Joe Orton [Wed, 25 Jun 2025 12:53:18 +0000 (12:53 +0000)]
* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
handling inside mod_ssl where OpenSSL is built to handle that
internally in libssl.
Joe Orton [Wed, 25 Jun 2025 07:55:26 +0000 (07:55 +0000)]
mod_ssl: Accept expired client certs with optional_no_ca mode.
* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add
X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions
permitted for "optional_no_ca" mode.
In set_cookie_name() and set_cookie_name2(), now that the empty 'name' argument is explicitly handled, the error message in check_string() can be simplified because the cookie name can't be empty anymore when this function is called.
Joe Orton [Fri, 6 Jun 2025 10:36:00 +0000 (10:36 +0000)]
* modules/dav/fs/repos.c (dav_fs_remove_resource):
Return a 404 if apr_file_remove() fails with an ENOENT error,
likely due to a race with another DELETE.
Ruediger Pluem [Tue, 3 Jun 2025 15:12:14 +0000 (15:12 +0000)]
Ensure that ALL fields of the ap_listen_rec structure are initialized
alloc_listener initializes more fields in the created ap_listen_rec structure
than alloc_systemd_listener as it has more data to add to this structure.
Ensure that all fields of the ap_listen_rec structure are initialized at
least with 0 as later code using this structure depends on this.
Stefan Eissing [Fri, 30 May 2025 12:45:59 +0000 (12:45 +0000)]
*) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
Yann Ylavic [Thu, 22 May 2025 14:38:41 +0000 (14:38 +0000)]
mod_proxy: restore reuse of ProxyRemote connections when possible.
Fixes a regression from 2.4.59 (r1913907).
For a reverse proxy setup with a worker (enablereuse=on) and a
forward/CONNECT ProxyRemote to reach it, an open connection/tunnel
to/through the remote proxy for the same origin server (and using the
same proxy auth) should be reusable. Avoid closing them like r1913534
did.
* modules/proxy/proxy_util.c:
Rename the struct to remote_connect_info since it's only used for
connecting through remote CONNECT proxies. Axe the use_http_connect
field, always true.
* modules/proxy/proxy_util.c(ap_proxy_connection_reusable):
Remote CONNECT (forward) proxy connections can be reused if the auth
and origin server infos are the same, so conn->forward != NULL is not
a condition to prevent reusability.
* modules/proxy/proxy_util.c(ap_proxy_determine_connection):
Fix the checks around conn->forward reuse and connection cleanup if
that's not possible.
Joe Orton [Wed, 9 Apr 2025 10:17:24 +0000 (10:17 +0000)]
CI: Use the git commit hash to determine the revision of APR/APR-util
from the github repos, and build exactly that, rather than relying on SVN:
- works if apr/apr-util moves to a r/w git in the future
- removes a race for branches where the git revision tested
could be different to the SVN revision retrieved before
Joe Orton [Wed, 9 Apr 2025 08:01:24 +0000 (08:01 +0000)]
mod_ssl: Check the SSLProtocol directive when loading the configuration
Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".
With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with "httpd -t -f httpd.conf".
Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes #523
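The three combinations listed above all leave the set of enabled protocols empty, which is what the config-time check has to catch. As an added illustration, not mod_ssl's code or part of this commit, the following C program models the documented SSLProtocol keyword semantics (all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, each optionally prefixed with + or -, with an unprefixed keyword replacing the set built so far) and reports whether a directive value would be rejected. The bit values, the result codes and the sample directive strings are assumptions made for this example.

```c
/* Added example, not mod_ssl code: models the documented SSLProtocol keyword
 * semantics so that the "no protocol left" condition behind AH02231 can be
 * detected while the configuration is checked. Bit values and result codes
 * are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum {
    PROTO_NONE   = 0,
    PROTO_SSLV3  = 1 << 0,
    PROTO_TLSV1  = 1 << 1,
    PROTO_TLSV11 = 1 << 2,
    PROTO_TLSV12 = 1 << 3,
    PROTO_TLSV13 = 1 << 4,
    PROTO_ALL    = PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV11 | PROTO_TLSV12 | PROTO_TLSV13
};

/* Case-insensitive keyword match, as the directive accepts e.g. "tlsv1.2". */
static int kw_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Map one keyword (without its +/- prefix) to its bit, or -1 if unknown. */
static int keyword_bits(const char *w)
{
    if (kw_eq(w, "all"))     return PROTO_ALL;
    if (kw_eq(w, "SSLv3"))   return PROTO_SSLV3;
    if (kw_eq(w, "TLSv1"))   return PROTO_TLSV1;
    if (kw_eq(w, "TLSv1.1")) return PROTO_TLSV11;
    if (kw_eq(w, "TLSv1.2")) return PROTO_TLSV12;
    if (kw_eq(w, "TLSv1.3")) return PROTO_TLSV13;
    return -1;
}

/* Evaluate an SSLProtocol argument list left to right. Returns the resulting
 * bitmask, or -1 if a keyword is not recognised. */
static int parse_ssl_protocol(const char *arg)
{
    char buf[256];
    char *w;
    int set = PROTO_NONE;

    if (strlen(arg) >= sizeof buf)
        return -1;
    strcpy(buf, arg);
    for (w = strtok(buf, " \t"); w != NULL; w = strtok(NULL, " \t")) {
        char action = 0;
        int bits;

        if (*w == '+' || *w == '-')
            action = *w++;
        bits = keyword_bits(w);
        if (bits < 0)
            return -1;
        if (action == '-')
            set &= ~bits;          /* "-X": remove X from the current set */
        else if (action == '+')
            set |= bits;           /* "+X": add X to the current set */
        else
            set = bits;            /* no prefix: replaces whatever was set before */
    }
    return set;
}

/* Config-time verdict: 0 = usable, 1 = unknown keyword, 2 = no protocol
 * left (the situation that previously surfaced only at startup as AH02231). */
static int check_ssl_protocol(const char *arg)
{
    int set = parse_ssl_protocol(arg);
    if (set < 0)
        return 1;
    return set == PROTO_NONE ? 2 : 0;
}

int main(void)
{
    /* Constructed sample directive values, including the three from the commit. */
    static const char *const cases[] = {
        "all -SSLv3", "-TLSv1", "-all", "TLSv1.2 -TLSv1.2", "+TLSv1.2 +TLSv1.3", "TLSv9"
    };
    static const char *const verdict[] = { "ok", "unknown keyword", "no protocols left" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("SSLProtocol \"%s\" -> %s\n", cases[i], verdict[check_ssl_protocol(cases[i])]);
    return 0;
}
```

The interesting case is "TLSv1.2 -TLSv1.2": the first, unprefixed keyword replaces the (empty) starting set rather than adding to a default, so the subsequent "-TLSv1.2" empties it again; the same replace-then-subtract reasoning is why "-TLSv1" on its own yields nothing, since there is no default to subtract from.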
Joe Orton [Wed, 9 Apr 2025 07:43:49 +0000 (07:43 +0000)]
mod_asis: Fix the log level of the message AH01236
Change the log level from ERROR to DEBUG.
The message "mod_asis: ap_pass_brigade failed for file ..." was logged with
the level ERROR. This log level is inappropriate here, because a client can
trigger this log message by aborting the request.
Most other modules don't log at all or use the log level DEBUG when
ap_pass_brigade() fails.
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes #527
Stefan Eissing [Mon, 24 Mar 2025 12:48:09 +0000 (12:48 +0000)]
* mod_proxy_http2: revert r1912193 for detecting broken backend connections
as this interferes with backend selection when a node is unresponsive.
PR69624.
Stefan Eissing [Mon, 3 Mar 2025 12:32:31 +0000 (12:32 +0000)]
*) mod_md: update to version 2.0.30
- Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
Joe Orton [Fri, 14 Feb 2025 16:08:23 +0000 (16:08 +0000)]
mod_dav: Fix error handling for dav_fs_dir_file_name():
dav_fs_dir_file_name() will not set *fname_p to NULL on failure,
and the callers of dav_fs_dir_file_name() do not check the
return value of dav_fs_dir_file_name(), which could lead to
undefined behavior involving fname_p.
Fix this by adding a return value check of dav_fs_dir_file_name().
Joe Orton [Mon, 20 Jan 2025 17:01:17 +0000 (17:01 +0000)]
CI: Add 64-bit ARM job to Linux workflow. See:
https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
Stefan Eissing [Fri, 17 Jan 2025 16:12:28 +0000 (16:12 +0000)]
*) mod_http2: make test_h2_200_17+18 work reliably with
older and newer curl versions. Only a change in logging,
no function module change.
Newer curl sends a GOAWAY on connection shutdown which
triggers another code path that the test did not expect.
Thanks to Rainer Jung for tracking this down.
Stefan Eissing [Wed, 15 Jan 2025 12:48:52 +0000 (12:48 +0000)]
*) mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increased the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Changed a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
Ruediger Pluem [Mon, 13 Jan 2025 13:37:40 +0000 (13:37 +0000)]
* Do not add a space before '|' when setting the value for stickysession in the
balancer manager as this breaks the stickysession configuration once a new
configuration is submitted by the balancer manager.
Joe Orton [Wed, 8 Jan 2025 18:00:29 +0000 (18:00 +0000)]
* modules/generators/mod_autoindex.c (dsortf): Ensure the function
is transitive to avoid undefined behaviour, per:
https://www.qualys.com/2024/01/30/qsort.txt
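The property at stake is the comparator contract qsort() relies on: the result must be antisymmetric and transitive, otherwise the sort's behaviour is undefined and, as the Qualys write-up shows for glibc, can corrupt memory. As an added example that is not mod_autoindex's code or this commit's change, the C program below brute-forces that contract over a small constructed directory listing, contrasting a comparator with a "sizes within 10 bytes are equal, then sort by name" rule (which is not transitive) against a strict key order. The entry struct, the sample data and both comparators are constructed for this illustration.

```c
/* Added example, not mod_autoindex or httpd code. The "entry" struct, the
 * sample listing and both comparators are constructed for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct entry { const char *name; long size; };
typedef int (*cmp_fn)(const void *, const void *);

/* Constructed sample: 100 ~ 108 and 108 ~ 116 are "close" under a 10-byte
 * tolerance but 100 and 116 are not, which is what trips cmp_broken. */
static const struct entry SAMPLE[] = {
    { "c", 100 }, { "b", 108 }, { "a", 116 }, { "d", 300 }
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

static int sign(int v) { return (v > 0) - (v < 0); }

/* Non-transitive: "sizes within 10 bytes count as equal, then sort by name".
 * c ~ b (by name: b < c), b ~ a (a < b), but c vs a falls back to size
 * (c < a), so the three entries form a cycle and qsort() gets inconsistent
 * answers. */
static int cmp_broken(const void *pa, const void *pb)
{
    const struct entry *a = pa, *b = pb;
    long d = a->size - b->size;
    if (d >= -10 && d <= 10)
        return strcmp(a->name, b->name);
    return d < 0 ? -1 : 1;
}

/* Transitive: a strict key order, size first with name as the tie-breaker. */
static int cmp_fixed(const void *pa, const void *pb)
{
    const struct entry *a = pa, *b = pb;
    if (a->size != b->size)
        return a->size < b->size ? -1 : 1;
    return strcmp(a->name, b->name);
}

/* Count contract violations over every ordered pair and triple of base[]:
 *   antisymmetry: sign(cmp(a,b)) == -sign(cmp(b,a))  (so cmp(a,a) == 0)
 *   transitivity: cmp(a,b) <= 0 && cmp(b,c) <= 0  =>  cmp(a,c) <= 0
 * Returns 0 for a comparator that can safely be handed to qsort(). */
static int comparator_violations(cmp_fn cmp, const void *base, size_t n, size_t sz)
{
    const char *p = base;
    size_t i, j, k;
    int bad = 0;

    for (i = 0; i < n; i++)
        for (j = 0; j < n; j++)
            if (sign(cmp(p + i * sz, p + j * sz)) != -sign(cmp(p + j * sz, p + i * sz)))
                bad++;
    for (i = 0; i < n; i++)
        for (j = 0; j < n; j++)
            for (k = 0; k < n; k++)
                if (cmp(p + i * sz, p + j * sz) <= 0 &&
                    cmp(p + j * sz, p + k * sz) <= 0 &&
                    cmp(p + i * sz, p + k * sz) > 0)
                    bad++;
    return bad;
}

/* Copy the sample into out[], qsort() it with cmp, and report whether the
 * result is in non-decreasing order under that same comparator. */
static int sort_sample(cmp_fn cmp, struct entry *out)
{
    size_t i;
    memcpy(out, SAMPLE, sizeof SAMPLE);
    qsort(out, SAMPLE_N, sizeof out[0], cmp);
    for (i = 1; i < SAMPLE_N; i++)
        if (cmp(&out[i - 1], &out[i]) > 0)
            return 0;
    return 1;
}

int main(void)
{
    struct entry tmp[SAMPLE_N];

    printf("broken comparator: %d violation(s)\n",
           comparator_violations(cmp_broken, SAMPLE, SAMPLE_N, sizeof SAMPLE[0]));
    printf("fixed comparator:  %d violation(s)\n",
           comparator_violations(cmp_fixed, SAMPLE, SAMPLE_N, sizeof SAMPLE[0]));
    if (sort_sample(cmp_fixed, tmp))
        printf("sorted: %s %s %s %s\n", tmp[0].name, tmp[1].name, tmp[2].name, tmp[3].name);
    return 0;
}
```

Running the brute-force check over a representative sample of the real inputs (file names, sizes, mtimes, directory flags) is a cheap unit test for any comparator handed to qsort(); the triple loop is O(n^3) in the sample size, so keep the sample small and pick values that straddle each rule boundary.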
Joe Orton [Tue, 10 Dec 2024 17:20:36 +0000 (17:20 +0000)]
CI: Switch down to GCC 12, the ubuntu-latest image is not consistently
an Ubuntu 24.04 environment yet, this version should be available in
both the -22.04 and -24.04 images.
Stefan Eissing [Tue, 3 Dec 2024 09:47:26 +0000 (09:47 +0000)]
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
servers fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
Eric Covener [Sun, 1 Dec 2024 14:16:42 +0000 (14:16 +0000)]
Don't use AuthFormLoginRequiredLocation in inline
Intro to inline says:
If a non-authenticated user attempts to access a page protected by
mod_auth_form that isn't configured with a AuthFormLoginRequiredLocation
directive, a HTTP_UNAUTHORIZED status code is returned to the browser
indicating to the user that they are not authorized to view the page.
The entire point seems to be to keep the URL the same by using an internal redirect
via ErrorDocument, and AuthFormLoginRequiredLocation conflicts with it.
Submitted By: Rishikeshan Lavakumar/Sulochana <oss AT @rishikeshan.com>
Joe Orton [Wed, 20 Nov 2024 10:23:03 +0000 (10:23 +0000)]
* modules/aaa/mod_authnz_ldap.c (create_authnz_ldap_dir_config): Fix allocation
of sgAttributes, found by gcc -fanalyzer:
modules/aaa/mod_authnz_ldap.c: scope_hint: In function 'create_authnz_ldap_dir_config'
modules/aaa/mod_authnz_ldap.c:356:23: warning[-Wanalyzer-allocation-size]: allocated buffer size is not a multiple of the pointee's size