Commit graph

60 commits

Author SHA1 Message Date
jlam
7e8dea6c91 Update www/ap-ssl to 2.8.8. Changes from version 2.8.7 include:
   *) Upgraded to Apache 1.3.24
   *) Support leading whitespaces in commands of SSLLog "|..." directives.
   *) Fixed timeout handling on connection establishment by correctly
      resetting the timeout on errors.
   *) Fixed two memory leaks related to CA certificate configuration.
   *) Fixed memory leak related to temporary DH key handling.
   *) Fixed memory leak on shutdown if CRLs are used.
   *) Fixed remaining SIGBUS problems on SPARC inside SHMCB session
      cache implementation.
2002-04-02 14:22:23 +00:00
jlam
60f5701ef0 Update www/ap-ssl to 2.8.7 from the mod_ssl-2.8.7-1.3.23 distribution.
Relevant changes from version 2.8.6 include:

   *) Fixed potential buffer overflow in DBM and SHMHT session
      cache if very very large certificate chains are used.

   *) Compliance with POSIX 1003.1-2001 (SUSv3) by replacing obsolete
      "head -1" and "tail -1" constructs with sed variants in scripts.
2002-02-28 05:45:44 +00:00
jlam
401c787b36 Update www/ap-ssl to 2.8.6:
   *) Upgraded to Apache 1.3.23

   *) Fixed a subtle indexing bug in SHMCB. Each sub-cache used an
      indexing structure that (correctly) used index values (and ranges)
      as "unsigned int", but the meta-structure in the header had these
      ranged as "unsigned char".

   *) Perform the SHMCB remove operation under mutual exclusion
      to prevent an inter-process synchronization problem.

   *) Made sure that mod_ssl does not segfault in case of
      SCOREBOARD_SIZE < 1024.

   *) Merged in the SDBM patch from Uwe Ohse which fixes a problem with
      sdbms .dir file, which arises when a second .dir block is needed
      for the first time. read() returns 0 in that case, and the library
      forgot to initialize that new block. A related problem is that the
      calculation of db->maxbno is wrong. It just appends 4096*BYTESIZ
      bits, which is not enough except for small databases (.dir
      basically doubles every time it's too small).
2002-02-01 16:05:15 +00:00
jlam
3d83091f3b Move ownership of SSL-related config directories from www/apache to this
package.
2002-01-01 06:12:38 +00:00
jlam
55ffb37406 bsd.pkg.install.mk calls the INSTALL script at the right times
automatically, so no need to do it ourselves.
2001-12-02 06:56:38 +00:00
jlam
6e896e42e0 Forgot a CONFDIR -> PKG_SYSCONFDIR replacement. 2001-11-26 07:30:44 +00:00
jlam
ffceca11a9 PKG_SYSCONFDIR is where the configuration files for a package may be found.
This value may be customized in various ways:

PKG_SYSCONFBASE is the main config directory under which all package
	configuration files are to be found.

PKG_SYSCONFSUBDIR is the subdirectory of PKG_SYSCONFBASE under which the
	configuration files for a particular package may be found.

PKG_SYSCONFDIR.${PKGBASE} overrides the value of ${PKG_SYSCONFDIR} for a
	particular package.

Users will typically want to set PKG_SYSCONFBASE to /etc, or accept the
default location of ${PREFIX}/etc.

This obsoletes the use of CONFDIR, which was active for only 6 days, so no
need to have a workaround to still accept old CONFDIR settings.
2001-11-25 18:59:45 +00:00
jlam
b23d2e8626 Adapt to use shared INSTALL/DEINSTALL scripts by using the logic in
bsd.pkg.install.mk:

	* Remove old DEINSTALL/INSTALL scripts.
	* Move some text printed at POST-INSTALL time into the MESSAGE file.
	* Adjust rc.d scripts to respect rc.conf settings, so that the
	  script may be directly copied into /etc/rc.d.
2001-11-19 16:23:08 +00:00
zuntum
431e7a7dda Move pkg/ files into package's toplevel directory 2001-11-01 02:15:23 +00:00
jlam
b6d299c11f Update ap-ssl to 2.8.5 from the mod_ssl-2.8.5-1.3.22 distribution.
Changes from version 2.8.4 include:

