Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls-alpn-01 does not work with TLS <= 1.2 if client certificates are required #172

Closed
mkauf opened this issue Jan 17, 2020 · 6 comments
Closed

Comments

@mkauf
Copy link
Contributor

mkauf commented Jan 17, 2020

There is a limitation when using the "tls-alpn-01" challenge type: mod_md cannot get a certificate from Let's Encrypt if client certificates are required and if TLS <= 1.2 is used (SSLVerifyClient require and SSLProtocol TLSv1.2). The TLS handshake initiated by the Let's Encrypt server fails, because the Let's Encrypt server does not have a client certificate.

This message is logged:

(22)Invalid argument: AH10056: processing www.example.com: remote error: tls: handshake failure

I think that the Let's Encrypt server actually does get the certificate containing the challenge response, but it does not accept it because the handshake fails. Maybe the Let's Encrypt server software could be improved.

Another approach would be to not require a client certificate when the "acme-tls/1" protocol has been negotiated. This Apache patch works for me:

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index d3f00c2df4..39e3c21806 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2662,6 +2662,10 @@ int ssl_callback_alpn_select(SSL *ssl,
                     return SSL_TLSEXT_ERR_ALERT_FATAL;
                 }
             }
+
+            if (0 == strcmp("acme-tls/1", proposed)) {
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
+            }
         }
     }
 

Note that there is this "paranoid" check in ssl_io_filter_handshake() that checks again (after the TLS handshake) whether there is a client certificate:

/*
 * Make really sure that when a peer certificate
 * is required we really got one... (be paranoid)
 */
if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
    !sslconn->client_cert)
{
    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02011)
                  "No acceptable peer certificate available");

    ssl_filter_io_shutdown(filter_ctx, c, 1);
    return APR_ECONNABORTED;
}
@icing
Copy link
Owner

icing commented Jan 21, 2020

Urgs, nasty things. I do agree that a SSL Verify settings should not apply here. However I am not sure how to best achieve that. Checking for a fixed string can only be a proof of concept here...

There have been issues with differences in TLS versions and when verify callbacks actually happen, so this code in mod_ssl is easy to break.

Since you have the setup: is the code lines 2355+ in ssl_engine_kernel.c too late to disable client certs? Because there it would fit, I guess.

@mkauf
Copy link
Contributor Author

mkauf commented Jan 21, 2020

Since you have the setup: is the code lines 2355+ in ssl_engine_kernel.c too late to disable client certs? Because there it would fit, I guess.

It's not too late, this works:

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index d3f00c2df4..12f36e2779 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2354,6 +2354,7 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return APR_EGENERAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
             else {
                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
@@ -2661,6 +2662,7 @@ int ssl_callback_alpn_select(SSL *ssl,
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return SSL_TLSEXT_ERR_ALERT_FATAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
         }
     }

Additionally we could call SSL_set_verify_result(ssl, X509_V_OK); to clear any existing verification result, but I think that none should exist at this point.

@tlhackque
Copy link
Contributor

I also use client verification for some vhosts.
The code in mod_ssl has changed. The following looks right for 2.4.41, but other issues are keeping me from getting that far...

In any case, a solution needs to be checked in to mod_ssl. I looked at trunk; the code is unchanged (2357 maps to ~line 2401 at this writing). Has anyone filed a an issue about this with mod_ssl? (Or taken ownership?)

I haven't followed the code in detail, but one thing that occurs to me is that it's important that these "challenge" connections aren't cached (whether they succed or fail) or looked-up in the caches. Both be sure that the right certificates are sent, and to make sure that on the non-challenge connections, verification works as configured...

--- modules/ssl/ssl_engine_kernel.c~    2020-02-08 13:25:39.000000000 -0500
+++ modules/ssl/ssl_engine_kernel.c     2020-02-09 21:33:44.000000000 -0500
@@ -2357,10 +2357,11 @@
                  * that need to be answered with a special certificate and will
                  * otherwise not answer any requests. */
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return APR_EGENERAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
             else {
                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
                               "No matching SSL virtual host for servername "
                               "%s found (using default/first virtual host)",

asfgit pushed a commit to apache/httpd that referenced this issue Feb 11, 2020
…es github

     issue mod_md#172 (icing/mod_md#172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1873888 13f79535-47bb-0310-9956-ffa450edef68
@icing
Copy link
Owner

icing commented Feb 11, 2020

I applied the change as tested by @mkauf in r1873888 on Apache subversion trunk and will propose for backport into the 2.4.x branch.

