| Commit message | Author | Age | Files | Lines |
| |
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- Added directive 'H2StreamTimeout' to configure a separate value for HTTP/2
streams, overriding server's 'Timeout' configuration. [rpluem]
- HTTP/2 connections now use pollsets to monitor the status of the
ongoing streams and their main connection when host OS allows this.
- Removed work-arounds for older versions of libnghttp2 and checking
during configure that at least version 1.15.0 is present.
- The HTTP/2 connection state handler, based on an experiment and draft
at the IETF http working group (abandoned for some time), has been removed.
- H2SerializeHeaders no longer has an effect. A warning is logged when it is
set to "on". The switch enabled the internal writing of requests to be parsed
by the internal HTTP/1.1 protocol handler and was introduced to avoid
potential incompatibilities during the introduction of HTTP/2.
- Removed the abort/redo of tasks when mood swings lower the active limit.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894163 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888083 13f79535-47bb-0310-9956-ffa450edef68
| |
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate and all modern clients will use the shorter ECDSA, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users that
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887337 13f79535-47bb-0310-9956-ffa450edef68
| |
- Embeds the HAVE_PCRE2 define as a compiler flag rather than try to work around
.h file substitutions, because the flag is only relevant to compiling the single
server/util_pcre.c file.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881478 13f79535-47bb-0310-9956-ffa450edef68
| |
This addresses several concerns;
- There is no valid release of OpenSSL < 1.0.2 to incorporate security fixes,
particularly on Windows, and particularly as vetted by the project.
- File structure of opensslv.h has changed in such a way as to completely
invalidate the CMake FindOpenSSL macros, so 3.0.0 cannot be determined.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880754 13f79535-47bb-0310-9956-ffa450edef68
| |
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868506 13f79535-47bb-0310-9956-ffa450edef68
| |
curl FIND_PACKAGE logic and completing the jansson detection logic.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1866131 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1866119 13f79535-47bb-0310-9956-ffa450edef68
| |
Adding module to CMakeLists, needs testing.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862041 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1856910 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1837717 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1836613 13f79535-47bb-0310-9956-ffa450edef68
| |
This function, along with ap_make_etag(), is used by the default_handler in
core.c, and in several modules other than builtin mod_http, breaking static
linking and httpdunit tests build.
The move is done by "svn move modules/http/http_etag.c server/util_etag.c".
MMN major bumped, not backportable (as is) to 2.4.x.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833083 13f79535-47bb-0310-9956-ffa450edef68
| |
also used by other modules (currently mod_ssl),
so it must be in the include path. It was
missing for cmake builds.
Note that this change does not yet enable building
mod_md itself using cmake. That part is still
missing.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828669 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1825504 13f79535-47bb-0310-9956-ffa450edef68
| |
Add a CMake version of the httpdunit build system. At the moment, the only
annoyance is that CMake doesn't like globbing source files, so the
generator must be re-run whenever test cases are added.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/httpdunit@1796206 13f79535-47bb-0310-9956-ffa450edef68
| |
mod_http2: h2 workers with improved scalability for better scheduling
performance. There are H2MaxWorkers threads created at start and the
number is kept constant.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1788672 13f79535-47bb-0310-9956-ffa450edef68
| |
*) mod_http2: rework of stream resource cleanup to avoid a crash in a close
of a lingering connection. Prohibit special file bucket beaming for
shared buckets. Files sent in stream output now use the stream pool
as read buffer, reducing memory footprint of connections.
[Yann Ylavic, Stefan Eissing]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1779738 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1774657 13f79535-47bb-0310-9956-ffa450edef68
| |
Brotli repository.
