- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527295 13f79535-47bb-0310-9956-ffa450edef68
after support for non-OpenSSL toolkits has been dropped.
Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
for 0.9.8, we never touched win32. Resolve this for all of the
common win32 HAVE SSL related macros building against 0.9.8.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@607383 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured and the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@599385 13f79535-47bb-0310-9956-ffa450edef68
operation. This ensures the exported (Studio 97 generated) .mak
files create a usable Apache directly from the VC 8 (Studio 2005)
command line environment.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@495126 13f79535-47bb-0310-9956-ffa450edef68
While it solves the studio 2005 (we desire this), it breaks
the studio 6 packaging (we require this). Discussion on list
of practical solutions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@419644 13f79535-47bb-0310-9956-ffa450edef68
of switching linkers from the x86 (default linker) to x64 or other
possible target platforms. (Also, this commit cleans up lingering
/GX switches from the 'BASE' options that are supposed to be unused).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@397407 13f79535-47bb-0310-9956-ffa450edef68
build, outside of the normal "mod_ssl - Win32 Debug|Release" builds.
Continues on the path of eliminating external dependencies, we
strongly expect users to never modify the grammars during normal
builds.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@396670 13f79535-47bb-0310-9956-ffa450edef68
nearly every .rc compilation (giving the output .res file a different
name for each component). Adds AP_SERVER_BASEPROJECT to ap_revision.h
so we can display the proper name of "Apache HTTP Server" as opposed
to AP_SERVER_BASEPRODUCT (which is, and should remain, simply "Apache"
for the server string tokens.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@395418 13f79535-47bb-0310-9956-ffa450edef68
paths to each custom build target. However, the time stamps of these
directories will trigger a rebuild in bison where sources haven't
changed. These targets are not necessary, as these generated files
reside in the current directory (which, obviously, already exists.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209466 13f79535-47bb-0310-9956-ffa450edef68
This makes binaries far easier to debug, during operation and for post-crash
.dmp analysis. Do not alter /Gs optimizations per brane.
Reviewed by: stoddard, brane
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@170253 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
data corruption bugs since being apr_rmm'ified.
* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.
* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.
* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.
* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.
* ssl_scache.c: Remove shmht hooks throughout.
* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101888 13f79535-47bb-0310-9956-ffa450edef68
for the openssl/foo.h headers explicitly. Fix the abs.dsp build
to define HAVE_OPENSSL instead of USE_SSL so the correct headers
are included upfront.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101195 13f79535-47bb-0310-9956-ffa450edef68
the older .dbg format symbols are not worth the interference with
generating complete .pdb symbolic debugging databases.
This patch further eliminates pdbtype:sept flags that interfere with
deciphering local symbols and type information.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98970 13f79535-47bb-0310-9956-ffa450edef68
fairly redundant when you retain rich .pdb debugging symbol files. We
have rarely used them, and generally .dbg and .pdb files prove much more
useful for the cases we have.
While eliminating /map files, we are also shrinking the size of the .dbg
files by stripping 'private' symbol information. Really this means less
rich diagnostics from Dr. Watson on NT or Win9x when they query the .dbg
symbols in creating a DrWatson log file. But it's more than compensated
for on newer OS'es where Dr. Watson will query the .pdb symbols, on all
Win32 flavors when WinDbg is used with the .pdb symbols, and the fact that
the distribution of binary symbols will use less bandwidth when less
information is duplicated from the .pdb format into the .dbg files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98743 13f79535-47bb-0310-9956-ffa450edef68
was badness. Twist this puppy to .dbr, the only name I could invent that
doesn't look like any database file extension I recall.
It stands for .dbg rebased.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98712 13f79535-47bb-0310-9956-ffa450edef68
and .dbg files (older debuggers and Dr. Watson-type utilities
on WinNT or Win9x don't support the newer .pdb flavor.)
[Allen Edwards, William Rowe]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98596 13f79535-47bb-0310-9956-ffa450edef68
build for jack without these changes. Of course they don't harm 0.9.6b
builders either, unless they are outside of the states/EU/AU and find
themselves free to ignore IP considerations.
I'd really like to know _why_ 0.9.6c doesn't configure itself rationally.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93381 13f79535-47bb-0310-9956-ffa450edef68
mod_so, mod_win32 and the winnt mpm] into individual loadable
modules, so the administrator may individually disable the former
compiled-in modules by simply commenting out their LoadModule
directives. [William Rowe]
*) Saved Win32 module authors and porters many future headaches, by
duplicating the appropriate .h files such as os.h into the include
directory, including in the build tree. [William Rowe]
Also noticed that version stamp resources weren't generated for proxy
modules, this too is now fixed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92804 13f79535-47bb-0310-9956-ffa450edef68
Program Database (from Program Database for Modify on the fly debugging).
The net effect of this patch is to clean up all of the irrelevant entries
associated with either the debugging or release command line switches, and
generally straighten the projects as they would be exported from VC6/SP5.
The outcome of this patch is that VC5 users -should- be able to load and
build the workspace without any errors (as they used to have no symbols
database at all, the /ZI option doesn't work, they had to use cvtdsp.pl
to toggle these to /Zi.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90269 13f79535-47bb-0310-9956-ffa450edef68