Since r1908537 BIO_set_callback_ex is used with OpenSSL >= 3.0 instead of
BIO_set_callback to set the BIO callback. The meaning of parameters and
their range of values in the callback function set by BIO_set_callback_ex
has changed compared to the callback function set by BIO_set_callback
although parameters kept their names. Accommodate for this and adjust the
code accordingly.
Furthermore limit the size of dumps to APR_UINT16_MAX bytes. Given the length
of SSL records of 16k this should not have practical implications.
* Changelog for r1918880
mod_ssl: Let modssl_set_io_callbacks() decide which callback is needed.
* modules/ssl/ssl_private.h:
Add conn_rec and server_rec args to modssl_set_io_callbacks().
* modules/ssl/ssl_engine_io.c(modssl_set_io_callbacks):
Don't set modssl_io_cb for log levels below TRACE4.
Yann Ylavic [Wed, 26 Jun 2024 14:51:32 +0000 (14:51 +0000)]
mod_proxy: Fixup UDS filename for mod_proxy called through r->handler.
* modules/proxy/proxy_util.c:
Export ap_proxy_fixup_uds_filename() from fix_uds_filename.
Call it from ap_proxy_pre_request() even for rewritten balancer workers.
Joe Orton [Fri, 21 Jun 2024 14:31:54 +0000 (14:31 +0000)]
Merge r1917578 from trunk:
On Linux use the real thread id via gettid() in error logging,
where available, rather than the (meaningless) default
pthread_self()-as-integer interpretation:
* configure.in: Define DEFAULT_LOG_TID on Linux if gettid() is available.
* server/log.c: Define DEFAULT_LOG_TID as NULL by default.
(do_errorlog_default): Use DEFAULT_LOG_TID as the argument to log_tid().
* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
bio_filter_in_read): #ifdef-out reneg protection if
SSL_OP_NO_RENEGOTATION is defined.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Enable SSL_OP_NO_RENEGOTATION.
(ssl_init_ctx_callbacks): Only enable the "info" callback if
debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTATION.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
modssl_set_reneg_state to set the reneg protection mode.
(ssl_hook_Access_modern): Drop manipulation of the reneg mode which
does nothing for TLSv1.3 already.
(ssl_callback_Info): Only enable reneg protection if
SSL_OP_NO_RENEGOTATION is *not* defined.
* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.
mod_ssl: follow up to r1877397: fix SSL_OP_NO_RENEGOT*I*ATION typo.
Joe Orton [Mon, 17 Jun 2024 14:21:04 +0000 (14:21 +0000)]
Merge r1916863 from trunk:
* Ensure that we set the default DH parameters for the key
Replace else with an if as the if branch no longer ensures that
custome DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
no longer set and thus effectively disabling DH ciphers when no explicit
DH parameters are set.
Add experimental support for fd passing in mod_cgid. Attaches CGI
script stderr to the error log specific to the vhost, by passing the
appropriate fd over the AF_UNIX socket from the request handling
thread to the cgid server process.
* modules/generators/mod_cgid.c (sock_readhdr): New function, also
returns auxiliary control data (the stderr fd) if available.
(sock_write): Take optional aux fd argument, send it as control
data. (send_req, get_req): Adjust accordingly to pass/receive the
stderr fd.
(cgid_server): Use passed fd if available, limit the lifetime.
PR: 60692
mod_cgid: Continuation of r1862968, experimental fd passing support.
Split out CGI bucket implementation from mod_cgi and use in both
mod_cgi and mod_cgid, bringing stderr handling in mod_cgid up to par
with mod_cgi. (There is a lot of code which has been copied between
mod_cgi{,d} so there's scope for further reduction of source
duplication between the modules using this header)
* modules/generators/cgi_common.h: Copied from mod_cgi.c, removed
everything but the CGI bucket implementation with only one change:
(struct cgi_bucket_data, cgi_bucket_create, cgi_bucket_read): Take a
timeout on bucket creation, store and use on reads.
