<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/apache/httpd.git/modules/ssl/ssl_util_stapling.c, branch 2.4.17-protocols-changes</title>
<subtitle>github.com: apache/httpd.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/'/>
<entry>
<title>Merge r1679032, r1679192, and r1680276 from trunk:</title>
<updated>2015-05-23T11:13:21+00:00</updated>
<author>
<name>Jeff Trawick</name>
<email>trawick@apache.org</email>
</author>
<published>2015-05-23T11:13:21+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=f940bb84e3d8b314e92a6669385ce236de1b0839'/>
<id>f940bb84e3d8b314e92a6669385ce236de1b0839</id>
<content type='text'>
r1679032:

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate.  mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it.  (A further, unrelated
code change to mod_ssl is required to allow the use of memcache 
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

r1679192:

Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:

OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681320 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
r1679032:

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate.  mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it.  (A further, unrelated
code change to mod_ssl is required to allow the use of memcache 
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

r1679192:

Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:

OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681320 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1641077, r1641095 from trunk:</title>
<updated>2014-12-16T13:06:19+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2014-12-16T13:06:19+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=1910951711da2a1e7059391306b70f6744585d26'/>
<id>1910951711da2a1e7059391306b70f6744585d26</id>
<content type='text'>
mod_ssl: Fix recognition of OCSP stapling responses that are encoded
         improperly or too large.

The one byte "ok" flag stored with the response was accounted for in
the wrong condition.


follow up to r1641077: 

one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1645935 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mod_ssl: Fix recognition of OCSP stapling responses that are encoded
         improperly or too large.

The one byte "ok" flag stored with the response was accounted for in
the wrong condition.


follow up to r1641077: 

one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1645935 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1629372, r1629485, r1629519 from trunk:</title>
<updated>2014-10-27T12:50:05+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2014-10-27T12:50:05+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=8ac9c67bcf2a66216edef5c1fc3a584a23b2801f'/>
<id>8ac9c67bcf2a66216edef5c1fc3a584a23b2801f</id>
<content type='text'>
Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
  ssl_stapling_certid_free (used with apr_pool_cleanup_register).
  Switch to a stapling_certinfo hash which is keyed by the SHA-1
  digest of the certificate's DER encoding, rework ssl_stapling_init_cert
  to only store info once per certificate (allocated from the pconf
  to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for
  ssl_stapling_init_cert, replace ssl_stapling_ex_init with
  ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh &lt;alex alex.org.uk&gt;


Follow up to r1629372: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).
Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
  ssl_stapling_certid_free (used with apr_pool_cleanup_register).
  Switch to a stapling_certinfo hash which is keyed by the SHA-1
  digest of the certificate's DER encoding, rework ssl_stapling_init_cert
  to only store info once per certificate (allocated from the pconf
  to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for
  ssl_stapling_init_cert, replace ssl_stapling_ex_init with
  ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh &lt;alex alex.org.uk&gt;


Follow up to r1629372: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL &lt; 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).
Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1588853 from trunk:</title>
<updated>2014-05-07T12:52:13+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2014-05-07T12:52:13+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=ec031aa871fcda3174b959f1758750fd54af9aca'/>
<id>ec031aa871fcda3174b959f1758750fd54af9aca</id>
<content type='text'>
ssl_stapling_init_cert: do not return success when no responder URI is found
stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593002 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ssl_stapling_init_cert: do not return success when no responder URI is found
stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593002 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1544774, r1544812 from trunk:</title>
<updated>2014-01-21T16:44:48+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2014-01-21T16:44:48+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=8ee4c2a9d9a84bdef9d4e141614fedb1eee6e432'/>
<id>8ee4c2a9d9a84bdef9d4e141614fedb1eee6e432</id>
<content type='text'>
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.


Followup to r1544774: do not ignore failures from ssl_server_import_{cert,key}
in ssl_init_server_certs

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1560082 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.


Followup to r1544774: do not ignore failures from ssl_server_import_{cert,key}
in ssl_init_server_certs

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1560082 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge r1454888:</title>
<updated>2013-05-29T21:28:41+00:00</updated>
<author>
<name>Stefan Fritsch</name>
<email>sf@apache.org</email>
</author>
<published>2013-05-29T21:28:41+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=fa7e457cc8c5dd2c7fdc29232726e085a5ea4474'/>
<id>fa7e457cc8c5dd2c7fdc29232726e085a5ea4474</id>
<content type='text'>
  Typo

No code change


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1487648 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
  Typo

No code change


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1487648 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to</title>
<updated>2012-08-04T21:22:38+00:00</updated>
<author>
<name>Rainer Jung</name>
<email>rjung@apache.org</email>
</author>
<published>2012-08-04T21:22:38+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=2b159659a7c63aa7dfdba0f67bb4664aa6dd492a'/>
<id>2b159659a7c63aa7dfdba0f67bb4664aa6dd492a</id>
<content type='text'>
the main error log, pointing to the appropriate virtual host error log.

Backport of r1348660 from trunk.

Submitted by: sf
Reviewed by: rjung, covener
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1369464 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
the main error log, pointing to the appropriate virtual host error log.

Backport of r1348660 from trunk.

Submitted by: sf
Reviewed by: rjung, covener
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1369464 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>merge r1222917 from trunk:</title>
<updated>2011-12-24T06:35:20+00:00</updated>
<author>
<name>Kaspar Brand</name>
<email>kbrand@apache.org</email>
</author>
<published>2011-12-24T06:35:20+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=ea32bc39c2b7db5991df9c549ef3bd8e5d7c40b3'/>
<id>ea32bc39c2b7db5991df9c549ef3bd8e5d7c40b3</id>
<content type='text'>
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222920 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222920 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Backport r1209766, r1210252, r1210284:</title>
<updated>2011-12-05T00:08:01+00:00</updated>
<author>
<name>Stefan Fritsch</name>
<email>sf@apache.org</email>
</author>
<published>2011-12-05T00:08:01+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=b6ae8ca44adfc5fdf7ec83d8a4fc29ea5d257a55'/>
<id>b6ae8ca44adfc5fdf7ec83d8a4fc29ea5d257a55</id>
<content type='text'>
Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1210287 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1210287 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Cleanup effort in prep for GA push:</title>
<updated>2011-09-23T13:39:32+00:00</updated>
<author>
<name>Jim Jagielski</name>
<email>jim@apache.org</email>
</author>
<published>2011-09-23T13:39:32+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/apache/httpd.git/commit/?id=427c85bd2353796cbd8253854dd2fb2ccfbf8bdc'/>
<id>427c85bd2353796cbd8253854dd2fb2ccfbf8bdc</id>
<content type='text'>
Trim trailing whitespace... no func change



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1174751 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Trim trailing whitespace... no func change



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1174751 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
</feed>
