Changes in / [556783e:e376ed8] in mod_gnutls
Files: 1 added, 32 edited
CHANGELOG
r556783e re376ed8 1 ** Version 0.9.1 (2019-11-29) 2 - Fix possible segfault (NULL pointer dereference) on failed TLS 3 handshake. Calling ssl_var_lookup() after a failed handshake could 4 lead to GnuTLS session information functions being called on a NULL 5 session pointer, leading to segfault. 6 - Remove URLs from expected error responses in the test suite. Apache 7 HTTPD removed request URLs from canned error messages to prevent 8 misleading text/links being displayed via crafted links 9 (CVE-2019-10092). Adjust the expected error responses in our tests 10 so they can pass again. 11 - Test suite: Ignore "Content-Length" header of responses. Thanks to 12 Krista Karppinen! 13 - Add a section about module dependencies on socache to the handbook 14 - Restructure the manpage build and move it to section 5 (config 15 files) 16 - Test suite: Restructure certificate directories 17 1 18 ** Version 0.9.0 (2019-01-23) 2 19 - Security fix: Refuse to send or receive any data over a failed TLS -
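Review bot: the 0.9.1 segfault entry should state whether the failed handshake can be caused by a remote client and which configurations end up calling ssl_var_lookup() afterwards (for example other modules expanding mod_gnutls variables in log formats or environment variables), because packagers read this entry to decide whether a NULL pointer dereference is remotely reachable and needs backporting; one added sentence on reachability would do, and a reference to the src/mod_gnutls.c change (the added `ctxt->session == NULL` check) would make the entry easier to audit.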
configure.ac
r556783e re376ed8 1 AC_INIT(mod_gnutls, 0.9. 0)1 AC_INIT(mod_gnutls, 0.9.1) 2 2 OOO_CONFIG_NICE(config.nice) 3 3 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION -
doc/.gitignore
r556783e re376ed8 1 1 *.html 2 *. man2 *.5 3 3 *.pdf 4 4 doxygen.conf -
doc/Makefile.am
r556783e re376ed8 1 EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in 1 EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in \ 2 mod_gnutls.whatis 2 3 3 4 if USE_PANDOC 4 5 html_DATA = mod_gnutls_manual.html 5 man 3_MANS = mod_gnutls_manual.man6 man5_MANS = mod_gnutls.5 6 7 if USE_PDFLATEX 7 8 # pandoc && pdflatex … … 15 16 endif 16 17 17 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man 3_MANS)18 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man5_MANS) 18 19 19 20 %.yaml: %.yaml.in … … 21 22 22 23 if USE_PANDOC 23 %. man: %.mdwn %.yaml24 %.5: %.whatis %_manual.mdwn %_manual.yaml 24 25 $(PANDOC) --standalone -f markdown -t man -o $@ $^ 25 26 26 27 if USE_PDFLATEX 27 %.pdf: %.mdwn 28 $(PANDOC) --toc -f markdown -o $@ $ <28 %.pdf: %.mdwn %.yaml 29 $(PANDOC) --toc -f markdown -o $@ $^ 29 30 endif 30 31 endif 31 32 32 %.html: %.mdwn 33 %.html: %.mdwn %.yaml 33 34 if USE_PANDOC 34 $(PANDOC) --toc --standalone -f markdown -o $@ $ <35 $(PANDOC) --toc --standalone -f markdown -o $@ $^ 35 36 else 36 37 if USE_MARKDOWN -
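Review bot: the new `%.5: %.whatis %_manual.mdwn %_manual.yaml` rule passes `$^` to pandoc, so `mod_gnutls.whatis` is concatenated first and the YAML metadata block last; pandoc accepts that, but the rule only works for the stem `mod_gnutls` with the fixed `_manual` suffix, so a short comment above the rule saying the page name must equal the module name would spare the next person a confusing "No rule to make target" error. Also check that `mod_gnutls_manual.yaml`, produced by the `%.yaml: %.yaml.in` rule, is removed on clean if it is not already covered elsewhere: the visible `MOSTLYCLEANFILES` line lists only `$(html_DATA) $(pdf_DATA) $(man5_MANS)`. Making the `.pdf` and `.html` rules depend on `%.yaml` is a good change, since the footer carries the version and the manual now rebuilds when it changes.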
doc/mod_gnutls_manual.mdwn
r556783e re376ed8 1 % `mod_gnutls` Manual2 3 1 * * * * * 4 2 … … 47 45 48 46 LoadModule gnutls_module modules/mod_gnutls.so 47 48 Module Dependencies 49 ------------------- 50 51 `mod_gnutls` uses the Apache HTTPD [Shared Object 52 Cache](http://httpd.apache.org/docs/current/en/socache.html) to cache 53 [OCSP responses for OCSP stapling](#gnutlsocspcache) and [TLS 54 sessions](#gnutlscache). To use either cache you need to load a 55 suitable `mod_socache_PROVIDER` module, which should be provided by 56 your Apache installation. 57 58 It is recommended to load at least `mod_socache_shmcb`. If that module 59 is loaded `mod_gnutls` will [enable OCSP stapling by 60 default](#gnutlsocspstapling), without needing any further 61 configuration other than a [certificate chain](#gnutlscertificatefile) 62 with OCSP support. 49 63 50 64 Note on HTTP/2 … … 327 341 certificate, and optionally those of the issuing Certificate 328 342 Authorities (CAs). If the file contains multiple certificates they 329 should be ordered from EE to the CA closest to the root CA (or the 330 rootCA itself).343 must be ordered from EE to the CA closest to the root CA (or the root 344 CA itself). 331 345 332 346 Including at least the immediately issuing CA is highly recommended -
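Review bot: the new "Module Dependencies" section explains what happens when `mod_socache_shmcb` is loaded, but not what happens when no socache provider is loaded at all (startup failure, logged error, or silently running without OCSP stapling and session caching), and whether the socache module must appear before `mod_gnutls` in the `LoadModule` order; both questions are the ones an administrator will have after reading the `LoadModule gnutls_module` example directly above, so answer them here. The "should" to "must" change for the certificate chain order is right; add one sentence on the consequence of a misordered chain so the reader sees why it is a hard requirement.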
doc/mod_gnutls_manual.yaml.in
r556783e re376ed8 1 1 --- 2 title: Themod_gnutls Manual3 section: 32 title: mod_gnutls Manual 3 section: 5 4 4 header: mod_gnutls 5 5 footer: __MOD_GNUTLS_VERSION__ -
src/mod_gnutls.c
r556783e re376ed8 3 3 * Copyright 2008, 2014 Nikos Mavrogiannopoulos 4 4 * Copyright 2011 Dash Shendy 5 * Copyright 2015-201 8Fiona Klute5 * Copyright 2015-2019 Fiona Klute 6 6 * 7 7 * Licensed under the Apache License, Version 2.0 (the "License"); … … 179 179 180 180 /* TLS parameters are empty if there is no session */ 181 if (ctxt == NULL || ctxt->c == NULL )181 if (ctxt == NULL || ctxt->c == NULL || ctxt->session == NULL) 182 182 return NULL; 183 183 -
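Review bot: the added `ctxt->session == NULL` test at line 181 guards this lookup path, but it only helps if `ctxt->session` is really set to NULL (not left dangling) wherever the handshake failure path frees the session; confirm that, and check whether other functions outside this hunk that dereference `ctxt->session` (logging hooks, the connection-close path) need the same guard, otherwise the segfault is fixed for ssl_var_lookup() only. The comment at line 180 ("TLS parameters are empty if there is no session") would be more useful if it named the case that motivated the check, e.g. `/* ... no session, e.g. after a failed handshake */`.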
test/runtests
r556783e re376ed8 50 50 # Compare expected/actual outputs, filtering out headers from actual 51 51 # output that are expected to change between runs or builds (currently 52 # "Date" and "Server"). The headers must be excluded in the expected53 # output.52 # "Date", "Server" and "Content-Length"). The headers must be excluded 53 # in the expected output. 54 54 # 55 55 # Parameters: … … 64 64 grep -v -P '^Date:\s.*GMT\s?$' | \ 65 65 grep -v -P '^Server:\sApache' | \ 66 grep -v -P '^Content-Length:\s\d+\s?$' | \ 66 67 tail -n "$(wc -l < ${expected})" ) 67 68 } -
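Review bot: the new `grep -v -P '^Content-Length:\s\d+\s?$'` filter at line 66 is fine as a regex, but combined with the existing `tail -n "$(wc -l < ${expected})"` the comparison keeps only the last N lines of the filtered output, so any unexpected extra header (or a Content-Length line that does not match the pattern, e.g. with a lowercase header name) is silently cut off instead of failing the test; consider diffing the whole filtered output, or at least checking that the filtered line count equals the expected count before calling `tail`.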
test/tests/00_basic/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
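Review bot: dropping `Content-Length: 53` from this expected output (and the identical change in the other `output` files below) is consistent with the new runtests filter, but it means the response length is no longer checked anywhere; make sure the body of `/test.txt` is still compared in these tests so a truncated response is caught.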
test/tests/01_serverwide_priorities/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/03_cachetimeout_in_vhost/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/04_basic_nosni/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/06_verify_sni_a/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/07_verify_sni_b/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/08_verify_no_sni_fallback_to_first_vhost/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/10_basic_client_verification/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/14_resume_session/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/15_basic_msva/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/18_client_verification_wrong_cert/output
r556783e re376ed8 1 <html><head> 2 <title>403 Forbidden</title> 1 3 </head><body> 2 4 <h1>Forbidden</h1> 3 <p>You don't have permission to access /test.txt 4 on this server.<br /> 5 </p> 5 <p>You don't have permission to access this resource.</p> 6 6 </body></html> 7 7 - Peer has closed the GnuTLS connection -
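Review bot: the new expected 403 body ("You don't have permission to access this resource.") matches only httpd releases that include the CVE-2019-10092 change, so this test now fails against older httpd; record the minimum httpd version in the test suite (or in the CHANGELOG entry that describes this adjustment) so such a failure is recognised as a version mismatch rather than a mod_gnutls regression.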
test/tests/19_TLS_reverse_proxy/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Content-Type: text/plain 4 3 Connection: close -
test/tests/20_TLS_reverse_proxy_client_auth/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Content-Type: text/plain 4 3 Connection: close -
test/tests/21_TLS_reverse_proxy_wrong_cert/output
r556783e re376ed8 1 1 HTTP/1.1 502 Proxy Error 2 Content-Length: 4073 2 Connection: close 4 3 Content-Type: text/html; charset=iso-8859-1 … … 11 10 <p>The proxy server received an invalid 12 11 response from an upstream server.<br /> 13 The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p> 14 Reason: <strong>Error reading from remote server</strong></p></p> 12 The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> 15 13 </body></html> 16 14 - Peer has closed the GnuTLS connection -
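Review bot: the replacement 502 body keeps httpd's odd nested markup (`...the request<p>Reason: <strong>...</strong></p></p>`) verbatim, which is correct for an exact comparison but makes the expectation fragile to any further whitespace or markup change in httpd's canned error page; for the three proxy-error tests that share this block (21, 22, 23) consider matching only the status line and the `Reason:` text. The same minimum-httpd-version caveat as for the 403 test applies here.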
test/tests/22_TLS_reverse_proxy_crl_revoke/output
r556783e re376ed8 1 1 HTTP/1.1 502 Proxy Error 2 Content-Length: 4073 2 Connection: close 4 3 Content-Type: text/html; charset=iso-8859-1 … … 11 10 <p>The proxy server received an invalid 12 11 response from an upstream server.<br /> 13 The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p> 14 Reason: <strong>Error reading from remote server</strong></p></p> 12 The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> 15 13 </body></html> 16 14 - Peer has closed the GnuTLS connection -
test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
r556783e re376ed8 1 1 HTTP/1.1 502 Proxy Error 2 Content-Length: 4073 2 Connection: close 4 3 Content-Type: text/html; charset=iso-8859-1 … … 11 10 <p>The proxy server received an invalid 12 11 response from an upstream server.<br /> 13 The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p> 14 Reason: <strong>Error reading from remote server</strong></p></p> 12 The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> 15 13 </body></html> 16 14 - Peer has closed the GnuTLS connection -
test/tests/24_pkcs11_cert/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/27_OCSP_server/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/29_force_handshake_vhost/output
r556783e re376ed8 1 1 HTTP/1.1 421 Misdirected Request 2 Content-Length: 3223 2 Connection: close 4 3 Content-Type: text/html; charset=iso-8859-1 -
test/tests/30_ip_based_vhosts/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/31_vhost_SNI_serveralias_match/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Connection: close 4 3 Content-Type: text/plain -
test/tests/32_vhost_SNI_serveralias_mismatch/output
r556783e re376ed8 1 1 HTTP/1.1 421 Misdirected Request 2 Content-Length: 3223 2 Connection: close 4 3 Content-Type: text/html; charset=iso-8859-1 -
test/tests/33_vhost_SNI_serveralias_missinghost/output
r556783e re376ed8 1 1 HTTP/1.1 421 Misdirected Request 2 Content-Length: 3223 2 Connection: close 4 3 Content-Type: text/html; charset=iso-8859-1 -
test/tests/34_TLS_reverse_proxy_h2/output
r556783e re376ed8 1 1 Accept-Ranges: bytes 2 Content-Length: 53 2 Content-Type: text/plain 4 3 Connection: close