Re: [VOTE] Release httpd-2.4.35

2018-09-21 Thread Rainer Jung

On 21.09.2018 at 04:18, Dennis Clarke wrote:

>> +1 for release and thanks for RM.
>>
>> Not enough time right now for the usual detailed report, but so far
>> looks good on Solaris 10 Sparc, SLES 11+12, RHEL 6+7.
>
> Thank you for getting to it before I did. I can ignore it now ;-)


Not necessarily, your input typically is very valuable. There's so much 
possible variation in compilers, library versions, linking type, OS 
patches etc. etc.


But if you are short on time: merging support for TLS 1.3 will likely be 
the next step for httpd 2.4 and intensive testing then will be much 
appreciated.


Thanks and regards,

Rainer



Re: [VOTE] Release httpd-2.4.35

2018-09-21 Thread Steffen

Maybe I overlook it:

I miss in the change log:

http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1840546

Looks it needs special windows test attention.

Description:

Merge r1801144, r1801148, r1801456 from trunk:

mpm_winnt: Factor out a helper function to parse the type of an accept
filter and use an appropriate enum for it.

This makes the code in winnt_accept() a bit easier to follow.  As a minor
side effect, it also fixes a small bug where the "unrecognized AcceptFilter
'%s'" log entry would always contain "none" instead of the actually
unrecognized kind of the accept filter.

mpm_winnt: Fix typo in the logged message in winnt_get_connection().

mpm_winnt: Following up on r1801144, use the new accept_filter_e enum
values in a couple of missed places in winnt_accept().

Submitted by: kotkov
Reviewed by: jailletc36, jim (via inspection), wrowe



On 18-09-18 02:56, Daniel Ruggeri wrote:

Hi, all;
    Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this
candidate tarball as 2.4.35:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
md5: 92ddccfbd43b533578499d1faaad17fe *httpd-2.4.35.tar.gz
sha1: b7996c2c1f7ff5bb217114fe5354a19a5207ab62 *httpd-2.4.35.tar.gz
sha256: 31c2c82c9cd34749cbb60d04619d9aa3fb0814ab22246ad588d2426dde90c72c
*httpd-2.4.35.tar.gz





Re: svn commit: r1841573 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl

2018-09-21 Thread Jim Jagielski
*cheers*!!

> On Sep 21, 2018, at 8:14 AM, minf...@apache.org wrote:
> 
> Author: minfrin
> Date: Fri Sep 21 12:14:05 2018
> New Revision: 1841573
> 
> URL: http://svn.apache.org/viewvc?rev=1841573&view=rev
> Log:
> Add TLSv1.3 support to mod_ssl:
> trunk: http://svn.apache.org/r1839946
>   http://svn.apache.org/r1839920
>   http://svn.apache.org/r1833589
>   http://svn.apache.org/r1833588
>   http://svn.apache.org/r1828723
>   http://svn.apache.org/r1828720
>   http://svn.apache.org/r1828222
>   http://svn.apache.org/r1827992
>   http://svn.apache.org/r1827924
>   http://svn.apache.org/r1827912
>   http://svn.apache.org/r1828790
>   http://svn.apache.org/r1828791
>   http://svn.apache.org/r1828792
>   http://svn.apache.org/r1840585
>   http://svn.apache.org/r1840710
>   http://svn.apache.org/r1841218
> 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x
> 
> Modified:
>   httpd/httpd/branches/2.4.x/   (props changed)
>   httpd/httpd/branches/2.4.x/CHANGES
>   httpd/httpd/branches/2.4.x/STATUS
>   httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
>   httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
> 
> Propchange: httpd/httpd/branches/2.4.x/
> --
> --- svn:mergeinfo (original)
> +++ svn:mergeinfo Fri Sep 21 12:14:05 2018
> @@ -1,11 +1,11 @@
> /httpd/httpd/branches/2.4.17-protocols-changes:1712542-1715252
> /httpd/httpd/branches/2.4.17-protocols-http2:1701609-1705681
> -/httpd/httpd/branches/2.4.x:1825504
> /httpd/httpd/branches/2.4.x-mod_md:1816423-1821089
> /httpd/httpd/branches/2.4.x-mpm_fdqueue:1824383-1824864
> /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
> +/httpd/httpd/branches/tlsv1.3-for-2.4.x:1840105-1841571
> /httpd/httpd/branches/trunk-buildconf-noapr:1780253-1795930
> /httpd/httpd/branches/trunk-md:1804087-1804529
> /httpd/httpd/branches/trunk-override-index:1793921-1793931
> /httpd/httpd/branches/wombat-integration:723609-723841
> -/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,120,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
> 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,130,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
> ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341905-1341906,1341913,1341930,1342065,1343085,1343087,1343094,1343099,1343109,1343935,1344712,1345147,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1
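
Review bot: the removal of "/httpd/httpd/branches/2.4.x:1825504" from svn:mergeinfo is not explained by the log, which only describes the TLSv1.3 merge from tlsv1.3-for-2.4.x; a line in the log saying the self-referencing entry was dropped on purpose would help anyone auditing the merge later. The rewritten /httpd/httpd/trunk line is cut off in this copy, so whether it gains only the trunk revisions listed in the log cannot be checked from here.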

Re: [VOTE] Release httpd-2.4.35

2018-09-21 Thread Daniel Ruggeri
Hi, Steffen;

   Good catch. That particular change didn't have a CHANGES entry, so it
explains why it's missing. Luckily, there are no user-visible changes
(other than the error message being correct), so I think we're good to
move forward. Would love to see a test case added around this if you're
so inclined :-)


Thanks!

-- 
Daniel Ruggeri

On 9/21/2018 5:59 AM, Steffen wrote:
> Maybe I overlook it:
>
> I miss in the change log:
>
> http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1840546
>
> Looks it needs special windows test attention.
>
> Description:
>
> Merge r1801144, r1801148, r1801456 from trunk:
>
> mpm_winnt: Factor out a helper function to parse the type of an accept
> filter and use an appropriate enum for it.
>
> This makes the code in winnt_accept() a bit easier to follow.  As a minor
> side effect, it also fixes a small bug where the "unrecognized
> AcceptFilter
> '%s'" log entry would always contain "none" instead of the actually
> unrecognized kind of the accept filter.
>
> mpm_winnt: Fix typo in the logged message in winnt_get_connection().
>
> mpm_winnt: Following up on r1801144, use the new accept_filter_e enum
> values in a couple of missed places in winnt_accept().
>
> Submitted by: kotkov
> Reviewed by: jailletc36, jim (via inspection), wrowe
>
>
>
> On 18-09-18 02:56, Daniel Ruggeri wrote:
>> Hi, all;
>>     Please find below the proposed release tarball and signatures:
>> https://dist.apache.org/repos/dist/dev/httpd/
>>
>> I would like to call a VOTE over the next few days to release this
>> candidate tarball as 2.4.35:
>> [ ] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>
>> The computed digests of the tarball up for vote are:
>> md5: 92ddccfbd43b533578499d1faaad17fe *httpd-2.4.35.tar.gz
>> sha1: b7996c2c1f7ff5bb217114fe5354a19a5207ab62 *httpd-2.4.35.tar.gz
>> sha256: 31c2c82c9cd34749cbb60d04619d9aa3fb0814ab22246ad588d2426dde90c72c
>> *httpd-2.4.35.tar.gz
>>
>



RESULT: Passed - [VOTE] Release httpd-2.4.35

2018-09-21 Thread Daniel Ruggeri
Hi, all;

   I am delighted to share that the vote to release Apache httpd-2.4.35
has PASSED. The following votes were recorded:

Binding +1:
minfrin, icing, jorton, gsmith, steffenal, covener, jailletc36, ylavic,
rjung, druggeri, wroewe

Community +1:
Noel Butler


I'd like to add that, as an RM, I am VERY pleased that we received 12
votes in only 3.5 days. I thank you for all the time you've put into
this project and into testing this release.

ANNOUNCE text will be updated a bit later today (with a note about
OpenSSL and upcoming TLS 1.3) and I've kicked off the dist sync process.

I will also plan to RM a followup release as promised now that the TLS
1.3 change has been merged... but let's give that a few weeks for other
features to make it into 2.4.x :-)

-- 
Daniel Ruggeri

On 9/17/2018 7:56 PM, Daniel Ruggeri wrote:
> Hi, all;
>    Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.35:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> md5: 92ddccfbd43b533578499d1faaad17fe *httpd-2.4.35.tar.gz
> sha1: b7996c2c1f7ff5bb217114fe5354a19a5207ab62 *httpd-2.4.35.tar.gz
> sha256: 31c2c82c9cd34749cbb60d04619d9aa3fb0814ab22246ad588d2426dde90c72c
> *httpd-2.4.35.tar.gz
>



Re: NOTICE: Intent to T&R 2.4.35 in the next few hours

2018-09-21 Thread Daniel Ruggeri
I've updated the proposed, generated announcements here:
https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.html
https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.txt

A quick proofread would be appreciated - this should be the exact
messages that will be sent/published.

-- 
Daniel Ruggeri

On 9/19/2018 5:54 AM, Joe Orton wrote:
> On Tue, Sep 18, 2018 at 11:19:10AM -0500, William A Rowe Jr wrote:
>> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton  wrote:
>>> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
>>> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
>> But I think this is worth highlighting in our Announcement, that we would
>> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
>> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
> Good idea.  How about this, to insert after the "This release requires 
> the Apache Portable Runtime (APR)," paragraph?
>
> """ 
> This release is compatible with OpenSSL versions from 0.9.8a to 
> 1.1.0 only, and does not support TLSv1.3.  Future releases of httpd 2.4 
> are expected to add compatibility with OpenSSL 1.1.1 and enable support 
> for TLSv1.3. 
> """
>
> Regards, Joe



Re: svn commit: r1841573 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl

2018-09-21 Thread Stefan Eissing
Champagne! :-D

> On 21.09.2018 at 14:15, Jim Jagielski wrote:
> 
> *cheers*!!
> 
>> On Sep 21, 2018, at 8:14 AM, minf...@apache.org wrote:
>> 
>> Author: minfrin
>> Date: Fri Sep 21 12:14:05 2018
>> New Revision: 1841573
>> 
>> URL: http://svn.apache.org/viewvc?rev=1841573&view=rev
>> Log:
>> Add TLSv1.3 support to mod_ssl:
>> trunk: http://svn.apache.org/r1839946
>>  http://svn.apache.org/r1839920
>>  http://svn.apache.org/r1833589
>>  http://svn.apache.org/r1833588
>>  http://svn.apache.org/r1828723
>>  http://svn.apache.org/r1828720
>>  http://svn.apache.org/r1828222
>>  http://svn.apache.org/r1827992
>>  http://svn.apache.org/r1827924
>>  http://svn.apache.org/r1827912
>>  http://svn.apache.org/r1828790
>>  http://svn.apache.org/r1828791
>>  http://svn.apache.org/r1828792
>>  http://svn.apache.org/r1840585
>>  http://svn.apache.org/r1840710
>>  http://svn.apache.org/r1841218
>> 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x
>> 
>> Modified:
>>   httpd/httpd/branches/2.4.x/   (props changed)
>>   httpd/httpd/branches/2.4.x/CHANGES
>>   httpd/httpd/branches/2.4.x/STATUS
>>   httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
>>   httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
>>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
>>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
>>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
>>   httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
>> 
>> Propchange: httpd/httpd/branches/2.4.x/
>> --
>> --- svn:mergeinfo (original)
>> +++ svn:mergeinfo Fri Sep 21 12:14:05 2018
>> @@ -1,11 +1,11 @@
>> /httpd/httpd/branches/2.4.17-protocols-changes:1712542-1715252
>> /httpd/httpd/branches/2.4.17-protocols-http2:1701609-1705681
>> -/httpd/httpd/branches/2.4.x:1825504
>> /httpd/httpd/branches/2.4.x-mod_md:1816423-1821089
>> /httpd/httpd/branches/2.4.x-mpm_fdqueue:1824383-1824864
>> /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
>> +/httpd/httpd/branches/tlsv1.3-for-2.4.x:1840105-1841571
>> /httpd/httpd/branches/trunk-buildconf-noapr:1780253-1795930
>> /httpd/httpd/branches/trunk-md:1804087-1804529
>> /httpd/httpd/branches/trunk-override-index:1793921-1793931
>> /httpd/httpd/branches/wombat-integration:723609-723841
>> -/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,120,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
>> 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,130,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
>> ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341905-1341906,1341913,1341930,1342065,1343085,1343087,1343094,1343099,1343109,1343935,1344712,1345147,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,

Re: NOTICE: Intent to T&R 2.4.35 in the next few hours

2018-09-21 Thread Joe Orton
On Fri, Sep 21, 2018 at 08:52:32AM -0500, Daniel Ruggeri wrote:
> I've updated the proposed, generated announcements here:
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.html
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.txt
> 
> A quick proofread would be appreciated - this should be the exact
> messages that will be sent/published.

Looks good to me, thanks Daniel.

Regards, Joe


Re: RESULT: Passed - [VOTE] Release httpd-2.4.35

2018-09-21 Thread Marion & Christophe JAILLET

FYI, 2.4.35 version has been added to bz.

CJ


On 21/09/2018 at 14:31, Daniel Ruggeri wrote:

> Hi, all;
>
>     I am delighted to share that the vote to release Apache httpd-2.4.35
> has PASSED. The following votes were recorded:
>
> Binding +1:
> minfrin, icing, jorton, gsmith, steffenal, covener, jailletc36, ylavic,
> rjung, druggeri, wroewe
>
> Community +1:
> Noel Butler
>
>
> I'd like to add that, as an RM, I am VERY pleased that we received 12
> votes in only 3.5 days. I thank you for all the time you've put into
> this project and into testing this release.
>
> ANNOUNCE text will be updated a bit later today (with a note about
> OpenSSL and upcoming TLS 1.3) and I've kicked off the dist sync process.
>
> I will also plan to RM a followup release as promised now that the TLS
> 1.3 change has been merged... but let's give that a few weeks for other
> features to make it into 2.4.x :-)





Re: svn commit: r29575 - /dev/httpd/ /release/httpd/

2018-09-21 Thread William A Rowe Jr
You may want to use this opportunity to drop md5 and sha1 hashes, you will
be yelled at by ops when you attempt to publish new instances of these
obsoleted hashes.

In the apr release case, the announce was modded through anyways, but a
subsequent thread on dev@apr determined that only sha256 is both useful and
portable.

Adding a sha512 undermines our direction to users to rely on the asc pgp
sig.

Even on very stale OS's without sha256 in their tool chain, they likely
have openssl 0.9.8 or later with sha256 support.



On Fri, Sep 21, 2018, 07:37  wrote:

> Author: druggeri
> Date: Fri Sep 21 12:37:13 2018
> New Revision: 29575
>
> Log:
> Push 2.4.35 up to the release directory
>
> Added:
> release/httpd/CHANGES_2.4.35
>   - copied unchanged from r29574, dev/httpd/CHANGES_2.4.35
> release/httpd/httpd-2.4.35.tar.bz2
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.bz2
> release/httpd/httpd-2.4.35.tar.bz2.asc
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.bz2.asc
> release/httpd/httpd-2.4.35.tar.bz2.md5
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.bz2.md5
> release/httpd/httpd-2.4.35.tar.bz2.sha1
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.bz2.sha1
> release/httpd/httpd-2.4.35.tar.bz2.sha256
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.bz2.sha256
> release/httpd/httpd-2.4.35.tar.gz
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.gz
> release/httpd/httpd-2.4.35.tar.gz.asc
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.gz.asc
> release/httpd/httpd-2.4.35.tar.gz.md5
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.gz.md5
> release/httpd/httpd-2.4.35.tar.gz.sha1
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.gz.sha1
> release/httpd/httpd-2.4.35.tar.gz.sha256
>   - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.gz.sha256
> Removed:
> dev/httpd/CHANGES_2.4
> dev/httpd/CHANGES_2.4.35
> dev/httpd/httpd-2.4.35-deps.tar.bz2
> dev/httpd/httpd-2.4.35-deps.tar.bz2.asc
> dev/httpd/httpd-2.4.35-deps.tar.bz2.md5
> dev/httpd/httpd-2.4.35-deps.tar.bz2.sha1
> dev/httpd/httpd-2.4.35-deps.tar.bz2.sha256
> dev/httpd/httpd-2.4.35-deps.tar.gz
> dev/httpd/httpd-2.4.35-deps.tar.gz.asc
> dev/httpd/httpd-2.4.35-deps.tar.gz.md5
> dev/httpd/httpd-2.4.35-deps.tar.gz.sha1
> dev/httpd/httpd-2.4.35-deps.tar.gz.sha256
> dev/httpd/httpd-2.4.35.tar.bz2
> dev/httpd/httpd-2.4.35.tar.bz2.asc
> dev/httpd/httpd-2.4.35.tar.bz2.md5
> dev/httpd/httpd-2.4.35.tar.bz2.sha1
> dev/httpd/httpd-2.4.35.tar.bz2.sha256
> dev/httpd/httpd-2.4.35.tar.gz
> dev/httpd/httpd-2.4.35.tar.gz.asc
> dev/httpd/httpd-2.4.35.tar.gz.md5
> dev/httpd/httpd-2.4.35.tar.gz.sha1
> dev/httpd/httpd-2.4.35.tar.gz.sha256
> Modified:
> release/httpd/Announcement2.4.html
> release/httpd/Announcement2.4.txt
> release/httpd/CHANGES_2.4
>


Re: svn commit: r29575 - /dev/httpd/ /release/httpd/

2018-09-21 Thread Daniel Ruggeri
Ah, yes - good point. We even just talked about that topic at the board
meeting this week.

I'll nuke those and update the scripts to not generate them any more.

-- 
Daniel Ruggeri

On 9/21/2018 11:27 AM, William A Rowe Jr wrote:
> You may want to use this opportunity to drop md5 and sha1 hashes, you
> will be yelled at by ops when you attempt to publish new instances of
> these obsoleted hashes. 
>
> In the apr release case, the announce was modded through anyways, but
> a subsequent thread on dev@apr determined that only sha256 is both
> useful and portable. 
>
> Adding a sha512 undermines our direction to users to rely on the asc
> pgp sig. 
>
> Even on very stale OS's without sha256 in their tool chain, they
> likely have openssl 0.9.8 or later with sha256 support. 
>
>
>
> On Fri, Sep 21, 2018, 07:37  wrote:
>
> Author: druggeri
> Date: Fri Sep 21 12:37:13 2018
> New Revision: 29575
>
> Log:
> Push 2.4.35 up to the release directory
>
> Added:
>     release/httpd/CHANGES_2.4.35
>       - copied unchanged from r29574, dev/httpd/CHANGES_2.4.35
>     release/httpd/httpd-2.4.35.tar.bz2
>       - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.bz2
>     release/httpd/httpd-2.4.35.tar.bz2.asc
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.bz2.asc
>     release/httpd/httpd-2.4.35.tar.bz2.md5
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.bz2.md5
>     release/httpd/httpd-2.4.35.tar.bz2.sha1
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.bz2.sha1
>     release/httpd/httpd-2.4.35.tar.bz2.sha256
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.bz2.sha256
>     release/httpd/httpd-2.4.35.tar.gz
>       - copied unchanged from r29574, dev/httpd/httpd-2.4.35.tar.gz
>     release/httpd/httpd-2.4.35.tar.gz.asc
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.gz.asc
>     release/httpd/httpd-2.4.35.tar.gz.md5
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.gz.md5
>     release/httpd/httpd-2.4.35.tar.gz.sha1
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.gz.sha1
>     release/httpd/httpd-2.4.35.tar.gz.sha256
>       - copied unchanged from r29574,
> dev/httpd/httpd-2.4.35.tar.gz.sha256
> Removed:
>     dev/httpd/CHANGES_2.4
>     dev/httpd/CHANGES_2.4.35
>     dev/httpd/httpd-2.4.35-deps.tar.bz2
>     dev/httpd/httpd-2.4.35-deps.tar.bz2.asc
>     dev/httpd/httpd-2.4.35-deps.tar.bz2.md5
>     dev/httpd/httpd-2.4.35-deps.tar.bz2.sha1
>     dev/httpd/httpd-2.4.35-deps.tar.bz2.sha256
>     dev/httpd/httpd-2.4.35-deps.tar.gz
>     dev/httpd/httpd-2.4.35-deps.tar.gz.asc
>     dev/httpd/httpd-2.4.35-deps.tar.gz.md5
>     dev/httpd/httpd-2.4.35-deps.tar.gz.sha1
>     dev/httpd/httpd-2.4.35-deps.tar.gz.sha256
>     dev/httpd/httpd-2.4.35.tar.bz2
>     dev/httpd/httpd-2.4.35.tar.bz2.asc
>     dev/httpd/httpd-2.4.35.tar.bz2.md5
>     dev/httpd/httpd-2.4.35.tar.bz2.sha1
>     dev/httpd/httpd-2.4.35.tar.bz2.sha256
>     dev/httpd/httpd-2.4.35.tar.gz
>     dev/httpd/httpd-2.4.35.tar.gz.asc
>     dev/httpd/httpd-2.4.35.tar.gz.md5
>     dev/httpd/httpd-2.4.35.tar.gz.sha1
>     dev/httpd/httpd-2.4.35.tar.gz.sha256
> Modified:
>     release/httpd/Announcement2.4.html
>     release/httpd/Announcement2.4.txt
>     release/httpd/CHANGES_2.4
>



Re: svn commit: r29575 - /dev/httpd/ /release/httpd/

2018-09-21 Thread Dennis Clarke

On 09/21/2018 12:27 PM, William A Rowe Jr wrote:
> You may want to use this opportunity to drop md5 and sha1 hashes, you
> will be yelled at by ops when you attempt to publish new instances of
> these obsoleted hashes.
>
> In the apr release case, the announce was modded through anyways, but a
> subsequent thread on dev@apr determined that only sha256 is both useful
> and portable.
>
> Adding a sha512 undermines our direction to users to rely on the asc pgp
> sig.
>
> Even on very stale OS's without sha256 in their tool chain, they likely
> have openssl 0.9.8 or later with sha256 support.

I can tell you that I have seen unpatched barely maintained Solaris 10
servers in the wild. Chugging along. Sadly. Those things have :

# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: ... long list here )

Sure enough .. no sha512 there nor even sha256. Or much in fact.

However anything with a recent set of security updates :

jupiter # /usr/bin/openssl version
OpenSSL 1.0.2n  7 Dec 2017

Anything hugged by me :

# /usr/local/bin/openssl version
OpenSSL 1.1.1  11 Sep 2018


At least three flavours of OpenSSL may exist and that includes the lib
madness and RPATH fun therein. Stale may be a measure of "maintained".


Dennis



Re: NOTICE: Intent to T&R 2.4.35 in the next few hours

2018-09-21 Thread Dennis Clarke

On 09/21/2018 09:52 AM, Daniel Ruggeri wrote:

> I've updated the proposed, generated announcements here:
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.html
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.txt
>
> A quick proofread would be appreciated - this should be the exact
> messages that will be sent/published.

Here is my nickel worth.

The first and second links are "404" types and should be :

https://dist.apache.org/repos/dist/release/httpd/CHANGES_2.4

then

https://dist.apache.org/repos/dist/release/httpd/CHANGES_2.4.35


There may be changes to 
https://httpd.apache.org/security/vulnerabilities_24.html also.


Then this paragraph bugs me :

    This release requires the Apache Portable Runtime (APR), minimum
    version 1.5.x, and APR-Util, minimum version 1.5.x. Some features
    may require the 1.6.x version of both APR and APR-Util. The APR
    libraries must be upgraded for all features of httpd to operate
    correctly.

To me Apache httpd is the big dog of web services platforms in the open
world and so I have to wonder what features go missing and what features
get enabled with the latest and greatest apr and apr-util bits. Feels
like yet another text link notes.txt or similar. Worse, that means an
actual test build and check of httpd with older apr bits. How horrific
would it be to merely change the language of that paragraph and draw a
line in the sand thus :


    This release requires the Apache Portable Runtime (APR) and also
    the Apache Portable Runtime Utility. The APR libraries must be
    upgraded for all features of httpd to operate correctly.


Otherwise I have no idea what works and what won't work with a tree of
possible intermix versions of apr-util and apr.

Otherwise it looks all fine to me.

Dennis


Re: svn commit: r29575 - /dev/httpd/ /release/httpd/

2018-09-21 Thread William A Rowe Jr
On Fri, Sep 21, 2018 at 12:09 PM Dennis Clarke 
wrote:

> On 09/21/2018 12:27 PM, William A Rowe Jr wrote:
> > You may want to use this opportunity to drop md5 and sha1 hashes, you
> > will be yelled at by ops when you attempt to publish new instances of
> > these obsoleted hashes.
> >
> > Even on very stale OS's without sha256 in their tool chain, they likely
> > have openssl 0.9.8 or later with sha256 support.
>
> I can tell you that I have seen unpatched barely maintained Solaris 10
> servers in the wild. Chugging along. Sadly. Those things have :
>
> # /usr/sfw/bin/openssl version
> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: ... long list here )
>
> Sure enough .. no sha512 there nor even sha256. Or much in fact.


Many flavors of literally unsupported configurations still exist with no
sha256.
If these are used as outward facing servers, that's about as good for the
security ecosystem as unpatched Windows 98/ME instances that are still
out there.

But even in these cases, it is a simple matter to download to a system that
can validate the asc pgp sig, and transfer the file from that verified
source.
I see no issue here.
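
The SHA-256 check discussed in this thread, as an added example that is not part of any message above: a POSIX shell helper that uses sha256sum, shasum or openssl, whichever the host has, and accepts the digest layouts seen in the thread ("sha256: <hex> *file" from the vote mail, "SHA256(file)= <hex>" from openssl). The function names and the 3-byte sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); all function names are hypothetical.

# is_sha256_hex STR: succeed only for exactly 64 lowercase hex digits.
is_sha256_hex() {
    case $1 in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# sha256_of FILE: print the hex SHA-256 of FILE with the first tool found.
# Returns 1 if FILE is unreadable or no tool is installed.
sha256_of() {
    [ -r "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{ print $1 }'
    elif command -v openssl >/dev/null 2>&1; then
        # Output is "<hex>" or "...(stdin)= <hex>" depending on the version;
        # the digest is the last field either way.
        openssl dgst -sha256 < "$1" 2>/dev/null | awk '{ print tolower($NF) }'
    else
        return 1
    fi
}

# expected_from DIGEST_FILE: print the first 64-hex-digit token, lowercased.
# md5 (32 digits) and sha1 (40 digits) values are deliberately not accepted.
expected_from() {
    awk '{ for (i = 1; i <= NF; i++)
               if (length($i) == 64 && $i ~ /^[0-9A-Fa-f]+$/) {
                   print tolower($i); exit
               } }' "$1"
}

# verify_sha256 FILE [DIGEST_FILE]
# Returns 0 on match, 1 on mismatch, 2 when the check could not be made.
verify_sha256() {
    file=$1
    digest_file=${2:-$1.sha256}
    [ -r "$file" ] && [ -r "$digest_file" ] || {
        echo "verify_sha256: cannot read $file or $digest_file" >&2; return 2; }
    want=$(expected_from "$digest_file") || want=
    is_sha256_hex "$want" || {
        echo "verify_sha256: no SHA-256 digest in $digest_file" >&2; return 2; }
    got=$(sha256_of "$file") || got=
    is_sha256_hex "$got" || {
        echo "verify_sha256: no working SHA-256 tool on this host" >&2; return 2; }
    if [ "$got" = "$want" ]; then
        echo "$file: OK"
        return 0
    fi
    echo "$file: FAILED (got $got, want $want)" >&2
    return 1
}

# Demo on constructed input: a 3-byte file "abc", whose SHA-256 is the
# well-known test vector below, then the same file after corruption.
demo() {
    dir=$(mktemp -d) || return 2
    abc=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    printf 'abc' > "$dir/sample.tar.gz"
    printf 'sha256: %s *sample.tar.gz\n' "$abc" > "$dir/sample.tar.gz.sha256"
    ok=0;  verify_sha256 "$dir/sample.tar.gz" || ok=$?
    printf 'abd' > "$dir/sample.tar.gz"      # simulate a damaged download
    bad=0; verify_sha256 "$dir/sample.tar.gz" 2>/dev/null || bad=$?
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
demo
```

A matching digest only shows the file equals what the digest file describes; the .asc PGP signature check that the thread directs users to is still what ties the tarball to the release manager.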


Re: NOTICE: Intent to T&R 2.4.35 in the next few hours

2018-09-21 Thread William A Rowe Jr
On Fri, Sep 21, 2018 at 12:31 PM Dennis Clarke 
wrote:

>
> Then this paragraph bugs me :
>
>  This release requires the Apache Portable Runtime (APR), minimum
>  version 1.5.x, and APR-Util, minimum version 1.5.x. Some features
>  may require the 1.6.x version of both APR and APR-Util. The APR
>  libraries must be upgraded for all features of httpd to operate
>  correctly.
>
> To me Apache httpd is the big dog of web services platforms in the open
> world and so I have to wonder what features go missing and what features
> get enabled with the latest and greatest apr and apr-util bits. Feels
> like yet another text link notes.txt or similar. Worse, that means an
> actual test build and check of httpd with older apr bits. How horrific
> would it be to merely change the language of that paragraph and draw a
> line in the sand thus :
>
>
>  This release requires the Apache Portable Runtime (APR) and also
>  the Apache Portable Runtime Utility. The APR libraries must be
>  upgraded for all features of httpd to operate correctly.


Not "features". The original APR 1.4.x packages, corresponding to the
early httpd 2.4.x releases have known vulnerabilities to mitigate, which
read on an httpd build's behavior. I believe "correctly" is not a sufficient
caution.

I agree with you, that specific features in httpd docs should spell out
if an upgraded (post-1.4) flavor of apr[-util] is required for that feature.


Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

2018-09-21 Thread William A Rowe Jr
You might want to point out the -r flag to OpenSSL, which emits the same
output as bintools sha256.


On Fri, Sep 21, 2018, 12:30  wrote:

> Author: elukey
> Date: Fri Sep 21 17:30:07 2018
> New Revision: 1841620
>
> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
> Log:
> Remove MD5 traces from documentation and add a SHA256 tutorial.
>
> Modified:
> httpd/site/trunk/content/dev/verification.mdtext
>
> Modified: httpd/site/trunk/content/dev/verification.mdtext
> URL:
> http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
>
> ==
> --- httpd/site/trunk/content/dev/verification.mdtext (original)
> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07
> 2018
> @@ -19,10 +19,10 @@ Notice:Licensed to the Apache Softwa
>  # Verifying Apache HTTP Server Releases
>
>  All official releases of code distributed by the Apache HTTP Server
> Project
> -are signed by the release manager for the release. PGP signatures and MD5
> +are signed by the release manager for the release. PGP signatures and SHA
>  hashes are available along with the distribution.
>
> -You should download the PGP signatures and MD5 hashes directly from the
> +You should download the PGP signatures and SHA hashes directly from the
>  Apache Software Foundation rather than our mirrors. This is to help ensure
>  the integrity of the signature files. However, you are encouraged to
>  download the releases from our mirrors. (Our download page points you at
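Review bot: "SHA hashes" in both changed sentences does not say which algorithm the reader should expect, while the tutorial added further down in this same commit uses SHA256 and a .sha256 file throughout. Naming SHA256 here, or listing the digest types that are actually published, would keep the two sections consistent and stop a reader from treating any SHA-family file as equivalent.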
> @@ -168,3 +168,23 @@ verifying the signature of a release.
>  gpg: aka "Jim Jagielski "
>  gpg: aka "Jim Jagielski "
>
> +In order to check the integrity of the downloaded file, you need to
> download the source and the related SHA256
> +hash. For example, assuming a preference for tar.bz, to verify the
> 2.4.34 release you should end up with two files on disk:
> +
> +  * httpd-2.4.34.tar.bz2 (source)
> +  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
> +
> +On most Unix systems then it is only a matter of executing:
> +
> +% shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
> +httpd-2.4.34.tar.bz2: OK
> +
> +Behind the scenes, the command checks that the SHA hash contained in
> httpd-2.4.34.tar.bz2.sha256 matches the one
> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should
> be a 'OK' displayed.
> +
> +Another way to calculate the SHA256 has for a file is to use openssl:
> +
> +% openssl sha -sha256 httpd-2.4.34.tar.bz2
> +SHA256(httpd-2.4.34.tar.bz2)=
> fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
> +
> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches
> the above result.
> \ No newline at end of file
>
>
>
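Review bot: the added tutorial text has wording slips that should be fixed before it is published: "assuming a preference for tar.bz" should read tar.bz2 to match the two file names listed right below it, "calculate the SHA256 has for a file" should be "hash", and "a 'OK'" should be "an 'OK'". The file also now ends without a trailing newline.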


Re: svn commit: r1841632 - in /httpd/test/framework/trunk/t: conf/extra.conf.in htdocs/modules/data/ htdocs/modules/data/SupportApache-small.png modules/data.t

2018-09-21 Thread Christophe JAILLET

Hi,
When I wrote this tiny test, I first tried to use something with 
mod_include. Because the doc says "Data URLs can be embedded inline within 
web pages using something like the mod_include module, to 
remove the need for clients to make separate connections"


I tried something like:
    
    
         ">

    
    

However, mod_data does not process the image. It returns around line 79, 
where the comment states "base64-ing won't work on subrequests, it 
would be nice if it did."
And the binary is then embedded in the response, instead of its base64 
data:image equivalent string.

I was thinking that mod_data was there to allow such construction.

Did I miss something?
How is mod_data supposed to be used?

CJ


On 21/09/2018 at 21:24, jaillet...@apache.org wrote:

Author: jailletc36
Date: Fri Sep 21 19:24:40 2018
New Revision: 1841632

URL: http://svn.apache.org/viewvc?rev=1841632&view=rev
Log:
Add test for mod_data

Added:
 httpd/test/framework/trunk/t/htdocs/modules/data/
 httpd/test/framework/trunk/t/htdocs/modules/data/SupportApache-small.png   
(with props)
 httpd/test/framework/trunk/t/modules/data.t
Modified:
 httpd/test/framework/trunk/t/conf/extra.conf.in

Modified: httpd/test/framework/trunk/t/conf/extra.conf.in
URL: 
http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/conf/extra.conf.in?rev=1841632&r1=1841631&r2=1841632&view=diff
==
--- httpd/test/framework/trunk/t/conf/extra.conf.in (original)
+++ httpd/test/framework/trunk/t/conf/extra.conf.in Fri Sep 21 19:24:40 2018
@@ -1286,3 +1286,9 @@ LimitRequestFields32

 
  
+
+
+   
+  SetOutputFilter DATA
+   
+
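Review bot: in this copy the container lines around `SetOutputFilter DATA` are blank, so the scope of the filter cannot be checked from the hunk. Worth confirming that it is limited to the new htdocs/modules/data/ location and wrapped in a check for mod_data, so the appended block neither breaks configurations where the module is not built nor applies the filter to other tests' content.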

Added: httpd/test/framework/trunk/t/htdocs/modules/data/SupportApache-small.png
URL: 
http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/htdocs/modules/data/SupportApache-small.png?rev=1841632&view=auto
==
Binary file - no diff available.

Propchange: 
httpd/test/framework/trunk/t/htdocs/modules/data/SupportApache-small.png
--
 svn:mime-type = application/octet-stream

Added: httpd/test/framework/trunk/t/modules/data.t
URL: 
http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/modules/data.t?rev=1841632&view=auto
==
--- httpd/test/framework/trunk/t/modules/data.t (added)
+++ httpd/test/framework/trunk/t/modules/data.t Fri Sep 21 19:24:40 2018
@@ -0,0 +1,22 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my @testcases = (

[... 15 lines stripped ...]
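Review bot: only the preamble of data.t is visible here (the `@testcases` list and the plan are in the stripped lines), so two things to check in the full file: that the plan is guarded with `need_module` for mod_data so the test is skipped rather than failed on builds without it, and that the expected `data:` output is compared exactly, including the media type and the base64 of SupportApache-small.png. A case for the subrequest path raised in the message above would also document the current behaviour there.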






Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

2018-09-21 Thread Luca Toscano
Hi William,

can you write in here the full command to use? Didn't find the -r flag
that you mentioned :(

Thanks!

Luca
On Fri, 21 Sep 2018 at 14:30, William A Rowe Jr wrote:
>
> You might want to point out the -r flag to OpenSSL, which emits the same 
> output as bintools sha256.
>
>
> On Fri, Sep 21, 2018, 12:30  wrote:
>>
>> Author: elukey
>> Date: Fri Sep 21 17:30:07 2018
>> New Revision: 1841620
>>
>> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
>> Log:
>> Remove MD5 traces from documentation and add a SHA256 tutorial.
>>
>> Modified:
>> httpd/site/trunk/content/dev/verification.mdtext
>>
>> Modified: httpd/site/trunk/content/dev/verification.mdtext
>> URL: 
>> http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
>> ==
>> --- httpd/site/trunk/content/dev/verification.mdtext (original)
>> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07 2018
>> @@ -19,10 +19,10 @@ Notice:Licensed to the Apache Softwa
>>  # Verifying Apache HTTP Server Releases
>>
>>  All official releases of code distributed by the Apache HTTP Server Project
>> -are signed by the release manager for the release. PGP signatures and MD5
>> +are signed by the release manager for the release. PGP signatures and SHA
>>  hashes are available along with the distribution.
>>
>> -You should download the PGP signatures and MD5 hashes directly from the
>> +You should download the PGP signatures and SHA hashes directly from the
>>  Apache Software Foundation rather than our mirrors. This is to help ensure
>>  the integrity of the signature files. However, you are encouraged to
>>  download the releases from our mirrors. (Our download page points you at
>> @@ -168,3 +168,23 @@ verifying the signature of a release.
>>  gpg: aka "Jim Jagielski "
>>  gpg: aka "Jim Jagielski "
>>
>> +In order to check the integrity of the downloaded file, you need to 
>> download the source and the related SHA256
>> +hash. For example, assuming a preference for tar.bz, to verify the 2.4.34 
>> release you should end up with two files on disk:
>> +
>> +  * httpd-2.4.34.tar.bz2 (source)
>> +  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
>> +
>> +On most Unix systems then it is only a matter of executing:
>> +
>> +% shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
>> +httpd-2.4.34.tar.bz2: OK
>> +
>> +Behind the scenes, the command checks that the SHA hash contained in 
>> httpd-2.4.34.tar.bz2.sha256 matches the one
>> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should be 
>> a 'OK' displayed.
>> +
>> +Another way to calculate the SHA256 has for a file is to use openssl:
>> +
>> +% openssl sha -sha256 httpd-2.4.34.tar.bz2
>> +SHA256(httpd-2.4.34.tar.bz2)= 
>> fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
>> +
>> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches the 
>> above result.
>> \ No newline at end of file
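Review bot: the openssl variant at the end prints the digest labelled as `SHA256(httpd-2.4.34.tar.bz2)=` and then leaves the comparison with the .sha256 file to the reader's eye ("verify that the content ... matches the above result"). Spelling out the comparison step, or using an output form that can be checked mechanically as the reply above suggests, would make a mismatch harder to miss. The section should also say that the SHA256 check complements, and does not replace, the PGP signature verification described before it.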
>>
>>
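
The `-r` remark and the digest-file comparison from the quoted tutorial, as an added example that is not part of the thread: the `dgst` subcommand's `-r` option prints the `<hex> *<file>` layout that `shasum`/`sha256sum` write. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names below are constructed.

# Emit "<hex> *<file>", the coreutils layout. `openssl dgst -r` produces it
# directly; sha256sum is used only when openssl is not installed.
sha256_line() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1"
    else
        sha256sum -b "$1"
    fi
}

# Pull the first 64-character hex field out of the input, lowercased. Handles
# "<hex>", "<hex>  name", "<hex> *name" and "SHA256(name)= <hex>".
extract_sha256() {
    awk '{ for (i = 1; i <= NF; i++)
             if (length($i) == 64 && $i ~ /^[0-9A-Fa-f]+$/) {
                 print tolower($i); exit } }'
}

# Return 0 if FILE ($1) matches the value in DIGEST_FILE ($2), 1 on mismatch,
# 2 if DIGEST_FILE holds no usable SHA256 value.
verify_sha256() {
    expected=$(extract_sha256 < "$2")
    actual=$(sha256_line "$1" | extract_sha256)
    [ -n "$expected" ] || { echo "$2: no SHA256 value found" >&2; return 2; }
    if [ "$expected" = "$actual" ]; then
        echo "$1: OK"
    else
        echo "$1: FAILED" >&2; return 1
    fi
}

# Round trip on a constructed file: publish a digest, verify, tamper, verify.
demo_roundtrip() {
    dir=$(mktemp -d) || return 1
    printf 'constructed release payload\n' > "$dir/sample.tar.bz2"
    (cd "$dir" && sha256_line sample.tar.bz2 > sample.tar.bz2.sha256)
    verify_sha256 "$dir/sample.tar.bz2" "$dir/sample.tar.bz2.sha256" || return 1
    printf 'x' >> "$dir/sample.tar.bz2"
    if verify_sha256 "$dir/sample.tar.bz2" "$dir/sample.tar.bz2.sha256" 2>/dev/null
    then rc=1; else rc=0; fi
    rm -rf "$dir"
    return $rc
}
```

For a real download the call would be `verify_sha256 httpd-2.4.34.tar.bz2 httpd-2.4.34.tar.bz2.sha256`; `demo_roundtrip` exercises the same path on the constructed file.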


Re: TLSv1.3 support for 2.4.x?

2018-09-21 Thread Dennis Radford
With the recent release of openssl 1.1.1 back on Sept 11 that supports TLS
1.3 final RFC 8446, I believe demand for this backport will steadily
increase. Thank you Stephan for proposing this backport branch.

FreeBSD 11.2-RELEASE-p3
Apache/2.4.35-dev (Unix) 
OpenSSL/1.1.1

I've compiled and am running this branch and hosting a web site successfully
providing TLSv1.3 (rfc8446)
I can negotiate a TLS 1.3 connection from another openssl 1.1.1 client. I am
also successful connecting with Firefox Nightly 64.0a1. Support for RFC 8446
was added in version 63 which is expected to ship October 2018.

There is one error that I receive during initial 'make' if the package
converters/libiconv is installed on the system:


Temporarily uninstalling libiconv allows 'make' to finish.
However libiconv must be reinstalled prior to 'make install' to avoid
another error:


rsync is the only pkg that depends on libiconv so I'm not sure why it would
interfere in the make process.

After successfully compiling and installing this branch, httpd appears to
have the backported features working.
Thank you everyone for all your efforts in bringing this backport proposal
forward.

Cheers,

Dennis



--
Sent from: 
http://apache-http-server.18135.x6.nabble.com/Apache-HTTP-Server-Dev-f4771363.html