   *) Upgraded to Apache 1.3.22
   *) Fixed check whether server certificate wildcard CommonName (CN)
      matches the configured server name.
   *) Fixed buffer overflow.
2001-10-17 19:17:11 +00:00
jlam
f79573370a Mechanical changes to 375 files to change dependency patterns of the form
foo-* to foo-[0-9]*.  This is to cause the dependencies to match only the
packages whose base package name is "foo", and not those named "foo-bar".
A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net.  Also
change dependency examples in Packages.txt to reflect this.
2001-09-27 23:17:41 +00:00
jlam
9820a22a90 In package Makefiles, create FILES_SUBST instead of duplicating sed
expression for substituting in DEINSTALL/INSTALL scripts.  Use "${CMP} -s"
instead of "diff -q" since the former is more portable across OSes.
2001-07-13 07:09:17 +00:00
jlam
0fd480400b Update ap-ssl to 2.8.4 using mod_ssl-2.8.4-1.3.20. Relevant changes from
version 2.8.3 include:

   *) Upgraded to Apache 1.3.20
2001-06-09 06:50:24 +00:00
jlam
00f02e20eb Update ap-ssl to 2.8.4 using mod_ssl-2.8.4-1.3.20. The only relevant change
from version 2.8.3 is upgrading the mod_ssl sources to patch against Apache
1.3.20.  The pkgsrc changes include unifying repeated SED replacement info
for various files into one location, FILES_SUBST.
2001-06-09 06:50:23 +00:00
jlam
e870d60151 Update ap-ssl to 2.8.3. Changes from version 2.8.2 include:
   *) Allow loadcacert.cgi script to work inside mod_perl.

   *) Fixed typo in the directive descriptions in mod_ssl.c

   *) Fixed ENGINE support: the engine support is now already
      loaded at configure time. Else mod_ssl fails to find them.
2001-05-14 14:02:47 +00:00
jlam
973a745d6d Add APACHE_SYSCONFDIR to BUILD_DEFS. 2001-04-30 04:27:34 +00:00
jlam
d2115787d1 Need apache>=1.3.19nb1, the apache package version with the mod_ssl-2.8.2
patches.
2001-04-29 20:40:32 +00:00
jlam
c9b1cd81cf Update ap-ssl to 2.8.2. Relevant changes from version 2.8.1:
   *) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache
      variant from "experimental" state to "production" by removing the
      `#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means
      that now `SSLSessionCache shmcb:...' is unconditionally available.

   *) Made the mutex handling more robust by retrying the
      semaphore-based operations in interrupt situations
      (errno == EINTR).

   *) Also log the OpenSSL error message if the RSA temporary
      key(s) cannot be generated.

   *) Fixed mod_ssl Auth handler: it now returns DECLINED instead of
      OK if authentication is passed successfully to allow other modules
      (usually mod_auth) to still deny the request.

   *) Fixed certificate DN handling under EBCDIC platforms.
2001-04-29 20:36:47 +00:00
skrll
aa3c03b75a Move to sha1 digests, and add distfile sizes. 2001-04-20 12:02:30 +00:00
agc
8f972b049a + move the distfile digest/checksum value from files/md5 to distinfo
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-04-17 12:12:16 +00:00
hubertf
e32afb6fea Change BUILD_DEPENDS semantics:
first component is now a package name+version/pattern, no more
executable/patchname/whatnot.

While there, introduce BUILD_USES_MSGFMT as shorthand to pull in
devel/gettext unless /usr/bin/msgfmt exists (i.e. on post-1.5 -current).

Patch by Alistair Crooks <agc@netbsd.org>
2001-03-27 03:19:43 +00:00
jlam
527504db74 Update ap-ssl to 2.8.1. No functional changes from ap-ssl-2.8.0 -- just
update work with apache-1.3.19.
2001-03-13 20:54:47 +00:00
wiz
a0745845b3 Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT. 2001-02-17 17:21:28 +00:00
tron
30e6f552db Fix incorrect version number in dependence on "apache" package. 2001-02-07 15:23:29 +00:00
jlam
cf3433738e Update ap-ssl to 2.8.0. Relevant changes from version 2.7.1:
   -) Rename mod_ssl.conf to apache_start.conf.
   *) Upgraded to Apache 1.3.17 as base version.
   *) Allow %{ENV:variable} in SSLRequire expressions, too.
   *) Make sure the user is not able to fake the client certificate
      based authentication by just entering an X.509 Subject DN
      ("/XX=YYY/XX=YYY/..") as the username and "password" as the
      password if "SSLVerifyClient optional" is used in combination
      with "SSLOptions +FakeBasicAuth".
2001-02-02 16:41:22 +00:00
wiz
b979f7222a Add automatic ${VARIABLE} handling for MESSAGE files.
Convert most MESSAGE files to new syntax (${VARIABLE} gets replaced,
not @VARIABLE@, nor @@VARIABLE@@).
By default, substitutions are done for LOCALBASE, PKGNAME, PREFIX,
X11BASE, X11PREFIX; additional patterns can be added via MESSAGE_SUBST.
Clean up some packages while I'm there; add RCS tags to most MESSAGEs.
Remove some uninteresting MESSAGEs.
2001-01-29 11:34:21 +00:00
tv
a1936cfdb4 Change DEPENDS to 1.3.14nb1. 2001-01-13 15:30:49 +00:00
jlam
fed7aee3f4 Update ap-ssl to 2.7.1 using mod_ssl-2.7.1-1.3.14. Also update apache to
1.3.14.1, adding a superminor version number to indicate possible EAPI
update.

