-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_proxy_connect: Honor the smallest of the backend or client timeout
+ while tunneling. [Yann Ylavic]
+
+ * mod_http2: a regression in v1.15.24 of the modules was fixed that
+ could lead to httpd child processes not being terminated on a
+ graceful reload or when reaching MaxConnectionsPerChild.
+ When unprocessed h2 requests were queued at the time, these could stall.
+ See <https://github.com/icing/mod_h2/issues/212>.
+ [@hansborr, @famzah, Stefan Eissing]
+
+ *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
+ PR 65616. [Ruediger Pluem]
+
+ *) mod_md: Fix memory leak in case of failures to load the private key.
+ PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
+
+ * mod_http2: the new pollset implementation is disabled when
+ compiling with an APR version less than 1.6.
+
+ *) mod_autoindex: Add "IndexForbiddenReturn404" to return 404 instead of a
+ 403 when Options does not included "indexes". [Eric Covener]
+
+ *) mod_dir: Add "NotFound" option to "DirectorySlash" directive to return
+ 404 instead of a DirectorySlash redirect. [Eric Covener]
+
+ *) mod_md: adding v2.4.8 with the following changes
+ - Added support for ACME External Account Binding (EAB).
+ Use the new directive `MDExternalAccountBinding` to provide the
+ server with the value for key identifier and hmac as provided by
+ your CA.
+ While working on some servers, EAB handling is not uniform
+ across CAs. First tests with a Sectigo Certificate Manager in
+ demo mode are successful. But ZeroSSL, for example, seems to
+ regard EAB values as a one-time-use-only thing, which makes them
+ fail if you create a seconde account or retry the creation of the
+ first account with the same EAB.
+ - The directive 'MDCertificateAuthority' now checks if its parameter
+ is a http/https url or one of a set of known names. Those are
+ 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
+ for now and they are not case-sensitive.
+ The default of LetsEncrypt is unchanged.
+ - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
+ section.
+ - Treating 401 HTTP status codes for orders like 403, since some ACME
+ servers seem to prefer that for accessing oders from other accounts.
+ - When retrieving certificate chains, try to read the repsonse even
+ if the HTTP Content-Type is unrecognized.
+ - Fixed a bug that reset the error counter of a certificate renewal
+ and prevented the increasing delays in further attempts.
+ - Fixed the renewal process giving up every time on an already existing
+ order with some invalid domains. Now, if such are seen in a previous
+ order, a new order is created for a clean start over again.
+ See <https://github.com/icing/mod_md/issues/268>
+ - Fixed a mixup in md-status handler when static certificate files
+ and renewal was configured at the same time.
+
+ *) mod_http2:
+ - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
+ were overwritten instead of preserved. [PR by @daum3ns]
+ - Added directove 'H2StreamTimeout' to configure a separate value for HTTP/2
+ streams, overriding server's 'Timeout' configuration. [rpluem]
+ - HTTP/2 connections now use pollsets to monitor the status of the
+ ongoing streams and their main connection when host OS allows this.
+ - Removed work-arounds for older versions of libnghttp2 and checking
+ during configure that at least version 1.15.0 is present.
+ - The HTTP/2 connection state handler, based on an experiment and draft
+ at the IETF http working group (abandoned for some time), has been removed.
+ - H2SerializeHeaders no longer has an effect. A warning is logged when it is
+ set to "on". The switch enabled the internal writing of requests to be parsed
+ by the internal HTTP/1.1 protocol handler and was introduced to avoid
+ potential incompatibilities during the introduction of HTTP/2.
+ - Removed the abort/redo of tasks when mood swings lower the active limit.
+ [Ruediger Pluem, daum3ns, Stefan Eissing]
+
+ *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
+ a third-party module. PR 65627.
+ [acmondor <bz.apache.org acmondor.ca>, Yann Ylavic]
+
+ *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
+ [Yann Ylavic, Ruediger Pluem]
+
+ *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
+ half-close forwarding when tunneling protocols. [Yann Ylavic]
+
+ *) mod_tls: added mod_tls from abetterinternet, donated
+ by ISRG/Prossimo <https://github.com/abetterinternet/mod_tls>.
+ - adds font-/backend TLS (v1.2/v1.3) via the Rust rustls crate
+ and its rustls-ffi C binding <https://github.com/rustls/rustls-ffi>.
+ - documentation at <https://github.com/abetterinternet/mod_tls>
+ (adding to Apache's manual TBD)
+ - build support for Apache httpd configure on *nix platforms,
+ rustls is linked statically into mod_tls.
+
+ *) mod_md: values for External Account Binding (EAB) can
+ now also be configured to be read from a separate JSON
+ file. This allows to keep server configuration permissions
+ world readable without exposing secrets.
+ [Stefan Eissing]
+
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
+++ /dev/null
- *) mod_http2:
- - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
- were overwritten instead of preserved. [PR by @daum3ns]
- - Added directove 'H2StreamTimeout' to configure a separate value for HTTP/2
- streams, overriding server's 'Timeout' configuration. [rpluem]
- - HTTP/2 connections now use pollsets to monitor the status of the
- ongoing streams and their main connection when host OS allows this.
- - Removed work-arounds for older versions of libnghttp2 and checking
- during configure that at least version 1.15.0 is present.
- - The HTTP/2 connection state handler, based on an experiment and draft
- at the IETF http working group (abandoned for some time), has been removed.
- - H2SerializeHeaders no longer has an effect. A warning is logged when it is
- set to "on". The switch enabled the internal writing of requests to be parsed
- by the internal HTTP/1.1 protocol handler and was introduced to avoid
- potential incompatibilities during the introduction of HTTP/2.
- - Removed the abort/redo of tasks when mood swings lower the active limit.
- [Ruediger Pluem, daum3ns, Stefan Eissing]
\ No newline at end of file
+++ /dev/null
- *) mod_md: adding v2.4.8 with the following changes
- - Added support for ACME External Account Binding (EAB).
- Use the new directive `MDExternalAccountBinding` to provide the
- server with the value for key identifier and hmac as provided by
- your CA.
- While working on some servers, EAB handling is not uniform
- across CAs. First tests with a Sectigo Certificate Manager in
- demo mode are successful. But ZeroSSL, for example, seems to
- regard EAB values as a one-time-use-only thing, which makes them
- fail if you create a seconde account or retry the creation of the
- first account with the same EAB.
- - The directive 'MDCertificateAuthority' now checks if its parameter
- is a http/https url or one of a set of known names. Those are
- 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
- for now and they are not case-sensitive.
- The default of LetsEncrypt is unchanged.
- - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
- section.
- - Treating 401 HTTP status codes for orders like 403, since some ACME
- servers seem to prefer that for accessing oders from other accounts.
- - When retrieving certificate chains, try to read the repsonse even
- if the HTTP Content-Type is unrecognized.
- - Fixed a bug that reset the error counter of a certificate renewal
- and prevented the increasing delays in further attempts.
- - Fixed the renewal process giving up every time on an already existing
- order with some invalid domains. Now, if such are seen in a previous
- order, a new order is created for a clean start over again.
- See <https://github.com/icing/mod_md/issues/268>
- - Fixed a mixup in md-status handler when static certificate files
- and renewal was configured at the same time.
-
projects / thirdparty / apache / httpd.git / commitdiff
