diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 1a883c8c23..8f811382f1 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -29,7 +29,7 @@ jobs: strategy: fail-fast: false matrix: - include: + include: # ------------------------------------------------------------------------- - name: Empty APLOGNO() test env: | @@ -67,11 +67,11 @@ jobs: env: | TEST_ARGS=-order=random # ------------------------------------------------------------------------- - - name: GCC 10 maintainer-mode w/-Werror, install + VPATH + - name: GCC 12 maintainer-mode w/-Werror, install + VPATH config: --enable-mods-shared=reallyall --enable-maintainer-mode notest-cflags: -Werror -O2 env: | - CC=gcc-10 + CC=gcc-12 TEST_VPATH=1 TEST_INSTALL=1 SKIP_TESTING=1 @@ -153,6 +153,20 @@ jobs: TEST_ARGS="-defines LDAP" TESTS="t/modules/" # ------------------------------------------------------------------------- + - name: APR 1.7.x, APR-util 1.7.x, LDAP + config: --enable-mods-shared=reallyall + pkgs: ldap-utils + env: | + APR_VERSION=1.7.x + APU_VERSION=1.7.x + APU_CONFIG="--with-crypto --with-ldap" + TEST_MALLOC=1 + TEST_LDAP=1 + TEST_ARGS="-defines LDAP" + TESTS="t/modules/" + CLEAR_CACHE=1 + # ------------------------------------------------------------------------- + ### TODO: if: *condition_not_24x - name: APR trunk thread debugging config: --enable-mods-shared=reallyall --with-mpm=event env: | @@ -210,17 +224,6 @@ jobs: # TEST_MD=1 # ------------------------------------------------------------------------- ### TODO: if: *condition_not_24x - - name: MOD_TLS test suite - config: --enable-mods-shared=reallyall --with-mpm=event --enable-mpms-shared=event - pkgs: curl python3-pytest nghttp2-client python3-cryptography python3-requests python3-multipart python3-filelock python3-websockets cargo cbindgen - env: | - APR_VERSION=1.7.4 - APU_VERSION=1.6.3 - APU_CONFIG="--with-crypto" - RUSTLS_VERSION="v0.13.0" - NO_TEST_FRAMEWORK=1 - TEST_INSTALL=1 - TEST_MOD_TLS=1 # ------------------------------------------------------------------------- ### TODO if: *condition_not_24x ### TODO: Fails because :i386 packages are not being found. @@ -244,10 +247,14 @@ jobs: CONFIG: ${{ matrix.config }} name: ${{ matrix.name }} steps: + # JOBID is used in the cache keys, created here as a hash of all + # properties of the environment, including the image OS version, + # compiler flags and any job-specific properties. - name: Set environment variables run: | echo "${{ matrix.env }}" >> $GITHUB_ENV - echo JOBID=`echo "${{ matrix.notest-cflags }} ${{ matrix.env }} ${{ matrix.config }}'"| md5sum - | sed 's/ .*//'` >> $GITHUB_ENV + echo JOBID=`echo "OS=$ImageOS ${{ matrix.notest-cflags }} ${{ matrix.env }} ${{ matrix.config }}" \ + | md5sum - | sed 's/ .*//'` >> $GITHUB_ENV # https://github.com/actions/runner-images/issues/9491#issuecomment-1989718917 - name: Workaround ASAN issue in Ubuntu 22.04 run: sudo sysctl vm.mmap_rnd_bits=28 @@ -258,7 +265,7 @@ jobs: cpanminus libtool-bin libapr1-dev libaprutil1-dev liblua5.3-dev libbrotli-dev libcurl4-openssl-dev libnghttp2-dev libjansson-dev libpcre2-dev gdb - perl-doc ${{ matrix.pkgs }} + perl-doc libsasl2-dev ${{ matrix.pkgs }} - uses: actions/checkout@v4 - name: Cache installed libraries uses: actions/cache@v4 @@ -285,5 +292,6 @@ jobs: if: failure() with: name: error_log-${{ env.JOBID }} - path: test/perl-framework/t/logs/error_log - + path: | + **/config.log + test/perl-framework/t/logs/error_log diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml new file mode 100644 index 0000000000..ac9cb119a8 --- /dev/null +++ b/.github/workflows/windows.yml @@ -0,0 +1,63 @@ +name: Windows + +on: + push: + branches: [ "*" ] + paths-ignore: + - 'docs/**' + - STATUS + - CHANGES + - changes-entries/* + pull_request: + branches: [ "trunk", "2.4.x" ] + paths-ignore: + - 'docs/**' + - STATUS + - CHANGES + - changes-entries/* + +jobs: + build: + strategy: + fail-fast: false + matrix: + include: + - name: Default + triplet: x64-windows + arch: x64 + build-type: Debug + generator: "Ninja" + + runs-on: windows-latest + timeout-minutes: 30 + name: ${{ matrix.name }} + env: + VCPKG_BINARY_SOURCES: "clear;x-gha,readwrite" + steps: + - name: Export GitHub Actions cache environment variables + uses: actions/github-script@v7 + with: + script: | + core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || ''); + core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); + + - name: Install dependencies + run: vcpkg install --triplet ${{ matrix.triplet }} apr[private-headers] apr-util pcre2 openssl + + - uses: actions/checkout@v3 + + - name: Configure CMake + shell: cmd + run: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=${{ matrix.arch }} + cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{ matrix.build-type }} ^ + -G "${{ matrix.generator }}" ^ + -DCMAKE_TOOLCHAIN_FILE=C:/vcpkg/scripts/buildsystems/vcpkg.cmake ^ + -DAPR_INCLUDE_DIR=C:/vcpkg/installed/${{ matrix.triplet }}/include ^ + "-DAPR_LIBRARIES=C:/vcpkg/installed/${{ matrix.triplet }}/lib/libapr-1.lib;C:/vcpkg/installed/${{ matrix.triplet }}/lib/libaprutil-1.lib" + + - name: Build + shell: cmd + run: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=${{ matrix.arch }} + cmake --build ${{github.workspace}}/build --config ${{ matrix.build-type }} diff --git a/ABOUT_APACHE b/ABOUT_APACHE index 490b806739..2443b12851 100644 --- a/ABOUT_APACHE +++ b/ABOUT_APACHE @@ -128,7 +128,7 @@ group of volunteers who vote on changes to the distributed server), then you need to start by subscribing to the dev@httpd.apache.org mailing list. One warning though: traffic is high, 1000 to 1500 messages/month. To subscribe to the list, send an email to dev-subscribe@httpd.apache.org. -We recommend reading the list for a while before trying to jump in to +We recommend reading the list for a while before trying to jump in to development. NOTE: The developer mailing list (dev@httpd.apache.org) is not diff --git a/CHANGES b/CHANGES index cd86fe7540..bc3396dd7b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,123 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.63 + + *) mod_dav: Update redirect-carefully example BrowserMatch config + to match more recent client versions. PR 66148, 67039. + [Michal Maloszewski , + Romain Tartière ] + + *) mod_cache_socache: Fix possible crash on error path. PR 69358. + [Ruediger Pluem] + + *) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails. + [StephenWall] + + *) mod_md: update to version 2.4.31 + - Improved error reporting when waiting for ACME server to verify domains + or finalizing the order fails, e.g. times out. + - Increasing the timeouts to wait for ACME server to verify domain names + and issue the certificate from 30 seconds to 5 minutes. + - Change a log level from error to debug when Stapling is enabled but a + certificate carries no OCSP responder URL. + + *) mod_proxy_balancer: Fix the handling of the stickysession configuration + parameter by the balancer manager. PR 69510 + [Yutaka Tokunou ] + + *) Add the ldap-search option to mod_authnz_ldap, allowing authorization + to be based on arbitrary expressions that do not include the username. + Make sure that when ldap searches are too long, we explicitly log the + error. [Graham