
Duplicate UNIQUE_IDs with mod_http2 #195

Closed
mkauf opened this issue Feb 14, 2020 · 8 comments

Comments

@mkauf
Contributor

mkauf commented Feb 14, 2020

It can happen that the same request ID (UNIQUE_ID) is calculated twice by mod_unique_id when HTTP/2 is used. This is not a theoretical problem, it really occurs on busy servers.

mod_unique_id uses the current connection ID as an input for calculating the UNIQUE_ID. For HTTP 1.x, the current thread number is used as connection ID.

For HTTP/2, mod_h2 calculates a connection ID per stream, in h2_task_do(). For a 64-bit system:

task->c->id = (c->master->id << 32) ^ task->stream_id;

mod_unique_id only uses the lower 32 bits of this value in gen_unique_id():

new_unique_id.thread_index = htonl((unsigned int)c->id);

So effectively this is executed:

new_unique_id.thread_index = htonl((unsigned int)task->stream_id);

There is not enough "uniqueness" in this value.

Bugfix

This problem can be fixed in several ways:

  • change mod_h2 to calculate the connection ID on 64-bit systems like on 32-bit systems
  • change mod_unique_id to include all 64 bits of the connection ID into UNIQUE_ID
  • change mod_unique_id to XOR the lower 32 bits of the connection ID with the upper 32 bits of the connection ID, and then use the resulting value for the UNIQUE_ID

The last approach could be implemented like this:

if (sizeof(long) > sizeof(int)) {
    new_unique_id.thread_index = htonl((unsigned int)(c->id >> (sizeof(int) * 8) ^ c->id));
}
else {
    new_unique_id.thread_index = htonl((unsigned int)c->id);
}

Unfortunately, duplicated IDs still showed up even with this patch. So probably including all 64 bits of the connection ID into UNIQUE_ID is the better approach.
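As an added illustration (not code from mod_h2, mod_unique_id or this thread), the following C model reproduces the arithmetic quoted above for the three derivations that come up in this issue: the original `(master->id << 32) ^ stream_id` truncated to 32 bits, the XOR fold, and the `(master->id << 8) ^ worker_id` variant proposed later in the thread. The harness function names, the master-id range and the per-master task counts are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the connection-id derivations discussed in this
 * issue. Only the arithmetic mirrors the lines quoted in the thread; the
 * function names and the collision-count harness are assumptions.
 */

/* h2_task_do() on a 64-bit build: master id in the high word, stream id low */
static uint64_t h2_conn_id_original(uint64_t master_id, uint32_t stream_id)
{
    return (master_id << 32) ^ stream_id;
}

/* proposed replacement: master id shifted by 8 bits, xor'ed with the worker index */
static uint64_t h2_conn_id_shift8(uint64_t master_id, uint32_t worker_id)
{
    return (master_id << 8) ^ worker_id;
}

/* gen_unique_id() keeps only the low 32 bits of c->id */
static uint32_t thread_index_truncate(uint64_t conn_id)
{
    return (uint32_t)conn_id;
}

/* the fold variant: xor the high and low 32-bit halves before truncating */
static uint32_t thread_index_fold(uint64_t conn_id)
{
    return (uint32_t)((conn_id >> 32) ^ conn_id);
}

typedef enum { SCHEME_ORIGINAL, SCHEME_FOLD, SCHEME_SHIFT8 } scheme_t;

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/*
 * Count how many thread_index values repeat an earlier one, given n_masters
 * master connections (ids 0..n_masters-1, the shape mpm_event's
 * child*thread_limit+thread hands out) each carrying n_per_master concurrent
 * tasks. For the original and fold schemes a task is identified by its odd,
 * client-initiated stream id; for the shift8 scheme by a worker index that is
 * assumed to stay below 256. Returns -1 on allocation failure.
 */
static long count_thread_index_collisions(scheme_t scheme, uint32_t n_masters,
                                          uint32_t n_per_master)
{
    size_t total = (size_t)n_masters * n_per_master;
    uint32_t *idx = malloc(total * sizeof *idx);
    long dups = 0;
    size_t k = 0;

    if (!idx)
        return -1;

    for (uint32_t m = 0; m < n_masters; m++) {
        for (uint32_t t = 0; t < n_per_master; t++) {
            uint32_t stream_id = 2 * t + 1;   /* client streams are odd */
            uint64_t cid;
            switch (scheme) {
            case SCHEME_ORIGINAL:
                cid = h2_conn_id_original(m, stream_id);
                idx[k++] = thread_index_truncate(cid);
                break;
            case SCHEME_FOLD:
                cid = h2_conn_id_original(m, stream_id);
                idx[k++] = thread_index_fold(cid);
                break;
            default:
                cid = h2_conn_id_shift8(m, t);    /* t plays the worker id */
                idx[k++] = thread_index_truncate(cid);
                break;
            }
        }
    }

    /* sort, then every equal neighbour is one collision */
    qsort(idx, total, sizeof *idx, cmp_u32);
    for (size_t i = 1; i < total; i++)
        if (idx[i] == idx[i - 1])
            dups++;

    free(idx);
    return dups;
}

int main(void)
{
    printf("original: %ld collisions\n", count_thread_index_collisions(SCHEME_ORIGINAL, 4, 8));
    printf("fold:     %ld collisions\n", count_thread_index_collisions(SCHEME_FOLD, 4, 8));
    printf("shift8:   %ld collisions\n", count_thread_index_collisions(SCHEME_SHIFT8, 4, 8));
    return 0;
}
```

With 4 masters and 8 tasks each, the original scheme collapses to the stream id alone (24 of 32 values repeat) and the fold still collides across masters (16 repeats), while the 8-bit shift stays collision-free as long as worker ids stay below 256 and master ids below 2^24.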

@icing
Owner

icing commented Feb 17, 2020

urgs, just looked at mod_unique_id. Do I see this right that the cur_unique_id.counter is not atomic and will not necessarily increase every time?

It "cleverly" relies on not being invoked from multiple threads for the same c->id mod 32bit. Interesting. And broken. It relies on a http/1.x processing model.

But of course no one can know what a change in mod_unique_id's implementation would trigger... But ultimately, this discussion needs to be done on the httpd dev list.

connection ids are implemented by the mpm and mpm_event indeed does

  #define ID_FROM_CHILD_THREAD(c, t)    ((c * thread_limit) + t)
  long conn_id = ID_FROM_CHILD_THREAD(my_child_num, my_thread_num);

Hmm. Maybe h2 should calc the id like this?

-        task->c->id = (c->master->id << free_bits)^slave_id;
+        task->c->id = (c->master->id << 8)^worker_id;
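Review bot: the fixed shift in `task->c->id = (c->master->id << 8)^worker_id;` keeps the worker index apart from the master id only while worker_id stays below 256 and the master id below 2^24; beyond either bound the XOR overlaps the master bits once mod_unique_id truncates c->id to 32 bits, which is the "configurations where collisions are possible" caveat. Worth stating both bounds in a comment next to the assignment so the assumption is visible to whoever raises the worker limit later.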

Maybe that works better, but there will still be configurations where collisions are possible. Maybe not very common ones.

Could you test this?

@mkauf
Contributor Author

mkauf commented Feb 17, 2020

You're right, the counter in mod_unique_id is not increased atomically. As a bugfix, mod_unique_id could increase the counter atomically and ignore the connection id. Not sure what this means for the performance, probably atomic operations were slow when mod_unique_id was created.

I'm currently on holiday, I can test your proposed change next week.

@icing
Owner

icing commented Feb 18, 2020

Enjoy your holiday!

@mkauf
Contributor Author

mkauf commented Feb 24, 2020

Thanks! I have tested this change:

-        task->c->id = (c->master->id << free_bits)^slave_id;
+        task->c->id = (c->master->id << 8)^worker_id;

It works fine, I got no duplicate UNIQUE_IDs so far 👍

For the test, I have used mod_asis and mod_include with this file:

Status: 200 OK
Content-Type: text/plain

<!--#echo var="UNIQUE_ID" -->

I have collected UNIQUE_IDs for approximately an hour, in 5 different terminals:

while true; do curl -k -s https://localhost/ https://localhost/ https://localhost/ https://localhost/ https://localhost/ >> /data/curl1.log; done
while true; do curl -k -s https://localhost/ https://localhost/ https://localhost/ https://localhost/ https://localhost/ >> /data/curl2.log; done
while true; do curl -k -s https://localhost/ https://localhost/ https://localhost/ https://localhost/ https://localhost/ >> /data/curl3.log; done
while true; do curl -k -s https://localhost/ https://localhost/ https://localhost/ https://localhost/ https://localhost/ >> /data/curl4.log; done
while true; do curl -k -s https://localhost/ https://localhost/ https://localhost/ https://localhost/ https://localhost/ >> /data/curl5.log; done

Check for duplicate UNIQUE_IDs:

cat /data/curl*.log | sort | uniq -c | grep -v '^ *1 '

@mkauf
Contributor Author

mkauf commented Mar 2, 2020

For comparison: nginx uses 16 random bytes for "$request_id" - no counters involved.

@mkauf
Contributor Author

mkauf commented Mar 2, 2020

Is task->c->id = (c->master->id << 8)^worker_id; a "good enough" solution, or do we need to think about other options?

@icing
Owner

icing commented Mar 2, 2020

If it works for you, I tend to consider it good enough. I can make the change in the module and apache subversion and propose for backport.

I'd dare not change the general implementation in 2.4.x, because there is bound to be someone using HTTP/1.1 who is relying on the current characteristics.

Works for you?

icing pushed a commit that referenced this issue Mar 2, 2020
--------------------------------------------------------------------------------
 * Fixes issue #195 regarding h2 slave connection ids that resulted in duplicate
   request ids being generated under loads.
asfgit pushed a commit to apache/httpd that referenced this issue Mar 2, 2020
…que request

     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874689 13f79535-47bb-0310-9956-ffa450edef68
@mkauf
Contributor Author

mkauf commented Mar 2, 2020

Yes, works for me, thanks!

asfgit pushed a commit to apache/httpd that referenced this issue Mar 6, 2020
  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]


Submitted by: icing
Reviewed by: icing, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874909 13f79535-47bb-0310-9956-ffa450edef68
clrpackages pushed a commit to clearlinux-pkgs/httpd that referenced this issue Apr 3, 2020
- Release 2.4.43 fixes CVE-2020-1934, CVE-2020-1927;
- Dropped mod_systemd patches as upstreams includes it since 2.4.42;
- Added --enable-systemd to the configuration step;

Changes with Apache 2.4.43

  *) SECURITY: CVE-2020-1934 (cve.mitre.org)
     mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
     server. [Eric Covener]

  *) SECURITY: CVE-2020-1927 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]

  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Changes with Apache 2.4.42

  *) mod_proxy_http: Fix the forwarding of requests with content body when a
     balancer member is unavailable; the retry on the next member was issued
     with an empty body (regression introduced in 2.4.41). PR63891.
     [Yann Ylavic]

  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]

  *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
     PR64140. [Renier Velazco <renier.velazco upr.edu>]

  *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
     PR64172.

  *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
     to allow customization of the usertrack cookie. PR64077.
     [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

  *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
     AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

  *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
     [Eric Covener, Yann Ylavic]

  *) Add a config layout for OpenWRT. [Graham Leggett]

  *) Add support for cross compiling to apxs. If apxs is being executed from
     somewhere other than its target location, add that prefix to includes and
     library directories. Without this, apxs would fail to find config_vars.mk
     and exit. [Graham Leggett]

  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
     issue mod_md#172 (icing/mod_md#172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
     [Graham Leggett]

  *) mod_ssl: Support use of private keys and certificates from an
     OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
     [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

  *) mod_md:
     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
       thanks to Timothe Litt (@tlhackque).
     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
       check all matching virtual hosts for protocol support. Thanks to @mkauf.
     - Corrected a check when OCSP stapling was configured for hosts
       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
     - Softening the restrictions where mod_md configuration directives may appear. This should
       allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
       you wanted in the first place, is another matter.
     [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

  *) test: Added continuous testing with Travis CI.
     This tests various scenarios on Ubuntu with the full test suite.
     Architectures tested: amd64, s390x, ppc64le, arm64
     The tests pass successfully.
     [Luca Toscano, Joe Orton, Mike Rumph, and others]

  *) core: Be stricter in parsing of Transfer-Encoding headers.
     [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

  *) mod_ssl: negotiate the TLS protocol version per name based vhost
     configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
     SSLProtocol (from the first vhost declared on the IP:port) is now only
     relevant if no SSLProtocol is declared for the vhost or globally,
     otherwise the vhost or global value apply.  [Yann Ylavic]

  *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
     output.  PR 64096.  [Joe Orton]

  *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
     [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

  *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

  *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
     r:notes_table, r:subprocess_env_table as read-only native table alternatives
     that can be iterated over. [Eric Covener]

  *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
     [Yann Ylavic, Stefan Eissing]

  *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
     r.headers_out, etc) to remove the key from the table. PR63971.
     [Eric Covener]

  *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
     ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
     always `on`, regardless of configuration. Found and reported by
     <Armin.Abfalterer@united-security-providers.ch> and
     <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

  *) mod_http2: Multiple field length violations in the same request no longer cause
     several log entries to be written. [@mkauf]

  *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
     [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

  *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
     [Jim Jagielski]

  *) mod_authn_socache: Increase the maximum length of strings that can be cached by
     the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

  *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
     [Ruediger Pluem, Eric Covener]

  *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
     valid (For example, testing for a file on a flash drive that is not mounted)
     [Christophe Jaillet]

  *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
     means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

  *) mod_md v2.2.3:
     - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
       had been additive before which was not the intended behaviour. [@mkauf]
     - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
       documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
     - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
     - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
       "transfer-encoding" to POST requests. This failed in directy communication with
       Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

  *) mod_md: Adding the several new features.
     The module offers an implementation of OCSP Stapling that can replace fully or
     for a limited set of domains the existing one from mod_ssl. OCSP handling
     is part of mod_md's monitoring and message notifications. If can be used
     for sites that do not have ACME certificates.
     The url for a CTLog Monitor can be configured. It is used in the server-status
     to link to the external status page of a certicate.
     The MDMessageCmd is called with argument "installed" when a new certificate
     has been activated on server restart/reload. This allows for processing of
     the new certificate, for example to applications that require it in different
     locations or formats.
     [Stefan Eissing]

  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
     protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Apr 6, 2020
bmwiedemann added a commit to bmwiedemann/openSUSE that referenced this issue Apr 7, 2020
https://build.opensuse.org/request/show/791205
by user pgajdos + dimstar_suse
- declare ap_sock_disable_nagle to fix loading mod_proxy_http2
  (thanks to mliska@suse.com)
- modified patches
  % httpd-visibility.patch (refreshed)

- version update to 2.4.43
  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
  *) mod_proxy_http: Fix the forwarding of requests with content body when a
     balancer member is unavailable; the retry on the next member was issued
     with an empty body (regression introduced in 2.4.41). PR63891.
     [Yann Ylavic]
  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]
  *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
     PR64140. [Renier Velazco <re
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Apr 9, 2020
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.89
- www/apache24/PLIST                                            1.32
- www/apache24/distinfo                                         1.42

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Apr  6 08:27:26 UTC 2020

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   apache: update to 2.4.43.

          check all matching virtual hosts for protocol support. Thanks to @mkauf.
        - Corrected a check when OCSP stapling was configured for hosts
          where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
        - Softening the restrictions where mod_md configuration directives may appear. This should
          allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
          you wanted in the first place, is another matter.
        [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
         Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

     *) test: Added continuous testing with Travis CI.
        This tests various scenarios on Ubuntu with the full test suite.
        Architectures tested: amd64, s390x, ppc64le, arm64
        The tests pass successfully.
        [Luca Toscano, Joe Orton, Mike Rumph, and others]

     *) core: Be stricter in parsing of Transfer-Encoding headers.
        [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

     *) mod_ssl: negotiate the TLS protocol version per name based vhost
        configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
        SSLProtocol (from the first vhost declared on the IP:port) is now only
        relevant if no SSLProtocol is declared for the vhost or globally,
        otherwise the vhost or global value apply.  [Yann Ylavic]

     *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
        output.  PR 64096.  [Joe Orton]

     *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
        [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

     *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

     *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
        r:notes_table, r:subprocess_env_table as read-only native table alternatives
        that can be iterated over. [Eric Covener]

     *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
        [Yann Ylavic, Stefan Eissing]

     *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
        r.headers_out, etc) to remove the key from the table. PR63971.
        [Eric Covener]

     *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
        ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
        always `on`, regardless of configuration. Found and reported by
        <Armin.Abfalterer@united-security-providers.ch> and
        <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

     *) mod_http2: Multiple field length violations in the same request no longer cause
        several log entries to be written. [@mkauf]

     *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
        [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

     *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
        [Jim Jagielski]

     *) mod_authn_socache: Increase the maximum length of strings that can be cached by
        the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

     *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
        [Ruediger Pluem, Eric Covener]

     *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
        valid (For example, testing for a file on a flash drive that is not mounted)
        [Christophe Jaillet]

     *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
        means 'foo' is "not acceptable".  PR 58158 [Christophe Jaillet]

     *) mod_md v2.2.3:
        - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
          had been additive before which was not the intended behaviour. [@mkauf]
        - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
          documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
        - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
        - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
          "transfer-encoding" to POST requests. This failed in direct communication with
          Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

     *) mod_md: Adding several new features.
        The module offers an implementation of OCSP Stapling that can replace fully or
        for a limited set of domains the existing one from mod_ssl. OCSP handling
        is part of mod_md's monitoring and message notifications. It can be used
        for sites that do not have ACME certificates.
        The url for a CTLog Monitor can be configured. It is used in the server-status
        to link to the external status page of a certificate.
        The MDMessageCmd is called with argument "installed" when a new certificate
        has been activated on server restart/reload. This allows for processing of
        the new certificate, for example to applications that require it in different
        locations or formats.
        [Stefan Eissing]

     *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
        protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
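The mod_http2/mod_unique_id entry in the changelog above refers to the collision described in this issue. As an added model (not httpd's or mod_h2's own code, and not the fix that shipped), the C below reproduces the 64-bit per-stream connection-id derivation and the two thread_index computations quoted in the issue text, on constructed master ids and stream ids, and counts how many distinct values each yields.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-stream connection id as mod_h2 derived it on a 64-bit system
 * (the expression quoted in the issue): master connection id in the
 * upper 32 bits, HTTP/2 stream id XORed into the lower 32 bits. */
static uint64_t h2_stream_conn_id(uint64_t master_id, uint32_t stream_id)
{
    return (master_id << 32) ^ stream_id;
}

/* Pre-fix mod_unique_id behaviour: the (unsigned int) cast keeps only the
 * low 32 bits, i.e. effectively just the stream id.  htonl() is left out
 * because byte order does not change which values collide. */
static uint32_t thread_index_truncated(uint64_t conn_id)
{
    return (uint32_t)conn_id;
}

/* The fold proposed in the issue: XOR the upper 32 bits into the lower 32
 * before the cast, so the master connection id takes part in the result. */
static uint32_t thread_index_folded(uint64_t conn_id)
{
    return (uint32_t)((conn_id >> 32) ^ conn_id);
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Count how many distinct thread_index values index_fn yields for a
 * constructed workload: `masters` concurrent HTTP/2 connections with ids
 * 1..masters (constructed values, not real MPM connection ids), each
 * carrying `streams_per_conn` client-initiated streams (odd ids 1, 3, 5, ...).
 * Returns 0 on an empty workload or allocation failure. */
static size_t count_distinct(uint32_t (*index_fn)(uint64_t),
                             unsigned masters, unsigned streams_per_conn)
{
    size_t n = (size_t)masters * streams_per_conn;
    uint32_t *vals;
    size_t k = 0, distinct;

    if (n == 0)
        return 0;
    vals = malloc(n * sizeof *vals);
    if (!vals)
        return 0;
    for (unsigned m = 1; m <= masters; m++)
        for (unsigned s = 0; s < streams_per_conn; s++)
            vals[k++] = index_fn(h2_stream_conn_id(m, 2 * s + 1));
    qsort(vals, n, sizeof *vals, cmp_u32);
    distinct = 1;
    for (size_t i = 1; i < n; i++)
        if (vals[i] != vals[i - 1])
            distinct++;
    free(vals);
    return distinct;
}

int main(void)
{
    /* Two different master connections, both carrying stream id 3. */
    uint64_t a = h2_stream_conn_id(1, 3), b = h2_stream_conn_id(2, 3);

    printf("truncated: %u vs %u\n",
           thread_index_truncated(a), thread_index_truncated(b));
    printf("folded:    %u vs %u\n",
           thread_index_folded(a), thread_index_folded(b));
    printf("distinct of 16 (4 conns x 4 streams): truncated=%zu folded=%zu\n",
           count_distinct(thread_index_truncated, 4, 4),
           count_distinct(thread_index_folded, 4, 4));
    return 0;
}
```

The fold still produces a 32-bit value, so the distinct count stays below the 16 streams in the constructed workload; the field's uniqueness remains bounded by its width, and mod_unique_id's other fields have to cover the rest.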
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue May 27, 2020
notroj pushed a commit to notroj/httpd that referenced this issue Jun 23, 2020
…que request

     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874689 13f79535-47bb-0310-9956-ffa450edef68
@icing icing closed this as completed Jul 13, 2020
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 14, 2021
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jan 18, 2023