You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2018/09/21 12:15:10 UTC
Re: svn commit: r1841573 - in /httpd/httpd/branches/2.4.x: ./ CHANGES
STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
*cheers*!!
> On Sep 21, 2018, at 8:14 AM, minfrin@apache.org wrote:
>
> Author: minfrin
> Date: Fri Sep 21 12:14:05 2018
> New Revision: 1841573
>
> URL: http://svn.apache.org/viewvc?rev=1841573&view=rev
> Log:
> Add TLSv1.3 support to mod_ssl:
> trunk: http://svn.apache.org/r1839946
> http://svn.apache.org/r1839920
> http://svn.apache.org/r1833589
> http://svn.apache.org/r1833588
> http://svn.apache.org/r1828723
> http://svn.apache.org/r1828720
> http://svn.apache.org/r1828222
> http://svn.apache.org/r1827992
> http://svn.apache.org/r1827924
> http://svn.apache.org/r1827912
> http://svn.apache.org/r1828790
> http://svn.apache.org/r1828791
> http://svn.apache.org/r1828792
> http://svn.apache.org/r1840585
> http://svn.apache.org/r1840710
> http://svn.apache.org/r1841218
> 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x
>
> Modified:
> httpd/httpd/branches/2.4.x/ (props changed)
> httpd/httpd/branches/2.4.x/CHANGES
> httpd/httpd/branches/2.4.x/STATUS
> httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
> httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
> httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
> httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
> httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
>
> Propchange: httpd/httpd/branches/2.4.x/
> ------------------------------------------------------------------------------
> --- svn:mergeinfo (original)
> +++ svn:mergeinfo Fri Sep 21 12:14:05 2018
> @@ -1,11 +1,11 @@
> /httpd/httpd/branches/2.4.17-protocols-changes:1712542-1715252
> /httpd/httpd/branches/2.4.17-protocols-http2:1701609-1705681
> -/httpd/httpd/branches/2.4.x:1825504
> /httpd/httpd/branches/2.4.x-mod_md:1816423-1821089
> /httpd/httpd/branches/2.4.x-mpm_fdqueue:1824383-1824864
> /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
> +/httpd/httpd/branches/tlsv1.3-for-2.4.x:1840105-1841571
> /httpd/httpd/branches/trunk-buildconf-noapr:1780253-1795930
> /httpd/httpd/branches/trunk-md:1804087-1804529
> /httpd/httpd/branches/trunk-override-index:1793921-1793931
> /httpd/httpd/branches/wombat-integration:723609-723841
> -/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,1201111,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
> 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,1301111,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
> ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341905-1341906,1341913,1341930,1342065,1343085,1343087,1343094,1343099,1343109,1343935,1344712,1345147,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1362707,1363035,1363183,1363186,1363312,1363440,1363557,1363589,1363829,1363832,1363836-1363837,1363853,1364133,1364138,1364229,1364601,1364695,1365001,1365020,1365029,1365479,1366319,1366344,1366621,1367778,1367819,1368053,1368058,1368094,1368121,1368131,1368393,1368396,1369419,1369568,1369
> 604,1369618,1369904,1369995,1369999,1370001,1370466,1370592,1370615-1370616,1370763,1371387,1371791,1371801,1371878,1371903,1373270,1373447,1373898,1373955,1374157,1374199,1374214,1374216,1374247,1374874,1374877,1374880,1375006,1375009,1375011,1375013,1375445,1375584,1376695,1376700,1378178,1383490,1384408,1384913,1386576,1386578,1386726,1386822,1386880,1386913,1387085,1387088,1387110,1387389,1387444,1387603,1387607,1387633,1387693,1387979,1388029,1388445,1388447,1388648,1388660,1388825,1388899,1389316,1389339,1389481,1389506,1389564,1389566-1389569,1390562,1390564,1391396,1391398,1391771,1392120,1392122,1392150,1392214,1392345-1392347,1392850,1393033,1393058,1393152,1393338,1393564,1394079,1395225,1395253-1395256,1395792,1396440,1397172,1397320,1397636,1397687,1397710,1397716,1398025,1398040,1398066,1398478,1398480-1398481,1398970,1399413,1399687,1399708,1400700,1401448,1402924,1403476,1403483,1403492,1404653,1405407,1405856,1405973,1406068,1406493,1406495,1406616,1406646,1406760,1
> 407004,1407006,1407085,1407088,1407248,1407381,1407459-1407460,1407528,1407853,1407965,1408093,1408402,1408958,1408961,1409170,1409437,1409726,1409800,1410681,1410954,1411862,1412278,1413732,1414094,1415008,1415023,1415075,1416121,1416150,1416278,1417197,1417440,1417529,1418524,1418556,1418648,1418655,1418703,1418721,1418752,1418761,1418765,1418769,1419084,1419719,1419726,1419755,1419781,1419796,1420120,1420124,1420149,1420184,1420644,1420685-1420686,1420975,1421288,1421323,1421851,1421912,1421953,1422135,1422549,1422594,1422712,1422855,1422937,1422943,1422980,1423353,1423933,1425360,1425771-1425772,1425775,1425777,1425874,1426850,1426975,1427546,1428184,1428280,1428916,1429228,1429559,1429561,1429564,1429582,1430575,1430814,1430869,1433001,1433613,1433682,1433861,1433988,1435178,1435811,1436058,1436401,1439083,1439106,1439114,1439404,1439623,1442309,1442320,1442326,1442412,1442759,1442865,1447993,1448171,1448453,1451478,1451484,1451633,1451830,1451849,1451905,1451921,1452128,145219
> 5,1452259,1452281,1452551,1452911,1452949,1452954,1453022,1453574,1453604,1453875-1453876,1453963,1453981,1454386,1454414-1454415,1454888,1457437,1457450,1457471,1457504,1457520-1457521,1457610,1457995,1458003-1458004,1458020,1458285,1458447,1458456,1462266,1462269,1462643,1463044-1463047,1463049,1463052,1463056,1463455,1463736,1463750,1463754,1464675,1464721,1464762,1465115-1465116,1465190,1467593,1467765,1468581,1470183,1470679,1470940,1471449,1475878,1476604,1476621,1476642,1476644-1476645,1476652,1476680,1477094,1477530,1478382,1478748,1479117,1479216,1479222,1479411,1479528,1479905,1479966,1480046,1480627,1481197,1481302,1481306,1481396-1481397,1481891,1482041,1482075,1482170,1482555,1482859,1482996,1483005,1483027,1483190,1484343,1484398,1484832,1484910,1484914,1485409,1485668,1486490,1487528,1487530,1487775,1488158,1488164,1488296,1488471,1488492,1488644,1490294,1490493,1490507,1490550,1490761,1490994,1491155,1491221,1491234,1491458,1491479,1491538,1491564,1491724,1492395,149
> 2663,1492710,1492782,1493257,1493330,1493921,1493925,1494532,1494536,1495501,1496194,1496338,1496429,1496709,1497371,1497588,1498880,1499679,1500323,1500345,1500362,1500423,1500437,1500483,1500519,1501294,1501369,1501399,1501827,1501913,1502665,1502772,1503680,1503866,1503990-1503991,1504276,1506474,1506714,1509872,1509983,1510084-1510085,1510098,1510295,1510588,1510707,1511093,1513492,1513508,1514039,1514064,1514214-1514215,1514255,1514267,1514617,1515050,1515162,1515403,1515411,1515420,1517025,1517045,1517175,1517366,1517386,1517388,1518265,1518269,1519475,1520368,1520445,1520760,1520908,1521909,1523235,1523239,1523281,1523387,1524101,1524158,1524192,1524368,1524388,1524770,1525276,1525280-1525281,1525931,1526168,1526189,1526647,1526666,1527008,1527220,1527291,1527294-1527295,1527509,1527925-1527926,1528143,1528718,1529014,1529277,1529449,1529559,1529988,1529991,1530793,1531340,1531370,1531505,1531672,1531961-1531962,1532281,1532289,1532746,1532816,1533065,1533224,1533810,1533935,
> 1534321,1534754,1534890,1534892,1534895-1534896,1534914,1536310,1537535,1537718,1538490,1540051-1540052,1541181,1541270,1541368,1542338,1542379,1542533,1542562,1542615,1543020,1543147,1543149,1543174,1544381,1544774,1544784,1544812,1544820,1545286,1545292,1545325,1545364,1545408,1545411,1546692-1546693,1546730,1546759-1546760,1546801,1546804-1546805,1546835-1546836,1546860,1547845,1550061,1550302,1550307,1551611,1551685,1551714,1551802,1552130,1552227,1553204,1553824,1554161,1554168,1554170,1554175-1554176,1554179,1554181,1554184,1554188,1554192,1554195,1554276,1554281,1554300-1554301,1554994-1554995,1555240,1555259,1555266,1555423-1555424,1555463-1555464,1555467,1555555,1555569,1555631,1556206,1556428,1556473,1556911-1556912,1556914,1556937,1557317,1557617,1558483,1559351,1559828,1560367,1560546,1560679,1560689,1560729,1560977,1560979,1561137,1561262,1561385,1561660,1561923,1562472,1563193,1563379,1563381,1563417-1563418,1563420,1564052,1564437,1564475,1564756,1564760,1565081,15657
> 11,1568404,1569615,1570288,1570598,1571369,1572092,1572198,1572543,1572561,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572905,1572911,1572967,1573224,1573229,1573626,1574151,1575400,1576233,1576741,1578760,1578762,1580568,1580928,1580935,1583005,1583007-1583008,1583027,1583175,1583191,1584098,1584417,1584430,1584434,1584572,1584653,1584658,1584665,1584703,1584878,1584884,1584896,1585054,1585072,1585090,1585157,1585435,1585609,1585824,1585918-1585919,1586745,1586827,1587036,1587040,1587053,1587255,1587594,1587607,1587639,1587654,1588054,1588065,1588213,1588330,1588427,1588519,1588527,1588704,1588806,1588851,1588853,1588868,1589413,1590437,1590509,1591143,1591320,1591322,1591328,1591390,1591394,1591401,1591472,1591508,1592032,1592037,1592500,1592511,1592514,1592529,1592615,1592632,1593745,1594625,1594643,1594648,1595305,1595321,1595426,1597182,1597349,1597352,1597533,1597639,1597642,1598107,1598946,1599012,1599535,1601076,1601184-1601185,1601274,1601291,1601559,1601624,16
> 01630,1601919,1601995,1602338,1602978,1602989,1603027,1603029,1603122,1603156,1603915,1604382,1604461,1604631,1605207,1605328,1605827,1605829,1607960,1608284,1608785,1608999,1609914,1609936,1609938,1610207,1610311,1610353,1610366,1610491,1610652,1610674,1611165,1611169,1611244,1611600,1611871,1611978,1612068,1615026,1615289,1617018,1617913,1618401,1618541,1618555,1619297,1619383,1619444,1619483,1619835,1620324,1620461,1620932,1621367,1621372,1621417,1621453,1621806,1622450,1624234,1624349,1625196,1625952,1626050,1626956,1626978,1628104,1628388,1628918-1628919,1628924,1628950,1629235,1629239,1629244,1629250,1629372,1629440-1629441,1629485,1629507-1629508,1629519,1629576-1629577,1629652,1629916,1631885,1632454,1632740,1632742,1633730-1633731,1633793,1634120,1634237,1634425,1634736,1634836,1635510,1635558,1635644-1635645,1635762,1637112,1638072-1638073,1638879,1639614,1640031,1640036,1640040,1640042,1640331,1641077,1641095,1641376,1642099,1642484,1642499,1642847,1642868,1643034,1643279
> ,1643284,1643537,1643825,1644245,1646282,1646724,1647035,1648201,1648394,1648433,1648719,1648840,1649001,1649043,1649491,1649632,1649966,1650047,1650061,1650309-1650310,1650320,1651088,1652829,1652929,1652931,1652955,1652982,1652985,1652989,1653941,1653978,1653997,1656225,1656549,1656669,1657256,1657261,1657636,1657638,1657685,1657881,1657897,1658760,1658765,1661067,1661258,1661448,1661464,1661486,1662245-1662246,1662437,1663017,1663647,1664071,1664133,1664205,1664299,1664565,1664709,1665215-1665216,1665218,1665625,1665643,1665721,1666297,1666361,1666363,1666415,1666417,1666468,1666617-1666618,1666998,1667385-1667386,1667676,1667707,1668532,1668535,1668553,1669130,1669289,1669292,1670434,1671364,1671396-1671397,1671918,1672289,1672453,1672466,1672480,1672483,1672564,1672757,1672985,1672989,1673113,1673155,1673368,1673455,1673769,1674056,1674538,1674542,1674606,1674632,1674697,1675103,1675410,1675533,1676085,1676654,1676709,1676842,1677096,1677143-1677146,1677149,1677151,1677153-1677
> 156,1677159,1677339,1677462,1677702,1677830,1677832,1677834-1677835,1678763,1679032,1679181-1679182,1679192,1679428,1679432,1679470,1679620,1679712,1680276,1680895,1680900,1680942,1681037,1681424,1681440,1681685,1681694,1681795,1682482,1682816,1682819,1682907,1682923,1682937,1682979,1682988,1683044,1683047,1683123,1683881,1683884,1684057,1684171,1684636,1684900,1685069,1685339,1685345,1685347,1685349-1685350,1685650,1685659,1685779,1686085,1686853,1686856,1687539,1687680,1687980,1688274,1688331,1688339-1688341,1688343,1688399,1688474-1688475,1688536,1688538,1688660,1689325,1689605,1689694,1689698,1690120,1690137,1690248,1691374,1691582,1691592,1691819,1691908,1692285,1692432,1692486,1692516,1693792,1693918-1693919,1693963,1694903,1694936,1694950-1694951,1695170,1695727,1695874,1695885,1695920,1696105,1696264,1696266,1696279,1696428,1696442,1696565,1696592,1696607,1696755,1696881,1697013,1697015,1697051,1697323,1697339,1697370,1697389,1697446,1697543,1697634,1697855,1698023,1698103,1
> 698107,1698116,1698133,1698330,1698334,1700271,1700275,1700317-1700322,1700326,1700328,1700330-1700332,1700334,1700336,1700338,1700418,1700514,1700777,1700851,1700917,1700925,1700968,1701005,1701145,1701178,1701204,1701347,1701436,1701545,1701717,1702643,1702919,1702948,1703152,1703241,1703248,1703417,1703642,1703807,1703813,1703822,1703871,1703902,1703952,1704099,1704241,1704262,1704797,1704799,1704826,1705099,1705134,1705194,1705217,1705257,1705749,1705776,1705823,1705826,1705828,1705833,1705922,1705983,1706275,1706523,1706595,1706627,1706635,1706637,1706640,1706918,1706942,1706989,1707002,1707230-1707231,1707497,1707512,1707519,1707591,1707626-1707627,1707640,1707831,1707883,1707889,1708107,1709008,1709587,1709596,1709602,1709995,1710095,1710105,1710231,1710380,1710391,1710403,1710419,1710572,1710583,1710723,1711479,1711553,1711648,1711728,1711902,1712382,1713040,1713043,1713209,1713937,1715023,1715255,1715273,1715567-1715568,1715570-1715572,1715576,1715581-1715585,1715886,171621
> 1,1716388,1716460,1716487,1716660,1716940,1717063,1717086,1717639,1717816,1717934,1717958,1717975,1717985,1718314,1718338,1718400,1718476,1718496,1718514,1718556,1718569,1718598,1719016,1719018,1719189-1719190,1719252,1719254-1719255,1719257,1719967,1720129,1720996,1721313,1721685,1721899,1722137,1722154,1722177,1722195,1722229,1722320,1722328,1722334,1722350-1722351,1722358,1722377,1722572,1722701,1723122,1723143,1723284,1723295,1723522,1723567,1723953,1724847,1724857,1724879,1724992-1724993,1724995,1725018,1725031,1725090,1725120,1725149,1725325,1725328,1725387,1725392,1725394-1725395,1725445,1725468,1725485,1725489,1725498-1725499,1725516,1725523,1725545,1725567,1725581,1725602,1725822,1725940,1725967,1726009,1726026,1726038,1726049,1726051-1726052,1726055,1726086,1726167,1726233,1726675,1726705,1726798,1726881,1726888,1727071,1727111,1727317,1727544,1727573,1727603,1727842,1728326,1728804,1729208,1729235,1729374,1729376,1729826,1729847,1729929-1729931,1729960,1730079,1730297,173
> 0640,1730723,1730865,1731929,1732228,1732252,1732353,1732369,1732716,1732954,1732986,1733056,1733064,1733068,1733088-1733089,1733275,1733523,1733537-1733538,1733691,1734006,1734125,1734239,1734294,1734412,1734561,1734635,1734807,1734817,1734947,1734955,1734989,1735088,1735159,1735337,1735608-1735609,1735611,1735668,1735786,1735891,1735906,1735931,1735935,1735942,1735952,1736156,1736186,1736243,1736250,1736463,1736681,1736686,1737006,1737014,1737020-1737021,1737102,1737114,1737125,1737254,1737256,1737265,1737447,1737449,1737451,1737476,1738217,1738331,1738333,1738464,1738466,1738486,1738563,1738628,1738631,1738633,1738635,1739008,1739146,1739151,1739193,1739201,1739303,1739312,1739738,1739932,1740075,1740084,1740108,1740110,1740155,1740735,1740910,1740928,1740960,1740967,1740987,1740998,1741045,1741065,1741112,1741115,1741268,1741277,1741310,1741392,1741414,1741446,1741461,1741557,1741564,1741570,1741596,1741621,1741648,1741934,1742005,1742135,1742260,1742359,1742444-1742447,1742460,
> 1742697,1742791-1742792,1743335,1743512,1743517,1743699,1743788,1743816,1744203-1744204,1744206,1744283,1744415,1744421,1744458-1744459,1744712,1744751,1744767,1744778,1744980,1745034,1745039,1745175,1745767,1745835,1745863-1745864,1746207,1746647,1746988,1747170,1747469,1747531,1747550,1747735,1747808,1747810,1747946,1748047,1748155,1748368,1748448,1748531,1748653,1748888,1749151,1749401-1749404,1749505,1749658-1749659,1749676,1749678,1749695,1749924-1749925,1750043,1750218,1750335,1750392,1750407,1750412,1750416,1750420,1750474,1750494,1750507-1750508,1750553,1750567,1750750,1750779,1750854-1750855,1750947,1750955,1750960,1751970,1752087,1752096,1752145,1752331-1752333,1752347,1752415,1753167,1753224,1753228-1753229,1753257,1753315-1753316,1753498,1753541,1753592,1753594,1753777,1754129,1754164,1754391,1754399,1754414,1754534,1755323,1756038,1756542,1756553,1756611,1756631,1756844,1756846,1756848,1756852-1756853,1756976,1757009-1757011,1757029-1757031,1757061,1757147,1757524,17575
> 34,1757540,1757662-1757663,1757985,1758003,1758083,1758307-1758311,1758446,1758558,1759415,1759984,1760018,1761434,1761477,1761479,1761548,1761714,1761824,1762512,1762515,1762517,1762580,1762701-1762703,1762718,1762723,1762742-1762743,1763158,1763246,1763613,1764005,1764040,1764046,1764236,1764243,1764255,1765318,1765328,1765357,1765420,1766097,1766129,1766160,1766308,1766424,1766691,1766851,1766857,1766998,1767128,1767180-1767181,1767553,1767564,1767803,1767936,1768160,1768245,1769192,1769332,1769550,1769593,1769596,1769600,1769718,1770395,1770750,1770752,1770768,1770771,1770828,1770951,1770998,1771001,1771015,1771789,1771791,1771827,1772339,1772489,1772504,1772576,1772812-1772813,1772919,1773159,1773162,1773293,1773346,1773397,1773761,1773779,1773812,1773861-1773862,1773865,1774008,1774018,1774023,1774068-1774069,1774286,1774288,1774538,1774541,1774602,1774609,1775173,1775195,1775199,1775487,1775664,1775770,1775775,1775813,1775833,1775858,1775944,1775946,1776458-1776459,1776463,17
> 76575,1776578,1776624,1776627,1776674,1776734-1776735,1776738,1776740,1776956,1777160,1777324,1777354,1777460,1777556-1777557,1777593-1777594,1777672,1777923,1778268,1778319,1778331,1778350,1778630,1779077,1779091,1779111,1779354,1779459,1779525,1779528,1779573-1779574,1779623,1779699,1779738,1779743,1779896,1779972,1779979,1780095,1780159,1780308,1780328-1780329,1780576,1780596,1780598,1780725,1780971,1781030-1781031,1781187,1781190,1781304,1781312-1781313,1781324,1781328-1781329,1781509,1781516,1781575,1781577,1781580,1781687,1781701,1782164,1782166,1782193-1782194,1782323,1782418-1782419,1782482,1782532,1782875,1782944,1782958,1782975,1783056,1783305,1783722-1783723,1783764-1783765,1783770,1783842,1783849,1784002,1784203,1784205,1784227-1784228,1784275,1784318,1784366,1784372,1784571,1785115,1785672,1785683,1785752-1785753,1785871,1785907,1785943,1786009,1786110,1786119,1786512,1786575-1786576,1786715,1787051,1787053,1787141,1787525,1787553,1787604,1788032-1788033,1788040,1788430