@tlhackque
Copy link
Contributor

Great. Many thanks. FWIW, I found the second case in 2.4, my backport now looks like this:

--- modules/ssl/ssl_engine_kernel.c.cv-base     2020-02-08 13:25:39.000000000 -0500
+++ modules/ssl/ssl_engine_kernel.c     2020-02-11 12:20:58.000000000 -0500
@@ -2357,10 +2357,11 @@
                  * that need to be answered with a special certificate and will
                  * otherwise not answer any requests. */
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return APR_EGENERAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
             else {
                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
                               "No matching SSL virtual host for servername "
                               "%s found (using default/first virtual host)",
@@ -2664,10 +2665,11 @@

             if (ssl_is_challenge(c, servername, &cert, &key)) {
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return SSL_TLSEXT_ERR_ALERT_FATAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
         }
     }

     return SSL_TLSEXT_ERR_OK;

asfgit pushed a commit to apache/httpd that referenced this issue Feb 21, 2020
  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
     issue mod_md#172 (icing/mod_md#172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]


Submitted by: icing
Reviewed by: icing, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874283 13f79535-47bb-0310-9956-ffa450edef68
@icing
Copy link
Owner

icing commented Mar 24, 2020

Will be part of next Apache release.

@icing icing closed this as completed Mar 24, 2020
clrpackages pushed a commit to clearlinux-pkgs/httpd that referenced this issue Apr 3, 2020
- Release 2.4.43 fixes CVE-2020-1934, CVE-2020-1927;
- Dropped mod_systemd patches as upstreams includes it since 2.4.42;
- Added --enable-systemd to the configuration step;

Changes with Apache 2.4.43

  *) SECURITY: CVE-2020-1934 (cve.mitre.org)
     mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
     server. [Eric Covener]

  *) SECURITY: CVE-2020-1927 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]

  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Changes with Apache 2.4.42

  *) mod_proxy_http: Fix the forwarding of requests with content body when a
     balancer member is unavailable; the retry on the next member was issued
     with an empty body (regression introduced in 2.4.41). PR63891.
     [Yann Ylavic]

  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]

  *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
     PR64140. [Renier Velazco <renier.velazco upr.edu>]

  *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
     PR64172.

  *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
     to allow customization of the usertrack cookie. PR64077.
     [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

  *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
     AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

  *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
     [Eric Covener, Yann Ylavic]

  *) Add a config layout for OpenWRT. [Graham Leggett]

  *) Add support for cross compiling to apxs. If apxs is being executed from
     somewhere other than its target location, add that prefix to includes and
     library directories. Without this, apxs would fail to find config_vars.mk
     and exit. [Graham Leggett]

  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
     issue mod_md#172 (icing/mod_md#172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
     [Graham Leggett]

  *) mod_ssl: Support use of private keys and certificates from an
     OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
     [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

  *) mod_md:
     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
       thanks to Timothe Litt (@tlhackque).
     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
       check all matching virtual hosts for protocol support. Thanks to @mkauf.
     - Corrected a check when OCSP stapling was configured for hosts
       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
     - Softening the restrictions where mod_md configuration directives may appear. This should
       allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
       you wanted in the first place, is another matter.
     [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

  *) test: Added continuous testing with Travis CI.
     This tests various scenarios on Ubuntu with the full test suite.
     Architectures tested: amd64, s390x, ppc64le, arm64
     The tests pass successfully.
     [Luca Toscano, Joe Orton, Mike Rumph, and others]

  *) core: Be stricter in parsing of Transfer-Encoding headers.
     [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

  *) mod_ssl: negotiate the TLS protocol version per name based vhost
     configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
     SSLProtocol (from the first vhost declared on the IP:port) is now only
     relevant if no SSLProtocol is declared for the vhost or globally,
     otherwise the vhost or global value apply.  [Yann Ylavic]

  *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
     output.  PR 64096.  [Joe Orton]

  *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
     [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

  *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

  *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
     r:notes_table, r:subprocess_env_table as read-only native table alternatives
     that can be iterated over. [Eric Covener]

  *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
     [Yann Ylavic, Stefan Eissing]

  *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
     r.headers_out, etc) to remove the key from the table. PR63971.
     [Eric Covener]

