Changes in / [556783e:e376ed8] in mod_gnutls


Files:
1 added
32 edited

  • CHANGELOG

    r556783e re376ed8  
     1** Version 0.9.1 (2019-11-29)
     2- Fix possible segfault (NULL pointer dereference) on failed TLS
     3  handshake. Calling ssl_var_lookup() after a failed handshake could
     4  lead to GnuTLS session information functions being called on a NULL
     5  session pointer, leading to segfault.
     6- Remove URLs from expected error responses in the test suite. Apache
     7  HTTPD removed request URLs from canned error messages to prevent
     8  misleading text/links being displayed via crafted links
     9  (CVE-2019-10092). Adjust the expected error responses in our tests
     10  so they can pass again.
     11- Test suite: Ignore "Content-Length" header of responses. Thanks to
     12  Krista Karppinen!
     13- Add a section about module dependencies on socache to the handbook
     14- Restructure the manpage build and move it to section 5 (config
     15  files)
     16- Test suite: Restructure certificate directories
     17
    118** Version 0.9.0 (2019-01-23)
    219- Security fix: Refuse to send or receive any data over a failed TLS
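Review bot: The 0.9.1 segfault entry (lines 2-5) should state whether the NULL dereference is reachable by a remote client that merely fails the handshake, and which releases are affected, since that is what operators need when deciding how urgently to update; the 0.9.0 entry below is labelled "Security fix" while this one is not, although it describes a crash. Lines 13 and 16 also lack the trailing period used by the other entries.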
  • configure.ac

    r556783e re376ed8  
    1 AC_INIT(mod_gnutls, 0.9.0)
     1AC_INIT(mod_gnutls, 0.9.1)
    22OOO_CONFIG_NICE(config.nice)
    33MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
  • doc/.gitignore

    r556783e re376ed8  
    11*.html
    2 *.man
     2*.5
    33*.pdf
    44doxygen.conf
  • doc/Makefile.am

    r556783e re376ed8  
    1 EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in
     1EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in \
     2        mod_gnutls.whatis
    23
    34if USE_PANDOC
    45html_DATA = mod_gnutls_manual.html
    5 man3_MANS = mod_gnutls_manual.man
     6man5_MANS = mod_gnutls.5
    67if USE_PDFLATEX
    78# pandoc && pdflatex
     
    1516endif
    1617
    17 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man3_MANS)
     18MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man5_MANS)
    1819
    1920%.yaml: %.yaml.in
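Review bot: MOSTLYCLEANFILES at line 18 now lists `$(man5_MANS)` but still omits the generated `%.yaml`, produced from `%.yaml.in` by the rule at line 20; unless it is cleaned elsewhere, `mod_gnutls_manual.yaml` survives `make mostlyclean` and, because it carries the version string, can go stale between builds.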
     
    2122
    2223if USE_PANDOC
    23 %.man: %.mdwn %.yaml
     24%.5: %.whatis %_manual.mdwn %_manual.yaml
    2425        $(PANDOC) --standalone -f markdown -t man -o $@ $^
    2526
    2627if USE_PDFLATEX
    27 %.pdf: %.mdwn
    28         $(PANDOC) --toc -f markdown -o $@ $<
     28%.pdf: %.mdwn %.yaml
     29        $(PANDOC) --toc -f markdown -o $@ $^
    2930endif
    3031endif
    3132
    32 %.html: %.mdwn
     33%.html: %.mdwn %.yaml
    3334if USE_PANDOC
    34         $(PANDOC) --toc --standalone -f markdown -o $@ $<
     35        $(PANDOC) --toc --standalone -f markdown -o $@ $^
    3536else
    3637if USE_MARKDOWN
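Review bot: The `%.5` rule at lines 24-25 hands `$^` to pandoc, so the manpage is the concatenation of `%.whatis`, `%_manual.mdwn` and `%_manual.yaml` in prerequisite order; a one-line comment that `.whatis` (by its name the NAME/whatis text) must stay first, and that the YAML block may follow the body because pandoc accepts a metadata block anywhere at top level when preceded by a blank line, would keep a later edit from reordering them. The `$<` to `$^` change for `%.pdf` and `%.html` is required now that the title comes from the YAML file instead of the removed `%` title line in the manual source.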
  • doc/mod_gnutls_manual.mdwn

    r556783e re376ed8  
    1 % `mod_gnutls` Manual
    2 
    31* * * * *
    42
     
    4745
    4846    LoadModule gnutls_module modules/mod_gnutls.so
     47
     48Module Dependencies
     49-------------------
     50
     51`mod_gnutls` uses the Apache HTTPD [Shared Object
     52Cache](http://httpd.apache.org/docs/current/en/socache.html) to cache
     53[OCSP responses for OCSP stapling](#gnutlsocspcache) and [TLS
     54sessions](#gnutlscache). To use either cache you need to load a
     55suitable `mod_socache_PROVIDER` module, which should be provided by
     56your Apache installation.
     57
     58It is recommended to load at least `mod_socache_shmcb`. If that module
     59is loaded `mod_gnutls` will [enable OCSP stapling by
     60default](#gnutlsocspstapling), without needing any further
     61configuration other than a [certificate chain](#gnutlscertificatefile)
     62with OCSP support.
    4963
    5064Note on HTTP/2
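Review bot: The new section (lines 48-62) says a `mod_socache_PROVIDER` module must be loaded to use either cache but not what happens when none is loaded: whether mod_gnutls then runs without OCSP stapling and session caching, logs a warning, or refuses to start. Stating that, and naming any providers besides `shmcb` known to work, would let an administrator distinguish a misconfiguration from a deliberate cache-less setup. The Shared Object Cache link at line 52 uses `http://`; the httpd documentation is served over `https://`.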
     
    327341certificate, and optionally those of the issuing Certificate
    328342Authorities (CAs). If the file contains multiple certificates they
    329 should be ordered from EE to the CA closest to the root CA (or the
    330 root CA itself).
     343must be ordered from EE to the CA closest to the root CA (or the root
     344CA itself).
    331345
    332346Including at least the immediately issuing CA is highly recommended
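Review bot: Tightening "should" to "must" at lines 343-344 is right, but the paragraph still does not say how a wrongly ordered file fails (rejected at startup versus clients failing chain validation); one sentence on the failure mode would make the requirement actionable for whoever is debugging it.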
  • doc/mod_gnutls_manual.yaml.in

    r556783e re376ed8  
    11---
    2 title: The mod_gnutls Manual
    3 section: 3
     2title: mod_gnutls Manual
     3section: 5
    44header: mod_gnutls
    55footer: __MOD_GNUTLS_VERSION__
  • src/mod_gnutls.c

    r556783e re376ed8  
    33 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
    44 *  Copyright 2011 Dash Shendy
    5  *  Copyright 2015-2018 Fiona Klute
     5 *  Copyright 2015-2019 Fiona Klute
    66 *
    77 *  Licensed under the Apache License, Version 2.0 (the "License");
     
    179179
    180180    /* TLS parameters are empty if there is no session */
    181     if (ctxt == NULL || ctxt->c == NULL)
     181    if (ctxt == NULL || ctxt->c == NULL || ctxt->session == NULL)
    182182        return NULL;
    183183
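Review bot: The added `ctxt->session == NULL` test at line 181 closes the ssl_var_lookup() path named in the CHANGELOG, but a NULL session after a failed handshake is a connection state rather than a single call site: every other function that reaches GnuTLS session-information calls through `ctxt->session` needs the same guard, and none of the test changes in this changeset exercises a failed handshake followed by a variable lookup, so a regression test would be worth adding. The comment at line 180 should also mention that "no session" now covers a connection whose handshake failed.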
  • test/runtests

    r556783e re376ed8  
    5050# Compare expected/actual outputs, filtering out headers from actual
    5151# output that are expected to change between runs or builds (currently
    52 # "Date" and "Server"). The headers must be excluded in the expected
    53 # output.
     52# "Date", "Server" and "Content-Length"). The headers must be excluded
     53# in the expected output.
    5454#
    5555# Parameters:
     
    6464        grep -v -P '^Date:\s.*GMT\s?$' | \
    6565        grep -v -P '^Server:\sApache'  | \
     66        grep -v -P '^Content-Length:\s\d+\s?$' | \
    6667        tail -n "$(wc -l < ${expected})" )
    6768}
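Review bot: The new `grep -v -P '^Content-Length:\s\d+\s?$'` filter at line 66 requires exactly one whitespace character after the colon, which matches what httpd emits but is stricter than the header grammar; `'^Content-Length:\s*\d+\s*$'` would tolerate other spacing without matching anything else. On the following line `wc -l < ${expected}` should quote the variable like the other uses, and since the filters now depend on `-P` and `\d`, the header comment at lines 50-53 should note the requirement for a grep with PCRE support.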
  • test/tests/00_basic/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/01_serverwide_priorities/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/03_cachetimeout_in_vhost/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/04_basic_nosni/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/06_verify_sni_a/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/07_verify_sni_b/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/08_verify_no_sni_fallback_to_first_vhost/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/10_basic_client_verification/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/14_resume_session/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/15_basic_msva/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/18_client_verification_wrong_cert/output

    r556783e re376ed8  
     1<html><head>
     2<title>403 Forbidden</title>
    13</head><body>
    24<h1>Forbidden</h1>
    3 <p>You don't have permission to access /test.txt
    4 on this server.<br />
    5 </p>
     5<p>You don't have permission to access this resource.</p>
    66</body></html>
    77- Peer has closed the GnuTLS connection
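Review bot: The replaced expected body at lines 1-5 pins the suite to the httpd error page text introduced with the CVE-2019-10092 change described in the CHANGELOG, so this test fails again on an httpd without that fix and whenever httpd next rewrites its canned pages. If the point of the test is the 403 for a wrong client certificate, comparing only the status line and the `Peer has closed the GnuTLS connection` marker, or filtering the body in the runtests comparison as is now done for volatile headers, would decouple the expectation from the httpd version.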
  • test/tests/19_TLS_reverse_proxy/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Content-Type: text/plain
    43Connection: close
  • test/tests/20_TLS_reverse_proxy_client_auth/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Content-Type: text/plain
    43Connection: close
  • test/tests/21_TLS_reverse_proxy_wrong_cert/output

    r556783e re376ed8  
    11HTTP/1.1 502 Proxy Error
    2 Content-Length: 407
    32Connection: close
    43Content-Type: text/html; charset=iso-8859-1
     
    1110<p>The proxy server received an invalid
    1211response from an upstream server.<br />
    13 The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
    14 Reason: <strong>Error reading from remote server</strong></p></p>
     12The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
    1513</body></html>
    1614- Peer has closed the GnuTLS connection
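Review bot: The new line 12 runs the sentence straight into `<p>Reason: ...` without whitespace and keeps the unbalanced `</p></p>` from the previous version; both come from httpd's canned 502 page rather than from mod_gnutls, so the expectation is tied to the httpd version in use, as are the identical hunks in 22_TLS_reverse_proxy_crl_revoke and 23_TLS_reverse_proxy_mismatched_priorities below. A single filter for the proxy error body in runtests would fix all three in one place. The removed `Content-Length: 407` is consistent with the new header filter.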
  • test/tests/22_TLS_reverse_proxy_crl_revoke/output

    r556783e re376ed8  
    11HTTP/1.1 502 Proxy Error
    2 Content-Length: 407
    32Connection: close
    43Content-Type: text/html; charset=iso-8859-1
     
    1110<p>The proxy server received an invalid
    1211response from an upstream server.<br />
    13 The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
    14 Reason: <strong>Error reading from remote server</strong></p></p>
     12The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
    1513</body></html>
    1614- Peer has closed the GnuTLS connection
  • test/tests/23_TLS_reverse_proxy_mismatched_priorities/output

    r556783e re376ed8  
    11HTTP/1.1 502 Proxy Error
    2 Content-Length: 407
    32Connection: close
    43Content-Type: text/html; charset=iso-8859-1
     
    1110<p>The proxy server received an invalid
    1211response from an upstream server.<br />
    13 The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
    14 Reason: <strong>Error reading from remote server</strong></p></p>
     12The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
    1513</body></html>
    1614- Peer has closed the GnuTLS connection
  • test/tests/24_pkcs11_cert/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/27_OCSP_server/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/29_force_handshake_vhost/output

    r556783e re376ed8  
    11HTTP/1.1 421 Misdirected Request
    2 Content-Length: 322
    32Connection: close
    43Content-Type: text/html; charset=iso-8859-1
  • test/tests/30_ip_based_vhosts/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/31_vhost_SNI_serveralias_match/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Connection: close
    43Content-Type: text/plain
  • test/tests/32_vhost_SNI_serveralias_mismatch/output

    r556783e re376ed8  
    11HTTP/1.1 421 Misdirected Request
    2 Content-Length: 322
    32Connection: close
    43Content-Type: text/html; charset=iso-8859-1
  • test/tests/33_vhost_SNI_serveralias_missinghost/output

    r556783e re376ed8  
    11HTTP/1.1 421 Misdirected Request
    2 Content-Length: 322
    32Connection: close
    43Content-Type: text/html; charset=iso-8859-1
  • test/tests/34_TLS_reverse_proxy_h2/output

    r556783e re376ed8  
    11Accept-Ranges: bytes
    2 Content-Length: 5
    32Content-Type: text/plain
    43Connection: close