path: root/changes-entries
Commit message | Author | Age | Files | Lines
* *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. | Stefan Eissing | 2021-04-13 | 1 | -0/+20
  This allows modules to access and provide OCSP response data without being tied to each other. The data is exchanged in standard, portable formats (PEM encoded certificates and DER encoded responses), so that the actual SSL/crypto implementations used by the modules are independent of each other.
  Registration and retrieval happen in the context of a server (server_rec) which modules may use to decide if they are configured for this or not.
  The area of changes:
  1. core: defines 2 functions in include/http_ssl.h, so that modules may register a certificate, together with its issuer certificate for OCSP response provisioning and ask for current response data (DER bytes) later. Also, 2 hooks are defined that allow modules to implement this OCSP provisioning.
  2. mod_ssl uses the new functions, in addition to what it did already, to register its certificates this way. If no one is interested in providing OCSP, it falls back to its own (if configured) stapling implementation.
  3. mod_md registers itself at the core hooks for OCSP provisioning. Depending on configuration, it will accept registrations of its own certificates only, all certificates or none.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
* Apply CHANGES. [skip ci] | Yann Ylavic | 2021-04-01 | 7 | -21/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888270 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1888266, r1888268: fix PR in CHANGES entry. | Yann Ylavic | 2021-04-01 | 1 | -1/+1
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888269 13f79535-47bb-0310-9956-ffa450edef68
* Follow up to r1888266: CHANGES entry. | Yann Ylavic | 2021-04-01 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888268 13f79535-47bb-0310-9956-ffa450edef68
* *) mod_http2: Fixed a race condition that could lead to streams being | Stefan Eissing | 2021-03-26 | 1 | -0/+3
  aborted (RST to the client), although a response had been produced.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888087 13f79535-47bb-0310-9956-ffa450edef68
* *) core: provide ap_ssl_* functions in new http_ssl.h header file. | Stefan Eissing | 2021-03-26 | 1 | -0/+2
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888083 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl: Add base64-encoded DER certificate variables as alternative | Joe Orton | 2021-03-19 | 1 | -0/+6
  to PEM, to avoid newline mangling issues when using PEM in header values.
  * modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.
  * modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data): New function, replacing ssl_var_lookup_ssl_cert_PEM. (ssl_var_lookup_ssl): Use it, and add _B64CERT variants of SSL_{CLIENT,SERVER}_CERT. (ssl_var_lookup_ssl_cert_chain): Use it.
  * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support "ExportBase64CertData" argument.
  * modules/ssl/ssl_engine_kernel.c (extract_to_env): New function. (ssl_hook_Fixup): Use it, also export _B64CERT variables if SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain handling.
  PR: 65169
  Reviewed by: michaelo
  Github: closes #177
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68
* Fix a potential duplicated ID generation issue under heavy load. | Christophe Jaillet | 2021-03-06 | 1 | -0/+3
  This is due to a non thread safe use of a counter. Use a counter for each thread instead to avoid the issue.
  PR 65159
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887244 13f79535-47bb-0310-9956-ffa450edef68
* * modules/proxy/mod_proxy_balancer.c (balancer_display_page): | Joe Orton | 2021-03-05 | 1 | -0/+2
  Include nonce in XML output.
  PR: 63074
  Submitted by: Federico Mennite <federico.mennite lifeware.ch>
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887192 13f79535-47bb-0310-9956-ffa450edef68
* Synch from mod_md github: | Joe Orton | 2021-03-03 | 1 | -0/+2
  mod_md: tolerate missing revokeCert or keyChange resource
  RFC 8555 §7.1 states:
    The server MUST provide "directory" and "newNonce" resources.
  But RFC 8555 makes no explicit statement anywhere whether other resources are, or are not, required (with the exception of "newAuthz" which is optional). Therefore it is possible that some ACME server implementations may omit some resources; in particular those that are not an essential part of the "order" workflow.
  Indeed, I am working with one such server implementation, which does not at this time implement "keyChange". mod_md refuses to interact with this server because it is checking that a certain set of resources are defined in the directory object - despite some of those resources not currently being used.
  Update the check to require only "newNonce", "newAccount" and "newOrder". Omit from the check and therefore tolerate the absence of resources which are not always required: "revokeCert" and "keyChange".
  If mod_md implements revocation and/or key rollover in the future, the availability of those features should be predicated on the server's advertised capabilities.
  https://github.com/icing/mod_md/commit/38ff597f3ccb3c942e68701fb185c6a68f0708e4
  Submitted by: Fraser Tweedale <ftweedal redhat.com>
  Github: closes #122
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887148 13f79535-47bb-0310-9956-ffa450edef68
* Sync CHANGES entries. [skip ci]. | Yann Ylavic | 2021-03-01 | 6 | -36/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887053 13f79535-47bb-0310-9956-ffa450edef68
* mod_session: account for the '&' in identity_concat(). | Yann Ylavic | 2021-03-01 | 1 | -0/+2
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
* *) core: Adding SSL related inquiry functions to the server API. | Stefan Eissing | 2021-02-23 | 1 | -0/+18
  These functions are always available, even when no module providing SSL is loaded. They provide their own "shadowing" implementation for the optional functions of similar name that mod_ssl and impersonators of mod_ssl provide.
  This enables loading of several SSL providing modules when all but one of them registers itself into the new hooks. Two old-style SSL modules will not work, as they replace the others' optional functions with their own.
  Modules using the old-style optional functions will continue to work as core supplies its own versions of those.
  The following has been added so far:
  - ap_ssl_conn_is_ssl() to query if a connection is using SSL.
  - ap_ssl_var_lookup() to query SSL related variables for a server/connection/request.
  - Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules providing SSL can install their own value supplying functions.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1886840 13f79535-47bb-0310-9956-ffa450edef68
* mod_http2, synch with changes from github module version: | Stefan Eissing | 2021-02-22 | 2 | -0/+11
  - logio: improvements to reporting of sent bytes for http2 responses
  - directive H2OutputBuffering, controls if any output should be sent immediately.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1886792 13f79535-47bb-0310-9956-ffa450edef68
* * Document r1885939 and r1885940 | Ruediger Pluem | 2021-01-27 | 1 | -0/+2
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885941 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy_hcheck: don't pile up health checks. PR 63010. | Yann Ylavic | 2021-01-19 | 1 | -0/+3
  Prevent health checks from running for a worker until the last one is fully finished, to avoid making things worse (memory growth, #connections, ..).
  This is done by zeroing worker->s->updated before scheduling the worker in the threadpool, and resetting the time when it's finished. The scheduler then does nothing if worker->s->updated is zero.
  Also, to save some apr_time_now() calls when !HC_USE_THREADS, *baton->now is updated in the callback and reused by the scheduler.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885691 13f79535-47bb-0310-9956-ffa450edef68
* Update CHANGES entry after r1885659 [skip ci]. | Yann Ylavic | 2021-01-18 | 1 | -3/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885661 13f79535-47bb-0310-9956-ffa450edef68
* mod_auth_digest: Fast validation of the nonce's base64 to fail early if | Yann Ylavic | 2021-01-18 | 1 | -0/+3
  the format can't match anyway.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885659 13f79535-47bb-0310-9956-ffa450edef68
* Update CHANGES entries [skip ci]. | Yann Ylavic | 2021-01-18 | 3 | -12/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885658 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy_wstunnel: leave Upgrade requests handling to mod_proxy_http. | Yann Ylavic | 2021-01-07 | 1 | -0/+4
  Let mod_proxy_http's canon and scheme handlers accept "ws[s]:" schemes so that mod_proxy_wstunnel can decline requests when mod_proxy_http is loaded.
  * modules/proxy/{mod_proxy.h,proxy_util.c} (ap_proxy_worker_can_upgrade): Add a "dflt" argument to ap_proxy_worker_can_upgrade() which, if not NULL, is matched when no worker upgrade= parameter is configured. This allows to handle the default "Upgrade: websocket" case for "ws[s]:" schemes.
  * modules/proxy/mod_proxy_http.c (proxy_http_canon, proxy_http_handler): Add and use the new get_url_scheme() helper to parse URL schemes handled by mod_proxy_http and use it in canon and scheme handlers. This helper now accepts ws[s] schemes.
  * modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_post_config): New post_config hook to detect whether mod_proxy_http is loaded and set global fallback_to_mod_proxy_http flag in this case.
  * modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_check_trans, proxy_wstunnel_canon, proxy_wstunnel_handler): These hooks now early return DECLINED if fallback_to_mod_proxy_http is set.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885239 13f79535-47bb-0310-9956-ffa450edef68
* Treat non-leaf certificates present in SSLProxyMachineCertificateFile | Joe Orton | 2020-12-17 | 1 | -0/+4
  the same way as non-leaf certs are in SSLCertificateFile - use them to build the trusted cert chain for the end-entity (client) cert.
  * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): For any non-leaf certificate present in the configured, trust as if used in SSLProxyMachineCertificateChainFile.
  Github: closes #151
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884552 13f79535-47bb-0310-9956-ffa450edef68
* The Microsoft OOXML format uses xml packaged into a zip file, and has | Joe Orton | 2020-12-16 | 1 | -0/+4
  mimetypes like:
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  This mimetype contains 'xml', but is unfortunately not an xml file. xml2enc processes these files (in particular, when mod_proxy_html is used), typically resulting in them being corrupted as it seems to attempt to perform an ISO-8859-1 to UTF-8 conversion on them.
  * modules/filters/mod_xml2enc.c (xml2enc_ffunc): Restrict test for XML types to matching "+xml".
  Submitted by: Joseph Heenan <joseph.heenan fintechlabs.io>
  PR: 64339
  Github: closes #150
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884505 13f79535-47bb-0310-9956-ffa450edef68
* Merge CHANGES entries [skip ci]. | Yann Ylavic | 2020-12-16 | 8 | -28/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884492 13f79535-47bb-0310-9956-ffa450edef68
* CHANGES entries for PR 63855. | Yann Ylavic | 2020-12-09 | 1 | -0/+6
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884220 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy_fcgi: Honor "SetEnv proxy-sendcl". | Yann Ylavic | 2020-12-03 | 1 | -0/+3
  When proxy-sendcl is set, spool the request body to memory/disk so that a Content-Length can be computed and provided to the backend.
  If not set, still try to prefetch the body in non blocking mode, which allows to handle small bodies (< 16K) the same way by default.
  PR 57087.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884068 13f79535-47bb-0310-9956-ffa450edef68
* * modules/metadata/mod_unique_id.c: Use base64url encoding for | Joe Orton | 2020-11-30 | 1 | -0/+3
  uuencoder table.
  PR: 57044
  Submitted by: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883947 13f79535-47bb-0310-9956-ffa450edef68
* PR64785: mod_allowmethods: Allow methods to be added/removed with +/- prefix | Eric Covener | 2020-11-08 | 1 | -0/+3
  Committed By: covener
  Submitted By: Marcel Montes <spiceman gmail.com>
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883203 13f79535-47bb-0310-9956-ffa450edef68
* mpm_event: don't reset connections after lingering close timeout | Yann Ylavic | 2020-11-04 | 1 | -0/+3
  While httpd is supposed to do lingering close for incoming data, it has no control anyway over outgoing/pending data once they are handled by the system.
  So don't reset the connection after lingering close times out, otherwise the system won't do its own lingering close to flush un-acked data.
  The connection reset was introduced by r1802875 and backported to 2.4.28.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883097 13f79535-47bb-0310-9956-ffa450edef68
* mpm_event: don't kill keepalive connections on connections_above_limit(). | Yann Ylavic | 2020-11-04 | 1 | -0/+4
  Before r1819855 (backported to 2.4.30), mpm_event killed keepalive connections only when workers were exhausted, while this commit set workers_were_busy for connections_above_limit().
  Restore prior to r1819855 behaviour, and since ap_queue_info_num_idlers() is now part of connections_above_limit(), let's update workers_were_busy there only when necessary.
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883096 13f79535-47bb-0310-9956-ffa450edef68
* mod_proxy: Add support for an optional third argument to ProxyRemote* | Joe Orton | 2020-09-17 | 1 | -0/+3
  to configure the Basic auth credentials to send to the remote proxy. (Note that credentials are always sent w/o waiting for a challenge as with proxy-chain-auth, and only Basic is supported - both of which are not exactly ideal - but better than nothing.)
  * modules/proxy/mod_proxy.h (struct proxy_remote): Add creds field.
  * modules/proxy/mod_proxy.c (proxy_handler): Pass forward proxy credentials via r->notes. (add_proxy): Take credentials and base64-encode into ->creds field if passed. (add_proxy_noregex, add_proxy_regex): Take optional creds argument.
  * modules/proxy/proxy_util.c (ap_proxy_determine_connection): Use proxy credentials from r->notes if available. (ap_proxy_create_hdrbrgd): Set Proxy-Authorization header from credentials in r->notes if present.
  PR: 37355
  Github: closes #135
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881790 13f79535-47bb-0310-9956-ffa450edef68
* * modules/dav/fs/repos.c (dav_fs_open_stream): Add specific logs for | Joe Orton | 2020-09-15 | 1 | -0/+3
  different modes in dav_fs_open_stream(), indicate failure because of different file open modes. Also add the filepath in the log messages.
  Github: closes #138
  PR: 64413
  Submitted by: Bingyu Shen <ahshenbingyu gmail.com>
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881736 13f79535-47bb-0310-9956-ffa450edef68
* * Update change entries via make update-changes [skip ci] | Ruediger Pluem | 2020-09-15 | 3 | -8/+0
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881729 13f79535-47bb-0310-9956-ffa450edef68
* * Changelog for r1881620 [skip ci] | Ruediger Pluem | 2020-09-11 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881635 13f79535-47bb-0310-9956-ffa450edef68
* Document PR 64709 fix confirmed for r1881459. [skip ci] | Joe Orton | 2020-09-08 | 1 | -0/+3
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881552 13f79535-47bb-0310-9956-ffa450edef68
* Avoid NULL pointer dereferences for empty environment variable values | Ruediger Pluem | 2020-07-15 | 1 | -0/+2
  git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879878 13f79535-47bb-0310-9956-ffa450edef68