  *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
     ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
     always `on`, regardless of configuration. Found and reported by
     <Armin.Abfalterer@united-security-providers.ch> and
     <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

  *) mod_http2: Multiple field length violations in the same request no longer cause
     several log entries to be written. [@mkauf]

  *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
     [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

  *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
     [Jim Jagielski]

  *) mod_authn_socache: Increase the maximum length of strings that can be cached by
     the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

  *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
     [Ruediger Pluem, Eric Covener]

  *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
     valid (For example, testing for a file on a flash drive that is not mounted)
     [Christophe Jaillet]

  *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
     means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

  *) mod_md v2.2.3:
     - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
       had been additive before which was not the intended behaviour. [@mkauf]
     - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
       documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
     - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
     - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
       "transfer-encoding" to POST requests. This failed in directy communication with
       Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

  *) mod_md: Adding the several new features.
     The module offers an implementation of OCSP Stapling that can replace fully or
     for a limited set of domains the existing one from mod_ssl. OCSP handling
     is part of mod_md's monitoring and message notifications. If can be used
     for sites that do not have ACME certificates.
     The url for a CTLog Monitor can be configured. It is used in the server-status
     to link to the external status page of a certicate.
     The MDMessageCmd is called with argument "installed" when a new certificate
     has been activated on server restart/reload. This allows for processing of
     the new certificate, for example to applications that require it in different
     locations or formats.
     [Stefan Eissing]

  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
     protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Apr 6, 2020
Changes with Apache 2.4.43

  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Changes with Apache 2.4.42

  *) mod_proxy_http: Fix the forwarding of requests with content body when a
     balancer member is unavailable; the retry on the next member was issued
     with an empty body (regression introduced in 2.4.41). PR63891.
     [Yann Ylavic]

  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]

  *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
     PR64140. [Renier Velazco <renier.velazco upr.edu>]

  *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
     PR64172.

  *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
     to allow customization of the usertrack cookie. PR64077.
     [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

  *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
     AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

  *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
     [Eric Covener, Yann Ylavic]

  *) Add a config layout for OpenWRT. [Graham Leggett]

  *) Add support for cross compiling to apxs. If apxs is being executed from
     somewhere other than its target location, add that prefix to includes and
     library directories. Without this, apxs would fail to find config_vars.mk
     and exit. [Graham Leggett]

  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
     issue mod_md#172 (icing/mod_md#172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
     [Graham Leggett]

  *) mod_ssl: Support use of private keys and certificates from an
     OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
     [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

  *) mod_md:
     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
       thanks to Timothe Litt (@tlhackque).
     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
       check all matching virtual hosts for protocol support. Thanks to @mkauf.
     - Corrected a check when OCSP stapling was configured for hosts
       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
     - Softening the restrictions where mod_md configuration directives may appear. This should
       allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
       you wanted in the first place, is another matter.
     [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

  *) test: Added continuous testing with Travis CI.
     This tests various scenarios on Ubuntu with the full test suite.
     Architectures tested: amd64, s390x, ppc64le, arm64
     The tests pass successfully.
     [Luca Toscano, Joe Orton, Mike Rumph, and others]

  *) core: Be stricter in parsing of Transfer-Encoding headers.
     [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

  *) mod_ssl: negotiate the TLS protocol version per name based vhost
     configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
     SSLProtocol (from the first vhost declared on the IP:port) is now only
     relevant if no SSLProtocol is declared for the vhost or globally,
     otherwise the vhost or global value apply.  [Yann Ylavic]

  *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
     output.  PR 64096.  [Joe Orton]

  *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
     [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

  *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

  *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
     r:notes_table, r:subprocess_env_table as read-only native table alternatives
     that can be iterated over. [Eric Covener]

  *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
     [Yann Ylavic, Stefan Eissing]

  *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
     r.headers_out, etc) to remove the key from the table. PR63971.
     [Eric Covener]

  *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
     ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
     always `on`, regardless of configuration. Found and reported by
     <Armin.Abfalterer@united-security-providers.ch> and
     <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

  *) mod_http2: Multiple field length violations in the same request no longer cause
     several log entries to be written. [@mkauf]

  *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
     [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

  *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
     [Jim Jagielski]

  *) mod_authn_socache: Increase the maximum length of strings that can be cached by
     the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

  *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
     [Ruediger Pluem, Eric Covener]

  *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
     valid (For example, testing for a file on a flash drive that is not mounted)
     [Christophe Jaillet]

