Doug MacEachern [Tue, 21 Aug 2001 05:57:13 +0000 (05:57 +0000)]
authentication/authorization hooks were backwards
make authentication hook run APR_HOOK_FIRST for FakeBasicAuth
PR:
Obtained from:
Submitted by:
Reviewed by:
Ryan Bloom [Mon, 20 Aug 2001 22:30:17 +0000 (22:30 +0000)]
Add the openssl/include/openssl directory to the INCLUDES variable.
This allows us to remove the openssl from the #include lines in the
mod_ssl files. This makes it easier to use a different SSL library,
with fewer changes to the mod_ssl files.
The purpose of this patch is to toggle the debugging mode (default) to
Program Database (from Program Database for Modify on the fly debugging).
The net effect of this patch is to clean up all of the irrelevant entries
associated with either the debugging or release command line switches, and
generally straighten the projects as they would be exported from VC6/SP5.
The outcome of this patch is that VC5 users -should- be able to load and
build the workspace without any errors (as they used to have no symbols
database at all, the /ZI option doesn't work, they had to use cvtdsp.pl
to toggle these to /Zi.)
Jeff Trawick [Thu, 16 Aug 2001 21:11:30 +0000 (21:11 +0000)]
check for timeout on socket read when we check for ECONNRESET and eof
previously, we'd die on an assert() (really nasty for threaded MPM) when
we hit a keepalive timeout for a browser like netscape which keeps the
connection open
Doug MacEachern [Thu, 16 Aug 2001 03:58:16 +0000 (03:58 +0000)]
enable ssl Translate, UserCheck, Access and Auth hooks
add support for renegotiation during the Access hook
this requires hooking into the read and write SSL BIOs in order to
flush data to the client and read from the filter chain
this also requires that the ssl filters become "aware" that
renegotiation is in progress so that the BIOs are left alone for
SSL_renegotiate/SSL_do_handshake in ssl_hook_Access to deal with
Doug MacEachern [Tue, 14 Aug 2001 17:03:03 +0000 (17:03 +0000)]
need to check return value of ssl_hook_process_connection
if != APR_SUCCESS the ssl connection has been shutdown
(for example client cert was revoked)
PR:
Obtained from:
Submitted by:
Reviewed by:
This patch conditionally builds against openssl 0.9.6b _if_ openssl is
unpacked and properly built (using pretty much the defaults) in the
srclib/openssl/ directory. Someday soon this needs to be more exhaustive,
but this should solve the 80% problem :)
enables the use of the ssl_var_lookup functionality in the various source
files in modules/ssl. The ap_hook_* functions are still not yet ported to
Apache 2.0 style
This patch eliminates the direct use of OS library calls (fopen and
other deprecated Apache 1.3 library utilities) from ssl_engine_pphrase.c
and ssl_util_ssl.c.
- eliminated the use of ssl_log - it used to cause seg faults during cleanup
since the conn_rec will no longer be valid.
- eliminated the "for (;;)" processing loop in ssl_io_filter_Output() -
we'll have to do that in churn_output() if required, so that any remaining
OpenSSL data (if available) is transferred before we call the
CloseConnection.
- Any remaining data in SSL should be cleaned up ideally in the
APR_BUCKET_IS_EOS() processing stage itself, as we close the SSL connection
here.
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: William Rowe
Register for %X, %c (we gotta make a decision, please vote if you care...
use %c's meaning from the historical SSL modules, or Bill Stoddard's
connection-terminated meaning? One will have to give.)
Apply mod_ssl MEGA porting patch. This is a cleaned up version of the
latest patches from Madhusudan which makes mod_ssl 95% working inside
Apache 2.0. There is still a lot of more work (both porting and cleanup)
to be done. See modules/ssl/README for details.
Roy T. Fielding [Thu, 10 May 2001 01:47:47 +0000 (01:47 +0000)]
Eventually we will want to only find openssl once regardless of how
many modules depend on it, so make the check an autoconf macro.
Note that this still isn't being checked "the autoconf way", but it
is better than what we have now.
I'm not sure about the -R stuff, but I am told that Solaris won't
build without it. This is something that should be tested using
AC_TRY_LINK rather than assuming openssl isn't already on the ld path.
Roy T. Fielding [Tue, 8 May 2001 04:42:26 +0000 (04:42 +0000)]
When no specific location of openssl is given, we need to check the
places where people install upgraded software first, since otherwise
we will get the older versions installed by the OS distribution. That's
very bad for us because we are requiring a version of openssl that is
more recent than most of the Linux distros.
When finding the openssl helper program, check both the PATH and the default
install dirs, since openssl isn't normally included on a user's path.
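A shell illustration of the search order described in this message, added here and not part of httpd's own configure machinery: upgraded-install prefixes are probed before the OS distribution's /usr, and a prefix is accepted only when its opensslv.h reports at least the required version, so a stale system OpenSSL is skipped rather than silently picked up. The candidate prefix list and the OPENSSL_VERSION_TEXT parsing are assumptions.

```shell
#!/bin/sh
# Added example, not httpd's configure code: probe OpenSSL install prefixes in
# priority order (upgraded installs before the OS distribution's /usr) and only
# accept one whose opensslv.h reports at least the required version.
# The candidate list below is an assumption modelled on the commit message.
OPENSSL_CANDIDATES="/usr/local/ssl /usr/local/openssl /usr/local /opt/openssl /usr"

# openssl_header_version PREFIX: print the version from OPENSSL_VERSION_TEXT in
# PREFIX/include/openssl/opensslv.h (e.g. "0.9.6b"), or nothing if absent.
openssl_header_version() {
    sed -n 's/^# *define OPENSSL_VERSION_TEXT[^"]*"OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' \
        "$1/include/openssl/opensslv.h" 2>/dev/null | head -n 1
}

# openssl_version_ge A B: succeed when version A >= B.  Versions are
# MAJOR.MINOR.FIX with an optional patch letter, so 0.9.6b > 0.9.6 > 0.9.5a.
openssl_version_ge() {
    awk -v a="$1" -v b="$2" '
        function key(v,    p, n, letter) {
            n = match(v, /[a-z]/)
            letter = n ? index("abcdefghijklmnopqrstuvwxyz", substr(v, n, 1)) : 0
            split(v, p, ".")
            return sprintf("%03d%03d%03d%03d", p[1], p[2], p[3] + 0, letter)
        }
        BEGIN { exit !(key(a) >= key(b)) }'
}

# find_usable_openssl MIN PREFIX...: print the first prefix that has
# include/openssl/ssl.h and a version >= MIN; fail if none qualifies.
find_usable_openssl() {
    _min=$1; shift
    for _p in "$@"; do
        [ -f "$_p/include/openssl/ssl.h" ] || continue
        _v=$(openssl_header_version "$_p")
        [ -n "$_v" ] || continue
        if openssl_version_ge "$_v" "$_min"; then
            echo "$_p"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: mod_ssl at this point required 0.9.6b (see the log above).
find_usable_openssl 0.9.6b $OPENSSL_CANDIDATES \
    || echo "no OpenSSL >= 0.9.6b found in: $OPENSSL_CANDIDATES" >&2
```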
Use APR_ADDTO to add to the make macros in order to avoid duplicates.
Port ssl_util_table.[ch] to Apache 2.0 by just removing all platform
dependent code (table_read, table_write). This is possible because this
table library is local to mod_ssl and inside mod_ssl this library is
used for manipulating hash tables inside shared memory segments only. So
we can just get rid of the unportable parts altogether.
Change mostly all old module structure hooks and EAPI hooks to
ap_hook_xxx equivalents. More work has to be done here to clean all this
up and reduce to a minimum...
Axe writev(2) support from the SSL I/O layer because in Apache 2.0 we no
longer handle the bottom line of I/O ourselves. Additionally this again
simplifies mod_ssl's I/O part for later transition to mod_tls's approach
with buckets.
Axe most WIN32 stuff from Apache 1.3. In Apache 2.0 we either use APR
later for this or we don't do it at all. But we certainly no longer want
to see any platform specific things inside a module.
Axe out SSL_CONSERVATIVE stuff which for Apache 1.3 did I/O data
pre-sucking on POST requests and I/O re-injection in case of SSL
renegotiations. This all either cannot be solved any longer or at least
has to be implemented totally differently through I/O layering/filtering.
Axe out SSL_USE_SDBM stuff, i.e., get rid of the local SDBM copy and use
APR's DBM API instead. The remaining question just is whether APR's DBM
allows "larger" things like SSL sessions to be stored...
Axe out the complete SSL_COMPAT stuff. Because Apache 2.0 is already
incompatible with Apache 1.3 in many places we also don't want this stuff
anymore. Apache 2.0's mod_ssl will be mostly compatible with Apache
1.3's mod_ssl, of course. But we really no longer want to be compatible
with Sioux and other obsolete SSL things...
Start writing down incompatibilities to mod_ssl 2.x from Apache 1.3.
Our general goal is to axe down mod_ssl to a minimum, because what we
don't have anymore we don't have to port, and the simpler mod_ssl becomes.
Nevertheless we will try to minimize incompatibilities if possible.
Axe out EAPI-based SSL_VENDOR stuff.
If we want this later again, we have to do it differently anyway. So,
for now we try to strip down mod_ssl as heavily as possible and hence we
kick out this stuff altogether.
Finalize the build environment by integrating the last thing (the
lex/yacc stuff) into Makefile.in and getting rid of the old Apache 1.3
Makefile.tmpl file.
Get rid of libssl.modules and libssl.version. libssl.version we
no longer need, because mod_ssl no longer has its own version.
libssl.modules is now more or less (except for the old custom Apache 1.3
configuration rules) replaced by the Autoconf based config.m4.