Stefan Eissing [Thu, 25 Nov 2021 15:48:08 +0000 (15:48 +0000)]
test: adapting http2 test 200_16 to compensate for not getting a response.
This happens for newer nghttp2 versions that RST a stream with the
tested, invalid header.
*) mod_md: Fix memory leak in case of failures to load the private key.
PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a second account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing orders from other accounts.
- When retrieving certificate chains, try to read the response even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows keeping server configuration permissions
world-readable without exposing secrets.
Graham Leggett [Sun, 26 Sep 2021 14:35:55 +0000 (14:35 +0000)]
Backport:
*) mpm event: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild. PR 65592.
Trunk version of patch:
https://svn.apache.org/r1893520
Backport version for 2.4.x of patch:
Trunk version of patch works
svn merge -c 1893520 ^/httpd/httpd/trunk .
+1: rpluem, ylavic, minfrin
Graham Leggett [Sun, 26 Sep 2021 14:30:51 +0000 (14:30 +0000)]
Backport:
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Adds all other, never proposed code changes to make a clean
sync of http2 sources.
trunk patch: http://svn.apache.org/r1893214
http://svn.apache.org/r1893215
http://svn.apache.org/r1893220
and other never proposed code changes
PR: https://github.com/apache/httpd/pull/270
+1: icing, rpluem, minfrin
Graham Leggett [Sun, 26 Sep 2021 14:18:55 +0000 (14:18 +0000)]
Backport:
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests.
Trunk version of patch:
https://svn.apache.org/r1893589
Backport version for 2.4.x of patch:
Trunk version of patch works
svn merge -c 1893589 ^/httpd/httpd/trunk .
+1: rpluem, minfrin, ylavic
Graham Leggett [Sun, 26 Sep 2021 14:14:37 +0000 (14:14 +0000)]
Backport:
*) core: do not install core input/output filters on secondary
connections.
Trunk version of patch:
http://svn.apache.org/viewvc?view=revision&revision=1787606
Backport version for 2.4.x of patch:
svn merge -c 1787606 ^/httpd/httpd/trunk .
+1: icing, rpluem, ylavic
Graham Leggett [Sun, 26 Sep 2021 14:11:22 +0000 (14:11 +0000)]
Backport:
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent that failures in running the pre_connection
hook cause crashes afterwards.
Trunk version of patch:
https://svn.apache.org/r1893497
https://svn.apache.org/r1893507
Backport version for 2.4.x of patch:
https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/269.diff
Can be applied via apply_backport_pr.sh 269.
+1: rpluem, icing, ylavic
Stefan Eissing [Fri, 17 Sep 2021 12:41:45 +0000 (12:41 +0000)]
Merge of /httpd/httpd/trunk:r1893399
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early without bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
Stefan Eissing [Wed, 15 Sep 2021 13:41:35 +0000 (13:41 +0000)]
Merge of /httpd/httpd/trunk:r1893359
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
Stefan Eissing [Thu, 9 Sep 2021 15:22:23 +0000 (15:22 +0000)]
Merge r1890605, r1893164, r1893179 from trunk:
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding `ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
modules to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core-provided optional functions wrap any registered function
like it was done for `ssl_is_ssl`.
* core: clarify comments and use hook API better to check for presence of callbacks.
core: Set r->request_time before any logging, mod_unique_id needs it.
* server/protocol.c(read_request_line):
Move r->request_time initialization before first APLOG_TRACE5,
ap_log_rerror() may run the generate_log_id hooks and call mod_unique_id
with no timestamp initialized (zero).
mod_unique_id: Follow up to r1892915: Shorter counter race condition yet.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Set the counter in network byte order for uuencoding only, allowing for
simple cur_unique_id.counter++
mod_unique_id: Follow up to r1892915 and r1893002: Atomic counter.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Use an atomic 32-bit counter to close the race condition with threaded MPMs,
using the lower 16 bits for uuencoding still.
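Added example (not httpd's mod_unique_id code): a plain counter and an atomic counter incremented from several threads, illustrating the lost-update race the commit above closes and the "low 16 bits in network byte order" encoding it describes. The function names, thread and iteration counts are this example's own; the httpd code uses APR atomics rather than C11 ones.

```c
/* Added example, not httpd's mod_unique_id code: a plain counter and an
 * atomic counter incremented from several threads, illustrating the race
 * the commit above closes. All names here are this example's own. */
#include <arpa/inet.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define THREADS     8
#define PER_THREAD  50000

/* volatile forces a real load/add/store each time but does NOT make ++
 * atomic: two threads can read the same value and both store value+1. */
static volatile uint32_t plain_counter;
static _Atomic uint32_t atomic_counter;

void reset_counters(void) {
    plain_counter = 0;
    atomic_store(&atomic_counter, 0);
}

/* Racy variant: the read-modify-write can interleave across threads,
 * so two requests can be handed the same id. */
uint16_t next_id_plain(void) {
    uint32_t v = plain_counter++;
    return htons((uint16_t)(v & 0xffffu));
}

/* Fixed variant: one atomic fetch-and-add hands out each value exactly
 * once; only the low 16 bits are encoded (in network byte order), as the
 * commit describes. */
uint16_t next_id_atomic(void) {
    uint32_t v = atomic_fetch_add_explicit(&atomic_counter, 1u,
                                           memory_order_relaxed);
    return htons((uint16_t)(v & 0xffffu));
}

static void *worker(void *arg) {
    int use_atomic = *(int *)arg;
    for (int i = 0; i < PER_THREAD; i++) {
        if (use_atomic) next_id_atomic(); else next_id_plain();
    }
    return NULL;
}

/* Runs THREADS threads over one variant and returns how many increments
 * were lost: always 0 for the atomic counter, usually > 0 for the plain
 * one on a multi-core machine (each lost increment is a duplicated id). */
uint32_t lost_updates(int use_atomic) {
    pthread_t tid[THREADS];
    reset_counters();
    for (int i = 0; i < THREADS; i++)
        pthread_create(&tid[i], NULL, worker, &use_atomic);
    for (int i = 0; i < THREADS; i++)
        pthread_join(tid[i], NULL);
    uint32_t seen = use_atomic ? atomic_load(&atomic_counter) : plain_counter;
    return (uint32_t)(THREADS * PER_THREAD) - seen;
}

int main(void) {
    printf("plain counter lost %u updates\n", lost_updates(0));
    printf("atomic counter lost %u updates\n", lost_updates(1));
    return 0;
}
```

The number of lost updates for the plain counter depends on scheduling and core count, so it may be zero on a single core; the atomic variant loses none under any scheduling, which is the property a request-id generator in a threaded MPM needs.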
mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch. PR 65549.
mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), enforce the upper limit in
perform_idle_server_maintenance(). PR 63169.
Submitted by: Joel Self <joelself gmail.com>
mpm_event: Follow up to r1893014: log when children are not spawned.
Log at trace1 level when active_daemons >= active_daemons_limit and we won't
spawn children. Reset free_length to avoid negative value in this case too.
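Added example (not httpd's event MPM code) covering the two mpm_event commits above: a small model of the idle-server maintenance round, showing how a spawn rate that doubles every round overshoots the child limit unless each round is clamped to the remaining headroom, and the "active >= limit, spawn nothing" case the follow-up commit logs. Function names, the starting rate and the limit value are this example's own.

```c
/* Added example, not httpd's event MPM code: a model of the idle-server
 * maintenance loop, showing how a spawn rate that doubles every round
 * overshoots the child limit unless each round is clamped to the
 * remaining headroom. Names and the starting rate are this example's own. */
#include <stdio.h>

/* How many children one maintenance round may start. With the clamp the
 * result never exceeds limit - active; without it the raw rate is used,
 * which is the behaviour PR 63169 describes. */
int children_to_spawn(int active, int limit, int idle_spawn_rate, int clamp) {
    if (!clamp)
        return idle_spawn_rate;
    if (active >= limit)
        return 0;   /* the follow-up commit logs this case at trace1 */
    int headroom = limit - active;
    return idle_spawn_rate < headroom ? idle_spawn_rate : headroom;
}

/* Simulates rounds of spawning while every child stays busy, so the rate
 * keeps doubling, and returns the peak number of children reached. */
int peak_children(int limit, int rounds, int clamp) {
    int active = 0, rate = 1, peak = 0;
    for (int r = 0; r < rounds; r++) {
        active += children_to_spawn(active, limit, rate, clamp);
        if (active > peak)
            peak = active;
        rate *= 2;   /* exponential idle_spawn_rate growth */
    }
    return peak;
}

int main(void) {
    int limit = 10;
    printf("limit %d: unclamped peak %d, clamped peak %d\n", limit,
           peak_children(limit, 5, 0), peak_children(limit, 5, 1));
    return 0;
}
```

With a limit of 10 and five rounds the unclamped run reaches 31 children (1+2+4+8+16) while the clamped run stops at exactly 10; the excess children in the unclamped case are the ones a graceful restart could then fail to stop.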