   *) Fixed the parsing of SSLSessionCache directives. The prefixes were
      incorrectly skipped and led to "unable to open semaphore file"
      errors.
2000-10-17 18:14:15 +00:00
jlam
7a975f91b3 Update ap-ssl to 2.7.0. Major changes from version 2.6.6:
    o  Added experimental support for OpenSSL's crypto device support
    o  Completely removed RSAref support
    o  Added new Cyclic Buffer based Shared Memory Session Cache variant
    o  Restructured the Session Cache implementation(s)
    o  Upgrade to Apache 1.3.14
2000-10-13 21:48:01 +00:00
fredb
fcb6b8be9d Make USE_RSAREF2=NO the default. Missed this one on the last sweep. 2000-10-05 14:07:37 +00:00
jlam
c4c9aaf68c Add etc/httpd/mod_ssl.conf to PLIST. 2000-09-12 14:58:56 +00:00
jlam
4413844537 Provide mechanism for ap-ssl to force start of apache with "startssl". 2000-09-12 14:52:43 +00:00
jlam
18ad494d31 Alphabetize PLIST. 2000-09-12 14:09:52 +00:00
jlam
b78686df0d Update ap-ssl to 2.6.6. Important fixes for memory leaks and segfaults.
Also make me the maintainer.  Relevant changes from version 2.6.3:

   -) Install ${sbindir}/mkcert.sh to ease generation of SSL certificates.

   *) Fixed server restarts: Under non-DSO run-time situation, the
      OpenSSL library was shutdown (and never re-initialized) and this
      way caused segfaults on server restarts. This affected only
      installations where mod_ssl+OpenSSL were built as a static module
      instead of a DSO. This nasty bug was unfortunately introduced in
      2.6.5 as a side-effect of an (otherwise correct) memory leak bugfix.

   *) Various typo fixes in user manual.

   *) Removed more memory leaks by freeing even more stuff
      from the OpenSSL toolkit on module shutdown.

   *) Added missing TLSv1, EXP40 and EXP56 keywords to
      ssl_reference's documentation of SSLCipherSuite.

   *) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.)
      to the FAQ entry about MSIE errors.

   *) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid
      MSIE5.x problems in advance.

   *) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments
      which is especially important for the Win32 environment.

   *) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all"

   *) Removed a left-over ssl_scache_expire() call in ssl_scache_init()
      which made the life of vendors complicated.

   *) Allow more fine-tuned overriding of ap_server_root_relative calls
      by providing the context of the call.

   *) Added Equifax Secure CA certificates to ca-bundle.crt.

   *) Let the pass phrase dialog force the prompt to occur only once
      (no verification step), because mod_ssl uses the dialog only for
      pass phrases which are required for reading private keys. This as a
      side-effect should fix a problem under Win32 where a second prompt
      occurred for unknown reasons.

   *) Added more compatibility to Stronghold v2's SSL_SessionCache.

   *) Added two more EAPI hooks under SSL_VENDOR: one for overriding
      ap_server_root_relative calls and one for hooking into the server
      configuration step.

   *) Fixed SSL display for mod_status in `short report' situation.

   *) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
      support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL.
2000-09-12 14:05:16 +00:00
jlam
749b27c581 Don't specify version numbers of the libraries to load for SSL support --
version numbers change, and it doesn't work correctly on a.out anyway.