Leggett] + + *) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution + in the host name or port. PR 69233. [Yann Ylavic] + + *) mod_log_config: Fix merging for the "LogFormat" directive. + PR 65222. [Michael Kaufmann ] + + *) mod_lua: Make r.ap_auth_type writable. PR 62497. + [Michael Osipov ] + + *) mod_md: update to version 2.4.29 + - Fixed HTTP-01 challenges to not carry a final newline, as some ACME + server fail to ignore it. [Michael Kaufmann (@mkauf)] + - Fixed missing label+newline in server-status plain text output when + MDStapling is enabled. + + *) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE + without "SSLCryptoDevice" configured. [Joe Orton] + + *) mod_authnz_ldap: Fix possible memory corruption if the + AuthLDAPSubGroupAttribute directive is configured. [Joe Orton] + + *) mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler. + PR 69203. [Yann Ylavic] + + *) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs, + including "unix:" ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem] + + *) mod_rewrite: Error out in case a RewriteRule in directory context uses the + proxy, but mod_proxy is not loaded. PR 56264. + [Christophe Jaillet, Michael Streeter ] + + *) http: Remove support for Request-Range header sent by Navigator 2-3 and + MSIE 3. [Stefan Fritsch] + + *) mod_rewrite: Don't require [UNC] flag to preserve a leading // + added by applying the perdir prefix to the substitution. + [Ruediger Pluem, Eric Covener] + + *) Windows: Restore the ability to "Include" configuration files on UNC + paths. PR 69313 [Eric Covener] + + *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs + in (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic] + + *) mod_md: update to version 2.4.28 + - When the server starts, it looks for new, staged certificates to + activate. If the staged set of files in 'md/staging/' is messed + up, this could prevent further renewals to happen. Now, when the staging + set is present, but could not be activated due to an error, purge the + whole directory. [icing] + - Fix certificate retrieval on ACME renewal to not require a 'Location:' + header returned by the ACME CA. This was the way it was done in ACME + before it became an IETF standard. Let's Encrypt still supports this, + but other CAs do not. [icing] + - Restore compatibility with OpenSSL < 1.1. [ylavic] + + *) mod_tls: removed the experimental module. It now is availble standalone + from https://github.com/icing/mod_tls. The rustls provided API is not + stable and does not align with the httpd release cycle. + [Stefan Eissing] + + *) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. + PR 69197. [Yann Ylavic, Eric Covener] + + *) mod_http2: Return connection monitoring to the event MPM when blocking + on client updates. [Stefan Eissing, Yann Ylavic] + Changes with Apache 2.4.62 + *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with + mod_rewrite in server/vhost context on Windows (cve.mitre.org) + SSRF in Apache HTTP Server on Windows with mod_rewrite in + server/vhost context, allows to potentially leak NTML hashes to + a malicious server via SSRF and malicious requests. + Users are recommended to upgrade to version 2.4.62 which fixes + this issue. + Credits: Smi1e (DBAPPSecurity Ltd.) + + *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code + disclosure with handlers configured via AddType (cve.mitre.org) + A partial fix for CVE-2024-39884 in the core of Apache HTTP + Server 2.4.61 ignores some use of the legacy content-type based + configuration of handlers. "AddType" and similar configuration, + under some circumstances where files are requested indirectly, + result in source code disclosure of local content. For example, + PHP scripts may be served instead of interpreted. + Users are recommended to upgrade to version 2.4.62, which fixes + this issue. + *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets with BalancerMember(s). PR 69168. [Yann Ylavic] @@ -119,7 +236,7 @@ Changes with Apache 2.4.60 Credits: Marc Stern () *) mod_proxy: Fix DNS requests and connections closed before the - configured addressTTL. BZ 69126. [Yann Ylavic] + configured addressTTL. PR 69126. [Yann Ylavic] *) core: On Linux, log the real thread ID in error logs. [Joe Orton] @@ -1325,7 +1442,7 @@ Changes with Apache 2.4.48 [Yann Ylavic] *) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling. - BZ 65294. [Yann Ylavic] + PR 65294. [Yann Ylavic] *) core: Fix a regression that stripped the ETag header from 304 responses. PR 61820 [Ruediger Pluem, Roy T. Fielding] diff --git a/CMakeLists.txt b/CMakeLists.txt index 7b30547d39..9b38f699db 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -27,6 +27,7 @@ FIND_PACKAGE(Lua51) FIND_PACKAGE(OpenSSL) FIND_PACKAGE(ZLIB) FIND_PACKAGE(CURL) +FIND_PACKAGE(PCRE2 COMPONENTS 8BIT) # Options for support libraries not supported by cmake-bundled FindFOO @@ -47,7 +48,10 @@ ENDIF() # PCRE names its libraries differently for debug vs. release builds. # We can't query our own CMAKE_BUILD_TYPE at configure time. # If the debug version exists in PREFIX/lib, default to that one. -IF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/pcre2-8d.lib") +IF(PCRE2_FOUND) + SET(default_pcre_libraries "PCRE2::8BIT") + SET(default_pcre_cflags "-DHAVE_PCRE2") +ELSEIF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/pcre2-8d.lib") SET(default_pcre_libraries ${CMAKE_INSTALL_PREFIX}/lib/pcre2-8d.lib) SET(default_pcre_cflags "-DHAVE_PCRE2") ELSEIF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/pcre2-8.lib") @@ -628,11 +632,10 @@ ENDIF() CONFIGURE_FILE(os/win32/BaseAddr.ref ${PROJECT_BINARY_DIR}/ COPYONLY) ADD_EXECUTABLE(gen_test_char server/gen_test_char.c) -GET_TARGET_PROPERTY(GEN_TEST_CHAR_EXE gen_test_char LOCATION) ADD_CUSTOM_COMMAND( COMMENT "Generating character tables, test_char.h, for current locale" DEPENDS gen_test_char - COMMAND ${GEN_TEST_CHAR_EXE} > ${PROJECT_BINARY_DIR}/test_char.h + COMMAND $ > ${PROJECT_BINARY_DIR}/test_char.h OUTPUT ${PROJECT_BINARY_DIR}/test_char.h ) ADD_CUSTOM_TARGET( diff --git a/NOTICE b/NOTICE index 4ac4b6f5a6..7890540f67 100644 --- a/NOTICE +++ b/NOTICE @@ -1,5 +1,5 @@ Apache HTTP Server -Copyright 2024 The Apache Software Foundation. +Copyright 2025 The Apache Software Foundation. This product includes software developed at The Apache Software Foundation (https://www.apache.org/). diff --git a/STATUS b/STATUS index b3689bedc3..e090204898 100644 --- a/STATUS +++ b/STATUS @@ -29,7 +29,8 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.4.62 : In development + 2.4.63 : In development + 2.4.62 : Released on July 17, 2024 2.4.61 : Released on July 03, 2024 2.4.60 : Released on July 01, 2024 2.4.59 : Released on April 04, 2024 @@ -156,72 +157,25 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_http2: sync with github module. Add async handling - on newer httpd for blocked connections, fix yield handling. - Trunk version of patch: - https://svn.apache.org/r1918003 - https://svn.apache.org/r1918022 - https://svn.apache.org/r1918035 - https://svn.apache.org/r1918078 - https://svn.apache.org/r1918098 - https://svn.apache.org/r1918099 - https://svn.apache.org/r1918257 - https://svn.apache.org/r1918482 - https://svn.apache.org/r1918483 - https://svn.apache.org/r1918491 - https://svn.apache.org/r1919141 - https://svn.apache.org/r1919148 - 2.4.x version of patch: - https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/449.diff - PR: https://github.com/apache/httpd/pull/449 - +1: ylavic, icing, gbechis - rpluem says: PR currently has merge conflicts that need to be resolved - ylavic says: PR rebased and r1919141 added (colspan adjustment in mod_status) - Added r1919148 too for another old) colspan issue - Tiny fix which needs vote reset? PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] - *) Add the ldap-search option to mod_authnz_ldap, allowing authorization - to be based on arbitrary expressions that do not include the username. - Make sure that when ldap searches are too long, we explicitly log the - error. - Trunk version of patch: - https://svn.apache.org/r1589993 - https://svn.apache.org/r1591012 - https://svn.apache.org/r1596108 - https://svn.apache.org/r1745033 - https://svn.apache.org/r1913958 - https://svn.apache.org/r1913959 - https://svn.apache.org/r1914091 - https://svn.apache.org/r1914281 - Backport version for 2.4.x of patch: - https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-ldap-search5.patch - +1: minfrin - - *) mod_proxy: prevent bad busy values and problems with bybusyness - Trunk version of patch: - https://svn.apache.org/r1912245 - https://svn.apache.org/r1913930 - svn merge -c 1912245 ^/httpd/httpd/trunk . - svn merge -c 1913930 ^/httpd/httpd/trunk . - +1: minfrin - minfrin: r1913930 added, votes reset, mmn bump needed - ylavic: not sure since it's not public (i.e. in mod_proxy.h)? - minfrin: true, mmn bump not needed - ylavic: new proposal in https://github.com/apache/httpd/pull/396 - -1: jfclere The new proposal is NOT in trunk - - *) mod_ldap: Add a hint to install the apr_ldap module on init failure. - trunk patch: http://svn.apache.org/r1914038 - 2.4.x patch: svn merge -c r1914038 ^/httpd/httpd/trunk . - +1: minfrin - - *) CMake: Use full path to gen_test_char.exe in CUSTOM_COMMAND. - trunk patch: http://svn.apache.org/r1902366 - 2.4.x patch: svn merge -c r1902366 ^/httpd/httpd/trunk . + *) CMake: Remove awk dependency when building using CMake. Before this awk was + required for -DWITH_MODULES option. + trunk patch: https://svn.apache.org/r1919413 + https://svn.apache.org/r1919587 + https://svn.apache.org/r1919602 + 2.4.x patch: svn merge -c r1919413 -c r1919587 -c r1919602 ^/httpd/httpd/trunk . +1: ivan + +0: jorton - falls under RTC exception for "non-Unix build" + + *) core: In set_override(), check the return value of set_allow_opts(). + Github #310 + trunk patch: https://svn.apache.org/r1917017 + https://svn.apache.org/r1923218 + 2.4.x patch: svn merge -c 1917017,1923218 ^/httpd/httpd/trunk . + +1: rjung (reduce code drift), jorton PATCHES/ISSUES THAT ARE BEING WORKED [ New entries should be added at the START of the list ] @@ -247,33 +201,6 @@ PATCHES/ISSUES THAT ARE BEING WORKED does a minor bump only. minfrin: Two new directives need to be documented. - * mod_proxy_http: Don't establish or reuse a backend connection before pre- - fetching the request body, so to minimize the delay between it is supposed - to be alive and the first bytes sent: this is a best effort to prevent the - backend from closing because of idle or keepalive timeout in the meantime. - Also, handle a new "proxy-flushall" environment variable which allows to - flush any forwarded body data immediately. PR 56541+37920. - trunk patch: http://svn.apache.org/r1656259 - http://svn.apache.org/r1656359 (CHANGES entry) - 2.4.x patch: trunk works (modulo CHANGES, docs/log-message-tags) - +1: ylavic - -0: jim: This seems to be a hit to normal performance, to handle an - error and/or non-normal condition. The pre-fetch is - expensive, and is always done, even before we know that - the backend is available to rec' it. I understand the - error described, but is the fix actually worth it (plus - it seems to allow for a DDoS vector). - ylavic: It seems to me that the problem is real since we reuse the - connection before prefetching 16K (either controlled by the - client, or by an input filter), we currently always prefetch - these bytes already. Regarding performance I don't see any - difference (more cycles) compared with the current code. - However I think I failed to rebuild the header_brigade when - the proxy loop is retried (ping), so I need to rework this. - Do you think we'd better remove the prefetch, or maybe just - make it nonblocking (by default)? - jim: Non-blocking seems the best way to handle... - PATCHES/ISSUES THAT ARE STALLED *) core: avoid duplicate headers when using ap_send_error_response. @@ -411,4 +338,17 @@ PATCHES/ISSUES THAT ARE STALLED +1: minfrin -1: jorton, appears to be a duplicate of the existing -B option + *) mod_proxy: prevent bad busy values and problems with bybusyness + Trunk version of patch: + https://svn.apache.org/r1912245 + https://svn.apache.org/r1913930 + svn merge -c 1912245 ^/httpd/httpd/trunk . + svn merge -c 1913930 ^/httpd/httpd/trunk . + +1: minfrin + minfrin: r1913930 added, votes reset, mmn bump needed + ylavic: not sure since it's not public (i.e. in mod_proxy.h)? + minfrin: true, mmn bump not needed + ylavic: new proposal in https://github.com/apache/httpd/pull/396 + -1: jfclere The new proposal is NOT in trunk + diff --git a/docs/conf/charset.conv b/docs/conf/charset.conv index 3cd6fa9d89..bd7ae87c22 100644 --- a/docs/conf/charset.conv +++ b/docs/conf/charset.conv @@ -12,7 +12,7 @@ zh-cn GB2312 Chinese-Simplified zh-tw Cp950 Chinese cs ISO-8859-2 Czech hu ISO-8859-2 Hungarian -hr ISO-8859-2 Croation +hr ISO-8859-2 Croatian pl ISO-8859-2 Polish ro ISO-8859-2 Romanian sr ISO-8859-2 Serbian @@ -52,4 +52,4 @@ ar ISO-8859-6 Arabic et ISO-8859-1 Estonian lv ISO-8859-2 Latvian lt ISO-8859-2 Lithuanian - \ No newline at end of file + diff --git a/docs/conf/extra/httpd-dav.conf.in b/docs/conf/extra/httpd-dav.conf.in index f1d35e04c2..2bf55455e0 100644 --- a/docs/conf/extra/httpd-dav.conf.in +++ b/docs/conf/extra/httpd-dav.conf.in @@ -43,8 +43,11 @@ Alias /uploads "@@ServerRoot@@/uploads" BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "MS FrontPage" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully -BrowserMatch "^WebDAVFS/1.[01234]" redirect-carefully -BrowserMatch "^gnome-vfs/1.0" redirect-carefully +BrowserMatch "^WebDAVFS/1\.[012]" redirect-carefully +BrowserMatch "^gnome-vfs/1\.0" redirect-carefully +BrowserMatch "^gvfs/1" redirect-carefully BrowserMatch "^XML Spy" redirect-carefully BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully BrowserMatch " Konqueror/4" redirect-carefully +BrowserMatch " Konqueror/5" redirect-carefully +BrowserMatch " dolphin/" redirect-carefully diff --git a/docs/conf/mime.types b/docs/conf/mime.types index 98a8e8451a..92ee7178aa 100644 --- a/docs/conf/mime.types +++ b/docs/conf/mime.types @@ -1553,6 +1553,7 @@ image/ief ief image/jpeg jpeg jpg jpe # image/jpm # image/jpx +image/jxl jxl image/ktx ktx # image/naplps image/png png diff --git a/docs/manual/bind.html.de b/docs/manual/bind.html.de index 5edd2033f2..fe44ac3047 100644 --- a/docs/manual/bind.html.de +++ b/docs/manual/bind.html.de @@ -220,7 +220,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/bind.html'; } })(window, document); //--> - - - - -
<-
- -
-

