ben | 21 Jun 2012 18:17

svn commit: r1352596 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h

Author: ben
Date: Thu Jun 21 16:17:41 2012
New Revision: 1352596

URL: http://svn.apache.org/viewvc?rev=1352596&view=rev
Log:
RFC 5878 support.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1352596&r1=1352595&r2=1352596&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jun 21 16:17:41 2012
 <at>  <at>  -1,6 +1,8  <at>  <at> 
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0

+  *) mod_ssl: Add RFC 5878 support. [Ben Laurie]
+
   *) SECURITY: CVE-2012-2687 (cve.mitre.org)
      mod_negotiation: Escape filenames in variant list to prevent an
      possible XSS for a site where untrusted users can upload files to
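Review bot: the single `+  *) mod_ssl: Add RFC 5878 support. [Ben Laurie]` line is the only description of the feature anywhere in this commit, and neither it nor the one-line log message names the new configuration directives or the OpenSSL version the feature depends on; since the commit also touches ssl_engine_config.c and adds directives (the SSL*AuthzFile ones, per the follow-up), suggest expanding the entry to list them and the minimum OpenSSL version required, and adding the matching directive documentation in the same change so the feature does not land undocumented.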


Kaspar Brand | 6 Apr 2013 11:40

Re: svn commit: r1352596 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h

On 21.06.2012 18:17, ben <at> apache.org wrote:
> Author: ben
> Date: Thu Jun 21 16:17:41 2012
> New Revision: 1352596
> 
> URL: http://svn.apache.org/viewvc?rev=1352596&view=rev
> Log:
> RFC 5878 support.
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h

Considering how things evolved since June last year, I propose to revert
this patch, for the following reasons:

- as pointed out in my backport votes (http://svn.apache.org/r1395229),
the code is still quite far from being an "implementation" of RFC 5878,
and OpenSSL itself hasn't received any updates to the code added in May 2012

- the SSL*AuthzFile directives for mod_ssl are completely undocumented
as of today, and SSL_CTX_use_authz_file uses an opaque format (which
might see further modifications, see e.g. [1])

- earlier this year it became clear that the first version of the
OpenSSL code for "RFC 5878 support" wasn't really correct [2], and
meanwhile the CT I-D has switched to using a dedicated TLS extension