Closes pkg/10309.
2000-09-06 05:52:48 +00:00
jlam
60d8d28f10 Update build dependency on perl to build in correct directory if perl
interpreter is not found.
2000-09-05 09:33:15 +00:00
wiz
d4a8c73b22 grep -> ${GREP} 2000-09-03 13:36:36 +00:00
jlam
bb3a955498 Use PERL5 variable for location of perl5 binary. 2000-08-28 09:14:50 +00:00
tron
a51550e063 Don't install dummy server key and certificate which would overwrite the
real certificate and key during. Fixes PR pkg/10644 by Olaf Seibert.
2000-07-21 16:59:28 +00:00
jdolecek
a5da7a9239 Use the -R flag when calling ld, so that the created shared object is actually
usable on ELF systems.
2000-06-02 23:34:31 +00:00
tron
66c3710e5d Switch to "USE_SSL". 2000-04-26 21:18:53 +00:00
tron
a89c56456f Clean up dependences lists. 2000-04-24 13:45:52 +00:00
explorer
470b971d20 unneeded patch removed 2000-04-21 02:19:33 +00:00
explorer
7b252a6bee upgrade to mod_ssl-2.6.3-1.3.12, which will handle openssl-0.9.5a 2000-04-21 02:17:38 +00:00
jwise
38d7a78274 Update ap-ssl to mod_ssl-2.5.0.
Main change is support for apache-1.3.11.

In more detail:

  Changes with mod_ssl 2.5.0 (08-Jan-2000 to 22-Jan-2000)

   *) Switched the old "POST for HTTPS" support code from
      defined(SSL_EXPERIMENTAL) to !defined(SSL_CONSERVATIVE), because this
      code is both already stable (even if it's not a conservative approach) and
      important. This way POST support is now available per default, but still
      can be disabled/removed by very conservative people with an easy
      --enable-rule=SSL_CONSERVATIVE.

   *) Added SSL_CONSERVATIVE rule to src/Configuration.tmpl which
      complements SSL_EXPERIMENTAL. Both rules are per default set
      to "no", i.e. disabled. But while SSL_EXPERIMENTAL still enables
      experimental code, SSL_CONSERVATIVE enables conservative code.  That is,
      actually per default some non-conservative things might be enabled which
      can be _disabled_ by forcing mod_ssl to use only conservative
      approaches.

   *) Added entry about "no shared ciphers" to FAQ.

   *) Upgraded to the new Apache version: 1.3.11 (BTW, Apache 1.3.10
      was never released). This moves the mod_ssl community to the
      latest Apache state and this way implicitly provides them over 70
      bugfixes and cleanups which 1.3.11 provides over 1.3.9.

  Changes with mod_ssl 2.4.10 (24-Nov-1999 to 08-Jan-2000)

   *) Mentioned MD5-encrypted password in ssl_reference.wml in addition
      to DES-encrypted password.

   *) Added a new FAQ entry about the path internally pre-defined by
      EAPI_MM_CORE_PATH.

   *) Adjust the name-based-vhost complain: Talk say "you should not
      use" instead of "you cannot use", because first there are
      situations where it can be reasonable to use name-based vhosts with
      SSL and second there is no technical restriction on the mod_ssl side,
      of course.

   *) Changed the license on mod_define.c from the BSD/Apache-style
      license to an even less restrictive MIT-style license to allow
      everyone to do with this module what they want.

   *) Fixed a compile-time warning under very strict compilers by using
      a more correct `ssl_verify_t' (enum based) instead of `int' in
      ssl_engine_config.c.

   *) Various minor documentation updates.

   *) Made the EAPI-vs-plain-API complain in mod_so more clear.

   *) Adjusted all copyright messages to contain the new year 2000 ;)

   *) Fixed INSTALL.W32 document for latest OpenSSL versions.

   *) Fixed SSL session id context configuration: the value is now an
      MD5 of `server:port' and this way always a string of just 32 bytes,
      so OpenSSL's SSL_set_session_id_context() doesn't fail.

   *) Removed old CVS informations from etc/patch.tar tarball.

  Changes with mod_ssl 2.4.9 (05-Nov-1999 to 24-Nov-1999)

   *) Fixed SSLRequire expression evaluation for number strings.
      Expressions like `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128'
      didn't work if SSL_CIPHER_USEKEYSIZE was "40" because the evaluation
      used strcmp(3) and this fails to compare numbers of different length.
      An own comparison function is now used to avoid this problem.

   *) Now on Win32 a warning is logged once on startup that mod_ssl is
      NOT officially supported under Win32 and people have to use it there on
      their own risk (and so shouldn't complain if it doesn't work). Because
      only the Unix platform is officially supported and mod_ssl is checked
      for security issues only related to this platform.

