Re: svn commit: r1908132 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c
On 3/6/23 6:46 PM, di...@apache.org wrote:
> Author: dirkx
> Date: Mon Mar 6 17:46:04 2023
> New Revision: 1908132
>
> URL: http://svn.apache.org/viewvc?rev=1908132=rev
> Log:
> Add SSL_SHARED_CIPHER environment variable
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1908132=1908131=1908132=diff
> ==
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Mar 6 17:46:04 2023
> @@ -1,6 +1,9 @@
> -*- coding: utf-8
> -*-
> Changes with Apache 2.5.1
>
> + *) Add a SSL_SHARED_CIPHER environment variable with the list of
> + client/server permitted ciphers. [Dirk-Willem van Gulik]
> +
To reduce backporting conflicts we now store change entries in separate files
per change in the changes-entries directory
and merge them from time to time or latest before a release via 'make
update-changes' into the CHANGES file.
See
http://svn.apache.org/viewvc/httpd/httpd/trunk/README.CHANGES?revision=1879840=co
>*) mod_http2: field values (headers and trailers) are stripped of
> leading/trailing whitespace (space +htab) before being processed
> or send in a response. This is compatible behaviour to HTTP/1.1
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1908132=1908131=1908132=diff
> ==
> --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Mar 6 17:46:04 2023
> @@ -66,7 +66,8 @@ compatibility variables.
> SSL_SESSION_IDstring
> The hex-encoded SSL session id
> SSL_SESSION_RESUMED string
> Initial or Resumed SSL Session. Note: multiple requests may be served
> over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in
> use
> SSL_SECURE_RENEG string
> true if secure renegotiation is supported, else
> false
> -SSL_CIPHERstring
> The cipher specification name
> +SSL_SHARED_CIPHERSstring
> Colon separated list of shared ciphers (i.e. the subset of ciphers that
> are configured on both server and on the client)
> +SSL_CIPHERstring
> The name of the cipher agreed between client and server
> SSL_CIPHER_EXPORT string
> true if cipher is an export cipher
> SSL_CIPHER_USEKEYSIZE number
> Number of cipher bits (actually used)
> SSL_CIPHER_ALGKEYSIZE number
> Number of cipher bits (possible)
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908132=1908131=1908132=diff
> ==
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 6 17:46:04 2023
> @@ -1532,6 +1532,7 @@ static const char *const ssl_hook_Fixup_
> "SSL_SERVER_A_SIG",
> "SSL_SESSION_ID",
> "SSL_SESSION_RESUMED",
> +"SSL_SHARED_CIPHERS",
> #ifdef HAVE_SRP
> "SSL_SRP_USER",
> "SSL_SRP_USERINFO",
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1908132=1908131=1908132=diff
> ==
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Mon Mar 6 17:46:04 2023
> @@ -506,6 +506,11 @@ static const char *ssl_var_lookup_ssl(ap
> else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
> result = ssl_var_lookup_ssl_compress_meth(ssl);
> }
> +else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) {
> +char buf[ 1024 * 16 ];
Is it important to be 16k? Typically we use HUGE_STRING_LEN which is 8k in such
situations.
If it needs to be 16k I would favor HUGE_STRING_LEN * 2 instead.
> +if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf)))
> + result = apr_pstrdup(p,buf);
> +}
> #ifdef HAVE_TLSEXT
> else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
> result = apr_pstrdup(p, SSL_get_servername(ssl,
>
>
>
Regards
Rüdiger
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
+1 All looks fine on Windows. > Op 5 mrt. 2023 om 22:32 heeft Eric Covener het volgende > geschreven: > > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: > [ ] +1: It's not just good, it's good enough! > [ ] +0: Let's have a talk. > [ ] -1: There's trouble in paradise. Here's what's wrong. > > The computed digests of the tarball up for vote are: > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 > *httpd-2.4.56-rc1.tar.gz > sha512: > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 > *httpd-2.4.56-rc1.tar.gz > > The SVN candidate source is found at tags/2.4.56-rc1-candidate. > > -- > Eric Covener > cove...@gmail.com
Re: svn commit: r1908060 - in /httpd/httpd/trunk/test/modules: http1/htdocs/cgi/ http2/ http2/htdocs/cgi/ md/ tls/ tls/htdocs/a.mod-tls.test/ tls/htdocs/b.mod-tls.test/
[resent to dev@] On Sat, Mar 04, 2023 at 01:40:39PM -, ic...@apache.org wrote: > Author: icing > Date: Sat Mar 4 13:40:38 2023 > New Revision: 1908060 > > URL: http://svn.apache.org/viewvc?rev=1908060=rev > Log: > Test case updates related to macOS ventura changes: > > - python 3.11 deprecates the `cg` module, replacing > url query and multipart form-data handling with new code > - adaptions to changes in openssl/curl behaviours > - all mod_tls test cases now have prefix `test_tls_` for > easier scoping. This seems to be failing: https://github.com/apache/httpd/actions/runs/4341851149/jobs/7581956398 1) Maybe some new pypi requirement or something? Looks like the CGI scripts are now giving 500 errors. 2) What is the path to the relevant error_log when running those tests, we can tweak the config to grab that file and upload it for easy diagnosis.
