Re: [PATCH 55593] Add SSLServerInfoFile directive
On Mon, Oct 21, 2013 at 5:45 AM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 21/10/2013 05:09, Trevor Perrin wrote: Seems like a lot of work. For example, how would the generic SSLConfCmd commands get hooked-up with passphrase handling for the key files? BTW I've just added some experimental code to the OpenSSL master branch. It adds key/certificate support to SSL_CONF and a new function SSL_CONF_cmd_value_type. The Apache side isn't added yet but should be pretty straight forward. Cool, if you do the Apache side I'll try to follow your footsteps and extend ServerInfo to work with SSL_CONF (in OpenSSL and Apache). Trevor
Re: [PATCH 55593] Add SSLServerInfoFile directive
On 22/10/2013 20:14, Trevor Perrin wrote: On Mon, Oct 21, 2013 at 5:45 AM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 21/10/2013 05:09, Trevor Perrin wrote: BTW I've just added some experimental code to the OpenSSL master branch. It adds key/certificate support to SSL_CONF and a new function SSL_CONF_cmd_value_type. The Apache side isn't added yet but should be pretty straight forward. Cool, if you do the Apache side I'll try to follow your footsteps and extend ServerInfo to work with SSL_CONF (in OpenSSL and Apache). http://svn.apache.org/r1534754 This needs the OpenSSL master branch. It doesn't (yet) work with 1.0.2-stable but I'll be backporting the functionality in the near future. I tested it against a new DH parameters directive and it seemed to work OK. Only bit I'm not completely sure about is the use of the SSL_CONF_CTX structure in modssl_ctx_t. It's done that way to avoid having to keep creating and destroying the SSL_CONF_CTX for each directive but a quick test showed it was creating several other SSL_CONF_CTX structures which were never used. Maybe there's a better way to handle that or just create the SSL_CONF_CTX on first use? Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com
Re: svn commit: r1534015 - /httpd/httpd/trunk/server/main.c
On Mon, Oct 21, 2013 at 2:30 AM, n...@apache.org wrote: Author: niq Date: Mon Oct 21 00:30:26 2013 New Revision: 1534015 URL: http://svn.apache.org/r1534015 Log: Fix r55670. Not a great idea to dereference process after pool destroy! Modified: httpd/httpd/trunk/server/main.c Modified: httpd/httpd/trunk/server/main.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/main.c?rev=1534015r1=1534014r2=1534015view=diff == --- httpd/httpd/trunk/server/main.c (original) +++ httpd/httpd/trunk/server/main.c Mon Oct 21 00:30:26 2013 @@ -264,12 +264,17 @@ static void destroy_and_exit_process(pro * by us before they can do so. In this case maybe valueable log messages * might get lost. */ + +/* If we are to print an error, we need the name before we destroy pool. + * short_name is a pointer into argv, so remains valid. + */ +const char *name = process-short_name ? process-short_name : httpd; + Shouldn't this be safe from terminal controls, eg : const char *name = process-short_name; if (!name || !*name || ap_has_cntrl(name)) { name = httpd; } ? apr_sleep(TASK_SWITCH_SLEEP); ap_main_state = AP_SQ_MS_EXITING; apr_pool_destroy(process-pool); /* and destroy all descendent pools */ apr_terminate(); if ((process_exit_value != 0) isatty(fileno(stderr))) { -const char *name = process-short_name ? process-short_name : httpd; fprintf(stderr, %s: abnormal exit %d\n, name, process_exit_value); } exit(process_exit_value) Regards.
Re: svn commit: r1534015 - /httpd/httpd/trunk/server/main.c
On Oct 22, 2013 5:14 PM, Yann Ylavic ylavic@gmail.com wrote: Shouldn't this be safe from terminal controls, eg : const char *name = process-short_name; if (!name || !*name || ap_has_cntrl(name)) { name = httpd; } ? No. You are thinking of untrusted user input. The Admin started this process under the given name. Describe how this can be devolved to a vulnerability?
Re: svn commit: r1533810 - in /httpd/httpd/trunk: docs/man/rotatelogs.8 docs/manual/programs/rotatelogs.html.en support/rotatelogs.c
On 10/20/13 5:31 AM, Ruediger Pluem wrote: Can't we use apr_psprintf with %pm instead of the constant length buffer char [120]? Done in r1534895, r1534896 and r1534914.