  *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
     means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

  *) mod_md v2.2.3:
     - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
       had been additive before which was not the intended behaviour. [@mkauf]
     - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
       documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
     - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
     - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
       "transfer-encoding" to POST requests. This failed in directy communication with
       Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

  *) mod_md: Adding the several new features.
     The module offers an implementation of OCSP Stapling that can replace fully or
     for a limited set of domains the existing one from mod_ssl. OCSP handling
     is part of mod_md's monitoring and message notifications. If can be used
     for sites that do not have ACME certificates.
     The url for a CTLog Monitor can be configured. It is used in the server-status
     to link to the external status page of a certicate.
     The MDMessageCmd is called with argument "installed" when a new certificate
     has been activated on server restart/reload. This allows for processing of
     the new certificate, for example to applications that require it in different
     locations or formats.
     [Stefan Eissing]

  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
     protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Apr 6, 2020
Changes with Apache 2.4.43

  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Changes with Apache 2.4.42

  *) mod_proxy_http: Fix the forwarding of requests with content body when a
     balancer member is unavailable; the retry on the next member was issued
     with an empty body (regression introduced in 2.4.41). PR63891.
     [Yann Ylavic]

  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see <icing/mod_h2#195>.
     [Michael Kaufmann, Stefan Eissing]

  *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
     PR64140. [Renier Velazco <renier.velazco upr.edu>]

  *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
     PR64172.

  *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
     to allow customization of the usertrack cookie. PR64077.
     [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

  *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
     AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

  *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
     [Eric Covener, Yann Ylavic]

  *) Add a config layout for OpenWRT. [Graham Leggett]

  *) Add support for cross compiling to apxs. If apxs is being executed from
     somewhere other than its target location, add that prefix to includes and
     library directories. Without this, apxs would fail to find config_vars.mk
     and exit. [Graham Leggett]

  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
     issue mod_md#172 (icing/mod_md#172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
     [Graham Leggett]

  *) mod_ssl: Support use of private keys and certificates from an
     OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
     [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

  *) mod_md:
     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
       thanks to Timothe Litt (@tlhackque).
     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
       check all matching virtual hosts for protocol support. Thanks to @mkauf.
     - Corrected a check when OCSP stapling was configured for hosts
       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
     - Softening the restrictions where mod_md configuration directives may appear. This should
       allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
       you wanted in the first place, is another matter.
     [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

  *) test: Added continuous testing with Travis CI.
     This tests various scenarios on Ubuntu with the full test suite.
     Architectures tested: amd64, s390x, ppc64le, arm64
     The tests pass successfully.
     [Luca Toscano, Joe Orton, Mike Rumph, and others]

  *) core: Be stricter in parsing of Transfer-Encoding headers.
     [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

  *) mod_ssl: negotiate the TLS protocol version per name based vhost
     configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
     SSLProtocol (from the first vhost declared on the IP:port) is now only
     relevant if no SSLProtocol is declared for the vhost or globally,
     otherwise the vhost or global value apply.  [Yann Ylavic]

  *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
     output.  PR 64096.  [Joe Orton]

  *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
     [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

  *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

  *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
     r:notes_table, r:subprocess_env_table as read-only native table alternatives
     that can be iterated over. [Eric Covener]

  *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
     [Yann Ylavic, Stefan Eissing]

  *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
     r.headers_out, etc) to remove the key from the table. PR63971.
     [Eric Covener]

  *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
     ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
     always `on`, regardless of configuration. Found and reported by
     <Armin.Abfalterer@united-security-providers.ch> and
     <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

  *) mod_http2: Multiple field length violations in the same request no longer cause
     several log entries to be written. [@mkauf]

  *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
     [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

  *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
     [Jim Jagielski]

  *) mod_authn_socache: Increase the maximum length of strings that can be cached by
     the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

  *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
     [Ruediger Pluem, Eric Covener]

  *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
     valid (For example, testing for a file on a flash drive that is not mounted)
     [Christophe Jaillet]

  *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
     means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

  *) mod_md v2.2.3:
     - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
       had been additive before which was not the intended behaviour. [@mkauf]
     - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
       documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
     - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
     - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
       "transfer-encoding" to POST requests. This failed in directy communication with
       Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