* modules/generators/mod_cgi.c [APR_FILES_AS_SOCKETS]: Include
cgi_common.h.
(cgi_handler): Pass configured timeout to CGI bucket.
* modules/generators/mod_cgid.c: Include cgi_common.h.
(log_script_err): Copy from mod_cgi.c.
(log_script): Use log_script_err.
(send_req): Take fd for stderr.
(cgid_child_errfn): Handle fd-passing case by writing error
to stderr for client to pass through ap_log_rerror.
(cgid_handler): Create pipe for stderr, pass write-end to
server via send_req, use read-end to create CGI bucket. Handle
stderr output in failure paths.
PR: 54221
* modules/generators/mod_cgid.c (sock_readhdr): Only set up control
message block when required; add some additional error handling.
* modules/generators/cgi_common.h (cgi_bucket_create):
Disable APR timeout handling here for all callers.
* modules/generators/mod_cgi.c (cgi_handler): ... drop it here.
PR: 63797
Move common (and near-identical) code for CGI response output handling
to cgi_common.h; the diff between the modules for this code was as
follows:
Change from previous: mod_cgi will now explicitly discard output when
returning HTTP_MOVED_TEMPORARILY for relative redirects (should not be
functionally different), TRACE1 logging of ap_pass_brigade failures
for mod_cgid is dropped.
* modules/generators/cgi_common.h (cgi_handle_response): New function,
factored out from mod_cgid.
(discard_script_output): Copied function from mod_cgi/d unchanged.
* modules/generator/mod_cgid.c (cgid_handler),
modules/generator/mod_cgi.c (cgi_handler): Use cgi_handle_response.
Fix build broken w/o --enable-cgid-fdpassing by r1867968:
* modules/generators/cgi_common.h: Only define CGI bucket type
if WANT_CGI_BUCKET is defined.
* modules/generators/mod_cgi.c: Always include cgi_common.h, defining
WANT_CGI_BUCKET iff APR_FILES_AS_SOCKETS is defined
* modules/generators/mod_cgid.c: Always include cgi_common.h, defining
WANT_CGI_BUCKET iff HAVE_CGID_FDPASSING (--enable-cgid-fdpassing).
Add comment, no functional change.
* modules/generators/cgi_common.h (cgi_handle_request): Factor out
near-identical common code from mod_cgid, mod_cgi.
* modules/generators/mod_cgid.c (cgid_handler),
modules/generators/mod_cgi.c (cgi_handler):
Adjust to use cgi_handle_request.
* modules/generators/cgi_common.h (cgi_handle_request): Catch
(unlikely) apr_bucket_read() failure when reading request.
* modules/generators/mod_cgid.c (cgid_handler): Bail immediately with
a 503 response on errors when talking to the daemon. Check the pid
returned is not zero.
* modules/generators/mod_cgid.c (get_req): Add basic sanity
checking for the structure received in the CGI daemon.
* modules/generators/mod_cgid.c (get_cgi_pid): Fix test for pid=0.
(cgid_handler): Remove duplicated test for pid=0 here added in
r1879119.
* modules/generators/cgi_common.h (cgi_handle_response): Avoid trying
to read the output brigade twice in the case of a timeout.
PR: 64709
Further re-unification of code duplicated across mod_cgi/mod_cgid into
cgi_common.h. Functional changes:
- brings the PR 61980 fix to mod_cgid as well, and
- some mod_cgid-specific APLOGNOs are dropped in favour of the
code used in the equivalent error path in mod_cgi
... otherwise no user-visible changes (intended).
* modules/generators/cgi_common.h (log_scripterror, log_script_err): Move
here from mod_cgi.
(cgi_handle_exec): Move here, renamed from mod_cgi's handle_exec.
(cgi_optfns_retrieve): New function, split out from mod_cgi's cgi_post_config.
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).
* mod_md:
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_03_not_found and
test_h2_800_05_non_ws_delay_resource) due to
additional RST messages.
projects / thirdparty / apache / httpd.git / log
