*) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache
variant from "experimental" state to "production" by removing the
`#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means
that now `SSLSessionCache shmcb:...' is unconditionally available.
*) Made the mutex handling more robust by retrying the
semaphore-based operations in interrupt situations
(errno == EINTR).
*) Also log the OpenSSL error message if the RSA temporary
key(s) cannot be generated.
*) Fixed mod_ssl Auth handler: it now returns DECLINED instead of
OK if authentication is passed successfully to allow other modules
(usually mod_auth) to still deny the request.
*) Fixed certificate DN handling under EBCDIC platforms.
-) Rename mod_ssl.conf to apache_start.conf.
*) Upgraded to Apache 1.3.17 as base version.
*) Allow %{ENV:variable} in SSLRequire expressions, too.
*) Make sure the user is not able to fake the client certificate
based authentication by just entering an X.509 Subject DN
("/XX=YYY/XX=YYY/..") as the username and "password" as the
password if "SSLVerifyClient optional" is used in combination
with "SSLOptions +FakeBasicAuth".
Convert most MESSAGE files to new syntax (${VARIABLE} gets replaced,
not @VARIABLE@, nor @@VARIABLE@@).
By default, substitutions are done for LOCALBASE, PKGNAME, PREFIX,
X11BASE, X11PREFIX; additional patterns can be added via MESSAGE_SUBST.
Clean up some packages while I'm there; add RCS tags to most MESSAGEs.
Remove some uninteresting MESSAGEs.
o Added experimental support for OpenSSL's crypto device support
o Completely removed RSAref support
o Added new Cyclic Buffer based Shared Memory Session Cache variant
o Restructured the Session Cache implementation(s)
o Upgrade to Apache 1.3.14
Also make me the maintainer. Relevant changes from version 2.6.3:
-) Install ${sbindir}/mkcert.sh to ease generation of SSL certificates.
*) Fixed server restarts: Under non-DSO run-time situation, the
OpenSSL library was shutdown (and never re-initialized) and this
way caused segfaults on server restarts. This affected only
installations where mod_ssl+OpenSSL were built as a static module
instead of a DSO. This nasty bug was unfortunately introduced in
2.6.5 as a side-effect of an (otherwise correct) memory leak bugfix.
*) Various typo fixes in user manual.
*) Removed more memory leaks by freeing even more stuff
from the OpenSSL toolkit on module shutdown.
*) Added missing TLSv1, EXP40 and EXP56 keywords to
ssl_reference's documentation of SSLCipherSuite.
*) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.)
to the FAQ entry about MSIE errors.
*) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid
MSIE5.x problems in advance.
*) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments
which is especially important for the Win32 environment.
*) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all"
*) Removed a left-over ssl_scache_expire() call in ssl_scache_init()
which made the life of vendors complicated.
*) Allow more fine-tuned overriding of ap_server_root_relative calls
by providing the context of the call.
*) Added Equifax Secure CA certificates to ca-bundle.crt.
*) Let the pass phrase dialog force the prompt to occur only once
(no verification step), because mod_ssl uses the dialog only for
pass phrases which are required for reading private keys. This as a
side-effect should fix a problem under Win32 where a second prompt
occured for unknown reasons.
*) Added more compatibility to Stronghold v2's SSL_SessionCache.
*) Added two more EAPI hools under SSL_VENDOR: one for overriding
ap_server_root_relative calls and one for hooking into the server
configuration step.
*) Fixed SSL display for mod_status in `short report' situation.
*) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL.
Apache server and OpenSSl-0.9.4.
Makefile: Take advantage of the working configure script.
patches/patch-aa: replace this with a gross hack that finds the libssl
shared library with our current version of the OpenSSL pkg.
