Skip to content
  1. Jan 15, 2015
    • Rainer Jung's avatar
      Merge r1650310 and r1650320 from trunk: · 870472a1
      Rainer Jung authored
      mod_ssl: Add SSLSessionTickets (on|off).
      It controls the use of TLS session tickets (RFC 5077).
      Default is unchanged (on).
      Using session tickets without restarting the web server with
      an appropriate frequency (e.g. daily) compromises perfect forward
      secrecy. As long as we do not have a nice key management
      there needs to be a way to deactivate the use of session tickets.
      
      Submitted by: rjung
      Reviewed by: rjung, covener, ylavic
      Backported by: rjung
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1652074 13f79535-47bb-0310-9956-ffa450edef68
      870472a1
  2. Jan 14, 2015
  3. Jan 12, 2015
  4. Jan 09, 2015
  5. Dec 17, 2014
  6. Dec 16, 2014
    • Jim Jagielski's avatar
      Merge r1641077, r1641095 from trunk: · 610b4763
      Jim Jagielski authored
      mod_ssl: Fix recognition of OCSP stapling responses that are encoded
               improperly or too large.
      
      The one byte "ok" flag stored with the response was accounted for in
      the wrong condition.
      
      
      follow up to r1641077: 
      
      one bug was traded for another in r1641077; track the response
      length and the cached object length separately to avoid such
      confusion
      
      Submitted by: trawick
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1645935 13f79535-47bb-0310-9956-ffa450edef68
      610b4763
  7. Dec 14, 2014
  8. Dec 05, 2014
  9. Dec 02, 2014
  10. Nov 29, 2014
  11. Nov 25, 2014
    • Joe Orton's avatar
      Merge r1640036, r1640331 from trunk: · 55ad7eb6
      Joe Orton authored
      mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)
      Fix a potential crash with response headers' size above 8K.
      
      The code changes to mod_authnz_fcgi keep the handle_headers()
      function in sync between the two modules.  mod_authnz_fcgi
      does not have this issue because it allocated a separate byte
      for terminating '\0'.
      
      Submitted by: ylavic, trawick
      Reviewed by: ylavic, trawick, mrumph
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1641551 13f79535-47bb-0310-9956-ffa450edef68
      55ad7eb6
  12. Nov 11, 2014
  13. Nov 01, 2014
  14. Oct 29, 2014
  15. Oct 27, 2014
    • Jim Jagielski's avatar
      Merge r1629372, r1629485, r1629519 from trunk: · 1046d0c0
      Jim Jagielski authored
      Move OCSP stapling information from a per-certificate store
      (ex_data attached to an X509 *) to a per-server hash which is
      allocated from the pconf pool. Fixes PR 54357, PR 56919 and
      a leak with the certinfo_free cleanup function (missing
      OCSP_CERTID_free).
      
      * modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
        ssl_stapling_certid_free (used with apr_pool_cleanup_register).
        Switch to a stapling_certinfo hash which is keyed by the SHA-1
        digest of the certificate's DER encoding, rework ssl_stapling_init_cert
        to only store info once per certificate (allocated from the pconf
        to the extent possible) and extend the logging.
      
      * modules/ssl/ssl_private.h: adjust prototype for
        ssl_stapling_init_cert, replace ssl_stapling_ex_init with
        ssl_stapling_certinfo_hash_init
      
      * modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls
      
      Based on initial work by Alex Bligh <alex alex.org.uk>
      
      
      Follow up to r1629372: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_value).
      
      Follow up to r1629372 and r1629485: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).
      Submitted by: kbrand, ylavic, ylavic
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 13f79535-47bb-0310-9956-ffa450edef68
      1046d0c0
    • Jim Jagielski's avatar
      Merge r1629508 from trunk: · ce82d980
      Jim Jagielski authored
      mod_cache_socache: Change average object size
      hint from 32 bytes to 2048 bytes.
      
      Submitted by: rjung
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634528 13f79535-47bb-0310-9956-ffa450edef68
      ce82d980
    • Jim Jagielski's avatar
      Merge r1629507, r1629652 from trunk: · 51882af9
      Jim Jagielski authored
      mod_cache_socache: Add cache status to server-status.
      
      The status_hook simply calls the status function of
      socache, very much like mod_ssl does for the ssl
      session cache.
      
      
      Silence build warning about missing prototype.
      Followup to r1629507.
      
      Submitted by: rjung
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634527 13f79535-47bb-0310-9956-ffa450edef68
      51882af9