From: Graham Leggett Date: Fri, 21 Sep 2018 12:14:05 +0000 (+0000) Subject: Add TLSv1.3 support to mod_ssl: X-Git-Tag: 2.4.36~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49fde74b79a9f965bd4b29888ecb95565d7cf32a;p=thirdparty%2Fapache%2Fhttpd.git Add TLSv1.3 support to mod_ssl: trunk: http://svn.apache.org/r1839946 http://svn.apache.org/r1839920 http://svn.apache.org/r1833589 http://svn.apache.org/r1833588 http://svn.apache.org/r1828723 http://svn.apache.org/r1828720 http://svn.apache.org/r1828222 http://svn.apache.org/r1827992 http://svn.apache.org/r1827924 http://svn.apache.org/r1827912 http://svn.apache.org/r1828790 http://svn.apache.org/r1828791 http://svn.apache.org/r1828792 http://svn.apache.org/r1840585 http://svn.apache.org/r1840710 http://svn.apache.org/r1841218 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841573 13f79535-47bb-0310-9956-ffa450edef68 --- 49fde74b79a9f965bd4b29888ecb95565d7cf32a diff --cc CHANGES index 8a4cfe7b2c8,45814786e4c..653a91bb9cd --- a/CHANGES +++ b/CHANGES @@@ -1,30 -1,19 +1,43 @@@ -*- coding: utf-8 -*- -Changes with Apache 2.4.35 +Changes with Apache 2.4.36 + *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9. + SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for. + Directive "SSLVerifyClient" now triggers certificate retrieval from the client. + Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols, + as this would need to trigger the master connection thread - which we do not support + right now. + Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite" + does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and + TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate. 
+ Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they + can match their needs onto the TLSv1.3 protocol. + [Yann Ylavic, Stefan Eissing] + + *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces + should be accepted after the authorization scheme. \t are also tolerated. + [Christophe Jaillet] + + *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318 + [Jim Jagielski] + + *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499 + [Dominik Stillhard ] + + *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account. + [Jim Jagielski] + + *) mod_status, mod_echo: Fix the display of client addresses. + They were truncated to 31 characters which is not enough for IPv6 addresses. + This is done by deprecating the use of the 'client' field and using + the new 'client64' field in worker_score. + PR 54848 [Bernhard Schmidt , Jim Jagielski] + +Changes with Apache 2.4.35 + + *) http: Enforce consistently no response body with both 204 and 304 + statuses. [Yann Ylavic] + *) mod_status: Cumulate CPU time of exited child processes in the "cu" and "cs" values. Add CPU time of the parent process to the "c" and "s" values. diff --cc STATUS index b5c25db9cd4,c281e532777..a56e938b5bf --- a/STATUS +++ b/STATUS @@@ -124,26 -124,28 +124,6 @@@ RELEASE SHOWSTOPPERS PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. 
] - *) Add TLSv1.3 support to mod_ssl: - trunk: http://svn.apache.org/r1839946 - http://svn.apache.org/r1839920 - http://svn.apache.org/r1833589 - http://svn.apache.org/r1833588 - http://svn.apache.org/r1828723 - http://svn.apache.org/r1828720 - http://svn.apache.org/r1828222 - http://svn.apache.org/r1827992 - http://svn.apache.org/r1827924 - http://svn.apache.org/r1827912 - http://svn.apache.org/r1828790 - http://svn.apache.org/r1828791 - http://svn.apache.org/r1828792 - http://svn.apache.org/r1840585 - http://svn.apache.org/r1840710 - http://svn.apache.org/r1841218 - 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x - +1: icing, jorton, minfrin (tested on openssl-1.0.2j and openssl-1.1.1) - *) kotkov has made mamy improvements to the mpm_winnt about one year ago. - None of them have been merged or proposed for backport yet. - Start the merge process with the first easy steps in order to synch - 2.4.x and trunk and ease other merges - - mpm_winnt: Factor out a helper function to parse the type of an accept - filter and use an appropriate enum for it - - mpm_winnt: fix typo - - mpm_winnt: follow-up to r1801144 - trunk patch: http://svn.apache.org/r1801144 - http://svn.apache.org/r1801148 - http://svn.apache.org/r1801456 - 2.4.x patch: svn merge -c 1801144,1801148,1801456 ^/httpd/httpd/trunk . - +1: jailletc36, jim (via inspection), wrowe -- - *) mod_proxy: fix load order dep between mod_proxy and lbmethod providers - trunk patch: http://svn.apache.org/r1836381 - http://svn.apache.org/r1836382 - http://svn.apache.org/r1836383 - http://svn.apache.org/r1836386 - http://svn.apache.org/r1836603 - 2.4.x patch: http://people.apache.org/~covener/2.4.x-proxy-opt-fn.diff - +1: covener, jim, ylavic PATCHES PROPOSED TO BACKPORT FROM TRUNK:
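Review bot: in the CHANGES hunk, the new mod_ssl entry has an unclosed parenthesis ("(tested with OpenSSL v1.1.1-pre9." never closes), and the mod_auth_basic entry misspells "credential" as "credencial"; "does not allow to specify TLSv1.3 ciphers" should read "does not allow specifying TLSv1.3 ciphers" and "such TLSv1.2 feature" should be "such TLSv1.2 features". The sentence "Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols" is hard to read as written; since this is the user-facing record, spell out that it is per-directory SSLVerifyClient on HTTP/2 connections that fails regardless of TLS version, and, next to "Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections", name the directory-context directives whose renegotiation-based behaviour no longer applies so that operators reading "need to evaluate carefully" know what to audit.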
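Review bot: in the STATUS hunk, the header "@@@ -124,26 -124,28 +124,6 @@@" and the single-column "-" markers show that the mpm_winnt and mod_proxy backport entries are removed from PATCHES ACCEPTED TO BACKPORT together with the TLSv1.3 proposal, even though only the TLSv1.3 item is the subject of this merge; confirm those two entries were already applied and removed by separate commits rather than dropped here. The vote line "+1: icing, jorton, minfrin (tested on openssl-1.0.2j and openssl-1.1.1)" also names OpenSSL versions that differ from the "tested with OpenSSL v1.1.1-pre9" claim in the CHANGES hunk; the CHANGES entry should state the OpenSSL release the TLSv1.3 support was actually validated against.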