  1. May 25, 2015
  2. May 24, 2015
  3. May 23, 2015
  4. May 22, 2015
  5. May 21, 2015
    • Comments. · 11b6c0f8
      Rainer Jung authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680944 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r1664205 from trunk. · 1f3722a2
      Yann Ylavic authored
      
      r1664205 | covener | 2015-03-05 03:33:16 +0100 (Thu, 05 Mar 2015) | 12 lines
      
        *) SECURITY: CVE-2015-0253 (cve.mitre.org)
           core: Fix a crash with ErrorDocument 400 pointing
           to a local URL-path with the INCLUDES filter active, introduced
           in 2.4.11. PR 57531. [Yann Ylavic]
      
      
      Submitted By: ylavic
      Committed By: covener
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680927 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r1526189, r1658765 from trunk. · 25970d35
      Yann Ylavic authored
      
      r1526189 | trawick | 2013-09-25 16:29:02 +0200 (Wed, 25 Sep 2013) | 8 lines
      
      mod_proxy: Add ap_connection_reusable() for checking if a connection
      is reusable as of this point in processing.
      
      mod_proxy_fcgi uses the new API to determine if FCGI_CONN_CLOSE
      should be enabled, but that doesn't change existing behavior
      since the connection is currently marked for closure elsewhere
      in the module.
      
      
      r1658765 | ylavic | 2015-02-10 18:25:54 +0100 (Tue, 10 Feb 2015) | 4 lines
      
      mod_proxy_http: Use the "Connection: close" header for requests to
      backends not recycling connections (disablereuse), including the default
      reverse and forward proxies.
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680923 13f79535-47bb-0310-9956-ffa450edef68
    • 2.2.x only. · ed528b88
      Yann Ylavic authored
      mod_proxy: Reuse proxy/balancer workers' parameters and scores across
      graceful restarts, even if new workers are added, old ones removed, or
      the order changes.
      
      Proposed by: jkaluza
      Reviewed by: ylavic, jkaluza, wrowe
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680920 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r1653997 from trunk. · b3eaa012
      Yann Ylavic authored
      
      r1653997 | ylavic | 2015-01-22 19:37:06 +0100 (Thu, 22 Jan 2015) | 7 lines
      
      mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
      in virtualhost context (new version of r1653906 reverted by r1653993).
      
      Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
      Committed/modified By: ylavic
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680917 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r1526168, r1527291, r1527295, r1563420, r1588851, r1666363, r1679470 · b84b8648
      Yann Ylavic authored
      
      r1526168 | kbrand | 2013-09-25 14:52:35 +0200 (Wed, 25 Sep 2013) | 21 lines
      
      Streamline ephemeral key handling:
      
      - drop support for ephemeral RSA keys (only allowed/needed
        for export ciphers)
      
      - drop pTmpKeys from the per-process SSLModConfigRec, and remove
        the temp key generation at startup (unnecessary for DHE/ECDHE)
      
      - unconditionally disable null and export-grade ciphers by always
        prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
      
      - do not configure per-connection SSL_tmp_*_callbacks, as it is
        sufficient to set them for the SSL_CTX
      
      - set default curve for ECDHE at startup, obviating the need
        for a per-handshake callback, for the time being (and also
        configure SSL_OP_SINGLE_ECDH_USE, previously left out)
      
      For additional background, see
      https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
      
      
      r1527291 | kbrand | 2013-09-29 11:36:31 +0200 (Sun, 29 Sep 2013) | 9 lines
      
      Follow-up fixes for r1526168:
      
      - drop SSL_TMP_KEY_* constants from ssl_private.h, too
      
      - make sure we also disable aNULL, eNULL and EXP ciphers
        for per-directory SSLCipherSuite directives
      
      - apply the same treatment to SSLProxyCipherSuite
      
      
      r1527295 | kbrand | 2013-09-29 12:35:46 +0200 (Sun, 29 Sep 2013) | 20 lines
      
      Improve ephemeral key handling (companion to r1526168):
      
      - allow to configure custom DHE or ECDHE parameters via the
        SSLCertificateFile directive, and adapt its documentation
        accordingly (addresses PR 49559)
      
      - add standardized DH parameters from RFCs 2409 and 3526,
        use them based on the length of the certificate's RSA/DSA key,
        and add a FAQ entry for clients which limit DH support
        to 1024 bits (such as Java 7 and earlier)
      
      - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
        ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
      
      - drop ssl_engine_dh.c from mod_ssl
      
      For the standardized DH parameters, OpenSSL version 0.9.8a
      or later is required, which was therefore made a new minimum
      requirement in r1527294.
      
      
      r1563420 | kbrand | 2014-02-01 15:04:23 +0100 (Sat, 01 Feb 2014) | 3 lines
      
      enable auto curve selection for ephemeral ECDH keys
      when compiled against OpenSSL 1.0.2 or later
      
      
      r1588851 | kbrand | 2014-04-21 08:39:24 +0200 (Mon, 21 Apr 2014) | 3 lines
      
      ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the
      one actually used for the connection before calling SSL_get_privatekey(ssl)
      
      
      r1666363 | jkaluza | 2015-03-13 08:32:46 +0100 (Fri, 13 Mar 2015) | 4 lines
      
      * mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
      SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
      otherwise eckey will not be freed.
      
      
      r1679470 | ylavic | 2015-05-15 00:38:20 +0200 (Fri, 15 May 2015) | 5 lines
      
      mod_ssl: follow up to r1527291.
      Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
      SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
      not yet included by default.
      
      
      Reviewed by: ylavic, wrowe, rjung
      Backported by: ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680916 13f79535-47bb-0310-9956-ffa450edef68
    • Bigger mod_log_config backport proposal? · d599209c
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680913 13f79535-47bb-0310-9956-ffa450edef68
    • Propose. · 8588091a
      Rainer Jung authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680912 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r1200040, r1200372, r1200374, r1213380 from trunk. · c7573784
      Yann Ylavic authored
      
      r1200040 | pquerna | 2011-11-10 00:37:37 +0100 (Thu, 10 Nov 2011) | 5 lines
      
      Add support for RFC 5077 TLS Session tickets.  This adds two new directives:
      
      * SSLTicketKeyFile: To store the private information for the encryption of the ticket.
      * SSLTicketKeyDefault: To set the default, otherwise the first listed token is used.  This enables key rotation across servers.
      
      
      r1200372 | pquerna | 2011-11-10 16:17:18 +0100 (Thu, 10 Nov 2011) | 4 lines
      
      Apply ap_server_root_relative to the path used for the ticket secrets file.
      
      Suggested by: Rüdiger Plüm
      
      
      r1200374 | pquerna | 2011-11-10 16:19:15 +0100 (Thu, 10 Nov 2011) | 4 lines
      
      Remove unneeded memcpy.
      
      Spotted by: Rüdiger Plüm
      
      
      r1213380 | kbrand | 2011-12-12 20:21:35 +0100 (Mon, 12 Dec 2011) | 9 lines
      
      Streamline TLS session ticket key handling (added in r1200040):
      - drop the SSLTicketKeyDefault directive, and only support a single
        ticket key per server/vhost
      - rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
        remove the keyname parameter
      - move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
      - configure the tlsext_ticket_key_cb only when in server mode
      - add documentation for SSLSessionTicketKeyFile
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680905 13f79535-47bb-0310-9956-ffa450edef68
    • Be (possibly) more precise/clear. · c2b8e24b
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680889 13f79535-47bb-0310-9956-ffa450edef68
    • I'll -0+1 your -0+1 :p · e49c44f6
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680885 13f79535-47bb-0310-9956-ffa450edef68