Jim Jagielski [Thu, 26 Nov 2015 13:44:39 +0000 (13:44 +0000)]
Merge r1711728, r1713209 from trunk:
For the "SSLStaplingReturnResponderErrors off" case, make sure to only
staple responses with certificate status "good". Also avoids including
inaccurate responses when the OCSP responder is not completely up
to date in terms of the CA-issued certificates (and provides interim
"unknown" or "extended revoked" [RFC 6960] status replies).
Log a certificate status other than "good" in stapling_check_response().
Propagate the "ok" status from stapling_check_response() back via both
stapling_renew_response() and get_and_check_cached_response() to the
callback code in stapling_cb(), enabling the decision whether to include
or skip the response.
insert missing LOGNO in ssl_util_stapling.c
Submitted by: kbrand
Reviewed/backported by: jim
Jim Jagielski [Thu, 26 Nov 2015 13:42:42 +0000 (13:42 +0000)]
Merge r1710095, r1710105, r1711902 from trunk:
core: Limit to ten the number of tolerated empty lines between request,
and consume them before the pipelining check to avoid possible response
delay when reading the next request without flushing.
Before this commit, the maximum number of empty lines was the same as
configured LimitRequestFields, defaulting to 100, which was way too much.
We now use a fixed/hard limit of 10 (DEFAULT_LIMIT_BLANK_LINES).
check_pipeline() is changed to check for (up to the limit) and consume the
trailing [CR]LFs so that they won't be interpreted as pipelined requests,
otherwise we would block on the next read without flushing data, and hence
possibly delay pending response(s) until the next/real request comes in or
the keepalive timeout expires.
Finally, when the maximum number of empty lines is reached in
read_request_line(), or the request line does not contain at least a method
and a (valid) URI, we can fail early and avoid some failure detected in
further processing.
core: follow up to r1710095.
Simplify logic in check_pipeline(), and log unexpected errors.
core: follow up to r1710095, r1710105.
We can do this in a single (no inner) loop, and simplify again the logic.
mod_ssl: performing protocol switch directly after ALPN selection, mod_http2: connection hook inits network filters to force TLS handshake, reads input only if H2Direct explicitly enabled, changes H2Direct default to off even for cleartext connections
new ap_is_allowed_protocol() for testing configured protocols, added H2Upgrade on/off directive, changed H2Direct default back to on when h2c is in Protocols
moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl
mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any regnegotiation in presence of master connection
announce protocol choices on first request
fixing compilation issue for older platforms
disabling protocol upgrades on slave connections
first request on master connection only reports more preferred protocols in Upgrade header
mod_ssl: follow up to r1709602.
Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to
process_connection hook (r1709602) along with H2Direct speculative read.
Submitted by: icing, ylavic
Reviewed/backported by: jim
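The blank-line tolerance and early-failure rules from the core merge above (r1710095 and follow-ups), modelled as an added Python illustration; this is not httpd's C implementation, and the behaviour when the limit is exceeded inside the pipelining check is an assumption noted in the comments.

```python
# Added example: models the "at most DEFAULT_LIMIT_BLANK_LINES empty lines"
# rule and the early request-line check described in the commit message.
# Illustrative Python, not httpd's own read_request_line()/check_pipeline().
import re

DEFAULT_LIMIT_BLANK_LINES = 10  # fixed limit named in the commit message

# Minimal request-line shape: METHOD SP URI [SP HTTP-version]
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_REQUEST_LINE = re.compile(rb"^(" + _TOKEN + rb") ([^ \t]+)(?: (HTTP/\d\.\d))?$")


def consume_blank_lines(buf: bytes, limit: int = DEFAULT_LIMIT_BLANK_LINES):
    """Skip leading [CR]LF lines, tolerating at most `limit` of them.
    Returns (rest, count); raises ValueError once the limit is exceeded so
    the caller can fail early instead of reading on."""
    pos, count = 0, 0
    while True:
        if buf.startswith(b"\r\n", pos):
            step = 2
        elif buf.startswith(b"\n", pos):
            step = 1
        else:
            return buf[pos:], count
        count += 1
        if count > limit:
            raise ValueError("too many empty lines before request line")
        pos += step


def has_pipelined_request(buf: bytes, limit: int = DEFAULT_LIMIT_BLANK_LINES) -> bool:
    """check_pipeline()-style test run after a response: is real request data
    waiting, or only trailing [CR]LFs that must not delay the flush?"""
    try:
        rest, _ = consume_blank_lines(buf, limit)
    except ValueError:
        return True  # assumption: hand the garbage to read_request_line() to fail early
    return len(rest) > 0


def read_request_line(buf: bytes, limit: int = DEFAULT_LIMIT_BLANK_LINES):
    """Return (method, uri, version-or-None), or raise ValueError early when
    the blank-line limit is hit or the line lacks a method and a URI."""
    rest, _ = consume_blank_lines(buf, limit)
    line, sep, _tail = rest.partition(b"\n")
    if not sep:
        raise ValueError("incomplete request line")
    m = _REQUEST_LINE.match(line.rstrip(b"\r"))
    if not m:
        raise ValueError("request line lacks a method and a URI")
    method, uri, version = m.groups()
    return method.decode(), uri.decode(), (version.decode() if version else None)
```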
mod_ssl: forward EOR (only) brigades to the core_output_filter().
mod_ssl: don't FLUSH output (blocking) on read.
This defeats deferred write (and pipelining), e.g. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).
mod_ssl: follow up to r1705823.
Oops, every #if needs a #endif...
mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),
the core output filter needs them.
Proposed by: jorton
mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.
Add CHANGES entry, and restore ap_process_request_after_handler()'s comment
as prior to r1705194 (the change makes no sense now).
mod_ssl: follow up to r1705823.
We still need to flush in the middle of an SSL/TLS handshake.
mod_ssl: follow up to r1705823.
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).
mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().
Graham Leggett [Tue, 3 Nov 2015 13:27:54 +0000 (13:27 +0000)]
mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
fields as described in RFC7230. See OWS definition.
Submitted by: jailletc36
Reviewed by: ylavic, minfrin
Jim Jagielski [Tue, 3 Nov 2015 11:58:58 +0000 (11:58 +0000)]
Merge r1707831 from trunk:
PR 53845: Remove commented config regarding DNT because the spec now has CR status (confirming our interpretation) and MS has committed to changing their implementation: http://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/
Submitted by: fielding
Reviewed/backported by: jim
Rainer Jung [Sun, 25 Oct 2015 11:57:28 +0000 (11:57 +0000)]
Extend expression parser registration to support
ssl variables in any expression using
mod_rewrite syntax "%{SSL:VARNAME}" or function
syntax "ssl(VARNAME)".
mod_proxy: only cleanup the socket for a connection asked to be closed but
whose address can still be reused.
This saves unnecessary socket pool destroy and creation at cleanup and reuse
time, plus the same initialization of conn->pool's associated data which can
be reused in that case.
mod_proxy: don't recycle backend announced "Connection: close" connections.
Failing to do this may lead to a race condition where we send a new request
before the backend really closes the connection (or a lost SSL-Alert/FIN makes
us think the connection is still alive, until the retransmission).
Rainer Jung [Tue, 6 Oct 2015 19:31:59 +0000 (19:31 +0000)]
Add a docs remark about "SSLOptions StdEnvVars"
being not necessary for mod_rewrite
"%{SSL:VARIABLE}" feature and for the mod_ssl
extensions to mod_log_config (%{VARIABLE}x).
mod_substitute: follow up r1684900.
Introduce the SubstituteInheritBefore directive to configure the merge order.
This allows preserving the 2.4 and earlier behaviour.
mod_substitute: follow up to r1687539.
Use a tristate single inherit_before variable instead of two, according to
wrowe's advice.
mod_substitute: follow up to r1687680.
Fix dir config merger 'over'-write, thanks Bill (again).
Very difficult to read, and therefore was wrong.
Assert that the SubstituteInheritBefore option was explicitly toggled,
and do not default in 2.x to this legacy behavior.
Optimize in all cases that the members are all explicitly initialized.
Useful for 2.2 and 2.4, but trunk will require the subsequent patch.
Increase legibility of the max_line_length behavior, and adjust for
the requirement that all members are initialized explicitly due to
the previous patch.
Net -8 LoC, my usual specialty.
This didn't need to be reinvented; please use established helpers.
mod_substitute: follow up r1688339.
SubstituteInheritBefore is the default in 2.5.x but wasn't for earlier versions.
mod_substitute: follow up r1697013.
Update the doc.
Submitted by: niq, ylavic, ylavic, ylavic, wrowe, wrowe, wrowe, wrowe, ylavic, ylavic
Reviewed/backported by: jim