Apache Module mod_tls

-
-

Available Languages:  en 

-
- - - - -
Description:TLS v1.2 and v1.3 implemented in memory-safe Rust via - the rustls library -
Status:Experimental
Module Identifier:tls_module
Source File:mod_tls.c
Compatibility:Available in version 2.4.52 and later
-

Summary

- -

- mod_tls is an alternative to mod_ssl for providing https to a server. - It's feature set is a subset, described in more detail below. It can - be used as a companion to mod_ssl, e.g. both modules can be loaded at - the same time. -

- mod_tls, being written in C, used the Rust implementation of TLS named - rustls via its C interface - rustls-ffi. This gives - memory safe cryptography and protocol handling at comparable - performance. -

- It can be configured for frontend and backend connections. The configuration - directive have been kept mostly similar to mod_ssl ones. -

-
- -
top
-
-

TLS in a VirtualHost context

- -
Listen 443
-TLSEngine 443
-
-<VirtualHost *:443>
-  ServerName example.net
-  TLSCertificate file_with_certificate.pem file_with_key.pem
-  ...
-</VirtualHost>
- -

- The above is a minimal configuration. Instead of enabling mod_tls - in every virtual host, the port for incoming TLS connections is - specified. -

- You cannot mix virtual hosts with mod_ssl and mod_tls on the same - port. It's either or. SNI and ALPN are supported. You may use several - virtual hosts on the same port and a mix of protocols like http/1.1 - and h2. -

-
top
-
-

Feature Comparison with mod_ssl

-

- The table below gives a comparison of feature between - mod_ssl and mod_tls. If a feature of mod_ssl is no listed here, - it is not supported by mod_tls. The one difference, probably most relevant - is the lack for client certificate support in the current version of - mod_tls. -

- - - - - - - - - - - - - - - - - - - - - - - -
Featuremod_sslmod_tlsComment
Frontend TLSyesyes
Backend TLSyesyes
TLS v1.3yes*yes*)with recent OpenSSL
TLS v1.2yesyes
TLS v1.0yes*no*)if enabled in OpenSSL
SNI Virtual Hostsyesyes
Client Certificatesyesno
Machine Certificates for Backendyesyes
OCSP Staplingyesyes**)via mod_md
Backend OCSP checkyesno**)stapling will be verified
TLS version to allowmin-maxmin
TLS ciphersexclusive listpreferred/suppressed
TLS cipher orderingclient/serverclient/server
TLS sessionsyesyes
SNI strictnessdefault nodefault yes
Option EnvVarsexhaustivelimited**)see var list
Option ExportCertDataclient+serverserver
Backend CAfile/dirfile
Revocation CRLsyesno
TLS Renegotiationyes*no*)in TLS v1.2
Encrypted Cert Keysyesno
-

-

-
top
-
-

TLS Protocols

-

- mod_tls supports TLS protocol version 1.2 and 1.3. Should there ever be - a version 1.4 and rustls supports it, it will be available as well. -

-

- In mod_tls, you configure the minimum version to use, never the maximum: -

-
TLSProtocol TLSv1.3+
- -

- This allows only version 1.3 and whatever may be its successor one day when talking - to your server or to a particular virtual host. -

-
top
-
-

TLS Ciphers

-

- The list of TLS ciphers supported in the rustls library, - can be found here. All TLS v1.3 - ciphers are supported. For TLS v1.2, only ciphers that rustls considers - secure are available. -