  *) mod_md: Adding the several new features.
     The module offers an implementation of OCSP Stapling that can replace fully or
     for a limited set of domains the existing one from mod_ssl. OCSP handling
     is part of mod_md's monitoring and message notifications. If can be used
     for sites that do not have ACME certificates.
     The url for a CTLog Monitor can be configured. It is used in the server-status
     to link to the external status page of a certicate.
     The MDMessageCmd is called with argument "installed" when a new certificate
     has been activated on server restart/reload. This allows for processing of
     the new certificate, for example to applications that require it in different
     locations or formats.
     [Stefan Eissing]

  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
     protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Apr 9, 2020
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.89
- www/apache24/PLIST                                            1.32
- www/apache24/distinfo                                         1.42

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Apr  6 08:27:26 UTC 2020

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   apache: update to 2.4.43.

   Changes with Apache 2.4.43

     *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

   Changes with Apache 2.4.42

     *) mod_proxy_http: Fix the forwarding of requests with content body when a
        balancer member is unavailable; the retry on the next member was issued
        with an empty body (regression introduced in 2.4.41). PR63891.
        [Yann Ylavic]

     *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
        identifier under load, see <icing/mod_h2#195>.
        [Michael Kaufmann, Stefan Eissing]

     *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
        PR64140. [Renier Velazco <renier.velazco upr.edu>]

     *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
        PR64172.

     *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
        to allow customization of the usertrack cookie. PR64077.
        [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

     *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
        AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

     *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
        [Eric Covener, Yann Ylavic]

     *) Add a config layout for OpenWRT. [Graham Leggett]

     *) Add support for cross compiling to apxs. If apxs is being executed from
        somewhere other than its target location, add that prefix to includes and
        library directories. Without this, apxs would fail to find config_vars.mk
        and exit. [Graham Leggett]

     *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
        issue mod_md#172 (icing/mod_md#172).
        [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

     *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
        [Graham Leggett]

     *) mod_ssl: Support use of private keys and certificates from an
        OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
        [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

     *) mod_md:
        - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
          thanks to Timothe Litt (@tlhackque).
        - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
          check all matching virtual hosts for protocol support. Thanks to @mkauf.
        - Corrected a check when OCSP stapling was configured for hosts
          where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
        - Softening the restrictions where mod_md configuration directives may appear. This should
          allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
          you wanted in the first place, is another matter.
        [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
         Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

     *) test: Added continuous testing with Travis CI.
        This tests various scenarios on Ubuntu with the full test suite.
        Architectures tested: amd64, s390x, ppc64le, arm64
        The tests pass successfully.
        [Luca Toscano, Joe Orton, Mike Rumph, and others]

     *) core: Be stricter in parsing of Transfer-Encoding headers.
        [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

     *) mod_ssl: negotiate the TLS protocol version per name based vhost
        configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
        SSLProtocol (from the first vhost declared on the IP:port) is now only
        relevant if no SSLProtocol is declared for the vhost or globally,
        otherwise the vhost or global value apply.  [Yann Ylavic]

     *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
        output.  PR 64096.  [Joe Orton]

     *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
        [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

     *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

     *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
        r:notes_table, r:subprocess_env_table as read-only native table alternatives
        that can be iterated over. [Eric Covener]

     *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
        [Yann Ylavic, Stefan Eissing]

     *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
        r.headers_out, etc) to remove the key from the table. PR63971.
        [Eric Covener]

     *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
        ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
        always `on`, regardless of configuration. Found and reported by
        <Armin.Abfalterer@united-security-providers.ch> and
        <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

     *) mod_http2: Multiple field length violations in the same request no longer cause
        several log entries to be written. [@mkauf]

     *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
        [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

     *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
        [Jim Jagielski]

     *) mod_authn_socache: Increase the maximum length of strings that can be cached by
        the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

     *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
        [Ruediger Pluem, Eric Covener]

     *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
        valid (For example, testing for a file on a flash drive that is not mounted)
        [Christophe Jaillet]

     *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
        means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

     *) mod_md v2.2.3:
        - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
          had been additive before which was not the intended behaviour. [@mkauf]
        - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
          documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
        - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
        - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
          "transfer-encoding" to POST requests. This failed in directy communication with
          Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

     *) mod_md: Adding the several new features.
        The module offers an implementation of OCSP Stapling that can replace fully or
        for a limited set of domains the existing one from mod_ssl. OCSP handling
        is part of mod_md's monitoring and message notifications. If can be used
        for sites that do not have ACME certificates.
        The url for a CTLog Monitor can be configured. It is used in the server-status
        to link to the external status page of a certicate.
        The MDMessageCmd is called with argument "installed" when a new certificate
        has been activated on server restart/reload. This allows for processing of
        the new certificate, for example to applications that require it in different
        locations or formats.
        [Stefan Eissing]

     *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
        protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue May 27, 2020
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.89
- www/apache24/PLIST                                            1.32
- www/apache24/distinfo                                         1.42

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Apr  6 08:27:26 UTC 2020

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   apache: update to 2.4.43.

