git.ipfire.org Git - thirdparty/apache/httpd.git/log

Remove bogus comment: for SSLPassPhraseDialog exec:..., argv is
defined and documented and can't be changed.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105683 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix possible
NULL pointer dereference in some configurations.

PR: 31848

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105663 13f79535-47bb-0310-9956-ffa450edef68

Add a check for SSL_ENABLED_OPTIONAL to the http_method and default_port hook so that they return the correct values for an upgradeable connection.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105426 13f79535-47bb-0310-9956-ffa450edef68

* os/unix/os.h: Define AP_NEED_SET_MUTEX_PERMS.

* modules/mappers/mod_rewrite.c, modules/ssl/ssl_engine_mutex.c: Use
AP_NEED_SET_MUTEX_PERMS to determine whether unixd_set_*_mutex_perms
calls are necessary.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105411 13f79535-47bb-0310-9956-ffa450edef68

Fix CAN-2004-0885:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.

Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105396 13f79535-47bb-0310-9956-ffa450edef68

Use the right length.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105354 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_connect): Return
502 not 501 if SSL_connect() fails for a proxy connection.

PR: 31083

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105252 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_shmcb.c (ssl_scahe_shmcb_init): If anonymous
shm is not supported, always remove the named segment first to cope
with unclean shutdowns.

PR: 21335 (continued)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105249 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c: Map "UID" suffix to the same OID
(2.5.4.45) for old and new versions of OpenSSL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105244 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_remain): New
function. (ssl_var_lookup_ssl_cert): Support _V_REMAIN suffix for
SSL_{SERVER,CLIENT} as number of days until certificate expires.

* modules/ssl_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if
+StdEnvVars is configured.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104700 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback
handling for AP_MODE_SPECULATIVE.

PR: 30134

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104687 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify_CRL),
* server/log.c (ap_log_pid),
* server/mpm/prefork/prefork.c (accept_mutex_on, accept_mutex_off),
* support/htdbm.c (htdbm_list):
Fix some non-literal format strings (warnings from gcc -Wformat-security).

PR: 30585
Submitted by: Ulf Harnhammar (SITIC), Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104548 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix potential
infinite loop in ssl_io_input_getline if connection is aborted without
inctx->rc being set.

PR: 29964

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104547 13f79535-47bb-0310-9956-ffa450edef68

Tokenize the header while parsing it for the upgrade tokens and once the protocol has been upgraded, allow the request to complete encrypted.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104273 13f79535-47bb-0310-9956-ffa450edef68

Use the correct Apache-2.x EBCDIC conversion function (not the old apache-1.3 routine)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@104082 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (bio_filter_out_flush): Create a new
brigade for sending output after passing on the current one.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103967 13f79535-47bb-0310-9956-ffa450edef68

Add "SSLUserName" directive to set r->user based on a chosen SSL
environment variable name.

* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.

* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
the value of the chosen SSL environment variable.

* modules/ssl/mod_ssl.c: Add SSLUserName config directive.

PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103834 13f79535-47bb-0310-9956-ffa450edef68

Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag
which uses the server's cipher preference order rather than the
client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68

Drop support for the "CompatEnvVars" argument to SSLOptions, which was
never implemented in 2.0 and never needed to be.

* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.

* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103829 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache.c (ssl_scache_expire): Remove unused function.

* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_expire): Likewise.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_expire): Likewise.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_expire): Make static.

* modules/ssl/ssl_private.h: Remove prototypes.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103793 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_util.c, modules/ssl/ssl_private.h: Remove unused
functions ssl_util_strupper, ssl_util_ptxtstub, and
ssl_util_uuencode*.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103755 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer
overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
functions.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103754 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Fix gcc
strict-aliasing warning.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103688 13f79535-47bb-0310-9956-ffa450edef68

Fix SEGV in 'shmcb' session cache:
When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68

In the newer versions of OpenSSL, the flag SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.

PR: 26562
Reviewed by: Geoff Thorpe, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103165 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_cleanup): Don't try and
send an SSL shutdown from a pool cleanup.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103156 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_log.c (ssl_log_annotation): const-ify more.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102943 13f79535-47bb-0310-9956-ffa450edef68

Pick up mod_status.h

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102938 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation,
ssl_log_ssl_error): const-ify annotation strings and simplify
ssl_log_annotation.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102927 13f79535-47bb-0310-9956-ffa450edef68

Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:

* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.

* support/Makefile.in: Link ab against SSL_LIBS.

* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.