- mod_tls supports the following names for TLS ciphers: -

-
    -
  1. - The IANA assigned name - which uses `_` to separate parts. Example: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -
  2. -
  3. - The OpenSSL name, using `-` as separator (for 1.2). Example: ECDHE-ECDSA-AES256-SHA384. - Such names often appear in documentation. `mod_tls` defines them for all TLS v1.2 ciphers. - For TLS v1.3 ciphers, names starting with TLS13_ are also supported. -
  4. -
  5. - The IANA assigned identifier, - which is a 16-bit numeric value. Example: 0xc024. - You can use this in configurations as TLS_CIPHER_0xc024. -
  6. -
-

- You can configure a preference for ciphers, which means they will be used - for clients that support them. If you do not configure a preference, rustls - will use the one that it considers best. This is recommended. -

-

- Should you nevertheless have the need to prefer one cipher over another, you - may configure it like this: -

-
TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384
-# or several
-TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
- -

- If you name a cipher that is unknown, the configuration will fail. - If you name a cipher is not supported by rustls (or no - longer supported in an updated version of rustls for security - reasons), mod_tls will log a WARNING, but continue to work. -

-

- A similar mechanism exists, if you want to disable a particular cipher: -

-
TLSCipherSuppress ECDHE-ECDSA-AES256-SHA384
- -

- A suppressed cipher will not longer be used. - If you name a cipher that is unknown, the configuration will fail. - If you name a cipher is not supported by rustls (or no - longer supported in an updated version of rustls for security - reasons), mod_tls will log a WARNING, but continue to work. -

-
top
-
-

Virtual Hosts

-

- mod_tls uses the SNI (Server Name Indicator) to select one of the - configured virtual hosts that match the port being served. Should - the client not provide an SNI, the first configured - virtual host will be selected. If the client does provide - an SNI (as all today's clients do), it must match one - virtual host (ServerName or - ServerAlias) - or the connection will fail. -

-

- As with mod_ssl, you may specify ciphers and protocol - versions for the base server (global) and/or individual virtual hosts - that are selected via SNI by the client. -

-
Listen 443
-TLSEngine 443
-
-<VirtualHost *:443>
-  ServerName example1.net
-  TLSCertificate example1-cert.pem
-  ...
-</VirtualHost>
-
-<VirtualHost *:443>
-  ServerName example2.net
-  TLSCertificate example2-cert.pem
-  ...
-  TLSProtocol v1.3+
-</VirtualHost>
- -

- The example above show different TLS settings for virtual hosts on the - same port. This is supported. example1 can be contacted via - all TLS versions and example2 only allows v1.3 or later. -

-
top
-
-

ACME Certificates

-

- ACME certificates via mod_md are supported, just as - for mod_ssl. A minimal configuration: -

-
Listen 443
-TLSEngine 443
-MDomain example.net
-
-<VirtualHost *:443>
-  ServerName example.net
-  ...
-</VirtualHost>
- -
top
-
-

OCSP Stapling

-

- mod_tls has no own implementation to retrieve OCSP information for - a certificate. However, it will use such for Stapling if it is provided - by mod_md. See mod_md's documentation - on how to enable this. -

-
top
-
-

TLS Variables

-

- Via the directive TLSOptions, several variables - are placed into the environment of requests and can be inspected, for - example in a CGI script. -

-

- The variable names are given by mod_ssl. Note that these - are only a subset of the many variables that mod_ssl exposes. -

- - - - - - - - - - - - - -
VariableTLSOptionDescription
SSL_TLS_SNI*the server name indicator (SNI) send by the client
SSL_PROTOCOL*the TLS protocol negotiated
SSL_CIPHER*the name of the TLS cipher negotiated
SSL_VERSION_INTERFACEStdEnvVarsthe module version
SSL_VERSION_LIBRARYStdEnvVarsthe rustls-ffi version
SSL_SECURE_RENEGStdEnvVarsalways `false`
SSL_COMPRESS_METHODStdEnvVarsalways `false`
SSL_CIPHER_EXPORTStdEnvVarsalways `false`
SSL_CLIENT_VERIFYStdEnvVarsalways `false`
SSL_SESSION_RESUMEDStdEnvVarseither `Resumed` if a known TLS session id was presented by the client or `Initial` otherwise
SSL_SERVER_CERTExportCertDatathe selected server certificate in PEM format
-

- The variable SSL_SESSION_ID is intentionally not supported as - it contains sensitive information. -

-
top
-
-

Client Certificates

-

- While rustls supports client certificates in principle, parts - of the infrastructure to make use of these in a server are not - offered. -

-

- Among these features are: revocation lists, inspection of certificate - extensions and the matched issuer chain for OCSP validation. Without these, - revocation of client certificates is not possible. Offering authentication - without revocation is not considered an option. -

-

- Work will continue on this and client certificate support may become - available in a future release. -

-
-
top
-

TLSCertificate Directive

- - - - - - -
Description:adds a certificate and key (PEM encoded) to a server/virtual host.
Syntax:TLSCertificate cert_file [key_file]
Context:server config, virtual host
Status:Experimental
Module:mod_tls
-

- If you do not specify a separate key file, the key is assumed to also be - found in the first file. You may add more than one certificate to a - server/virtual host. The first certificate suitable for a client is then chosen. -

- The path can be specified relative to the server root. -

- -
-
top
-

TLSCiphersPrefer Directive

- - - - - - -
Description:defines ciphers that are preferred.
Syntax:TLSCiphersPrefer cipher(-list)
Context:server config, virtual host
Status:Experimental
Module:mod_tls
-

- This will not disable any ciphers supported by `rustls`. If you - specify a cipher that is completely unknown, the configuration will - fail. If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

-

-

Example

TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
-
-

- The example gives 2 ciphers preference over others, in the - order they are mentioned. -

- -
-
top
-

TLSCiphersSuppress Directive

- - - - - - -
Description:defines ciphers that are not to be used.
Syntax:TLSCiphersSuppress cipher(-list)
Context:server config, virtual host
Status:Experimental
Module:mod_tls
-

- This will not disable any unmentioned ciphers supported by `rustls`. - If you specify a cipher that is completely unknown, the configuration will fail. - If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

-

-

Example

TLSCiphersSuppress ECDHE-ECDSA-CHACHA20-POLY1305
-
-

- The example removes a cipher for use in connections. -

- -
-
top
-

TLSEngine Directive

- - - - - - -
Description:defines on which address+port the module shall handle incoming connections.
Syntax:TLSEngine [address:]port
Context:server config
Status:Experimental
Module:mod_tls
-

- This is set on a global level, not in individual <VirtualHost>s. - It will affect all <VirtualHost> - that match the specified address/port. - You can use TLSEngine several times to use more than one address/port. -

-

-

Example

TLSEngine 443
-
-

- The example tells mod_tls to handle incoming connection on port 443 for - all listeners. -

- -
-
top
-

TLSHonorClientOrder Directive

- - - - - - - -
Description:determines if the order of ciphers supported by the client is honored
Syntax:TLSHonorClientOrder on|off
Default:TLSHonorClientOrder on
Context:server config, virtual host
Status:Experimental
Module:mod_tls
-