> ,1788451,1788508,1788672,1788674,1788981,1788996,1788998,1789000,1789220-1789221,1789224,1789276,1789279,1789387,1789395,1789520,1789535,1789692,1789740,1789800,1790102,1790113,1790169,1790284,1790457,1790691,1790754,1790826-1790827,1790842,1790850,1790852-1790853,1790855,1790860,1790973,1790978,1791377,1791388,1791400,1791669,1791773,1791790,1791975,1792092,1792195,1792212,1792589,1792675,1793525,1793533,1793932,1794049,1795635,1795651,1795830,1795834,1795931,1796343,1796348,1796350,1796446,1796493,1796864,1797550,1797745,1797844,1798785,1799341,1799435,1799437,1799784,1799786,1800126,1800173,1800306,1800393,1800594,1800689,1800788,1800809,1800815,1800817,1800819,1800830,1800833,1800917,1800919,1800978,1801143-1801144,1801148,1801456,1801594,1801665,1801994-1801995,1802040,1802305,1802309,1802336,1802535,1802618,1802845,1802875,1803392,1803396,1803398,1803420,1803454,1804090,1804096,1804530-1804531,1804542,1804545,1804671,1804759,1804787,1804975,1805099,1805163,1805180,1805188,1805
> 190,1805192,1805194-1805195,1805206,1805256,1805294,1805322,1805373,1805490,1806939,1806985,1807228,1807238,1807347,1807577,1807593,1807655,1807774,1807777,1807876,1808005,1808008,1808014,1808085,1808092,1808100,1808230,1808241-1808243,1808249,1808444,1808671,1808723,1808746,1808780,1809028,1809135,1809209,1809273,1809302-1809303,1809305,1809311,1809314,1809713,1809719,1809881,1809888,1809973,1809976,1809981,1810088-1810089,1810358,1810362-1810363,1810365,1810447,1810723,1811082,1811192,1811285,1811540-1811541,1811569-1811570,1811649,1811664,1811744,1811812,1811976,1812004,1812075,1812193,1812263,1812301,1812307,1812332,1812517-1812518,1812756,1812999,1813116,1813642-1813643,1813991,1814118,1814465,1814719-1814720,1814939,1814968,1815004-1815005,1815078,1815264,1815370,1815483,1816055,1816110,1816154,1816156,1816179,1816534,1816552,1816558,1816619,1816919,1816922,1816970,1817023,1817131,1817175,1817598,1817777,1817785,1818013,1818040,1818120,1818122,1818278-1818280,1818308,1818624,1
> 818725,1818792,1818802,1818804,1818825,1818849,1818924,1818951,1818958,1818960,1819027,1819214,1819847-1819848,1819852-1819853,1819855,1819969-1819970,1820035,1820101,1820464,1820808-1820809,1821095,1821371,1821374,1821504-1821505,1821558,1821561-1821562,1821595,1821624-1821627,1821629,1821632,1821635,1821639,1821644,1821647-1821651,1821659-1821660,1821767,1822305,1822366-1822367,1822502-1822503,1822509,1822511,1822537,1822624,1822849,1822858,1822878-1822879,1822883,1822931,1823047,1823179,1823412,1823415-1823416,1823482,1823564,1823572,1823575,1823886,1824176,1824303,1824332,1824336,1824343,1824381,1824390,1824454,1824460,1824463-1824464,1824482,1824497,1824811,1824862,1824877,1824973,1825147,1825169,1825368,1825370,1825467,1825504,1826207,1826556,1826686-1826687,1826845,1826847,1826973,1826995,1827001,1827166,1827196,1827362,1827366,1827374,1827599,1827604,1827654,1827671,1827783,1827865,1828210,1828232,1828390,1828485,1828493,1828669,1828687,1828879,1828890,1828912,1828920,182892
> 6-1828927,1829038-1829039,1829513,1829557,1829573,1829645,1829657,1830523,1830562,1830744,1830746,1830943-1830944,1831231,1831591,1831772,1831800,1832198,1832200,1832277,1832280,1832317,1832351,1832500,1832580-1832581,1832934,1832937,1832951,1832991,1833014,1833827,1833875-1833876,1834012-1834013,1834209,1834226,1834318,1834470,1835094,1835118,1835287,1836095,1836154,1836276,1836287,1836381-1836383,1836386,1836469,1836603,1837130,1837357,1837588-1837590,1837595,1838937,1839780,1840010,1840582,1840776
> +/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,1201111,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
> 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,1301111,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
> ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341905-1341906,1341913,1341930,1342065,1343085,1343087,1343094,1343099,1343109,1343935,1344712,1345147,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1362707,1363035,1363183,1363186,1363312,1363440,1363557,1363589,1363829,1363832,1363836-1363837,1363853,1364133,1364138,1364229,1364601,1364695,1365001,1365020,1365029,1365479,1366319,1366344,1366621,1367778,1367819,1368053,1368058,1368094,1368121,1368131,1368393,1368396,1369419,1369568,1369
> 604,1369618,1369904,1369995,1369999,1370001,1370466,1370592,1370615-1370616,1370763,1371387,1371791,1371801,1371878,1371903,1373270,1373447,1373898,1373955,1374157,1374199,1374214,1374216,1374247,1374874,1374877,1374880,1375006,1375009,1375011,1375013,1375445,1375584,1376695,1376700,1378178,1383490,1384408,1384913,1386576,1386578,1386726,1386822,1386880,1386913,1387085,1387088,1387110,1387389,1387444,1387603,1387607,1387633,1387693,1387979,1388029,1388445,1388447,1388648,1388660,1388825,1388899,1389316,1389339,1389481,1389506,1389564,1389566-1389569,1390562,1390564,1391396,1391398,1391771,1392120,1392122,1392150,1392214,1392345-1392347,1392850,1393033,1393058,1393152,1393338,1393564,1394079,1395225,1395253-1395256,1395792,1396440,1397172,1397320,1397636,1397687,1397710,1397716,1398025,1398040,1398066,1398478,1398480-1398481,1398970,1399413,1399687,1399708,1400700,1401448,1402924,1403476,1403483,1403492,1404653,1405407,1405856,1405973,1406068,1406493,1406495,1406616,1406646,1406760,1
> 407004,1407006,1407085,1407088,1407248,1407381,1407459-1407460,1407528,1407853,1407965,1408093,1408402,1408958,1408961,1409170,1409437,1409726,1409800,1410681,1410954,1411862,1412278,1413732,1414094,1415008,1415023,1415075,1416121,1416150,1416278,1417197,1417440,1417529,1418524,1418556,1418648,1418655,1418703,1418721,1418752,1418761,1418765,1418769,1419084,1419719,1419726,1419755,1419781,1419796,1420120,1420124,1420149,1420184,1420644,1420685-1420686,1420975,1421288,1421323,1421851,1421912,1421953,1422135,1422549,1422594,1422712,1422855,1422937,1422943,1422980,1423353,1423933,1425360,1425771-1425772,1425775,1425777,1425874,1426850,1426975,1427546,1428184,1428280,1428916,1429228,1429559,1429561,1429564,1429582,1430575,1430814,1430869,1433001,1433613,1433682,1433861,1433988,1435178,1435811,1436058,1436401,1439083,1439106,1439114,1439404,1439623,1442309,1442320,1442326,1442412,1442759,1442865,1447993,1448171,1448453,1451478,1451484,1451633,1451830,1451849,1451905,1451921,1452128,145219
> 5,1452259,1452281,1452551,1452911,1452949,1452954,1453022,1453574,1453604,1453875-1453876,1453963,1453981,1454386,1454414-1454415,1454888,1457437,1457450,1457471,1457504,1457520-1457521,1457610,1457995,1458003-1458004,1458020,1458285,1458447,1458456,1462266,1462269,1462643,1463044-1463047,1463049,1463052,1463056,1463455,1463736,1463750,1463754,1464675,1464721,1464762,1465115-1465116,1465190,1467593,1467765,1468581,1470183,1470679,1470940,1471449,1475878,1476604,1476621,1476642,1476644-1476645,1476652,1476680,1477094,1477530,1478382,1478748,1479117,1479216,1479222,1479411,1479528,1479905,1479966,1480046,1480627,1481197,1481302,1481306,1481396-1481397,1481891,1482041,1482075,1482170,1482555,1482859,1482996,1483005,1483027,1483190,1484343,1484398,1484832,1484910,1484914,1485409,1485668,1486490,1487528,1487530,1487775,1488158,1488164,1488296,1488471,1488492,1488644,1490294,1490493,1490507,1490550,1490761,1490994,1491155,1491221,1491234,1491458,1491479,1491538,1491564,1491724,1492395,149
> 2663,1492710,1492782,1493257,1493330,1493921,1493925,1494532,1494536,1495501,1496194,1496338,1496429,1496709,1497371,1497588,1498880,1499679,1500323,1500345,1500362,1500423,1500437,1500483,1500519,1501294,1501369,1501399,1501827,1501913,1502665,1502772,1503680,1503866,1503990-1503991,1504276,1506474,1506714,1509872,1509983,1510084-1510085,1510098,1510295,1510588,1510707,1511093,1513492,1513508,1514039,1514064,1514214-1514215,1514255,1514267,1514617,1515050,1515162,1515403,1515411,1515420,1517025,1517045,1517175,1517366,1517386,1517388,1518265,1518269,1519475,1520368,1520445,1520760,1520908,1521909,1523235,1523239,1523281,1523387,1524101,1524158,1524192,1524368,1524388,1524770,1525276,1525280-1525281,1525931,1526168,1526189,1526647,1526666,1527008,1527220,1527291,1527294-1527295,1527509,1527925-1527926,1528143,1528718,1529014,1529277,1529449,1529559,1529988,1529991,1530793,1531340,1531370,1531505,1531672,1531961-1531962,1532281,1532289,1532746,1532816,1533065,1533224,1533810,1533935,
> 1534321,1534754,1534890,1534892,1534895-1534896,1534914,1536310,1537535,1537718,1538490,1540051-1540052,1541181,1541270,1541368,1542338,1542379,1542533,1542562,1542615,1543020,1543147,1543149,1543174,1544381,1544774,1544784,1544812,1544820,1545286,1545292,1545325,1545364,1545408,1545411,1546692-1546693,1546730,1546759-1546760,1546801,1546804-1546805,1546835-1546836,1546860,1547845,1550061,1550302,1550307,1551611,1551685,1551714,1551802,1552130,1552227,1553204,1553824,1554161,1554168,1554170,1554175-1554176,1554179,1554181,1554184,1554188,1554192,1554195,1554276,1554281,1554300-1554301,1554994-1554995,1555240,1555259,1555266,1555423-1555424,1555463-1555464,1555467,1555555,1555569,1555631,1556206,1556428,1556473,1556911-1556912,1556914,1556937,1557317,1557617,1558483,1559351,1559828,1560367,1560546,1560679,1560689,1560729,1560977,1560979,1561137,1561262,1561385,1561660,1561923,1562472,1563193,1563379,1563381,1563417-1563418,1563420,1564052,1564437,1564475,1564756,1564760,1565081,15657
> 11,1568404,1569615,1570288,1570598,1571369,1572092,1572198,1572543,1572561,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572905,1572911,1572967,1573224,1573229,1573626,1574151,1575400,1576233,1576741,1578760,1578762,1580568,1580928,1580935,1583005,1583007-1583008,1583027,1583175,1583191,1584098,1584417,1584430,1584434,1584572,1584653,1584658,1584665,1584703,1584878,1584884,1584896,1585054,1585072,1585090,1585157,1585435,1585609,1585824,1585918-1585919,1586745,1586827,1587036,1587040,1587053,1587255,1587594,1587607,1587639,1587654,1588054,1588065,1588213,1588330,1588427,1588519,1588527,1588704,1588806,1588851,1588853,1588868,1589413,1590437,1590509,1591143,1591320,1591322,1591328,1591390,1591394,1591401,1591472,1591508,1592032,1592037,1592500,1592511,1592514,1592529,1592615,1592632,1593745,1594625,1594643,1594648,1595305,1595321,1595426,1597182,1597349,1597352,1597533,1597639,1597642,1598107,1598946,1599012,1599535,1601076,1601184-1601185,1601274,1601291,1601559,1601624,16
> 01630,1601919,1601995,1602338,1602978,1602989,1603027,1603029,1603122,1603156,1603915,1604382,1604461,1604631,1605207,1605328,1605827,1605829,1607960,1608284,1608785,1608999,1609914,1609936,1609938,1610207,1610311,1610353,1610366,1610491,1610652,1610674,1611165,1611169,1611244,1611600,1611871,1611978,1612068,1615026,1615289,1617018,1617913,1618401,1618541,1618555,1619297,1619383,1619444,1619483,1619835,1620324,1620461,1620932,1621367,1621372,1621417,1621453,1621806,1622450,1624234,1624349,1625196,1625952,1626050,1626956,1626978,1628104,1628388,1628918-1628919,1628924,1628950,1629235,1629239,1629244,1629250,1629372,1629440-1629441,1629485,1629507-1629508,1629519,1629576-1629577,1629652,1629916,1631885,1632454,1632740,1632742,1633730-1633731,1633793,1634120,1634237,1634425,1634736,1634836,1635510,1635558,1635644-1635645,1635762,1637112,1638072-1638073,1638879,1639614,1640031,1640036,1640040,1640042,1640331,1641077,1641095,1641376,1642099,1642484,1642499,1642847,1642868,1643034,1643279
> ,1643284,1643537,1643825,1644245,1646282,1646724,1647035,1648201,1648394,1648433,1648719,1648840,1649001,1649043,1649491,1649632,1649966,1650047,1650061,1650309-1650310,1650320,1651088,1652829,1652929,1652931,1652955,1652982,1652985,1652989,1653941,1653978,1653997,1656225,1656549,1656669,1657256,1657261,1657636,1657638,1657685,1657881,1657897,1658760,1658765,1661067,1661258,1661448,1661464,1661486,1662245-1662246,1662437,1663017,1663647,1664071,1664133,1664205,1664299,1664565,1664709,1665215-1665216,1665218,1665625,1665643,1665721,1666297,1666361,1666363,1666415,1666417,1666468,1666617-1666618,1666998,1667385-1667386,1667676,1667707,1668532,1668535,1668553,1669130,1669289,1669292,1670434,1671364,1671396-1671397,1671918,1672289,1672453,1672466,1672480,1672483,1672564,1672757,1672985,1672989,1673113,1673155,1673368,1673455,1673769,1674056,1674538,1674542,1674606,1674632,1674697,1675103,1675410,1675533,1676085,1676654,1676709,1676842,1677096,1677143-1677146,1677149,1677151,1677153-1677
> 156,1677159,1677339,1677462,1677702,1677830,1677832,1677834-1677835,1678763,1679032,1679181-1679182,1679192,1679428,1679432,1679470,1679620,1679712,1680276,1680895,1680900,1680942,1681037,1681424,1681440,1681685,1681694,1681795,1682482,1682816,1682819,1682907,1682923,1682937,1682979,1682988,1683044,1683047,1683123,1683881,1683884,1684057,1684171,1684636,1684900,1685069,1685339,1685345,1685347,1685349-1685350,1685650,1685659,1685779,1686085,1686853,1686856,1687539,1687680,1687980,1688274,1688331,1688339-1688341,1688343,1688399,1688474-1688475,1688536,1688538,1688660,1689325,1689605,1689694,1689698,1690120,1690137,1690248,1691374,1691582,1691592,1691819,1691908,1692285,1692432,1692486,1692516,1693792,1693918-1693919,1693963,1694903,1694936,1694950-1694951,1695170,1695727,1695874,1695885,1695920,1696105,1696264,1696266,1696279,1696428,1696442,1696565,1696592,1696607,1696755,1696881,1697013,1697015,1697051,1697323,1697339,1697370,1697389,1697446,1697543,1697634,1697855,1698023,1698103,1
> 698107,1698116,1698133,1698330,1698334,1700271,1700275,1700317-1700322,1700326,1700328,1700330-1700332,1700334,1700336,1700338,1700418,1700514,1700777,1700851,1700917,1700925,1700968,1701005,1701145,1701178,1701204,1701347,1701436,1701545,1701717,1702643,1702919,1702948,1703152,1703241,1703248,1703417,1703642,1703807,1703813,1703822,1703871,1703902,1703952,1704099,1704241,1704262,1704797,1704799,1704826,1705099,1705134,1705194,1705217,1705257,1705749,1705776,1705823,1705826,1705828,1705833,1705922,1705983,1706275,1706523,1706595,1706627,1706635,1706637,1706640,1706918,1706942,1706989,1707002,1707230-1707231,1707497,1707512,1707519,1707591,1707626-1707627,1707640,1707831,1707883,1707889,1708107,1709008,1709587,1709596,1709602,1709995,1710095,1710105,1710231,1710380,1710391,1710403,1710419,1710572,1710583,1710723,1711479,1711553,1711648,1711728,1711902,1712382,1713040,1713043,1713209,1713937,1715023,1715255,1715273,1715567-1715568,1715570-1715572,1715576,1715581-1715585,1715886,171621
> 1,1716388,1716460,1716487,1716660,1716940,1717063,1717086,1717639,1717816,1717934,1717958,1717975,1717985,1718314,1718338,1718400,1718476,1718496,1718514,1718556,1718569,1718598,1719016,1719018,1719189-1719190,1719252,1719254-1719255,1719257,1719967,1720129,1720996,1721313,1721685,1721899,1722137,1722154,1722177,1722195,1722229,1722320,1722328,1722334,1722350-1722351,1722358,1722377,1722572,1722701,1723122,1723143,1723284,1723295,1723522,1723567,1723953,1724847,1724857,1724879,1724992-1724993,1724995,1725018,1725031,1725090,1725120,1725149,1725325,1725328,1725387,1725392,1725394-1725395,1725445,1725468,1725485,1725489,1725498-1725499,1725516,1725523,1725545,1725567,1725581,1725602,1725822,1725940,1725967,1726009,1726026,1726038,1726049,1726051-1726052,1726055,1726086,1726167,1726233,1726675,1726705,1726798,1726881,1726888,1727071,1727111,1727317,1727544,1727573,1727603,1727842,1728326,1728804,1729208,1729235,1729374,1729376,1729826,1729847,1729929-1729931,1729960,1730079,1730297,173
> 0640,1730723,1730865,1731929,1732228,1732252,1732353,1732369,1732716,1732954,1732986,1733056,1733064,1733068,1733088-1733089,1733275,1733523,1733537-1733538,1733691,1734006,1734125,1734239,1734294,1734412,1734561,1734635,1734807,1734817,1734947,1734955,1734989,1735088,1735159,1735337,1735608-1735609,1735611,1735668,1735786,1735891,1735906,1735931,1735935,1735942,1735952,1736156,1736186,1736243,1736250,1736463,1736681,1736686,1737006,1737014,1737020-1737021,1737102,1737114,1737125,1737254,1737256,1737265,1737447,1737449,1737451,1737476,1738217,1738331,1738333,1738464,1738466,1738486,1738563,1738628,1738631,1738633,1738635,1739008,1739146,1739151,1739193,1739201,1739303,1739312,1739738,1739932,1740075,1740084,1740108,1740110,1740155,1740735,1740910,1740928,1740960,1740967,1740987,1740998,1741045,1741065,1741112,1741115,1741268,1741277,1741310,1741392,1741414,1741446,1741461,1741557,1741564,1741570,1741596,1741621,1741648,1741934,1742005,1742135,1742260,1742359,1742444-1742447,1742460,
> 1742697,1742791-1742792,1743335,1743512,1743517,1743699,1743788,1743816,1744203-1744204,1744206,1744283,1744415,1744421,1744458-1744459,1744712,1744751,1744767,1744778,1744980,1745034,1745039,1745175,1745767,1745835,1745863-1745864,1746207,1746647,1746988,1747170,1747469,1747531,1747550,1747735,1747808,1747810,1747946,1748047,1748155,1748368,1748448,1748531,1748653,1748888,1749151,1749401-1749404,1749505,1749658-1749659,1749676,1749678,1749695,1749924-1749925,1750043,1750218,1750335,1750392,1750407,1750412,1750416,1750420,1750474,1750494,1750507-1750508,1750553,1750567,1750750,1750779,1750854-1750855,1750947,1750955,1750960,1751970,1752087,1752096,1752145,1752331-1752333,1752347,1752415,1753167,1753224,1753228-1753229,1753257,1753315-1753316,1753498,1753541,1753592,1753594,1753777,1754129,1754164,1754391,1754399,1754414,1754534,1755323,1756038,1756542,1756553,1756611,1756631,1756844,1756846,1756848,1756852-1756853,1756976,1757009-1757011,1757029-1757031,1757061,1757147,1757524,17575
> 34,1757540,1757662-1757663,1757985,1758003,1758083,1758307-1758311,1758446,1758558,1759415,1759984,1760018,1761434,1761477,1761479,1761548,1761714,1761824,1762512,1762515,1762517,1762580,1762701-1762703,1762718,1762723,1762742-1762743,1763158,1763246,1763613,1764005,1764040,1764046,1764236,1764243,1764255,1765318,1765328,1765357,1765420,1766097,1766129,1766160,1766308,1766424,1766691,1766851,1766857,1766998,1767128,1767180-1767181,1767553,1767564,1767803,1767936,1768160,1768245,1769192,1769332,1769550,1769593,1769596,1769600,1769718,1770395,1770750,1770752,1770768,1770771,1770828,1770951,1770998,1771001,1771015,1771789,1771791,1771827,1772339,1772489,1772504,1772576,1772812-1772813,1772919,1773159,1773162,1773293,1773346,1773397,1773761,1773779,1773812,1773861-1773862,1773865,1774008,1774018,1774023,1774068-1774069,1774286,1774288,1774538,1774541,1774602,1774609,1775173,1775195,1775199,1775487,1775664,1775770,1775775,1775813,1775833,1775858,1775944,1775946,1776458-1776459,1776463,17
