Commits · fa00e2c25e6f3959f474bcc7cdff94f696ef5b62 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

Oct 08, 2004

Fix CAN-2004-0885: · fa00e2c2

Joe Orton authored Oct 08, 2004

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.

Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105396 13f79535-47bb-0310-9956-ffa450edef68

fa00e2c2

Sep 30, 2004

Use the right length. · d1906a16

Jean-Frederic Clere authored Sep 30, 2004


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105354 13f79535-47bb-0310-9956-ffa450edef68

d1906a16

Sep 22, 2004

* modules/ssl/ssl_engine_io.c (ssl_io_filter_connect): Return · af33b539

Joe Orton authored Sep 22, 2004

502 not 501 if SSL_connect() fails for a proxy connection.

PR: 31083

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105252 13f79535-47bb-0310-9956-ffa450edef68

af33b539

* modules/ssl/ssl_scache_shmcb.c (ssl_scahe_shmcb_init): If anonymous · 07fd1595

Joe Orton authored Sep 22, 2004

shm is not supported, always remove the named segment first to cope
with unclean shutdowns.

PR: 21335 (continued)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105249 13f79535-47bb-0310-9956-ffa450edef68

07fd1595

* modules/ssl/ssl_engine_vars.c: Map "UID" suffix to the same OID · ec91d958

Joe Orton authored Sep 22, 2004

(2.5.4.45) for old and new versions of OpenSSL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105244 13f79535-47bb-0310-9956-ffa450edef68

ec91d958

Aug 18, 2004

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_remain): New · d2d4df51

Joe Orton authored Aug 18, 2004

function.  (ssl_var_lookup_ssl_cert): Support _V_REMAIN suffix for
SSL_{SERVER,CLIENT} as number of days until certificate expires.

* modules/ssl_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if
+StdEnvVars is configured.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104700 13f79535-47bb-0310-9956-ffa450edef68

d2d4df51

Aug 17, 2004

* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback · 8a2760e5

Joe Orton authored Aug 17, 2004

handling for AP_MODE_SPECULATIVE.

PR: 30134


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104687 13f79535-47bb-0310-9956-ffa450edef68

8a2760e5

Aug 11, 2004

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify_CRL), · 62f1dab9

Joe Orton authored Aug 11, 2004

* server/log.c (ap_log_pid),
* server/mpm/prefork/prefork.c (accept_mutex_on, accept_mutex_off),
* support/htdbm.c (htdbm_list):
Fix some non-literal format strings (warnings from gcc -Wformat-security).

PR: 30585
Submitted by: Ulf Harnhammar (SITIC), Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104548 13f79535-47bb-0310-9956-ffa450edef68

62f1dab9

* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix potential · 73a278c7

Joe Orton authored Aug 11, 2004

infinite loop in ssl_io_input_getline if connection is aborted without
inctx->rc being set.

PR: 29964


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104547 13f79535-47bb-0310-9956-ffa450edef68

73a278c7

Jul 13, 2004

Tokenize the header while parsing it for the upgrade tokens and once the... · f6d41b1d

Bradley Nicholes authored Jul 13, 2004

Tokenize the header while parsing it for the upgrade tokens and once the protocol has been upgraded, allow the request to complete encrypted.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104273 13f79535-47bb-0310-9956-ffa450edef68