PR: 17217

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102870 13f79535-47bb-0310-9956-ffa450edef68

Allow the enabled flag to be set to more than just TRUE or FALSE so that
the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102860 13f79535-47bb-0310-9956-ffa450edef68

Allow the enabled flag to be set to more that just TRUE or FALSE so that
the OPTIONAL flag is correctly merged within the
ssl_config_server_merge() function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102859 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_Engine): Log the OpenSSL
error stack contents if engine load/init fails.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102857 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print
an unsigned long.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102856 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup,
ssl_var_lookup_ssl_cipher): Use apr_itoa instead of psprintf %d.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102855 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars (ssl_var_lookup): const'ify result and
drop a bunch of casts; use apr_table_get directly in place of
ssl_var_lookup_header.
(ssl_var_lookup_header): Remove function.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102854 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars (ssl_var_lookup): Optimise such that
lookup of SSL_* variables (the common case) requires 2 rather than 29
strcasecmp calls before getting to ssl_var_lookup_ssl().

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102851 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/mod_ssl.h: Declare ssl_is_https optional function.

* modules/ssl/ssl_engine_vars (ssl_is_https): New function.
(ssl_var_register): Register it.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102850 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars (ssl_var_lookup): Fix potential
segfaults if called with r=NULL, c!=NULL, spotted by Andr��.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102849 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_disable,
ssl_io_filter_error): Clear the SSL * pointer in the SSLConnRec too.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102819 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Simplify
to use apr_pstrmemdup.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102815 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): For a DN
which includes several RDNs with the same OID, allow lookup of any
particular RDN using an "_<n>" suffix on the name.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102813 13f79535-47bb-0310-9956-ffa450edef68

Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.

* Makefile.in (install-include): Only install mod_ssl.h.

* modules/ssl/ssl_private.h: New file.

* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.

* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h

* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.

* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102803 13f79535-47bb-0310-9956-ffa450edef68

Relicense.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102799 13f79535-47bb-0310-9956-ffa450edef68

Send the 'Close Alert' message to the peer upon closing a SSL session. This
required creating a new EOC (End-Of-Connection) bucket type to notify mod_ssl
that the connection is about to be closed.

Reviewed by: Joe Orton, Justin Erenkrantz

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102793 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_disable): Don't leak an
SSL structure for each plain-HTTP-on-SSL-port request.

PR: 27106

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102770 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Wording
tweaks.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102747 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_init): Use an
anonymous shm segment by default or fall back on name-based shm.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102746 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_pphrase.c: Note that the ERR_clear_error()
call is not merely a cosmetic fix in light of PR 21160.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102628 13f79535-47bb-0310-9956-ffa450edef68

fix name of The Apache Software Foundation

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102618 13f79535-47bb-0310-9956-ffa450edef68

fix copyright dates according to the first check in

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102573 13f79535-47bb-0310-9956-ffa450edef68

apply Apache License, Version 2.0

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102525 13f79535-47bb-0310-9956-ffa450edef68

We need the SSL module dir in our path in order to compile mod_ssl.
Otherwise, we can't find mod_ssl.h.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102515 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_io.c (ssl_io_filter_output): Use non-blocking
bucket reads whilst data remains available; flush when a read returns
EAGAIN. Fixes streaming nph- CGI scripts over SSL.

PR: 21944
Inspired by: Jeff Trawick

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102397 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl): Fix segfault if
SSL_get_session() returns NULL.

PR: 15057
Submitted by: Otmar Lendl (lendl@nic.at)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102281 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_scache_dc.c: Add the Apache Software License.

* modules/ssl/mod_ssl.h: Undo accidental comment change in previous
commit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102228 13f79535-47bb-0310-9956-ffa450edef68

Add support to mod_ssl for a distributed session cache using
distcache.

* LAYOUT: Update for removal of scache_shmht and addition of scache_dc.

* modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo.

* modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck).

* modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow
use of dc: argument.

* modules/ssl/ssl_scache_dc.c: New file.

* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove,
ssl_ext_status_hook): Hook into scache_dc.

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102227 13f79535-47bb-0310-9956-ffa450edef68

update license to 2004.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102135 13f79535-47bb-0310-9956-ffa450edef68

We need the error strings loaded as early as possible

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102067 13f79535-47bb-0310-9956-ffa450edef68

get mod_ssl.dsp to load again
(we *x weenies have to be careful :) )

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102062 13f79535-47bb-0310-9956-ffa450edef68

Fix format string warnings from gcc on amd64:

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_store):
Print apr_size_t using APR_SIZE_T_FMT.

* modules/ssl/ssl_engine_io.c (ssl_filter_write): Print difference
between sizes using APR_SSIZE_T_FMT, apr_size_t using APR_SIZE_T_FMT.

