Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/07/08 15:14:09 UTC

svn commit: r1608759 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c

Author: jim
Date: Tue Jul  8 13:14:08 2014
New Revision: 1608759

URL: http://svn.apache.org/r1608759
Log:
Merge r1537535 from trunk:

For better compatibility with mod_nss:

* modules/ssl/ssl_engine_config.c (ssl_config_server_new): Default
  sc->enabled to UNSET.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Only override
  sc->enabled based on the protocol iff sc->enabled is UNSET; allows
  "SSLEngine off" to override the Listen-based default.

Submitted by: jorton
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1537535

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1608759&r1=1608758&r2=1608759&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Jul  8 13:14:08 2014
@@ -100,18 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
-     OCSP requests should use a nonce to be checked against the responder's
-     one. PR 56233.
-     trunk patch: http://svn.apache.org/r1583191
-                  http://svn.apache.org/r1584098
-                  http://svn.apache.org/r1584665 (manual: use 2.4's backport
-                                                  version instead of temporary
-                                                  2.5-dev <compatibility> ref)
-                  http://svn.apache.org/r1591401
-     2.4.x patch: https://people.apache.org/~ylavic/httpd-2.4.x-SSLOCSPUseRequestNonce+manual-2.4.10-v2.patch
-     +1: ylavic, kbrand, jorton
-
    * mod_proxy_http: Avoid useless functions calls.
      trunk patch: http://svn.apache.org/r1572561
      2.4.x patch: trunk works
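
Review bot: the removal of the SSLOCSPUseRequestNonce entry (PR 56233) at the top of this hunk is not covered by the log message, which describes only the merge of r1537535, and none of the modified files listed above carries that directive. If that backport was committed separately, its STATUS cleanup belongs with that commit or at least needs a line in this log; otherwise the entry should stay under PATCHES ACCEPTED.
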
@@ -124,13 +112,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.4.x patch: trunk works (modulo CHANGES)
      +1: ylavic, covener, jim
 
-   * mod_ssl: Improve compatibility with mod_nss; allow "SSLEngine off" to override
-              Listen-based default.
-     trunk patch: http://svn.apache.org/r1537535
-     2.4.x patch: trunk patch works
-     +1: jorton, trawick, , jim
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
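
Review bot: the mod_ssl entry removed in this hunk describes a change administrators will see ("SSLEngine off" now overrides the Listen-based default), yet the Modified list for this revision contains no CHANGES file. Add a CHANGES entry with the backport so that operators who relied on the https listener forcing SSL on can find the new precedence.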

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1608759&r1=1608758&r2=1608759&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Tue Jul  8 13:14:08 2014
@@ -203,7 +203,7 @@ static SSLSrvConfigRec *ssl_config_serve
     SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
 
     sc->mc                     = NULL;
-    sc->enabled                = SSL_ENABLED_FALSE;
+    sc->enabled                = SSL_ENABLED_UNSET;
     sc->proxy_enabled          = UNSET;
     sc->vhost_id               = NULL;  /* set during module init */
     sc->vhost_id_len           = 0;     /* set during module init */
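
Review bot: initialising sc->enabled to SSL_ENABLED_UNSET in ssl_config_server_new is only safe if every reader of the field that runs before ssl_init_Module, the server-config merge in particular, treats SSL_ENABLED_UNSET as "not configured"; that code is not part of this diff. Please confirm that the merge carries an explicit "SSLEngine off" through to ssl_init_Module and that no caller compares sc->enabled against SSL_ENABLED_FALSE while it can still be UNSET.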

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1608759&r1=1608758&r2=1608759&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Tue Jul  8 13:14:08 2014
@@ -117,13 +117,16 @@ apr_status_t ssl_init_Module(apr_pool_t 
         sc->vhost_id = ssl_util_vhostid(p, s);
         sc->vhost_id_len = strlen(sc->vhost_id);
 
-        if (ap_get_server_protocol(s) &&
-            strcmp("https", ap_get_server_protocol(s)) == 0) {
+        /* Default to enabled if SSLEngine is not set explicitly, and
+         * the protocol is https. */
+        if (ap_get_server_protocol(s) 
+            && strcmp("https", ap_get_server_protocol(s)) == 0
+            && sc->enabled == SSL_ENABLED_UNSET) {
             sc->enabled = SSL_ENABLED_TRUE;
         }
 
-        /* If sc->enabled is UNSET, then SSL is optional on this vhost  */
-        /* Fix up stuff that may not have been set */
+        /* Fix up stuff that may not have been set.  If sc->enabled is
+         * UNSET, then SSL is disabled on this vhost.  */
         if (sc->enabled == SSL_ENABLED_UNSET) {
             sc->enabled = SSL_ENABLED_FALSE;
         }
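
Review bot: the first line of the new condition, "if (ap_get_server_protocol(s) ", ends in trailing whitespace, and the condition still calls ap_get_server_protocol(s) twice; keep the result in a local and test "sc->enabled == SSL_ENABLED_UNSET" first so the string compare is skipped when SSLEngine was set explicitly. With this check a vhost whose protocol is https and which has "SSLEngine off" stays disabled without any message, so a startup log line for that combination would help operators notice a listener declared https that is not using mod_ssl.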