> 76575,1776578,1776624,1776627,1776674,1776734-1776735,1776738,1776740,1776956,1777160,1777324,1777354,1777460,1777556-1777557,1777593-1777594,1777672,1777923,1778268,1778319,1778331,1778350,1778630,1779077,1779091,1779111,1779354,1779459,1779525,1779528,1779573-1779574,1779623,1779699,1779738,1779743,1779896,1779972,1779979,1780095,1780159,1780308,1780328-1780329,1780576,1780596,1780598,1780725,1780971,1781030-1781031,1781187,1781190,1781304,1781312-1781313,1781324,1781328-1781329,1781509,1781516,1781575,1781577,1781580,1781687,1781701,1782164,1782166,1782193-1782194,1782323,1782418-1782419,1782482,1782532,1782875,1782944,1782958,1782975,1783056,1783305,1783722-1783723,1783764-1783765,1783770,1783842,1783849,1784002,1784203,1784205,1784227-1784228,1784275,1784318,1784366,1784372,1784571,1785115,1785672,1785683,1785752-1785753,1785871,1785907,1785943,1786009,1786110,1786119,1786512,1786575-1786576,1786715,1787051,1787053,1787141,1787525,1787553,1787604,1788032-1788033,1788040,1788430
> ,1788451,1788508,1788672,1788674,1788981,1788996,1788998,1789000,1789220-1789221,1789224,1789276,1789279,1789387,1789395,1789520,1789535,1789692,1789740,1789800,1790102,1790113,1790169,1790284,1790457,1790691,1790754,1790826-1790827,1790842,1790850,1790852-1790853,1790855,1790860,1790973,1790978,1791377,1791388,1791400,1791669,1791773,1791790,1791975,1792092,1792195,1792212,1792589,1792675,1793525,1793533,1793932,1794049,1795635,1795651,1795830,1795834,1795931,1796343,1796348,1796350,1796446,1796493,1796864,1797550,1797745,1797844,1798785,1799341,1799435,1799437,1799784,1799786,1800126,1800173,1800306,1800393,1800594,1800689,1800788,1800809,1800815,1800817,1800819,1800830,1800833,1800917,1800919,1800978,1801143-1801144,1801148,1801456,1801594,1801665,1801994-1801995,1802040,1802305,1802309,1802336,1802535,1802618,1802845,1802875,1803392,1803396,1803398,1803420,1803454,1804090,1804096,1804530-1804531,1804542,1804545,1804671,1804759,1804787,1804975,1805099,1805163,1805180,1805188,1805
> 190,1805192,1805194-1805195,1805206,1805256,1805294,1805322,1805373,1805490,1806939,1806985,1807228,1807238,1807347,1807577,1807593,1807655,1807774,1807777,1807876,1808005,1808008,1808014,1808085,1808092,1808100,1808230,1808241-1808243,1808249,1808444,1808671,1808723,1808746,1808780,1809028,1809135,1809209,1809273,1809302-1809303,1809305,1809311,1809314,1809713,1809719,1809881,1809888,1809973,1809976,1809981,1810088-1810089,1810358,1810362-1810363,1810365,1810447,1810723,1811082,1811192,1811285,1811540-1811541,1811569-1811570,1811649,1811664,1811744,1811812,1811976,1812004,1812075,1812193,1812263,1812301,1812307,1812332,1812517-1812518,1812756,1812999,1813116,1813642-1813643,1813991,1814118,1814465,1814719-1814720,1814939,1814968,1815004-1815005,1815078,1815264,1815370,1815483,1816055,1816110,1816154,1816156,1816179,1816534,1816552,1816558,1816619,1816919,1816922,1816970,1817023,1817131,1817175,1817598,1817777,1817785,1818013,1818040,1818120,1818122,1818278-1818280,1818308,1818624,1
> 818725,1818792,1818802,1818804,1818825,1818849,1818924,1818951,1818958,1818960,1819027,1819214,1819847-1819848,1819852-1819853,1819855,1819969-1819970,1820035,1820101,1820464,1820808-1820809,1821095,1821371,1821374,1821504-1821505,1821558,1821561-1821562,1821595,1821624-1821627,1821629,1821632,1821635,1821639,1821644,1821647-1821651,1821659-1821660,1821767,1822305,1822366-1822367,1822502-1822503,1822509,1822511,1822537,1822624,1822849,1822858,1822878-1822879,1822883,1822931,1823047,1823179,1823412,1823415-1823416,1823482,1823564,1823572,1823575,1823886,1824176,1824303,1824332,1824336,1824343,1824381,1824390,1824454,1824460,1824463-1824464,1824482,1824497,1824811,1824862,1824877,1824973,1825147,1825169,1825368,1825370,1825467,1825504,1826207,1826556,1826686-1826687,1826845,1826847,1826973,1826995,1827001,1827166,1827196,1827362,1827366,1827374,1827599,1827604,1827654,1827671,1827783,1827865,1827912,1827924,1827992,1828210,1828222,1828232,1828390,1828485,1828493,1828669,1828687,182872
> 0,1828723,1828790-1828792,1828879,1828890,1828912,1828920,1828926-1828927,1829038-1829039,1829513,1829557,1829573,1829645,1829657,1830523,1830562,1830744,1830746,1830943-1830944,1831231,1831591,1831772,1831800,1832198,1832200,1832277,1832280,1832317,1832351,1832500,1832580-1832581,1832934,1832937,1832951,1832991,1833014,1833588-1833589,1833827,1833875-1833876,1834012-1834013,1834209,1834226,1834318,1834470,1835094,1835118,1835287,1836095,1836154,1836276,1836287,1836381-1836383,1836386,1836469,1836603,1837130,1837357,1837588-1837590,1837595,1838937,1839780,1839920,1839946,1840010,1840582,1840585,1840710,1840776,1841218
>
> Modified: httpd/httpd/branches/2.4.x/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 21 12:14:05 2018
> @@ -1,6 +1,19 @@
> -*- coding: utf-8 -*-
> Changes with Apache 2.4.36
>
> + *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9.
> + SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
> + Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
> + Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
> + as this would need to trigger the master connection thread - which we do not support
> + right now.
> + Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
> + does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
> + TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
> + Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they
> + can match their needs onto the TLSv1.3 protocol.
> + [Yann Ylavic, Stefan Eissing]
> +
> *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
> should be accepted after the authorization scheme. \t are also tolerated.
> [Christophe Jaillet]
>
> Modified: httpd/httpd/branches/2.4.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/STATUS (original)
> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 21 12:14:05 2018
> @@ -124,26 +124,6 @@ RELEASE SHOWSTOPPERS:
> PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
> [ start all new proposals below, under PATCHES PROPOSED. ]
>
> - *) Add TLSv1.3 support to mod_ssl:
> - trunk: http://svn.apache.org/r1839946
> - http://svn.apache.org/r1839920
> - http://svn.apache.org/r1833589
> - http://svn.apache.org/r1833588
> - http://svn.apache.org/r1828723
> - http://svn.apache.org/r1828720
> - http://svn.apache.org/r1828222
> - http://svn.apache.org/r1827992
> - http://svn.apache.org/r1827924
> - http://svn.apache.org/r1827912
> - http://svn.apache.org/r1828790
> - http://svn.apache.org/r1828791
> - http://svn.apache.org/r1828792
> - http://svn.apache.org/r1840585
> - http://svn.apache.org/r1840710
> - http://svn.apache.org/r1841218
> - 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x
> - +1: icing, jorton, minfrin (tested on openssl-1.0.2j and openssl-1.1.1)
> -
>
>
> PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>
> Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
> +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Fri Sep 21 12:14:05 2018
> @@ -654,6 +654,11 @@ The available (case-insensitive) <em>pro
> A revision of the TLS 1.1 protocol, as defined in
> <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
>
> +<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later)
> + <p>
> + A new version of the TLS protocol, as defined in
> + <a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li>
> +
> <li><code>all</code>
> <p>
> This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
> @@ -674,7 +679,7 @@ SSLProtocol TLSv1
> <name>SSLCipherSuite</name>
> <description>Cipher Suite available for negotiation in SSL
> handshake</description>
> -<syntax>SSLCipherSuite <em>cipher-spec</em></syntax>
> +<syntax>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
> <default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
> <contextlist><context>server config</context>
> <context>virtual host</context>
> @@ -686,12 +691,25 @@ handshake</description>
> <p>
> This complex directive uses a colon-separated <em>cipher-spec</em> string
> consisting of OpenSSL cipher specifications to configure the Cipher Suite the
> -client is permitted to negotiate in the SSL handshake phase. Notice that this
> -directive can be used both in per-server and per-directory context. In
> -per-server context it applies to the standard SSL handshake when a connection
> +client is permitted to negotiate in the SSL handshake phase. The optional
> +protocol specifier can configure the Cipher Suite for a specific SSL version.
> +Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2.
> +<p>
> +Notice that this
> +directive can be used both in per-server and per-directory context.
> +In per-server context it applies to the standard SSL handshake when a connection
> is established. In per-directory context it forces a SSL renegotiation with the
> reconfigured Cipher Suite after the HTTP request was read but before the HTTP
> -response is sent.</p>
> +response is sent. (Since renegotiation is not</p>
> +<p>
> +If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol
> +specifier "TLSv1.3" can be used to configure the cipher suites for that protocol.
> +Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in
> +a directory context is not allowed.</p>
> +<p>
> +For a list of TLSv1.3 cipher names, see
> +<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL
> +documentation</a>.</p>
> <p>
> An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
> attributes plus a few extra minor ones:</p>
> @@ -2063,7 +2081,7 @@ for additional information.
> <name>SSLProxyCipherSuite</name>
> <description>Cipher Suite available for negotiation in SSL
> proxy handshake</description>
> -<syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax>
> +<syntax>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
> <default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default>
> <contextlist><context>server config</context> <context>virtual host</context>
> <context>proxy section</context></contextlist>
>
> Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Fri Sep 21 12:14:05 2018
> @@ -93,9 +93,9 @@ static const command_rec ssl_config_cmds
> SSL_CMD_SRV(FIPS, FLAG,
> "Enable FIPS-140 mode "
> "(`on', `off')")
> - SSL_CMD_ALL(CipherSuite, TAKE1,
> - "Colon-delimited list of permitted SSL Ciphers "
> - "('XXX:...:XXX' - see manual)")
> + SSL_CMD_ALL(CipherSuite, TAKE12,
> + "Colon-delimited list of permitted SSL Ciphers, optional preceeded "
> + "by protocol identifier ('XXX:...:XXX' - see manual)")
> SSL_CMD_SRV(CertificateFile, TAKE1,
> "SSL Server Certificate file "
> "('/path/to/file' - PEM or DER encoded)")
> @@ -185,9 +185,9 @@ static const command_rec ssl_config_cmds
> SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
> "SSL Proxy: enable or disable SSL protocol flavors "
> "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
> - SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
> + SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
> "SSL Proxy: colon-delimited list of permitted SSL ciphers "
> - "('XXX:...:XXX' - see manual)")
> + ", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)")
> SSL_CMD_PXY(ProxyVerify, TAKE1,
> "SSL Proxy: whether to verify the remote certificate "
> "('on' or 'off')")
> @@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_
> /* We must register the library in full, to ensure our configuration
> * code can successfully test the SSL environment.
> */
> -#if MODSSL_USE_OPENSSL_PRE_1_1_API
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
> (void)CRYPTO_malloc_init();
> #else
> OPENSSL_malloc_init();
>
> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Fri Sep 21 12:14:05 2018
> @@ -136,6 +136,7 @@ static void modssl_ctx_init(modssl_ctx_t
> mctx->auth.cipher_suite = NULL;
> mctx->auth.verify_depth = UNSET;
> mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
> + mctx->auth.tls13_ciphers = NULL;
>
> mctx->ocsp_mask = UNSET;
> mctx->ocsp_force_default = UNSET;
> @@ -280,6 +281,7 @@ static void modssl_ctx_cfg_merge(apr_poo
> cfgMergeString(auth.cipher_suite);
> cfgMergeInt(auth.verify_depth);
> cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
> + cfgMergeString(auth.tls13_ciphers);
>
> cfgMergeInt(ocsp_mask);
> cfgMergeBool(ocsp_force_default);
> @@ -761,22 +763,37 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
>
> const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
> void *dcfg,
> - const char *arg)
> + const char *arg1, const char *arg2)
> {
> SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
>
> - /* always disable null and export ciphers */
> - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
> -
> - if (cmd->path) {
> - dc->szCipherSuite = arg;
> + if (arg2 == NULL) {
> + arg2 = arg1;
> + arg1 = "SSL";
> }
> - else {
> - sc->server->auth.cipher_suite = arg;
> +
> + if (!strcmp("SSL", arg1)) {
> + /* always disable null and export ciphers */
> + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
> + if (cmd->path) {
> + dc->szCipherSuite = arg2;
> + }
> + else {
> + sc->server->auth.cipher_suite = arg2;
> + }
> + return NULL;
> }
> -
> - return NULL;
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + else if (!strcmp("TLSv1.3", arg1)) {
> + if (cmd->path) {
> + return "TLSv1.3 ciphers cannot be set inside a directory context";
> + }
> + sc->server->auth.tls13_ciphers = arg2;
> + return NULL;
> + }
> +#endif
> + return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
> }
>
> #define SSL_FLAGS_CHECK_FILE \
> @@ -1445,6 +1462,9 @@ static const char *ssl_cmd_protocol_pars
> else if (strcEQ(w, "TLSv1.2")) {
> thisopt = SSL_PROTOCOL_TLSV1_2;
> }
> + else if (SSL_HAVE_PROTOCOL_TLSV1_3 && strcEQ(w, "TLSv1.3")) {
> + thisopt = SSL_PROTOCOL_TLSV1_3;
> + }
> #endif
> else if (strcEQ(w, "all")) {
> thisopt = SSL_PROTOCOL_ALL;
> @@ -1506,16 +1526,28 @@ const char *ssl_cmd_SSLProxyProtocol(cmd
>
> const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
> void *dcfg,
> - const char *arg)
> + const char *arg1, const char *arg2)
> {
> SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
> -
> - /* always disable null and export ciphers */
> - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
> -
> - dc->proxy->auth.cipher_suite = arg;
> -
> - return NULL;
> +
> + if (arg2 == NULL) {
> + arg2 = arg1;
> + arg1 = "SSL";
> + }
> +
> + if (!strcmp("SSL", arg1)) {
> + /* always disable null and export ciphers */
> + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
> + dc->proxy->auth.cipher_suite = arg2;
> + return NULL;
> + }
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + else if (!strcmp("TLSv1.3", arg1)) {
> + dc->proxy->auth.tls13_ciphers = arg2;
> + return NULL;
> + }
> +#endif
> + return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
> }
>
> const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
>
> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Fri Sep 21 12:14:05 2018
> @@ -568,6 +568,9 @@ static apr_status_t ssl_init_ctx_protoco
> #ifdef HAVE_TLSV1_X
> (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
> (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + (protocol & SSL_PROTOCOL_TLSV1_3 ? "TLSv1.3, " : ""),
> +#endif
> #endif
> NULL);
> cp[strlen(cp)-2] = NUL;
> @@ -600,6 +603,13 @@ static apr_status_t ssl_init_ctx_protoco
> TLSv1_2_client_method() : /* proxy */
> TLSv1_2_server_method(); /* server */
> }
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + else if (protocol == SSL_PROTOCOL_TLSV1_3) {
> + method = mctx->pkp ?
> + TLSv1_3_client_method() : /* proxy */
> + TLSv1_3_server_method(); /* server */
> + }
> +#endif
> #endif
> else { /* For multiple protocols, we need a flexible method */
> method = mctx->pkp ?
> @@ -617,7 +627,8 @@ static apr_status_t ssl_init_ctx_protoco
>
> SSL_CTX_set_options(ctx, SSL_OP_ALL);
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
> /* always disable SSLv2, as per RFC 6176 */
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
>
> @@ -639,10 +650,19 @@ static apr_status_t ssl_init_ctx_protoco
> if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
> SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
> }
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
> + protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
> +#endif
> #endif
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> + prot = TLS1_3_VERSION;
> + } else
> +#endif
> if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> @@ -664,6 +684,11 @@ static apr_status_t ssl_init_ctx_protoco
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> + prot = TLS1_2_VERSION;
> + }
> +#endif
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
> @@ -736,6 +761,13 @@ static apr_status_t ssl_init_ctx_protoco
> SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
> #endif
>
> +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
> + /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible
> + * to consume handshake records without blocking for app-data.
> + * https://github.com/openssl/openssl/issues/7178 */
> + SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
> +#endif
> +
> return APR_SUCCESS;
> }
>
> @@ -888,7 +920,15 @@ static apr_status_t ssl_init_ctx_cipher_
> ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
> return ssl_die(s);
> }
> -
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + if (mctx->auth.tls13_ciphers
> + && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
> + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
> + "Unable to configure permitted TLSv1.3 ciphers");
> + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
> + return ssl_die(s);
> + }
> +#endif
> return APR_SUCCESS;
> }
>
> @@ -1452,6 +1492,13 @@ static apr_status_t ssl_init_proxy_certs
> X509_STORE_CTX *sctx;
> X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
>
> +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
> + /* For OpenSSL >=1.1.1, turn on client cert support which is
> + * otherwise turned off by default (by design).
