Posted to cvs@httpd.apache.org by jo...@apache.org on 2016/11/14 10:26:34 UTC

svn commit: r1769588 [17/17] - in /httpd/httpd/branches/2.4.x-openssl-1.1.0-compat: ./ docs/conf/ docs/manual/ docs/manual/howto/ docs/manual/mod/ docs/manual/platform/ docs/manual/programs/ docs/manual/rewrite/ include/ modules/ modules/aaa/ modules/a...

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/util_script.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/util_script.c?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/util_script.c (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/util_script.c Mon Nov 14 10:26:31 2016
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
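Review bot: The empty `;` body of the new `Proxy` branch leaves its purpose entirely to the comment placed above the `#ifndef`, which a reader scanning the else-if chain for the header-to-envvar mapping can easily miss; put the reason on the statement itself, e.g. replace `;` with `/* dropped on purpose: would become HTTP_PROXY in the CGI environment */`. The branch also uses `ap_cstr_casecmp` where the neighbouring branches use `strcasecmp`; the locale-independent comparison is the right one for a header name, so a short word on why it differs would stop the next cleanup from "harmonising" it back. ap_add_common_vars starts before and continues past this hunk.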

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/vhost.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/vhost.c?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/vhost.c (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/server/vhost.c Mon Nov 14 10:26:31 2016
@@ -228,7 +228,7 @@ const char *ap_parse_vhost_addrs(apr_poo
     server_addr_rec **addrs;
     const char *err;
 
-    /* start the list of addreses */
+    /* start the list of addresses */
     addrs = &s->addrs;
     while (hostname[0]) {
         err = get_addresses(p, ap_getword_conf(p, &hostname), &addrs, s->port);
@@ -574,7 +574,7 @@ AP_DECLARE(void) ap_fini_vhost_config(ap
 
     /* The next things to go into the hash table are the virtual hosts
      * themselves.  They're listed off of main_s->next in the reverse
-     * order they occured in the config file, so we insert them at
+     * order they occurred in the config file, so we insert them at
      * the iphash_table_tail but don't advance the tail.
      */
 

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/ab.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/ab.c?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/ab.c (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/ab.c Mon Nov 14 10:26:31 2016
@@ -194,6 +194,9 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #ifdef SSL_OP_NO_TLSv1_2
 #define HAVE_TLSV1_X
 #endif
+#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
+#define HAVE_TLSEXT
+#endif
 #endif
 
 #include <math.h>
@@ -310,7 +313,7 @@ int isproxy = 0;
 apr_interval_time_t aprtimeout = apr_time_from_sec(30); /* timeout value */
 
 /* overrides for ab-generated common headers */
-int opt_host = 0;       /* was an optional "Host:" header specified? */
+const char *opt_host;   /* which optional "Host:" header specified, if any */
 int opt_useragent = 0;  /* was an optional "User-Agent:" header specified? */
 int opt_accept = 0;     /* was an optional "Accept:" header specified? */
  /*
@@ -343,6 +346,10 @@ SSL_CTX *ssl_ctx;
 char *ssl_cipher = NULL;
 char *ssl_info = NULL;
 BIO *bio_out,*bio_err;
+#ifdef HAVE_TLSEXT
+int tls_use_sni = 1;         /* used by default, -I disables it */
+const char *tls_sni = NULL; /* 'opt_host' if any, 'hostname' otherwise */
+#endif
 #endif
 
 apr_time_t start, lasttime, stoptime;
@@ -864,6 +871,11 @@ static void output_results(int sig)
     if (is_ssl && ssl_info) {
         printf("SSL/TLS Protocol:       %s\n", ssl_info);
     }
+#ifdef HAVE_TLSEXT
+    if (is_ssl && tls_sni) {
+        printf("TLS Server Name:        %s\n", tls_sni);
+    }
+#endif
 #endif
     printf("\n");
     printf("Document Path:          %s\n", path);
@@ -1332,6 +1344,11 @@ static void start_connect(struct connect
             BIO_set_callback(bio, ssl_print_cb);
             BIO_set_callback_arg(bio, (void *)bio_err);
         }
+#ifdef HAVE_TLSEXT
+        if (tls_sni) {
+            SSL_set_tlsext_host_name(c->ssl, tls_sni);
+        }
+#endif
     } else {
         c->ssl = NULL;
     }
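Review bot: The return value of `SSL_set_tlsext_host_name` is discarded, so a refused server name (the call returns 0 on failure) silently produces a handshake without SNI and the "TLS Server Name:" line in the results would still claim one was sent. Report the failure on the existing error BIO, e.g. `if (!SSL_set_tlsext_host_name(c->ssl, tls_sni)) { BIO_printf(bio_err, "SSL_set_tlsext_host_name(%s) failed\n", tls_sni); }`, and consider clearing `tls_sni` so the summary stays truthful. start_connect starts before and continues past this hunk.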
@@ -1710,6 +1727,18 @@ static void test(void)
         /* Header overridden, no need to add, as it is already in hdrs */
     }
 
+#ifdef HAVE_TLSEXT
+    if (is_ssl && tls_use_sni) {
+        apr_ipsubnet_t *ip;
+        if (((tls_sni = opt_host) || (tls_sni = hostname)) &&
+            (!*tls_sni || apr_ipsubnet_create(&ip, tls_sni, NULL,
+                                               cntxt) == APR_SUCCESS)) {
+            /* IP not allowed in TLS SNI extension */
+            tls_sni = NULL;
+        }
+    }
+#endif
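Review bot: `tls_sni` is taken verbatim from `opt_host`, which the option parser fills with everything after `Host:` minus surrounding whitespace, so a header like `Host: example.com:8443` sends `example.com:8443` as the SNI name; SNI carries a bare host name, and a name with a port will not match any server certificate or vhost. A bracketed IPv6 literal (`[::1]`) presumably also slips past `apr_ipsubnet_create` and is sent as-is, which the "IP not allowed" comment says is not intended. Strip a single `:port` suffix before the IP check and treat a leading `[` as an IP literal; test() starts before and continues past this hunk.
```c
#ifdef HAVE_TLSEXT
    if (is_ssl && tls_use_sni) {
        apr_ipsubnet_t *ip;
        if ((tls_sni = opt_host) || (tls_sni = hostname)) {
            /* "host:port" from an explicit Host: header — SNI carries the name
             * only; leave IPv6 literals (several colons, or bracketed) alone. */
            const char *colon = strchr(tls_sni, ':');
            if (colon && *tls_sni != '[' && !strchr(colon + 1, ':')) {
                tls_sni = apr_pstrmemdup(cntxt, tls_sni, colon - tls_sni);
            }
            /* IP (v4, or v6 with or without brackets) not allowed in TLS SNI */
            if (!*tls_sni || *tls_sni == '['
                || apr_ipsubnet_create(&ip, tls_sni, NULL, cntxt) == APR_SUCCESS) {
                tls_sni = NULL;
            }
        }
    }
#endif
```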
+
     if (!opt_useragent) {
         /* User-Agent: header not overridden, add default value to hdrs */
         hdrs = apr_pstrcat(cntxt, hdrs, "User-Agent: ApacheBench/", AP_AB_BASEREVISION, "\r\n", NULL);
@@ -2009,6 +2038,9 @@ static void usage(const char *progname)
 #define TLS1_X_HELP_MSG ""
 #endif
 
+#ifdef HAVE_TLSEXT
+    fprintf(stderr, "    -I              Disable TLS Server Name Indication (SNI) extension\n");
+#endif
     fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
     fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");
     fprintf(stderr, "                    (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
@@ -2180,7 +2212,7 @@ int main(int argc, const char * const ar
     myhost = NULL; /* 0.0.0.0 or :: */
 
     apr_getopt_init(&opt, cntxt, argc, argv);
-    while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
+    while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqB:m:"
 #ifdef USE_SSL
             "Z:f:"
 #endif
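Review bot: `I` is added to the apr_getopt option string unconditionally, but its `case 'I':` (in the later hunk at the end of the option switch) is compiled only under `USE_SSL` and `HAVE_TLSEXT`, so on a build without SNI support `-I` is accepted and silently does nothing unless the switch's default branch (outside this hunk) rejects it. Keep the option and its handler in step by moving the letter into the existing conditional concatenation: `"...kVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"` followed by `#ifdef HAVE_TLSEXT` / `"I"` / `#endif` next to the `"Z:f:"` piece. main continues past this hunk.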
@@ -2299,7 +2331,16 @@ int main(int argc, const char * const ar
                  * allow override of some of the common headers that ab adds
                  */
                 if (strncasecmp(opt_arg, "Host:", 5) == 0) {
-                    opt_host = 1;
+                    char *host;
+                    apr_size_t len;
+                    opt_arg += 5;
+                    while (apr_isspace(*opt_arg))
+                        opt_arg++;
+                    len = strlen(opt_arg);
+                    host = strdup(opt_arg);
+                    while (len && apr_isspace(host[len-1]))
+                        host[--len] = '\0';
+                    opt_host = host;
                 } else if (strncasecmp(opt_arg, "Accept:", 7) == 0) {
                     opt_accept = 1;
                 } else if (strncasecmp(opt_arg, "User-Agent:", 11) == 0) {
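Review bot: `strdup` at the `Host:` branch is not checked, so an allocation failure dereferences NULL in the trailing-whitespace loop (`host[len-1]`) whenever the value is non-empty. The rest of the file allocates from the `cntxt` pool (see the `apr_ipsubnet_create(..., cntxt)` call in test()), so `host = apr_pstrdup(cntxt, opt_arg);` keeps the allocation style consistent and leaves lifetime to the pool, which also covers a repeated `-H Host:` overwriting the previous copy. main continues past this hunk.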
@@ -2364,10 +2405,16 @@ int main(int argc, const char * const ar
 #ifndef OPENSSL_NO_SSL2
                 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
+#ifdef HAVE_TLSEXT
+                    tls_use_sni = 0;
+#endif
 #endif
 #ifndef OPENSSL_NO_SSL3
                 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
+#ifdef HAVE_TLSEXT
+                    tls_use_sni = 0;
+#endif
 #endif
 #ifdef HAVE_TLSV1_X
                 } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
@@ -2404,6 +2451,11 @@ int main(int argc, const char * const ar
                 }
 #endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
                 break;
+#ifdef HAVE_TLSEXT
+            case 'I':
+                tls_use_sni = 0;
+                break;
+#endif
 #endif
         }
     }

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/checkgid.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/checkgid.c?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/checkgid.c (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/checkgid.c Mon Nov 14 10:26:31 2016
@@ -15,7 +15,7 @@
  */
 
 /*
- * Given one or more group identifers on the command line (e.g.,
+ * Given one or more group identifiers on the command line (e.g.,
  * "httpd" or "#-1"), figure out whether they'll be valid for
  * the server to use at run-time.
  *

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/htcacheclean.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/htcacheclean.c?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/htcacheclean.c (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/htcacheclean.c Mon Nov 14 10:26:31 2016
@@ -1046,9 +1046,9 @@ static void purge(char *path, apr_pool_t
          return;
     }
 
-    /* process remaining entries oldest to newest, the check for an emtpy
+    /* process remaining entries oldest to newest, the check for an empty
      * ring actually isn't necessary except when the compiler does
-     * corrupt 64bit arithmetics which happend to me once, so better safe
+     * corrupt 64bit arithmetics which happened to me once, so better safe
      * than sorry
      */
     while (!((!s.max || s.sum <= s.max) && (!s.inodes || s.nodes <= s.inodes))

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.c?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.c (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.c Mon Nov 14 10:26:31 2016
@@ -258,7 +258,7 @@ int main(int argc, const char * const ar
         resolves++;
 
         /* From here on our we cache each result, even if it was not
-         * succesful
+         * successful
          */
         cachesize++;
 

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.pl.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.pl.in?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.pl.in (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/support/logresolve.pl.in Mon Nov 14 10:26:31 2016
@@ -41,7 +41,7 @@
 # logfile lines processed per hour compared to ~45,000 per hour
 # with 'logresolve'.
 #
-# I haven't yet seen any noticable reduction in the percentage of IPs
+# I haven't yet seen any noticeable reduction in the percentage of IPs
 # that fail to get resolved. Your mileage will no doubt vary. 5s is long
 # enough to wait IMO.
 #
@@ -207,7 +207,7 @@ sub nslookup {
 
 	 # do the hostname lookup inside an eval. The eval will use the
 	 # already configured SIGnal handler and drop out of the {} block
-	 # regardless of whether the alarm occured or not.
+	 # regardless of whether the alarm occurred or not.
 	eval {
 		alarm($TIMEOUT);
 		$hostname = gethostbyaddr(gethostbyname($ip), AF_INET);

Modified: httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/test/make_sni.sh
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/test/make_sni.sh?rev=1769588&r1=1769587&r2=1769588&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/test/make_sni.sh (original)
+++ httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/test/make_sni.sh Mon Nov 14 10:26:31 2016
@@ -82,7 +82,7 @@ do
 done
 
 if [ $# = 1 ]; then
-    echo "Aborted - just specifing one vhost makes no sense for SNI testing. Go wild !"
+    echo "Aborted - just specifying one vhost makes no sense for SNI testing. Go wild !"
     exit 1
 fi