Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68

Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68

Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
  "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68

Don't count initial handshake I/O when determining the first byte.
PR58454

Submitted By: Konstantin J. Chernov
Committed By: covener




Avoid storing request stuff in r->connection->conn_config to
avoid problems with e.g. write completion.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705666 13f79535-47bb-0310-9956-ffa450edef68

r->headers when mod_cache is enabled and the response
is cached for the first time.

Submitted by: elu
Reviewed by: ylavic, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705528 13f79535-47bb-0310-9956-ffa450edef68

can't create new (clear) slots while previous children gracefully stopping
still use the old ones (e.g. Windows, OS2). PR 58024.

Submitted by: ylavic
Reviewed by: jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705499 13f79535-47bb-0310-9956-ffa450edef68

PR 57785

Submitted by: niq
Reviewed by: jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705496 13f79535-47bb-0310-9956-ffa450edef68

records for scalability.

Submitted by: Yingqi Lu <yingqi.lu@intel.com>, Jeff Trawick,
              Jim Jagielski, Yann Ylavic

Reviewed by: ylavic, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705492 13f79535-47bb-0310-9956-ffa450edef68

 * Do not reset the retry timeout if the worker is in error at this stage even
   if the connection to the backend was successful. It was likely set into
   error by a different thread / process in parallel e.g. for a timeout or
   bad status. We should respect this and should not continue with a connection
   via this worker even if we got one.


* Do a more complete cleanup here. At this point we cannot end up with something useful with the data we created so far.
Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1704835 13f79535-47bb-0310-9956-ffa450edef68

allow autoindex w/o mod_dir/mod_mime setting the DIR_MAGIC_TYPE.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1703404 13f79535-47bb-0310-9956-ffa450edef68

With the current implementation, it is likely to connect/close a socket with the memcache server for each command sent.
The root cause is a too small idle timeout (600 microseconds).

Add a new directive, 'MemcacheConnTTL',  to control this idle connection timeout with the memcache server(s).
Change the default value from 600 usec (!) to 15 sec as per Yann suggestion.

I've limited accepted values from 1 to 1800 seconds (half an hour) because internaly, the value passed to 'apr_memcache_server_create' is still in mirco-seconds.