> + * https://github.com/openssl/openssl/issues/6933 */
> + SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
> +#endif
> +
> SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
> ssl_callback_proxy_cert);
>
>
> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Fri Sep 21 12:14:05 2018
> @@ -188,6 +188,12 @@ static int ssl_auth_compatible(modssl_au
> || strcmp(a1->cipher_suite, a2->cipher_suite))) {
> return 0;
> }
> + /* both have the same ca cipher suite string */
> + if ((a1->tls13_ciphers != a2->tls13_ciphers)
> + && (!a1->tls13_ciphers || !a2->tls13_ciphers
> + || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
> + return 0;
> + }
> return 1;
> }
>
> @@ -424,87 +430,70 @@ static void ssl_configure_env(request_re
> }
> }
>
> -/*
> - * Access Handler
> - */
> -int ssl_hook_Access(request_rec *r)
> +static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc,
> + SSLDirConfigRec *dc, SSLConnRec *sslconn,
> + SSL *ssl)
> {
> - SSLDirConfigRec *dc = myDirConfig(r);
> - SSLSrvConfigRec *sc = mySrvConfig(r->server);
> - SSLConnRec *sslconn = myConnConfig(r->connection);
> - SSL *ssl = sslconn ? sslconn->ssl : NULL;
> - server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
> - SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
> - SSL_CTX *ctx = NULL;
> - apr_array_header_t *requires;
> - ssl_require_t *ssl_requires;
> - int ok, i;
> - BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
> X509 *cert;
> - X509 *peercert;
> - X509_STORE *cert_store = NULL;
> - X509_STORE_CTX *cert_store_ctx;
> - STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
> - const SSL_CIPHER *cipher = NULL;
> - int depth, verify_old, verify, n, is_slave = 0;
> - const char *ncipher_suite;
> -
> - /* On a slave connection, we do not expect to have an SSLConnRec, but
> - * our master connection might have one. */
> - if (!(sslconn && ssl) && r->connection->master) {
> - sslconn = myConnConfig(r->connection->master);
> - ssl = sslconn ? sslconn->ssl : NULL;
> - handshakeserver = sslconn ? sslconn->server : NULL;
> - hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
> - is_slave = 1;
> - }
>
> - if (ssl) {
> - /*
> - * We should have handshaken here (on handshakeserver),
> - * otherwise we are being redirected (ErrorDocument) from
> - * a renegotiation failure below. The access is still
> - * forbidden in the latter case, let ap_die() handle
> - * this recursive (same) error.
> - */
> - if (!SSL_is_init_finished(ssl)) {
> - return HTTP_FORBIDDEN;
> + /*
> + * Remember the peer certificate's DN
> + */
> + if ((cert = SSL_get_peer_certificate(ssl))) {
> + if (sslconn->client_cert) {
> + X509_free(sslconn->client_cert);
> }
> - ctx = SSL_get_SSL_CTX(ssl);
> + sslconn->client_cert = cert;
> + sslconn->client_dn = NULL;
> }
> -
> +
> /*
> - * Support for SSLRequireSSL directive
> + * Finally check for acceptable renegotiation results
> */
> - if (dc->bSSLRequired && !ssl) {
> - if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) {
> - /* This vhost was configured for optional SSL, just tell the
> - * client that we need to upgrade.
> - */
> - apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
> - apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
> + if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
> + (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
> + BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
> + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
> +
> + if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
> + "Re-negotiation handshake failed: "
> + "Client verification failed");
>
> - return HTTP_UPGRADE_REQUIRED;
> + return HTTP_FORBIDDEN;
> }
>
> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
> - "access to %s failed, reason: %s",
> - r->filename, "SSL connection required");
> -
> - /* remember forbidden access for strict require option */
> - apr_table_setn(r->notes, "ssl-access-forbidden", "1");
> + if (do_verify) {
> + if (cert == NULL) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
> + "Re-negotiation handshake failed: "
> + "Client certificate missing");
>
> - return HTTP_FORBIDDEN;
> + return HTTP_FORBIDDEN;
> + }
> + }
> }
> + return OK;
> +}
>
> - /*
> - * Check to see whether SSL is in use; if it's not, then no
> - * further access control checks are relevant. (the test for
> - * sc->enabled is probably strictly unnecessary)
> - */
> - if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
> - return DECLINED;
> - }
> +/*
> + * Access Handler, classic flavour, for SSL/TLS up to v1.2
> + * where everything can be renegotiated and no one is happy.
> + */
> +static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
> + SSLConnRec *sslconn, SSL *ssl)
> +{
> + server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
> + SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
> + SSL_CTX *ctx = NULL;
> + BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
> + X509 *peercert;
> + X509_STORE *cert_store = NULL;
> + X509_STORE_CTX *cert_store_ctx;
> + STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
> + const SSL_CIPHER *cipher = NULL;
> + int depth, verify_old, verify, n, rc;
> + const char *ncipher_suite;
>
> #ifdef HAVE_SRP
> /*
> @@ -581,7 +570,7 @@ int ssl_hook_Access(request_rec *r)
> }
>
> /* configure new state */
> - if (is_slave) {
> + if (r->connection->master) {
> /* TODO: this categorically fails changed cipher suite settings
> * on slave connections. We could do better by
> * - create a new SSL* from our SSL_CTX and set cipher suite there,
> @@ -659,7 +648,7 @@ int ssl_hook_Access(request_rec *r)
> }
>
> if (renegotiate) {
> - if (is_slave) {
> + if (r->connection->master) {
> /* The request causes renegotiation on a slave connection.
> * This is not allowed since we might have concurrent requests
> * on this connection.
> @@ -732,7 +721,7 @@ int ssl_hook_Access(request_rec *r)
> (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
> {
> renegotiate = TRUE;
> - if (is_slave) {
> + if (r->connection->master) {
> /* The request causes renegotiation on a slave connection.
> * This is not allowed since we might have concurrent requests
> * on this connection.
> @@ -883,6 +872,7 @@ int ssl_hook_Access(request_rec *r)
>
> if (renegotiate_quick) {
> STACK_OF(X509) *cert_stack;
> + X509 *cert;
>
> /* perform just a manual re-verification of the peer */
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02258)
> @@ -1035,43 +1025,10 @@ int ssl_hook_Access(request_rec *r)
> }
>
> /*
> - * Remember the peer certificate's DN
> - */
> - if ((cert = SSL_get_peer_certificate(ssl))) {
> - if (sslconn->client_cert) {
> - X509_free(sslconn->client_cert);
> - }
> - sslconn->client_cert = cert;
> - sslconn->client_dn = NULL;
> - }
> -
> - /*
> * Finally check for acceptable renegotiation results
> */
> - if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
> - (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
> - BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
> - (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
> -
> - if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
> - "Re-negotiation handshake failed: "
> - "Client verification failed");
> -
> - return HTTP_FORBIDDEN;
> - }
> -
> - if (do_verify) {
> - if ((peercert = SSL_get_peer_certificate(ssl)) == NULL) {
> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
> - "Re-negotiation handshake failed: "
> - "Client certificate missing");
> -
> - return HTTP_FORBIDDEN;
> - }
> -
> - X509_free(peercert);
> - }
> + if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
> + return rc;
> }
>
> /*
> @@ -1094,6 +1051,215 @@ int ssl_hook_Access(request_rec *r)
> }
> }
>
> + return DECLINED;
> +}
> +
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> +/*
> + * Access Handler, modern flavour, for SSL/TLS v1.3 and onward.
> + * Only client certificates can be requested, everything else stays.
> + */
> +static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
> + SSLConnRec *sslconn, SSL *ssl)
> +{
> + if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
> + (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
> + int vmode_inplace, vmode_needed;
> + int change_vmode = FALSE;
> + int old_state, n, rc;
> +
> + vmode_inplace = SSL_get_verify_mode(ssl);
> + vmode_needed = SSL_VERIFY_NONE;
> +
> + if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
> + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
> + vmode_needed |= SSL_VERIFY_PEER_STRICT;
> + }
> +
> + if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
> + (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
> + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
> + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
> + {
> + vmode_needed |= SSL_VERIFY_PEER;
> + }
> +
> + if (vmode_needed == SSL_VERIFY_NONE) {
> + return DECLINED;
> + }
> +
> + vmode_needed |= SSL_VERIFY_CLIENT_ONCE;
> + if (vmode_inplace != vmode_needed) {
> + /* Need to change, if new setting is more restrictive than existing one */
> +
> + if ((vmode_inplace == SSL_VERIFY_NONE)
> + || (!(vmode_inplace & SSL_VERIFY_PEER)
> + && (vmode_needed & SSL_VERIFY_PEER))
> + || (!(vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
> + && (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
> + /* need to change the effective verify mode */
> + change_vmode = TRUE;
> + }
> + else {
> + /* FIXME: does this work with TLSv1.3? Is this more than re-inspecting
> + * the certificate we should already have? */
> + /*
> + * override of SSLVerifyDepth
> + *
> + * The depth checks are handled by us manually inside the
> + * verify callback function and not by OpenSSL internally
> + * (and our function is aware of both the per-server and
> + * per-directory contexts). So we cannot ask OpenSSL about
> + * the currently verify depth. Instead we remember it in our
> + * SSLConnRec attached to the SSL* of OpenSSL. We've to force
> + * the renegotiation if the reconfigured/new verify depth is
> + * less than the currently active/remembered verify depth
> + * (because this means more restriction on the certificate
> + * chain).
> + */
> + n = (sslconn->verify_depth != UNSET)?
> + sslconn->verify_depth : sc->server->auth.verify_depth;
> + /* determine the new depth */
> + sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
> + ? dc->nVerifyDepth
> + : sc->server->auth.verify_depth;
> + if (sslconn->verify_depth < n) {
> + change_vmode = TRUE;
> + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> + "Reduced client verification depth will "
> + "force renegotiation");
> + }
> + }
> + }
> +
> + if (change_vmode) {
> + char peekbuf[1];
> +
> + if (r->connection->master) {
> + /* FIXME: modifying the SSL on a slave connection is no good.
> + * We would need to push this back to the master connection
> + * somehow.
> + */
> + apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
> + return HTTP_FORBIDDEN;
> + }
> +
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() "verify client post handshake");
> +
> + SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
> +
> + if (SSL_verify_client_post_handshake(ssl) != 1) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
> + "cannot perform post-handshake authentication");
> + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
> + apr_table_setn(r->notes, "error-notes",
> + "Reason: Cannot perform Post-Handshake Authentication.<br />");
> + return HTTP_FORBIDDEN;
> + }
> +
> + old_state = sslconn->reneg_state;
> + sslconn->reneg_state = RENEG_ALLOW;
> + modssl_set_app_data2(ssl, r);
> +
> + SSL_do_handshake(ssl);
> + /* Need to trigger renegotiation handshake by reading.
> + * Peeking 0 bytes actually works.
> + * See: http://marc.info/?t=145493359200002&r=1&w=2
> + */
> + SSL_peek(ssl, peekbuf, 0);
> +
> + sslconn->reneg_state = old_state;
> + modssl_set_app_data2(ssl, NULL);
> +
> + /*
> + * Finally check for acceptable renegotiation results
> + */
> + if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
> + return rc;
> + }
> + }
> + }
> +
> + return DECLINED;
> +}
> +#endif
> +
> +int ssl_hook_Access(request_rec *r)
> +{
> + SSLDirConfigRec *dc = myDirConfig(r);
> + SSLSrvConfigRec *sc = mySrvConfig(r->server);
> + SSLConnRec *sslconn = myConnConfig(r->connection);
> + SSL *ssl = sslconn ? sslconn->ssl : NULL;
> + apr_array_header_t *requires;
> + ssl_require_t *ssl_requires;
> + int ok, i, ret;
> +
> + /* On a slave connection, we do not expect to have an SSLConnRec, but
> + * our master connection might have one. */
> + if (!(sslconn && ssl) && r->connection->master) {
> + sslconn = myConnConfig(r->connection->master);
> + ssl = sslconn ? sslconn->ssl : NULL;
> + }
> +
> + /*
> + * We should have handshaken here, otherwise we are being
> + * redirected (ErrorDocument) from a renegotiation failure below.
> + * The access is still forbidden in the latter case, let ap_die() handle
> + * this recursive (same) error.
> + */
> + if (ssl && !SSL_is_init_finished(ssl)) {
> + return HTTP_FORBIDDEN;
> + }
> +
> + /*
> + * Support for SSLRequireSSL directive
> + */
> + if (dc->bSSLRequired && !ssl) {
> + if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) {
> + /* This vhost was configured for optional SSL, just tell the
> + * client that we need to upgrade.
> + */
> + apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
> + apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
> +
> + return HTTP_UPGRADE_REQUIRED;
> + }
> +
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
> + "access to %s failed, reason: %s",
> + r->filename, "SSL connection required");
> +
> + /* remember forbidden access for strict require option */
> + apr_table_setn(r->notes, "ssl-access-forbidden", "1");
> +
> + return HTTP_FORBIDDEN;
> + }
> +
> + /*
> + * Check to see whether SSL is in use; if it's not, then no
> + * further access control checks are relevant. (the test for
> + * sc->enabled is probably strictly unnecessary)
> + */
> + if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
> + return DECLINED;
> + }
> +
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + /* TLSv1.3+ is less complicated here. Branch off into a new codeline
> + * and avoid messing with the past. */
> + if (SSL_version(ssl) >= TLS1_3_VERSION) {
> + ret = ssl_hook_Access_modern(r, sc, dc, sslconn, ssl);
> + }
> + else
> +#endif
> + {
> + ret = ssl_hook_Access_classic(r, sc, dc, sslconn, ssl);
> + }
> +
> + if (ret != DECLINED) {
> + return ret;
> + }
> +
> /* If we're trying to have the user name set from a client
> * certificate then we need to set it here. This should be safe as
> * the user name probably isn't important from an auth checking point
> @@ -2078,31 +2244,43 @@ void ssl_callback_Info(const SSL *ssl, i
> {
> conn_rec *c;
> server_rec *s;
> - SSLConnRec *scr;
>
> /* Retrieve the conn_rec and the associated SSLConnRec. */
> if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
> return;
> }
>
> - if ((scr = myConnConfig(c)) == NULL) {
> - return;
> - }
> + /* With TLS 1.3 this callback may be called multiple times on the first
> + * negotiation, so the below logic to detect renegotiations can't work.
> + * Fortunately renegotiations are forbidden starting with TLS 1.3, and
> + * this is enforced by OpenSSL so there's nothing to be done here.
> + */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> + if (SSL_version(ssl) < TLS1_3_VERSION)
> +#endif
> + {
> + SSLConnRec *sslconn;
> +
> + if ((sslconn = myConnConfig(c)) == NULL) {
> + return;
> + }
>
> - /* If the reneg state is to reject renegotiations, check the SSL
> - * state machine and move to ABORT if a Client Hello is being
> - * read. */
> - if (!scr->is_proxy &&
> - (where & SSL_CB_HANDSHAKE_START) &&
> - scr->reneg_state == RENEG_REJECT) {
> - scr->reneg_state = RENEG_ABORT;
> + /* If the reneg state is to reject renegotiations, check the SSL
> + * state machine and move to ABORT if a Client Hello is being
> + * read. */
> + if (!sslconn->is_proxy &&
> + (where & SSL_CB_HANDSHAKE_START) &&
> + sslconn->reneg_state == RENEG_REJECT) {
> + sslconn->reneg_state = RENEG_ABORT;
> ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
> "rejecting client initiated renegotiation");
> - }
> - /* If the first handshake is complete, change state to reject any
> - * subsequent client-initiated renegotiation. */
> - else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
> - scr->reneg_state = RENEG_REJECT;
> + }
> + /* If the first handshake is complete, change state to reject any
> + * subsequent client-initiated renegotiation. */
> + else if ((where & SSL_CB_HANDSHAKE_DONE)
> + && sslconn->reneg_state == RENEG_INIT) {
> + sslconn->reneg_state = RENEG_REJECT;
> + }
> }
>
> s = mySrvFromConn(c);
>
> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1841573&r1=1841572&r2=1841573&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Fri Sep 21 12:14:05 2018
> @@ -132,13 +132,14 @@
> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
> #define SSL_CTX_set_max_proto_version(ctx, version) \
> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
> -#endif
> -/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
> - * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
> - * we have to work around this...
> +#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
> +/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
> + * include most changes from OpenSSL >= 1.1 (new functions, macros,
> + * deprecations, ...), so we have to work around this...
> */
> #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
> -#else
> +#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
> +#else /* defined(LIBRESSL_VERSION_NUMBER) */
> #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
> #endif
>
> @@ -238,7 +239,8 @@ void init_bio_methods(void);
> void free_bio_methods(void);
> #endif
>
> -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
> +#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
> + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
> #define X509_STORE_CTX_get0_store(x) (x->ctx)
> #endif
>
> @@ -372,8 +374,17 @@ typedef int ssl_opt_t;
> #ifdef HAVE_TLSV1_X
> #define SSL_PROTOCOL_TLSV1_1 (1<<3)
> #define SSL_PROTOCOL_TLSV1_2 (1<<4)
> +#define SSL_PROTOCOL_TLSV1_3 (1<<5)
> +
> +#ifdef SSL_OP_NO_TLSv1_3
> +#define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
> +#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
> + SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
> +#else
> +#define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
> #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
> SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
> +#endif
> #else
> #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
> #endif
> @@ -646,6 +657,11 @@ typedef struct {
> /** for client or downstream server authentication */
> int verify_depth;
> ssl_verify_t verify_mode;
> +
> + /** TLSv1.3 has its separate cipher list, separate from the
> + settings for older TLS protocol versions. Since which one takes
> + effect is a matter of negotiation, we need separate settings */
> + const char *tls13_ciphers;
> } modssl_auth_ctx_t;
>
> #ifdef HAVE_TLS_SESSION_TICKETS
> @@ -801,7 +817,7 @@ const char *ssl_cmd_SSLPassPhraseDialog
> const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
> const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
> -const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
> +const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
> const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
> @@ -830,7 +846,7 @@ const char *ssl_cmd_SSLInsecureRenegotia
>
> const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
> const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
> -const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
> +const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
> const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
>
>
Re: svn commit: r1841573 - in /httpd/httpd/branches/2.4.x: ./ CHANGES
STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Posted by Stefan Eissing <st...@greenbytes.de>.
Champagne! :-D
> Am 21.09.2018 um 14:15 schrieb Jim Jagielski <ji...@jaguNET.com>:
>
> *cheers*!!
