Joe Orton [Fri, 19 Mar 2021 15:15:36 +0000 (15:15 +0000)]
mod_ssl: Add base64-encoded DER certificate variables as alternative
to PEM, to avoid newline mangling issues when using PEM in header
values.
* modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data):
New function, replacing ssl_var_lookup_ssl_cert_PEM.
(ssl_var_lookup_ssl): Use it, and add _B64CERT variants of
SSL_{CLIENT,SERVER}_CERT.
(ssl_var_lookup_ssl_cert_chain): Use it.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support
"ExportBase64CertData" argument.
* modules/ssl/ssl_engine_kernel.c (extract_to_env): New function.
(ssl_hook_Fixup): Use it, also export _B64CERT variables if
SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain
handling.
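As an added illustration of the point behind the _B64CERT variables (this is example code, not mod_ssl's own): the base64 body of a PEM certificate is exactly base64(DER), so stripping the armor lines and line breaks yields the single-line value a header can safely carry. The sample PEM body below is constructed, not a real certificate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Convert a PEM-armored certificate to its single-line base64 DER form by
 * dropping the BEGIN/END lines and every line break or blank.
 * Returns a malloc'd NUL-terminated string, or NULL if no armor is found. */
char *pem_to_b64der(const char *pem)
{
    const char *begin = strstr(pem, "-----BEGIN CERTIFICATE-----");
    const char *end;
    char *out, *p;

    if (!begin) return NULL;
    begin += strlen("-----BEGIN CERTIFICATE-----");
    end = strstr(begin, "-----END CERTIFICATE-----");
    if (!end) return NULL;

    out = malloc((size_t)(end - begin) + 1);
    if (!out) return NULL;
    for (p = out; begin < end; begin++) {
        if (*begin == '\n' || *begin == '\r' || *begin == ' ' || *begin == '\t')
            continue;            /* this is the "newline mangling" PEM suffers */
        *p++ = *begin;
    }
    *p = '\0';
    return out;
}

/* 1 if the string is safe as a header value: no CR/LF and only the base64
 * alphabet; 0 otherwise. A raw PEM string always fails this check. */
int is_clean_header_value(const char *s)
{
    for (; *s; s++) {
        if (*s == '\r' || *s == '\n') return 0;
        if (!((*s >= 'A' && *s <= 'Z') || (*s >= 'a' && *s <= 'z') ||
              (*s >= '0' && *s <= '9') || *s == '+' || *s == '/' || *s == '='))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed sample, not a real certificate */
    const char *pem = "-----BEGIN CERTIFICATE-----\nMIIB\nAQ==\n-----END CERTIFICATE-----\n";
    char *b64 = pem_to_b64der(pem);
    printf("PEM clean: %d, B64 clean: %d, value: %s\n",
           is_clean_header_value(pem), is_clean_header_value(b64), b64);
    free(b64);
    return 0;
}
```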
Joe Orton [Tue, 16 Mar 2021 15:31:58 +0000 (15:31 +0000)]
* modules/generators/mod_cgid.c (cgid_server): Register cleanup for
socket earlier to avoid possible leaks on error paths. (highlighted
by Coverity scan)
Stefan Eissing [Tue, 9 Mar 2021 12:55:55 +0000 (12:55 +0000)]
Using the new ap_ssl_conn_is_ssl() and ap_ssl_var_lookup() in all internal modules.
* leaving mod_nw_ssl and mod_ssl itself untouched
* removing mod_ssl.h includes where no longer necessary
* some modules might skip post_config hooks, but those were left in, even when empty now.
Stefan Eissing [Mon, 8 Mar 2021 18:05:50 +0000 (18:05 +0000)]
*) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate and all modern clients will use the shorter ECDSA, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt, which disabled that version more than a year ago for
new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and unsupervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. It was confusing to users that
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
Joe Orton [Wed, 3 Mar 2021 14:53:12 +0000 (14:53 +0000)]
Synch from mod_md github:
mod_md: tolerate missing revokeCert or keyChange resource
RFC 8555 §7.1 states:
The server MUST provide "directory" and "newNonce" resources.
But RFC 8555 makes no explicit statement anywhere whether other
resources are, or are not, required (with the exception of
"newAuthz" which is optional).
Therefore it is possible that some ACME server implementations may
omit some resources; in particular those that are not an essential
part of the "order" workflow. Indeed, I am working with one such
server implementation, which does not at this time implement
"keyChange". mod_md refuses to interact with this server because it
is checking that a certain set of resources are defined in the
directory object - despite some of those resources not currently
being used.
Update the check to require only "newNonce", "newAccount" and
"newOrder". Omit from the check and therefore tolerate the absence
of resources which are not always required: "revokeCert" and
"keyChange".
If mod_md implements revocation and/or key rollover in the future,
the availability of those features should be predicated on the
server's advertised capabilities.
Joe Orton [Wed, 3 Mar 2021 14:27:33 +0000 (14:27 +0000)]
Simplify balancer-manager XSS protection, no functional change:
* modules/proxy/mod_proxy_balancer.c (balancer_process_balancer_worker):
Drop the ok2change parameter, which makes the function a noop, and
require the function is not called for that case.
(balancer_handler): Only call balancer_process_balancer_worker if
the nonce matches. Simplify call to balancer_display_page.
Stefan Eissing [Tue, 2 Mar 2021 14:21:18 +0000 (14:21 +0000)]
Adding more ap_ssl_* functions and hooks to the core server.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificate and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
Add an example.
Synch with 2.4.x (syntax highlight) + secret introduced in 2.4.42.
Small doc rearrangement so that the "Beyond this list of basic attributes" is actually after the description of all items.
Joe Orton [Thu, 25 Feb 2021 09:11:57 +0000 (09:11 +0000)]
Enable mod_cgid stderr handling via Unix socket fd transfer by
default, rather than as an opt-in configure flag. (This has been
tested in Fedora for >12 months without seeing any new problems)
* configure.in: Check for CMSG_DATA here, and define HAVE_FDPASSING
and $ap_has_fdpassing if fd passing is supported.
* modules/generator/config5.m4,
modules/generator/mod_cgid.c: Drop configure flag for mod_cgid
fdpassing support, instead enable where possible by default.
* modules/proxy/config.m4: Rely on configure test for CMSG_DATA.
* .travis.yml: Switch test for cgid fdpassing for testing w/o
CMSG_DATA.
Stefan Eissing [Tue, 23 Feb 2021 15:08:24 +0000 (15:08 +0000)]
*) core: Adding SSL related inquiry functions to the server API.
These functions are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others' optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value supplying functions.
Stefan Eissing [Mon, 22 Feb 2021 14:11:09 +0000 (14:11 +0000)]
mod_http2, synch with changes from github module version:
- logio: improvements to reporting of sent bytes for http2 responses
- directive H2OutputBuffering, controls if any output should be sent immediately.
Yann Ylavic [Sat, 6 Feb 2021 12:17:40 +0000 (12:17 +0000)]
mod_http2: Fix workers synchronization on pchild cleanup.
When the MPM child exits and pre-workers_pool_cleanup() is called, all the
workers are not necessarily in their idle critical section, thus aborting slots
in the ->idle list only may leave worker threads alive, later blocked in the
idle critical section with no one to wake them.
Instead of the per-slot ->aborted flag, workers_pool_cleanup() will now set
workers->aborted "globally" such that slot_run() does not wait to be woken up
from idle in this case, and all workers really exit.
Also, for workers_pool_cleanup() to wait for all the workers to reach the
->zombies list before returning, a new ->all_done condition variable is armed
when the last thread exits. Since this depends on the atomic ->worker_count to
reach zero, for accuracy the increment in activate_slot() is moved before the
thread startup.
* modules/http2/h2_workers.h (struct h2_workers): volatilize ->aborted and
add the ->all_done condition variable.
* modules/http2/h2_workers.c (push_slot, pop_slot): volatilize the h2_slot*
being cas-ed.
* modules/http2/h2_workers.c (cleanup_zombies): rename to join_zombies(), and
move ->worker_count atomic inc to slot_done().
* modules/http2/h2_workers.c (get_next): when workers->aborted, leave and don't
wait for ->not_idle. Return an int/bool since it's gotten / not gotten.
* modules/http2/h2_workers.c (slot_done): signal ->all_done when the last
worker and the MPM child are exiting.
* modules/http2/h2_workers.c (slot_run): rework the loops now that get_next()
is the stop signal.
* modules/http2/h2_workers.c (workers_pool_cleanup): wait for ->all_done when
needed, and remove the !workers->aborted condition since the cleanup will
only be called once.
* modules/http2/h2_workers.c (activate_slot): move ->worker_count atomic inc
before the thread creation and handle failure rollback.
Yann Ylavic [Wed, 3 Feb 2021 11:29:10 +0000 (11:29 +0000)]
mod_proxy_http: follow up to r1886141, axe overlong scheme check.
Since mod_proxy can see CONNECT URIs, "hostname:port" versus "scheme:"
is hardly distinguishable (we don't want to limit the length of hostnames),
and we don't allocate the scheme anymore while parsing, let's simply decline
unrecognized schemes (overlong or not) and be caught by the no-handler case
if there really is no proxy handler interested.
Ruediger Pluem [Tue, 2 Feb 2021 19:50:14 +0000 (19:50 +0000)]
* We need to check for (!scheme && (u = strchr(url, ':')) && (u - url) > 14)
later as (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') is true
for requests with the CONNECT method which we need to decline. But in many
cases requests with the CONNECT method have (u - url) > 14 as in this
case (u - url) is the length of the FQDN the forward proxy should connect
to.
Joe Orton [Fri, 29 Jan 2021 12:42:56 +0000 (12:42 +0000)]
Update Travis LDAP testing to use a CentOS based container, pulled
from quay.io, to avoid the new Docker hub pull rate-limiting which
is causing intermittent failures.
Ruediger Pluem [Wed, 27 Jan 2021 08:08:56 +0000 (08:08 +0000)]
Before doing any bind check that the provided username is not NULL and that the
password is neither NULL nor empty.
Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.
This causes authentications that use user supplied credentials
(AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of
401 if the user supplied an empty password.
Add some missing hyper links to directives.
Remove some <var> in <syntax> to be more consistent with the rest of the doc.
Remove a duplicated trailing ".".
Yann Ylavic [Tue, 19 Jan 2021 14:16:44 +0000 (14:16 +0000)]
mod_proxy_hcheck: don't pile up health checks. PR 63010.
Prevent health checks from running for a worker until the last one is fully
finished, to avoid making things worse (memory growth, #connections, ..).
This is done by zeroing worker->s->updated before scheduling the worker in the
threadpool, and resetting the time when it's finished. The scheduler then does
nothing if worker->s->updated is zero.
Also, to save some apr_time_now() calls when !HC_USE_THREADS, *baton->now is
updated in the callback and reused by the scheduler.
Yann Ylavic [Thu, 7 Jan 2021 13:19:08 +0000 (13:19 +0000)]
mod_proxy_wstunnel: leave Upgrade requests handling to mod_proxy_http.
Let mod_proxy_http's canon and scheme handlers accept "ws[s]:" schemes so that
mod_proxy_wstunnel can decline requests when mod_proxy_http is loaded.
* modules/proxy/{mod_proxy.h,proxy_util.c} (ap_proxy_worker_can_upgrade):
Add a "dflt" argument to ap_proxy_worker_can_upgrade() which, if not NULL,
is matched when no worker upgrade= parameter is configured. This allows to
handle the default "Upgrade: websocket" case for "ws[s]:" schemes.
* modules/proxy/mod_proxy_http.c (proxy_http_canon, proxy_http_handler):
Add and use the new get_url_scheme() helper to parse URL schemes handled by
mod_proxy_http and use it in canon and scheme handlers. This helper now
accepts ws[s] schemes.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_post_config):
New post_config hook to detect whether mod_proxy_http is loaded and set
global fallback_to_mod_proxy_http flag in this case.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_check_trans,
proxy_wstunnel_canon,
proxy_wstunnel_handler):
These hooks now early return DECLINED if fallback_to_mod_proxy_http is set.
While at it, remove the "based on the value of" because it is not really based on the value of the environment variable, but on its existence or not.
Joe Orton [Thu, 17 Dec 2020 12:44:41 +0000 (12:44 +0000)]
Treat non-leaf certificates present in SSLProxyMachineCertificateFile
the same way as non-leaf certs are in SSLCertificateFile - use them to
build the trusted cert chain for the end-entity (client) cert.
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs):
For any non-leaf certificate present in the configured file, trust as
if used in SSLProxyMachineCertificateChainFile.
Joe Orton [Thu, 17 Dec 2020 09:27:08 +0000 (09:27 +0000)]
Add job using APR thread debugging, switching to the pthreads
error-checking mutex as the default type. This results in
errors rather than undefined behaviour when double-locking
a mutex.