Commit Graph

3766 Commits

Author SHA1 Message Date
Glenn Strauss b80d287df7 [mod_mbedtls] fix acme-tls/1 challenge bootstrap
mbedtls does not provide a callback for ALPN and expects certificate to
be set in SNI callback (if set), while still in MBEDTLS_SSL_CLIENT_HELLO
state.  Waiting until after MBEDTLS_SSL_CLIENT_HELLO would be fine for
using ALPN for "h2", but is too late to set acme-tls/1 challenge cert.
Therefore, parse client hello for ALPN prior to initiating mbedtls
processing of handshake.
2021-02-01 03:08:48 -05:00
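An added example, not code from lighttpd or mbedtls, of the approach the commit above describes: before handing the handshake to the TLS library, walk the raw ClientHello bytes yourself, locate the ALPN extension (type 0x0010, RFC 7301) and check whether "acme-tls/1" was offered. The record layout, the `clienthello_has_alpn()` name and the sample ClientHello bytes are this example's own constructions; every length field is bounds-checked so a truncated or malformed hello is rejected rather than read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked cursor over the ClientHello bytes. */
struct cur { const uint8_t *p; size_t n; };

static int rd_u8(struct cur *c, size_t *v) {
    if (c->n < 1) return -1;
    *v = c->p[0]; c->p += 1; c->n -= 1; return 0;
}
static int rd_u16(struct cur *c, size_t *v) {
    if (c->n < 2) return -1;
    *v = (size_t)c->p[0] << 8 | c->p[1]; c->p += 2; c->n -= 2; return 0;
}
static int rd_u24(struct cur *c, size_t *v) {
    if (c->n < 3) return -1;
    *v = (size_t)c->p[0] << 16 | (size_t)c->p[1] << 8 | c->p[2];
    c->p += 3; c->n -= 3; return 0;
}
static int skip(struct cur *c, size_t n) {
    if (c->n < n) return -1;
    c->p += n; c->n -= n; return 0;
}

/* Returns 1 if the ClientHello's ALPN list contains proto, 0 if a complete
 * ClientHello was parsed and it does not, -1 if the record is malformed or
 * truncated (e.g. only part of the record has been read so far). */
int clienthello_has_alpn(const uint8_t *buf, size_t len, const char *proto)
{
    struct cur c = { buf, len };
    size_t v, hs_len, ext_len, plen = strlen(proto);

    /* TLS record header: type 0x16 (handshake), version, 16-bit length */
    if (rd_u8(&c, &v) || v != 0x16) return -1;
    if (skip(&c, 2) || rd_u16(&c, &v) || v > c.n) return -1;
    c.n = v;                                  /* confine parsing to the record */

    /* Handshake header: type 0x01 (client_hello), 24-bit length */
    if (rd_u8(&c, &v) || v != 0x01) return -1;
    if (rd_u24(&c, &hs_len) || hs_len > c.n) return -1;
    c.n = hs_len;

    /* legacy_version + random, then session_id, cipher_suites, compression */
    if (skip(&c, 2 + 32)) return -1;
    if (rd_u8(&c, &v) || skip(&c, v)) return -1;
    if (rd_u16(&c, &v) || skip(&c, v)) return -1;
    if (rd_u8(&c, &v) || skip(&c, v)) return -1;

    if (c.n == 0) return 0;                   /* no extensions block at all */
    if (rd_u16(&c, &ext_len) || ext_len != c.n) return -1;

    while (c.n) {
        size_t type, elen, list_len, nlen;
        if (rd_u16(&c, &type) || rd_u16(&c, &elen) || elen > c.n) return -1;
        if (type != 0x0010) { (void)skip(&c, elen); continue; }

        /* ALPN: u16 list length, then u8-length-prefixed protocol names */
        struct cur e = { c.p, elen };
        if (rd_u16(&e, &list_len) || list_len != e.n) return -1;
        while (e.n) {
            if (rd_u8(&e, &nlen) || nlen == 0 || nlen > e.n) return -1;
            if (nlen == plen && memcmp(e.p, proto, plen) == 0) return 1;
            (void)skip(&e, nlen);
        }
        return 0;                             /* ALPN present, proto not offered */
    }
    return 0;
}

/* Constructed sample ClientHello (not a real capture): one cipher suite,
 * SNI "localhost", ALPN list [acme-tls/1, h2]. */
static const uint8_t sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x55,             /* record: handshake, length 85 */
    0x01, 0x00, 0x00, 0x51,                   /* client_hello, length 81 */
    0x03, 0x03,                               /* legacy_version TLS 1.2 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,         /* random: 32 zero bytes */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00,                                     /* session_id length 0 */
    0x00, 0x02, 0x13, 0x01,                   /* cipher_suites: TLS_AES_128_GCM_SHA256 */
    0x01, 0x00,                               /* compression_methods: null */
    0x00, 0x26,                               /* extensions length 38 */
    0x00, 0x00, 0x00, 0x0e,                   /* server_name ext, length 14 */
    0x00, 0x0c, 0x00, 0x00, 0x09,             /* list len 12, host_name, len 9 */
    'l','o','c','a','l','h','o','s','t',
    0x00, 0x10, 0x00, 0x10,                   /* ALPN ext, length 16 */
    0x00, 0x0e,                               /* protocol_name_list length 14 */
    0x0a, 'a','c','m','e','-','t','l','s','/','1',
    0x02, 'h','2',
};

int main(void)
{
    printf("acme-tls/1: %d\n", clienthello_has_alpn(sample_hello, sizeof sample_hello, "acme-tls/1"));
    printf("http/1.1:   %d\n", clienthello_has_alpn(sample_hello, sizeof sample_hello, "http/1.1"));
    printf("truncated:  %d\n", clienthello_has_alpn(sample_hello, sizeof sample_hello - 1, "h2"));
    return 0;
}
```

A -1 result means the full ClientHello has not arrived yet, so a caller peeking at a socket buffer should read more before deciding which certificate to hand to the library; treating it as "no ALPN" would silently serve the default certificate to an acme-tls/1 validator.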
Glenn Strauss 889d53aea4 [mod_mbedtls] fix acme-tls/1 challenge bootstrap
handle id-pe-acmeIdentifier OID in custom callback
(requires mbedtls 2.23.0 or later)
2021-02-01 03:06:52 -05:00
Glenn Strauss 86a6c9ca35 [mod_wolfssl] copy stapling buf for OCSP resp 2021-02-01 03:00:54 -05:00
Glenn Strauss e37b962c31 [mod_nss] fix acme-tls/1 challenge bootstrap
ALPN requires SNI, but ALPN hook appears to be called before SNI hook in
NSS, so set flag in ALPN hook, and handle acme-tls/1 ALPN in SNI hook
2021-02-01 03:00:54 -05:00
Glenn Strauss 0936fe6905 [mod_gnutls] fix acme-tls/1 challenge bootstrap
parse ALPN in GNUTLS_HOOK_PRE via gnutls_ext_raw_parse()

(does not appear to work when checking in GNUTLS_HOOK_POST)
2021-02-01 03:00:51 -05:00
Glenn Strauss 2d78182546 [TLS] set r->uri.authority empty str upon accept()
ensure not NULL for error messages
2021-01-30 22:17:40 -05:00
Glenn Strauss 77209c7a26 [mod_openssl] fix acme-tls/1 challenge bootstrap
do not send multiple certs in server hello
2021-01-30 22:17:40 -05:00
Glenn Strauss 18fc244a8e [TLS] fix invalid cfg warning 2021-01-30 22:17:40 -05:00
Glenn Strauss 8d4f785f69 [mod_wolfssl] wolfSSL might repeat SNI_Callback()
wolfSSL might call SNI_Callback() multiple times,
so detect and short-circuit if already called for connection
2021-01-30 22:17:40 -05:00
Glenn Strauss f885498b46 [build] fix typo in SConstruct (fixes #3061)
(thx eryretqwewrqr)

x-ref:
  "NameError in SConstruct"
  https://redmine.lighttpd.net/issues/3061
2021-01-29 16:21:51 -05:00
Glenn Strauss 1098de533a [mod_gnutls,mod_mbedtls] recog common cipherstring
recognize and translate a common recommended cipherstring
  "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"

(basically: EECDH+AESGCM:AES256+EECDH:CHACHA20
 without CBC ciphers reported as weak by SSLLabs)
2021-01-29 13:11:19 -05:00
Glenn Strauss b03b86f47b [core] fix merging large headers across mult reads (fixes #3059)
(thx mitd)

x-ref:
  "Connections stuck in Close_Wait causing 100% cpu usage"
  https://redmine.lighttpd.net/issues/3059
2021-01-29 03:10:22 -05:00
Glenn Strauss cf3e301272 [core] tighten struct data_config and related code
tighten struct data_config and config_cond_info
create config key at startup and reuse for debug/trace
separate routine for configparser_parse_condition()
separate routine for configparser_parse_else_condition()
2021-01-29 03:10:22 -05:00
Glenn Strauss 0045b9aa1a [core] const data_unset *array_get_element_klen()
return (const data_unset *) from array_get_element_klen();
use array_get_data_unset() for non-const (note: marked attribute cold)
2021-01-29 03:10:22 -05:00
Glenn Strauss db73879bf0 [mod_ajp13] AJPv13 Tomcat connector for lighttpd
(experimental)

AJPv13 protocol reference:
  https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
2021-01-29 03:10:22 -05:00
Glenn Strauss d9b956b938 [core] enable HTTP/2 by default
HTTP/2 via TLS ALPN extension  (TLS)
HTTP/2 via Upgrade: h2c        (cleartext)
HTTP/2 via Prior Knowledge     (cleartext)

To disable HTTP/2:
  server.feature-flags += ("server.h2proto" => "disable")
To disable upgrade to HTTP/2 over cleartext HTTP:
  server.feature-flags += ("server.h2c"     => "disable")
2021-01-29 03:10:22 -05:00
Glenn Strauss 5ccebbf04e [multiple] quiet some clang-analyzer warnings 2021-01-29 03:10:21 -05:00
Glenn Strauss 33e400b429 [multiple] avoid duplicate parsing in trigger func (#3056)
x-ref:
  "OCSP Stapling reload seems not to work"
  https://redmine.lighttpd.net/issues/3056
2021-01-29 03:10:21 -05:00
Glenn Strauss 81e4f4c4a7 [TLS] detect expired stapling file at startup (fixes #3056)
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)

x-ref:
  "OCSP Stapling reload seems not to work"
  https://redmine.lighttpd.net/issues/3056
2021-01-29 03:10:11 -05:00
Glenn Strauss 3a2ddc6cf8 [core] skip interest in POLLRDHUP after POLLRDHUP (#3059)
x-ref:
  "Connections stuck in Close_Wait causing 100% cpu usage"
  https://redmine.lighttpd.net/issues/3059
2021-01-20 00:46:41 -05:00
Glenn Strauss 471ab4dd5b [core] fix 100% CPU spin if traffic limit hit
(thx Dirk) (reported on FreeBSD)

HTTP/1.1 requests might end up spinning if traffic limits are configured
  (connection.kbytes-per-second)
  (server.kbytes-per-second)
2021-01-19 12:02:12 -05:00
Glenn Strauss fcbfc08352 [core] check more carefully after SSL_WANT_WRITE
con->is_readable and con->is_writable might be set to -1 by TLS modules
which encounter SSL_WANT_READ or SSL_WANT_WRITE.  Either might occur
during read or write, and so -1 was used to flag this.

However, code which used con->is_readable and con->is_writable now needs
to check for value > 0 rather than treating value as a boolean.
2021-01-19 12:01:10 -05:00
Glenn Strauss b757e738fd [mod_gnutls] fix alt code for coverity 2021-01-17 16:17:01 -05:00
Glenn Strauss 915b4ef3fc [multiple] fix TLS config string parsing
flagged by coverity

(incomplete fix a few commits back)
2021-01-17 15:50:28 -05:00
Glenn Strauss 9d8d559e1f [mod_wolfssl] fix syntax errors 2021-01-17 15:06:24 -05:00
Glenn Strauss 755f895b79 [mod_wolfssl] wipe ssl_pemfile_pkey before free() 2021-01-17 14:52:12 -05:00
Glenn Strauss a16488269d [mod_gnutls] fix ssl.ca_dn_file data access
identified by coverity

If ssl.ca_dn_file is set, then its contents were not properly matched
against the provided client certificate
2021-01-17 14:45:10 -05:00
Glenn Strauss d5b166c04d [multiple] fix TLS config string parsing
flagged by coverity

final segment of colon (':') separated string was being ignored
in some TLS config strings in mod_gnutls and mod_mbedtls

workaround: add ':' at end of config string (or apply this patch)
2021-01-17 14:33:19 -05:00
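An added example, not lighttpd's own parsing code, of the bug shape the commit above describes and its fix: a splitter that only emits a segment when it finds a ':' terminator silently drops the final segment unless the string ends in ':', which is exactly why appending ':' works as a workaround. Run on the cipherstring from the [mod_gnutls,mod_mbedtls] commit earlier in this log, the buggy loop never sees CHACHA20. The `split_colon_buggy()` / `split_colon_fixed()` names and the `struct segs` buffer are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEG_MAX 16
#define SEG_LEN 64

struct segs { size_t n; char v[SEG_MAX][SEG_LEN]; };

/* Record one segment; n is the running count.  out may be NULL to count only. */
static size_t seg_add(struct segs *out, size_t n, const char *s, size_t len)
{
    if (len == 0) return n;                      /* ignore empty segments */
    if (out != NULL && n < SEG_MAX) {
        if (len >= SEG_LEN) len = SEG_LEN - 1;   /* truncate over-long names */
        memcpy(out->v[n], s, len);
        out->v[n][len] = '\0';
        out->n = n + 1;
    }
    return n + 1;
}

/* Buggy shape: a segment is emitted only when strchr() finds a ':' after it,
 * so the last segment of "a:b:c" is never visited.  "a:b:c:" hides the bug. */
size_t split_colon_buggy(const char *s, struct segs *out)
{
    size_t n = 0;
    if (out) out->n = 0;
    for (const char *e; (e = strchr(s, ':')) != NULL; s = e + 1)
        n = seg_add(out, n, s, (size_t)(e - s));
    return n;
}

/* Fixed: treat end-of-string as a terminator too, then stop. */
size_t split_colon_fixed(const char *s, struct segs *out)
{
    size_t n = 0;
    if (out) out->n = 0;
    for (;;) {
        const char *e = strchr(s, ':');
        if (e == NULL) e = s + strlen(s);
        n = seg_add(out, n, s, (size_t)(e - s));
        if (*e == '\0') break;
        s = e + 1;
    }
    return n;
}

int main(void)
{
    /* Constructed input: the recommended cipherstring quoted in this log */
    const char *cs = "EECDH+AESGCM:AES256+EECDH:CHACHA20";
    struct segs a, b;
    printf("buggy: %zu segments\n", split_colon_buggy(cs, &a));
    printf("fixed: %zu segments\n", split_colon_fixed(cs, &b));
    for (size_t i = 0; i < b.n; i++) printf("  %s\n", b.v[i]);
    return 0;
}
```

The security consequence is quiet: the dropped segment is whatever the administrator listed last, so a cipher or curve they intended to enable (or, in a negated list, to disable) is ignored with no warning. When reviewing any tokenizer of this form, check the loop's behaviour on input with no trailing delimiter.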
Glenn Strauss 0e2a14921e [multiple] fix coverity warnings 2021-01-17 14:32:46 -05:00
Glenn Strauss 5b0aed8c32 [mod_deflate] compat with zstd < v1.4.0
ZSTD_compressStream2() was an "advanced API" (experimental; unstable)
in v1.3.x
2021-01-17 08:33:02 -05:00
Glenn Strauss f8792bfb5a [mod_deflate] use zstd typedefs (minor cleanup) 2021-01-17 08:32:38 -05:00
Glenn Strauss 625d57b2d9 build] scripts/ci-build.sh remove --with-maxminddb
remove --with-maxminddb;
  maxminddb libs not currently part of our FreeBSD build images
2021-01-16 23:07:06 -05:00
Glenn Strauss 02c83d735c [build] scripts/ci-build.sh add --with-maxminddb 2021-01-16 22:52:32 -05:00
Glenn Strauss 62a874df32 [mod_alias] modify r->physical.path in place
(reduce string copying)

split out func mod_alias_remap() from handler func for unit testing
2021-01-16 22:33:47 -05:00
Glenn Strauss 43cc87dd67 [build] adjust crypto vars in src/CMakeLists.txt 2021-01-16 20:11:48 -05:00
Glenn Strauss 073f57e51a [core] avoid multiple definition of SHA512_CTX
avoid multiple definition of SHA512_CTX when using Nettle
2021-01-16 20:11:12 -05:00
Glenn Strauss f680e1b234 [build] adjust crypto vars in src/CMakeLists.txt
use different vars for different crypto libs
2021-01-16 17:14:11 -05:00
Glenn Strauss f23be1a116 [build] scripts/ci-build.sh adjustments
remove --with-mbedtls; mbedtls not currently part of our FreeBSD bld img
2021-01-16 16:53:02 -05:00
Glenn Strauss 2c875a649d [build] adjust mbedtls vars in src/CMakeLists.txt 2021-01-16 16:52:27 -05:00
Glenn Strauss 7ec08905b9 [build] fix typo in src/CMakeLists.txt 2021-01-16 16:27:47 -05:00
Glenn Strauss f0b74faa45 [build] scripts/ci-build.sh adjustments
remove --with-nss; nss libs not currently part of our FreeBSD build img
remove with_zstd=yes from SCons build, due to dependency on libpthread
2021-01-16 16:09:08 -05:00
Glenn Strauss 73cace9401 [build] scripts/ci-build.sh w/o --with-wolfssl
WolfSSL is not generally available in *BSD due to WolfSSL limitations.
(Might be revisited with the Dec 2020 release of WolfSSL 4.6.0)
2021-01-16 15:59:57 -05:00
Glenn Strauss 4d5405f0a1 [mod_openssl] update LIBRESSL_VERSION_NUMBER check 2021-01-16 15:58:25 -05:00
Glenn Strauss f6c79fff94 [build] scripts/ci-build.sh --with-nettle 2021-01-16 15:53:11 -05:00
Glenn Strauss fdf45433c8 [core] check ifdef WOLFSSL_SHA512 for SHA512 avail 2021-01-16 15:51:49 -05:00
Glenn Strauss 2d94d56fe5 [build] update scripts/ci-build.sh
* remove use of deprecated or obsolete packages on Linux, *BSD builds
  --with-attr --with-fam --with-geoip
* add zstd
  --with-zstd
* add multiple TLS options to build
  --with-gnutls --with-mbedtls --with-nss --with-openssl --with-wolfssl
  (leave one TLS option (openssl) for SCons static build)
2021-01-16 15:30:53 -05:00
Glenn Strauss db1ca2a60f [core] add decls in connections.h 2021-01-13 16:14:48 -05:00
Glenn Strauss f0074a7ded [mod_access] mark mod_access_check attribute pure 2021-01-13 16:10:16 -05:00
Glenn Strauss 947d36941d [doc] add --with-zstd to INSTALL 2021-01-13 14:39:01 -05:00
Glenn Strauss c0e73fd1d8 [mod_dirlisting] hide unused variable on MacOS
(quiet compiler warning)
2021-01-12 23:01:26 -05:00