>
>> On Sep 21, 2018, at 8:14 AM, minfrin@apache.org wrote:
>>
>> Author: minfrin
>> Date: Fri Sep 21 12:14:05 2018
>> New Revision: 1841573
>>
>> URL: http://svn.apache.org/viewvc?rev=1841573&view=rev
>> Log:
>> Add TLSv1.3 support to mod_ssl:
>> trunk: http://svn.apache.org/r1839946
>> http://svn.apache.org/r1839920
>> http://svn.apache.org/r1833589
>> http://svn.apache.org/r1833588
>> http://svn.apache.org/r1828723
>> http://svn.apache.org/r1828720
>> http://svn.apache.org/r1828222
>> http://svn.apache.org/r1827992
>> http://svn.apache.org/r1827924
>> http://svn.apache.org/r1827912
>> http://svn.apache.org/r1828790
>> http://svn.apache.org/r1828791
>> http://svn.apache.org/r1828792
>> http://svn.apache.org/r1840585
>> http://svn.apache.org/r1840710
>> http://svn.apache.org/r1841218
>> 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x
>>
>> Modified:
>> httpd/httpd/branches/2.4.x/ (props changed)
>> httpd/httpd/branches/2.4.x/CHANGES
>> httpd/httpd/branches/2.4.x/STATUS
>> httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
>> httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
>> httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
>> httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
>> httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
>> httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
>>
>> Propchange: httpd/httpd/branches/2.4.x/
>> ------------------------------------------------------------------------------
>> --- svn:mergeinfo (original)
>> +++ svn:mergeinfo Fri Sep 21 12:14:05 2018
>> @@ -1,11 +1,11 @@
>> /httpd/httpd/branches/2.4.17-protocols-changes:1712542-1715252
>> /httpd/httpd/branches/2.4.17-protocols-http2:1701609-1705681
>> -/httpd/httpd/branches/2.4.x:1825504
>> /httpd/httpd/branches/2.4.x-mod_md:1816423-1821089
>> /httpd/httpd/branches/2.4.x-mpm_fdqueue:1824383-1824864
>> /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
>> +/httpd/httpd/branches/tlsv1.3-for-2.4.x:1840105-1841571
>> /httpd/httpd/branches/trunk-buildconf-noapr:1780253-1795930
>> /httpd/httpd/branches/trunk-md:1804087-1804529
>> /httpd/httpd/branches/trunk-override-index:1793921-1793931
>> /httpd/httpd/branches/wombat-integration:723609-723841
>> -/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,1201111,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
>> 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,1301111,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
>> ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341905-1341906,1341913,1341930,1342065,1343085,1343087,1343094,1343099,1343109,1343935,1344712,1345147,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1362707,1363035,1363183,1363186,1363312,1363440,1363557,1363589,1363829,1363832,1363836-1363837,1363853,1364133,1364138,1364229,1364601,1364695,1365001,1365020,1365029,1365479,1366319,1366344,1366621,1367778,1367819,1368053,1368058,1368094,1368121,1368131,1368393,1368396,1369419,1369568,1369
>> 604,1369618,1369904,1369995,1369999,1370001,1370466,1370592,1370615-1370616,1370763,1371387,1371791,1371801,1371878,1371903,1373270,1373447,1373898,1373955,1374157,1374199,1374214,1374216,1374247,1374874,1374877,1374880,1375006,1375009,1375011,1375013,1375445,1375584,1376695,1376700,1378178,1383490,1384408,1384913,1386576,1386578,1386726,1386822,1386880,1386913,1387085,1387088,1387110,1387389,1387444,1387603,1387607,1387633,1387693,1387979,1388029,1388445,1388447,1388648,1388660,1388825,1388899,1389316,1389339,1389481,1389506,1389564,1389566-1389569,1390562,1390564,1391396,1391398,1391771,1392120,1392122,1392150,1392214,1392345-1392347,1392850,1393033,1393058,1393152,1393338,1393564,1394079,1395225,1395253-1395256,1395792,1396440,1397172,1397320,1397636,1397687,1397710,1397716,1398025,1398040,1398066,1398478,1398480-1398481,1398970,1399413,1399687,1399708,1400700,1401448,1402924,1403476,1403483,1403492,1404653,1405407,1405856,1405973,1406068,1406493,1406495,1406616,1406646,1406760,1
>> 407004,1407006,1407085,1407088,1407248,1407381,1407459-1407460,1407528,1407853,1407965,1408093,1408402,1408958,1408961,1409170,1409437,1409726,1409800,1410681,1410954,1411862,1412278,1413732,1414094,1415008,1415023,1415075,1416121,1416150,1416278,1417197,1417440,1417529,1418524,1418556,1418648,1418655,1418703,1418721,1418752,1418761,1418765,1418769,1419084,1419719,1419726,1419755,1419781,1419796,1420120,1420124,1420149,1420184,1420644,1420685-1420686,1420975,1421288,1421323,1421851,1421912,1421953,1422135,1422549,1422594,1422712,1422855,1422937,1422943,1422980,1423353,1423933,1425360,1425771-1425772,1425775,1425777,1425874,1426850,1426975,1427546,1428184,1428280,1428916,1429228,1429559,1429561,1429564,1429582,1430575,1430814,1430869,1433001,1433613,1433682,1433861,1433988,1435178,1435811,1436058,1436401,1439083,1439106,1439114,1439404,1439623,1442309,1442320,1442326,1442412,1442759,1442865,1447993,1448171,1448453,1451478,1451484,1451633,1451830,1451849,1451905,1451921,1452128,145219
>> 5,1452259,1452281,1452551,1452911,1452949,1452954,1453022,1453574,1453604,1453875-1453876,1453963,1453981,1454386,1454414-1454415,1454888,1457437,1457450,1457471,1457504,1457520-1457521,1457610,1457995,1458003-1458004,1458020,1458285,1458447,1458456,1462266,1462269,1462643,1463044-1463047,1463049,1463052,1463056,1463455,1463736,1463750,1463754,1464675,1464721,1464762,1465115-1465116,1465190,1467593,1467765,1468581,1470183,1470679,1470940,1471449,1475878,1476604,1476621,1476642,1476644-1476645,1476652,1476680,1477094,1477530,1478382,1478748,1479117,1479216,1479222,1479411,1479528,1479905,1479966,1480046,1480627,1481197,1481302,1481306,1481396-1481397,1481891,1482041,1482075,1482170,1482555,1482859,1482996,1483005,1483027,1483190,1484343,1484398,1484832,1484910,1484914,1485409,1485668,1486490,1487528,1487530,1487775,1488158,1488164,1488296,1488471,1488492,1488644,1490294,1490493,1490507,1490550,1490761,1490994,1491155,1491221,1491234,1491458,1491479,1491538,1491564,1491724,1492395,149
>> 2663,1492710,1492782,1493257,1493330,1493921,1493925,1494532,1494536,1495501,1496194,1496338,1496429,1496709,1497371,1497588,1498880,1499679,1500323,1500345,1500362,1500423,1500437,1500483,1500519,1501294,1501369,1501399,1501827,1501913,1502665,1502772,1503680,1503866,1503990-1503991,1504276,1506474,1506714,1509872,1509983,1510084-1510085,1510098,1510295,1510588,1510707,1511093,1513492,1513508,1514039,1514064,1514214-1514215,1514255,1514267,1514617,1515050,1515162,1515403,1515411,1515420,1517025,1517045,1517175,1517366,1517386,1517388,1518265,1518269,1519475,1520368,1520445,1520760,1520908,1521909,1523235,1523239,1523281,1523387,1524101,1524158,1524192,1524368,1524388,1524770,1525276,1525280-1525281,1525931,1526168,1526189,1526647,1526666,1527008,1527220,1527291,1527294-1527295,1527509,1527925-1527926,1528143,1528718,1529014,1529277,1529449,1529559,1529988,1529991,1530793,1531340,1531370,1531505,1531672,1531961-1531962,1532281,1532289,1532746,1532816,1533065,1533224,1533810,1533935,
>> 1534321,1534754,1534890,1534892,1534895-1534896,1534914,1536310,1537535,1537718,1538490,1540051-1540052,1541181,1541270,1541368,1542338,1542379,1542533,1542562,1542615,1543020,1543147,1543149,1543174,1544381,1544774,1544784,1544812,1544820,1545286,1545292,1545325,1545364,1545408,1545411,1546692-1546693,1546730,1546759-1546760,1546801,1546804-1546805,1546835-1546836,1546860,1547845,1550061,1550302,1550307,1551611,1551685,1551714,1551802,1552130,1552227,1553204,1553824,1554161,1554168,1554170,1554175-1554176,1554179,1554181,1554184,1554188,1554192,1554195,1554276,1554281,1554300-1554301,1554994-1554995,1555240,1555259,1555266,1555423-1555424,1555463-1555464,1555467,1555555,1555569,1555631,1556206,1556428,1556473,1556911-1556912,1556914,1556937,1557317,1557617,1558483,1559351,1559828,1560367,1560546,1560679,1560689,1560729,1560977,1560979,1561137,1561262,1561385,1561660,1561923,1562472,1563193,1563379,1563381,1563417-1563418,1563420,1564052,1564437,1564475,1564756,1564760,1565081,15657
>> 11,1568404,1569615,1570288,1570598,1571369,1572092,1572198,1572543,1572561,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572905,1572911,1572967,1573224,1573229,1573626,1574151,1575400,1576233,1576741,1578760,1578762,1580568,1580928,1580935,1583005,1583007-1583008,1583027,1583175,1583191,1584098,1584417,1584430,1584434,1584572,1584653,1584658,1584665,1584703,1584878,1584884,1584896,1585054,1585072,1585090,1585157,1585435,1585609,1585824,1585918-1585919,1586745,1586827,1587036,1587040,1587053,1587255,1587594,1587607,1587639,1587654,1588054,1588065,1588213,1588330,1588427,1588519,1588527,1588704,1588806,1588851,1588853,1588868,1589413,1590437,1590509,1591143,1591320,1591322,1591328,1591390,1591394,1591401,1591472,1591508,1592032,1592037,1592500,1592511,1592514,1592529,1592615,1592632,1593745,1594625,1594643,1594648,1595305,1595321,1595426,1597182,1597349,1597352,1597533,1597639,1597642,1598107,1598946,1599012,1599535,1601076,1601184-1601185,1601274,1601291,1601559,1601624,16
>> 01630,1601919,1601995,1602338,1602978,1602989,1603027,1603029,1603122,1603156,1603915,1604382,1604461,1604631,1605207,1605328,1605827,1605829,1607960,1608284,1608785,1608999,1609914,1609936,1609938,1610207,1610311,1610353,1610366,1610491,1610652,1610674,1611165,1611169,1611244,1611600,1611871,1611978,1612068,1615026,1615289,1617018,1617913,1618401,1618541,1618555,1619297,1619383,1619444,1619483,1619835,1620324,1620461,1620932,1621367,1621372,1621417,1621453,1621806,1622450,1624234,1624349,1625196,1625952,1626050,1626956,1626978,1628104,1628388,1628918-1628919,1628924,1628950,1629235,1629239,1629244,1629250,1629372,1629440-1629441,1629485,1629507-1629508,1629519,1629576-1629577,1629652,1629916,1631885,1632454,1632740,1632742,1633730-1633731,1633793,1634120,1634237,1634425,1634736,1634836,1635510,1635558,1635644-1635645,1635762,1637112,1638072-1638073,1638879,1639614,1640031,1640036,1640040,1640042,1640331,1641077,1641095,1641376,1642099,1642484,1642499,1642847,1642868,1643034,1643279
>> ,1643284,1643537,1643825,1644245,1646282,1646724,1647035,1648201,1648394,1648433,1648719,1648840,1649001,1649043,1649491,1649632,1649966,1650047,1650061,1650309-1650310,1650320,1651088,1652829,1652929,1652931,1652955,1652982,1652985,1652989,1653941,1653978,1653997,1656225,1656549,1656669,1657256,1657261,1657636,1657638,1657685,1657881,1657897,1658760,1658765,1661067,1661258,1661448,1661464,1661486,1662245-1662246,1662437,1663017,1663647,1664071,1664133,1664205,1664299,1664565,1664709,1665215-1665216,1665218,1665625,1665643,1665721,1666297,1666361,1666363,1666415,1666417,1666468,1666617-1666618,1666998,1667385-1667386,1667676,1667707,1668532,1668535,1668553,1669130,1669289,1669292,1670434,1671364,1671396-1671397,1671918,1672289,1672453,1672466,1672480,1672483,1672564,1672757,1672985,1672989,1673113,1673155,1673368,1673455,1673769,1674056,1674538,1674542,1674606,1674632,1674697,1675103,1675410,1675533,1676085,1676654,1676709,1676842,1677096,1677143-1677146,1677149,1677151,1677153-1677
>> 156,1677159,1677339,1677462,1677702,1677830,1677832,1677834-1677835,1678763,1679032,1679181-1679182,1679192,1679428,1679432,1679470,1679620,1679712,1680276,1680895,1680900,1680942,1681037,1681424,1681440,1681685,1681694,1681795,1682482,1682816,1682819,1682907,1682923,1682937,1682979,1682988,1683044,1683047,1683123,1683881,1683884,1684057,1684171,1684636,1684900,1685069,1685339,1685345,1685347,1685349-1685350,1685650,1685659,1685779,1686085,1686853,1686856,1687539,1687680,1687980,1688274,1688331,1688339-1688341,1688343,1688399,1688474-1688475,1688536,1688538,1688660,1689325,1689605,1689694,1689698,1690120,1690137,1690248,1691374,1691582,1691592,1691819,1691908,1692285,1692432,1692486,1692516,1693792,1693918-1693919,1693963,1694903,1694936,1694950-1694951,1695170,1695727,1695874,1695885,1695920,1696105,1696264,1696266,1696279,1696428,1696442,1696565,1696592,1696607,1696755,1696881,1697013,1697015,1697051,1697323,1697339,1697370,1697389,1697446,1697543,1697634,1697855,1698023,1698103,1
>> 698107,1698116,1698133,1698330,1698334,1700271,1700275,1700317-1700322,1700326,1700328,1700330-1700332,1700334,1700336,1700338,1700418,1700514,1700777,1700851,1700917,1700925,1700968,1701005,1701145,1701178,1701204,1701347,1701436,1701545,1701717,1702643,1702919,1702948,1703152,1703241,1703248,1703417,1703642,1703807,1703813,1703822,1703871,1703902,1703952,1704099,1704241,1704262,1704797,1704799,1704826,1705099,1705134,1705194,1705217,1705257,1705749,1705776,1705823,1705826,1705828,1705833,1705922,1705983,1706275,1706523,1706595,1706627,1706635,1706637,1706640,1706918,1706942,1706989,1707002,1707230-1707231,1707497,1707512,1707519,1707591,1707626-1707627,1707640,1707831,1707883,1707889,1708107,1709008,1709587,1709596,1709602,1709995,1710095,1710105,1710231,1710380,1710391,1710403,1710419,1710572,1710583,1710723,1711479,1711553,1711648,1711728,1711902,1712382,1713040,1713043,1713209,1713937,1715023,1715255,1715273,1715567-1715568,1715570-1715572,1715576,1715581-1715585,1715886,171621
>> 1,1716388,1716460,1716487,1716660,1716940,1717063,1717086,1717639,1717816,1717934,1717958,1717975,1717985,1718314,1718338,1718400,1718476,1718496,1718514,1718556,1718569,1718598,1719016,1719018,1719189-1719190,1719252,1719254-1719255,1719257,1719967,1720129,1720996,1721313,1721685,1721899,1722137,1722154,1722177,1722195,1722229,1722320,1722328,1722334,1722350-1722351,1722358,1722377,1722572,1722701,1723122,1723143,1723284,1723295,1723522,1723567,1723953,1724847,1724857,1724879,1724992-1724993,1724995,1725018,1725031,1725090,1725120,1725149,1725325,1725328,1725387,1725392,1725394-1725395,1725445,1725468,1725485,1725489,1725498-1725499,1725516,1725523,1725545,1725567,1725581,1725602,1725822,1725940,1725967,1726009,1726026,1726038,1726049,1726051-1726052,1726055,1726086,1726167,1726233,1726675,1726705,1726798,1726881,1726888,1727071,1727111,1727317,1727544,1727573,1727603,1727842,1728326,1728804,1729208,1729235,1729374,1729376,1729826,1729847,1729929-1729931,1729960,1730079,1730297,173
>> 0640,1730723,1730865,1731929,1732228,1732252,1732353,1732369,1732716,1732954,1732986,1733056,1733064,1733068,1733088-1733089,1733275,1733523,1733537-1733538,1733691,1734006,1734125,1734239,1734294,1734412,1734561,1734635,1734807,1734817,1734947,1734955,1734989,1735088,1735159,1735337,1735608-1735609,1735611,1735668,1735786,1735891,1735906,1735931,1735935,1735942,1735952,1736156,1736186,1736243,1736250,1736463,1736681,1736686,1737006,1737014,1737020-1737021,1737102,1737114,1737125,1737254,1737256,1737265,1737447,1737449,1737451,1737476,1738217,1738331,1738333,1738464,1738466,1738486,1738563,1738628,1738631,1738633,1738635,1739008,1739146,1739151,1739193,1739201,1739303,1739312,1739738,1739932,1740075,1740084,1740108,1740110,1740155,1740735,1740910,1740928,1740960,1740967,1740987,1740998,1741045,1741065,1741112,1741115,1741268,1741277,1741310,1741392,1741414,1741446,1741461,1741557,1741564,1741570,1741596,1741621,1741648,1741934,1742005,1742135,1742260,1742359,1742444-1742447,1742460,
>> 1742697,1742791-1742792,1743335,1743512,1743517,1743699,1743788,1743816,1744203-1744204,1744206,1744283,1744415,1744421,1744458-1744459,1744712,1744751,1744767,1744778,1744980,1745034,1745039,1745175,1745767,1745835,1745863-1745864,1746207,1746647,1746988,1747170,1747469,1747531,1747550,1747735,1747808,1747810,1747946,1748047,1748155,1748368,1748448,1748531,1748653,1748888,1749151,1749401-1749404,1749505,1749658-1749659,1749676,1749678,1749695,1749924-1749925,1750043,1750218,1750335,1750392,1750407,1750412,1750416,1750420,1750474,1750494,1750507-1750508,1750553,1750567,1750750,1750779,1750854-1750855,1750947,1750955,1750960,1751970,1752087,1752096,1752145,1752331-1752333,1752347,1752415,1753167,1753224,1753228-1753229,1753257,1753315-1753316,1753498,1753541,1753592,1753594,1753777,1754129,1754164,1754391,1754399,1754414,1754534,1755323,1756038,1756542,1756553,1756611,1756631,1756844,1756846,1756848,1756852-1756853,1756976,1757009-1757011,1757029-1757031,1757061,1757147,1757524,17575
>> 34,1757540,1757662-1757663,1757985,1758003,1758083,1758307-1758311,1758446,1758558,1759415,1759984,1760018,1761434,1761477,1761479,1761548,1761714,1761824,1762512,1762515,1762517,1762580,1762701-1762703,1762718,1762723,1762742-1762743,1763158,1763246,1763613,1764005,1764040,1764046,1764236,1764243,1764255,1765318,1765328,1765357,1765420,1766097,1766129,1766160,1766308,1766424,1766691,1766851,1766857,1766998,1767128,1767180-1767181,1767553,1767564,1767803,1767936,1768160,1768245,1769192,1769332,1769550,1769593,1769596,1769600,1769718,1770395,1770750,1770752,1770768,1770771,1770828,1770951,1770998,1771001,1771015,1771789,1771791,1771827,1772339,1772489,1772504,1772576,1772812-1772813,1772919,1773159,1773162,1773293,1773346,1773397,1773761,1773779,1773812,1773861-1773862,1773865,1774008,1774018,1774023,1774068-1774069,1774286,1774288,1774538,1774541,1774602,1774609,1775173,1775195,1775199,1775487,1775664,1775770,1775775,1775813,1775833,1775858,1775944,1775946,1776458-1776459,1776463,17
>> 76575,1776578,1776624,1776627,1776674,1776734-1776735,1776738,1776740,1776956,1777160,1777324,1777354,1777460,1777556-1777557,1777593-1777594,1777672,1777923,1778268,1778319,1778331,1778350,1778630,1779077,1779091,1779111,1779354,1779459,1779525,1779528,1779573-1779574,1779623,1779699,1779738,1779743,1779896,1779972,1779979,1780095,1780159,1780308,1780328-1780329,1780576,1780596,1780598,1780725,1780971,1781030-1781031,1781187,1781190,1781304,1781312-1781313,1781324,1781328-1781329,1781509,1781516,1781575,1781577,1781580,1781687,1781701,1782164,1782166,1782193-1782194,1782323,1782418-1782419,1782482,1782532,1782875,1782944,1782958,1782975,1783056,1783305,1783722-1783723,1783764-1783765,1783770,1783842,1783849,1784002,1784203,1784205,1784227-1784228,1784275,1784318,1784366,1784372,1784571,1785115,1785672,1785683,1785752-1785753,1785871,1785907,1785943,1786009,1786110,1786119,1786512,1786575-1786576,1786715,1787051,1787053,1787141,1787525,1787553,1787604,1788032-1788033,1788040,1788430