   Changes with Apache 2.4.43

     *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

   Changes with Apache 2.4.42

     *) mod_proxy_http: Fix the forwarding of requests with content body when a
        balancer member is unavailable; the retry on the next member was issued
        with an empty body (regression introduced in 2.4.41). PR63891.
        [Yann Ylavic]

     *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
        identifier under load, see <icing/mod_h2#195>.
        [Michael Kaufmann, Stefan Eissing]

     *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
        PR64140. [Renier Velazco <renier.velazco upr.edu>]

     *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
        PR64172.

     *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
        to allow customization of the usertrack cookie. PR64077.
        [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

     *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
        AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

     *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
        [Eric Covener, Yann Ylavic]

     *) Add a config layout for OpenWRT. [Graham Leggett]

     *) Add support for cross compiling to apxs. If apxs is being executed from
        somewhere other than its target location, add that prefix to includes and
        library directories. Without this, apxs would fail to find config_vars.mk
        and exit. [Graham Leggett]

     *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
        issue mod_md#172 (icing/mod_md#172).
        [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

     *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
        [Graham Leggett]

     *) mod_ssl: Support use of private keys and certificates from an
        OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
        [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

     *) mod_md:
        - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
          thanks to Timothe Litt (@tlhackque).
        - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
          check all matching virtual hosts for protocol support. Thanks to @mkauf.
        - Corrected a check when OCSP stapling was configured for hosts
          where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
        - Softening the restrictions where mod_md configuration directives may appear. This should
          allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
          you wanted in the first place, is another matter.
        [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
         Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

     *) test: Added continuous testing with Travis CI.
        This tests various scenarios on Ubuntu with the full test suite.
        Architectures tested: amd64, s390x, ppc64le, arm64
        The tests pass successfully.
        [Luca Toscano, Joe Orton, Mike Rumph, and others]

     *) core: Be stricter in parsing of Transfer-Encoding headers.
        [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

     *) mod_ssl: negotiate the TLS protocol version per name based vhost
        configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
        SSLProtocol (from the first vhost declared on the IP:port) is now only
        relevant if no SSLProtocol is declared for the vhost or globally,
        otherwise the vhost or global value apply.  [Yann Ylavic]

     *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
        output.  PR 64096.  [Joe Orton]

     *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
        [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

     *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

     *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
        r:notes_table, r:subprocess_env_table as read-only native table alternatives
        that can be iterated over. [Eric Covener]

     *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
        [Yann Ylavic, Stefan Eissing]

     *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
        r.headers_out, etc) to remove the key from the table. PR63971.
        [Eric Covener]

     *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
        ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
        always `on`, regardless of configuration. Found and reported by
        <Armin.Abfalterer@united-security-providers.ch> and
        <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

     *) mod_http2: Multiple field length violations in the same request no longer cause
        several log entries to be written. [@mkauf]

     *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
        [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

     *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
        [Jim Jagielski]

     *) mod_authn_socache: Increase the maximum length of strings that can be cached by
        the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

     *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
        [Ruediger Pluem, Eric Covener]

     *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
        valid (For example, testing for a file on a flash drive that is not mounted)
        [Christophe Jaillet]

     *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
        means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

     *) mod_md v2.2.3:
        - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
          had been additive before which was not the intended behaviour. [@mkauf]
        - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
          documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
        - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
        - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
          "transfer-encoding" to POST requests. This failed in directy communication with
          Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

     *) mod_md: Adding the several new features.
        The module offers an implementation of OCSP Stapling that can replace fully or
        for a limited set of domains the existing one from mod_ssl. OCSP handling
        is part of mod_md's monitoring and message notifications. If can be used
        for sites that do not have ACME certificates.
        The url for a CTLog Monitor can be configured. It is used in the server-status
        to link to the external status page of a certicate.
        The MDMessageCmd is called with argument "installed" when a new certificate
        has been activated on server restart/reload. This allows for processing of
        the new certificate, for example to applications that require it in different
        locations or formats.
        [Stefan Eissing]

     *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
        protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 14, 2021
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.89
- www/apache24/PLIST                                            1.32
- www/apache24/distinfo                                         1.42

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Apr  6 08:27:26 UTC 2020

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   apache: update to 2.4.43.