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 05, 2023 at 04:31:34PM -0500, Eric Covener wrote: > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: > [X] +1: It's not just good, it's good enough! > [ ] +0: Let's have a talk. > [ ] -1: There's trouble in paradise. Here's what's wrong. +1, tests pass on RHEL 8+9 (x86_64), sigs good, thanks for RMing. Seems there is some tweak required to get Actions to work for a tag which I will look into. Regards, Joe
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I would like to call a VOTE over the next few days to release this candidate tarball httpd-2.4.56-rc1 as 2.4.56: [x] +1: It's not just good, it's good enough! [ ] +0: Let's have a talk. [ ] -1: There's trouble in paradise. Here's what's wrong. +1
Re: expose SSL_SHARED_CIPHERs from SSL/TLS
> On 6 Mar 2023, at 13:32, Ruediger Pluem wrote:
>
>
>
> On 3/6/23 12:35 PM, Dirk-Willem van Gulik wrote:
>> I was cleaning up some of our private code - and came across the patch below
>> - exposing the SHARED_CHIPHERs.
>>
>> We scratch this itch in a few places to help force (or prevent) the forcing
>> of a protocol upgrade from application land.
>>
>> No idea how common that is - any reason not to submit this as a suggestion
>> for some future httpd version ?
>
> If you provide some documentation for the var, go for it :-)
Draft against trunk below. As far as I could see mod_ssl.xml was the most
sensible place to document this.
Updated the SSL_CIPHER a little to clarify the relation between the two.
Dw
Index: docs/manual/mod/mod_ssl.xml
===
--- docs/manual/mod/mod_ssl.xml (revision 1908122)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -66,7 +66,8 @@
SSL_SESSION_IDstring
The hex-encoded SSL session id
SSL_SESSION_RESUMED string
Initial or Resumed SSL Session. Note: multiple requests may be served over
the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use
SSL_SECURE_RENEG string
true if secure renegotiation is supported, else
false
-SSL_CIPHERstring
The cipher specification name
+SSL_SHARED_CIPHERSstring
Colon separated list of shared chiper (i.e. possible chipers that are
present on both server and with the client))
+SSL_CIPHERstring
The name of the selected cipher
SSL_CIPHER_EXPORT string
true if cipher is an export cipher
SSL_CIPHER_USEKEYSIZE number
Number of cipher bits (actually used)
SSL_CIPHER_ALGKEYSIZE number
Number of cipher bits (possible)
Index: modules/ssl/ssl_engine_kernel.c
===
--- modules/ssl/ssl_engine_kernel.c (revision 1908122)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1532,6 +1532,7 @@
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
"SSL_SESSION_RESUMED",
+"SSL_SHARED_CIPHERS",
#ifdef HAVE_SRP
"SSL_SRP_USER",
"SSL_SRP_USERINFO",
Index: modules/ssl/ssl_engine_vars.c
===
--- modules/ssl/ssl_engine_vars.c (revision 1908122)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -506,6 +506,11 @@
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl);
}
+else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) {
+char buf[ 1024 * 16 ];
+if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf)))
+ result = apr_pstrdup(p,buf);
+}
#ifdef HAVE_TLSEXT
else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
result = apr_pstrdup(p, SSL_get_servername(ssl,
Re: expose SSL_SHARED_CIPHERs from SSL/TLS
On 3/6/23 12:35 PM, Dirk-Willem van Gulik wrote: > I was cleaning up some of our private code - and came across the patch below > - exposing the SHARED_CHIPHERs. > > We scratch this itch in a few places to help force (or prevent) the forcing > of a protocol upgrade from application land. > > No idea how common that is - any reason not to submit this as a suggestion > for some future httpd version ? If you provide some documentation for the var, go for it :-) Regards Rüdiger
expose SSL_SHARED_CIPHERs from SSL/TLS
I was cleaning up some of our private code - and came across the patch below -
exposing the SHARED_CHIPHERs.