- TLSHonorClientOrder determines if the order of ciphers - supported by the client is honored. -

-

- -
-
top
-

TLSOptions Directive

- - - - - - -
Description:enables SSL variables for requests.
Syntax:TLSOptions [+|-]option
Context:server config, virtual host, directory, .htaccess
Status:Experimental
Module:mod_tls
-

- TLSOptions is analog to SSLOptions in mod_ssl. - It can be set per directory/location and `option` can be: -

-
    -
  • `StdEnvVars`: adds more variables to the requests environment, - as forwarded for example to CGI processing and other applications. -
  • -
  • `ExportCertData`: adds certificate related variables to the request environment. -
  • -
  • `Defaults`: resets all options to their default values.
  • -
-

- Adding variables to a request environment adds overhead, especially - when certificates need to be inspected and fields extracted. - Therefore most variables are not set by default. -

-

- You can configure TLSOptions per location or generally on a - server/virtual host. Prefixing an option with `-` disables this - option while leaving others unchanged. - A `+` prefix is the same as writing the option without one. -

-

- The `Defaults` value can be used to reset any options that are - inherited from other locations or the virtual host/server. -

-

Example

<Location /myplace/app>
-  TLSOptions Defaults StdEnvVars
-  ...
-</Location>
-
- -
-
top
-

TLSProtocol Directive

- - - - - - - -
Description:specifies the minimum version of the TLS protocol to use.
Syntax:TLSProtocol version+
Default:TLSProtocol v1.2+
Context:server config, virtual host
Status:Experimental
Module:mod_tls
-

- The default is `v1.2+`. Settings this to `v1.3+` would disable TLSv1.2. -

- -
-
top
-

TLSProxyCA Directive

- - - - - - -
Description:sets the root certificates to validate the backend server with.
Syntax:TLSProxyCA file.pem
Context:server config, virtual host, proxy section
Status:Experimental
Module:mod_tls
-

- -

- -
-
top
-

TLSProxyCiphersPrefer Directive

- - - - - - -
Description:defines ciphers that are preferred for a proxy connection.
Syntax:TLSProxyCiphersPrefer cipher(-list)
Context:server config, virtual host, proxy section
Status:Experimental
Module:mod_tls
-

- This will not disable any ciphers supported by `rustls`. - If you specify a cipher that is completely unknown, the configuration will fail. - If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

- -
-
top
-

TLSProxyCiphersSuppress Directive

- - - - - - -
Description:defines ciphers that are not to be used for a proxy connection.
Syntax:TLSProxyCiphersSuppress cipher(-list)
Context:server config, virtual host, proxy section
Status:Experimental
Module:mod_tls
-

- This will not disable any unmentioned ciphers supported by `rustls`. - If you specify a cipher that is completely unknown, the configuration will fail. - If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

- -
-
top
-

TLSProxyEngine Directive

- - - - - - -
Description:enables TLS for backend connections.
Syntax:TLSProxyEngine on|off
Context:server config, virtual host, proxy section
Status:Experimental
Module:mod_tls
-

- TLSProxyEngine is analog to SSLProxyEngine in mod_ssl. -

- This can be used in a server/virtual host or <Proxy> section to - enable the module for outgoing connections using mod_proxy. -

- -
-
top
-

TLSProxyMachineCertificate Directive

- - - - - - -
Description:adds a certificate and key file (PEM encoded) to a proxy setup.
Syntax:TLSProxyMachineCertificate cert_file [key_file]
Context:server config, virtual host, proxy section
Status:Experimental
Module:mod_tls
-

- The certificate is used to authenticate against a proxied backend server. -

- If you do not specify a separate key file, the key is assumed to also be - found in the first file. You may add more than one certificate to a proxy - setup. The first certificate suitable for a proxy connection to a backend - is then chosen by rustls. -

-

- The path can be specified relative to the server root. -

- -
-
top
-

TLSProxyProtocol Directive

- - - - - - - -
Description:specifies the minimum version of the TLS protocol to use in proxy connections.
Syntax:TLSProxyProtocol version+
Default:TLSProxyProtocol v1.2+
Context:server config, virtual host, proxy section
Status:Experimental
Module:mod_tls
-

- The default is `v1.2+`. Settings this to `v1.3+` would disable TLSv1.2. -

- -
-
top
-

TLSSessionCache Directive

- - - - - - -
Description:specifies the cache for TLS session resumption.
Syntax:TLSSessionCache cache-spec
Context:server config
Status:Experimental
Module:mod_tls
-

- This uses a cache on the server side to allow clients to resume connections. -

- You can set this to `none` or define a cache as in the SSLSessionCache - directive of mod_ssl. -

- If not configured, `mod_tls` will try to create a shared memory cache on its own, - using `shmcb:tls/session-cache` as specification. - Should that fail, a warning is logged, but the server continues. -

- -
-
top
-

TLSStrictSNI Directive

- - - - - - - -
Description:enforces exact matches of client server indicators (SNI) against host names.
Syntax:TLSStrictSNI on|off
Default:TLSStrictSNI on
Context:server config
Status:Experimental
Module:mod_tls
-

- Client connections using SNI will be unsuccessful if no match is found. -

- -
-
-
-

Available Languages:  en 

-
top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our mailing lists.
-
- \ No newline at end of file diff --git a/docs/manual/mod/mod_tls.xml b/docs/manual/mod/mod_tls.xml deleted file mode 100644 index 8e88923482..0000000000 --- a/docs/manual/mod/mod_tls.xml +++ /dev/null @@ -1,640 +0,0 @@ - - - - - - - - - - mod_tls - TLS v1.2 and v1.3 implemented in memory-safe Rust via - the rustls library - - Experimental - mod_tls.c - tls_module - Available in version 2.4.52 and later - -

- mod_tls is an alternative to mod_ssl for providing https to a server. - It's feature set is a subset, described in more detail below. It can - be used as a companion to mod_ssl, e.g. both modules can be loaded at - the same time. -

- mod_tls, being written in C, used the Rust implementation of TLS named - rustls via its C interface - rustls-ffi. This gives - memory safe cryptography and protocol handling at comparable - performance. -

- It can be configured for frontend and backend connections. The configuration - directive have been kept mostly similar to mod_ssl ones. -

-
-
- TLS in a VirtualHost context - -Listen 443 -TLSEngine 443 - -<VirtualHost *:443> - ServerName example.net - TLSCertificate file_with_certificate.pem file_with_key.pem - ... -</VirtualHost> - -

- The above is a minimal configuration. Instead of enabling mod_tls - in every virtual host, the port for incoming TLS connections is - specified. -