   Changes with Apache 2.4.43

     *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

   Changes with Apache 2.4.42

     *) mod_proxy_http: Fix the forwarding of requests with content body when a
        balancer member is unavailable; the retry on the next member was issued
        with an empty body (regression introduced in 2.4.41). PR63891.
        [Yann Ylavic]

     *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
        identifier under load, see <icing/mod_h2#195>.
        [Michael Kaufmann, Stefan Eissing]

     *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
        PR64140. [Renier Velazco <renier.velazco upr.edu>]

     *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
        PR64172.

     *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
        to allow customization of the usertrack cookie. PR64077.
        [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

     *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
        AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

     *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
        [Eric Covener, Yann Ylavic]

     *) Add a config layout for OpenWRT. [Graham Leggett]

     *) Add support for cross compiling to apxs. If apxs is being executed from
        somewhere other than its target location, add that prefix to includes and
        library directories. Without this, apxs would fail to find config_vars.mk
        and exit. [Graham Leggett]

     *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
        issue mod_md#172 (icing/mod_md#172).
        [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

     *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
        [Graham Leggett]

     *) mod_ssl: Support use of private keys and certificates from an
        OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
        [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

     *) mod_md:
        - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
          thanks to Timothe Litt (@tlhackque).
        - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
          check all matching virtual hosts for protocol support. Thanks to @mkauf.
        - Corrected a check when OCSP stapling was configured for hosts
          where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
        - Softening the restrictions where mod_md configuration directives may appear. This should
          allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
          you wanted in the first place, is another matter.
        [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
         Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

     *) test: Added continuous testing with Travis CI.
        This tests various scenarios on Ubuntu with the full test suite.
        Architectures tested: amd64, s390x, ppc64le, arm64
        The tests pass successfully.
        [Luca Toscano, Joe Orton, Mike Rumph, and others]

     *) core: Be stricter in parsing of Transfer-Encoding headers.
        [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

     *) mod_ssl: negotiate the TLS protocol version per name based vhost
        configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
        SSLProtocol (from the first vhost declared on the IP:port) is now only
        relevant if no SSLProtocol is declared for the vhost or globally,
        otherwise the vhost or global value apply.  [Yann Ylavic]

     *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
        output.  PR 64096.  [Joe Orton]

     *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
        [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

     *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

     *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
        r:notes_table, r:subprocess_env_table as read-only native table alternatives
        that can be iterated over. [Eric Covener]

     *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
        [Yann Ylavic, Stefan Eissing]

     *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
        r.headers_out, etc) to remove the key from the table. PR63971.
        [Eric Covener]

     *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
        ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
        always `on`, regardless of configuration. Found and reported by
        <Armin.Abfalterer@united-security-providers.ch> and
        <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

     *) mod_http2: Multiple field length violations in the same request no longer cause
        several log entries to be written. [@mkauf]

     *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
        [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

     *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
        [Jim Jagielski]

     *) mod_authn_socache: Increase the maximum length of strings that can be cached by
        the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

     *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
        [Ruediger Pluem, Eric Covener]

     *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
        valid (For example, testing for a file on a flash drive that is not mounted)
        [Christophe Jaillet]

     *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
        means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

     *) mod_md v2.2.3:
        - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
          had been additive before which was not the intended behaviour. [@mkauf]
        - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
          documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
        - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
        - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
          "transfer-encoding" to POST requests. This failed in directy communication with
          Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

     *) mod_md: Adding the several new features.
        The module offers an implementation of OCSP Stapling that can replace fully or
        for a limited set of domains the existing one from mod_ssl. OCSP handling
        is part of mod_md's monitoring and message notifications. If can be used
        for sites that do not have ACME certificates.
        The url for a CTLog Monitor can be configured. It is used in the server-status
        to link to the external status page of a certicate.
        The MDMessageCmd is called with argument "installed" when a new certificate
        has been activated on server restart/reload. This allows for processing of
        the new certificate, for example to applications that require it in different
        locations or formats.
        [Stefan Eissing]

     *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
        protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jan 18, 2023
www/apache24: Security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.89
- www/apache24/PLIST                                            1.32
- www/apache24/distinfo                                         1.42

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Apr  6 08:27:26 UTC 2020

   Modified Files:
   	pkgsrc/www/apache24: Makefile PLIST distinfo

   Log Message:
   apache: update to 2.4.43.