   *) For performance reasons it is unreasonable to create the SSL_*
      CGI/SSI variables _all the time_, because their creation is
      a rather expensive operation which slows down the server
      noticeably. Instead it is more reasonable to let them create for
      CGI and SSI requests _only_. For consistency reason with other
      `SSLOptions' variables (which all have positive names) and to
      avoid necessary cleanups changes in the future, I decided to make
      the incompatibility change _NOW_ (sorry).

      In short: With mod_ssl 2.4.9 per default no SSI/CGI variables
      SSL_* are created any longer (only the special "HTTPS" variable is
      always created). Instead one has to use `SSLOptions +StdEnvVars'
      to switch the creation on.

   *) Added an `SSLOptions' variable `StdEnvVars' which now controls
      the creation of the numerous SSL_* CGI/SSI variables.

   *) Renamed old variable SSL_{CLIENT,SERVER}_{S,I}_DN_SP to more
      correct SSL_{CLIENT,SERVER}_{S,I}_DN_ST variable to conform to
      RFC2156 and current OpenSSL state (which also prints this OID as
      "ST" and no longer "SP").

   *) Added support for SSL_{CLIENT,SERVER}_{S,I}_DN_{T,I,G,S,D,UID}
      variables (corresponding to X.509 title, initials, givenName, surname,
      description and uniqueIdentifier OIDs) to allow the checking of more
      X.509 certificate ingredients.

   *) Allow mod_rewrite to also lookup the "HTTPS" variable, for instance
      via ``RewriteCond %{HTTPS} !=on''.

   *) Removed old URL references to rsaref20.tar.Z from INSTALL document.

   *) Now an explicit error message is logged also if an SSL session cannot be
      stored to the DBM file via dbm_store (and not just if dbm_open failed).

   *) Now the pass phrase dialog no longer uses the hard-coded
      filedescriptor 10 as the storage for stderr while the pass phrase dialog
      is displayed. Instead (at least under Unix) it tries to open /dev/null
      and uses this filedescriptor instead. And when this fails (or always
      under Win32) it uses the hard-coded filedescriptor 50 (a lot higher than
      10 to avoid problems with logfile rotation programs and other things
      Apache could have started).

   *) Fixed SSL_make_ciphersuite() function: it calculated the required string
      length incorrectly and could segfault. BUT THIS FUNCTION IS STILL NOT
      USED IN MOD_SSL AT ALL, so don't panic. This function is for debugging
      purposes only.

   *) Fixed a filedescriptor leak which happened if encrypted private keys
      were used. Here the pass phrase dialog forgot to close a temporary
      filedescriptor.

   *) Added three new OpenSSL log entry annotations: First, "*no start
      line*" now triggers "Bad file contents or format - or even just
      a forgotten SSLCertificate KeyFile?" and "*bad password read*"
      triggers "You entered an incorrect pass phrase!?". Additionally
      "*bad mac decode*" now triggers "Browser still remembered details
      of a re-created server certificate?" because people often get "bad
      data" dialog boxes while (re-)testing with Snake Oil certs.

   *) Added hint about possibly blocking /dev/random devices also to
      httpd.conf-default to make sure people don't overlook this subtle
      platform-dependent problem. Additionally a new FAQ entry was
      made about this, too.

   *) Added an entry to the FAQ about GIDs and their intermediate
      certificate which has to be configured with SSLCertificateChainFile.

   *) Fixed some external URLs in the FAQ.
2000-02-17 04:21:58 +00:00
agc
4cffd86a29 When multi-line dependencies occur, use a "DEPENDS+= package" format
for each of the continuation lines, rather than using backslashes to
continue a single, long definition. This makes it much easier to spot
pre-requisite packages and other dependencies.
2000-02-15 09:26:12 +00:00
abs
df05aef71f Strip trailing '.', and/or leading '(a|an) ' 2000-01-05 15:37:50 +00:00
bad
b48bd9b182 Fix path to RSAref library. Fixes PR pkg/8968 by Paul Dokas.
XXX Maybe we could tell the configure script that OpenSSL and RSAref
are in the "system" location and have the configure script pick it up with
the -I and -L flags.
1999-12-07 20:15:16 +00:00
bad
daad875374 regen. 1999-12-01 01:01:25 +00:00
bad
d94ed56619 Update to mod_ssl-2.3.8-1.3.9 so that this works again with the updated
Apache server and OpenSSL-0.9.4.

Makefile: Take advantage of the working configure script.

patches/patch-aa: replace this with a gross hack that finds the libssl
	shared library with our current version of the OpenSSL pkg.
1999-12-01 01:00:17 +00:00