- Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require"
was not enforced in per-location context if "SSLVerifyClient optional"
was configured in the global virtual host configuration.
Sync apache with the latest ap-ssl.
Changes with mod_ssl 2.8.23 (30-Oct-2004 to 06-Jul-2005)
*) Ported to OpenSSL 0.9.8
*) Fixed connection timeout handling by calling the EAPI connection
close hook after (and not before) the B_OUT flag was set on the
underlying I/O buffer in order to prevent attempted buffer flushes
from blocking the connection.
*) Updated the ca-bundle.crt file from Mozilla's "certdata.txt"
(CVS revision 1.37).
*) Fix timeout handling in POST request processing by resetting
timeouts.
*) Fixed double-definition of OPENSSL_free under OpenSSL 0.9.6 by
fixing the version test in ssl_util_ssl.h
*) Adjusted all copyright messages to contain the new year 2005 ;)
- With OpenSSL 0.9.7, prevent session resumption during a
renegotiation to force the client to negotiate a new (and
acceptable to mod_ssl) cipher suite. Additionally, ensure
that a correct cipher suite has been negotiated afterwards
(CAN-2004-0885).
- Fixed more printf(3) style format string bugs (not security
related) which could crash the server if mod_ssl's trace
or debug log level is enabled.
- fix installation of example README.CSR.
Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004)
*) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation
if the Subject-DN in the client certificate exceeds 6KB in length.
(CVE CAN-2004-0488).
*) Handle the case of OpenSSL retry requests after interrupted system
calls during the SSL handshake phase.
*) Remove some unused functions.
Changes with mod_ssl 2.8.17 (01-Nov-2003 to 11-May-2004)
*) Upgraded to Apache 1.3.31
*) Log the OpenSSL error stack contents if the crypto engine
load/init fails.
*) Fixed segfault in lookup of variable SESSION_ID
in case SSL_get_session() returns NULL.
*) Bugfix "dbm" session cache: the DBM file was closed
too early (before accessing the data).
*) Bugfix "shmcb" session cache for situations where
the session data is bigger than the cache size.
*) Adjusted all copyright messages to contain the new year 2004 ;)
Major changes since 2.8.15:
*) Upgraded to Apache 1.3.29
*) Avoid memory corruption in certificate handling caused by a heap
memory double-freeing situation.
*) Allow "HTTPS" variable to be passed through by suEXEC.
*) Clear the OpenSSL error code in pass phrase reading code to
workaround the following situation: multiple keys, all with
different passphrases -- entering the correct pass phrase at each
prompt leads to an OpenSSL error message after the last prompt.
*) Reverted the recent change where ap_cleanup_for_exec() called
ap_kill_alloc_shared(). This caused nasty side-effects in other
processes and is not necessary at all (because shared memory
segments are not inherited across exec).
*) mod_ssl was checking the OpenSSL error reason code against
SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since
OpenSSL reason codes are not unique, this isn't always the case.
It now additionally checks that the library is the SSL library.
Changes with mod_ssl 2.8.14 (18-Mar-2002 to 21-Mar-2003)
*) Fixed logic in the destruction of a temporary certificate
structure and this way avoid a crash due to freeing NULL object.
*) Removed one newly introduced X509_free() call in the context of
SSL_get_certificate(), because this function does not increment a
reference count (although SSL_get_peer_certificate() does).
*) Fixed hash-table based shared memory session cache (shmht)
implementation by making sure that the underlying hash table
library does not crash if memory cannot be allocated.
Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003)
*) Always enforce RSA blinding on RSA private keys in order to be
resistent to timing attacks.
*) Added timeout also to the "pre-sucking" of the trailing data in
POST request handling.
*) Correctly shutdown shared memory pools on fork+exec situations.
*) Bugfix SSL client certificate verification: OpenSSL was not
informed with SSL_set_verify_result(ssl, X509_V_OK) in case
mod_ssl forced the verification to be ok.
*) Consistently use OPENSSL_free() instead of plain free() to
deallocate memory chunks allocated inside OpenSSL.
*) Fixed various memory leaks related to X509 certificates.
New patch-ac sent to maintainer.
Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)
*) Fixed potential Cross-Site-Scripting bug.
*) Allow also 8192 bytes of shared memory data size.
- Upgraded to Apache 1.3.27.
- Fixed internal error handling for CRL verification.
- Initialize OpenSSL ENGINE before initializing OpenSSL
to workaround problems with the PRNG.
- Also find "openssl" executable in "sbin" directories.
- Honor specified number of maximum bytes on SSLRandomSeed
if reading from EGD.
- Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)
*) Fixed off-by-one buffer overflow bug in the compatibility
functionality (mapping of old directives to new ones).
*) Fixed memory leak in processing of CA certificates.
*) In case there is actually a certificate chain in the session cache,
we now use the value of SSL_get_peer_certificate(ssl) to verify as
it will have been removed from the chain before it was put in the
cache.
*) Seed the PRNG with a maximum of 1K from the internal scoreboard.
*) Upgraded to Apache 1.3.24
*) Support leading whitespaces in commands of SSLLog "|..." directives.
*) Fixed timeout handling on connection establishment by correctly
resetting the timeout on errors.
*) Fixed two memory leaks related to CA certificate configuration.
*) Fixed memory leak related to temporary DH key handling.
*) Fixed memory leak on shutdown if CRLs are used.
*) Fixed remaining SIGBUS problems on SPARC inside SHMCB session
cache implementation.
Relevant changes from version 2.8.6 include:
*) Fixed potential buffer overflow in DBM and SHMHT session
cache if very very large certificate chains are used.
*) Compliance with POSIX 1003.1-2001 (SUSv3) by replacing obsolete
"head -1" and "tail -1" constructs with sed variants in scripts.
*) Upgraded to Apache 1.3.23
*) Fixed a subtle indexing bug in SHMCB. Each sub-cache used an
indexing structure that (correctly) used index values (and ranges)
as "unsigned int", but the meta-structure in the header had these
ranged as "unsigned char".
*) Perform the SHMCB remove operation under mutual exclusion
to prevent a inter-process synchronization problem.
*) Made sure that mod_ssl does not segfault in case of
SCOREBOARD_SIZE < 1024.
*) Merged in the SDBM patch from Uwe Ohse which fixes a problem with
sdbms .dir file, which arrises when a second .dir block is needed
for the first time. read() returns 0 in that case, and the library
forgot to initialize that new block. A related problem is that the
calculation of db->maxbno is wrong. It just appends 4096*BYTESIZ
bits, which is not enough except for small databases (.dir
basically doubles everytime it's too small).
Changes from version 2.8.4 include:
*) Upgraded to Apache 1.3.22
*) Fixed check whether server certificate wildcard CommonName (CN)
matches the configured server name.
*) Fixed buffer overflow.
*) Allow loadcacert.cgi script to work inside mod_perl.
*) Fixed typo in the directive descriptions in mod_ssl.c
*) Fixed ENGINE support: the engine support is are now already
loaded at configure time. Else mod_ssl fails to find them.
*) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache
variant from "experimental" state to "production" by removing the
`#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means
that now `SSLSessionCache shmcb:...' is unconditionally available.
*) Made the mutex handling more robust by retrying the
semaphore-based operations in interrupt situations
(errno == EINTR).
*) Also log the OpenSSL error message if the RSA temporary
key(s) cannot be generated.
*) Fixed mod_ssl Auth handler: it now returns DECLINED instead of
OK if authentication is passed successfully to allow other modules
(usually mod_auth) to still deny the request.
*) Fixed certificate DN handling under EBCDIC platforms.