PR 58091
~~~~~~~~~~~~~~~~~~~_
Homemade measurement (on a slighly modified version of httpd) shows a +30% in number of processed requests using memcache to cache /index.html.
Comparison made between the 600 usec and 15 sec TTL.

Memcache config:
    default
httpd Config:
    CacheEnable socache /
    CacheSocache memcache:127.0.0.1
    LoadModule mpm_event_module modules/mod_mpm_event.so
httpd compiled with:
    ./configure --enable-mpms-shared=all --with-included-apr --with-mysql --with-libxml2 --enable-modules=reallyall --enable-ssl-ct=no --enable-maintainer-mode --prefix=$HOME/httpd-2.5
httpd and memcache running on the same VM running under Ubuntu 15.04
Load tested using:
    ab -n 20000 http://127.0.0.1/index.html

Creation/closing of connections beetween httpd and memcache confirmed using the telnet connection to memcache and the stats command



Allow 0 as a valid value (never close idle connections)
Increased maximum allowed value to 3600 s (1 hour)
Use 'ap_timeout_parameter_parse' to allow more flexible configuration (i.e. h, min, s, ms suffixes)
Use 'apr_time_from_sec' when applicable.
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1701771 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2@1701655 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1701442 13f79535-47bb-0310-9956-ffa450edef68

Allow cookies set by mod_rewrite to contain ':' by accepting
';' as an alternate separator.  PR47241. 

Submitted By: <bugzilla schermesser com>, covener
Committed By: covener



Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1701409 13f79535-47bb-0310-9956-ffa450edef68

Add HTTPD_VERSION and HTTPD_MMN to the variables available with apxs -q

PR58202. 

Submitted By: Daniel Shahaf 
Committed By: covener



Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1701408 13f79535-47bb-0310-9956-ffa450edef68

mod_authz_dbd: Avoid a crash when lacking correct DB access permissions. PR 57868.

Submitted by: Jose Kahan <jose w3.org>

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1701404 13f79535-47bb-0310-9956-ffa450edef68

mod_dir: when we bail out of fixups, make sure Content-Type is not still
httpd/unix-directory.  This only happens when the generator sets
no content-type which is more common w/ no DefaultType in 2.4.

Submitted By: covener
Reviewed By: ylavic, niq



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1698384 13f79535-47bb-0310-9956-ffa450edef68

by Julian Foad.  2.2.x CHANGES has this for a recent not-released
version.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1693278 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1690308 13f79535-47bb-0310-9956-ffa450edef68

into LDAP_NO_SUCH_ATTRIBUTE + some new tracing.

     trunk patch: http://svn.apache.org/r1687980
                  http://svn.apache.org/r1689694
                  http://svn.apache.org/r1689698
Backports: 1687980, 1689694, 1689698
Submitted by: covener
Reviewied by: covener, wrowe, ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1690114 13f79535-47bb-0310-9956-ffa450edef68

HTML response when LimitRequestFieldSize is reached.

Submitted by: ylavic
Backports: 1683123
Reviewed by: jailletc36, ylavic, covener




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1689961 13f79535-47bb-0310-9956-ffa450edef68

with the timeouts computed for subsequent requests.  PR 56729.

Submitted by: covener, ylavic
Backports: 1621453, 1641376, 1689325
Reviewed by: ylavic, wrowe, covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1689922 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1689885 13f79535-47bb-0310-9956-ffa450edef68

testing is done on possible fixes (r1686853, r1686856).

Reviewed by: wrowe, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1689815 13f79535-47bb-0310-9956-ffa450edef68

http: Fix LimitRequestBody checks when there is no more bytes to read.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Committed by: ylavic
Reviewed  by: ylavic, mrumph, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1688935 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686449 13f79535-47bb-0310-9956-ffa450edef68

LDAP connection pool did not release/close connections with 
"LDAPConnectionPoolTTL 0".  PR58037.

Submitted by: Ted Phelps <phelps gnusto.com>
committed by: covener


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686275 13f79535-47bb-0310-9956-ffa450edef68

*) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
   data during read of chunked request bodies. PR 58049. 
   [Edward Lu <Chaosed0 gmail.com>]

Submitted By: Edward Lu <Chaosed0 gmail.com>


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686272 13f79535-47bb-0310-9956-ffa450edef68

Follow up to r1684513: allow spaces before and after chunk-size.
Slightly modified version of trawick's proposal.

Follow up to r1685345: don't accept spaces *before* the chunk-size.

Follow up to r1685345: CHANGES entry.

Follow up to r1685349: remove a tab.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686271 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1685986 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Remove deprecated SSLCertificateChainFile warning.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1685870 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684895 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684533 13f79535-47bb-0310-9956-ffa450edef68

Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.  

Submitted by: breser
Backports: r1684524
Reviewed by: wrowe, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684525 13f79535-47bb-0310-9956-ffa450edef68

Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.

Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.

Submitted by: graham, ylavic
Reviewed by: ylavic, wrowe, jim
Backports: 1484852, 1684513
Reported by: Régis Leroy



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684515 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1683585 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: Don't put the worker in error state for 500 or 503 errors
returned by the backend unless failonstatus is configured to.  PR 56925.


mod_proxy: follow up to r1681694.

Handle the proxy-error-override note also in mod_proxy_ajp.

The note is not needed in mod_proxy_fcgi (which also handles
ProxyErrorOverride) since it calls ap_die() by itself, and always
returns OK to proxy_handler().

Add a comment about the note where used.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1683112 13f79535-47bb-0310-9956-ffa450edef68

PR 57968: Don't lowercase the argument to SetHandler if the handler is
proxy:unix.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682888 13f79535-47bb-0310-9956-ffa450edef68

handler or input filter already did it while reading the request (causing
a double response body).

Submitted by: ylavic
Backports: r1482522 (partial, ap_map_http_request_error() things only!),
           r1529988, r1529991, r1643537, r1643543, r1657897, r1665625, 
           r1665721, r1674056
Reviewed by: ylavic, minfrin, wrowe




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682544 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682360 13f79535-47bb-0310-9956-ffa450edef68