Upgrade header check; allow upgrades on any method; don't drop the
ap_pass_brigade return value.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@111159 13f79535-47bb-0310-9956-ffa450edef68

unnecessary check of the Connection request header.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@109499 13f79535-47bb-0310-9956-ffa450edef68

The first client I tested was sending 'upgrade'.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@109447 13f79535-47bb-0310-9956-ffa450edef68

Improve error messages.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@106573 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@106103 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105796 13f79535-47bb-0310-9956-ffa450edef68

change to mod_proxy_http):

* modules/ssl/ssl_engine_io.c (bio_filter_in_read): Return an error if
the read would block so that the SSL_read() caller checks for
SSL_ERROR_WANT_READ, rather than 0, which is treated like EOF.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105768 13f79535-47bb-0310-9956-ffa450edef68

configured SSL certificates to stdout, useful for cron-ing through a
"do I need to renew any of my certificates this week" tool:

* modules/ssl/ssl_engine_config.c (ssl_hook_ConfigTest): New function.

* modules/ssl/mod_ssl.c (ssl_register_hooks): ...register it as a
test_config hook.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105741 13f79535-47bb-0310-9956-ffa450edef68

hide all global symbols defined by mod_ssl other than the module
structure (where possible).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105740 13f79535-47bb-0310-9956-ffa450edef68

modules/mod_ssl.c: Switch to using ap_log_cerror() in place of
ap_log_error() everywhere that the conn_rec * is available.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105739 13f79535-47bb-0310-9956-ffa450edef68

defined and documented and can't be changed.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105683 13f79535-47bb-0310-9956-ffa450edef68

NULL pointer dereference in some configurations.

PR: 31848


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105663 13f79535-47bb-0310-9956-ffa450edef68

Add a check for SSL_ENABLED_OPTIONAL to the http_method and default_port hook so that they return the correct values for an upgradeable connection.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105426 13f79535-47bb-0310-9956-ffa450edef68

* modules/mappers/mod_rewrite.c, modules/ssl/ssl_engine_mutex.c: Use
AP_NEED_SET_MUTEX_PERMS to determine whether unixd_set_*_mutex_perms
calls are necessary.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105411 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.

Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105396 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105354 13f79535-47bb-0310-9956-ffa450edef68

502 not 501 if SSL_connect() fails for a proxy connection.

PR: 31083


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105252 13f79535-47bb-0310-9956-ffa450edef68

shm is not supported, always remove the named segment first to cope
with unclean shutdowns.

PR: 21335 (continued)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105249 13f79535-47bb-0310-9956-ffa450edef68

(2.5.4.45) for old and new versions of OpenSSL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105244 13f79535-47bb-0310-9956-ffa450edef68

function.  (ssl_var_lookup_ssl_cert): Support _V_REMAIN suffix for
SSL_{SERVER,CLIENT} as number of days until certificate expires.

* modules/ssl_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if
+StdEnvVars is configured.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104700 13f79535-47bb-0310-9956-ffa450edef68

handling for AP_MODE_SPECULATIVE.

PR: 30134


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104687 13f79535-47bb-0310-9956-ffa450edef68

* server/log.c (ap_log_pid),
* server/mpm/prefork/prefork.c (accept_mutex_on, accept_mutex_off),
* support/htdbm.c (htdbm_list):
Fix some non-literal format strings (warnings from gcc -Wformat-security).

PR: 30585
Submitted by: Ulf Harnhammar (SITIC), Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104548 13f79535-47bb-0310-9956-ffa450edef68

infinite loop in ssl_io_input_getline if connection is aborted without
inctx->rc being set.

PR: 29964


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104547 13f79535-47bb-0310-9956-ffa450edef68

Tokenize the header while parsing it for the upgrade tokens and once the protocol has been upgraded, allow the request to complete encrypted.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104273 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104082 13f79535-47bb-0310-9956-ffa450edef68

brigade for sending output after passing on the current one.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103967 13f79535-47bb-0310-9956-ffa450edef68

environment variable name.

* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.

* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
 the value of the chosen SSL environment variable.

* modules/ssl/mod_ssl.c: Add SSLUserName config directive.

PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103834 13f79535-47bb-0310-9956-ffa450edef68

which uses the server's cipher preference order rather than the
client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68

never implemented in 2.0 and never needed to be.

* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.

* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103829 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_expire): Likewise.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_expire): Likewise.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_expire): Make static.

* modules/ssl/ssl_private.h: Remove prototypes.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103793 13f79535-47bb-0310-9956-ffa450edef68

functions ssl_util_strupper, ssl_util_ptxtstub, and
ssl_util_uuencode*.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103755 13f79535-47bb-0310-9956-ffa450edef68

overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103754 13f79535-47bb-0310-9956-ffa450edef68

strict-aliasing warning.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103688 13f79535-47bb-0310-9956-ffa450edef68

When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68

just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.

PR: 26562
Reviewed by: Geoff Thorpe, Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103165 13f79535-47bb-0310-9956-ffa450edef68

send an SSL shutdown from a pool cleanup.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103156 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102943 13f79535-47bb-0310-9956-ffa450edef68

  Pick up mod_status.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102938 13f79535-47bb-0310-9956-ffa450edef68

ssl_log_ssl_error): const-ify annotation strings and simplify
ssl_log_annotation.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102927 13f79535-47bb-0310-9956-ffa450edef68

stop linking all of support/* against the SSL libraries:

* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.

* support/Makefile.in: Link ab against SSL_LIBS.

* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.

PR: 17217


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102870 13f79535-47bb-0310-9956-ffa450edef68