>> ,1788451,1788508,1788672,1788674,1788981,1788996,1788998,1789000,1789220-1789221,1789224,1789276,1789279,1789387,1789395,1789520,1789535,1789692,1789740,1789800,1790102,1790113,1790169,1790284,1790457,1790691,1790754,1790826-1790827,1790842,1790850,1790852-1790853,1790855,1790860,1790973,1790978,1791377,1791388,1791400,1791669,1791773,1791790,1791975,1792092,1792195,1792212,1792589,1792675,1793525,1793533,1793932,1794049,1795635,1795651,1795830,1795834,1795931,1796343,1796348,1796350,1796446,1796493,1796864,1797550,1797745,1797844,1798785,1799341,1799435,1799437,1799784,1799786,1800126,1800173,1800306,1800393,1800594,1800689,1800788,1800809,1800815,1800817,1800819,1800830,1800833,1800917,1800919,1800978,1801143-1801144,1801148,1801456,1801594,1801665,1801994-1801995,1802040,1802305,1802309,1802336,1802535,1802618,1802845,1802875,1803392,1803396,1803398,1803420,1803454,1804090,1804096,1804530-1804531,1804542,1804545,1804671,1804759,1804787,1804975,1805099,1805163,1805180,1805188,1805
>> 190,1805192,1805194-1805195,1805206,1805256,1805294,1805322,1805373,1805490,1806939,1806985,1807228,1807238,1807347,1807577,1807593,1807655,1807774,1807777,1807876,1808005,1808008,1808014,1808085,1808092,1808100,1808230,1808241-1808243,1808249,1808444,1808671,1808723,1808746,1808780,1809028,1809135,1809209,1809273,1809302-1809303,1809305,1809311,1809314,1809713,1809719,1809881,1809888,1809973,1809976,1809981,1810088-1810089,1810358,1810362-1810363,1810365,1810447,1810723,1811082,1811192,1811285,1811540-1811541,1811569-1811570,1811649,1811664,1811744,1811812,1811976,1812004,1812075,1812193,1812263,1812301,1812307,1812332,1812517-1812518,1812756,1812999,1813116,1813642-1813643,1813991,1814118,1814465,1814719-1814720,1814939,1814968,1815004-1815005,1815078,1815264,1815370,1815483,1816055,1816110,1816154,1816156,1816179,1816534,1816552,1816558,1816619,1816919,1816922,1816970,1817023,1817131,1817175,1817598,1817777,1817785,1818013,1818040,1818120,1818122,1818278-1818280,1818308,1818624,1
>> 818725,1818792,1818802,1818804,1818825,1818849,1818924,1818951,1818958,1818960,1819027,1819214,1819847-1819848,1819852-1819853,1819855,1819969-1819970,1820035,1820101,1820464,1820808-1820809,1821095,1821371,1821374,1821504-1821505,1821558,1821561-1821562,1821595,1821624-1821627,1821629,1821632,1821635,1821639,1821644,1821647-1821651,1821659-1821660,1821767,1822305,1822366-1822367,1822502-1822503,1822509,1822511,1822537,1822624,1822849,1822858,1822878-1822879,1822883,1822931,1823047,1823179,1823412,1823415-1823416,1823482,1823564,1823572,1823575,1823886,1824176,1824303,1824332,1824336,1824343,1824381,1824390,1824454,1824460,1824463-1824464,1824482,1824497,1824811,1824862,1824877,1824973,1825147,1825169,1825368,1825370,1825467,1825504,1826207,1826556,1826686-1826687,1826845,1826847,1826973,1826995,1827001,1827166,1827196,1827362,1827366,1827374,1827599,1827604,1827654,1827671,1827783,1827865,1828210,1828232,1828390,1828485,1828493,1828669,1828687,1828879,1828890,1828912,1828920,182892
>> 6-1828927,1829038-1829039,1829513,1829557,1829573,1829645,1829657,1830523,1830562,1830744,1830746,1830943-1830944,1831231,1831591,1831772,1831800,1832198,1832200,1832277,1832280,1832317,1832351,1832500,1832580-1832581,1832934,1832937,1832951,1832991,1833014,1833827,1833875-1833876,1834012-1834013,1834209,1834226,1834318,1834470,1835094,1835118,1835287,1836095,1836154,1836276,1836287,1836381-1836383,1836386,1836469,1836603,1837130,1837357,1837588-1837590,1837595,1838937,1839780,1840010,1840582,1840776
>> +/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,1201111,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
>> 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,1301111,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
>> ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341905-1341906,1341913,1341930,1342065,1343085,1343087,1343094,1343099,1343109,1343935,1344712,1345147,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1362707,1363035,1363183,1363186,1363312,1363440,1363557,1363589,1363829,1363832,1363836-1363837,1363853,1364133,1364138,1364229,1364601,1364695,1365001,1365020,1365029,1365479,1366319,1366344,1366621,1367778,1367819,1368053,1368058,1368094,1368121,1368131,1368393,1368396,1369419,1369568,1369
>> 604,1369618,1369904,1369995,1369999,1370001,1370466,1370592,1370615-1370616,1370763,1371387,1371791,1371801,1371878,1371903,1373270,1373447,1373898,1373955,1374157,1374199,1374214,1374216,1374247,1374874,1374877,1374880,1375006,1375009,1375011,1375013,1375445,1375584,1376695,1376700,1378178,1383490,1384408,1384913,1386576,1386578,1386726,1386822,1386880,1386913,1387085,1387088,1387110,1387389,1387444,1387603,1387607,1387633,1387693,1387979,1388029,1388445,1388447,1388648,1388660,1388825,1388899,1389316,1389339,1389481,1389506,1389564,1389566-1389569,1390562,1390564,1391396,1391398,1391771,1392120,1392122,1392150,1392214,1392345-1392347,1392850,1393033,1393058,1393152,1393338,1393564,1394079,1395225,1395253-1395256,1395792,1396440,1397172,1397320,1397636,1397687,1397710,1397716,1398025,1398040,1398066,1398478,1398480-1398481,1398970,1399413,1399687,1399708,1400700,1401448,1402924,1403476,1403483,1403492,1404653,1405407,1405856,1405973,1406068,1406493,1406495,1406616,1406646,1406760,1
>> 407004,1407006,1407085,1407088,1407248,1407381,1407459-1407460,1407528,1407853,1407965,1408093,1408402,1408958,1408961,1409170,1409437,1409726,1409800,1410681,1410954,1411862,1412278,1413732,1414094,1415008,1415023,1415075,1416121,1416150,1416278,1417197,1417440,1417529,1418524,1418556,1418648,1418655,1418703,1418721,1418752,1418761,1418765,1418769,1419084,1419719,1419726,1419755,1419781,1419796,1420120,1420124,1420149,1420184,1420644,1420685-1420686,1420975,1421288,1421323,1421851,1421912,1421953,1422135,1422549,1422594,1422712,1422855,1422937,1422943,1422980,1423353,1423933,1425360,1425771-1425772,1425775,1425777,1425874,1426850,1426975,1427546,1428184,1428280,1428916,1429228,1429559,1429561,1429564,1429582,1430575,1430814,1430869,1433001,1433613,1433682,1433861,1433988,1435178,1435811,1436058,1436401,1439083,1439106,1439114,1439404,1439623,1442309,1442320,1442326,1442412,1442759,1442865,1447993,1448171,1448453,1451478,1451484,1451633,1451830,1451849,1451905,1451921,1452128,145219
>> 5,1452259,1452281,1452551,1452911,1452949,1452954,1453022,1453574,1453604,1453875-1453876,1453963,1453981,1454386,1454414-1454415,1454888,1457437,1457450,1457471,1457504,1457520-1457521,1457610,1457995,1458003-1458004,1458020,1458285,1458447,1458456,1462266,1462269,1462643,1463044-1463047,1463049,1463052,1463056,1463455,1463736,1463750,1463754,1464675,1464721,1464762,1465115-1465116,1465190,1467593,1467765,1468581,1470183,1470679,1470940,1471449,1475878,1476604,1476621,1476642,1476644-1476645,1476652,1476680,1477094,1477530,1478382,1478748,1479117,1479216,1479222,1479411,1479528,1479905,1479966,1480046,1480627,1481197,1481302,1481306,1481396-1481397,1481891,1482041,1482075,1482170,1482555,1482859,1482996,1483005,1483027,1483190,1484343,1484398,1484832,1484910,1484914,1485409,1485668,1486490,1487528,1487530,1487775,1488158,1488164,1488296,1488471,1488492,1488644,1490294,1490493,1490507,1490550,1490761,1490994,1491155,1491221,1491234,1491458,1491479,1491538,1491564,1491724,1492395,149
>> 2663,1492710,1492782,1493257,1493330,1493921,1493925,1494532,1494536,1495501,1496194,1496338,1496429,1496709,1497371,1497588,1498880,1499679,1500323,1500345,1500362,1500423,1500437,1500483,1500519,1501294,1501369,1501399,1501827,1501913,1502665,1502772,1503680,1503866,1503990-1503991,1504276,1506474,1506714,1509872,1509983,1510084-1510085,1510098,1510295,1510588,1510707,1511093,1513492,1513508,1514039,1514064,1514214-1514215,1514255,1514267,1514617,1515050,1515162,1515403,1515411,1515420,1517025,1517045,1517175,1517366,1517386,1517388,1518265,1518269,1519475,1520368,1520445,1520760,1520908,1521909,1523235,1523239,1523281,1523387,1524101,1524158,1524192,1524368,1524388,1524770,1525276,1525280-1525281,1525931,1526168,1526189,1526647,1526666,1527008,1527220,1527291,1527294-1527295,1527509,1527925-1527926,1528143,1528718,1529014,1529277,1529449,1529559,1529988,1529991,1530793,1531340,1531370,1531505,1531672,1531961-1531962,1532281,1532289,1532746,1532816,1533065,1533224,1533810,1533935,
>> 1534321,1534754,1534890,1534892,1534895-1534896,1534914,1536310,1537535,1537718,1538490,1540051-1540052,1541181,1541270,1541368,1542338,1542379,1542533,1542562,1542615,1543020,1543147,1543149,1543174,1544381,1544774,1544784,1544812,1544820,1545286,1545292,1545325,1545364,1545408,1545411,1546692-1546693,1546730,1546759-1546760,1546801,1546804-1546805,1546835-1546836,1546860,1547845,1550061,1550302,1550307,1551611,1551685,1551714,1551802,1552130,1552227,1553204,1553824,1554161,1554168,1554170,1554175-1554176,1554179,1554181,1554184,1554188,1554192,1554195,1554276,1554281,1554300-1554301,1554994-1554995,1555240,1555259,1555266,1555423-1555424,1555463-1555464,1555467,1555555,1555569,1555631,1556206,1556428,1556473,1556911-1556912,1556914,1556937,1557317,1557617,1558483,1559351,1559828,1560367,1560546,1560679,1560689,1560729,1560977,1560979,1561137,1561262,1561385,1561660,1561923,1562472,1563193,1563379,1563381,1563417-1563418,1563420,1564052,1564437,1564475,1564756,1564760,1565081,15657
>> 11,1568404,1569615,1570288,1570598,1571369,1572092,1572198,1572543,1572561,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572905,1572911,1572967,1573224,1573229,1573626,1574151,1575400,1576233,1576741,1578760,1578762,1580568,1580928,1580935,1583005,1583007-1583008,1583027,1583175,1583191,1584098,1584417,1584430,1584434,1584572,1584653,1584658,1584665,1584703,1584878,1584884,1584896,1585054,1585072,1585090,1585157,1585435,1585609,1585824,1585918-1585919,1586745,1586827,1587036,1587040,1587053,1587255,1587594,1587607,1587639,1587654,1588054,1588065,1588213,1588330,1588427,1588519,1588527,1588704,1588806,1588851,1588853,1588868,1589413,1590437,1590509,1591143,1591320,1591322,1591328,1591390,1591394,1591401,1591472,1591508,1592032,1592037,1592500,1592511,1592514,1592529,1592615,1592632,1593745,1594625,1594643,1594648,1595305,1595321,1595426,1597182,1597349,1597352,1597533,1597639,1597642,1598107,1598946,1599012,1599535,1601076,1601184-1601185,1601274,1601291,1601559,1601624,16
>> 01630,1601919,1601995,1602338,1602978,1602989,1603027,1603029,1603122,1603156,1603915,1604382,1604461,1604631,1605207,1605328,1605827,1605829,1607960,1608284,1608785,1608999,1609914,1609936,1609938,1610207,1610311,1610353,1610366,1610491,1610652,1610674,1611165,1611169,1611244,1611600,1611871,1611978,1612068,1615026,1615289,1617018,1617913,1618401,1618541,1618555,1619297,1619383,1619444,1619483,1619835,1620324,1620461,1620932,1621367,1621372,1621417,1621453,1621806,1622450,1624234,1624349,1625196,1625952,1626050,1626956,1626978,1628104,1628388,1628918-1628919,1628924,1628950,1629235,1629239,1629244,1629250,1629372,1629440-1629441,1629485,1629507-1629508,1629519,1629576-1629577,1629652,1629916,1631885,1632454,1632740,1632742,1633730-1633731,1633793,1634120,1634237,1634425,1634736,1634836,1635510,1635558,1635644-1635645,1635762,1637112,1638072-1638073,1638879,1639614,1640031,1640036,1640040,1640042,1640331,1641077,1641095,1641376,1642099,1642484,1642499,1642847,1642868,1643034,1643279
>> ,1643284,1643537,1643825,1644245,1646282,1646724,1647035,1648201,1648394,1648433,1648719,1648840,1649001,1649043,1649491,1649632,1649966,1650047,1650061,1650309-1650310,1650320,1651088,1652829,1652929,1652931,1652955,1652982,1652985,1652989,1653941,1653978,1653997,1656225,1656549,1656669,1657256,1657261,1657636,1657638,1657685,1657881,1657897,1658760,1658765,1661067,1661258,1661448,1661464,1661486,1662245-1662246,1662437,1663017,1663647,1664071,1664133,1664205,1664299,1664565,1664709,1665215-1665216,1665218,1665625,1665643,1665721,1666297,1666361,1666363,1666415,1666417,1666468,1666617-1666618,1666998,1667385-1667386,1667676,1667707,1668532,1668535,1668553,1669130,1669289,1669292,1670434,1671364,1671396-1671397,1671918,1672289,1672453,1672466,1672480,1672483,1672564,1672757,1672985,1672989,1673113,1673155,1673368,1673455,1673769,1674056,1674538,1674542,1674606,1674632,1674697,1675103,1675410,1675533,1676085,1676654,1676709,1676842,1677096,1677143-1677146,1677149,1677151,1677153-1677
>> 156,1677159,1677339,1677462,1677702,1677830,1677832,1677834-1677835,1678763,1679032,1679181-1679182,1679192,1679428,1679432,1679470,1679620,1679712,1680276,1680895,1680900,1680942,1681037,1681424,1681440,1681685,1681694,1681795,1682482,1682816,1682819,1682907,1682923,1682937,1682979,1682988,1683044,1683047,1683123,1683881,1683884,1684057,1684171,1684636,1684900,1685069,1685339,1685345,1685347,1685349-1685350,1685650,1685659,1685779,1686085,1686853,1686856,1687539,1687680,1687980,1688274,1688331,1688339-1688341,1688343,1688399,1688474-1688475,1688536,1688538,1688660,1689325,1689605,1689694,1689698,1690120,1690137,1690248,1691374,1691582,1691592,1691819,1691908,1692285,1692432,1692486,1692516,1693792,1693918-1693919,1693963,1694903,1694936,1694950-1694951,1695170,1695727,1695874,1695885,1695920,1696105,1696264,1696266,1696279,1696428,1696442,1696565,1696592,1696607,1696755,1696881,1697013,1697015,1697051,1697323,1697339,1697370,1697389,1697446,1697543,1697634,1697855,1698023,1698103,1
>> 698107,1698116,1698133,1698330,1698334,1700271,1700275,1700317-1700322,1700326,1700328,1700330-1700332,1700334,1700336,1700338,1700418,1700514,1700777,1700851,1700917,1700925,1700968,1701005,1701145,1701178,1701204,1701347,1701436,1701545,1701717,1702643,1702919,1702948,1703152,1703241,1703248,1703417,1703642,1703807,1703813,1703822,1703871,1703902,1703952,1704099,1704241,1704262,1704797,1704799,1704826,1705099,1705134,1705194,1705217,1705257,1705749,1705776,1705823,1705826,1705828,1705833,1705922,1705983,1706275,1706523,1706595,1706627,1706635,1706637,1706640,1706918,1706942,1706989,1707002,1707230-1707231,1707497,1707512,1707519,1707591,1707626-1707627,1707640,1707831,1707883,1707889,1708107,1709008,1709587,1709596,1709602,1709995,1710095,1710105,1710231,1710380,1710391,1710403,1710419,1710572,1710583,1710723,1711479,1711553,1711648,1711728,1711902,1712382,1713040,1713043,1713209,1713937,1715023,1715255,1715273,1715567-1715568,1715570-1715572,1715576,1715581-1715585,1715886,171621
>> 1,1716388,1716460,1716487,1716660,1716940,1717063,1717086,1717639,1717816,1717934,1717958,1717975,1717985,1718314,1718338,1718400,1718476,1718496,1718514,1718556,1718569,1718598,1719016,1719018,1719189-1719190,1719252,1719254-1719255,1719257,1719967,1720129,1720996,1721313,1721685,1721899,1722137,1722154,1722177,1722195,1722229,1722320,1722328,1722334,1722350-1722351,1722358,1722377,1722572,1722701,1723122,1723143,1723284,1723295,1723522,1723567,1723953,1724847,1724857,1724879,1724992-1724993,1724995,1725018,1725031,1725090,1725120,1725149,1725325,1725328,1725387,1725392,1725394-1725395,1725445,1725468,1725485,1725489,1725498-1725499,1725516,1725523,1725545,1725567,1725581,1725602,1725822,1725940,1725967,1726009,1726026,1726038,1726049,1726051-1726052,1726055,1726086,1726167,1726233,1726675,1726705,1726798,1726881,1726888,1727071,1727111,1727317,1727544,1727573,1727603,1727842,1728326,1728804,1729208,1729235,1729374,1729376,1729826,1729847,1729929-1729931,1729960,1730079,1730297,173
>> 0640,1730723,1730865,1731929,1732228,1732252,1732353,1732369,1732716,1732954,1732986,1733056,1733064,1733068,1733088-1733089,1733275,1733523,1733537-1733538,1733691,1734006,1734125,1734239,1734294,1734412,1734561,1734635,1734807,1734817,1734947,1734955,1734989,1735088,1735159,1735337,1735608-1735609,1735611,1735668,1735786,1735891,1735906,1735931,1735935,1735942,1735952,1736156,1736186,1736243,1736250,1736463,1736681,1736686,1737006,1737014,1737020-1737021,1737102,1737114,1737125,1737254,1737256,1737265,1737447,1737449,1737451,1737476,1738217,1738331,1738333,1738464,1738466,1738486,1738563,1738628,1738631,1738633,1738635,1739008,1739146,1739151,1739193,1739201,1739303,1739312,1739738,1739932,1740075,1740084,1740108,1740110,1740155,1740735,1740910,1740928,1740960,1740967,1740987,1740998,1741045,1741065,1741112,1741115,1741268,1741277,1741310,1741392,1741414,1741446,1741461,1741557,1741564,1741570,1741596,1741621,1741648,1741934,1742005,1742135,1742260,1742359,1742444-1742447,1742460,
>> 1742697,1742791-1742792,1743335,1743512,1743517,1743699,1743788,1743816,1744203-1744204,1744206,1744283,1744415,1744421,1744458-1744459,1744712,1744751,1744767,1744778,1744980,1745034,1745039,1745175,1745767,1745835,1745863-1745864,1746207,1746647,1746988,1747170,1747469,1747531,1747550,1747735,1747808,1747810,1747946,1748047,1748155,1748368,1748448,1748531,1748653,1748888,1749151,1749401-1749404,1749505,1749658-1749659,1749676,1749678,1749695,1749924-1749925,1750043,1750218,1750335,1750392,1750407,1750412,1750416,1750420,1750474,1750494,1750507-1750508,1750553,1750567,1750750,1750779,1750854-1750855,1750947,1750955,1750960,1751970,1752087,1752096,1752145,1752331-1752333,1752347,1752415,1753167,1753224,1753228-1753229,1753257,1753315-1753316,1753498,1753541,1753592,1753594,1753777,1754129,1754164,1754391,1754399,1754414,1754534,1755323,1756038,1756542,1756553,1756611,1756631,1756844,1756846,1756848,1756852-1756853,1756976,1757009-1757011,1757029-1757031,1757061,1757147,1757524,17575
>> 34,1757540,1757662-1757663,1757985,1758003,1758083,1758307-1758311,1758446,1758558,1759415,1759984,1760018,1761434,1761477,1761479,1761548,1761714,1761824,1762512,1762515,1762517,1762580,1762701-1762703,1762718,1762723,1762742-1762743,1763158,1763246,1763613,1764005,1764040,1764046,1764236,1764243,1764255,1765318,1765328,1765357,1765420,1766097,1766129,1766160,1766308,1766424,1766691,1766851,1766857,1766998,1767128,1767180-1767181,1767553,1767564,1767803,1767936,1768160,1768245,1769192,1769332,1769550,1769593,1769596,1769600,1769718,1770395,1770750,1770752,1770768,1770771,1770828,1770951,1770998,1771001,1771015,1771789,1771791,1771827,1772339,1772489,1772504,1772576,1772812-1772813,1772919,1773159,1773162,1773293,1773346,1773397,1773761,1773779,1773812,1773861-1773862,1773865,1774008,1774018,1774023,1774068-1774069,1774286,1774288,1774538,1774541,1774602,1774609,1775173,1775195,1775199,1775487,1775664,1775770,1775775,1775813,1775833,1775858,1775944,1775946,1776458-1776459,1776463,17