- You cannot mix virtual hosts with mod_ssl and mod_tls on the same - port. It's either or. SNI and ALPN are supported. You may use several - virtual hosts on the same port and a mix of protocols like http/1.1 - and h2. -

-
- -
Feature Comparison with mod_ssl -

- The table below gives a comparison of feature between - mod_ssl and mod_tls. If a feature of mod_ssl is no listed here, - it is not supported by mod_tls. The one difference, probably most relevant - is the lack for client certificate support in the current version of - mod_tls. -

- - - - - - - - - - - - - - - - - - - - - - - -
Featuremod_sslmod_tlsComment
Frontend TLSyesyes
Backend TLSyesyes
TLS v1.3yes*yes*)with recent OpenSSL
TLS v1.2yesyes
TLS v1.0yes*no*)if enabled in OpenSSL
SNI Virtual Hostsyesyes
Client Certificatesyesno
Machine Certificates for Backendyesyes
OCSP Staplingyesyes**)via mod_md
Backend OCSP checkyesno**)stapling will be verified
TLS version to allowmin-maxmin
TLS ciphersexclusive listpreferred/suppressed
TLS cipher orderingclient/serverclient/server
TLS sessionsyesyes
SNI strictnessdefault nodefault yes
Option EnvVarsexhaustivelimited**)see var list
Option ExportCertDataclient+serverserver
Backend CAfile/dirfile
Revocation CRLsyesno
TLS Renegotiationyes*no*)in TLS v1.2
Encrypted Cert Keysyesno
-

-

-
- -
TLS Protocols -

- mod_tls supports TLS protocol version 1.2 and 1.3. Should there ever be - a version 1.4 and rustls supports it, it will be available as well. -

-

- In mod_tls, you configure the minimum version to use, never the maximum: -

- -TLSProtocol TLSv1.3+ - -

- This allows only version 1.3 and whatever may be its successor one day when talking - to your server or to a particular virtual host. -

-
- -
TLS Ciphers -

- The list of TLS ciphers supported in the rustls library, - can be found here. All TLS v1.3 - ciphers are supported. For TLS v1.2, only ciphers that rustls considers - secure are available. -

- mod_tls supports the following names for TLS ciphers: -

-
    -
  1. - The IANA assigned name - which uses `_` to separate parts. Example: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -
  2. -
  3. - The OpenSSL name, using `-` as separator (for 1.2). Example: ECDHE-ECDSA-AES256-SHA384. - Such names often appear in documentation. `mod_tls` defines them for all TLS v1.2 ciphers. - For TLS v1.3 ciphers, names starting with TLS13_ are also supported. -
  4. -
  5. - The IANA assigned identifier, - which is a 16-bit numeric value. Example: 0xc024. - You can use this in configurations as TLS_CIPHER_0xc024. -
  6. -
-

- You can configure a preference for ciphers, which means they will be used - for clients that support them. If you do not configure a preference, rustls - will use the one that it considers best. This is recommended. -

-

- Should you nevertheless have the need to prefer one cipher over another, you - may configure it like this: -

- -TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384 -# or several -TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 - -

- If you name a cipher that is unknown, the configuration will fail. - If you name a cipher is not supported by rustls (or no - longer supported in an updated version of rustls for security - reasons), mod_tls will log a WARNING, but continue to work. -

-

- A similar mechanism exists, if you want to disable a particular cipher: -

- -TLSCipherSuppress ECDHE-ECDSA-AES256-SHA384 - -

- A suppressed cipher will not longer be used. - If you name a cipher that is unknown, the configuration will fail. - If you name a cipher is not supported by rustls (or no - longer supported in an updated version of rustls for security - reasons), mod_tls will log a WARNING, but continue to work. -

-
- -
Virtual Hosts -

- mod_tls uses the SNI (Server Name Indicator) to select one of the - configured virtual hosts that match the port being served. Should - the client not provide an SNI, the first configured - virtual host will be selected. If the client does provide - an SNI (as all today's clients do), it must match one - virtual host (ServerName or - ServerAlias) - or the connection will fail. -

-

- As with mod_ssl, you may specify ciphers and protocol - versions for the base server (global) and/or individual virtual hosts - that are selected via SNI by the client. -

- -Listen 443 -TLSEngine 443 - -<VirtualHost *:443> - ServerName example1.net - TLSCertificate example1-cert.pem - ... -</VirtualHost> - -<VirtualHost *:443> - ServerName example2.net - TLSCertificate example2-cert.pem - ... - TLSProtocol v1.3+ -</VirtualHost> - -

- The example above show different TLS settings for virtual hosts on the - same port. This is supported. example1 can be contacted via - all TLS versions and example2 only allows v1.3 or later. -

-
- -
ACME Certificates -

- ACME certificates via mod_md are supported, just as - for mod_ssl. A minimal configuration: -

- -Listen 443 -TLSEngine 443 -MDomain example.net - -<VirtualHost *:443> - ServerName example.net - ... -</VirtualHost> - -
- -
OCSP Stapling -

- mod_tls has no own implementation to retrieve OCSP information for - a certificate. However, it will use such for Stapling if it is provided - by mod_md. See mod_md's documentation - on how to enable this. -

-
- -
TLS Variables -

- Via the directive TLSOptions, several variables - are placed into the environment of requests and can be inspected, for - example in a CGI script. -

-

- The variable names are given by mod_ssl. Note that these - are only a subset of the many variables that mod_ssl exposes. -

- - - - - - - - - - - - - -
VariableTLSOptionDescription
SSL_TLS_SNI*the server name indicator (SNI) send by the client
SSL_PROTOCOL*the TLS protocol negotiated
SSL_CIPHER*the name of the TLS cipher negotiated
SSL_VERSION_INTERFACEStdEnvVarsthe module version
SSL_VERSION_LIBRARYStdEnvVarsthe rustls-ffi version
SSL_SECURE_RENEGStdEnvVarsalways `false`
SSL_COMPRESS_METHODStdEnvVarsalways `false`
SSL_CIPHER_EXPORTStdEnvVarsalways `false`
SSL_CLIENT_VERIFYStdEnvVarsalways `false`
SSL_SESSION_RESUMEDStdEnvVarseither `Resumed` if a known TLS session id was presented by the client or `Initial` otherwise
SSL_SERVER_CERTExportCertDatathe selected server certificate in PEM format
-

- The variable SSL_SESSION_ID is intentionally not supported as - it contains sensitive information. -

-
- -
Client Certificates -

- While rustls supports client certificates in principle, parts - of the infrastructure to make use of these in a server are not - offered. -

-

- Among these features are: revocation lists, inspection of certificate - extensions and the matched issuer chain for OCSP validation. Without these, - revocation of client certificates is not possible. Offering authentication - without revocation is not considered an option. -

-

- Work will continue on this and client certificate support may become - available in a future release. -

