Re: Status of 2.4.x-openssl-1.1.0-compat/ ?

2017-03-08 Thread Joe Orton
On Tue, Mar 07, 2017 at 12:45:54PM -0600, William A Rowe Jr wrote: > Six months ago, rjung forked 2.4.x and began to backport our > compatibility fixes for OpenSSL 1.1.0. Today, from the state of > trunk, it seems the compatibility efforts look very good and are > nearly ready to apply to 2.4.x.

Re: [RFC] ?

2017-02-27 Thread Joe Orton
On Wed, Feb 22, 2017 at 10:00:08PM +0100, Yann Ylavic wrote: > On Wed, Feb 22, 2017 at 11:47 AM, Joe Orton <jor...@redhat.com> wrote: > > (b) for match both "foo" and "<foo". > > I'd vote for this, it's very unlikely that some day we want to add

Re: [RFC] ?

2017-02-22 Thread Joe Orton
On Tue, Feb 21, 2017 at 02:28:52PM -0800, Jacob Champion wrote: > I haven't tried your patch yet, but from inspection it looks like you'd have > to do something like this if you're looking for a : > > > ... > > (Note the missing closing angle bracket in the argument.) Assuming I've

[RFC] ?

2017-02-21 Thread Joe Orton
For cases like HttpProtocolOptions where a new directive is introduced to multiple active branches simultaneously, it gets awkward to use to write conf files which use the new directive but are compatible across multiple versions. Triggered by a conversation with a user, but also e.g. see

Re: [2.2 PATCH] fix HttpProtocolOptions (etc) merging

2017-02-20 Thread Joe Orton
On Fri, Feb 17, 2017 at 12:38:30PM -0500, Eric Covener wrote: > +1 > > On Fri, Feb 17, 2017 at 12:37 PM, William A Rowe Jr > wrote: > > Great catch; +1 to commit to 2.2.x and > > http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict/ > > branches. > >

[2.2 PATCH] fix HttpProtocolOptions (etc) merging

2017-02-17 Thread Joe Orton
Found during QA of the CVE-2016-8743 patch here. The merging logic in merge_core_server_configs is (confusingly) inverted from 2.2 to 2.4, so e.g. HttpProtocolOptions doesn't inherit from global to vhost configs in 2.2.32. :( Index: server/core.c

Re: Underscores in hostnames

2017-02-03 Thread Joe Orton
On Thu, Feb 02, 2017 at 03:09:35PM +0200, Issac Goldstand wrote: > AFAIK, underscores are forbidden from being part of a host name as per RFC > 1123 Sec 2.1/RFC 952 (Assumptions Sec 1) > > It's also spelled out in RFC 3986: > " > A registered name intended for lookup in the DNS (...) >

Underscores in hostnames

2017-02-02 Thread Joe Orton
Another 2.4.25 regression reported from a Fedora user is that underscores in hostnames are rejected by default now. I couldn't see a specific discussion of this, was it deliberate? Following breadcrumbs... https://tools.ietf.org/html/rfc7230#section-5.4 Host = uri-host [ ":" port ] ;

Re: svn commit: r1773397 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c

2017-01-31 Thread Joe Orton
On Mon, Jan 30, 2017 at 07:52:03AM -0500, Eric Covener wrote: > I have a fix but not sure if the change should just be reverted. In > the PR, the user changed the 2.2 config to make the ProxyPass within > location and expected similar behavior. > > Should have probably just told them that

Re: svn commit: r1773397 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c

2017-01-30 Thread Joe Orton
On Fri, Dec 09, 2016 at 02:00:51PM -, cove...@apache.org wrote: > Author: covener > Date: Fri Dec 9 14:00:51 2016 > New Revision: 1773397 > > URL: http://svn.apache.org/viewvc?rev=1773397=rev > Log: > ProxyPass ! doesn't block per-directory ProxyPass > > *) mod_proxy: Honor a server scoped

Re: svn commit: r1778319 - /httpd/httpd/trunk/modules/core/mod_watchdog.c

2017-01-11 Thread Joe Orton
On Wed, Jan 11, 2017 at 11:08:29AM -0500, Jim Jagielski wrote: > This is to address the following bug: > > https://bugzilla.redhat.com/show_bug.cgi?id=1410883 Thanks a lot Jim! > The only reason why I can see why the orig idea to use s->process->pool > was to make watchdog run independent of

Re: svn commit: r1774010 - in /httpd/test/framework/trunk/t: conf/extra.conf.in modules/ext_filter.t

2016-12-15 Thread Joe Orton
On Thu, Dec 15, 2016 at 02:05:32AM -0600, William A Rowe Jr wrote: > Joe, did you forget an svn add? I see no ext_filter/ subdirectory on trunk; > > https://svn.apache.org/repos/asf/httpd/test/framework/trunk/t/htdocs/modules/filter/ Oops :( Added now, sorry guys.

Re: svn commit: r1774010 - in /httpd/test/framework/trunk/t: conf/extra.conf.in modules/ext_filter.t

2016-12-14 Thread Joe Orton
On Tue, Dec 13, 2016 at 10:14:21AM -0500, Jim Jagielski wrote: > > > On Dec 13, 2016, at 8:33 AM, Jim Jagielski wrote: > > > > This fails on all systems that have sed in /usr/bin/sed > > or someplace other than /bin :( > > > > Hmmm... even w/ the change to /usr/bin/sed I'm

Re: httpd test suite breakage

2016-11-29 Thread Joe Orton
On Mon, Nov 28, 2016 at 05:16:12PM -0600, William A Rowe Jr wrote: > httpd: Syntax error on line 295 of > /home/wrowe/dev/test/test24-apr16-ossl102/t/conf/httpd.conf: Cannot load > /home/wrowe/dev/test/test24-apr16-ossl102/c-modules/test_session/.libs/mod_test_session.so > into server: >

Re: svn commit: r1759415 - /httpd/httpd/trunk/include/http_config.h

2016-09-09 Thread Joe Orton
On Tue, Sep 06, 2016 at 02:26:54PM +0200, Yann Ylavic wrote: > Maybe we could backport r1702948 (and this commit, which I think is a > better naming for the attribute) ? +1 from me to doing both, these new warnings are annoying. MAYBE_UNUSED is definitely a better name. > Alternatively, if

Re: svn commit: r1748322 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h modules/dav/main/mod_dav.c modules/dav/main/mod_dav.h modules/dav/main/props.c modules/dav/main/providers.c

2016-09-02 Thread Joe Orton
On Mon, Jun 13, 2016 at 10:33:36PM -, minf...@apache.org wrote: > Author: minfrin > Date: Mon Jun 13 22:33:35 2016 > New Revision: 1748322 > > URL: http://svn.apache.org/viewvc?rev=1748322=rev > Log: > Allow other modules to become providers and add ACLs > to the DAV response. Requires

Re: Unbounded memory usage in mod_dav + mod_headers/mod_deflate/...

2016-08-22 Thread Joe Orton
On Fri, Aug 19, 2016 at 04:44:21PM +0300, Evgeny Kotkov wrote: ... > The problem is caused by how mod_dav passes the output filter list to its > providers. Please see the deliver() hook definition in mod_dav.h:1948 and > its usage in mod_dav.c:888: > > /* Repository provider hooks */ >

Re: [PATCH] on TRACE & RFC compliance

2016-06-30 Thread Joe Orton
Thanks a lot, all. I dropped the last sentence and pushed to trunk & 2.4.x. r1750750 & r1750752

[PATCH] on TRACE & RFC compliance

2016-06-29 Thread Joe Orton
We had a couple of people complaining about the language around TRACE in the docs, which say disabling TRACE "makes your server noncompliant", a claim I found hard to support. All methods but HEAD and GET are defined as OPTIONAL, so I'm not sure how this is true, am I missing something?

Re: dbmmanage

2016-06-07 Thread Joe Orton
On Tue, Jun 07, 2016 at 06:39:46AM -0400, Rich Bowen wrote: > In troubleshooting something with dbmmanage, I came across this: > > http://marc.info/?l=fedora-extras-commits=137148193030744=2 > > I'm sure there's more context here that I haven't unearthed yet, but > does anyone (Joe?) happen to

Re: [POLL] Commitment to 2.2.x lifecycle? (Was: End of the road of 2.2.x maintenance?)

2016-06-01 Thread Joe Orton
On Wed, May 25, 2016 at 10:11:40AM -0500, William A Rowe Jr wrote: > you are personally prepared to participate. [If you aren't a 2.2.x > legacy branch participant, testing RCs or applying backports, then no > response is needed.] > > *) I intend to help maintain/test 2.2.x releases over the

Re: rotatelogs and SIGTERM?

2016-02-15 Thread Joe Orton
On Fri, Feb 12, 2016 at 02:25:49PM -0500, Eric Covener wrote: > Recall that 2.2 ran piped loggers under a shell until somewhat late in > life, and 2.4 runs them directly [by default]. > > rotatelogs currently doesn't do anything to block sigterm. The > default handler for sigterm writes a short

Re: svn commit: r1706275 - /httpd/httpd/trunk/modules/ssl/ssl_engine_io.c

2015-10-07 Thread Joe Orton
On Wed, Oct 07, 2015 at 01:35:38AM +0200, Yann Ylavic wrote: > For the server case, openssl will use its own buffering mechanism > during the handshake "so that the output is sent in a way that TCP > likes", according to the comment in the code, so we shouldn't be > flushing small chunks. > Yet

Re: svn commit: r1706275 - /httpd/httpd/trunk/modules/ssl/ssl_engine_io.c

2015-10-06 Thread Joe Orton
On Tue, Oct 06, 2015 at 02:37:32PM +, Plüm, Rüdiger, Vodafone Group wrote: > The drawback is that it will flush every time the handshake writes. > The handshake may write multiple times before it wants to read. > So the current approach probably causes bigger amounts of data sent > across the

Re: svn commit: r1705236 - /httpd/httpd/trunk/modules/ssl/ssl_engine_io.c

2015-09-29 Thread Joe Orton
On Fri, Sep 25, 2015 at 03:54:56PM +0200, Yann Ylavic wrote: > Couldn't we completely remove the flush from bio_filter_in_read() then? > Or make it conditional to OpenSSL < 0.9.8m (since we support 0.9.8a at least)? That looks correct to me, +1. Regards, Joe

Re: logio problem with SSL

2015-09-25 Thread Joe Orton
On Fri, Sep 25, 2015 at 09:50:04AM +0200, Yann Ylavic wrote: > On Fri, Sep 25, 2015 at 1:00 AM, Yann Ylavic wrote: > > On Fri, Sep 25, 2015 at 12:22 AM, Eric Covener wrote: > >> > >> two logs (http/https) sorted to top of autoindex here: > >>

Re: Using UPN from subjectAltName with SSLUserName

2015-08-03 Thread Joe Orton
On Sun, Aug 02, 2015 at 09:33:48AM +0200, Kaspar Brand wrote: On 19.07.2015 17:24, Kaspar Brand wrote: But, to be on the safe side, I think we could a) move the OBJ_create() call to ssl_hook_pre_config and b) omit OBJ_cleanup(). Do you concur? For the record: I have now committed this to

Re: Using UPN from subjectAltName with SSLUserName

2015-07-13 Thread Joe Orton
On Sat, Jul 11, 2015 at 04:40:20PM +0200, Kaspar Brand wrote: @@ -1902,5 +1907,7 @@ apr_status_t ssl_init_ModuleKill(void *data) free_dh_params(); +OBJ_cleanup(); + return APR_SUCCESS; From being burnt previously three or four times, I get scared by OpenSSL process
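Review bot: the added OBJ_cleanup() call in ssl_init_ModuleKill() tears down OpenSSL's process-wide table of added objects, not state owned by mod_ssl alone, so any other code in the same process that registered OIDs with OBJ_create() loses them when this cleanup runs. Consider dropping the call, or add a comment beside it explaining why a process-global teardown is safe at this point.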

Re: namespacing in mod_ssl

2015-04-20 Thread Joe Orton
On Thu, Apr 16, 2015 at 06:42:04AM +0200, Kaspar Brand wrote: On 15.04.2015 18:36, Stefan Sperling wrote: However, the actual issue here is that mod_ssl is squatting the SSL_ namespace. Historically this may have made sense (it seems mod_ssl and OpenSSL have shared history/authors). Bill

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Joe Orton
On Sat, Jan 10, 2015 at 07:38:03AM -0500, Jeff Trawick wrote: On Fri, Jan 9, 2015 at 3:48 PM, Jeff Trawick traw...@gmail.com wrote: * Add helper functions to allocate a request_rec, conn_rec, server_rec. It doesn't solve all possible problems of course but can drastically reduce the

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Joe Orton
On Sat, Jan 10, 2015 at 09:04:12AM +1100, Graham Dumpleton wrote: 1. Verify that recompiling mod_wsgi is actually sufficient given than my direct use of request_rec isn't going to populate the extra fields and they will remain NULL still. As trailers shouldn't be expected in context the

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Joe Orton
On Mon, Jan 12, 2015 at 11:25:53AM -0500, Eric Covener wrote: On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton jor...@redhat.com wrote: Either way, the fix for CVE-2013-5704 ends up breaking backwards compatibility with existing 2.4.x builds of mod_wsgi, which is kind of Bad. I don't have a good

CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Joe Orton
Since Jim is talking 2.4.11, I should report this now. We discovered this week in Fedora: mod_wsgi does some interesting things in daemon mode, notably that it allocates a request_rec internally which ends up getting used by httpd. Reason is, the fix for CVE-2013-5704 extends the request_rec:

Re: MAJOR SECURITY-PROBLEM Apache 2.4.6

2014-10-02 Thread Joe Orton
On Wed, Oct 01, 2014 at 02:16:17PM -0400, Eric Covener wrote: The default handler (static file handler) is a fall-through, and there is not currently a way to tell it NOT to respond for something because a configured module unexpectedly passed control back. It is a relatively easy opt-in

Re: [PATCH] Support RFC5929 - Channel Bindings for TLS

2014-08-27 Thread Joe Orton
On Wed, Aug 27, 2014 at 10:05:40AM -0400, Simo Sorce wrote: Yes the spec is strange wrt digest, which is why the code looks strange too, here is the quote from RFC 5929 (4.1): Great, thanks. It took me two commits due to PEBKAC issues...

Re: [VOTE] Release Apache httpd 2.4.10 as GA

2014-07-16 Thread Joe Orton
On Tue, Jul 15, 2014 at 01:20:59PM -0400, Jim Jagielski wrote: The pre-release test tarballs for Apache httpd 2.4.10 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.10 GA. CHANGES, test suite, sigs, install

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote: Author: jorton Date: Tue Jul 15 12:27:00 2014 New Revision: 1610674 URL: http://svn.apache.org/r1610674 Log: SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy configuration, a remote attacker could

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 03:14:56PM +0200, Yann Ylavic wrote: On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Isn't x.is_req = (headers == r->headers_in); in ap_proxy_clear_connection an issue, when only called with the copy of

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 09:25:20AM -0400, Jim Jagielski wrote: I am very hesitant about adding this with so little review time... I would like to propose that we simply release 2.4.10 with the simple, trivial crash-fixer and allow us to spend more time on the below, in order to ensure it's

VOTE PLEASE! Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote: I've stuck it in STATUS. Any other opinions? Come on... one more for this, either way? * mod_proxy Connection handling crasher, CVE-2014-0117 trunk patch: http://svn.apache.org/r1610674 ALTERNATIVE #1 2.4.x patch: http

Re: ABI compatibility checker

2014-06-30 Thread Joe Orton
On Mon, Jun 30, 2014 at 06:16:52PM +0400, Andrey Ponomarenko wrote: See also ABI tracker for httpd: http://upstream-tracker.org/versions/httpd.html The tracker uses ABI compliance checker tool to create reports. The report between latest git and previous release version is updated daily:

Re: yet another mod_ssl temp DH handling tweak

2014-06-26 Thread Joe Orton
On Sat, Jun 21, 2014 at 09:24:05AM +0200, Kaspar Brand wrote: On 19.06.2014 23:17, Joe Orton wrote: I was reminded that there was a request to use the larger key sizes as well. Using ephemeral DH keys with sizes 4096 bits in TLS seems way overkill for the next decade or so (3072 bits

mod_ssl FakeBasicAuth, the colon problem (PR 52644)

2014-06-19 Thread Joe Orton
I've had a user hit this: with FakeBasicAuth the client DN gets translated into a Basic auth blob of base64(username:password), which then fails when the username part contains a : colon character. At minimum mod_ssl could/should catch and fail auth under FakeBasicAuth when DN is seen with a

Re: Memory leak in mod_ssl ssl_callback_TmpDH

2014-06-19 Thread Joe Orton
On Sat, Jun 14, 2014 at 10:35:28AM +0200, Kaspar Brand wrote: Just a quick reminder... I think it's important to backport r1597349/r1598107 + the additional adjustment for 2.4.10 (happy to vote once it's settled on trunk). Sorry guys. http://svn.apache.org/viewvc?view=revisionrevision=1603915

yet another mod_ssl temp DH handling tweak

2014-06-19 Thread Joe Orton
One more tweak here, proposed by Hubert from our QA team who has been reviewing all this stuff. Hubert argued we should be erring on the side of stronger not weaker here, particularly because of the possibility of 2048-bit keys being identified as 2047 in rare cases. Is this reasonable?

Re: yet another mod_ssl temp DH handling tweak

2014-06-19 Thread Joe Orton
On Thu, Jun 19, 2014 at 04:29:17PM +0100, Joe Orton wrote: One more tweak here, proposed by Hubert from our QA team who has been reviewing all this stuff. Hubert argued we should be erring on the side of stronger not weaker here, particularly because of the possibility of 2048-bit keys

Re: Memory leak in mod_ssl ssl_callback_TmpDH

2014-05-29 Thread Joe Orton
On Wed, May 28, 2014 at 10:10:16PM +0200, Ruediger Pluem wrote: Thanks, but I missed some stuff during review: 1. We don't need to have two DH pointers in make_dh_params Doh! 2. There possible frees on NULL pointers in free_dh_params: This is unnecessary because DH_free() does that

Re: Memory leak in mod_ssl ssl_callback_TmpDH

2014-05-28 Thread Joe Orton
On Wed, May 28, 2014 at 09:05:06AM +0200, Kaspar Brand wrote: Agree, CPU time is not a concern, get_dh_XXX() is only about populating DH with builtin constants (DH_generate_key happens at connection time, and is fast anyway). Ah, I did not realise. That is even more reason to do this at

Re: Memory leak in mod_ssl ssl_callback_TmpDH

2014-05-28 Thread Joe Orton
On Wed, May 28, 2014 at 01:58:05PM +, Plüm, Rüdiger, Vodafone Group wrote: Looks great. Care to commit? http://svn.apache.org/viewvc?view=revisionrevision=1598107

Re: Memory leak in mod_ssl ssl_callback_TmpDH

2014-05-27 Thread Joe Orton
On Sat, May 24, 2014 at 10:32:35AM +0200, Kaspar Brand wrote: On 19.05.2014 10:15, Plüm, Rüdiger, Vodafone Group wrote: Maybe stupid idea, but can't we do that once and hand it out over and over again? Not a stupid idea at all - I think it's actually the most sensible solution to this

Re: stop copying footers to r->headers_in?

2014-05-16 Thread Joe Orton
On Tue, May 06, 2014 at 07:45:42PM -0400, Eric Covener wrote: On Tue, May 6, 2014 at 6:44 PM, Yann Ylavic ylavic@gmail.com wrote: This patch (still) does not propose to merge splitted trailers into headers (for those broken by the change), but when (and why) would we do that? For

Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod

2014-04-14 Thread Joe Orton
On Sat, Apr 12, 2014 at 09:00:08AM -0400, Jeff Trawick wrote: So... Concerns? Suggestions? Etc.? Speak up, or forever* ask me to fix it after committing ;) (*Let's not be ridiculous though) Interesting stuff! I do think it is preferable to keep mod_ssl.h toolkit-agnostic. Because the

Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod

2014-04-14 Thread Joe Orton
On Mon, Apr 14, 2014 at 08:32:18AM -0400, Jeff Trawick wrote: FWIW, I think it is reasonable to say This *is* a private mod_ssl interface for the purposes of introducing some modularity within this particular SSL/TLS implementation, and these interfaces aren't intended for third-party modules.

Re: Zombies from rotatelogs

2014-04-14 Thread Joe Orton
On Mon, Apr 14, 2014 at 11:06:25AM -0500, Daniel Ruggeri wrote: I was taking a look at a server that had a handful of zombies and came to see they are caused by rotatelogs. It seems pretty straight forward why - I am calling gzip post-rotate to compress the log file and child cleanup only

CVE-2013-5704, mod_headers and chunked trailer fields

2014-04-01 Thread Joe Orton
For context: http://martin.swende.se/blog/HTTPChunked.html This was discussed a little on the security@ list last year but it's a difficult issue and there was not any consensus beyond the fact that the current behaviour is wrong, and punt to dev@. There is a separate thread about how to fix

Re: Affected versions for CVE-2014-0098

2014-03-31 Thread Joe Orton
On Sun, Mar 30, 2014 at 12:13:20PM +0200, Stefan Fritsch wrote: Hi, I have been looking at backporting the cookie issue fix, and it looks to me that it was introduced in http://svn.apache.org/viewvc?view=revisionrevision=r1374538

Re: modules calling ap_lingering_close()!!!

2014-02-21 Thread Joe Orton
On Thu, Feb 20, 2014 at 12:24:23PM -0500, Jeff Trawick wrote: BTW, do you know if there's a known collection of patches for 2.4 support or for other critical fixes? This shows what we have in Fedora, FWIW: http://pkgs.fedoraproject.org/cgit/mod_wsgi.git/tree/ ... all of which are in the

Re: modules calling ap_lingering_close()!!!

2014-02-21 Thread Joe Orton
On Fri, Feb 21, 2014 at 10:24:25AM +1100, Graham Dumpleton wrote: Crap. I thought those httpd 2.4 fixes were already in mod_wsgi 3.4. Another reason I have to get off my backside and release an updated version. Has been too long. That would be very useful! And yes mod_wsgi does lots of

Re: modules calling ap_lingering_close()!!!

2014-02-20 Thread Joe Orton
On Thu, Feb 20, 2014 at 07:52:34AM -0500, Jeff Trawick wrote: WSGI 3.4 daemon mode crashing with httpd 2.4.x... Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xaef17b70 (LWP 32761)] 0x08078a32 in update_child_status_internal () (gdb) where #0 0x08078a32 in

Re: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to vulnerabilities

2014-01-13 Thread Joe Orton
[X] It is mandatory to provide best available description and any available tracking information when committing fixes for vulnerabilities to any branch, delaying committing of the fix if the information shouldn't be provided yet.

Re: [Patch] non blocking writes in core

2013-11-21 Thread Joe Orton
On Tue, Nov 19, 2013 at 07:44:07PM +0200, Graham Leggett wrote: On 18 Nov 2013, at 1:24 PM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: +rv = send_brigade_nonblocking(net-client_socket, bb, + (ctx-bytes_written), c); +

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?

2013-11-14 Thread Joe Orton
On Thu, Nov 14, 2013 at 07:02:58AM +0100, Kaspar Brand wrote: On 13.11.2013 15:28, Dr Stephen Henson wrote: I can vaguely recall that some of that code is designed to avoid the need to enter the private key passphrase more than once by decrypting private keys once and storing the

Re: error log providers, multiple vhosts, mod_syslog

2013-11-07 Thread Joe Orton
On Thu, Oct 17, 2013 at 12:33:50PM +, Plüm, Rüdiger, Vodafone Group wrote: Hmm. This points out another issue when using an error log provider for the main server log: We lose everything that the server or other programs like CGI-scripts write to the stderr FD as it is simply written to

Re: stop copying footers to r->headers_in?

2013-10-21 Thread Joe Orton
On Sat, Oct 19, 2013 at 10:13:21AM -0400, Eric Covener wrote: now: 1) add r->footers_in and use it in 2.2 and up by default 2) add a directive to copy them up to r->headers_in (for those broken by the change) Bikeshed... r->trailers_in? +1 to all this anyway. I'd be tempted to (lazily) stop

Re: Warnings in buildconf on trunk

2013-10-01 Thread Joe Orton
On Tue, Oct 01, 2013 at 09:53:25AM +0200, Ruediger Pluem wrote: I see the following autoconf warning when executing buildconf on trunk: rebuilding configure configure.in:406: warning: AC_COMPILE_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS ../../lib/autoconf/specific.m4:386:

Re: mod_proxy, pooled backend connections and the keep-alive race condition

2013-10-01 Thread Joe Orton
On Fri, Aug 02, 2013 at 12:33:58PM +, Plüm, Rüdiger, Vodafone Group wrote: The typical way to solve this today is to know the keepalive timeout of the backend and set ttl for this worker to a value a few seconds below. I just looked at a case where the user is hitting this problem and

Re: breach attack

2013-08-09 Thread Joe Orton
On Fri, Aug 09, 2013 at 09:14:51AM -0700, Paul Querna wrote: In this case, I don't know if any of the proposed mitigations help; I'd love to have an easy way to validate that, so we could bring data to the discussion: If it increases the attack by multiple hours, and causes a 1% performance

Re: [PATCH] systemd socket activation

2013-07-23 Thread Joe Orton
On Sun, Jul 21, 2013 at 02:14:35PM -0700, Paul Querna wrote: Hiya Y'all, long time no patches :-) Attached is a patch that would let httpd use systemd's socket activation feature: http://0pointer.de/blog/projects/socket-activation.html Also online here:

Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID

2013-07-10 Thread Joe Orton
On Tue, Jul 09, 2013 at 11:02:18PM +0200, Stefan Fritsch wrote: On Tuesday 09 July 2013, Joe Orton wrote: On Tue, Jul 09, 2013 at 10:00:19AM +0200, Jan Kaluza wrote: I agree 20 bytes could be too much. I have changed my patch to have only 10 bytes long root. I will check the Daniel's

Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID

2013-07-09 Thread Joe Orton
On Tue, Jul 09, 2013 at 10:00:19AM +0200, Jan Kaluza wrote: I agree 20 bytes could be too much. I have changed my patch to have only 10 bytes long root. I will check the Daniel's ideas mentioned in another mail in this thread and try to implement it, but if we are going to do it my way, I

Re: [PATCH] Fix LDAPReferrals off

2013-07-09 Thread Joe Orton
On Thu, Jun 20, 2013 at 08:41:04AM -0400, Eric Covener wrote: I'm only concerned with someone who was getting by with LDAPReferrals OFF because the default gave their SDK an error. Now OFF would be fatal too. Just revisiting this... at least it seems clear that the docs do not match the code

Re: svn commit: r1491221 - /httpd/httpd/trunk/modules/generators/mod_autoindex.c

2013-06-10 Thread Joe Orton
On Sun, Jun 09, 2013 at 01:52:17PM -, jaillet...@apache.org wrote: --- httpd/httpd/trunk/modules/generators/mod_autoindex.c (original) +++ httpd/httpd/trunk/modules/generators/mod_autoindex.c Sun Jun 9 13:52:17 2013 @@ -1840,7 +1840,7 @@ static void output_directories(struct en

Re: mod_ssl NPN API rejig (was Re: Intent to revert commit r1332643)

2013-05-30 Thread Joe Orton
On Wed, May 29, 2013 at 03:04:30PM -0400, Matthew Steele wrote: Looks good to me. Thanks! Thanks a lot for reviewing. http://svn.apache.org/viewvc?view=revisionrevision=1487772 Gregg, thanks for confirming and sorry again about leaving the builds broken. Regards, Joe

mod_ssl NPN API rejig (was Re: Intent to revert commit r1332643)

2013-05-29 Thread Joe Orton
Guenter, can you test if the attached compiles on Windows? It is nothing special so it should be OK. This redesigns the NPN API with a cheap and crappy callback interface which doesn't rely on the actual hooks API; it is not pretty but it avoids the inter-module hard linkage issue (which is

Re: mod_ssl NPN API rejig (was Re: Intent to revert commit r1332643)

2013-05-29 Thread Joe Orton
Hi Matthew - thanks for taking a look at the patch so quickly. On Wed, May 29, 2013 at 10:52:10AM -0400, Matthew Steele wrote: Two questions about this change: - In modssl_register_npn, it appears that the code creates new npn_advertfns and npn_negofns arrays on every call, even if they

Re: mod_ssl NPN API rejig (was Re: Intent to revert commit r1332643)

2013-05-29 Thread Joe Orton
On Wed, May 29, 2013 at 11:37:14AM -0400, Matthew Steele wrote: Oops, yes, RUN_ALL semantics are desired; the misleading API description is my fault, sorry. (I confess I never really understood why RUN_ALL hooks accept both OK and DECLINED values, but then don't actually treat them any

Re: [VOTE] Release Apache httpd 2.4.4 as GA

2013-02-22 Thread Joe Orton
On Mon, Feb 18, 2013 at 03:34:15PM -0500, Jim Jagielski wrote: The pre-release test tarballs for Apache httpd 2.4.4 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.4 GA. NOTE: The -deps tarballs are

Re: mod_socache_shmcb segfaults

2013-02-08 Thread Joe Orton
On Sun, Feb 03, 2013 at 08:32:11PM +0100, Niklas Edmundsson wrote: Hi all! Something is definitely fishy with mod_socache_shmcb as shipped with httpd 2.4.3. I'm hacking on a module that uses 16byte indexes (IP(v6) addresses) to store 2byte counters (16bit uint), these sizes are given as

Re: httpd -X: does it still work?

2013-01-14 Thread Joe Orton
On Sat, Jan 12, 2013 at 05:42:55PM +0100, Stefan Fritsch wrote: On Saturday 12 January 2013, Graham Leggett wrote: Hi all, In theory, the -X flag is supposed to cause httpd to run a single worker, and not detach or fork. What I'm finding in v2.4 is that you mean a single worker

Re: svn commit: r1331110 - in /httpd/httpd/trunk: ./ modules/cache/ modules/dav/fs/ modules/filters/ modules/generators/ modules/loggers/ modules/mappers/ modules/slotmem/ support/

2013-01-08 Thread Joe Orton
On Thu, Apr 26, 2012 at 09:44:52PM -, s...@apache.org wrote: Author: sf Date: Thu Apr 26 21:44:51 2012 New Revision: 1331110 URL: http://svn.apache.org/viewvc?rev=1331110view=rev Log: Replace use of apr_file_write() with apr_file_write_full() to prevent incomplete writes. Add

Re: svn commit: r1428184 - /httpd/httpd/trunk/acinclude.m4

2013-01-03 Thread Joe Orton
On Thu, Jan 03, 2013 at 07:23:27AM -, kbr...@apache.org wrote: Author: kbrand Date: Thu Jan 3 07:23:27 2013 New Revision: 1428184 URL: http://svn.apache.org/viewvc?rev=1428184view=rev Log: Improve pkg-config usage for mod_ssl/ab: also use pkg-config for determining the -l flags

Re: svn commit: r1428184 - /httpd/httpd/trunk/acinclude.m4

2013-01-03 Thread Joe Orton
On Thu, Jan 03, 2013 at 02:00:22PM +0100, Kaspar Brand wrote: On 03.01.2013 12:20, Joe Orton wrote: add --static to pkg-config invocations, so that libraries for static linking are also taken into account (PR 54252 - note that the additional flags will only appear in modules/ssl/modules.mk

Re: svn commit: r1423353 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/proxy/mod_proxy_ftp.c

2012-12-18 Thread Joe Orton
On Tue, Dec 18, 2012 at 08:29:21AM -0500, Jeff Trawick wrote: My understanding is that we don't maintain messages numbers for TRACE messages, so the APLOGNO() could have been simply deleted. (I see several mod_lua messages that don't follow this pattern.) Ah, sorry, I didn't realise that.

Re: Powered by icon for httpd-2.4 needs update

2012-10-04 Thread Joe Orton
On Wed, Oct 03, 2012 at 11:15:57PM -0400, Eric Covener wrote: http://people.apache.org/~gsmith/httpd/apache_pb2copy.png http://www.humbedooh.com/apache/apache_pb.png http://www.humbedooh.com/apache/apache_pb2.png http://www.humbedooh.com/apache/apache_pb3.png pb3 has my vote

Re: [PATCH] mod_systemd

2012-10-04 Thread Joe Orton
On Wed, Oct 03, 2012 at 09:28:08AM +0100, Joe Orton wrote: On Wed, Sep 26, 2012 at 11:10:07AM -0400, Jan Kaluza wrote: attached patch adds new module called mod_systemd. Systemd [1] is service manager for Linux. Although httpd works with systemd normally, systemd provides sd_notify

Re: [PATCH] More useful data in ap_sload_t

2012-10-03 Thread Joe Orton
On Wed, Sep 26, 2012 at 10:46:04AM -0400, Jan Kaluza wrote: attached patch adds more variables (bytes_served and access_count) into ap_sload_t struct introduced in revision 1389481. The intention is to have standard method to get number of total bytes_served and access_count without code

Re: [PATCH] mod_systemd

2012-10-03 Thread Joe Orton
On Wed, Sep 26, 2012 at 11:10:07AM -0400, Jan Kaluza wrote: attached patch adds new module called mod_systemd. Systemd [1] is service manager for Linux. Although httpd works with systemd normally, systemd provides sd_notify(...) function [2] to inform service manager about current status of

Re: Linking mod_ssl with a specific OpenSSL version

2012-09-18 Thread Joe Orton
On Sun, Sep 16, 2012 at 08:00:00AM +0200, Kaspar Brand wrote: I have committed an improved version in r1385214 (in particular, more tweaking was required to properly handle support/ab, which can't make use of MOD_CFLAGS etc.). Reviews, further testing and feedback welcome. Looks good to me,

Re: which apr-util is really desired for the 2.2.X branch

2012-09-18 Thread Joe Orton
On Sat, Sep 15, 2012 at 11:57:21AM +0200, Ruediger Pluem wrote: I think this message is outdated and should be fixed. For 2.4.x and trunk it's even worse because it points to the no longer existing apr-util/trunk. Anyone opposed if I clean this up in the following way: 2.2.x: branches/1.4.x

Re: svn commit: r1365001 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h modules/proxy/mod_proxy.h modules/proxy/mod_proxy_connect.c modules/proxy/mod_proxy_ftp.c modules/proxy/proxy_util.c

2012-08-21 Thread Joe Orton
On Mon, Aug 20, 2012 at 10:38:14AM +0200, Guenter Knauf wrote: Hi Joe, your commit is missing a log number ... mod_proxy_connect.c .\mod_proxy_connect.c(257) : warning C4003: not enough actual parameters for macro 'APLOGNO' Damn, sorry about that Guenter, does this break the build for you?

Re: svn commit: r1374214 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_init.c

2012-08-21 Thread Joe Orton
On Sat, Aug 18, 2012 at 09:00:00AM +0200, Kaspar Brand wrote: On 17.8.12 13:59, jor...@apache.org wrote: @@ -1412,6 +1421,8 @@ static void ssl_init_proxy_certs(server_ ssl_die(s); } +/* ### Why is all the following done? Why is it necessary or + * useful for

Re: Linking mod_ssl with a specific OpenSSL version

2012-08-17 Thread Joe Orton
On Thu, Aug 16, 2012 at 08:36:31PM +0200, Kaspar Brand wrote: I wonder if we should add support for module-specific CFLAGS etc., which would always appear before the EXTRA_XXX stuff in the compile and link commands, i.e. in rules.mk we would have: ALL_CFLAGS = $(MOD_CFLAGS) $(EXTRA_CFLAGS)

Re: [Bug 51489] ProxyPassReverse adds an additional slash in load balancer setups

2012-08-17 Thread Joe Orton
On Fri, Aug 17, 2012 at 04:53:54PM +0200, Micha Lenk wrote: as you are apparently not subscribed to Bugzilla PR 51489, I am answering to your comment on that PR via mail. Please apologize in case you now got my answer twice. Thanks Micha, I get the bug mail via bugs@, but no problem. I've

Re: How to align shm in an neat way?

2012-08-14 Thread Joe Orton
On Mon, Aug 13, 2012 at 10:19:47PM +0200, Rainer Jung wrote: I went the choose right alignment way now: http://people.apache.org/~rjung/patches/mod_socache_shmcb-alignment.patch It actually wasn't that complicated. Alignment problems never die with that code! +1, that looks good, might be

core filters vs non-blocking socket (was Re: Fix for Windows bug#52476)

2012-08-13 Thread Joe Orton
On Fri, Aug 10, 2012 at 01:31:07PM -0400, Jeff Trawick wrote: We picked up that apr_socket_opt_set() from the async-dev branch with r327872, though the timeout calls in there were changed subsequently. I wonder if that call is stray and it doesn't get along with the timeout handling on Windows

Re: core filters vs non-blocking socket (was Re: Fix for Windows bug#52476)

2012-08-13 Thread Joe Orton
On Mon, Aug 13, 2012 at 09:27:08AM -0400, Jeff Trawick wrote: Does that explanation work for you? Yes, perfectly, thanks for taking the time. I stupidly forgot about the timeout calls... sorry! Regards, Joe

Re: Linking mod_ssl with a specific OpenSSL version

2012-08-08 Thread Joe Orton
On Wed, Aug 08, 2012 at 08:00:25AM +0200, Kaspar Brand wrote: My thinking was that people should explicitly tell configure that they want to link with the libs in a build directory (so that they don't accidentally use a directory which might only temporarily exist - that's also the primary

Re: [PATCH] proxy/balancer: fix PR 45434 regression

2012-07-25 Thread Joe Orton
On Tue, Jul 24, 2012 at 08:37:02PM +0200, Rainer Jung wrote: So: Your change seems good to me. Thanks very much for checking it out! r1365479.

Re: ProxyBlock question

2012-07-24 Thread Joe Orton
On Tue, Jul 24, 2012 at 07:55:27AM +, Plüm, Rüdiger, Vodafone Group wrote: Thanks. The patch reminded me of a special situation where the patch might not be suitable: If the forward proxy just forwards everything to the next proxy e.g. because it cannot do DNS lookups of the target

Re: ProxyBlock question

2012-07-24 Thread Joe Orton
On Tue, Jul 24, 2012 at 10:46:12AM +0200, Rainer Jung wrote: IMHO if the admin explicitly configured an IP in the ProxyBlock list we should nevertheless check. For this case there's already a somewhat related warning in the docs which we could enhance for this new case. It looks like we
