Skip to content
  1. Feb 18, 2016
    • Jim Jagielski's avatar
      Merge r1721899 from trunk: · 098357b0
      Jim Jagielski authored
      mod_cache_socache: Fix a possible cached entity body corruption when it
      is received from an origin server in multiple batches and forwarded by
      mod_proxy.
      
      Upstream buckets should be setaside when saving response body (store_body),
      but since those will finally be flatten in the cache buffer (commit_entity),
      let's save them directly into the buffer to avoid heap allocation(s) and
      the final copy.
      
      Reported by: Mike Pastore <mike oobak.org> 
      
      Submitted by: ylavic
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1731082 13f79535-47bb-0310-9956-ffa450edef68
      098357b0
    • Jim Jagielski's avatar
      Merge r1653941, r1653978, r1656225, r1686853, r1686856 from trunk: · 7fe649be
      Jim Jagielski authored
      mod_alias: Introduce expression parser support for Alias, ScriptAlias
      and Redirect.
      
      
      Use unsigned bit fields.
      
      
      mod_alias: follow up to r1653941.
      Fill empty APLOGNO().
      
      
      mod_alias: follow up to r1653941.
      Limit Redirect expressions to directory (Location) context
      and redirect statuses (implicit or explicit).
      
      
      mod_alias: follow up to r1686853.
      Factorize code (no functional change).
      Submitted by: minfrin, ylavic, ylavic, ylavic
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1731081 13f79535-47bb-0310-9956-ffa450edef68
      7fe649be
  2. Feb 16, 2016
  3. Feb 11, 2016
  4. Feb 09, 2016
  5. Jan 28, 2016
  6. Jan 21, 2016
  7. Jan 19, 2016
  8. Dec 30, 2015
  9. Dec 28, 2015
  10. Dec 08, 2015
  11. Dec 07, 2015
  12. Dec 04, 2015
  13. Nov 26, 2015
    • Jim Jagielski's avatar
      Merge r1711728, r1713209 from trunk: · 033018fd
      Jim Jagielski authored
      For the "SSLStaplingReturnResponderErrors off" case, make sure to only
      staple responses with certificate status "good". Also avoids including
      inaccurate responses when the OCSP responder is not completely up
      to date in terms of the CA-issued certificates (and provides interim
      "unknown" or "extended revoked" [RFC 6960] status replies).
      
      Log a certificate status other than "good" in stapling_check_response().
      
      Propagate the "ok" status from stapling_check_response() back via both
      stapling_renew_response() and get_and_check_cached_response() to the
      callback code in stapling_cb(), enabling the decision whether to include
      or skip the response.
      
      
      insert missing LOGNO in ssl_util_stapling.c
      Submitted by: kbrand
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1716652 13f79535-47bb-0310-9956-ffa450edef68
      033018fd
    • Jim Jagielski's avatar
      Merge r1710095, r1710105, r1711902 from trunk: · 9f9b598d
      Jim Jagielski authored
      core: Limit to ten the number of tolerated empty lines between request,
      and consume them before the pipelining check to avoid possible response
      delay when reading the next request without flushing.
      
      Before this commit, the maximum number of empty lines was the same as
      configured LimitRequestFields, defaulting to 100, which was way too much.
      We now use a fixed/hard limit of 10 (DEFAULT_LIMIT_BLANK_LINES).
      
      check_pipeline() is changed to check for (up to the limit) and comsume the
      trailing [CR]LFs so that they won't be interpreted as pipelined requests,
      otherwise we would block on the next read without flushing data, and hence
      possibly delay pending response(s) until the next/real request comes in or
      the keepalive timeout expires.
       
      Finally, when the maximum number of empty line is reached in
      read_request_line(), or that request line does not contains at least a method
      and an (valid) URI, we can fail early and avoid some failure detected in
      further processing.
      ...
      9f9b598d
  14. Nov 25, 2015
  15. Nov 24, 2015
  16. Nov 20, 2015
  17. Nov 18, 2015
    • Jim Jagielski's avatar
      Merge r1705194, r1705823, r1705826, r1705828, r1705833, r1706275, r1707230, r1707231 from trunk: · b8885db0
      Jim Jagielski authored
      mod_ssl: forward EOR (only) brigades to the core_output_filter().
      
      mod_ssl: don't FLUSH output (blocking) on read.
      This defeats deferred write (and pipelining), eg. check_pipeline() is not
      expecting the pipe to be flushed under it.
      So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
      are known to not handle all the cases, so we keep flushing with those).
      
      
      mod_ssl: follow up to r1705823.
      Oups, every #if needs a #endif...
      
      mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),
      the core output filter needs them.
      
      Proposed by: jorton
      
      
      mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.
      Add CHANGES entry, and restore ap_process_request_after_handler()'s comment
      as prior to r1705194 (the change makes no sense now).
      
      
      mod_ssl: follow up to r1705823.
      We still need to flush in the middle of a SSL/TLS handshake.
      
      
      mod_ssl: follow up to r1705823.
      Flush SSL/TLS handshake data when writing (instead of before reading),
      and only when necessary (openssl < 0.9.8m or proxy/client side).
      
      
      mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().
      
