- Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require"
was not enforced in per-location context if "SSLVerifyClient optional"
was configured in the global virtual host configuration.
Sync apache with the latest ap-ssl.
as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
Changes with mod_ssl 2.8.23 (30-Oct-2004 to 06-Jul-2005)
*) Ported to OpenSSL 0.9.8
*) Fixed connection timeout handling by calling the EAPI connection
close hook after (and not before) the B_OUT flag was set on the
underlying I/O buffer in order to prevent attempted buffer flushes
from blocking the connection.
*) Updated the ca-bundle.crt file from Mozilla's "certdata.txt"
(CVS revision 1.37).
*) Fix timeout handling in POST request processing by resetting
timeouts.
*) Fixed double-definition of OPENSSL_free under OpenSSL 0.9.6 by
fixing the version test in ssl_util_ssl.h
*) Adjusted all copyright messages to contain the new year 2005 ;)
- With OpenSSL 0.9.7, prevent session resumption during a
renegotiation to force the client to negotiate a new (and
acceptable to mod_ssl) cipher suite. Additionally, ensure
that a correct cipher suite has been negotiated afterwards
(CAN-2004-0885).
- Fixed more printf(3) style format string bugs (not security
related) which could crash the server if mod_ssl's trace
or debug log level is enabled.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
which are the full option names used to set rpath directives for the
linker and the compiler, respectively. In places were we are invoking
the linker, use "${LINKER_RPATH_FLAG} <path>", where the space is
inserted in case the flag is a word, e.g. -rpath. The default values
of *_RPATH_FLAG are set by the compiler/*.mk files, depending on the
compiler that you use. They may be overridden on a ${OPSYS}-specific
basis by setting _OPSYS_LINKER_RPATH_FLAG and _OPSYS_COMPILER_RPATH_FLAG,
respectively. Garbage-collect _OPSYS_RPATH_NAME and _COMPILER_LD_FLAG.
- fix installation of example README.CSR.
Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004)
*) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation
if the Subject-DN in the client certificate exceeds 6KB in length.
(CVE CAN-2004-0488).
*) Handle the case of OpenSSL retry requests after interrupted system
calls during the SSL handshake phase.
*) Remove some unused functions.
Changes with mod_ssl 2.8.17 (01-Nov-2003 to 11-May-2004)
*) Upgraded to Apache 1.3.31
*) Log the OpenSSL error stack contents if the crypto engine
load/init fails.
*) Fixed segfault in lookup of variable SESSION_ID
in case SSL_get_session() returns NULL.
*) Bugfix "dbm" session cache: the DBM file was closed
too early (before accessing the data).
*) Bugfix "shmcb" session cache for situations where
the session data is bigger than the cache size.
*) Adjusted all copyright messages to contain the new year 2004 ;)
Major changes since 2.8.15:
*) Upgraded to Apache 1.3.29
*) Avoid memory corruption in certificate handling caused by a heap
memory double-freeing situation.
*) Allow "HTTPS" variable to be passed through by suEXEC.
*) Clear the OpenSSL error code in pass phrase reading code to
workaround the following situation: multiple keys, all with
different passphrases -- entering the correct pass phrase at each
prompt leads to an OpenSSL error message after the last prompt.
*) Reverted the recent change where ap_cleanup_for_exec() called
ap_kill_alloc_shared(). This caused nasty side-effects in other
processes and is not necessary at all (because shared memory
segments are not inherited across exec).
*) mod_ssl was checking the OpenSSL error reason code against
SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since
OpenSSL reason codes are not unique, this isn't always the case.
It now additionally checks that the library is the SSL library.
USE_GCC2 or USE_GCC3 where appropriate.
the functionality of the old gcc.buildlink2.mk has been rolled into
compiler.mk now, which is automatically used.
more changes to come later...
Changes with mod_ssl 2.8.14 (18-Mar-2002 to 21-Mar-2003)
*) Fixed logic in the destruction of a temporary certificate
structure and this way avoid a crash due to freeing NULL object.
*) Removed one newly introduced X509_free() call in the context of
SSL_get_certificate(), because this function does not increment a
reference count (although SSL_get_peer_certificate() does).
*) Fixed hash-table based shared memory session cache (shmht)
implementation by making sure that the underlying hash table
library does not crash if memory cannot be allocated.
Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003)
*) Always enforce RSA blinding on RSA private keys in order to be
resistent to timing attacks.
*) Added timeout also to the "pre-sucking" of the trailing data in
POST request handling.
*) Correctly shutdown shared memory pools on fork+exec situations.
*) Bugfix SSL client certificate verification: OpenSSL was not
informed with SSL_set_verify_result(ssl, X509_V_OK) in case
mod_ssl forced the verification to be ok.
*) Consistently use OPENSSL_free() instead of plain free() to
deallocate memory chunks allocated inside OpenSSL.
*) Fixed various memory leaks related to X509 certificates.
New patch-ac sent to maintainer.
Makefiles simply need to use this value often, for better or for
worse.
(2) Create a new variable FIX_RPATH that lists variables that should
be cleansed of -R or -rpath values if ${_USE_RPATH} is "no". By
default, FIX_RPATH contains LIBS, X11_LDFLAGS, and LDFLAGS, and
additional variables may be appended from package Makefiles.
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)
*) Fixed potential Cross-Site-Scripting bug.
*) Allow also 8192 bytes of shared memory data size.
- Upgraded to Apache 1.3.27.
- Fixed internal error handling for CRL verification.
- Initialize OpenSSL ENGINE before initializing OpenSSL
to workaround problems with the PRNG.
- Also find "openssl" executable in "sbin" directories.
- Honor specified number of maximum bytes on SSLRandomSeed
if reading from EGD.
- Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)
*) Fixed off-by-one buffer overflow bug in the compatibility
functionality (mapping of old directives to new ones).
*) Fixed memory leak in processing of CA certificates.
*) In case there is actually a certificate chain in the session cache,
we now use the value of SSL_get_peer_certificate(ssl) to verify as
it will have been removed from the chain before it was put in the
cache.
*) Seed the PRNG with a maximum of 1K from the internal scoreboard.
