delta/apache/httpd.git/modules/ssl, branch 2.4.17-protocols-changes github.com: apache/httpd.git merged r1715023 as proposed by ylavic 2015-11-19T16:06:32+00:00 Stefan Eissing icing@apache.org 2015-11-19T16:06:32+00:00 7228bf6236c38452d77efe1ea460ea783ff6055a git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715202 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715202 13f79535-47bb-0310-9956-ffa450edef68
update merge of changes in 2.4.x 2015-11-19T14:58:52+00:00 Stefan Eissing icing@apache.org 2015-11-19T14:58:52+00:00 ca04f6867dab2c831da80bf09a67594e8da1e47c git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715192 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715192 13f79535-47bb-0310-9956-ffa450edef68
Merge r1705194, r1705823, r1705826, r1705828, r1705833, r1706275, r1707230, r1707231 from trunk: 2015-11-18T16:14:36+00:00 Jim Jagielski jim@apache.org 2015-11-18T16:14:36+00:00 f7debe933d1a1554f8fc0bf431bff8736e486527 mod_ssl: forward EOR (only) brigades to the core_output_filter(). mod_ssl: don't FLUSH output (blocking) on read. This defeats deferred write (and pipelining), eg. check_pipeline() is not expecting the pipe to be flushed under it. So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions are known to not handle all the cases, so we keep flushing with those). mod_ssl: follow up to r1705823. Oups, every #if needs a #endif... mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(), the core output filter needs them. Proposed by: jorton mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828. Add CHANGES entry, and restore ap_process_request_after_handler()'s comment as prior to r1705194 (the change makes no sense now). mod_ssl: follow up to r1705823. We still need to flush in the middle of a SSL/TLS handshake. mod_ssl: follow up to r1705823. Flush SSL/TLS handshake data when writing (instead of before reading), and only when necessary (openssl < 0.9.8m or proxy/client side). mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init(). Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1715014 13f79535-47bb-0310-9956-ffa450edef68 
mod_ssl: forward EOR (only) brigades to the core_output_filter().

mod_ssl: don't FLUSH output (blocking) on read.
This defeats deferred write (and pipelining), eg. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).


mod_ssl: follow up to r1705823.
Oups, every #if needs a #endif...

mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),
the core output filter needs them.

Proposed by: jorton


mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.
Add CHANGES entry, and restore ap_process_request_after_handler()'s comment
as prior to r1705194 (the change makes no sense now).


mod_ssl: follow up to r1705823.
We still need to flush in the middle of a SSL/TLS handshake.


mod_ssl: follow up to r1705823.
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).


mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1715014 13f79535-47bb-0310-9956-ffa450edef68
merge of 1708107,1709587,1709602,1709995,1710231,1710419,1710572,1710583 from trunk, addition of master conn_rec*, minor bump of mmn 2015-11-04T15:15:16+00:00 Stefan Eissing icing@apache.org 2015-11-04T15:15:16+00:00 8fbd8b191af5ec3218e91d3ae41a16d5813c7f5d git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1712567 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1712567 13f79535-47bb-0310-9956-ffa450edef68
Extend expression parser registration to support 2015-10-25T11:57:28+00:00 Rainer Jung rjung@apache.org 2015-10-25T11:57:28+00:00 c0a1206db728075700cc7bd1afcdab9c78ec6626 ssl variables in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function syntax "ssl(VARNAME)". Backport of r1707002 and r1709596 from trunk. Committed By: rjung Backported By: rjung Reviewed by: rjung, ylavic, sf git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1710433 13f79535-47bb-0310-9956-ffa450edef68 
ssl variables in any expression using
mod_rewrite syntax "%{SSL:VARNAME}" or function
syntax "ssl(VARNAME)".

Backport of r1707002 and r1709596 from trunk.

Committed By: rjung
Backported By: rjung
Reviewed by: rjung, ylavic, sf


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1710433 13f79535-47bb-0310-9956-ffa450edef68
merge r1703952 from trunk 2015-09-30T11:50:30+00:00 Kaspar Brand kbrand@apache.org 2015-09-30T11:50:30+00:00 ecf675884027e8d2d643d1006301bef092221aed Support compilation against libssl built with OPENSSL_NO_SSL3, and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3", in accordance with RFC 7568. PR 58349, PR 57120. Proposed by: kbrand Reviewed by: ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68 
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
merge r1702643 from trunk 2015-09-30T11:42:54+00:00 Kaspar Brand kbrand@apache.org 2015-09-30T11:42:54+00:00 181e083ddb30da04dd59e17d6fdfb5228c2b7af0 Append :!aNULL:!eNULL:!EXP to the cipher string settings, instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7 and later). Enables support for configuring the SUITEB* cipher strings introduced in OpenSSL 1.0.2. PR 58213. Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive. Proposed by: kbrand Reviewed by: ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68 
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
merge r1693792 from trunk 2015-09-30T11:38:34+00:00 Kaspar Brand kbrand@apache.org 2015-09-30T11:38:34+00:00 5e6194b6f402334299f25e76af8b743c1449b99b Add support for extracting the msUPN and dnsSRV forms of subjectAltName entries of type "otherName" into SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment variables. Addresses PR 58020. * docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the environment variables table * modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables * modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and adapt modssl_X509_getSAN to take an optional otherName form argument for the GEN_OTHERNAME case * modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype * modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table Proposed by: kbrand Reviewed by: ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68 
Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
  "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68
merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151, 2015-09-30T11:31:43+00:00 Kaspar Brand kbrand@apache.org 2015-09-30T11:31:43+00:00 b0dc766b75f07e25a0d5fcd79ee9da46ee5048b4 r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832, r1677834, r1677835 from trunk mod_ssl namespacing Proposed by: kbrand Reviewed by: ylavic, jorton mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo. For related discussion, see the dev@ thread starting at: http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2, and SSL_set_app_data2 from SSL_* to modssl_*. Update references in README.dsov.* files. Rename static variable SSL_app_data2_idx to just app_data2_idx since the symbol is internal to ssl_util_ssl.c. mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside ssl_util_ssl.c (no callers outside this file). The new static function name chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_ nor ASN1_ are safe prefixes to use without potential future overlap. mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to modssl_X509_NAME_ENTRY_to_string. mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the file ssl_util_ssl.c (no outside callers). Rename to just getIDs(). mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller ssl_init_proxy_certs() in ssl_engine_init.c. No functional change. Review by: kbrand mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c and make it a static function called load_x509_info(). mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c and make it a static function called use_certificate_chain(). mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz(). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68 
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
Follow up to r1705672. 2015-09-28T22:00:12+00:00 Yann Ylavic ylavic@apache.org 2015-09-28T22:00:12+00:00 c8dc4e3b7edbffb07ddd447c81555a0fd080b6a5 Backport changes that somehow missed the backport process. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705784 13f79535-47bb-0310-9956-ffa450edef68 
Backport changes that somehow missed the backport process.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705784 13f79535-47bb-0310-9956-ffa450edef68