Bug report for Apache httpd-2 [2023/12/03]
Legend
  Status:   UNC=Unconfirmed  NEW=New  ASS=Assigned  OPN=Reopened  VER=Verified  (Closed/Resolved skipped)
  Severity: BLK=Blocker  CRI=Critical  REG=Regression  MAJ=Major  MIN=Minor  NOR=Normal  ENH=Enhancement  TRV=Trivial
  Descriptions are cut at the original column width.

|Bug ID|Status|Sev|Date Posted|Description                                       |
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers                 |
|12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.    |
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment |
|21260|Opn|Nor|2003-07-02|CacheMaxExpire directive not enforced !           |
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down                |
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header                  |
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54    |
|24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32|
|24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files  |
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP     |
|26153|Opn|Cri|2004-01-15|Apache cygwin directory traversal vulnerability   |
|27257|Ass|Enh|2004-02-26|rotatelogs with getopt and setuid                 |
|27715|Ass|Enh|2004-03-16|Client sending misformed Range "bytes = 0-100" ins|
|29090|Ass|Enh|2004-05-19|MultiviewsMatch NegotiatedOnly extensions not resp|
|29510|Ass|Enh|2004-06-10|ab does not support multiple cookies              |
|29644|Ver|Nor|2004-06-17|mod_proxy keeps downloading even after the client |
|30259|Ass|Enh|2004-07-22|When proxy connects to backend, a DNS lookup is do|
|30505|Ass|Enh|2004-08-05|Apache uses 'Error', and not lower level event typ|
|31302|Opn|Cri|2004-09-19|suexec doesn't execute commands if they're not in |
|31352|Ass|Enh|2004-09-21|RFE, Bind to LDAP server with browser supplier use|
|31418|Opn|Nor|2004-09-25|SSLUserName is not usable by other modules        |
|32328|Opn|Enh|2004-11-19|Make mod_rewrite escaping optional / expose intern|
|32750|Ass|Maj|2004-12-17|mod_proxy + Win32DisableAcceptEx = memory leak    |
|33089|New|Nor|2005-01-13|mod_include: Options +Includes (or IncludesNoExec)|
|34519|New|Enh|2005-04-19|Directory index should emit valid XHTML           |
|35098|Ver|Maj|2005-05-27|Install fails using --prefix                      |
|35154|Opn|Nor|2005-06-01|Support for NID_serialNumber, etc. in SSLUserName |
|35652|Opn|Min|2005-07-07|Improve error message: "pcfg_openfile: unable to c|
|35768|Opn|Nor|2005-07-17|Missing file logs at far too high of log level    |
|36676|New|Nor|2005-09-15|time() bug in httpd/os/win32/util_win32.c:wait_for|
|36710|Opn|Blk|2005-09-19|CGI output not captured                           |
|37006|Ver|Reg|2005-10-11|"pthread" error when compiling under AIX 5.3 using|
|37290|Opn|Min|2005-10-28|DirectoryIndex don't work in scriptaliased directo|
|37564|New|Enh|2005-11-19|Suggestion: mod_suexec SuexecUserGroup directive i|
|38325|Opn|Nor|2006-01-20|impossible to determine AUTH_TYPE of interpreted r|
|38571|New|Enh|2006-02-08|CustomLog directive checked by apachectl configtes|
|38995|New|Nor|2006-03-16|httpd tries to communicate with the CGI daemon eve|
|39275|Opn|Nor|2006-04-11|slow child_init causes MaxClients warning         |
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39727|Ass|Nor|2006-06-05|Incorrect ETag on gzip:ed content                 |
|39748|New|Enh|2006-06-07|Header and POST support for mod_include           |
Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
On 27 Nov 2023, at 15:02, Ingo Franzki wrote:

> The mod_ssl module has support for loading keys and certificates from OpenSSL
> engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile,
> e.g. using the PKCS#11 engine part of libp11
> (https://github.com/OpenSC/libp11).
>
> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
> provider concept is used.
> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization
> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
> and newer distributions all have OpenSSL 3.x included.
> Currently, engines do still work, but since they are deprecated, they will at
> some point in time no longer be working.
>
> With OpenSSL 3.x providers one can implement loading of keys and
> certificates by implementing a STORE method.
> With this, keys and certificates can be loaded for example from PKCS#11
> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>
> Please find below some code changes required to support loading the server
> private key and certificates from a PKCS#11 provider using OpenSSL STORE
> providers.

Definite +1 in principle.

> Index: docs/manual/mod/mod_ssl.html.en.utf8
> ===
> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
> @@ -666,7 +666,7 @@

Would it be possible to patch mod_ssl.xml instead of the html file? The html is autogenerated.

> Index: modules/ssl/ssl_engine_config.c
> ===
> --- modules/ssl/ssl_engine_config.c (revision 1914150)
> +++ modules/ssl/ssl_engine_config.c (working copy)
> @@ -689,6 +689,11 @@
> if (strcEQ(arg, "builtin")) {
> mc->szCryptoDevice = NULL;
> }
> +#if MODSSL_USE_OPENSSL_STORE
> +else if (strcEQ(arg, "provider")) {
> +mc->szCryptoDevice = arg;
> +}
> +#endif
> #if MODSSL_HAVE_ENGINE_API

This patch isn't applying for me; it looks like the leading spaces have been lost. Would it be possible to try to attach it as a file?

Regards,
Graham
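Review bot: in the ssl_engine_config.c hunk, the new `else if (strcEQ(arg, "provider"))` branch stores the literal value "provider" in mc->szCryptoDevice, the same field the engine path (the `#if MODSSL_HAVE_ENGINE_API` block that follows) uses for an engine identifier, so any code that treats a non-NULL szCryptoDevice as an engine name now has to recognise and skip this sentinel, or a build with both MODSSL_USE_OPENSSL_STORE and MODSSL_HAVE_ENGINE_API defined will try to initialise an engine called "provider". Consider a separate flag or field for the STORE/provider mode instead of overloading szCryptoDevice, and document the new "provider" keyword next to "builtin" in mod_ssl.xml (from which the .html.en.utf8 hunk would then be regenerated).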
Re: svn commit: r1913977 - /httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
On 24 Nov 2023, at 19:26, Ruediger Pluem wrote:

>> We do - and we also need to apr_pstrdup() the dn to be consistent with the
>> rest.
>
> Why? dn is already apr_pstrdup from r->pool:
>
> https://github.com/apache/httpd/blob/dc76ce4c43efb8c0c36a5990aeb0468a87458087/modules/ldap/util_ldap.c#L2133

Looks like we were consistently wasteful due to lack of const, fixed in r1914281.

Regards,
Graham