Re: svn commit: r1908132 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c
On 3/6/23 6:46 PM, di...@apache.org wrote: > Author: dirkx > Date: Mon Mar 6 17:46:04 2023 > New Revision: 1908132 > > URL: http://svn.apache.org/viewvc?rev=1908132&view=rev > Log: > Add SSL_SHARED_CIPHER environment variable > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml > httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c > > Modified: httpd/httpd/trunk/CHANGES > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1908132&r1=1908131&r2=1908132&view=diff > == > --- httpd/httpd/trunk/CHANGES [utf-8] (original) > +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Mar 6 17:46:04 2023 > @@ -1,6 +1,9 @@ > -*- coding: utf-8 > -*- > Changes with Apache 2.5.1 > > + *) Add a SSL_SHARED_CIPHER environment variable with the list of > + client/server permitted ciphers. [Dirk-Willem van Gulik] > + To reduce backporting conflicts we now store change entries in separate files per change in the changes-entries directory and merge them from time to time or latest before a release via 'make update-changes' into the CHANGES file. See http://svn.apache.org/viewvc/httpd/httpd/trunk/README.CHANGES?revision=1879840&view=co >*) mod_http2: field values (headers and trailers) are stripped of > leading/trailing whitespace (space +htab) before being processed > or send in a response. This is compatible behaviour to HTTP/1.1 > > Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1908132&r1=1908131&r2=1908132&view=diff > == > --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Mar 6 17:46:04 2023 
> @@ -66,7 +66,8 @@ compatibility variables. > SSL_SESSION_IDstring > The hex-encoded SSL session id > SSL_SESSION_RESUMED string > Initial or Resumed SSL Session. Note: multiple requests may be served > over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in > use > SSL_SECURE_RENEG string > true if secure renegotiation is supported, else > false > -SSL_CIPHERstring > The cipher specification name > +SSL_SHARED_CIPHERSstring > Colon separated list of shared ciphers (i.e. the subset of ciphers that > are configured on both server and on the client) > +SSL_CIPHERstring > The name of the cipher agreed between client and server > SSL_CIPHER_EXPORT string > true if cipher is an export cipher > SSL_CIPHER_USEKEYSIZE number > Number of cipher bits (actually used) > SSL_CIPHER_ALGKEYSIZE number > Number of cipher bits (possible) > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908132&r1=1908131&r2=1908132&view=diff > == > --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 6 17:46:04 2023 > @@ -1532,6 +1532,7 @@ static const char *const ssl_hook_Fixup_ > "SSL_SERVER_A_SIG", > "SSL_SESSION_ID", > "SSL_SESSION_RESUMED", > +"SSL_SHARED_CIPHERS", > #ifdef HAVE_SRP > "SSL_SRP_USER", > "SSL_SRP_USERINFO", > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1908132&r1=1908131&r2=1908132&view=diff > == > --- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Mon Mar 6 17:46:04 2023 
> @@ -506,6 +506,11 @@ static const char *ssl_var_lookup_ssl(ap > else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { > result = ssl_var_lookup_ssl_compress_meth(ssl); > } > +else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) { > +char buf[ 1024 * 16 ]; Is it important to be 16k? Typically we use HUGE_STRING_LEN which is 8k in such situations. If it needs to be 16k I would favor HUGE_STRING_LEN * 2 instead. > +if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf))) > + result = apr_pstrdup(p,buf); > +} > #ifdef HAVE_TLSEXT > else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { > result = apr_pstrdup(p, SSL_get_servername(ssl, > > > Regards Rüdiger
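Review bot: The CHANGES entry (like the log message) calls the variable SSL_SHARED_CIPHER, but the mod_ssl.xml and ssl_engine_kernel.c hunks of this same commit add SSL_SHARED_CIPHERS; the entry should use the plural so that the exported name is greppable, e.g. `*) Add an SSL_SHARED_CIPHERS environment variable with the list of ciphers permitted by both client and server.` The same line can serve as the content of the changes-entries file mentioned above.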
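Review bot: The SSL_SHARED_CIPHERS description in the mod_ssl.xml hunk does not say that the value can be incomplete: the lookup in ssl_engine_vars.c hands OpenSSL a fixed-size buffer and only tests the return value, and SSL_get_shared_ciphers() fits as many names as it can rather than failing, so a long shared list arrives cut short without any marker. A clause such as 'may be truncated if the list does not fit mod_ssl's internal buffer' belongs in the description, since an application deciding on a forced upgrade from this list (the use case from the original thread) should treat a name's absence as 'unknown', not 'unsupported'.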
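Review bot: Adding "SSL_SHARED_CIPHERS" to the ssl_hook_Fixup list exports it under SSLOptions +StdEnvVars, so every request on such a vhost now also pays for the SSL_get_shared_ciphers() call and for copying a possibly multi-kilobyte string into the CGI/subprocess environment; consistent with the neighbouring entries, but worth a word in the documentation hunk, and another reason to keep the lookup buffer no larger than needed.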
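Review bot: Two style points on the SHARED_CIPHERS branch, besides the buffer-size question above: the `result = apr_pstrdup(p,buf);` line is indented one column deeper than the `if` it belongs to, and both calls lack the space after commas used throughout this file (`SSL_get_shared_ciphers(ssl,buf,sizeof(buf))`, `apr_pstrdup(p,buf)`). Whichever constant is chosen for `buf`, a one-line comment saying that it is also the maximum length of the exported value would save the next reader a trip to the OpenSSL manual.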
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
+1 All looks fine on Windows. > On 5 Mar 2023 at 22:32, Eric Covener wrote the following: > > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: > [ ] +1: It's not just good, it's good enough! > [ ] +0: Let's have a talk. > [ ] -1: There's trouble in paradise. Here's what's wrong. > > The computed digests of the tarball up for vote are: > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 > *httpd-2.4.56-rc1.tar.gz > sha512: > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 > *httpd-2.4.56-rc1.tar.gz > > The SVN candidate source is found at tags/2.4.56-rc1-candidate. > > -- > Eric Covener > cove...@gmail.com
Re: svn commit: r1908060 - in /httpd/httpd/trunk/test/modules: http1/htdocs/cgi/ http2/ http2/htdocs/cgi/ md/ tls/ tls/htdocs/a.mod-tls.test/ tls/htdocs/b.mod-tls.test/
[resent to dev@] On Sat, Mar 04, 2023 at 01:40:39PM -, ic...@apache.org wrote: > Author: icing > Date: Sat Mar 4 13:40:38 2023 > New Revision: 1908060 > > URL: http://svn.apache.org/viewvc?rev=1908060&view=rev > Log: > Test case updates related to macOS ventura changes: > > - python 3.11 deprecates the `cg` module, replacing > url query and multipart form-data handling with new code > - adaptions to changes in openssl/curl behaviours > - all mod_tls test cases now have prefix `test_tls_` for > easier scoping. This seems to be failing: https://github.com/apache/httpd/actions/runs/4341851149/jobs/7581956398 1) Maybe some new pypi requirement or something? Looks like the CGI scripts are now giving 500 errors. 2) What is the path to the relevant error_log when running those tests, we can tweak the config to grab that file and upload it for easy diagnosis.
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 05, 2023 at 04:31:34PM -0500, Eric Covener wrote: > Hi all, > > Please find below the proposed release tarball and signatures: > > https://dist.apache.org/repos/dist/dev/httpd/ > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: > [X] +1: It's not just good, it's good enough! > [ ] +0: Let's have a talk. > [ ] -1: There's trouble in paradise. Here's what's wrong. +1, tests pass on RHEL 8+9 (x86_64), sigs good, thanks for RMing. Seems there is some tweak required to get Actions to work for a tag which I will look into. Regards, Joe
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
I would like to call a VOTE over the next few days to release this candidate tarball httpd-2.4.56-rc1 as 2.4.56: [x] +1: It's not just good, it's good enough! [ ] +0: Let's have a talk. [ ] -1: There's trouble in paradise. Here's what's wrong. +1
Re: expose SSL_SHARED_CIPHERs from SSL/TLS
> On 6 Mar 2023, at 13:32, Ruediger Pluem wrote: > > > > On 3/6/23 12:35 PM, Dirk-Willem van Gulik wrote: >> I was cleaning up some of our private code - and came across the patch below >> - exposing the SHARED_CHIPHERs. >> >> We scratch this itch in a few places to help force (or prevent) the forcing >> of a protocol upgrade from application land. >> >> No idea how common that is - any reason not to submit this as a suggestion >> for some future httpd version ? > > If you provide some documentation for the var, go for it :-) Draft against trunk below. As far as I could see mod_ssl.xml was the most sensible place to document this. Updated the SSL_CIPHER a little to clarify the relation between the two. Dw Index: docs/manual/mod/mod_ssl.xml === --- docs/manual/mod/mod_ssl.xml (revision 1908122) +++ docs/manual/mod/mod_ssl.xml (working copy) @@ -66,7 +66,8 @@ SSL_SESSION_IDstring The hex-encoded SSL session id SSL_SESSION_RESUMED string Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use SSL_SECURE_RENEG string true if secure renegotiation is supported, else false -SSL_CIPHERstring The cipher specification name +SSL_SHARED_CIPHERSstring Colon separated list of shared chiper (i.e. possible chipers that are present on both server and with the client)) +SSL_CIPHERstring The name of the selected cipher SSL_CIPHER_EXPORT string true if cipher is an export cipher SSL_CIPHER_USEKEYSIZE number Number of cipher bits (actually used) SSL_CIPHER_ALGKEYSIZE number Number of cipher bits (possible) Index: modules/ssl/ssl_engine_kernel.c === --- modules/ssl/ssl_engine_kernel.c (revision 1908122) +++ modules/ssl/ssl_engine_kernel.c (working copy) 
@@ -1532,6 +1532,7 @@ "SSL_SERVER_A_SIG", "SSL_SESSION_ID", "SSL_SESSION_RESUMED", +"SSL_SHARED_CIPHERS", #ifdef HAVE_SRP "SSL_SRP_USER", "SSL_SRP_USERINFO", Index: modules/ssl/ssl_engine_vars.c === --- modules/ssl/ssl_engine_vars.c (revision 1908122) +++ modules/ssl/ssl_engine_vars.c (working copy) @@ -506,6 +506,11 @@ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { result = ssl_var_lookup_ssl_compress_meth(ssl); } +else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) { +char buf[ 1024 * 16 ]; +if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf))) + result = apr_pstrdup(p,buf); +} #ifdef HAVE_TLSEXT else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { result = apr_pstrdup(p, SSL_get_servername(ssl,
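Review bot: The new SSL_SHARED_CIPHERS row in the mod_ssl.xml hunk has 'chiper'/'chipers' for 'cipher'/'ciphers' and an extra closing parenthesis ('... with the client))'); suggest 'Colon separated list of shared ciphers (i.e. the ciphers configured on both server and client)'. The SSL_CIPHER rewording to 'The name of the selected cipher' reads well.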
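Review bot: `char buf[ 1024 * 16 ];` in the ssl_engine_vars.c hunk puts a 16 KiB automatic array into a function that runs for every variable lookup; httpd sizes such scratch buffers with HUGE_STRING_LEN (8k) or a small multiple of it elsewhere, so either use that convention or leave a comment saying why 16k is needed. Since the branch only checks the return value, OpenSSL simply stops filling at the end of the buffer, so this constant is also the longest shared list the variable can ever carry.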
Re: expose SSL_SHARED_CIPHERs from SSL/TLS
On 3/6/23 12:35 PM, Dirk-Willem van Gulik wrote: > I was cleaning up some of our private code - and came across the patch below > - exposing the SHARED_CHIPHERs. > > We scratch this itch in a few places to help force (or prevent) the forcing > of a protocol upgrade from application land. > > No idea how common that is - any reason not to submit this as a suggestion > for some future httpd version ? If you provide some documentation for the var, go for it :-) Regards Rüdiger
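As an added illustration, not code from httpd or OpenSSL, of what the SHARED_CIPHERS lookup in Dirk's patch stores: a small C model of the behaviour OpenSSL documents for SSL_get_shared_ciphers() (names the client offered that the server also has, in client order, colon separated, silently cut short once the fixed buffer is full), run over constructed cipher lists. The buffer sizes are arbitrary and chosen to show the truncation case that the buffer-size question in this thread turns on.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lists (not from a real handshake): the ciphers the
 * client offered, in its preference order, and the server's configured set. */
static const char *const client_offered[] = {
    "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305", "DES-CBC3-SHA", NULL };
static const char *const server_configured[] = {
    "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA256", NULL };

static int in_set(const char *const *set, const char *name)
{
    for (; *set; set++)
        if (strcmp(*set, name) == 0)
            return 1;
    return 0;
}

/* Model of the behaviour OpenSSL documents for SSL_get_shared_ciphers():
 * walk the client's list in order, keep the names the server also has,
 * write them colon separated into the caller's fixed buffer, and stop
 * silently once the next name no longer fits (no error is reported).
 * Returns the number of names written, or -1 if the buffer is unusable. */
int shared_cipher_list(const char *const *client, const char *const *server,
                       char *buf, size_t size)
{
    size_t used = 0;
    int count = 0;
    if (size < 2)
        return -1;
    buf[0] = '\0';
    for (; *client; client++) {
        size_t n = strlen(*client);
        if (!in_set(server, *client))
            continue;
        if (used + (count ? 1 : 0) + n + 1 > size)   /* ':' + name + NUL */
            break;                                    /* truncated here */
        if (count)
            buf[used++] = ':';
        memcpy(buf + used, *client, n + 1);
        used += n;
        count++;
    }
    return count;
}

int main(void)
{
    /* One buffer that holds everything and one that is too small: the second
     * result looks like a valid, merely shorter, list to any consumer. */
    char big[256], small[40];
    int nb = shared_cipher_list(client_offered, server_configured, big, sizeof big);
    int ns = shared_cipher_list(client_offered, server_configured, small, sizeof small);
    printf("%d shared: %s\n", nb, big);
    printf("%d fit in %zu bytes: %s\n", ns, sizeof small, small);
    return 0;
}
```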
expose SSL_SHARED_CIPHERs from SSL/TLS
I was cleaning up some of our private code - and came across the patch below - exposing the SHARED_CHIPHERs. We scratch this itch in a few places to help force (or prevent) the forcing of a protocol upgrade from application land. No idea how common that is - any reason not to submit this as a suggestion for some future httpd version ? Dw Index: modules/ssl/ssl_engine_vars.c === --- modules/ssl/ssl_engine_vars.c (revision 620141) +++ modules/ssl/ssl_engine_vars.c (working copy) @@ -320,6 +320,11 @@ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { result = ssl_var_lookup_ssl_compress_meth(ssl); } +else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) { + char buf[ 1024 * 16 ]; + if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf))) + result = apr_pstrdup(p,buf); +} #ifndef OPENSSL_NO_TLSEXT else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { result = apr_pstrdup(p, SSL_get_servername(ssl, Index: modules/ssl/ssl_engine_kernel.c === --- modules/ssl/ssl_engine_kernel.c (revision 620141) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -1067,6 +1067,7 @@ "SSL_SERVER_A_KEY", "SSL_SERVER_A_SIG", "SSL_SESSION_ID", +"SSL_SHARED_CIPHERS", NULL }; and config SSLSessionCache None SSLSessionCacheTimeout 1 ... EOM
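Review bot: This diff is against revision 620141: the branch following the new one is guarded by `#ifndef OPENSSL_NO_TLSEXT`, whereas trunk now uses `#ifdef HAVE_TLSEXT` at the same spot (see the draft and commit earlier on this page), so the ssl_engine_vars.c hunk needs refreshing before it applies. The SHARED_CIPHERS branch itself does not depend on TLS extensions, so keeping it ahead of that guard is right; the 16k stack buffer and the missing spaces after commas are the same points raised against the later versions.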
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On Sun, Mar 5, 2023 at 10:31 PM Eric Covener wrote: > > I would like to call a VOTE over the next few days to release > this candidate tarball httpd-2.4.56-rc1 as 2.4.56: +1: It's not just good, it's good enough! All checksums/sigs and tests pass (Debian 11 & 12), thanks Eric for RMing. Regards; Yann.
Re: svn commit: r1908116 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/http2/mod_proxy_http2.c
> On 06.03.2023 at 10:37, Yann Ylavic wrote: > > On Mon, Mar 6, 2023 at 10:28 AM Ruediger Pluem wrote: >> >> Thanks. Should we roll a new rc with this being backported and included? > > I don't think so, the ci failure is caused by an explicit script/check > but the build works fine while runtime will only log an empty "AH" > number, not a show stopper IMO. Agreed, not a stopper. And we can always find the one code line with an empty AH! ;) > > Regards; > Yann.
Re: svn commit: r1908116 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/http2/mod_proxy_http2.c
On Mon, Mar 6, 2023 at 10:28 AM Ruediger Pluem wrote: > > Thanks. Should we roll a new rc with this being backported and included? I don't think so, the ci failure is caused by an explicit script/check but the build works fine while runtime will only log an empty "AH" number, not a show stopper IMO. Regards; Yann.
Re: svn commit: r1908116 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/http2/mod_proxy_http2.c
On 3/6/23 10:24 AM, jor...@apache.org wrote: > Author: jorton > Date: Mon Mar 6 09:24:44 2023 > New Revision: 1908116 > > URL: http://svn.apache.org/viewvc?rev=1908116&view=rev > Log: > * modules/http2/mod_proxy_http2.c: Fix missing APLOGNO. > > Modified: > httpd/httpd/trunk/docs/log-message-tags/next-number > httpd/httpd/trunk/modules/http2/mod_proxy_http2.c > > Modified: httpd/httpd/trunk/docs/log-message-tags/next-number > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1908116&r1=1908115&r2=1908116&view=diff > == > --- httpd/httpd/trunk/docs/log-message-tags/next-number (original) > +++ httpd/httpd/trunk/docs/log-message-tags/next-number Mon Mar 6 09:24:44 > 2023 > @@ -1 +1 @@ > -10412 > +10413 > > Modified: httpd/httpd/trunk/modules/http2/mod_proxy_http2.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/mod_proxy_http2.c?rev=1908116&r1=1908115&r2=1908116&view=diff > == > --- httpd/httpd/trunk/modules/http2/mod_proxy_http2.c (original) > +++ httpd/httpd/trunk/modules/http2/mod_proxy_http2.c Mon Mar 6 09:24:44 2023 > @@ -167,7 +167,7 @@ static int proxy_http2_canon(request_rec > * We have a raw control character or a ' ' in r->args. > * Correct encoding was missed. > */ > -ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412) >"To be forwarded query string contains control > " >"characters or spaces"); > return HTTP_FORBIDDEN; > > > Thanks. Should we roll a new rc with this being backported and included? Regards Rüdiger
Re: svn commit: r1907984 - /httpd/httpd/trunk/modules/dav/fs/quota.c
On 3/2/23 4:46 PM, m...@apache.org wrote: > Author: manu > Date: Thu Mar 2 15:46:12 2023 > New Revision: 1907984 > > URL: http://svn.apache.org/viewvc?rev=1907984&view=rev > Log: > Add RFC4331 quotas for mod_dav_fs > > Address forgotten svn add in previous commit > > Added: > httpd/httpd/trunk/modules/dav/fs/quota.c > > Added: httpd/httpd/trunk/modules/dav/fs/quota.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/fs/quota.c?rev=1907984&view=auto > == > --- httpd/httpd/trunk/modules/dav/fs/quota.c (added) > +++ httpd/httpd/trunk/modules/dav/fs/quota.c Thu Mar 2 15:46:12 2023 
> @@ -0,0 +1,359 @@ > +/* Licensed to the Apache Software Foundation (ASF) under one or more > + * contributor license agreements. See the NOTICE file distributed with > + * this work for additional information regarding copyright ownership. > + * The ASF licenses this file to You under the Apache License, Version 2.0 > + * (the "License"); you may not use this file except in compliance with > + * the License. You may obtain a copy of the License at > + * > + * http://www.apache.org/licenses/LICENSE-2.0 > + * > + * Unless required by applicable law or agreed to in writing, software > + * distributed under the License is distributed on an "AS IS" BASIS, > + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > + * See the License for the specific language governing permissions and > + * limitations under the License. > + */ > + > +/* > +** DAV filesystem-based quota routines > +*/ > + > +#include "apr.h" > +#include "apr_strings.h" > + > +#include "httpd.h" > +#include "http_log.h" > +#include "http_main.h" > + > +#include "mod_dav.h" > +#include "repos.h" > + > +/* > + * Just use a configure test? 
fields have been standardized for > + * while: https://pubs.opengroup.org/onlinepubs/7908799/xsh/sysstatvfs.h.html > + */ > +#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(OpenBSD) || \ > +defined(linux) > +#include > +#define HAVE_STATVFS > +#endif > + > +#define DAV_TRUE1 > +#define DAV_FALSE 0 > + > +/* Forwared declaration, since it calls itself */ > +static apr_status_t get_dir_used_bytes_walk(request_rec *r, > +const char *path, > +apr_off_t *used); > + > +static apr_status_t get_dir_used_bytes_walk(request_rec *r, > +const char *path, > +apr_off_t *used) > +{ > +apr_dir_t *dir = NULL; > +apr_finfo_t finfo; > +apr_status_t rv; > + > +if ((rv = apr_dir_open(&dir, path, r->pool)) != APR_SUCCESS) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, > + "failed to open \"%s\"", path); > +goto out; > +} > + > +do { > +apr_int32_t wanted; > +char *newpath; > + > +wanted = > APR_FINFO_DIRENT|APR_FINFO_TYPE|APR_FINFO_SIZE|APR_FINFO_NAME; > +rv = apr_dir_read(&finfo, wanted, dir); > +if (rv != APR_SUCCESS && rv != APR_INCOMPLETE) > +break; > + > +if (finfo.valid & APR_FINFO_NAME == 0) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + "Cannot get entry name in \"%s\"", path); > +goto out; > +} > + > +if (!strcmp(finfo.name, ".") || > +!strcmp(finfo.name, "..") || > +!strcmp(finfo.name, DAV_FS_STATE_DIR) || > +!strncmp(finfo.name, DAV_FS_TMP_PREFIX, > strlen(DAV_FS_TMP_PREFIX))) > +continue; > + > +if (finfo.valid & APR_FINFO_TYPE == 0) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + "Cannot get entry type in \"%s\"", path); > +goto out; > +} > + > +switch (finfo.filetype) { > +case APR_REG: > +if (finfo.valid & APR_FINFO_SIZE == 0) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + "Cannot get entry size in \"%s\"", path); > +goto out; > +} > +*used += finfo.size; > +break; > + > +case APR_DIR: > +if (finfo.valid & APR_FINFO_NAME == 0) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + "Cannot get entry name in \"%s\"", path); > +goto out; > +} Why do 
we need to check this again? We already checked this above. > + > +rv = apr_filepath_merge(&newpath, path, finfo.name, 0, r->pool); > +if (rv != APR_SUCCESS) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, > + "apr_filepath_merge \"%s\" \"%s\" failed", > + path, finfo.name); > +goto out; > +} > + > +
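Review bot: `if (finfo.valid & APR_FINFO_NAME == 0)` and its siblings for APR_FINFO_TYPE and APR_FINFO_SIZE parse as `finfo.valid & (APR_FINFO_NAME == 0)`, i.e. `finfo.valid & 0`, which is always false, so none of the 'Cannot get entry ...' checks can ever fire and an entry whose size was not reported still has `finfo.size` added to *used; write them as `if (!(finfo.valid & APR_FINFO_NAME))` (gcc's -Wparentheses points at exactly this). In the HAVE_STATVFS test, `defined(OpenBSD)` and `defined(linux)` should be `__OpenBSD__` and `__linux__` (`linux` is not predefined in strict ISO mode), otherwise statvfs support is silently left out on those platforms; the comment above it already asks for a configure check, which would remove the platform list altogether. Minor: 'Forwared declaration' in the comment.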
Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
On 3/5/23 22:31, Eric Covener wrote: Hi all, Please find below the proposed release tarball and signatures: https://dist.apache.org/repos/dist/dev/httpd/ I would like to call a VOTE over the next few days to release this candidate tarball httpd-2.4.56-rc1 as 2.4.56: [ ] +1: It's not just good, it's good enough! [ ] +0: Let's have a talk. [ ] -1: There's trouble in paradise. Here's what's wrong. The computed digests of the tarball up for vote are: sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 *httpd-2.4.56-rc1.tar.gz sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 *httpd-2.4.56-rc1.tar.gz +1 tested on Fedora 37 and OpenBSD 7.2 and 7.3-beta Giovanni