* modules/proxy/proxy_http.c (ap_proxy_http_request): Print
apr_uint64_t using APR_UINT64_T_HEX_FMT.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102037 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/mod_ssl.h: Remove prototypes for shmht.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101900 13f79535-47bb-0310-9956-ffa450edef68

Extend mod_status output to include SSL session cache status
information:

* modules/ssl/mod_ssl.c (ssl_hook_pre_config): Call
ssl_scache_status_register.

* modules/ssl/ssl_scache.c (ssl_scache_status): Removed function.
(ssl_ext_status_hook): Renamed from ssl_ext_ms_display: switch to
2.1's mod_status "status_hook" API.
(ssl_scache_status_register): Register optional hook.

* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_status): Adjust to use
new API.

* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_status): Adjust
to use new API.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101889 13f79535-47bb-0310-9956-ffa450edef68

Remove shmht session cache in favour of shmcb; shmht has had
data corruption bugs since being apr_rmm'ified.

* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.

* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.

* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.

* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.

* ssl_scache.c: Remove shmht hooks throughout.

* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101888 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_log_handler_x): Fix
unused variable from previous commit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101881 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Only call
ssl_var_lookup_ssl for a real SSL connection; fix lookup of "HTTPS"
for non-SSL connections.
(ssl_var_log_handler_x): Give results for non-SSL connections too;
e.g. %{HTTPS}x does the right thing.

PR: 23956

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101880 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_version):
Determine the library version string at run-time rather than at
compile-time.

Submitted by: Eric Seidel <eseidel@apple.com>
PR: 23956

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101879 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.

PR: 24030

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101878 13f79535-47bb-0310-9956-ffa450edef68

Sync with APR-util deprecated functions.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101789 13f79535-47bb-0310-9956-ffa450edef68

* ssl_engine_log.c (ssl_log_ssl_error): Use the thread-safe
interface for retrieving error strings.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101625 13f79535-47bb-0310-9956-ffa450edef68

Fix missing human-readable error information in SSL log messages:

* mod_ssl.c (ssl_cleanup_pre_config): Don't free the error strings,
since they can't be loaded again once.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101624 13f79535-47bb-0310-9956-ffa450edef68

* modules/ssl/ssl_engine_vars.c (ssl_var_log_handler_c): Fix
segfault on a non-SSL request.

PR: 22741
Submitted by: Gary E. Miller <gem@rellim.com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101534 13f79535-47bb-0310-9956-ffa450edef68

Fix a cosmetic issue where OpenSSL 0.9.7 will dump the error stack
during pass phrase entry.

* ssl_engine_pphrase.c (ssl_pphrase_Handle): Clear the OpenSSL error
stack before reading the private key.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101515 13f79535-47bb-0310-9956-ffa450edef68

SSL-C doesn't declare the char* file arg const, so we shouldn't either.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101303 13f79535-47bb-0310-9956-ffa450edef68

These silent errors have bitten me a few times, now that we
use APR'd dbm. mod_ssl had hacked sdbm for larger sizes.

PR:
Obtained from:
Submitted by:
Reviewed by:

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101214 13f79535-47bb-0310-9956-ffa450edef68

  Simplify includes - we always (in HTTPD 2.1 forward) are looking
  for the openssl/foo.h headers explicitly.  Fix the abs.dsp build
  to define HAVE_OPENSSL instead of USE_SSL so the correct headers
  are included upfront.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101195 13f79535-47bb-0310-9956-ffa450edef68

switch to APR 1.0 API (which is still in flux)

because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101154 13f79535-47bb-0310-9956-ffa450edef68

* ssl_engine_io.c (ssl_io_filter_connect): Check the
library code as well as the reason code when looking for the
plain-HTTP-request error.

Submitted by: Stephen Henson <steve@openssl.org>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101135 13f79535-47bb-0310-9956-ffa450edef68

Make mod_ssl consistent with itself when you have a halfass install of
openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied. otherwise, mod_ssl
will fail to link.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100970 13f79535-47bb-0310-9956-ffa450edef68

Trivial change to reporting an error when an identity spoof is
encountered with respect to FakeBasicAuth.

Submitted by: Greg Stein

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100941 13f79535-47bb-0310-9956-ffa450edef68

Add an error msg when encountering a spoofed identity. If this would
have been here in the first place. Makes issues like these be found
easier in the future.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100937 13f79535-47bb-0310-9956-ffa450edef68

Fix FakeBasicAuth for subrequests.  This was reported via issue
#1364 in Subversion:

  http://subversion.tigris.org/issues/show_bug.cgi?id=1364

The fix is to make mod_ssl's check_user_id hook stop tripping
over it's own checks in case of a subrequest.  That is, it
should DECLINE in case of a subrequest.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100926 13f79535-47bb-0310-9956-ffa450edef68

  Although we initialize mc->pid in the child init phase,
  we haven't initialized it before initially performing
  our ssl_rand_seed() in the parent/postconfig phase.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100912 13f79535-47bb-0310-9956-ffa450edef68

Prevent the OpenSSL id_callback from pointing at a mod_ssl
function after mod_ssl is unloaded.