>> 76575,1776578,1776624,1776627,1776674,1776734-1776735,1776738,1776740,1776956,1777160,1777324,1777354,1777460,1777556-1777557,1777593-1777594,1777672,1777923,1778268,1778319,1778331,1778350,1778630,1779077,1779091,1779111,1779354,1779459,1779525,1779528,1779573-1779574,1779623,1779699,1779738,1779743,1779896,1779972,1779979,1780095,1780159,1780308,1780328-1780329,1780576,1780596,1780598,1780725,1780971,1781030-1781031,1781187,1781190,1781304,1781312-1781313,1781324,1781328-1781329,1781509,1781516,1781575,1781577,1781580,1781687,1781701,1782164,1782166,1782193-1782194,1782323,1782418-1782419,1782482,1782532,1782875,1782944,1782958,1782975,1783056,1783305,1783722-1783723,1783764-1783765,1783770,1783842,1783849,1784002,1784203,1784205,1784227-1784228,1784275,1784318,1784366,1784372,1784571,1785115,1785672,1785683,1785752-1785753,1785871,1785907,1785943,1786009,1786110,1786119,1786512,1786575-1786576,1786715,1787051,1787053,1787141,1787525,1787553,1787604,1788032-1788033,1788040,1788430
>> ,1788451,1788508,1788672,1788674,1788981,1788996,1788998,1789000,1789220-1789221,1789224,1789276,1789279,1789387,1789395,1789520,1789535,1789692,1789740,1789800,1790102,1790113,1790169,1790284,1790457,1790691,1790754,1790826-1790827,1790842,1790850,1790852-1790853,1790855,1790860,1790973,1790978,1791377,1791388,1791400,1791669,1791773,1791790,1791975,1792092,1792195,1792212,1792589,1792675,1793525,1793533,1793932,1794049,1795635,1795651,1795830,1795834,1795931,1796343,1796348,1796350,1796446,1796493,1796864,1797550,1797745,1797844,1798785,1799341,1799435,1799437,1799784,1799786,1800126,1800173,1800306,1800393,1800594,1800689,1800788,1800809,1800815,1800817,1800819,1800830,1800833,1800917,1800919,1800978,1801143-1801144,1801148,1801456,1801594,1801665,1801994-1801995,1802040,1802305,1802309,1802336,1802535,1802618,1802845,1802875,1803392,1803396,1803398,1803420,1803454,1804090,1804096,1804530-1804531,1804542,1804545,1804671,1804759,1804787,1804975,1805099,1805163,1805180,1805188,1805
>> 190,1805192,1805194-1805195,1805206,1805256,1805294,1805322,1805373,1805490,1806939,1806985,1807228,1807238,1807347,1807577,1807593,1807655,1807774,1807777,1807876,1808005,1808008,1808014,1808085,1808092,1808100,1808230,1808241-1808243,1808249,1808444,1808671,1808723,1808746,1808780,1809028,1809135,1809209,1809273,1809302-1809303,1809305,1809311,1809314,1809713,1809719,1809881,1809888,1809973,1809976,1809981,1810088-1810089,1810358,1810362-1810363,1810365,1810447,1810723,1811082,1811192,1811285,1811540-1811541,1811569-1811570,1811649,1811664,1811744,1811812,1811976,1812004,1812075,1812193,1812263,1812301,1812307,1812332,1812517-1812518,1812756,1812999,1813116,1813642-1813643,1813991,1814118,1814465,1814719-1814720,1814939,1814968,1815004-1815005,1815078,1815264,1815370,1815483,1816055,1816110,1816154,1816156,1816179,1816534,1816552,1816558,1816619,1816919,1816922,1816970,1817023,1817131,1817175,1817598,1817777,1817785,1818013,1818040,1818120,1818122,1818278-1818280,1818308,1818624,1
>> 818725,1818792,1818802,1818804,1818825,1818849,1818924,1818951,1818958,1818960,1819027,1819214,1819847-1819848,1819852-1819853,1819855,1819969-1819970,1820035,1820101,1820464,1820808-1820809,1821095,1821371,1821374,1821504-1821505,1821558,1821561-1821562,1821595,1821624-1821627,1821629,1821632,1821635,1821639,1821644,1821647-1821651,1821659-1821660,1821767,1822305,1822366-1822367,1822502-1822503,1822509,1822511,1822537,1822624,1822849,1822858,1822878-1822879,1822883,1822931,1823047,1823179,1823412,1823415-1823416,1823482,1823564,1823572,1823575,1823886,1824176,1824303,1824332,1824336,1824343,1824381,1824390,1824454,1824460,1824463-1824464,1824482,1824497,1824811,1824862,1824877,1824973,1825147,1825169,1825368,1825370,1825467,1825504,1826207,1826556,1826686-1826687,1826845,1826847,1826973,1826995,1827001,1827166,1827196,1827362,1827366,1827374,1827599,1827604,1827654,1827671,1827783,1827865,1827912,1827924,1827992,1828210,1828222,1828232,1828390,1828485,1828493,1828669,1828687,182872
>> 0,1828723,1828790-1828792,1828879,1828890,1828912,1828920,1828926-1828927,1829038-1829039,1829513,1829557,1829573,1829645,1829657,1830523,1830562,1830744,1830746,1830943-1830944,1831231,1831591,1831772,1831800,1832198,1832200,1832277,1832280,1832317,1832351,1832500,1832580-1832581,1832934,1832937,1832951,1832991,1833014,1833588-1833589,1833827,1833875-1833876,1834012-1834013,1834209,1834226,1834318,1834470,1835094,1835118,1835287,1836095,1836154,1836276,1836287,1836381-1836383,1836386,1836469,1836603,1837130,1837357,1837588-1837590,1837595,1838937,1839780,1839920,1839946,1840010,1840582,1840585,1840710,1840776,1841218
>>
>> Modified: httpd/httpd/branches/2.4.x/CHANGES
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
>> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 21 12:14:05 2018
>> @@ -1,6 +1,19 @@
>> -*- coding: utf-8 -*-
>> Changes with Apache 2.4.36
>>
>> + *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9.
>> + SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
>> + Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
>> + Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
>> + as this would need to trigger the master connection thread - which we do not support
>> + right now.
>> + Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
>> + does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
>> + TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
>> + Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they
>> + can match their needs onto the TLSv1.3 protocol.
>> + [Yann Ylavic, Stefan Eissing]
>> +
>> *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
>> should be accepted after the authorization scheme. \t are also tolerated.
>> [Christophe Jaillet]
>>
>> Modified: httpd/httpd/branches/2.4.x/STATUS
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 21 12:14:05 2018
>> @@ -124,26 +124,6 @@ RELEASE SHOWSTOPPERS:
>> PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>> [ start all new proposals below, under PATCHES PROPOSED. ]
>>
>> - *) Add TLSv1.3 support to mod_ssl:
>> - trunk: http://svn.apache.org/r1839946
>> - http://svn.apache.org/r1839920
>> - http://svn.apache.org/r1833589
>> - http://svn.apache.org/r1833588
>> - http://svn.apache.org/r1828723
>> - http://svn.apache.org/r1828720
>> - http://svn.apache.org/r1828222
>> - http://svn.apache.org/r1827992
>> - http://svn.apache.org/r1827924
>> - http://svn.apache.org/r1827912
>> - http://svn.apache.org/r1828790
>> - http://svn.apache.org/r1828791
>> - http://svn.apache.org/r1828792
>> - http://svn.apache.org/r1840585
>> - http://svn.apache.org/r1840710
>> - http://svn.apache.org/r1841218
>> - 2.4.x branch: svn merge ^/httpd/httpd/branches/tlsv1.3-for-2.4.x
>> - +1: icing, jorton, minfrin (tested on openssl-1.0.2j and openssl-1.1.1)
>> -
>>
>>
>> PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>>
>> Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
>> +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Fri Sep 21 12:14:05 2018
>> @@ -654,6 +654,11 @@ The available (case-insensitive) <em>pro
>> A revision of the TLS 1.1 protocol, as defined in
>> <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
>>
>> +<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later)
>> + <p>
>> + A new version of the TLS protocol, as defined in
>> + <a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li>
>> +
>> <li><code>all</code>
>> <p>
>> This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
>> @@ -674,7 +679,7 @@ SSLProtocol TLSv1
>> <name>SSLCipherSuite</name>
>> <description>Cipher Suite available for negotiation in SSL
>> handshake</description>
>> -<syntax>SSLCipherSuite <em>cipher-spec</em></syntax>
>> +<syntax>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
>> <default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
>> <contextlist><context>server config</context>
>> <context>virtual host</context>
>> @@ -686,12 +691,25 @@ handshake</description>
>> <p>
>> This complex directive uses a colon-separated <em>cipher-spec</em> string
>> consisting of OpenSSL cipher specifications to configure the Cipher Suite the
>> -client is permitted to negotiate in the SSL handshake phase. Notice that this
>> -directive can be used both in per-server and per-directory context. In
>> -per-server context it applies to the standard SSL handshake when a connection
>> +client is permitted to negotiate in the SSL handshake phase. The optional
>> +protocol specifier can configure the Cipher Suite for a specific SSL version.
>> +Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2.
>> +<p>
>> +Notice that this
>> +directive can be used both in per-server and per-directory context.
>> +In per-server context it applies to the standard SSL handshake when a connection
>> is established. In per-directory context it forces a SSL renegotiation with the
>> reconfigured Cipher Suite after the HTTP request was read but before the HTTP
>> -response is sent.</p>
>> +response is sent. (Since renegotiation is not</p>
>> +<p>
>> +If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol
>> +specifier "TLSv1.3" can be used to configure the cipher suites for that protocol.
>> +Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in
>> +a directory context is not allowed.</p>
>> +<p>
>> +For a list of TLSv1.3 cipher names, see
>> +<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL
>> +documentation</a>.</p>
>> <p>
>> An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
>> attributes plus a few extra minor ones:</p>
>> @@ -2063,7 +2081,7 @@ for additional information.
>> <name>SSLProxyCipherSuite</name>
>> <description>Cipher Suite available for negotiation in SSL
>> proxy handshake</description>
>> -<syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax>
>> +<syntax>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
>> <default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default>
>> <contextlist><context>server config</context> <context>virtual host</context>
>> <context>proxy section</context></contextlist>
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
>> +++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Fri Sep 21 12:14:05 2018
>> @@ -93,9 +93,9 @@ static const command_rec ssl_config_cmds
>> SSL_CMD_SRV(FIPS, FLAG,
>> "Enable FIPS-140 mode "
>> "(`on', `off')")
>> - SSL_CMD_ALL(CipherSuite, TAKE1,
>> - "Colon-delimited list of permitted SSL Ciphers "
>> - "('XXX:...:XXX' - see manual)")
>> + SSL_CMD_ALL(CipherSuite, TAKE12,
>> + "Colon-delimited list of permitted SSL Ciphers, optional preceeded "
>> + "by protocol identifier ('XXX:...:XXX' - see manual)")
>> SSL_CMD_SRV(CertificateFile, TAKE1,
>> "SSL Server Certificate file "
>> "('/path/to/file' - PEM or DER encoded)")
>> @@ -185,9 +185,9 @@ static const command_rec ssl_config_cmds
>> SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
>> "SSL Proxy: enable or disable SSL protocol flavors "
>> "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
>> - SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
>> + SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
>> "SSL Proxy: colon-delimited list of permitted SSL ciphers "
>> - "('XXX:...:XXX' - see manual)")
>> + ", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)")
>> SSL_CMD_PXY(ProxyVerify, TAKE1,
>> "SSL Proxy: whether to verify the remote certificate "
>> "('on' or 'off')")
>> @@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_
>> /* We must register the library in full, to ensure our configuration
>> * code can successfully test the SSL environment.
>> */
>> -#if MODSSL_USE_OPENSSL_PRE_1_1_API
>> +#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
>> (void)CRYPTO_malloc_init();
>> #else
>> OPENSSL_malloc_init();
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
>> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Fri Sep 21 12:14:05 2018
>> @@ -136,6 +136,7 @@ static void modssl_ctx_init(modssl_ctx_t
>> mctx->auth.cipher_suite = NULL;
>> mctx->auth.verify_depth = UNSET;
>> mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
>> + mctx->auth.tls13_ciphers = NULL;
>>
>> mctx->ocsp_mask = UNSET;
>> mctx->ocsp_force_default = UNSET;
>> @@ -280,6 +281,7 @@ static void modssl_ctx_cfg_merge(apr_poo
>> cfgMergeString(auth.cipher_suite);
>> cfgMergeInt(auth.verify_depth);
>> cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
>> + cfgMergeString(auth.tls13_ciphers);
>>
>> cfgMergeInt(ocsp_mask);
>> cfgMergeBool(ocsp_force_default);
>> @@ -761,22 +763,37 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
>>
>> const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
>> void *dcfg,
>> - const char *arg)
>> + const char *arg1, const char *arg2)
>> {
>> SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
>> SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
>>
>> - /* always disable null and export ciphers */
>> - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
>> -
>> - if (cmd->path) {
>> - dc->szCipherSuite = arg;
>> + if (arg2 == NULL) {
>> + arg2 = arg1;
>> + arg1 = "SSL";
>> }
>> - else {
>> - sc->server->auth.cipher_suite = arg;
>> +
>> + if (!strcmp("SSL", arg1)) {
>> + /* always disable null and export ciphers */
>> + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
>> + if (cmd->path) {
>> + dc->szCipherSuite = arg2;
>> + }
>> + else {
>> + sc->server->auth.cipher_suite = arg2;
>> + }
>> + return NULL;
>> }
>> -
>> - return NULL;
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + else if (!strcmp("TLSv1.3", arg1)) {
>> + if (cmd->path) {
>> + return "TLSv1.3 ciphers cannot be set inside a directory context";
>> + }
>> + sc->server->auth.tls13_ciphers = arg2;
>> + return NULL;
>> + }
>> +#endif
>> + return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
>> }
>>
>> #define SSL_FLAGS_CHECK_FILE \
>> @@ -1445,6 +1462,9 @@ static const char *ssl_cmd_protocol_pars
>> else if (strcEQ(w, "TLSv1.2")) {
>> thisopt = SSL_PROTOCOL_TLSV1_2;
>> }
>> + else if (SSL_HAVE_PROTOCOL_TLSV1_3 && strcEQ(w, "TLSv1.3")) {
>> + thisopt = SSL_PROTOCOL_TLSV1_3;
>> + }
>> #endif
>> else if (strcEQ(w, "all")) {
>> thisopt = SSL_PROTOCOL_ALL;
>> @@ -1506,16 +1526,28 @@ const char *ssl_cmd_SSLProxyProtocol(cmd
>>
>> const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
>> void *dcfg,
>> - const char *arg)
>> + const char *arg1, const char *arg2)
>> {
>> SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
>> -
>> - /* always disable null and export ciphers */
>> - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
>> -
>> - dc->proxy->auth.cipher_suite = arg;
>> -
>> - return NULL;
>> +
>> + if (arg2 == NULL) {
>> + arg2 = arg1;
>> + arg1 = "SSL";
>> + }
>> +
>> + if (!strcmp("SSL", arg1)) {
>> + /* always disable null and export ciphers */
>> + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
>> + dc->proxy->auth.cipher_suite = arg2;
>> + return NULL;
>> + }
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + else if (!strcmp("TLSv1.3", arg1)) {
>> + dc->proxy->auth.tls13_ciphers = arg2;
>> + return NULL;
>> + }
>> +#endif
>> + return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
>> }
>>
>> const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
>> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Fri Sep 21 12:14:05 2018
>> @@ -568,6 +568,9 @@ static apr_status_t ssl_init_ctx_protoco
>> #ifdef HAVE_TLSV1_X
>> (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
>> (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + (protocol & SSL_PROTOCOL_TLSV1_3 ? "TLSv1.3, " : ""),
>> +#endif
>> #endif
>> NULL);
>> cp[strlen(cp)-2] = NUL;
>> @@ -600,6 +603,13 @@ static apr_status_t ssl_init_ctx_protoco
>> TLSv1_2_client_method() : /* proxy */
>> TLSv1_2_server_method(); /* server */
>> }
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + else if (protocol == SSL_PROTOCOL_TLSV1_3) {
>> + method = mctx->pkp ?
>> + TLSv1_3_client_method() : /* proxy */
>> + TLSv1_3_server_method(); /* server */
>> + }
>> +#endif
>> #endif
>> else { /* For multiple protocols, we need a flexible method */
>> method = mctx->pkp ?
>> @@ -617,7 +627,8 @@ static apr_status_t ssl_init_ctx_protoco
>>
>> SSL_CTX_set_options(ctx, SSL_OP_ALL);
>>
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
>> + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
>> /* always disable SSLv2, as per RFC 6176 */
>> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
>>
>> @@ -639,10 +650,19 @@ static apr_status_t ssl_init_ctx_protoco
>> if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
>> SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
>> }
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
>> + protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
>> +#endif
>> #endif
>>
>> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
>> /* We first determine the maximum protocol version we should provide */
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
>> + prot = TLS1_3_VERSION;
>> + } else
>> +#endif
>> if (protocol & SSL_PROTOCOL_TLSV1_2) {
>> prot = TLS1_2_VERSION;
>> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
>> @@ -664,6 +684,11 @@ static apr_status_t ssl_init_ctx_protoco
>>
>> /* Next we scan for the minimal protocol version we should provide,
>> * but we do not allow holes between max and min */
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
>> + prot = TLS1_2_VERSION;
>> + }
>> +#endif
>> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
>> prot = TLS1_1_VERSION;
>> }
>> @@ -736,6 +761,13 @@ static apr_status_t ssl_init_ctx_protoco
>> SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
>> #endif
>>
>> +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
>> + /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible
>> + * to consume handshake records without blocking for app-data.
>> + * https://github.com/openssl/openssl/issues/7178 */
>> + SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
>> +#endif
>> +
>> return APR_SUCCESS;
>> }
>>
>> @@ -888,7 +920,15 @@ static apr_status_t ssl_init_ctx_cipher_
>> ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>> return ssl_die(s);
>> }
>> -
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + if (mctx->auth.tls13_ciphers
>> + && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
>> + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
>> + "Unable to configure permitted TLSv1.3 ciphers");
>> + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>> + return ssl_die(s);
>> + }
>> +#endif
>> return APR_SUCCESS;
>> }
>>
>> @@ -1452,6 +1492,13 @@ static apr_status_t ssl_init_proxy_certs
>> X509_STORE_CTX *sctx;
>> X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
>>
>> +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
>> + /* For OpenSSL >=1.1.1, turn on client cert support which is
>> + * otherwise turned off by default (by design).