We scratch this itch in a few places to help force (or prevent) the forcing of
a protocol upgrade from application land.
No idea how common that is - any reason not to submit this as a suggestion for
some future httpd version ?
Dw
Index: modules/ssl/ssl_engine_vars.c
===
--- modules/ssl/ssl_engine_vars.c (revision 620141)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -320,6 +320,11 @@
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl);
}
+else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) {
+ char buf[ 1024 * 16 ];
+ if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf))) +
result = apr_pstrdup(p,buf);
+}
#ifndef OPENSSL_NO_TLSEXT
else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
result = apr_pstrdup(p, SSL_get_servername(ssl,
Index: modules/ssl/ssl_engine_kernel.c
===
--- modules/ssl/ssl_engine_kernel.c (revision 620141)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1067,6 +1067,7 @@
"SSL_SERVER_A_KEY",
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
+"SSL_SHARED_CIPHERS",
NULL
};
and config
SSLSessionCache None
SSLSessionCacheTimeout 1
...
EOM
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 5, 2023 at 10:31 PM Eric Covener wrote: > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: +1: It's not just good, it's good enough! All checksums/sigs and tests pass (Debian 11 & 12), thanks Eric for RMing. Regards; Yann.
Re: svn commit: r1908116 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/http2/mod_proxy_http2.c
> Am 06.03.2023 um 10:37 schrieb Yann Ylavic : > > On Mon, Mar 6, 2023 at 10:28 AM Ruediger Pluem wrote: >> >> Thanks. Should we roll a new rc with this being backported and included? > > I don't think so, the ci failure is caused by an explicit script/check > but the build works fine while runtime will only log an empty "AH" > number, not a show stopper IMO. Agreed, not a stopper. And we can always find the one code line with an empty AH! ;) > > Regards; > Yann.
Re: svn commit: r1908116 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/http2/mod_proxy_http2.c
On Mon, Mar 6, 2023 at 10:28 AM Ruediger Pluem wrote: > > Thanks. Should we roll a new rc with this being backported and included? I don't think so, the ci failure is caused by an explicit script/check but the build works fine while runtime will only log an empty "AH" number, not a show stopper IMO. Regards; Yann.
Re: svn commit: r1908116 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/http2/mod_proxy_http2.c
On 3/6/23 10:24 AM, jor...@apache.org wrote: > Author: jorton > Date: Mon Mar 6 09:24:44 2023 > New Revision: 1908116 > > URL: http://svn.apache.org/viewvc?rev=1908116=rev > Log: > * modules/http2/mod_proxy_http2.c: Fix missing APLOGNO. > > Modified: > httpd/httpd/trunk/docs/log-message-tags/next-number > httpd/httpd/trunk/modules/http2/mod_proxy_http2.c > > Modified: httpd/httpd/trunk/docs/log-message-tags/next-number > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1908116=1908115=1908116=diff > == > --- httpd/httpd/trunk/docs/log-message-tags/next-number (original) > +++ httpd/httpd/trunk/docs/log-message-tags/next-number Mon Mar 6 09:24:44 > 2023 > @@ -1 +1 @@ > -10412 > +10413 > > Modified: httpd/httpd/trunk/modules/http2/mod_proxy_http2.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/mod_proxy_http2.c?rev=1908116=1908115=1908116=diff > == > --- httpd/httpd/trunk/modules/http2/mod_proxy_http2.c (original) > +++ httpd/httpd/trunk/modules/http2/mod_proxy_http2.c Mon Mar 6 09:24:44 2023 > @@ -167,7 +167,7 @@ static int proxy_http2_canon(request_rec > * We have a raw control character or a ' ' in r->args. > * Correct encoding was missed. > */ > -ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412) >"To be forwarded query string contains control > " >"characters or spaces"); > return HTTP_FORBIDDEN; > > > Thanks. Should we roll a new rc with this being backported and included? Regards Rüdiger
Re: svn commit: r1907984 - /httpd/httpd/trunk/modules/dav/fs/quota.c
On 3/2/23 4:46 PM, m...@apache.org wrote:
> Author: manu
> Date: Thu Mar 2 15:46:12 2023