* ssl_util.c (ssl_util_thread_cleanup): Clear the id_callback.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100767 13f79535-47bb-0310-9956-ffa450edef68

Prevent segfaults after SSL renegotiation failures.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.

* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.

PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100720 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix a problem setting variables that represent the
client certificate chain.

PR: 21371

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100605 13f79535-47bb-0310-9956-ffa450edef68

not valid to modify string pointed to by szCryptoDevice... it points to a
static string or something parsed from the config

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100603 13f79535-47bb-0310-9956-ffa450edef68

Forward port patch for CAN-2003-0192 from 2.0.

SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100518 13f79535-47bb-0310-9956-ffa450edef68

  Narrow the scope of several OPENSSL-specific setup and teardown calls
  to only OpenSSL based builds.

  Also introduce success result for the registered cleanup callback
  to clean up a compiler emit.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100348 13f79535-47bb-0310-9956-ffa450edef68

Use portable macro instead of the (no longer working) Apache-1.3 code

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100314 13f79535-47bb-0310-9956-ffa450edef68

Needed on EBCDIC systems

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100313 13f79535-47bb-0310-9956-ffa450edef68

  Reaction to Jeff Trawick's observations that we are double-initializing
  dynalinked OpenSSL Engines and Configs.  Move the library teardown code
  so that it is torn down in the proper order, corresponding to when the
  library itself was initialized.  And leave a little reminder that some
  memory diagnostics would be good if OpenSSL is built for malloc debugging.

Suggested by: Geoff Thorpe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100288 13f79535-47bb-0310-9956-ffa450edef68

OPENSSL_load_builtin_modules -appears- to have been introduced in beta-1,
but boy is this a hassle to determine without gstein's viewcvs ;-)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100211 13f79535-47bb-0310-9956-ffa450edef68

Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms().  Allow the functions to be
called for any type of mutex.

This resolves a fatal problem with mod_rewrite on systems where
APR uses flock-based mutex.

It simplifies mod_ssl as well, which had special logic to perform
the chown().  It fixed an init error with mod_ssl on systems where
flock is used when the user had no SSLMutex directive.

The Unix MPMs continue to call unixd_set_global|proc_mutex_perms()
only for SysV sems.  There is no permission problem with flock-based
accept mutexes since the child init logic for the MPMs is done
prior to switching identity.

PR:              20312

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100189 13f79535-47bb-0310-9956-ffa450edef68

  The right patch (thanks to Eric for identifying the wrong patch) to move
  SSL_library_init() into the register hooks phase.  OpenSSL_add_ssl_algorithms
  devolves to SSL_library_init, which is the same for most toolkits (and would
  be accomodated in ssl_toolkit_config.h if not.)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100136 13f79535-47bb-0310-9956-ffa450edef68

Revert revision 1.81 which called non-existent SSL_load_library.

No idea where this was seen, but OpenSSL 0.9.7b does not have this. This
gets mod_ssl working again.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100122 13f79535-47bb-0310-9956-ffa450edef68

  OpenSSL_add_all_algorithms is simply an alias for SSL_load_library.

  Note that the entire schema of what-we-load-how follows from
  OpenSSL 0.9.7's own apps/ example applications.  More review
  is greatly desired, but that's where I believed I should
  start looking for the 'correct' order of operations.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100110 13f79535-47bb-0310-9956-ffa450edef68

  Provide a far more useful explanation when SSLCryptoDevice fails to
  find a device.  Still would be nice to implement dynamic:{options}
  but this gets us to display the usual, builtin devices.

  We now load builtin engines up front, in the pre_config phase, because
  this and any other config cmd processor must have an already valid
  library config.  So loading builtin engines becomes redundant in this
  cmd handler.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100108 13f79535-47bb-0310-9956-ffa450edef68

  Solve a pretty horrific bug in SSLCryptoDevice and other places where
  the config cmd processors should be examining the SSL context.  We must
  initialize the SSL library before we can actually obtain any useful
  information from the SSL library.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100107 13f79535-47bb-0310-9956-ffa450edef68

  Based on list discussion between myself and Geoff, it seems prudent
  to check for both the existence of the openssl/engine.h header file
  and some 'expected function' such as ENGINE_init() (better suggestions
  are welcome.)  Also clear up some confusion; so long as we have
  ENGINE_load_builtin_engines() we should attempt to preload those.

  This patch protects all ENGINE-based code within the tests for the
  engine header and function, and changes a version test into a
  function test.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100104 13f79535-47bb-0310-9956-ffa450edef68