>> + * https://github.com/openssl/openssl/issues/6933 */
>> + SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
>> +#endif
>> +
>> SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
>> ssl_callback_proxy_cert);
>>
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
>> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Fri Sep 21 12:14:05 2018
>> @@ -188,6 +188,12 @@ static int ssl_auth_compatible(modssl_au
>> || strcmp(a1->cipher_suite, a2->cipher_suite))) {
>> return 0;
>> }
>> + /* both have the same ca cipher suite string */
>> + if ((a1->tls13_ciphers != a2->tls13_ciphers)
>> + && (!a1->tls13_ciphers || !a2->tls13_ciphers
>> + || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
>> + return 0;
>> + }
>> return 1;
>> }
>>
>> @@ -424,87 +430,70 @@ static void ssl_configure_env(request_re
>> }
>> }
>>
>> -/*
>> - * Access Handler
>> - */
>> -int ssl_hook_Access(request_rec *r)
>> +static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc,
>> + SSLDirConfigRec *dc, SSLConnRec *sslconn,
>> + SSL *ssl)
>> {
>> - SSLDirConfigRec *dc = myDirConfig(r);
>> - SSLSrvConfigRec *sc = mySrvConfig(r->server);
>> - SSLConnRec *sslconn = myConnConfig(r->connection);
>> - SSL *ssl = sslconn ? sslconn->ssl : NULL;
>> - server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
>> - SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
>> - SSL_CTX *ctx = NULL;
>> - apr_array_header_t *requires;
>> - ssl_require_t *ssl_requires;
>> - int ok, i;
>> - BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
>> X509 *cert;
>> - X509 *peercert;
>> - X509_STORE *cert_store = NULL;
>> - X509_STORE_CTX *cert_store_ctx;
>> - STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
>> - const SSL_CIPHER *cipher = NULL;
>> - int depth, verify_old, verify, n, is_slave = 0;
>> - const char *ncipher_suite;
>> -
>> - /* On a slave connection, we do not expect to have an SSLConnRec, but
>> - * our master connection might have one. */
>> - if (!(sslconn && ssl) && r->connection->master) {
>> - sslconn = myConnConfig(r->connection->master);
>> - ssl = sslconn ? sslconn->ssl : NULL;
>> - handshakeserver = sslconn ? sslconn->server : NULL;
>> - hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
>> - is_slave = 1;
>> - }
>>
>> - if (ssl) {
>> - /*
>> - * We should have handshaken here (on handshakeserver),
>> - * otherwise we are being redirected (ErrorDocument) from
>> - * a renegotiation failure below. The access is still
>> - * forbidden in the latter case, let ap_die() handle
>> - * this recursive (same) error.
>> - */
>> - if (!SSL_is_init_finished(ssl)) {
>> - return HTTP_FORBIDDEN;
>> + /*
>> + * Remember the peer certificate's DN
>> + */
>> + if ((cert = SSL_get_peer_certificate(ssl))) {
>> + if (sslconn->client_cert) {
>> + X509_free(sslconn->client_cert);
>> }
>> - ctx = SSL_get_SSL_CTX(ssl);
>> + sslconn->client_cert = cert;
>> + sslconn->client_dn = NULL;
>> }
>> -
>> +
>> /*
>> - * Support for SSLRequireSSL directive
>> + * Finally check for acceptable renegotiation results
>> */
>> - if (dc->bSSLRequired && !ssl) {
>> - if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) {
>> - /* This vhost was configured for optional SSL, just tell the
>> - * client that we need to upgrade.
>> - */
>> - apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
>> - apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
>> + if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
>> + (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
>> + BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
>> + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
>> +
>> + if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
>> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
>> + "Re-negotiation handshake failed: "
>> + "Client verification failed");
>>
>> - return HTTP_UPGRADE_REQUIRED;
>> + return HTTP_FORBIDDEN;
>> }
>>
>> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
>> - "access to %s failed, reason: %s",
>> - r->filename, "SSL connection required");
>> -
>> - /* remember forbidden access for strict require option */
>> - apr_table_setn(r->notes, "ssl-access-forbidden", "1");
>> + if (do_verify) {
>> + if (cert == NULL) {
>> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
>> + "Re-negotiation handshake failed: "
>> + "Client certificate missing");
>>
>> - return HTTP_FORBIDDEN;
>> + return HTTP_FORBIDDEN;
>> + }
>> + }
>> }
>> + return OK;
>> +}
>>
>> - /*
>> - * Check to see whether SSL is in use; if it's not, then no
>> - * further access control checks are relevant. (the test for
>> - * sc->enabled is probably strictly unnecessary)
>> - */
>> - if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
>> - return DECLINED;
>> - }
>> +/*
>> + * Access Handler, classic flavour, for SSL/TLS up to v1.2
>> + * where everything can be renegotiated and no one is happy.
>> + */
>> +static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
>> + SSLConnRec *sslconn, SSL *ssl)
>> +{
>> + server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
>> + SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
>> + SSL_CTX *ctx = NULL;
>> + BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
>> + X509 *peercert;
>> + X509_STORE *cert_store = NULL;
>> + X509_STORE_CTX *cert_store_ctx;
>> + STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
>> + const SSL_CIPHER *cipher = NULL;
>> + int depth, verify_old, verify, n, rc;
>> + const char *ncipher_suite;
>>
>> #ifdef HAVE_SRP
>> /*
>> @@ -581,7 +570,7 @@ int ssl_hook_Access(request_rec *r)
>> }
>>
>> /* configure new state */
>> - if (is_slave) {
>> + if (r->connection->master) {
>> /* TODO: this categorically fails changed cipher suite settings
>> * on slave connections. We could do better by
>> * - create a new SSL* from our SSL_CTX and set cipher suite there,
>> @@ -659,7 +648,7 @@ int ssl_hook_Access(request_rec *r)
>> }
>>
>> if (renegotiate) {
>> - if (is_slave) {
>> + if (r->connection->master) {
>> /* The request causes renegotiation on a slave connection.
>> * This is not allowed since we might have concurrent requests
>> * on this connection.
>> @@ -732,7 +721,7 @@ int ssl_hook_Access(request_rec *r)
>> (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
>> {
>> renegotiate = TRUE;
>> - if (is_slave) {
>> + if (r->connection->master) {
>> /* The request causes renegotiation on a slave connection.
>> * This is not allowed since we might have concurrent requests
>> * on this connection.
>> @@ -883,6 +872,7 @@ int ssl_hook_Access(request_rec *r)
>>
>> if (renegotiate_quick) {
>> STACK_OF(X509) *cert_stack;
>> + X509 *cert;
>>
>> /* perform just a manual re-verification of the peer */
>> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02258)
>> @@ -1035,43 +1025,10 @@ int ssl_hook_Access(request_rec *r)
>> }
>>
>> /*
>> - * Remember the peer certificate's DN
>> - */
>> - if ((cert = SSL_get_peer_certificate(ssl))) {
>> - if (sslconn->client_cert) {
>> - X509_free(sslconn->client_cert);
>> - }
>> - sslconn->client_cert = cert;
>> - sslconn->client_dn = NULL;
>> - }
>> -
>> - /*
>> * Finally check for acceptable renegotiation results
>> */
>> - if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
>> - (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
>> - BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
>> - (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
>> -
>> - if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
>> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
>> - "Re-negotiation handshake failed: "
>> - "Client verification failed");
>> -
>> - return HTTP_FORBIDDEN;
>> - }
>> -
>> - if (do_verify) {
>> - if ((peercert = SSL_get_peer_certificate(ssl)) == NULL) {
>> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
>> - "Re-negotiation handshake failed: "
>> - "Client certificate missing");
>> -
>> - return HTTP_FORBIDDEN;
>> - }
>> -
>> - X509_free(peercert);
>> - }
>> + if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
>> + return rc;
>> }
>>
>> /*
>> @@ -1094,6 +1051,215 @@ int ssl_hook_Access(request_rec *r)
>> }
>> }
>>
>> + return DECLINED;
>> +}
>> +
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> +/*
>> + * Access Handler, modern flavour, for SSL/TLS v1.3 and onward.
>> + * Only client certificates can be requested, everything else stays.
>> + */
>> +static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
>> + SSLConnRec *sslconn, SSL *ssl)
>> +{
>> + if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
>> + (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
>> + int vmode_inplace, vmode_needed;
>> + int change_vmode = FALSE;
>> + int old_state, n, rc;
>> +
>> + vmode_inplace = SSL_get_verify_mode(ssl);
>> + vmode_needed = SSL_VERIFY_NONE;
>> +
>> + if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
>> + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
>> + vmode_needed |= SSL_VERIFY_PEER_STRICT;
>> + }
>> +
>> + if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
>> + (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
>> + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
>> + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
>> + {
>> + vmode_needed |= SSL_VERIFY_PEER;
>> + }
>> +
>> + if (vmode_needed == SSL_VERIFY_NONE) {
>> + return DECLINED;
>> + }
>> +
>> + vmode_needed |= SSL_VERIFY_CLIENT_ONCE;
>> + if (vmode_inplace != vmode_needed) {
>> + /* Need to change, if new setting is more restrictive than existing one */
>> +
>> + if ((vmode_inplace == SSL_VERIFY_NONE)
>> + || (!(vmode_inplace & SSL_VERIFY_PEER)
>> + && (vmode_needed & SSL_VERIFY_PEER))
>> + || (!(vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
>> + && (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
>> + /* need to change the effective verify mode */
>> + change_vmode = TRUE;
>> + }
>> + else {
>> + /* FIXME: does this work with TLSv1.3? Is this more than re-inspecting
>> + * the certificate we should already have? */
>> + /*
>> + * override of SSLVerifyDepth
>> + *
>> + * The depth checks are handled by us manually inside the
>> + * verify callback function and not by OpenSSL internally
>> + * (and our function is aware of both the per-server and
>> + * per-directory contexts). So we cannot ask OpenSSL about
>> + * the currently verify depth. Instead we remember it in our
>> + * SSLConnRec attached to the SSL* of OpenSSL. We've to force
>> + * the renegotiation if the reconfigured/new verify depth is
>> + * less than the currently active/remembered verify depth
>> + * (because this means more restriction on the certificate
>> + * chain).
>> + */
>> + n = (sslconn->verify_depth != UNSET)?
>> + sslconn->verify_depth : sc->server->auth.verify_depth;
>> + /* determine the new depth */
>> + sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
>> + ? dc->nVerifyDepth
>> + : sc->server->auth.verify_depth;
>> + if (sslconn->verify_depth < n) {
>> + change_vmode = TRUE;
>> + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
>> + "Reduced client verification depth will "
>> + "force renegotiation");
>> + }
>> + }
>> + }
>> +
>> + if (change_vmode) {
>> + char peekbuf[1];
>> +
>> + if (r->connection->master) {
>> + /* FIXME: modifying the SSL on a slave connection is no good.
>> + * We would need to push this back to the master connection
>> + * somehow.
>> + */
>> + apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
>> + return HTTP_FORBIDDEN;
>> + }
>> +
>> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() "verify client post handshake");
>> +
>> + SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
>> +
>> + if (SSL_verify_client_post_handshake(ssl) != 1) {
>> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
>> + "cannot perform post-handshake authentication");
>> + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
>> + apr_table_setn(r->notes, "error-notes",
>> + "Reason: Cannot perform Post-Handshake Authentication.<br />");
>> + return HTTP_FORBIDDEN;
>> + }
>> +
>> + old_state = sslconn->reneg_state;
>> + sslconn->reneg_state = RENEG_ALLOW;
>> + modssl_set_app_data2(ssl, r);
>> +
>> + SSL_do_handshake(ssl);
>> + /* Need to trigger renegotiation handshake by reading.
>> + * Peeking 0 bytes actually works.
>> + * See: http://marc.info/?t=145493359200002&r=1&w=2
>> + */
>> + SSL_peek(ssl, peekbuf, 0);
>> +
>> + sslconn->reneg_state = old_state;
>> + modssl_set_app_data2(ssl, NULL);
>> +
>> + /*
>> + * Finally check for acceptable renegotiation results
>> + */
>> + if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
>> + return rc;
>> + }
>> + }
>> + }
>> +
>> + return DECLINED;
>> +}
>> +#endif
>> +
>> +int ssl_hook_Access(request_rec *r)
>> +{
>> + SSLDirConfigRec *dc = myDirConfig(r);
>> + SSLSrvConfigRec *sc = mySrvConfig(r->server);
>> + SSLConnRec *sslconn = myConnConfig(r->connection);
>> + SSL *ssl = sslconn ? sslconn->ssl : NULL;
>> + apr_array_header_t *requires;
>> + ssl_require_t *ssl_requires;
>> + int ok, i, ret;
>> +
>> + /* On a slave connection, we do not expect to have an SSLConnRec, but
>> + * our master connection might have one. */
>> + if (!(sslconn && ssl) && r->connection->master) {
>> + sslconn = myConnConfig(r->connection->master);
>> + ssl = sslconn ? sslconn->ssl : NULL;
>> + }
>> +
>> + /*
>> + * We should have handshaken here, otherwise we are being
>> + * redirected (ErrorDocument) from a renegotiation failure below.
>> + * The access is still forbidden in the latter case, let ap_die() handle
>> + * this recursive (same) error.
>> + */
>> + if (ssl && !SSL_is_init_finished(ssl)) {
>> + return HTTP_FORBIDDEN;
>> + }
>> +
>> + /*
>> + * Support for SSLRequireSSL directive
>> + */
>> + if (dc->bSSLRequired && !ssl) {
>> + if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) {
>> + /* This vhost was configured for optional SSL, just tell the
>> + * client that we need to upgrade.
>> + */
>> + apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
>> + apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
>> +
>> + return HTTP_UPGRADE_REQUIRED;
>> + }
>> +
>> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
>> + "access to %s failed, reason: %s",
>> + r->filename, "SSL connection required");
>> +
>> + /* remember forbidden access for strict require option */
>> + apr_table_setn(r->notes, "ssl-access-forbidden", "1");
>> +
>> + return HTTP_FORBIDDEN;
>> + }
>> +
>> + /*
>> + * Check to see whether SSL is in use; if it's not, then no
>> + * further access control checks are relevant. (the test for
>> + * sc->enabled is probably strictly unnecessary)
>> + */
>> + if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
>> + return DECLINED;
>> + }
>> +
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + /* TLSv1.3+ is less complicated here. Branch off into a new codeline
>> + * and avoid messing with the past. */
>> + if (SSL_version(ssl) >= TLS1_3_VERSION) {
>> + ret = ssl_hook_Access_modern(r, sc, dc, sslconn, ssl);
>> + }
>> + else
>> +#endif
>> + {
>> + ret = ssl_hook_Access_classic(r, sc, dc, sslconn, ssl);
>> + }
>> +
>> + if (ret != DECLINED) {
>> + return ret;
>> + }
>> +
>> /* If we're trying to have the user name set from a client
>> * certificate then we need to set it here. This should be safe as
>> * the user name probably isn't important from an auth checking point
>> @@ -2078,31 +2244,43 @@ void ssl_callback_Info(const SSL *ssl, i
>> {
>> conn_rec *c;
>> server_rec *s;
>> - SSLConnRec *scr;
>>
>> /* Retrieve the conn_rec and the associated SSLConnRec. */
>> if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
>> return;
>> }
>>
>> - if ((scr = myConnConfig(c)) == NULL) {
>> - return;
>> - }
>> + /* With TLS 1.3 this callback may be called multiple times on the first
>> + * negotiation, so the below logic to detect renegotiations can't work.
>> + * Fortunately renegotiations are forbidden starting with TLS 1.3, and
>> + * this is enforced by OpenSSL so there's nothing to be done here.
>> + */
>> +#if SSL_HAVE_PROTOCOL_TLSV1_3
>> + if (SSL_version(ssl) < TLS1_3_VERSION)
>> +#endif
>> + {
>> + SSLConnRec *sslconn;
>> +
>> + if ((sslconn = myConnConfig(c)) == NULL) {
>> + return;
>> + }
>>
>> - /* If the reneg state is to reject renegotiations, check the SSL
>> - * state machine and move to ABORT if a Client Hello is being
>> - * read. */
>> - if (!scr->is_proxy &&
>> - (where & SSL_CB_HANDSHAKE_START) &&
>> - scr->reneg_state == RENEG_REJECT) {
>> - scr->reneg_state = RENEG_ABORT;
>> + /* If the reneg state is to reject renegotiations, check the SSL
>> + * state machine and move to ABORT if a Client Hello is being
>> + * read. */
>> + if (!sslconn->is_proxy &&
>> + (where & SSL_CB_HANDSHAKE_START) &&
>> + sslconn->reneg_state == RENEG_REJECT) {
>> + sslconn->reneg_state = RENEG_ABORT;
>> ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
>> "rejecting client initiated renegotiation");
>> - }
>> - /* If the first handshake is complete, change state to reject any
>> - * subsequent client-initiated renegotiation. */
>> - else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
>> - scr->reneg_state = RENEG_REJECT;
>> + }
>> + /* If the first handshake is complete, change state to reject any
>> + * subsequent client-initiated renegotiation. */
>> + else if ((where & SSL_CB_HANDSHAKE_DONE)
>> + && sslconn->reneg_state == RENEG_INIT) {
>> + sslconn->reneg_state = RENEG_REJECT;
>> + }
>> }
>>
>> s = mySrvFromConn(c);
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1841573&r1=1841572&r2=1841573&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
>> +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Fri Sep 21 12:14:05 2018
>> @@ -132,13 +132,14 @@
>> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
>> #define SSL_CTX_set_max_proto_version(ctx, version) \
>> SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
>> -#endif
>> -/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
>> - * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
>> - * we have to work around this...
>> +#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
>> +/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
>> + * include most changes from OpenSSL >= 1.1 (new functions, macros,
>> + * deprecations, ...), so we have to work around this...
>> */
>> #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
>> -#else
>> +#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
>> +#else /* defined(LIBRESSL_VERSION_NUMBER) */
>> #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
>> #endif
>>
>> @@ -238,7 +239,8 @@ void init_bio_methods(void);
>> void free_bio_methods(void);
>> #endif
>>
>> -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
>> +#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
>> + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
>> #define X509_STORE_CTX_get0_store(x) (x->ctx)
>> #endif
>>
>> @@ -372,8 +374,17 @@ typedef int ssl_opt_t;
>> #ifdef HAVE_TLSV1_X
>> #define SSL_PROTOCOL_TLSV1_1 (1<<3)
>> #define SSL_PROTOCOL_TLSV1_2 (1<<4)
>> +#define SSL_PROTOCOL_TLSV1_3 (1<<5)
>> +
>> +#ifdef SSL_OP_NO_TLSv1_3
>> +#define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
>> +#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
>> + SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
>> +#else
>> +#define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
>> #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
>> SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
>> +#endif
>> #else
>> #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
>> #endif
>> @@ -646,6 +657,11 @@ typedef struct {
>> /** for client or downstream server authentication */
>> int verify_depth;
>> ssl_verify_t verify_mode;
>> +
>> + /** TLSv1.3 has its separate cipher list, separate from the
>> + settings for older TLS protocol versions. Since which one takes
>> + effect is a matter of negotiation, we need separate settings */
>> + const char *tls13_ciphers;
>> } modssl_auth_ctx_t;
>>
>> #ifdef HAVE_TLS_SESSION_TICKETS
>> @@ -801,7 +817,7 @@ const char *ssl_cmd_SSLPassPhraseDialog
>> const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
>> const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
>> const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
>> -const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
>> +const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
>> const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
>> const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
>> const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
>> @@ -830,7 +846,7 @@ const char *ssl_cmd_SSLInsecureRenegotia
>>
>> const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
>> const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
>> -const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
>> +const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
>> const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
>> const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
>> const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
>>
>>
>
>