information:

* modules/ssl/mod_ssl.c (ssl_hook_pre_config): Call
ssl_scache_status_register.

* modules/ssl/ssl_scache.c (ssl_scache_status): Removed function.
(ssl_ext_status_hook): Renamed from ssl_ext_ms_display: switch to
2.1's mod_status "status_hook" API.
(ssl_scache_status_register): Register optional hook.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_status): Adjust to use
new API.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_status): Adjust
to use new API.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101889 13f79535-47bb-0310-9956-ffa450edef68

data corruption bugs since being apr_rmm'ified.

* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.

* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.

* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.

* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.

* ssl_scache.c: Remove shmht hooks throughout.

* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101888 13f79535-47bb-0310-9956-ffa450edef68

unused variable from previous commit.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101881 13f79535-47bb-0310-9956-ffa450edef68

ssl_var_lookup_ssl for a real SSL connection; fix lookup of "HTTPS"
for non-SSL connections.
(ssl_var_log_handler_x): Give results for non-SSL connections too;
e.g. %{HTTPS}x does the right thing.

PR: 23956


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101880 13f79535-47bb-0310-9956-ffa450edef68

Determine the library version string at run-time rather than at
compile-time.

Submitted by: Eric Seidel <eseidel@apple.com>
PR: 23956


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101879 13f79535-47bb-0310-9956-ffa450edef68

(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.

PR: 24030


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101878 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101789 13f79535-47bb-0310-9956-ffa450edef68

interface for retrieving error strings.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101625 13f79535-47bb-0310-9956-ffa450edef68

* mod_ssl.c (ssl_cleanup_pre_config): Don't free the error strings,
since they can't be loaded again once.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101624 13f79535-47bb-0310-9956-ffa450edef68

segfault on a non-SSL request.

PR: 22741
Submitted by: Gary E. Miller <gem@rellim.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101534 13f79535-47bb-0310-9956-ffa450edef68

during pass phrase entry.

* ssl_engine_pphrase.c (ssl_pphrase_Handle): Clear the OpenSSL error
stack before reading the private key.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101515 13f79535-47bb-0310-9956-ffa450edef68

  SSL-C doesn't declare the char* file arg const, so we shouldn't either.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101303 13f79535-47bb-0310-9956-ffa450edef68

use APR'd dbm. mod_ssl had hacked sdbm for larger sizes.

PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101214 13f79535-47bb-0310-9956-ffa450edef68

  Simplify includes - we always (in HTTPD 2.1 forward) are looking
  for the openssl/foo.h headers explicitly.  Fix the abs.dsp build
  to define HAVE_OPENSSL instead of USE_SSL so the correct headers
  are included upfront.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101195 13f79535-47bb-0310-9956-ffa450edef68

because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101154 13f79535-47bb-0310-9956-ffa450edef68

library code as well as the reason code when looking for the
plain-HTTP-request error.

Submitted by: Stephen Henson <steve@openssl.org>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101135 13f79535-47bb-0310-9956-ffa450edef68

openssl-engine (ie, you're missing the headers).  ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied.  otherwise, mod_ssl
will fail to link.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100970 13f79535-47bb-0310-9956-ffa450edef68

encountered with respect to FakeBasicAuth.

Submitted by: Greg Stein


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100941 13f79535-47bb-0310-9956-ffa450edef68

have been here in the first place.  Makes issues like these be found
easier in the future.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100937 13f79535-47bb-0310-9956-ffa450edef68

#1364 in Subversion:

  http://subversion.tigris.org/issues/show_bug.cgi?id=1364

The fix is to make mod_ssl's check_user_id hook stop tripping
over it's own checks in case of a subrequest.  That is, it
should DECLINE in case of a subrequest.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100926 13f79535-47bb-0310-9956-ffa450edef68

  Although we initialize mc->pid in the child init phase,
  we haven't initialized it before initially performing
  our ssl_rand_seed() in the parent/postconfig phase.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100912 13f79535-47bb-0310-9956-ffa450edef68

function after mod_ssl is unloaded.

* ssl_util.c (ssl_util_thread_cleanup): Clear the id_callback.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100767 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.

* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.

PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100720 13f79535-47bb-0310-9956-ffa450edef68

client certificate chain.

PR:  21371


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100605 13f79535-47bb-0310-9956-ffa450edef68

static string or something parsed from the config


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100603 13f79535-47bb-0310-9956-ffa450edef68

SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one.  [Ben Laurie]


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100518 13f79535-47bb-0310-9956-ffa450edef68

  Narrow the scope of several OPENSSL-specific setup and teardown calls
  to only OpenSSL based builds.