With the recent update (https://github.com/google/brotli/pull/464), the
official repository now produces pkg-config metadata files (brotli.pc),
and has a fixed library layout (libbrotlicommon/libbrotlienc/libbrotlidec)
on both Windows and Linux. Expect this layout in the makefiles, and take
advantage of the pkg-config metadata, if it's available.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1771827 13f79535-47bb-0310-9956-ffa450edef68
| |
stability
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1763158 13f79535-47bb-0310-9956-ffa450edef68
| |
This new module supports dynamic Brotli (RFC 7932) compression. Existing
mod_deflate installations can benefit from better compression ratio by
sending Brotli-compressed data to the clients that support it:
SetOutputFilter BROTLI_COMPRESS;DEFLATE
The module features zero-copy processing, which is only possible with the
new API from the upcoming 1.0.x series of brotli [1]. The Linux makefile
works against libbrotli [2], as currently the core brotli repository doesn't
offer a way to build a library [3]. Apart from that, only the CMake build
is now supported.
[1] https://github.com/google/brotli
[2] https://github.com/bagder/libbrotli
[3] https://github.com/google/brotli/pull/332
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1761714 13f79535-47bb-0310-9956-ffa450edef68
| |
Deal with installation paths with spaces in them (e.g. "C:\Program
Files") by quoting the arguments to perl and xcopy.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1752333 13f79535-47bb-0310-9956-ffa450edef68
| |
Multi-configuration generators, like Visual Studio, use a different
output directory (Debug, Release, etc.) for each configuration. To find
the output files reliably, switch to using generator expressions instead
of hardcoding the file paths for PDBs, export files, etc.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1752332 13f79535-47bb-0310-9956-ffa450edef68
| |
When using CMake with Visual Studio on Windows, invoking the
CHECK_SYMBOL_EXISTS macro with the full paths to the include files seems
to always result in failure.
Instead, use the documented CMAKE_REQUIRED_INCLUDES variable to set the
include directory, and pass only the headers' base names to
CHECK_SYMBOL_EXISTS.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1752331 13f79535-47bb-0310-9956-ffa450edef68
| |
h2_util.c, updated dsp and cmake as well as configure files
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1747550 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1743512 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1741596 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1740155 13f79535-47bb-0310-9956-ffa450edef68
| |
buffer copy. Code cleanup
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1739303 13f79535-47bb-0310-9956-ffa450edef68
| |
fixes CVE-2016-1546
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1733727 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1732295 13f79535-47bb-0310-9956-ffa450edef68
| |
http/2, needs more hardening
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731096 13f79535-47bb-0310-9956-ffa450edef68
| |
- include in Windows and Netware LoadModule lists
- add to cmake build file
Untested.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730075 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1720651 13f79535-47bb-0310-9956-ffa450edef68
| |
followup to r1713887
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1713937 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1712382 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1706640 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1706627 13f79535-47bb-0310-9956-ffa450edef68
| |
and later.
PR: 56615
Submitted by: Chuck Liu <cliu81 gmail.com>, trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1625196 13f79535-47bb-0310-9956-ffa450edef68
| |
Support build of mod_ssl_ct on Windows
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1589009 13f79535-47bb-0310-9956-ffa450edef68
| |
several stages of initialization and connection handling. See
mod_ssl_openssl.h.
This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1587607 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1583005 13f79535-47bb-0310-9956-ffa450edef68
| |
with embedded blanks.
The extra, escaped quoting in the original version is required for passing
the definition over the command-line, but it broke Visual Studio builds.
For now, avoid the extra quoting when generating for Visual Studio.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1543149 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1543147 13f79535-47bb-0310-9956-ffa450edef68
| |
for building that branch
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1541922 13f79535-47bb-0310-9956-ffa450edef68
| |
before prereq include dirs in case httpd is installed to the same
place as the prereq, in which case we might be using an older
httpd .h file.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1529452 13f79535-47bb-0310-9956-ffa450edef68
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1529440 13f79535-47bb-0310-9956-ffa450edef68
| |
ssl_engine_dh.c is still in 2.4.x, and (perhaps unexpectedly) this
cmake list supports both trunk and 2.4.x for the time being.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527570 13f79535-47bb-0310-9956-ffa450edef68
| |
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527295 13f79535-47bb-0310-9956-ffa450edef68