Skip to content
  1. May 24, 2015
  2. May 23, 2015
  3. May 22, 2015
  4. May 21, 2015
    • Rainer Jung's avatar
      Comments. · 11b6c0f8
      Rainer Jung authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680944 13f79535-47bb-0310-9956-ffa450edef68
      11b6c0f8
    • Yann Ylavic's avatar
      Merge r1664205 from trunk. · 1f3722a2
      Yann Ylavic authored
      
      r1664205 | covener | 2015-03-05 03:33:16 +0100 (Thu, 05 Mar 2015) | 12 lines
      
        *) SECURITY: CVE-2015-0253 (cve.mitre.org)
           core: Fix a crash introduced in with ErrorDocument 400 pointing
           to a local URL-path with the INCLUDES filter active, introduced
           in 2.4.11. PR 57531. [Yann Ylavic]
      
      
      Submitted By: ylavic
      Committed By: covener
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680927 13f79535-47bb-0310-9956-ffa450edef68
      1f3722a2
    • Yann Ylavic's avatar
      Merge r1526189, r1658765 from trunk. · 25970d35
      Yann Ylavic authored
      
      r1526189 | trawick | 2013-09-25 16:29:02 +0200 (Wed, 25 Sep 2013) | 8 lines
      
      mod_proxy: Add ap_connection_reusable() for checking if a connection
      is reusable as of this point in processing.
      
      mod_proxy_fcgi uses the new API to determine if FCGI_CONN_CLOSE
      should be enabled, but that doesn't change existing behavior
      since the connection is currently marked for closure elsewhere
      in the module.
      
      
      r1658765 | ylavic | 2015-02-10 18:25:54 +0100 (Tue, 10 Feb 2015) | 4 lines
      
      mod_proxy_http: Use the "Connection: close" header for requests to
      backends not recycling connections (disablereuse), including the default
      reverse and forward proxies.
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680923 13f79535-47bb-0310-9956-ffa450edef68
      25970d35
    • Yann Ylavic's avatar
      2.2.x only. · ed528b88
      Yann Ylavic authored
      mod_proxy: Reuse proxy/balancer workers' parameters and scores across
      graceful restarts, even if new workers are added, old ones removed, or
      the order changes.
      
      Proposed by: jkaluza
      Reviewed by: ylavic, jkaluza, wrowe
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680920 13f79535-47bb-0310-9956-ffa450edef68
      ed528b88
    • Yann Ylavic's avatar
      Merge r1653997 from trunk. · b3eaa012
      Yann Ylavic authored
      
      r1653997 | ylavic | 2015-01-22 19:37:06 +0100 (Thu, 22 Jan 2015) | 7 lines
      
      mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
      in virtualhost context (new version of r1653906 reverted by r1653993).
      
      Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
      Committed/modified By: ylavic
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680917 13f79535-47bb-0310-9956-ffa450edef68
      b3eaa012
    • Yann Ylavic's avatar
      Merge r1526168, r1527291, r1527295, r1563420, r1588851, r1666363, r1679470 · b84b8648
      Yann Ylavic authored
      
      r1526168 | kbrand | 2013-09-25 14:52:35 +0200 (Wed, 25 Sep 2013) | 21 lines
      
      Streamline ephemeral key handling:
      
      - drop support for ephemeral RSA keys (only allowed/needed
        for export ciphers)
      
      - drop pTmpKeys from the per-process SSLModConfigRec, and remove
        the temp key generation at startup (unnecessary for DHE/ECDHE)
      
      - unconditionally disable null and export-grade ciphers by always
        prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
      
      - do not configure per-connection SSL_tmp_*_callbacks, as it is
        sufficient to set them for the SSL_CTX
      
      - set default curve for ECDHE at startup, obviating the need
        for a per-handshake callback, for the time being (and also
        configure SSL_OP_SINGLE_ECDH_USE, previously left out)
      
      For additional background, see
      https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
      
      
      r1527291 | kbrand | 2013-09-29 11:36:31 +0200 (Sun, 29 Sep 2013) | 9 lines
      
      Follow-up fixes for r1526168:
      
      - drop SSL_TMP_KEY_* constants from ssl_private.h, too
      
      - make sure we also disable aNULL, eNULL and EXP ciphers
        for per-directory SSLCipherSuite directives
      
      - apply the same treatment to SSLProxyCipherSuite
      
      
      r1527295 | kbrand | 2013-09-29 12:35:46 +0200 (Sun, 29 Sep 2013) | 20 lines
      
      Improve ephemeral key handling (companion to r1526168):
      
      - allow to configure custom DHE or ECDHE parameters via the
        SSLCertificateFile directive, and adapt its documentation
        accordingly (addresses PR 49559)
      