   Changes with Apache 2.4.43

     *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

   Changes with Apache 2.4.42

     *) mod_proxy_http: Fix the forwarding of requests with content body when a
        balancer member is unavailable; the retry on the next member was issued
        with an empty body (regression introduced in 2.4.41). PR63891.
        [Yann Ylavic]

     *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
        identifier under load, see <icing/mod_h2#195>.
        [Michael Kaufmann, Stefan Eissing]

     *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
        PR64140. [Renier Velazco <renier.velazco upr.edu>]

     *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
        PR64172.

     *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
        to allow customization of the usertrack cookie. PR64077.
        [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]

     *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
        AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]

     *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
        [Eric Covener, Yann Ylavic]

     *) Add a config layout for OpenWRT. [Graham Leggett]

     *) Add support for cross compiling to apxs. If apxs is being executed from
        somewhere other than its target location, add that prefix to includes and
        library directories. Without this, apxs would fail to find config_vars.mk
        and exit. [Graham Leggett]

     *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
        issue mod_md#172 (icing/mod_md#172).
        [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

     *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
        [Graham Leggett]

     *) mod_ssl: Support use of private keys and certificates from an
        OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
        [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

     *) mod_md:
        - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
          thanks to Timothe Litt (@tlhackque).
        - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
          check all matching virtual hosts for protocol support. Thanks to @mkauf.
        - Corrected a check when OCSP stapling was configured for hosts
          where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
        - Softening the restrictions where mod_md configuration directives may appear. This should
          allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
          you wanted in the first place, is another matter.
        [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
         Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

     *) test: Added continuous testing with Travis CI.
        This tests various scenarios on Ubuntu with the full test suite.
        Architectures tested: amd64, s390x, ppc64le, arm64
        The tests pass successfully.
        [Luca Toscano, Joe Orton, Mike Rumph, and others]

     *) core: Be stricter in parsing of Transfer-Encoding headers.
        [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

     *) mod_ssl: negotiate the TLS protocol version per name based vhost
        configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
        SSLProtocol (from the first vhost declared on the IP:port) is now only
        relevant if no SSLProtocol is declared for the vhost or globally,
        otherwise the vhost or global value apply.  [Yann Ylavic]

     *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
        output.  PR 64096.  [Joe Orton]

     *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
        [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

     *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

     *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
        r:notes_table, r:subprocess_env_table as read-only native table alternatives
        that can be iterated over. [Eric Covener]

     *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
        [Yann Ylavic, Stefan Eissing]

     *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
        r.headers_out, etc) to remove the key from the table. PR63971.
        [Eric Covener]

     *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
        ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
        always `on`, regardless of configuration. Found and reported by
        <Armin.Abfalterer@united-security-providers.ch> and
        <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

     *) mod_http2: Multiple field length violations in the same request no longer cause
        several log entries to be written. [@mkauf]

     *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
        [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

     *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
        [Jim Jagielski]

     *) mod_authn_socache: Increase the maximum length of strings that can be cached by
        the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]

     *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
        [Ruediger Pluem, Eric Covener]

     *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
        valid (For example, testing for a file on a flash drive that is not mounted)
        [Christophe Jaillet]

     *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
        means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

     *) mod_md v2.2.3:
        - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
          had been additive before which was not the intended behaviour. [@mkauf]
        - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
          documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
        - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
        - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
          "transfer-encoding" to POST requests. This failed in directy communication with
          Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

     *) mod_md: Adding the several new features.
        The module offers an implementation of OCSP Stapling that can replace fully or
        for a limited set of domains the existing one from mod_ssl. OCSP handling
        is part of mod_md's monitoring and message notifications. If can be used
        for sites that do not have ACME certificates.
        The url for a CTLog Monitor can be configured. It is used in the server-status
        to link to the external status page of a certicate.
        The MDMessageCmd is called with argument "installed" when a new certificate
        has been activated on server restart/reload. This allows for processing of
        the new certificate, for example to applications that require it in different
        locations or formats.
        [Stefan Eissing]

     *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
        protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants