| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Since h2_headers_create() copies its passed in tables, make them const and
simplify the callers.
Thus create_response() in h2_from_h1 can use r->headers_out directly without
copying.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890564 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
| |
h2 equivalent of r1889341 for h1.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890563 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
| |
is available in 2.4.x
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890247 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
| |
Github issue #188
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890076 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
generation from OpenSSL 1.1.0 and later. The
SSL_set_tmp_dh_callback() API is deprecated from OpenSSL 3.0 onwards.
Should not be a user-visible change (except mod_ssl gets smaller).
* modules/ssl/ssl_private.h,
modules/ssl/ssl_engine_kernel.c,
modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
Drop internal DH parameter generation and callback for OpenSSL 1.1+,
use SSL_CTX_set_dh_auto(, 1) instead.
Github: closes #188
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890067 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
| |
into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
functions and work for all running SSL modules.
The dependency from mod_ssl to mod_log_config and its header is removed.
mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR".
This change should be fully compatible to all deployed configurations.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890003 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
| |
fix that disables ec key types not supported by libressl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890001 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889995 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889939 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssl_io_filter_coalesce() now uses apr_brigade_write() to save its retained data
in a heap bucket, and ap_filter_{setaside,reinstate}_brigade() to declare them
to the output filters' write completion mechanism.
This prevents MPM event to miss them when it enters write completion state, and
will allow the tunneling loop of mod_proxy to flush them in a following commit
too.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889938 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
| |
Daniel reported on user@ that hc connections do not timeout according to
the worker's tumeout= configuration, this fixes it.
While at it, copy the other timeout settings too.
Reported by: dferradal
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889936 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
| |
Allows to opt-out the fallback to mod_proxy_http to handle WebSocket upgrade,
and let mod_proxy_wstunnel handle the requests as in 2.4.46 and earlier.
Update docs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889792 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889788 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
| |
read and trasnfered to the back-end worker.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889550 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
| |
Sumitted by Todd Lewis <utoddl email.unc.edu>
PR 65287
[skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889494 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
| |
PR: 61820
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889341 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
| |
While at it, fix some space related style issues and a doxygen like comment.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889327 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
| |
number.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
| |
not, mod_watchdog thinks it has nothing to do, if no one else installs
any watchdog instance.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889101 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- removed no longer needed (char*) casts when looking
up ssl variables.
- move 'goto cleanup;' on separate source line
- fixed check for wrong optional function in ap_run_ssl_var_lookup
- remove ap_bytes_t again from httpd.h and passes now ocsp
identifier as separate const char* and apr_size_t. This
follows more how such data is passed in the rest of the
server.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889009 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888726 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888724 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This
allows modules to access and provide OCSP response data without being tied
of each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independant of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certficates or none.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888518 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssl_init_Module() in post_config early registers ssl_init_ModuleKill(), which
will then run after all the next cleanups registered later in post_config, thus
any shm_cleanup() registered from ssl_scache_init::socache_shmcb_init().
This can cause a double SHM cleanup when apr_shm_destroy() is called from
ssl_init_ModuleKill() as pconf is cleared.
Fix this in mod_socache_shmcb by registering a socache_shmcb_cleanup() after
the SHM is created, and by letting socache_shmcb_destroy() run the cleanup,
such that shm_cleanup() is always and ever called only once.
Ideally apr_shm_create() would be consistent accross platforms to register its
shm_cleanup() on the pool but that's not the case for now (I'm on it), so httpd
has to call apr_shm_destroy() explicitely from several places (we'll be able to
remove ssl_scache_kill() and other similar cleanups once the minimal APR
version required by httpd is fixed..).
We could also fix this by registering ssl_init_ModuleKill() late(r) in
ssl_init_Module(), though the more robust mod_socache_shmcb the better for
all the modules..
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888266 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
| |
aborted (RST to the client), although a response had been produced.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888087 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888084 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888083 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
| |
bumped version number.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888006 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
| |
ap_read_request().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887999 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
| |
[-Werror=format-extra-args]".
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887993 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887965 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
| |
- MDCertificateFile and MDCertificateKeyFile can now be specified several
times to add multiple, static certificates to a MDomain.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887923 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to PEM, to avoid newline mangling issues when using PEM in header
values.
* modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data):
New function, replacing ssl_var_lookup_ssl_cert_PEM.
(ssl_var_lookup_ssl): Use it, and add _B64CERT variants of
SSL_{CLIENT,SERVER}_CERT.
(ssl_var_lookup_ssl_cert_chain): Use it.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support
"ExportBase64CertData" argument.
* modules/ssl/ssl_engine_kernel.c (extract_to_env): New function.
(ssl_hook_Fixup): Use it, also export _B64CERT variables if
SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain
handling.
PR: 65169
Reviewed by: michaelo
Github: closes #177
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
| |
socket earlier to avoid possible leaks on error paths. (highlighted
by Coverity scan)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887727 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
| |
Fix leak in error path in the do_malloc case, caught by covscan.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887720 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
| |
And set the current_thread of the connection.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887439 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887415 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
| |
modules.
* leaving mod_nw_ssl and mod_ssl itself untouched
* removing mod_ssl.h includes where no longer necessary
* some modules might skip post_config hooks, but those were left in, even when empty now.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887364 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887360 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887359 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887343 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887342 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887340 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate and all modern client will use the shorter ECDSA, while older
client will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233).
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Lets Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users that
new certificates were deemed not usably before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exist CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887337 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
| |
Wrong version of the patch attached :(
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887245 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
| |
This is due to a non thread safe use of a counter.
Use a counter for each thread instead to avoid the issue.
PR 65159
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887244 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
|
|
|
|
|
|
| |
Include nonce in XML output.
PR: 63074
Submitted by: Federico Mennite <federico.mennite lifeware.ch>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887192 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887176 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
| |
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887152 13f79535-47bb-0310-9956-ffa450edef68
|