Skip to content
  1. Apr 18, 2014
    • Jim Jagielski's avatar
      Merge r1588427 from trunk: · 2b189730
      Jim Jagielski authored 
      Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file
(workaround for OpenSSL versions before 0.9.8h, see
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1513).

PR 56410.

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588496 13f79535-47bb-0310-9956-ffa450edef68
      2b189730
    • Jim Jagielski's avatar
      Merge r1587036, r1587040, r1587053, r1587654 from trunk: · fa6d270c
      Jim Jagielski authored 
        *) mod_proxy_wstunnel: Don't pool backend websockets connections,
     because we need to handshake every time. PR 55890.
     [Eric Covener]



actually remove mod_reqtimeout, since the util_filter functions involved
only manipulate c->input_filters no matter what we pass. We need to make
copies of c->input_filters after, not before, it skips over reqtimeout.

Note: reqtimeout doesn't really interfere today with normal operation,
but this is misleading/confusing when dealing with other
wstunnel issues.



cleanup wstunnel error handling

Submitted By: covener, ylavic, Edward Lu
Commited By: covener



followup to r1587036.

if backend->close is set too early, proxy_util.c will close it right 
away and then blow away the field.

Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588495 13f79535-47bb-0310-9956-ffa450edef68
      fa6d270c
    • Kaspar Brand's avatar
      Merge r1585090 from trunk: · 33843d58
      Kaspar Brand authored 
      Bring SNI behavior into better conformance with RFC 6066:

- no longer send a warning-level unrecognized_name(112) alert
  when no matching vhost is found (PR 56241)

- at startup, only issue warnings about IP/port conflicts and name-based
  SSL vhosts when running with an OpenSSL without TLS extension support
  (almost 5 years after SNI was added to 2.2.x, the
  "[...] only work for clients with TLS server name indication support"
  warning feels obsolete)

Proposed by: kbrand
Reviewed by: jorton, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588424 13f79535-47bb-0310-9956-ffa450edef68
      33843d58
  3. Apr 17, 2014
  5. Apr 16, 2014
    • Jeff Trawick's avatar
      Merged... · 24e8776d
      Jeff Trawick authored 
      Merged /httpd/httpd/trunk:r1515403,1515411,1515420,1517175,1521909,1526647,1541181,1578762,1585054,1585072,1588054

mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.

Submitted by: trawick, jailletc36, gsmith
Approved by: trawick, jim, gsmith

(Thanks gsmith for the Windows build bits!)



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588064 13f79535-47bb-0310-9956-ffa450edef68
      24e8776d
  7. Apr 15, 2014
  9. Apr 03, 2014
  11. Mar 31, 2014
  13. Mar 29, 2014
  15. Mar 27, 2014
  17. Mar 18, 2014
  19. Mar 13, 2014
  21. Mar 11, 2014
  23. Mar 10, 2014
  25. Mar 03, 2014
  27. Mar 02, 2014
    • Jim Jagielski's avatar
      Merge r1553204, r1555240, r1572198 from trunk: · 3c73c41b
      Jim Jagielski authored 
      * Do not perform SNI / Host header comparison in case of a forward proxy request as
  in case of a forward proxy request the host header can not be used for virtual
  host selection in our webserver.


* Update comment. No functional change.

* Put a note in CHANGES about r1553204
Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573362 13f79535-47bb-0310-9956-ffa450edef68
      3c73c41b
    • Jim Jagielski's avatar
      Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk: · 10c578cc
      Jim Jagielski authored 
      Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)


Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:

ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
  and keys (in theory; currently OpenSSL does not support more than
  one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
  ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
  OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
  ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
  and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
  previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
  make it only load a single (encrypted) private key, and rename
  to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
  instead of the vhost id and the algorithm name
- do no longer supply the algorithm name as an argument to "exec"-type
  passphrase prompting programs

ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
  and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey


CodeWarrior compiler doesnt allow vars as struct inits.


Remove per-certificate chain handling code (obsoleted by
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)


make the ppcb_arg initialization a bit more uniform and easier to read

Followup fix for r1553824:

also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first


With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on
SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.


update APLOGNO for r1564760
Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573360 13f79535-47bb-0310-9956-ffa450edef68
      10c578cc
  29. Feb 21, 2014
  31. Feb 20, 2014