      Submitted by: ylavic
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1715014 13f79535-47bb-0310-9956-ffa450edef68
      b8885db0
  18. Nov 03, 2015
  19. Oct 25, 2015
  20. Oct 09, 2015
  21. Oct 08, 2015
    • Yann Ylavic's avatar
      r1678763 | ylavic | 2015-05-11 16:53:34 +0200 (Mon, 11 May 2015) | 7 lines · 91f55435
      Yann Ylavic authored
      mod_proxy: only cleanup the socket for a connection asked to be closed but
      whose address can still be reused.
      
      This saves unnecessary socket pool destroy and creation at cleanup and reuse
      time, plus the same initialization of conn->pool's associated data which can
      be reused in that case.
      
      
      r1703807 | ylavic | 2015-09-18 12:58:58 +0200 (Fri, 18 Sep 2015) | 5 lines
      
      mod_proxy: don't recyle backend announced "Connection: close" connections.
      Failing to do this may lead to a race condition where we send a new request
      before the backend really closes the connection (or lost SSL-Alert/FIN make
      us think the connection is still alive, until the retransmission).
      
      
      r1703813 | ylavic | 2015-09-18 13:48:31 +0200 (Fri, 18 Sep 2015) | 1 line
      
      mod_proxy: follow up to r1703807: CHANGES entry.
      
      
      Submitted by: ylavic
      Committed by: ylavic
      Reviewed  by: ylavic, rjung, trawick
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1707556 13f79535-47bb-0310-9956-ffa450edef68
      91f55435
  22. Oct 06, 2015
    • Jim Jagielski's avatar
      Merge r1684900, r1687539, r1687680, r1688331, r1688339, r1688340, r1688341,... · af2c42fb
      Jim Jagielski authored
      Merge r1684900, r1687539, r1687680, r1688331, r1688339, r1688340, r1688341, r1688343, r1697013, r1697015 from trunk:
      
      mod_substitute: Fix configuraton merge order.
      PR 57641 [Marc.Stern]
      
      
      mod_substitute: follow up r1684900.
      Introduce the SubstituteInheritBefore directive to configure the merge order.
      This allows to preserve 2.4 and earlier behaviour.
      
      
      mod_substitute: follow up to r1687539.
      Use tristate single inherit_before variable instead of two, according to
      wrowe's advices.
      
      
      mod_substitute: follow up to r1687680.
      Fix dir config merger 'over'-write, thanks Bill (again).
      
      Very difficult to read, and therefore was wrong.
      
      Assert that the SubstituteInheritBefore option was explicitly toggled,
      and do not default in 2.x to this legacy behavior.
      
      
      
      Optimize in all cases that the members are all explicitly initialized.
      
      Useful for 2.2 and 2.4, but trunk will require the subsequent patch.
      
      
      
      
      Increase legibility of the max_line_length behavior, and adjust for
      the requirement that all members are initialized explicitly due to
      the previous patch.
      
      
      
      Net -8 LoC, my usual specialty.
      
      This didn't need to be reinvented; please use established helpers.
      
      
      
      mod_substitute: follow up r1688339.
      SubstituteInheritBefore is the default in 2.5.x but wasn't for ealier versions.
      
      
      mod_substitute: follow up r1697013.
      Update the doc.
      Submitted by: niq, ylavic, ylavic, ylavic, wrowe, wrowe, wrowe, wrowe, ylavic, ylavic
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1707039 13f79535-47bb-0310-9956-ffa450edef68
      af2c42fb
  23. Sep 30, 2015
    • Jim Jagielski's avatar
      Merge r1703902 from trunk: · dbda2446
      Jim Jagielski authored
      mod_proxy: Fix ProxySourceAddress binding failure with AH00938.  PR 56687.
      Proposed by: Arne de Bruijn <apache arbruijn.dds.nl>
      Reviewed by: ylavic
      
      Submitted by: ylavic
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706028 13f79535-47bb-0310-9956-ffa450edef68
      dbda2446
    • asf-sync-process's avatar
      merge r1703952 from trunk · 6278188c
      asf-sync-process authored
      Support compilation against libssl built with OPENSSL_NO_SSL3,
      and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
      in accordance with RFC 7568. PR 58349, PR 57120.
      
      Proposed by: kbrand
      Reviewed by: ylavic, jorton
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
      6278188c
    • Kaspar Brand's avatar
      merge r1702643 from trunk · 213c5b06
      Kaspar Brand authored
      Append :!aNULL:!eNULL:!EXP to the cipher string settings,
      instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
      and later). Enables support for configuring the SUITEB* cipher
      strings introduced in OpenSSL 1.0.2. PR 58213.
      
      Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.
      
      Proposed by: kbrand
      Reviewed by: ylavic, jorton
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
      213c5b06
    • Kaspar Brand's avatar
      merge r1693792 from trunk · c41d0340
      Kaspar Brand authored
      Add support for extracting the msUPN and dnsSRV forms
      of subjectAltName entries of type "otherName" into
      SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
      variables. Addresses PR 58020.
      
      * docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
        environment variables table
      
      * modules/ssl/ssl_engine_vars.c: add support for retrieving the
        SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables
      
      * modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
        currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
        "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
        adapt modssl_X509_getSAN to take an optional otherName form
        argument for the GEN_OTHERNAME case
      
      * modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype
      
      * modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
        OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table
      
      Proposed by: kbrand
      Reviewed by: ylavic, jorton
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68
      c41d0340
  24. Sep 28, 2015