From: Joe Orton Date: Mon, 14 Nov 2016 10:26:31 +0000 (+0000) Subject: Merged to latest 2.4.x. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38562136a6ef16810f1a12930aadc1122e600071;p=thirdparty%2Fapache%2Fhttpd.git Merged to latest 2.4.x. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1769588 13f79535-47bb-0310-9956-ffa450edef68 --- 38562136a6ef16810f1a12930aadc1122e600071 diff --cc CHANGES index 74bdf290731,042fb0dea7f..76cd1c9baf1 --- a/CHANGES +++ b/CHANGES @@@ -2,8 -2,116 +2,119 @@@ Changes with Apache 2.4.24 + *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung] + + *) mpm_unix: Apache fails to start if previously crashed then restarted with + the same PID (e.g. in container). PR 60261. + [Val , Yann Ylavic] + + *) mod_http2: unannounced and multiple interim responses (status code < 200) + are parsed and forwarded to client until a final response arrives. + [Stefan Eissing] + + *) mod_proxy_http2: improved robustness when main connection is closed early + by resetting all ongoing streams against the backend. + [Stefan Eissing] + + *) mod_http2: allocators from slave connections are released earlier, resulting + in less overall memory use on busy, long lived connections. + [Stefan Eissing] + + *) mod_remoteip: Pick up where we left off during a subrequest rather + than running with the modified XFF but original TCP address. + PR 49839/PR 60251 + + *) http: Respond with "408 Request Timeout" when a timeout occurs while + reading the request body. [Yann Ylavic] + + *) mod_http2: connection shutdown revisited: corrected edge cases on + shutting down ongoing streams, changed log warnings to be less noisy + when waiting on long running tasks. [Stefan Eissing] + + *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them + available also in normal deployments. [Stefan Eissing] + + *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented + up to the backend. 
Reused HTTP/2 proxy connections with more than a second + not used will block request bodies until a PING answer is received. + Requests headers are not delayed by this, since they are repeatable in + case of failure. This greatly increases robustness, especially with + busy server and/or low keepalive connections. [Stefan Eissing] + + *) mod_proxy_http2: fixed duplicate symbols with mod_http2. + [Stefan Eissing] + + *) mod_http2: rewrite of how responses and trailers are transferred between + master and slave connection. Reduction of internal states for tasks + and streams, stability. Heuristic id generation for slave connections + to better keep promise of connection ids unique at given point int time. + Fix for mod_cgid interop in high load situtations. + Fix for handling of incoming trailers when no request body is sent. + [Stefan Eissing] + + *) mod_http2: fix suspended handling for streams. Output could become + blocked in rare cases. [Stefan Eissing] + + *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in + use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion] + + *) mod_cgid: Resolve a case where a short CGI response causes a subsequent + CGI to be killed prematurely, resulting in a truncated subsequent + response. [Eric Covener] + + *) mod_proxy_hcheck: Set health check URI and expression correctly for health + check worker. PR 60038 [zdeno ] + + *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request + headers will immediately reset the stream with a PROTOCOL error. Feature + logged by module on startup as 'INVHD' in info message. + [Stefan Eissing] + + *) mod_http2: fixed handling of stream buffers during shutdown. + [Stefan Eissing] + + *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid + triggering mod_proxy_connect's AH01018 once the tunnel is established. 
+ [Yann Ylavic] + + *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS + connections (unless -I is specified), according to the Host header (if + any) or the requested URL's hostname otherwise. [Yann Ylavic] + + *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled + and the error documents are proxied. PR 55415. [Luca Toscano] + + *) mod_proxy_fcgi: read the whole FCGI response even when the content has + not been modified (HTTP 304) to avoid subsequent bougus reads and + confusing error messages logged. [Luca Toscano] + + *) mod_http2: h2 status resource follows latest draft, see + http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt + [Stefan Eissing] + + *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing + streams to the end. [Stefan Eissing] + + *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + + *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data + available before the request is sent. PR 57832. [Yann Ylavic] + + *) mod_proxy_balancer: Prevent redirect loops between workers within a + balancer by limiting the number of redirects to the number balancer + members. PR 59864 [Ruediger Pluem] + + *) mod_proxy: Correctly consider error response codes by the backend when + processing failonstatus. PR 59869 [Ruediger Pluem] + + *) mod_dav: Add dav_get_provider_name() function to obtain the name + of the provider from mod_dav. [Graham Leggett] + + *) mod_dav: Add support for childtags to dav_error. + [Jari Urpalainen ] + ++>>>>>>> .merge-right.r1769587 *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query string showing up in SCRIPT_FILENAME. 
PR59815 diff --cc configure.in index 289b231ca91,c59c54257cf..a56187d3bc9 --- a/configure.in +++ b/configure.in @@@ -158,7 -158,7 +158,9 @@@ els ifdef([APR_FIND_APU], [ APR_FIND_APU("$srcdir/srclib/apr-util", "./srclib/apr-util", 1, ${apr_major_version}) -- ], [apu_found=no]) ++ ], [apu_found=no ++ AC_MSG_NOTICE([APR-util 1.x not supported with APR 1.x]) ++ ]) fi if test "$apu_found" = "no"; then diff --cc support/ab.c index 7f6fbc6c54f,ac0b54415c0..a2560b3cd9c --- a/support/ab.c +++ b/support/ab.c @@@ -2378,32 -2416,12 +2425,37 @@@ int main(int argc, const char * const a } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { meth = TLSv1_client_method(); } +#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + meth = TLS_client_method(); + if (strncasecmp(opt_arg, "ALL", 3) == 0) { + max_prot = TLS1_2_VERSION; +#ifndef OPENSSL_NO_SSL3 + min_prot = SSL3_VERSION; +#else + min_prot = TLS1_VERSION; +#endif +#ifndef OPENSSL_NO_SSL3 + } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { + max_prot = SSL3_VERSION; + min_prot = SSL3_VERSION; +#endif + } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { + max_prot = TLS1_1_VERSION; + min_prot = TLS1_1_VERSION; + } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) { + max_prot = TLS1_2_VERSION; + min_prot = TLS1_2_VERSION; + } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { + max_prot = TLS1_VERSION; + min_prot = TLS1_VERSION; + } +#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ break; + #ifdef HAVE_TLSEXT + case 'I': + tls_use_sni = 0; + break; + #endif #endif } }
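Review bot: In the CHANGES hunk, the line `++>>>>>>> .merge-right.r1769587` is an unresolved conflict marker, added by the merge just before the mod_proxy_fcgi "Fix 2.4.23 breakage" entry. The `++` prefix shows it is in neither parent, so it came from the merge resolution itself. Delete the marker line and check the rest of CHANGES for a matching `<<<<<<<` or `=======` that falls outside this hunk.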
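Review bot: In the configure.in hunk, the added `AC_MSG_NOTICE([APR-util 1.x not supported with APR 1.x])` names the same major version on both sides, which reads like a typo; please confirm the intended wording. The notice sits in the third argument of `ifdef([APR_FIND_APU], ...)`, the branch taken when the APR_FIND_APU macro is not defined, so the message should describe that condition rather than a version mismatch. These lines are marked `++` and `--`, meaning they differ from both parents: this is a change made in the merge itself, and the commit message "Merged to latest 2.4.x." does not mention it. It would be easier to review as a separate commit.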
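Review bot: In the support/ab.c hunk, the OpenSSL 1.1.0 branch has no final else after the `TLS1` test: once `meth = TLS_client_method();` is set, an unrecognized protocol argument, or `SSL3` in a build with OPENSSL_NO_SSL3 defined, matches nothing and leaves min_prot and max_prot at their initial values, so the benchmark runs with a protocol range other than the one requested and without any message. Suggest a trailing else that reports the bad value and exits, and check the initializers of both variables, which are outside this hunk. A smaller point: `ALL` pins max_prot to TLS1_2_VERSION, so it will not follow newer protocol versions the library adds later; leaving the maximum unset for `ALL` avoids that. The new `case 'I'` under HAVE_TLSEXT also needs `I` in the getopt option string and the usage text under the same guard, which this hunk does not show.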