Yann Ylavic [Fri, 21 Feb 2020 00:36:36 +0000 (00:36 +0000)]
Merge r1872042, r1872062 from trunk:
Add support for cross compiling to apxs. If apxs is being executed from somewhere
other than its target location, add that prefix to includes and library directories.
Without this, apxs would fail to find config_vars.mk and exit.
Allow instdso.sh to be found while cross compiling.
mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.
* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.
* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h:
Remove modssl_read_encrypted_pkey() and helpers, added in r1804087
but never used.
* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused
second argument.
Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.
* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
serialize internally. Use ap_realloc. Return the ssl_asn1_t *
pointer. Don't call apr_hash_set() for unchanged pointer case.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Adjust for the above.
* modules/ssl/ssl_private.h: Adjust as above, add docs.
mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
logno. Free EVP_PKEY in engine case. Never try reading ECDH/DH
parameters from engine ids.
Hook up PKCS#11 PIN entry through configured passphrase entry method.
* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
around passphrase entry.
(modssl_load_engine_keypair): Take vhost ID and use above rather than
default OpenSSL UI.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
the engine associated with the private key (&cert) explicitly
rather than requiring the engine to be set as the default method
for all operations (with "SSLCryptoDevice <engine>").
(Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested
improvement and guidance)
* modules/ssl/ssl_engine_pphrase.c: Fix linking against OpenSSL without
ENGINE support.
*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. Whether all possible variations lead to the configuration
you wanted in the first place is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
Jim Jagielski [Tue, 11 Feb 2020 13:21:48 +0000 (13:21 +0000)]
Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:
mod_ssl: negotiate the TLS protocol version per name based vhost configuration.
By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.
In other words:
SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).
Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).
We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.
mod_ssl: follow up to r1868645.
Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).
This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.
mod_ssl: follow up to r1868645.
Keep the base server's SSLProtocol if none is configured on the vhost
selected by Hello/SNI callback.
mod_ssl: follow up to r1868645 and r1868929.
Merge ->protocol_set.
mod_ssl: follow up to r1868645.
CHANGES entry and docs' note.
Submitted by: ylavic
Reviewed by: ylavic, minfrin, jim
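The ClientHello-callback SNI extraction described in the mod_ssl merge above has to walk the raw server_name extension bytes itself. This added example (not httpd's or OpenSSL's code) parses such an extension body in plain C, with the same length checks as the OpenSSL test helper the commit mentions; the sample bytes are constructed, and the OpenSSL wiring (SSL_client_hello_get0_ext, SSL_set_SSL_CTX) is only referenced in comments so the file builds without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

#define TLSEXT_NAMETYPE_HOST_NAME 0   /* RFC 6066 NameType host_name */
/* Parse a server_name extension body as SSL_client_hello_get0_ext() returns it
 * (just past the type/length fields): u16 list length, then one or more
 * { u8 NameType, u16 length, name }. Copies the first host_name entry,
 * NUL-terminated, into out; returns its length or -1 if malformed. */
static int parse_sni_hostname(const unsigned char *ext, size_t remaining,
                              char *out, size_t out_size)
{
    size_t len;
    if (ext == NULL || remaining <= 2)
        return -1;
    len = ((size_t)ext[0] << 8) | ext[1];   /* ServerNameList length */
    ext += 2;
    if (len + 2 != remaining)               /* must cover the whole body */
        return -1;
    remaining = len;                        /* only the first entry matters */
    if (remaining == 0 || *ext++ != TLSEXT_NAMETYPE_HOST_NAME)
        return -1;
    if (--remaining <= 2)
        return -1;
    len = ((size_t)ext[0] << 8) | ext[1];   /* HostName length */
    ext += 2;
    remaining -= 2;
    if (len == 0 || len > remaining || len >= out_size)
        return -1;
    if (memchr(ext, '\0', len) != NULL)     /* embedded NUL would truncate */
        return -1;
    memcpy(out, ext, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample: SNI body for "www.example.org" (list length 18). */
static const unsigned char sample_sni_ext[] = {
    0x00, 0x12, 0x00, 0x00, 0x0f,
    'w','w','w','.','e','x','a','m','p','l','e','.','o','r','g'
};

int main(void)
{
    char host[256];
    int n = parse_sni_hostname(sample_sni_ext, sizeof sample_sni_ext,
                               host, sizeof host);
    /* mod_ssl would now select the vhost for host, then SSL_set_SSL_CTX() etc. */
    printf("SNI host name: %s (%d bytes)\n", n < 0 ? "<malformed>" : host, n);
    return n < 0;
}
```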
Joe Orton [Fri, 7 Feb 2020 16:56:40 +0000 (16:56 +0000)]
Merge r1867970 from trunk:
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).
* configure.in: Add systemd to HTTPD_LIBS rather than LIBS. Add PCRE
libs to HTTPD_LIBS.
* configure.in, acinclude.m4: Move systemd check to APACHE_CHECK_SYSTEMD
and use pkg-config where available.
mod_systemd: Add IdleShutdown - number of seconds in idle-state after which
httpd is shut down. This is useful in combination with socket activation.
Add mod_systemd documentation.
mod_systemd: Use AP_SIG_GRACEFUL instead of SIGWINCH.
Fix overriding ExtendedStatus to "off" with mod_systemd loaded, and
give more feedback to systemd during a reload.
* modules/arch/unix/mod_systemd.c (systemd_pre_config): New
function; tell systemd the service is reloading here.
(systemd_pre_mpm): Don't set ap_extended_status here, do nothing
if ExtendedStatus is off.
(register_hooks): Register pre_config hook.
* modules/arch/unix/mod_systemd.c (systemd_post_config): Fix systemd
service getting stuck reloading if "ExtendedStatus off" is
configured; regression in r1802251.
PR: 62697
* modules/arch/unix/mod_systemd.c (systemd_pre_mpm, systemd_monitor):
Ignore sd_notify{,f} failure cases as currently recommended by the
systemd API docs.
* modules/arch/unix/mod_systemd.c: Remove IdleShutdown feature which
was buggy per sf's feedback in 2.4.x backport proposal, and would
probably be more appropriate outside this module anyway.
* modules/arch/unix/config5.m4: Don't override enable_systemd, fixing
--enable-systemd=static per covener's suggestion in
<CALK=YjPrN644NtLROwYPyBeCpev-GHSAD2J-Z2hupLymZ0op-g@mail.gmail.com>
Also fix the APACHE_MODULE() usage; disable the module by default
for the "all" modules selection.
Luca Toscano [Fri, 31 Jan 2020 16:12:33 +0000 (16:12 +0000)]
Vote on mod_systemd's backport patch
Tested building the module from a fresh copy of 2.4.x
on Debian 10 (Buster). Tested a systemd unit with "Type=notify",
everything works as expected. Thanks Joe!
Joe Orton [Wed, 15 Jan 2020 17:43:42 +0000 (17:43 +0000)]
Simplified mod_systemd backport proposal w/o IdleShutdown feature.
Note partial merge of some commits, socket activation changes are
excluded. mod_systemd.c as proposed is exactly as in trunk.
mod_proxy: fix proxy connection cleanup from an n+2 pool.
When connection_destructor() is called after pchild is gone, we can't
dereference worker->cp anymore. This happens in debug/one_process mode only,
if we exit by calling apr_terminate() or clearing the process pool directly.
Fix this by NULL-ing worker->cp in conn_pool_cleanup(), and by registering it
as a pre_cleanup.
Delay some memory allocation.
If this handler will not handle the request, no need to waste bytes in the request pool.
Add error messages and return bad request.
fix incorrect rv. Sorry.
Follow up to r1847232.
There is no point in using "old" numbers in a recent commit.
Also avoid number duplication. The messages are the same but in different code path, so having different numbers makes sense.
This also avoids a warning when running:
make update-log-msg-tags
Make proxy modules compile if APR_HAS_THREADS is not defined.
restore use of global mutex under !APR_HAS_THREADS
followup to r1852442 which appears to have been too aggressive in wrapping
blocks with #if APR_HAS_THREADS. With !APR_HAS_THREADS a global mutex
is a proc mutex.
* Add back logging goodness
Add back logging goodness added by covener in r1865938.
Fix pool concurrency problems
Create a subpool of the connection pool for worker scoped DNS resolutions.
This is needed to avoid race conditions in using the connection pool by multiple
threads during ramp up.
Recheck after obtaining the lock if we still need to do things or if they
were already done by another thread while we were waiting on the lock.
* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker
scoped DNS resolutions and use it.
* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to
struct proxy_conn_pool.
* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that
worker->cp->addr is volatile in this location of the code.
Skip "PCRE 1" job for 2.4.x since there's no PCRE 2 support.
Enable ppc64le builds, caching now seems to work in Travis for non-x86.
travis: enable email notifications on success as test
adding myself for debugging (happy 113th birthday to the inventor of that term!)
does this work??
travis: send notification to httpd-dev@ only on failure
Due to a combination of Daniel's work and probably some fix
on Travis end, we are now finally getting Travis emails in
httpd-dev@. Since having notifications for successful builds
might become a little spammy, let's just alert when a build
fails (like we do with buildbot IIUC).
travis: sync trunk's notification config with 2.4.x
test/travis_before_linux.sh: add a simple bash retry to svn export
Sometimes a build is killed by Travis due to svn export taking
a long time to complete (> 10m). This change should be a test to see
if a simple workaround reduces the noise to the dev@ mailing list.
test/travis_before_linux.sh: remove bash -e flag
To allow a proper fail/retry, -e needs to be removed.
Ideally this shouldn't happen, so I'd consider this
a test to see if the bash for workaround is a viable
option or not.
test/travis_before_linux.sh: make for loop more resilient
This is a follow up to my last commit to this file, to make
the for loop more resilient with the following:
- use --force in svn export, otherwise the second attempt will
always fail due to the dest directory already being present.
- exit 1 in case the 5 tries end up in a non-zero exit code
(to fail the build fast).
travis: temporarily disable notifications to dev@
There seem to be some issues to iron out, disabling
email notifications to avoid spamming dev@.
test/travis_before_linux.sh: move retry logic to function
Move the retry logic to a bash function and restore the -e
failure policy in the script (to have cleaner log traces
in case of build failures).
Work around a build failure when a cached APR branch install
is used but APR-util needs to be rebuilt; currently this fails
because the APR build directory is not available.
e.g. https://travis-ci.org/apache/httpd/jobs/630885203
Disable caching for this combination for now.
travis: restore email notifications for dev@
The issue with ppc64le seems to be fixed from [1],
and Joe fixed the APR 1.7.x issue as well. Builds are
back to normal.
test/travis_before_linux.sh: increase backoff time before executing svn export
Cache SVN checkout of test/framework across Travis builds. Should
improve reliability (the checkout fails frequently) and performance,
plus reduces load on ASF infra.
Github: closes #85
Add Travis job which runs tests in random order.
Github: closes #86
travis: add verbose config to perl test suite for Ubuntu Worker All Modules
For some reason we get sporadic failures only in Ubuntu Worker All Modules' test:
t/apache/rwrite.t ................... 53/? # Failed test 113 in /home/travis/build/apache/httpd/test/perl-framework/blib/lib/Apache/TestCommon.pm at line 56 fail #113
t/apache/rwrite.t ................... Failed 1/114 subtests