Skip to content
  1. Nov 19, 2013
  3. Nov 17, 2013
  5. Nov 16, 2013
  7. Nov 15, 2013
    • Jim Jagielski's avatar
      Merge r1523281, r1524368, r1525276, r1525280, r1525281 from trunk: · 675e9c8f
      Jim Jagielski authored 
      Switch from private FastCGI protocol handling to util_fcgi API.


Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout.


Bring some envvar flexibility from mod_authnz_fcgi to mod_proxy_fcgi:

mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
An individual envvar with an encoded length of more than 16K will be
omitted.


Borrow a fix from mod_authnz_fcgi:

mod_proxy_fcgi: Handle reading protocol data that is split between
packets.


Use ap_log_rdata() to dump the FastCGI header, axing a bunch
of custom data dumping code.

Submitted by: trawick, jkaluza, trawick, trawick, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542330 13f79535-47bb-0310-9956-ffa450edef68
      675e9c8f
    • Jim Jagielski's avatar
      Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk: · 3a14aba1
      Jim Jagielski authored 
      Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E


Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E


Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the
  SSLCertificateFile directive, and adapt its documentation
  accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,
  use them based on the length of the certificate's RSA/DSA key,
  and add a FAQ entry for clients which limit DH support
  to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
  ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.


PR 55616 (add missing APLOGNO), part 2
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
      3a14aba1
  9. Nov 14, 2013
  11. Nov 13, 2013
  13. Nov 09, 2013
  15. Oct 28, 2013
  17. Oct 18, 2013
    • Jim Jagielski's avatar
      Merge r1529559, r1531505 from trunk: · 484255f2
      Jim Jagielski authored 
      Fix PR 55397: dav_resource->uri treated as an unparsed uri.

The change made for PR 54611 caused this field to be treated as
unescaped.  mod_dav_svn however, provided escaped URIs.  Essentially
breaking support for paths with non-URI safe characters in SVN.

Adjust the code so that dav_resource->uri is assumed to be escaped and
adjust mod_dav_fs so that it uses escaped URIs in this field.

* modules/dav/fs/repos.c
  (dav_fs_get_resource): Use the unparsed_uri to contruct the resource uri.

* modules/dav/main/mod_dav.c
  (dav_xml_escape_uri): Do not uri escape, just handle xml escaping.
  (dav_created): Assume that locn if provided is escaped.
  (dav_method_copymove, dav_method_bind): Use the unparsed_uri on the request
    when calling dav_created() to adjust to locn assuming it is escaped.

* modules/dav/main/mod_dav.h
  (dav_resource): Document that uri is escaped.


Followup to r1529559: mod_dav_fs: Fix encoding of hrefs in PROPFIND response.

Previous commit missed encoding the names of the children of the PROPFIND
request when the depth wasn't 0.

* modules/dav/fs/repos.c
  (dav_fs_append_uri): New function
  (dav_fs_walker): Use dav_fs_append_uri() and adjust length calculations to
    use the encoded length.


Submitted by: breser
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1533448 13f79535-47bb-0310-9956-ffa450edef68
      484255f2
    • Jim Jagielski's avatar
      Merge r1528718 from trunk: · da9cdf04
      Jim Jagielski authored 
      mod_dav: Fix PR 55306.

Makes mod_dav no longer require that the lock token be provided when the
source of a COPY is locked.  The prior behavior was in violating of
RFC 4918 which says that the lock token is only required on resources
that may be modified by the method.

* modules/dav/main/mod_dav.h
  (DAV_VALIDATE_NO_MODIFY): New flag to be passed to dav_validate_* functions.

* modules/dav/main/mod_dav.c
  (dav_method_copymove): Use the new flag when calling dav_validate_request()
    on the COPY source.

* modules/dav/main/util.c
  (dav_validate_resource_state): Use the flag to decide to ignore if the lock
    token is not provided.

Submitted by: breser
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1533447 13f79535-47bb-0310-9956-ffa450edef68
      da9cdf04
  19. Oct 14, 2013
  21. Oct 10, 2013
    • Jim Jagielski's avatar
      Merge r1526666, r1527220 from trunk: · 37b01e35
      Jim Jagielski authored 
      WinNT MPM: Exit the child if the parent process crashes or is terminated.

Submitted by: Oracle, via trawick

The original modification was made some years ago for Oracle HTTP Server
by an Oracle employee.  trawick made additional changes for style and
for trunk/2.4.x changes.


Follow up to r1526666:

Use SYNCHRONIZE instead of PROCESS_ALL_ACCESS because

a. it is sufficient
b. it avoids an issue where PROCESS_ALL_ACCESS is larger on
   newer SDKs, resulting in a run-time error when running on
   older Windows

Close the handle.

Submitted by: Ivan Zhakov <ivan visualsvn.com>

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1531000 13f79535-47bb-0310-9956-ffa450edef68
      37b01e35
    • Jim Jagielski's avatar
      Merge r1530793 from trunk: · 55337b30
      Jim Jagielski authored 
      core: Don't truncate output when sending is interrupted by a signal,
      such as from an exiting CGI process.

PR: 55643

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1530999 13f79535-47bb-0310-9956-ffa450edef68
      55337b30
  23. Oct 08, 2013
  25. Oct 07, 2013
  27. Oct 03, 2013
  29. Oct 02, 2013
  31. Oct 01, 2013
  33. Sep 26, 2013
  35. Sep 17, 2013