Sorry for the delay, but a lot of stuff from my "development queue" had to be
incorporated and tested. But now here it is: mod_ssl 2.1.1, the first bugfix
release for the 2.1 branch. The major user visible changes: First network I/O
performance is no longer decreased (we no longer force NO_WRITEV) and the CA
list is sent on client authentication.  Additionally a lot of minor bugfixes
were done, of course.

Greetings,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

  Changes with mod_ssl 2.1.1 (17-Nov-1998 to 30-Nov-1998)

   *) Fixed typos in pass phrase dialog.

   *) Added support to APACI for overriding the conf/ssl.crt/server.crt
      default certificate path.

   *) Added another logging level `trace' (between `info' and `debug')
      and converted all existing `debug' messages to this level.  Additionally
      the internal SSLeay processing is now logged to this level, too.  The
      `debug' level now consists of deepest-level I/O dumps where you can even
      see every read/write byte on the BIO (the buffer above the SSL record
      layer).

   *) Changed buffer I/O: Previously NO_WRITEV was forced
      because there is no real SSL_writev() available.  But the drawback of
      this was that writev() (which nevertheless is available on mostly all
      platforms) wasn't used for non-SSL requests. The result was bad network
      I/O performance when Apache was built with EAPI/mod_ssl. This is now
      changed: When writev() is available it is used for non-SSL requests
      (this way we gain maximum performance) while for SSL requests the output
      is still done via SSL_write().

   *) Fixed DBM library determination and build. This especially fixed the
      problems with DSO support under Linux platforms where libdbm was
      previously not linked against libssl.

   *) Added a README.Patents document to the distribution
      which tries to explain some RSA patent issues.

   *) Fixed Thawte sxnet stuff to work with recent EAPI changes.

   *) Fixed documentation: X.509 field was incorrect: SP -> ST.

   *) Fixed SSL support for mod_proxy: It was broken because
      the "ssl_enable" ctx-flag was set too late.

   *) Ported a recent change in Apache-SSL 1.29 to mod_ssl:
      ``Send CA list to client when SSLCACertificatePath is used (this was
      only done for SSLCACertificateFile up to now)''. I've implemented it
      with a new ssl_init_FindCAList() function in ssl_engine_init.c where the
      main difference is that it _merges_ the list entries from both
      directives together while in Apache-SSL the SSLCACertificatePath would
      override the SSLCACertificateFile for this list generation. I use them
      in parallel for the list generation (by merging their entries) because
      they are used in parallel by SSLeay under the verification process, too.
      Additionally I've now removed SSLCACertificateReqFile because it was
      oversize.

   *) Added a similar SSL_accept() check as was recently added to Apache-SSL
      1.29, but in a different way: Under the SSL_ERROR_ZERO_RETURN error
      don't log it as an error. An "info"-level log entry is enough.
    
   *) Extended the Compatibility chapter of the User Manual to now also
      contain information about environment variable derivation.

   *) Overhauled the SSL part in the httpd.conf-dist file.

   *) Fixed pkg.sslcfg/ssl.key/server.key: It contained a dummy key 
      instead of the intended dummy text "THIS FILE SHOULD ...".

   *) Fixed httpd.conf-dist: The SSLRequire is only allowed in
      <Location> or <Directory> sections there.
   
   *) Fixed documentation: sign.sh instead of ca.sign, SSLRequire uses
      braces and not parentheses for word groups, etc.
   
   *) Use the commonly used .crt extension also in the sign.sh script.

   *) Fixed backward compatibility code: half-way matching could occur (Sioux'
      "RequireSSL" matched the correct "SSLRequireSSL" and led to
      "SSLSSLRequireSSL") and the SSLRequireCipher/SSLBanCipher directives
      were not matched correctly.

   *) Don't do I/O read-aheads in SSLeay under Win32 because it's not safe
      for this platform (we use select() there).

   *) Fixed two memory leaks in ssl_engine_var.c by copying over
      malloc-allocated buffers from X509_NAME_oneline() to Apache
      pool-allocated buffers.

   *) Fixed RSAref handling: the -L path to the librsaref.a library 
      file was configured incorrectly (a bogus "/lib" was there).

   *) Fixed some ANSI C portability issues which popped up with IRIX vendor
      compiler while good-old GCC was happy. This way other compilers should
      be quiet now, too.

   *) Added notice and workarounds for RSAref portability problem to the
      INSTALL document. This is especially important to people using platforms
      with non-Intel CPUs (like the Alpha-boxes of DEC).
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
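
The half-way matching described in the backward compatibility entry above, shown as an added illustration in C; this is not mod_ssl's own compatibility code. The function names and the single-entry mapping are hypothetical, and matching is case-sensitive to keep the example short.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One compatibility mapping, taken from the changelog entry. */
static const char OLD_NAME[] = "RequireSSL";
static const char NEW_NAME[] = "SSLRequireSSL";

/* Flawed: rewrites the old name wherever it occurs, even inside a longer name. */
static char *rewrite_substring(const char *line, char *out, size_t len)
{
    const char *hit = strstr(line, OLD_NAME);
    if (hit == NULL)
        snprintf(out, len, "%s", line);
    else
        snprintf(out, len, "%.*s%s%s", (int)(hit - line), line,
                 NEW_NAME, hit + strlen(OLD_NAME));
    return out;
}

/* Corrected: rewrites only when the old name is the complete directive token. */
static char *rewrite_token(const char *line, char *out, size_t len)
{
    const char *p = line;
    size_t n = strlen(OLD_NAME);
    while (*p == ' ' || *p == '\t')
        p++;                               /* skip indentation */
    if (strncmp(p, OLD_NAME, n) == 0 &&
        (p[n] == '\0' || isspace((unsigned char)p[n])))
        snprintf(out, len, "%.*s%s%s", (int)(p - line), line, NEW_NAME, p + n);
    else
        snprintf(out, len, "%s", line);    /* already new-style or unrelated */
    return out;
}

int main(void)
{
    /* Constructed sample configuration lines. */
    const char *lines[] = { "RequireSSL", "SSLRequireSSL", "  RequireSSL" };
    char a[128], b[128];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-16s substring: %-18s token: %s\n", lines[i],
               rewrite_substring(lines[i], a, sizeof a),
               rewrite_token(lines[i], b, sizeof b));
    return 0;
}
```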