f6d41b1d

Jun 29, 2004
- Use the correct Apache-2.x EBCDIC conversion function (not the old apache-1.3 routine) · a63ac3b5
  Martin Kraemer authored Jun 29, 2004
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104082 13f79535-47bb-0310-9956-ffa450edef68
```
  a63ac3b5
Jun 15, 2004

* modules/ssl/ssl_engine_io.c (bio_filter_out_flush): Create a new · 23a3f4f1

Joe Orton authored Jun 15, 2004

brigade for sending output after passing on the current one.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103967 13f79535-47bb-0310-9956-ffa450edef68

23a3f4f1

Jun 03, 2004

Add "SSLUserName" directive to set r->user based on a chosen SSL · cab33293

Joe Orton authored Jun 03, 2004

environment variable name.

* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.

* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
 the value of the chosen SSL environment variable.

* modules/ssl/mod_ssl.c: Add SSLUserName config directive.

PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103834 13f79535-47bb-0310-9956-ffa450edef68

cab33293

Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag · 9329dc4f

Joe Orton authored Jun 03, 2004

which uses the server's cipher preference order rather than the
client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68

9329dc4f

Drop support for the "CompatEnvVars" argument to SSLOptions, which was · 38dba79c

Joe Orton authored Jun 03, 2004

never implemented in 2.0 and never needed to be.

* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.

* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103829 13f79535-47bb-0310-9956-ffa450edef68

38dba79c

May 27, 2004

* modules/ssl/ssl_scache.c (ssl_scache_expire): Remove unused function. · 28a897db

Joe Orton authored May 27, 2004

* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_expire): Likewise.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_expire): Likewise.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_expire): Make static.

* modules/ssl/ssl_private.h: Remove prototypes.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103793 13f79535-47bb-0310-9956-ffa450edef68

28a897db

May 25, 2004

* modules/ssl/ssl_util.c, modules/ssl/ssl_private.h: Remove unused · 95cd5133

Joe Orton authored May 25, 2004

functions ssl_util_strupper, ssl_util_ptxtstub, and
ssl_util_uuencode*.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103755 13f79535-47bb-0310-9956-ffa450edef68

95cd5133

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer · cac1ec32

Joe Orton authored May 25, 2004

overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103754 13f79535-47bb-0310-9956-ffa450edef68

cac1ec32

May 17, 2004

* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Fix gcc · 1380d507

Joe Orton authored May 17, 2004

strict-aliasing warning.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103688 13f79535-47bb-0310-9956-ffa450edef68

1380d507

May 12, 2004

Fix SEGV in 'shmcb' session cache: · adb3011f

Madhusudan Mathihalli authored May 12, 2004

When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68

adb3011f

Mar 26, 2004

In the newer versions of OpenSSL, the flag SSL_SESS_CACHE_NO_INTERNAL_LOOKUP · 3547116a

Madhusudan Mathihalli authored Mar 26, 2004

just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.

PR: 26562
Reviewed by: Geoff Thorpe, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103165 13f79535-47bb-0310-9956-ffa450edef68

3547116a

Mar 25, 2004

* modules/ssl/ssl_engine_io.c (ssl_io_filter_cleanup): Don't try and · 57e57864

Joe Orton authored Mar 25, 2004

send an SSL shutdown from a pool cleanup.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103156 13f79535-47bb-0310-9956-ffa450edef68

57e57864

Mar 12, 2004

* modules/ssl/ssl_engine_log.c (ssl_log_annotation): const-ify more. · d3442381

Joe Orton authored Mar 12, 2004


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102943 13f79535-47bb-0310-9956-ffa450edef68

d3442381

Mar 11, 2004

· 4dc3cee8

William A. Rowe Jr authored Mar 11, 2004

  Pick up mod_status.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102938 13f79535-47bb-0310-9956-ffa450edef68

4dc3cee8

Mar 10, 2004

* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation, · fd32edbd

Joe Orton authored Mar 10, 2004

ssl_log_ssl_error): const-ify annotation strings and simplify
ssl_log_annotation.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102927 13f79535-47bb-0310-9956-ffa450edef68

fd32edbd

Mar 06, 2004

Fix use of mod_ssl as a DSO linked against static SSL libraries; also · 326277a6

Joe Orton authored Mar 06, 2004

stop linking all of support/* against the SSL libraries:

* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.

* support/Makefile.in: Link ab against SSL_LIBS.

* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.

PR: 17217


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102870 13f79535-47bb-0310-9956-ffa450edef68

326277a6

Mar 05, 2004

Allow the enabled flag to be set to more than just TRUE or FALSE so that · 2987752a

Bradley Nicholes authored Mar 05, 2004

the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102860 13f79535-47bb-0310-9956-ffa450edef68

2987752a

Allow the enabled flag to be set to more that just TRUE or FALSE so that · 236db251

Bradley Nicholes authored Mar 05, 2004

the OPTIONAL flag is correctly merged within the
ssl_config_server_merge() function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102859 13f79535-47bb-0310-9956-ffa450edef68

236db251

Mar 04, 2004

* modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL · 1bfbef66