Posted to cvs@httpd.apache.org by yl...@apache.org on 2021/07/02 22:39:12 UTC
svn commit: r1891217 - in /httpd/httpd/trunk: ./ changes-entries/
Author: ylavic
Date: Fri Jul 2 22:39:11 2021
New Revision: 1891217
URL: http://svn.apache.org/viewvc?rev=1891217&view=rev
Log:
Sync CHANGES entries.
Removed:
httpd/httpd/trunk/changes-entries/h2_dont_strip_304.txt
httpd/httpd/trunk/changes-entries/prefork_child_init_sigmask.txt
httpd/httpd/trunk/changes-entries/proxy_define_matchable_worker.txt
httpd/httpd/trunk/changes-entries/ssl_alpn_outgoing.txt
httpd/httpd/trunk/changes-entries/ssl_log_handler_move.txt
httpd/httpd/trunk/changes-entries/ssl_proxy.txt
Modified:
httpd/httpd/trunk/CHANGES
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1891217&r1=1891216&r2=1891217&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Jul 2 22:39:11 2021
@@ -1,6 +1,51 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) core/mod_proxy/mod_ssl:
+ Adding `outgoing` flag to conn_rec, indicating a connection is
+ initiated by the server to somewhere, in contrast to incoming
+ connections from clients.
+ Adding 'ap_ssl_bind_outgoing()` function that marks a connection
+ as outgoing and is used by mod_proxy instead of the previous
+ optional function `ssl_engine_set`. This enables other SSL
+ module to secure proxy connections.
+ The optional functions `ssl_engine_set`, `ssl_engine_disable` and
+ `ssl_proxy_enable` are now provided by the core to have backward
+ compatibility with non-httpd modules that might use them. mod_ssl
+ itself no longer registers these functions, but keeps them in its
+ header for backward compatibility.
+ The core provided optional function wrap any registered function
+ like it was done for `ssl_is_ssl`.
+ [Stefan Eissing]
+
+ *) mod_h2: Don't strip headers from 304 responses. [Yann Ylavic]
+
+ *) mpm_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
+ with others when their URLs contain a '$' substitution. PR 65419.
+ [Yann Ylavic]
+
+ *) mpm_prefork: Block signals for child_init hooks to prevent potential
+ threads created from there to catch MPM's signals.
+ [Ruediger Pluem, Yann Ylavic]
+
+ *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
+ connections. If ALPN protocols are provided and sent to the
+ remote server, the received protocol selected is inspected
+ and checked for a match. Without match, the peer handshake
+ fails.
+ An exception is the proposal of "http/1.1" where it is
+ accepted if the remote server did not answer ALPN with
+ a selected protocol. This accomodates for hosts that do
+ not observe/support ALPN and speak http/1.x be default.
+
+ * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl
+ into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
+ functions and work for all running SSL modules.
+ The dependency from mod_ssl to mod_log_config and its header is removed.
+ mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR".
+ This change should be fully compatible to all deployed configurations.
+ [Stefan Eissing]
+
*) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
an attempt to load a dbm driver fails, log clearly which driver triggered
the error (not "default"), and what the error was. [Graham Leggett]
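Review bot: The new mod_log_config/mod_ssl entry opens with " * " where every other entry in this file uses " *) ", and the mod_ssl ALPN entry just above it ends without a "[Author]" attribution. Both break the CHANGES entry format and should be fixed before this is merged to a release branch. The ALPN entry also has two typos in its last sentence ("accomodates", "http/1.x be default"). Since it documents a security-relevant exception (an "http/1.1" proposal is accepted when the remote server returns no ALPN selection), the wording should be exact. In the first entry, 'ap_ssl_bind_outgoing()` mixes a single quote with a backtick, "other SSL module" should be plural, and "The core provided optional function wrap" needs "functions". The "mpm_proxy:" prefix on the Proxy(Pass)Match entry looks wrong: the entry it replaces is proxy_define_matchable_worker.txt and the text is about proxy workers, so "mod_proxy:" appears to be what was meant.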