      - add standardized DH parameters from RFCs 2409 and 3526,
        use them based on the length of the certificate's RSA/DSA key,
        and add a FAQ entry for clients which limit DH support
        to 1024 bits (such as Java 7 and earlier)
      
      - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
        ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
      
      - drop ssl_engine_dh.c from mod_ssl
      
      For the standardized DH parameters, OpenSSL version 0.9.8a
      or later is required, which was therefore made a new minimum
      requirement in r1527294.
      
      
      r1563420 | kbrand | 2014-02-01 15:04:23 +0100 (Sat, 01 Feb 2014) | 3 lines
      
      enable auto curve selection for ephemeral ECDH keys
      when compiled against OpenSSL 1.0.2 or later
      
      
      r1588851 | kbrand | 2014-04-21 08:39:24 +0200 (Mon, 21 Apr 2014) | 3 lines
      
      ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the
      one actually used for the connection before calling SSL_get_privatekey(ssl)
      
      
      r1666363 | jkaluza | 2015-03-13 08:32:46 +0100 (Fri, 13 Mar 2015) | 4 lines
      
      * mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
      SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
      otherwise eckey will not be freed.
      
      
      r1679470 | ylavic | 2015-05-15 00:38:20 +0200 (Fri, 15 May 2015) | 5 lines
      
      mod_ssl: follow up to r1527291.
      Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
      SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
      not yet included by default.
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680916 13f79535-47bb-0310-9956-ffa450edef68
      b84b8648
    • Yann Ylavic's avatar
      Bigger mod_log_config backport proposal? · d599209c
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680913 13f79535-47bb-0310-9956-ffa450edef68
      d599209c
    • Rainer Jung's avatar
      Propose. · 8588091a
      Rainer Jung authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680912 13f79535-47bb-0310-9956-ffa450edef68
      8588091a
    • Yann Ylavic's avatar
      Merge r1200040, r1200372, r1200374, r1213380 from trunk. · c7573784
      Yann Ylavic authored
      
      r1200040 | pquerna | 2011-11-10 00:37:37 +0100 (Thu, 10 Nov 2011) | 5 lines
      
      Add support for RFC 5077 TLS Session tickets.  This adds two new directives:
      
      * SSLTicketKeyFile: To store the private information for the encryption of the ticket.
      * SSLTicketKeyDefault To set the default, otherwise the first listed token is used.  This enables key rotation across servers.
      
      
      r1200372 | pquerna | 2011-11-10 16:17:18 +0100 (Thu, 10 Nov 2011) | 4 lines
      
      Apply ap_server_root_relative to the path used for the ticket secrets file.
      
      Suggested by: Rüdiger Plüm
      
      
      r1200374 | pquerna | 2011-11-10 16:19:15 +0100 (Thu, 10 Nov 2011) | 4 lines
      
      Remove unneeded memcpy.
      
      Spotted by: Rüdiger Plüm
      
      
      r1213380 | kbrand | 2011-12-12 20:21:35 +0100 (Mon, 12 Dec 2011) | 9 lines
      
      Streamline TLS session ticket key handling (added in r1200040):
      - drop the SSLTicketKeyDefault directive, and only support a single
        ticket key per server/vhost
      - rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
        remove the keyname parameter
      - move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
      - configure the tlsext_ticket_key_cb only when in server mode
      - add documentation for SSLSessionTicketKeyFile
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680905 13f79535-47bb-0310-9956-ffa450edef68
      c7573784
    • Yann Ylavic's avatar
      Be (possibly) more precise/clear. · c2b8e24b
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680889 13f79535-47bb-0310-9956-ffa450edef68
      c2b8e24b
    • Yann Ylavic's avatar
      I'll -0+1 your -0+1 :p · e49c44f6
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680885 13f79535-47bb-0310-9956-ffa450edef68
      e49c44f6
    • Jeff Trawick's avatar
      I'll +1 your -0 · 2b331a05
      Jeff Trawick authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680846 13f79535-47bb-0310-9956-ffa450edef68
      2b331a05
    • Rainer Jung's avatar
      mod_proxy_ajp: Fix get_content_length(). · 873f100f
      Rainer Jung authored
      clength in request_rec is for response sizes, not
      request body size.  It is initialized to 0, so the
      "if" branch was never taken and thus there's no
      functional change (and no CHANGES).
      
      Backport of r1649043 from trunk resp. r1651096 from 2.4.x.
      
      Committed By: rjung
      Reviewed By: rjung, ylavic, wrowe
      Backported By: rjung
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680815 13f79535-47bb-0310-9956-ffa450edef68
      873f100f