Leggett | 2020-06-29 | 1 | -0/+5
  conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879339 13f79535-47bb-0310-9956-ffa450edef68
* Add hooks deliver_report and gather_reports to mod_dav.h. Allows other | Graham Leggett | 2020-06-28 | 1 | -0/+4
  modules apart from versioning implementations to handle the REPORT method.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879306 13f79535-47bb-0310-9956-ffa450edef68
* Add dav_get_provider(), dav_open_lockdb() and dav_close_lockdb() mod_dav.h. | Graham Leggett | 2020-06-28 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879305 13f79535-47bb-0310-9956-ffa450edef68
* "[mod_dav_fs etag handling] should really honor the FileETag setting". | Graham Leggett | 2020-06-28 | 1 | -0/+13
  - It now does.
  - Add "Digest" to FileETag directive, allowing a strong ETag to be generated using a file digest.
  - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over ETag generation.
  - Add concept of "binary notes" to request_rec, allowing packed bit flags to be added to a request.
  - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force the ETag to a strong ETag to comply with RFC requirements, such as those mandated by various WebDAV extensions.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879285 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1879179: CHANGES entry. | Yann Ylavic | 2020-06-25 | 1 | -0/+4
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879180 13f79535-47bb-0310-9956-ffa450edef68
* Backported to 2.4.x | Jim Jagielski | 2020-06-20 | 1 | -19/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879038 13f79535-47bb-0310-9956-ffa450edef68
* Oups, axe spurious copypasta. | Yann Ylavic | 2020-06-19 | 1 | -6/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879002 13f79535-47bb-0310-9956-ffa450edef68
* CHANGES entry for ap_proxy_define_match_worker(). | Yann Ylavic | 2020-06-19 | 1 | -0/+11
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879001 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy_http: always stream the request body by default. | Yann Ylavic | 2020-06-19 | 1 | -0/+6
  Simplify streaming by using Content-Length if the length is available, or chunked Transfer-Encoding otherwise. Spooling to memory/file will only be used for HTTP/1.0 requests or if proxy-sendcl is set.
  This removes the handling of proxy-sendchunked and proxy-sendchunks.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878991 13f79535-47bb-0310-9956-ffa450edef68
* * Revert r1878939, r1878938, r1878936, the changes to | Ruediger Pluem | 2020-06-19 | 1 | -7/+0
  modules/http2/h2_request.c and CHANGES of r1878926 and r1878708 as a result of
  https://lists.apache.org/thread.html/red499ac4750b88e5943c25abb86434c59dfff4d4f386ffc53742755d%40%3Cdev.httpd.apache.org%3E
  and https://lists.apache.org/thread.html/ra79eee019e2357703b0ea81153458a29817b58ce92e3605949eee1fe%40%3Cdev.httpd.apache.org%3E
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878985 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_http2: workaround to facilitate use of common internal | Stefan Eissing | 2020-06-17 | 1 | -0/+4
  protocol/method/uri checks. The module now handles master/secondary connections and has marked methods according to use.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878926 13f79535-47bb-0310-9956-ffa450edef68
* mod_ldap: Use the LDAP API directly to implement the rebind callback | Joe Orton | 2020-06-16 | 1 | -0/+2
  for modern versions of OpenLDAP, avoiding the overhead of the apr-util implementation.
  * modules/ldap/util_ldap.c: Define USE_APR_LDAP_REBIND if a modern version of OpenSSL is used.
    (uldap_rebind_proc): New function.
    (uldap_rebind_init, uldap_rebind_add): Define, using either the callback or the (bad) APR-util versions.
    (uldap_connection_unbind): Clear the rebind pool to remove rebind references prior to destroying the LDAP *. Omit for !USE_APR_LDAP_REBIND.
    (uldap_connection_init): Use new wrappers, only create the rebind pool if USE_APR_LDAP_REBIND.
  * include/util_ldap.h: Don't include apr_ldap_rebind.h here.
  PR: 64414
  Github: closes #124
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878890 13f79535-47bb-0310-9956-ffa450edef68
* * Have the HTTP 0.9 / 1.1 processing code reject requests for | Ruediger Pluem | 2020-06-10 | 1 | -1/+5
  HTTP >= 2.0 with a HTTP Version Not Supported status code.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878708 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_proxy_http2: the "ping" proxy parameter | Stefan Eissing | 2020-06-03 | 1 | -0/+7
  (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878433 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy_http: don't strip EOS when spooling request body to file. | Yann Ylavic | 2020-05-29 | 1 | -0/+3
  To prevent stream_reqbody() from sending the FILE and EOS bucket in separate brigades, and thus apr_file_setaside() to trigger if network congestion occurs with the backend, restore the EOS in spool_reqbody_cl() which was stripped when spooling the request body to a file.
  Until APR r1878279 is released (and installed by users), apr_file_setaside() on a temporary file (mktemp) will simply drop the file cleanup, leaking the fd and inode.
  This fixes BZ 64452.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878280 13f79535-47bb-0310-9956-ffa450edef68
* revert r1878268 | Stefan Eissing | 2020-05-29 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878272 13f79535-47bb-0310-9956-ffa450edef68
* update after backport | Stefan Eissing | 2020-05-29 | 1 | -3/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878268 13f79535-47bb-0310-9956-ffa450edef68