at the same time, don't lose errors occuring while forwarding on the first
side when none occurs next on the other side, and abort.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657636 13f79535-47bb-0310-9956-ffa450edef68
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]
Discovered by Guido Vranken <guidovranken gmail.com>
Submitted by: Edward Lu
Committed by: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
when the FIN bit was set. Results in PING not being recognized
by mod_lua. PR57524
Submitted By: Edward Lu
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657256 13f79535-47bb-0310-9956-ffa450edef68
on startup or restart when the module is linked statically. PR 57525
Submitted by: apache.org tech.futurequest.net
Committed by: Yann Ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1656669 13f79535-47bb-0310-9956-ffa450edef68
The goal is to minimize the delay between this connection is considered alive
and the first bytes sent (should the client's link be slow or some input filter
retain the data).
This is a best effort to prevent the backend from closing (from under us) what
it thinks is an idle connection, hence to reduce to the minimum the unavoidable
local ap_proxy_is_socket_connected() vs remote keepalive race condition.
PR 56541.
Also, allow the new subprocess_env variable "proxy-flushall" to prevent any
buffering of the request body before it is forwarded to the backend.
When set, the prefetch is still done (although non-blocking), so we can still
determine Content-Length vs chunked vs spooled (depending on data available
with the header or while reading it), and then all brigades are flushed when
passed to the backend.
PR 37920.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1656259 13f79535-47bb-0310-9956-ffa450edef68
in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653997 13f79535-47bb-0310-9956-ffa450edef68
The issue with r1653906 is that existing configurations like
"SSLProtocol -SSLv3" (where the default is assumed to be ALL)
won't work anymore.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653993 13f79535-47bb-0310-9956-ffa450edef68
as it causes an error-prone mismatch between the enum values and the
state values. Caused a busy loop in windows.
Added in r1484852 and trunk-only.
Submitted By: Edward Lu, Yann Ylavic
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653539 13f79535-47bb-0310-9956-ffa450edef68
- modules/aaa/mod_authnz_fcgi.c:705: warning:
'orspbuflen' may be used uninitialized in this function
- modules/aaa/mod_authnz_fcgi.c:1235: warning:
comparison is always false due to limited range of data type
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1652829 13f79535-47bb-0310-9956-ffa450edef68
It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).
Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.
As long as we do not have a nice key management
there should be a way to deactivate session
tickets.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650310 13f79535-47bb-0310-9956-ffa450edef68
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650047 13f79535-47bb-0310-9956-ffa450edef68
clength in request_rec is for response sizes,
not request body size. It is initialized to 0,
so the "if" branch was never taken.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1649043 13f79535-47bb-0310-9956-ffa450edef68
opting in to connection reuse and other proxy options (max=, etc).
adds 'enablereuse' proxyoption and a minor MMN bump to share
proxy_desocketfy outside of mod_proxy.c, which is required to
match workers to URLs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1647009 13f79535-47bb-0310-9956-ffa450edef68
Connection reuse has been disabled since r1032345 at the end of
2011.
Attempt to reverse the polarity of the connection reuse doc which
has been wrong for a long time.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1647005 13f79535-47bb-0310-9956-ffa450edef68
- We need to fail if we do NOT match.
- ETag comparison only makes sense if we have an ETag
PR: 57358
Submitted by: Kunihiko Sakamoto <ksakamoto google.com>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1646282 13f79535-47bb-0310-9956-ffa450edef68
The hard-coded 2 byte offset to get to the list (in lieu of
the proper logic) didn't survive the addition of the SCT
from an additional log.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645546 13f79535-47bb-0310-9956-ffa450edef68
return an error code understood by ssl_io_filter_error().
That function needs to perform error handling, and a valid
apr_status_t needs to be returned up.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645529 13f79535-47bb-0310-9956-ffa450edef68
When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and make SSL_do_handshake crash probably because we force the renegotiation
based on an incomplete SSL state.
To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given
SSL connection is not in a valid (handshaken) state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