  Also introduce success result for the registered cleanup callback
  to clean up a compiler emit.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100348 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100314 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100313 13f79535-47bb-0310-9956-ffa450edef68

  Reaction to Jeff Trawick's observations that we are double-initializing
  dynalinked OpenSSL Engines and Configs.  Move the library teardown code
  so that it is torn down in the proper order, corresponding to when the
  library itself was initialized.  And leave a little reminder that some
  memory diagnostics would be good if OpenSSL is built for malloc debugging.

Suggested by: Geoff Thorpe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100288 13f79535-47bb-0310-9956-ffa450edef68

  OPENSSL_load_builtin_modules -appears- to have been introduced in beta-1,
  but boy is this a hassle to determine without gstein's viewcvs ;-)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100211 13f79535-47bb-0310-9956-ffa450edef68

unixd_set_global|proc_mutex_perms().  Allow the functions to be
called for any type of mutex.

This resolves a fatal problem with mod_rewrite on systems where
APR uses flock-based mutex.

It simplifies mod_ssl as well, which had special logic to perform
the chown().  It fixed an init error with mod_ssl on systems where
flock is used when the user had no SSLMutex directive.

The Unix MPMs continue to call unixd_set_global|proc_mutex_perms()
only for SysV sems.  There is no permission problem with flock-based
accept mutexes since the child init logic for the MPMs is done
prior to switching identity.

PR:              20312


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100189 13f79535-47bb-0310-9956-ffa450edef68

  The right patch (thanks to Eric for identifying the wrong patch) to move
  SSL_library_init() into the register hooks phase.  OpenSSL_add_ssl_algorithms
  devolves to SSL_library_init, which is the same for most toolkits (and would
  be accomodated in ssl_toolkit_config.h if not.)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100136 13f79535-47bb-0310-9956-ffa450edef68

No idea where this was seen, but OpenSSL 0.9.7b does not have this.  This
gets mod_ssl working again.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100122 13f79535-47bb-0310-9956-ffa450edef68

  OpenSSL_add_all_algorithms is simply an alias for SSL_load_library.

  Note that the entire schema of what-we-load-how follows from
  OpenSSL 0.9.7's own apps/ example applications.  More review
  is greatly desired, but that's where I believed I should
  start looking for the 'correct' order of operations.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100110 13f79535-47bb-0310-9956-ffa450edef68

  Provide a far more useful explanation when SSLCryptoDevice fails to
  find a device.  Still would be nice to implement dynamic:{options}
  but this gets us to display the usual, builtin devices.

  We now load builtin engines up front, in the pre_config phase, because
  this and any other config cmd processor must have an already valid
  library config.  So loading builtin engines becomes redundant in this
  cmd handler.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100108 13f79535-47bb-0310-9956-ffa450edef68

  Solve a pretty horrific bug in SSLCryptoDevice and other places where
  the config cmd processors should be examining the SSL context.  We must
  initialize the SSL library before we can actually obtain any useful
  information from the SSL library.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100107 13f79535-47bb-0310-9956-ffa450edef68

  Based on list discussion between myself and Geoff, it seems prudent
  to check for both the existence of the openssl/engine.h header file
  and some 'expected function' such as ENGINE_init() (better suggestions
  are welcome.)  Also clear up some confusion; so long as we have
  ENGINE_load_builtin_engines() we should attempt to preload those.

  This patch protects all ENGINE-based code within the tests for the
  engine header and function, and changes a version test into a
  function test.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100104 13f79535-47bb-0310-9956-ffa450edef68

  These tests now exist in acinclude.m4


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100041 13f79535-47bb-0310-9956-ffa450edef68

  The patch below reverts the prior commit to eliminate SSL_set_state().
  Some additional work or research is required in order to pass the
  perl-framework regressions, but I don't have the cycles and don't
  care to leave the broken code in cvs HEAD.

REVERTING: wrowe 2003/05/19 08:13:19

  Modified:    modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
                        ssl_toolkit_compat.h
  Log:
    Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
    rehandshaking the SSL connection, vis-a-vis ApacheSSL.

  Revision  Changes    Path
  1.15      +0 -1      httpd-2.0/modules/ssl/config.m4
  1.108     +1 -1      httpd-2.0/modules/ssl/ssl_engine_io.c
  1.93      +1 -1      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  1.34      +0 -6      httpd-2.0/modules/ssl/ssl_toolkit_compat.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100004 13f79535-47bb-0310-9956-ffa450edef68