> New Revision: 1907984
>
> URL: http://svn.apache.org/viewvc?rev=1907984=rev
> Log:
> Add RFC4331 quotas for mod_dav_fs
>
> Address forgotten svn add in previous commit
>
> Added:
> httpd/httpd/trunk/modules/dav/fs/quota.c
>
> Added: httpd/httpd/trunk/modules/dav/fs/quota.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/fs/quota.c?rev=1907984=auto
> ==
> --- httpd/httpd/trunk/modules/dav/fs/quota.c (added)
> +++ httpd/httpd/trunk/modules/dav/fs/quota.c Thu Mar 2 15:46:12 2023
> @@ -0,0 +1,359 @@
> +/* Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements. See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License. You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +/*
> +** DAV filesystem-based quota routines
> +*/
> +
> +#include "apr.h"
> +#include "apr_strings.h"
> +
> +#include "httpd.h"
> +#include "http_log.h"
> +#include "http_main.h"
> +
> +#include "mod_dav.h"
> +#include "repos.h"
> +
> +/*
> + * Just use a configure test? fields have been standardized for
> + * while: https://pubs.opengroup.org/onlinepubs/7908799/xsh/sysstatvfs.h.html
> + */
> +#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(OpenBSD) || \
> +defined(linux)
> +#include
> +#define HAVE_STATVFS
> +#endif
> +
> +#define DAV_TRUE1
> +#define DAV_FALSE 0
> +
> +/* Forwared declaration, since it calls itself */
> +static apr_status_t get_dir_used_bytes_walk(request_rec *r,
> +const char *path,
> +apr_off_t *used);
> +
> +static apr_status_t get_dir_used_bytes_walk(request_rec *r,
> +const char *path,
> +apr_off_t *used)
> +{
> +apr_dir_t *dir = NULL;
> +apr_finfo_t finfo;
> +apr_status_t rv;
> +
> +if ((rv = apr_dir_open(, path, r->pool)) != APR_SUCCESS) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
> + "failed to open \"%s\"", path);
> +goto out;
> +}
> +
> +do {
> +apr_int32_t wanted;
> +char *newpath;
> +
> +wanted =
> APR_FINFO_DIRENT|APR_FINFO_TYPE|APR_FINFO_SIZE|APR_FINFO_NAME;
> +rv = apr_dir_read(, wanted, dir);
> +if (rv != APR_SUCCESS && rv != APR_INCOMPLETE)
> +break;
> +
> +if (finfo.valid & APR_FINFO_NAME == 0) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "Cannot get entry name in \"%s\"", path);
> +goto out;
> +}
> +
> +if (!strcmp(finfo.name, ".") ||
> +!strcmp(finfo.name, "..") ||
> +!strcmp(finfo.name, DAV_FS_STATE_DIR) ||
> +!strncmp(finfo.name, DAV_FS_TMP_PREFIX,
> strlen(DAV_FS_TMP_PREFIX)))
> +continue;
> +
> +if (finfo.valid & APR_FINFO_TYPE == 0) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "Cannot get entry type in \"%s\"", path);
> +goto out;
> +}
> +
> +switch (finfo.filetype) {
> +case APR_REG:
> +if (finfo.valid & APR_FINFO_SIZE == 0) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "Cannot get entry size in \"%s\"", path);
> +goto out;
> +}
> +*used += finfo.size;
> +break;
> +
> +case APR_DIR:
> +if (finfo.valid & APR_FINFO_NAME == 0) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "Cannot get entry name in \"%s\"", path);
> +goto out;
> +}
Why do we need to check this again? We already checked this above.
> +
> +rv = apr_filepath_merge(, path, finfo.name, 0, r->pool);
> +if (rv != APR_SUCCESS) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
> + "apr_filepath_merge \"%s\" \"%s\" failed",
> + path, finfo.name);
> +goto out;
> +}
> +
> +rv =
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On 3/5/23 22:31, Eric Covener wrote: Hi all, Please find below the proposed release tarball and signatures: https://dist.apache.org/repos/dist/dev/httpd/ I would like to call a VOTE over the next few days to release this candidate tarball httpd-2.4.56-rc1 as 2.4.56: [ ] +1: It's not just good, it's good enough! [ ] +0: Let's have a talk. [ ] -1: There's trouble in paradise. Here's what's wrong. The computed digests of the tarball up for vote are: sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 *httpd-2.4.56-rc1.tar.gz sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 *httpd-2.4.56-rc1.tar.gz +1 tested on Fedora 37 and OpenBSD 7.2 and 7.3-beta Giovanni OpenPGP_signature Description: OpenPGP digital signature
