Merge to current 2.4.x.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1770812 13f79535-47bb-0310-9956-ffa450edef68

diff --cc CHANGES
index e68815ee43cf455da024bacea4f0f3536ca3da98,4faf997abc433eea5747dfc39923b99f3a9948e9..9e502d0c1a452ea81946b1548c8e40463a6057b2
--- 1/CHANGES
--- 2/CHANGES
+++ b/CHANGES
@@@ -2,8 -2,34 +2,36 @@@
  
  Changes with Apache 2.4.24
  
 +  *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
 + 
+   *) mod_dir: Responses that go through "FallbackResource" might appear to
+      hang due to unterminated chunked encoding. PR58292. [Eric Covener]
+ 
+   *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
+      behavior in a routine that sends <DAV:response>'s to the output filters.
+      [Evgeny Kotkov]
+ 
+   *) mod_http2: new directive 'H2PushResource' to enable early pushes before 
+      processing of the main request starts. Resources are announced to the 
+      client in Link headers on a 103 early hint response. 
+      All responses with status code <400 are inspected for Link header and
+      trigger pushes accordingly. 304 still does prevent pushes.
+      'H2PushResource' can mark resources as 'critical' which gives them higher
+      priority than the main resource. This leads to preferred scheduling for
+      processing and, when content is available, will send it first. 'critical'
+      is also recognized on Link headers. [Stefan Eissing]
+      
+   *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
+      local url when available. Relative uris with an absolute path are mapped
+      as well. This makes reverse proxy mapping available for resources
+      announced in this header. 
+      With 103 interim responses being forwarded to the main client connection,
+      this effectively allows early pushing of resources by a reverse proxied
+      backend server. [Stefan Eissing]
+      
+   *) mod_proxy_http2: adding support for newly proposed 103 status code.
+      [Stefan Eissing]
+      
    *) mpm_unix: Apache fails to start if previously crashed then restarted with
       the same PID (e.g. in container).  PR 60261.
       [Val <valentin.bremond gmail.com>, Yann Ylavic]

diff --cc modules/ssl/ssl_engine_io.c
index 59a35764b01dd7cca9c8618b1ea8a5d72f798113,82953ad0ac8969d4915cac8b59decf3b446f77a4..b463e1ab0790e325648661ab46d0848ca98d21ae
--- 1/modules/ssl/ssl_engine_io.c
--- 2/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@@ -838,7 -784,12 +843,12 @@@ static apr_status_t ssl_filter_write(ap
          return APR_EGENERAL;
      }
  
 -    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
+     /* We rely on SSL_get_error() after the write, which requires an empty error
+      * queue before the write in order to work properly.
+      */
+     ERR_clear_error();
+ 
 +    outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
      res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
  
      if (res < 0) {
@@@ -1309,11 -1260,16 +1319,16 @@@ static apr_status_t ssl_io_filter_hands
          return APR_SUCCESS;
      }
  
+     /* We rely on SSL_get_error() after the accept, which requires an empty
+      * error queue before the accept in order to work properly.
+      */
+     ERR_clear_error();
+ 
      if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
          bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
 -                                     (filter_ctx->pbioRead->ptr);
 +                                     BIO_get_data(filter_ctx->pbioRead);
          bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
 -                                       (filter_ctx->pbioWrite->ptr);
 +                                       BIO_get_data(filter_ctx->pbioWrite);
          apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
          ssl_err = SSL_get_error(filter_ctx->pssl, n);