-
- - - TLSEngine - defines on which address+port the module shall handle incoming connections. - TLSEngine [address:]port - - server config - - -

- This is set on a global level, not in individual VirtualHosts. - It will affect all VirtualHost - that match the specified address/port. - You can use TLSEngine several times to use more than one address/port. -

-

- Example - - TLSEngine 443 - - -

- The example tells mod_tls to handle incoming connection on port 443 for - all listeners. -

-
-
- - - TLSCertificate - adds a certificate and key (PEM encoded) to a server/virtual host. - TLSCertificate cert_file [key_file] - - server config - virtual host - - -

- If you do not specify a separate key file, the key is assumed to also be - found in the first file. You may add more than one certificate to a - server/virtual host. The first certificate suitable for a client is then chosen. -

- The path can be specified relative to the server root. -

-
-
- - - TLSProtocol - specifies the minimum version of the TLS protocol to use. - TLSProtocol version+ - TLSProtocol v1.2+ - - server config - virtual host - - -

- The default is `v1.2+`. Settings this to `v1.3+` would disable TLSv1.2. -

-
-
- - - TLSCiphersPrefer - defines ciphers that are preferred. - TLSCiphersPrefer cipher(-list) - - server config - virtual host - - -

- This will not disable any ciphers supported by `rustls`. If you - specify a cipher that is completely unknown, the configuration will - fail. If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

-

- Example - -TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 - - -

- The example gives 2 ciphers preference over others, in the - order they are mentioned. -

-
-
- - - TLSCiphersSuppress - defines ciphers that are not to be used. - TLSCiphersSuppress cipher(-list) - - server config - virtual host - - -

- This will not disable any unmentioned ciphers supported by `rustls`. - If you specify a cipher that is completely unknown, the configuration will fail. - If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

-

- Example - -TLSCiphersSuppress ECDHE-ECDSA-CHACHA20-POLY1305 - - -

- The example removes a cipher for use in connections. -

-
-
- - - TLSHonorClientOrder - determines if the order of ciphers supported by the client is honored - TLSHonorClientOrder on|off - TLSHonorClientOrder on - - server config - virtual host - - -

- TLSHonorClientOrder determines if the order of ciphers - supported by the client is honored. -

-

-
-
- - - TLSOptions - enables SSL variables for requests. - TLSOptions [+|-]option - - server config - virtual host - directory - .htaccess - - -

- TLSOptions is analog to SSLOptions in mod_ssl. - It can be set per directory/location and `option` can be: -

-
    -
  • `StdEnvVars`: adds more variables to the requests environment, - as forwarded for example to CGI processing and other applications. -
  • -
  • `ExportCertData`: adds certificate related variables to the request environment. -
  • -
  • `Defaults`: resets all options to their default values.
  • -
-

- Adding variables to a request environment adds overhead, especially - when certificates need to be inspected and fields extracted. - Therefore most variables are not set by default. -

-

- You can configure TLSOptions per location or generally on a - server/virtual host. Prefixing an option with `-` disables this - option while leaving others unchanged. - A `+` prefix is the same as writing the option without one. -

-

- The `Defaults` value can be used to reset any options that are - inherited from other locations or the virtual host/server. -

- Example - -<Location /myplace/app> - TLSOptions Defaults StdEnvVars - ... -</Location> - - -
-
- - - TLSProxyEngine - enables TLS for backend connections. - TLSProxyEngine on|off - - server config - virtual host - proxy section - - -

- TLSProxyEngine is analog to SSLProxyEngine in mod_ssl. -

- This can be used in a server/virtual host or Proxy section to - enable the module for outgoing connections using mod_proxy. -

-
-
- - - TLSProxyCA - sets the root certificates to validate the backend server with. - TLSProxyCA file.pem - - server config - virtual host - proxy section - - -

- -

-
-
- - - TLSProxyProtocol - specifies the minimum version of the TLS protocol to use in proxy connections. - TLSProxyProtocol version+ - TLSProxyProtocol v1.2+ - - server config - virtual host - proxy section - - -

- The default is `v1.2+`. Settings this to `v1.3+` would disable TLSv1.2. -

-
-
- - - TLSProxyCiphersPrefer - defines ciphers that are preferred for a proxy connection. - TLSProxyCiphersPrefer cipher(-list) - - server config - virtual host - proxy section - - -

- This will not disable any ciphers supported by `rustls`. - If you specify a cipher that is completely unknown, the configuration will fail. - If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

-
-
- - - TLSProxyCiphersSuppress - defines ciphers that are not to be used for a proxy connection. - TLSProxyCiphersSuppress cipher(-list) - - server config - virtual host - proxy section - - -

- This will not disable any unmentioned ciphers supported by `rustls`. - If you specify a cipher that is completely unknown, the configuration will fail. - If you specify a cipher that is known but not supported by `rustls`, - a warning will be logged but the server will continue. -

-
-
- - - TLSProxyMachineCertificate - adds a certificate and key file (PEM encoded) to a proxy setup. - TLSProxyMachineCertificate cert_file [key_file] - - server config - virtual host - proxy section - - -

- The certificate is used to authenticate against a proxied backend server. -

- If you do not specify a separate key file, the key is assumed to also be - found in the first file. You may add more than one certificate to a proxy - setup. The first certificate suitable for a proxy connection to a backend - is then chosen by rustls. -

-

- The path can be specified relative to the server root. -

-
-
- - - TLSStrictSNI - enforces exact matches of client server indicators (SNI) against host names. - TLSStrictSNI on|off - TLSStrictSNI on - - server config - - -

- Client connections using SNI will be unsuccessful if no match is found. -

-
-
- - - TLSSessionCache - specifies the cache for TLS session resumption. - TLSSessionCache cache-spec - - server config - - -

- This uses a cache on the server side to allow clients to resume connections. -

- You can set this to `none` or define a cache as in the SSLSessionCache - directive of mod_ssl. -

- If not configured, `mod_tls` will try to create a shared memory cache on its own, - using `shmcb:tls/session-cache` as specification. - Should that fail, a warning is logged, but the server continues. -

-
-
- -
diff --git a/docs/manual/mod/mod_tls.xml.meta b/docs/manual/mod/mod_tls.xml.meta deleted file mode 100644 index 321d1ad732..0000000000 --- a/docs/manual/mod/mod_tls.xml.meta +++ /dev/null @@ -1,12 +0,0 @@ - - - - - mod_tls - /mod/ - .. - - - en - - diff --git a/docs/manual/mod/mod_unique_id.html.en b/docs/manual/mod/mod_unique_id.html.en index 944a77e05f..ff708cbdd6 100644 --- a/docs/manual/mod/mod_unique_id.html.en +++ b/docs/manual/mod/mod_unique_id.html.en @@ -241,7 +241,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_unique_id.ht } })(window, document); //-->