This week I was very busy with hacking on mod_ssl. The result is now
available: mod_ssl 2.2.4. Besides a lot of small changes at all edges for
preparing the final transition from SSLeay to OpenSSL this version fixes at
least two nasty problems: The close notify situation and the restart situation
- which were both broken. 

I hope I've not introduced a new heavy bug with the massive changes (the diff
against 2.2.3 is around 250KB this time which is actually more than I wanted).
Nevertheless I strongly encourage you to read the above changelog and upgrade
when possible.

Greetings,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

  Changes with mod_ssl 2.2.4 (21-Feb-1999 to 04-Mar-1999)

   *) Add important note to INSTALL/INSTALL.Win32 that all
      documentation references already use the term OpenSSL, the file and
      program names `openssl', etc. although most of the users are still using
      SSLeay and don't have any `openssl' command, etc.

   *) Fixed two export warnings for ssl_expr_parse.c under Win32.

   *) In correspondence with the SSLeay to OpenSSL transition
      we changed the --with-ssleay=DIR option to --with-ssl=DIR (but the old
      variant is still recognized for backward compatibility, of course).  For
      consistency we also renamed --with-rsaref=DIR to --with-rsa=DIR.

   *) Ported src/support/ca-fix tool to OpenSSL 0.9.2, although after final
      switching to OpenSSL 0.9.2 as the minimum required toolkit version we
      will no longer need this tool.  But until then let us be friendly and
      support the OpenSSL snapshots ;-)

   *) Added the first cut of Vendor extension support.  This stuff is
      currently _NOT_ compiled in per default. It has to be enabled with the
      new APACI --enable-rule=SSL_VENDOR option. The idea is this: the mod_ssl
      sources contain EAPI vendor hooks (`ssl::vendor::xxxx') and internal
      EAPI context variables which can be used to change or extend mod_ssl by
      a vendor without patching the source code. Grep for `ssl::vendor::'
      inside src/modules/ssl/ for more details.  Additionally vendors can now
      add their own source code as files named ssl_vendor.c, ssl_vendor_XXX.c,
      etc.  The libssl.module script automatically picks these up under
      configuration time and mod_ssl under run-time calls the functions `void
      ssl_vendor_register(void)' and `void ssl_vendor_unregister(void)' inside
      these objects to bootstrap them.  Read the src/modules/ssl/README file
      for more details.

   *) Fixed two old Stronghold directive compatibility mappings, added missing
      Stronghold directive mappings and added a bunch of additional Stronghold
      variable mappings.

   *) Big and official switch from the name `Apache Interface to SSLeay' to
      `Apache Interface to OpenSSL', from any SSLeay-references to
      OpenSSL-references, etc. There is still support for SSLeay, of course.
      But this renaming cleanup has to be done, because in the near future
      support for SSLeay has to be completely dropped due to non-optional
      support for new features like DSA/DH, etc (which is only possible with
      OpenSSL).

   *) Made the error messages of `configure' even more idiot-proof :-(

   *) Fixed the connection closing phase: First, mod_ssl no longer hooks into
      this phase by using ap_register_cleanup() (with the connection pool)
      because the cleanup functions are called by Apache's API a lot too late
      (actually _after_ the socket was already closed!).  Instead a new EAPI
      hook `close_connection' was added to register a hook which is run
      directly _before_ the socket is closed.  Second, the SSL ``Close
      Notify'' alert is now always sent (even when older IE browsers display
      the message in the window), because not sending the alert is a violation
      of the SSL/TLS standard.
      !! ATTENTION: THIS HAD TO CHANGE EAPI, SO YOU HAVE TO RECOMPILE APACHE !!

   *) Enhance the output of alert messages under `SSLLogLevel trace'.
   
   *) Make mod_ssl aware of the forthcoming OpenSSL 0.9.2 version
      where some callback function signatures will be changed 
      and a few new TLSv1 export ciphers are added.

   *) Fixed restarts which were broken due to recent changes to the cert/key
      handling (DER/internal conversions). Now mod_ssl again survives server
      restarts without problems.

   *) Replaced `%0 %*' with `%0 %1 %2 %3 %4 %5 %6 %7 %8 %9' in configure.bat
      because Windows 98 is even more braindead than anyone can imagine.

   *) Added AP_HOOK_DECLTMP return code semantic to EAPI's hook mechanism
      which is needed in the forthcoming vendor hooks to avoid local temporary
      variables.

   *) Fixed the `SSLLogLevel debug' output where confusing `Ops, no memory
      buffer?' messages occurred in the past. The BIO callback function now
      only outputs messages for the actual read/write calls.

   *) Fixed a warning the `gcc -O -Wall ...' compiler flag combination causes.

   *) Fixed confusing terms in the final messages in mkcert.sh
      which display a short description of files under `make certificate'.

   *) Fixed compilation for SunOS where no RAND_MAX exists.

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
