Rainer Jung [Mon, 24 Feb 2020 15:18:33 +0000 (15:18 +0000)]
mod_proxy_ajp: Add "secret" parameter to proxy workers
to implement legacy AJP13 authentication. PR 53098.
The attribute is now suggested/required by tomcat.
Yann Ylavic [Fri, 21 Feb 2020 00:36:36 +0000 (00:36 +0000)]
Merge r1872042, r1872062 from trunk:
Add support for cross compiling to apxs. If apxs is being executed from somewhere
other than its target location, add that prefix to includes and library directories.
Without this, apxs would fail to find config_vars.mk and exit.
Allow instdso.sh to be found while cross compiling.
mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.
* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.
* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h:
Remove modssl_read_encrypted_pkey() and helpers, added in r1804087
but never used.
* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused
second argument.
Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.
* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
serialize internally. Use ap_realloc. Return the ssl_asn1_t *
pointer. Don't call apr_hash_set() for unchanged pointer case.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Adjust for the above.
* modules/ssl/ssl_private.h: Adjust as above, add docs.
mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
logno. Free EVP_PKEY in engine case. Never try reading ECDH/DH
parameters from engine ids.
Hook up PKCS#11 PIN entry through configured passphrase entry method.
* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
around passphrase entry.
(modssl_load_engine_keypair): Take vhost ID and use above rather than
default OpenSSL UI.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
the engine associated with the private key (&cert) explicitly
rather than requiring the engine to be set as the default method
for all operations (with "SSLCryptoDevice <engine>").
(Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested
improvement and guidance)
* modules/ssl/ssl_engine_pphrase.c: Fix linking against OpenSSL without
ENGINE support.
*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- Protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. Whether all possible variations lead to the configuration
you wanted in the first place is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
Jim Jagielski [Tue, 11 Feb 2020 13:21:48 +0000 (13:21 +0000)]
Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:
mod_ssl: negotiate the TLS protocol version per name based vhost configuration.
By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.
In other words:
SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).
Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).
We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.
mod_ssl: follow up to r1868645.
Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).
This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.
mod_ssl: follow up to r1868645.
Keep the base server's SSLProtocol if none is configured on the vhost
selected by Hello/SNI callback.
mod_ssl: follow up to r1868645 and r1868929.
Merge ->protocol_set.
mod_ssl: follow up to r1868645.
CHANGES entry and docs' note.
Submitted by: ylavic
Reviewed by: ylavic, minfrin, jim
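The SNI extraction that the ClientHello-callback change above describes, as an added example that is not httpd's or OpenSSL's own code: a stand-alone parser for the raw server_name extension body (the bytes SSL_client_hello_get0_ext() returns for extension type 0), with the length and name_type checks a server wants before using the value for vhost selection. The function name and the sample bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parse the body of a TLS server_name extension (RFC 6066, section 3):
 *   uint16 server_name_list length
 *   uint8  name_type (0 = host_name)
 *   uint16 host_name length
 *   opaque host_name
 * Returns 1 and copies the NUL-terminated host name into out on success,
 * 0 if the body is truncated, its lengths disagree, the entry is not a
 * host_name, or the name would not fit in out. */
static int sni_from_ext(const uint8_t *ext, size_t len, char *out, size_t outlen)
{
    size_t list_len, name_len, i;

    if (len < 5)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != len)          /* the list must span the whole body */
        return 0;
    if (ext[2] != 0)                  /* only name_type host_name is defined */
        return 0;
    name_len = ((size_t)ext[3] << 8) | ext[4];
    if (name_len == 0 || name_len + 3 != list_len || name_len >= outlen)
        return 0;
    for (i = 0; i < name_len; i++) {  /* reject NUL or space inside the name */
        uint8_t c = ext[5 + i];
        if (c == 0 || c == ' ')
            return 0;
    }
    memcpy(out, ext + 5, name_len);
    out[name_len] = '\0';
    return 1;
}

/* Constructed sample: the extension body a client sends for "www.example.org". */
static const uint8_t sample_sni_ext[] = {
    0x00, 0x12,          /* server_name_list length = 18 */
    0x00,                /* name_type = host_name */
    0x00, 0x0f,          /* host_name length = 15 */
    'w','w','w','.','e','x','a','m','p','l','e','.','o','r','g'
};

int main(void)
{
    char host[256];
    if (sni_from_ext(sample_sni_ext, sizeof(sample_sni_ext), host, sizeof(host)))
        printf("SNI: %s\n", host);
    else
        printf("no usable SNI\n");
    return 0;
}
```

In the callback, a name that parses cleanly is what init_vhost() would be handed; a parse failure means falling back to the base server, as the unchanged code path does for a ClientHello without SNI.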
Joe Orton [Fri, 7 Feb 2020 16:56:40 +0000 (16:56 +0000)]
Merge r1867970 from trunk:
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).
* configure.in: Add systemd to HTTPD_LIBS rather than LIBS. Add PCRE
libs to HTTPD_LIBS.
* configure.in, acinclude.m4: Move systemd check to APACHE_CHECK_SYSTEMD
and use pkg-config where available.
mod_systemd: Add IdleShutdown - number of seconds in idle-state after which
httpd is shutdown. This is useful in a combination with socket activation.
Add mod_systemd documentation.
mod_systemd: Use AP_SIG_GRACEFUL instead of SIGWINCH.
Fix overriding ExtendedStatus to "off" with mod_systemd loaded, and
give more feedback to systemd during a reload.
* modules/arch/unix/mod_systemd.c (systemd_pre_config): New
function; tell systemd the service is reloading here.
(systemd_pre_mpm): Don't set ap_extended_status here, do nothing
if ExtendedStatus is off.
(register_hooks): Register pre_config hook.
* modules/arch/unix/mod_systemd.c (systemd_post_config): Fix systemd
service getting stuck reloading if "ExtendedStatus off" is
configured; regression in r1802251.
PR: 62697
* modules/arch/unix/mod_systemd.c (systemd_pre_mpm, systemd_monitor):
Ignore sd_notify{,f} failure cases as currently recommended by the
systemd API docs.
* modules/arch/unix/mod_systemd.c: Remove IdleShutdown feature which
was buggy per sf's feedback in 2.4.x backport proposal, and would
probably be more appropriate outside this module anyway.
* modules/arch/unix/config5.m4: Don't override enable_systemd, fixing
--enable-systemd=static per covener's suggestion in
<CALK=YjPrN644NtLROwYPyBeCpev-GHSAD2J-Z2hupLymZ0op-g@mail.gmail.com>
Also fix the APACHE_MODULE() usage; disable the module by default
for the "all" modules selection.
Luca Toscano [Fri, 31 Jan 2020 16:12:33 +0000 (16:12 +0000)]
Vote on mod_systemd's backport patch
Tested building the module from a fresh copy of 2.4.x
on Debian 10 (Buster). Tested a systemd unit with "Type=notify",
everything works as expected. Thanks Joe!