are allocated from the request pool and not modified later on.
Submitted by: Christophe JAILLET <christophe jaillet wanadoo fr>
PR: 51358
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1135084 13f79535-47bb-0310-9956-ffa450edef68
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1032073 13f79535-47bb-0310-9956-ffa450edef68
containers:
'ssl' (equivalent to SSLRequireSSL)
'ssl-verify-client' (for use with 'SSLVerifyClient optional')
'ssl-require' (expressions with same syntax as SSLRequire)
We may decide to axe 'ssl-require' again in favor of the generic 'expr'
provider, depending on the development of the ap_expr parser.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002837 13f79535-47bb-0310-9956-ffa450edef68
yacc.
Also change the make file magic so that the real source file name is
embedded in the debug info.
The generated files have been created with flex 2.5.35/bison 2.4.1. The two
'no previous prototype' warnings are supposed to be fixed with the next flex
version.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002824 13f79535-47bb-0310-9956-ffa450edef68
SSL_SECURE_RENEG variable to indicate support for secure reneg.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup_vars): Export
SSL_SECURE_RENEG in the default set of variable.s
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906057 13f79535-47bb-0310-9956-ffa450edef68
default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
ap_get_server_name_for_url() and use it where appropriate. This fixes
mod_rewrite generating invalid URLs for redirects to IPv6 literal addresses.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@900022 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function.
(ssl_hook_Access): Forcibly disable keepalive for the connection if
there is any buffered data readable from the input filter stack.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the
BIO uses blocking operations when invoked outside direct control of
the httpd filter stack.
Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this
technique.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@891282 13f79535-47bb-0310-9956-ffa450edef68
Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.
Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
(ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
the (renamed) info callback unconditionally.
* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
to SSLConnRec.
(bio_filter_out_write, bio_filter_in_read): Fail with
APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
of ssl_callback_LogTracingState.
(ssl_callback_Info): New function.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833582 13f79535-47bb-0310-9956-ffa450edef68
SSL_CLIENT_I_DN, SSL_SERVER_S_DN, SSL_SERVER_I_DN back to the environment
variables to be set by mod_ssl.
Submitted by: Peter Sylvester <peter.sylvester edelweb.fr>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@820401 13f79535-47bb-0310-9956-ffa450edef68
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
function which was never included in OpenSSL:
* acinclude.m4: Remove test for fictional function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Remove code.
* modules/ssl/ssl_engine_config.c (MODSSL_SET_CA): Remove unused
macro. (ssl_cmd_SSLCACertificatePath,
ssl_cmd_SSLCACertificateFile): Fail if per-dir-CA is configured.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757380 13f79535-47bb-0310-9956-ffa450edef68
and the functions that manipulate it. Make httpd trunk compile against OpenSSL HEAD
as well as OpenSSL 0.9.8j. Also, get rid of some warnings.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@748396 13f79535-47bb-0310-9956-ffa450edef68
DNs with duplicate tags:
* modules/ssl/ssl_engine_vars.c:
Augment the ssl_var_lookup_ssl_cert_dn_rec table with a flag
to indicate whether RDNs of the given NID should be extracted
to the environment.
(extract_dn, modssl_var_extract_dns): New functions.
* modules/ssl/ssl_private.h (modssl_var_extract_dns): Add prototype.
* modules/ssl/ssl_engine_kernel.c: Remove SSL_*_DN_ from the list
of variables to insert into the environment.
(ssl_hook_Fixup): Use modssl_var_extract_dns to insert the
SSL_*_DN_ variables efficiently and accurately, handling
certs with duplicate RDN tags correctly.
PR: 45875
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@724717 13f79535-47bb-0310-9956-ffa450edef68
information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set
on a per-vhost basis (don't know how much sense it makes to have
non-global CRLs, but anyway...).
The attached patch (47B2B1A7.1060009@velox.ch on httpd-dev) addresses
this issue, and it also improves the logging behavior for an SNI
enabled configuration (previously some of the messages would
always go to the first vhost, or wouldn't appear at
all, depending on the LogLevel of the first vhost).
reviewed: dirkx
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@627699 13f79535-47bb-0310-9956-ffa450edef68
TLS upgrade, require only the presence of a "TLS/1.0" token
somewhere in the Upgrade request-header, rather than as the exact
header value.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600479 13f79535-47bb-0310-9956-ffa450edef68
