* modules/ssl/ssl_engine_kernel.c (ssl_check_post_client_verify):
  Retrieve and set sslconn->client_cert here for both "modern" and
  classic access control.
  (ssl_hook_Access_classic, ssl_hook_Access_modern, ssl_hook_Access):
  Restore SSLRequire and FakeBasicAuth checks to ssl_hook_Access so tests
  are still applied for TLSv1.3.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1841219 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
  Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
  post-handshake authentication.
  (ssl_init_proxy_certs): Fix proxy client cert support with
  TLSv1.3, which is now crippled by default.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840711 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
  403 if SSL_verify_client_post_handshake() fails, e.g. when the
  TLS/1.3 client didn't send the Post-Handshake Authentication
  extension.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840664 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840530 13f79535-47bb-0310-9956-ffa450edef68

Merged 1827912,1827924,1827992,1828222,1828720,1828723,1833588,1833589,1839920,1839946 from trunk

  *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9. 
     SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
     Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
     Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
     as this would need to trigger the master connection thread - which we do not support
     right now.
     Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
     does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
     TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
     Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they 
     can match their needs onto the TLSv1.3 protocol.
     [Yann Ylavic, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840120 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840105 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840096 13f79535-47bb-0310-9956-ffa450edef68

conversion from apr_time_t to milliseconds instead
of hard-coded division by 1000.

Backport of r1839780 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840032 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840030 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840029 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839911 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839786 13f79535-47bb-0310-9956-ffa450edef68

in milliseconds.

Backport of remaining parts of r1837590 from trunk
(only html mode changes, auto parts were already
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839785 13f79535-47bb-0310-9956-ffa450edef68

in mod_status when "ProxyStatus" is "On":
add "busy" count to html mode.

Backport of remaining parts of r1837588 from trunk
(only html mode changes, auto parts were already
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839784 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839584 13f79535-47bb-0310-9956-ffa450edef68

server-status proposals back to the list.

I have only applied the uncontroversial "auto"
mode part of the accepted patches.

The "html" part is now back in STATUS (with
adjusted smaller patches) to give some more
time for feedback whether the HTML output
format is allowed to change during a patch
release.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839535 13f79535-47bb-0310-9956-ffa450edef68

format.

Followon to r1839533.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839534 13f79535-47bb-0310-9956-ffa450edef68

in milliseconds to auto mode.

Partial backport of r1839532 from trunk
(only auto mode changes, html parts not yet
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839533 13f79535-47bb-0310-9956-ffa450edef68

in mod_status when "ProxyStatus" is "On":
add "busy" count to auto mode and show byte counts
in auto mode always in units of kilobytes.

Partial backport of r1837588 from trunk
(only auto mode changes, html parts not yet
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839532 13f79535-47bb-0310-9956-ffa450edef68

processes in the "cu" and "cs" values.
Add CPU time of the parent process to the
"c" and "s" values.

Backport of r1837595 from trunk.

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839531 13f79535-47bb-0310-9956-ffa450edef68

MPMs in "auto" mode.  Added number of processes,
number of stopping processes and number
of busy and idle workers.

This changes only the key/value list of the
server-status "auto" output. The data is already
part of the "html" output.

Backport of r1837589 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839530 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839500 13f79535-47bb-0310-9956-ffa450edef68

mod_ratelimit: Don't interfere with "chunked" encoding.

By the time ap_http_header_filter() sends the header brigade and adds the
"CHUNK" filter, we need to garantee that the header went through all the
filters' stack, and more specifically above ap_http_chunk_filter() which
assumes that all it receives is content data.
Since rate_limit_filter() may retain the header brigade, make it run after
ap_http_chunk_filter(), just before AP_FTYPE_CONNECTION filters.

Also, ap_http_header_filter() shouldn't eat the EOS for HEAD/no-body responses.
For instance mod_ratelimit depends on it since r1835168, but any next request
filter may as well to flush and/or bail out approprietely.

This fixes the regression introduced in 2.4.34 (r1835168).
PR 62568.

Submitted by: ylavic
Reviewed by: covener, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839497 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839446 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839443 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839438 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839437 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839328 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839327 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839318 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839309 13f79535-47bb-0310-9956-ffa450edef68

r1839250 in trunk

+ remove some trailing spaces to synch with trunk
+ add the optional [s] in WatchdogInterval syntax

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839254 13f79535-47bb-0310-9956-ffa450edef68

(r1839245 on trunk)

+ remove some trailling spaces to synch with trunk

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839246 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838953 13f79535-47bb-0310-9956-ffa450edef68

Synch with trunk and improve alignment in examples.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838946 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838944 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838849 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838848 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838846 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838838 13f79535-47bb-0310-9956-ffa450edef68