Skip to content
  1. Mar 03, 2014
  2. Mar 02, 2014
    • Jim Jagielski's avatar
      Merge r1553204, r1555240, r1572198 from trunk: · 3c73c41b
      Jim Jagielski authored
      * Do not perform SNI / Host header comparison in case of a forward proxy request as
        in case of a forward proxy request the host header can not be used for virtual
        host selection in our webserver.
      
      
      * Update comment. No functional change.
      
      * Put a note in CHANGES about r1553204
      Submitted by: rpluem
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573362 13f79535-47bb-0310-9956-ffa450edef68
      3c73c41b
    • Jim Jagielski's avatar
      Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk: · 10c578cc
      Jim Jagielski authored
      Throw away the myCtxVar{Set,Get} abomination and introduce
      a pphrase_cb_arg_t struct instead, for passing stuff between
      ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
      members instead of using additional local variables, to make
      the data flow more transparent. (Doesn't "vastly simplify"
      the code yet, but hopefully we'll get there when further
      stripping down ssl_pphrase_Handle.)
      
      
      Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
      and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
      
      Splitting the patch into smaller pieces turned out to be infeasible,
      unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
      ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
      modssl_pk_server_t data structure. For better comprehensibility,
      a detailed listing of the changes follows:
      
      ssl_private.h
      - drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
      - use apr_array_header_t for cert_files and key_files
      - drop tPublicCert from SSLModConfigRec
      - drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
      
      ssl_engine_config.c
      - change to apr_array_header_t for SSLCertificate[Key]File
      - drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
        and keys (in theory; currently OpenSSL does not support more than
        one cert/key per algorithm type)
      - add deprecation warning for SSLCertificateChainFile
      
      ssl_engine_init.c
      - configure server certs/keys in ssl_init_server_certs (no longer via
        ssl_pphrase_Handle in ssl_init_Module)
      - in ssl_init_server_certs, read in certificates and keys with standard
        OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
        ssl_load_encrypted_pkey when encountering an encrypted private key
      - drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
        and ssl_init_ctx_cleanup_server
      - move the "problematic re-initialization" check to ssl_init_server_ctx
      
      ssl_engine_pphrase.c
      - use servername:port:index as the key identifier, instead of the
        previously used servername:port:algorithm
      - ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
        make it only load a single (encrypted) private key, and rename
        to ssl_load_encrypted_pkey
      - in the passphrase prompt message, show the private key file name
        instead of the vhost id and the algorithm name
      - do no longer supply the algorithm name as an argument to "exec"-type
        passphrase prompting programs
      
      ssl_util.c
      - drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
        and ssl_asn1_table_keyfmt
      
      ssl_util_ssl.{c,h}
      - drop SSL_read_X509
      - constify the filename arg for SSL_read_PrivateKey
      
      
      CodeWarrior compiler doesnt allow vars as struct inits.
      
      
      Remove per-certificate chain handling code (obsoleted by
      https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)
      
      
      make the ppcb_arg initialization a bit more uniform and easier to read
      
      Followup fix for r1553824:
      
      also pass the file name to ssl_load_encrypted_pkey, to make sure that we
      retry with the same filename we used for SSL_CTX_use_PrivateKey_file first
      
      
      With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on
      SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.
      
      
      update APLOGNO for r1564760
      Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573360 13f79535-47bb-0310-9956-ffa450edef68
      10c578cc
  3. Feb 21, 2014
  4. Feb 20, 2014
  5. Feb 17, 2014
  6. Feb 11, 2014
  7. Feb 10, 2014
  8. Feb 05, 2014
  9. Feb 04, 2014
    • Jim Jagielski's avatar
      Merge r1523387 from trunk: · 76a50d75
      Jim Jagielski authored
      In 2.4, the MPM leaves a copy of the non-disconnected FD sitting in
      context->accept_socket. This FD will be closed a second time, often
      shortly after a worker picks it up in this same FD being reused.  The
      first recv fails with WSAENOTSOCK since the same FD was closed in the
      listener thread while the worker was pulling it off the queue
      
      (The second close is of the underlying FD/socket, not a shared
      apr_socket_t, so it's not short-circuited)
      
      This patch makes it a bit more 2.2.x-ish and solves my problem -- the
      context->accept_socket gets zapped at the bottom of the loop if
      !disconnected.
      
      
      Submitted by: covener
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1564313 13f79535-47bb-0310-9956-ffa450edef68
      76a50d75
  10. Jan 25, 2014
  11. Jan 24, 2014
  12. Jan 23, 2014
  13. Jan 21, 2014
    • Jim Jagielski's avatar
      Merge r1451633, r1451905, r1451921, r1452259, r1453981, r1501913, r1513508,... · 625d5a11
      Jim Jagielski authored
      Merge r1451633, r1451905, r1451921, r1452259, r1453981, r1501913, r1513508, r1531340, r1531370, r1531962, r1533065, r1540052 from trunk:
      
      Add in rough uds support (Bugx 54101) from Blaise Tarr <blaise.tarr@gmail.com>
      
      Make AF_UNIX aware... fix Windows/Netware??
      
      Follow-up to r1451905 to fix NetWare/Windows compilation.
      
      
      apr trunk-able
      
      
      message tag for dom sock
      
      Note about new UDS support
      
      UDS subsequent request on a connection fix
      
      Reformat the UDS support inline with a new naming structure.
      Use a flag for speed for testing.
      
      syntax sugar... if the worker is associated w/ a UDS,
      then make sure the log reporting has a visual clue.
      
      Ensure that userland format of UDS is the same as how it is
      configured, no matter how we store and use it internally.
      
      Eclipse code analysis warning
      
      UDS urls need to be desockified when configuring...
      Submitted by: jim, fuankg, jim, jim, druggeri, druggeri, jim, jim, jim, jim, jim
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1560081 13f79535-47bb-0310-9956-ffa450edef68
      625d5a11
  14. Jan 09, 2014
  15. Jan 06, 2014
  16. Jan 05, 2014
  17. Dec 26, 2013
  18. Dec 18, 2013
  19. Nov 29, 2013