  *) Fixed I/O pre-sucking for HTTPS proxy situations where no mod_ssl
     context is attached to SSL structures.

  *) Fixed Mutex acquiring under Win32: the result value was computed
     incorrectly and led to warning log entries.

  *) Catch SIGPIPE in truerand.c (a contrib program in pkg.contrib/) to
     allow it to behave correctly under
     `SSLRandomSeed exec:bin/truerand N'.

 Changes with mod_ssl 2.3.10 (26-Jul-1999 to 28-Jul-1999)

  *) Changed the handling of the `per-URL SSL re-configuration in
     conjunction with POST method based HTTP requests' problem:

     Per default mod_ssl now returns a METHOD_NOT_ALLOWED HTTP error when
     one tries to POST to a URL which has SSL parameters re-configured,
     because mod_ssl per default cannot handle this situation (for
     technical reasons). This way the I/O errors which occurred in the
     past are now at least replaced by a correct error message.

     But when you build with --enable-rule=SSL_EXPERIMENTAL you get
     experimental support for this situation and you then _CAN_ use POST
     even in conjunction with per-URL SSL re-configurations. But
     nevertheless one has to keep in mind that the POST body is still
     transferred under the global SSL parameters and that the
     renegotiation (typically to a stronger cipher, etc.) happens only
     before the response is sent (and not before the POST data is read!).

     The rule of thumb is: per-URL SSL parameters _CANNOT_ be applied to
     _ANY_ part of the _REQUEST_, they are only guaranteed to be applied
     to the _RESPONSE_. In practice there are situations (for instance
     when the client resumes the request already with previously
     renegotiated parameters, etc.) where the situation _CAN_ be better.
     But you cannot _EXPECT_ it to be better and mod_ssl _CANNOT
     GUARANTEE_ it to be better, of course.

  *) Added support for latest OpenSSL 0.9.4-dev snapshot version.

  *) Fixed initialization and cleanup related problems with SSLMutex: The
     mutex is now closed before the chown and the mutex is removed only
     in the parent on module shutdown.

  *) Removed HTTPD_ROOT from EAPI_MM_CORE_PATH definition in httpd.h
     because it is redundant and can cause problems.

 Changes with mod_ssl 2.3.9 (25-Jul-1999 to 26-Jul-1999)

  *) Compile ap_make_shared_sub_pool() only under -DEAPI and added it to
     httpd.exp.

  *) Fixed alloc.c again: the ap_mm_destroy has to be used only for
     defined(EAPI) && defined(EAPI_MM) and not just for defined(EAPI).

 Changes with mod_ssl 2.3.8 (25-Jul-1999 to 25-Jul-1999)

  *) Fixed a nasty problem with early pool cleanups during startup when
     shared memory session caches are configured.

 Changes with mod_ssl 2.3.7 (14-Jul-1999 to 25-Jul-1999)

  *) Optimization for logfile handling: We now short-circuit the
     filedescriptors for inherited logfiles in order to save
     filedescriptors. This is important for mass virtual hosting
     situations where we really have to reduce the resource consumption.

  *) Enhanced the DBM-based SSL Session Cache:
     o the cache DBM files are removed on shutdowns and restarts now to
       prevent the occurrence of DBM inconsistencies over long runs.
     o the DBM store operation now stores only data which has
       sizeof(key)+sizeof(data) < 1024 to make sure some broken vendor
       DBM libraries do not segfault on large entries. Only with the
       built-in SDBM library up to 8KB are stored.
     o the expiry procedure was rewritten to prevent problems with less
       smart DBM libraries: Instead of iterating and deleting in parallel
       (which causes some DBM libraries to become totally crazy) a two
       pass approach is used. In the first pass the DBM library is
       scanned and expired elements are remembered only. In the second
       pass the remembered elements are actually deleted.

  *) Fixed SSL mutex handling: the mutex file was not removed on shutdown.

  *) Fixed global shared memory pool handling in alloc.c: The shared
     memory related temporary files of MM were not removed because
     ap_mm_destroy() was missing on exit.

  *) A few adjustments and fixes to the FAQ and added hint to OpenSA to
     INSTALL.Win32.

  *) Fixed ``SSLRandomSeed exec:..'' for OS/2 and Win32.

  *) Fixed shared memory pool handling in alloc.c: Two realloc() calls
     were not shared memory aware.

 Changes with mod_ssl 2.3.6 (22-Jun-1999 to 14-Jul-1999)

  *) Enhanced ap_mm_create() failure messages in alloc.c

  *) Fixed a core dump for the rare situation where mod_ssl was built
     statically into Apache but not enabled (AddModule).

  *) Perform more tries to chown() used DBM files.

  *) Fixed memory leaks on restarts related to shared memory session
     cache: the MM object wasn't removed at all.

  *) Allow SSL_DBM_FILE_SUFFIX_DIR and SSL_DBM_FILE_SUFFIX_PAG to be
     overridden via CFLAGS.

  *) Fixed grammar and typos in ssl_reference.wml

  *) Done a blind update of the INSTALL.Win32 document.

  *) Added five new FAQ entries.

  *) Fixed EAPI MM related permission problems.

  *) On startup the configured cipher suite is now also displayed under
     log level "trace".

  *) Let the Win32 configure.bat complain when --with-apache or
     --with-ssl is missing.

  *) Added new `SSLCertificateChainFile /path/to/file' directive. This
     can point to a file containing the concatenation of PEM encoded CA
     certificates which explicitly form the server certificate chain.
     This is intended for instance for the Global-ID situation where one
     _has_ to send the intermediate CA of Verisign with the GID while one
     wants to avoid that under client authentication all clients issued
     by this CA are accepted (which would happen when one references the
     CA cert via SSLCACertificatePath or SSLCACertificateFile instead of
     SSLCertificateChainFile).

  *) Changed the "Interrupted by system" `error' to `info' level in case
     errno is not > 0.

 Changes with mod_ssl 2.3.5 (18-Jun-1999 to 22-Jun-1999)

  *) Rewritten the DBM and SHM expiration functions in
     ssl_engine_scache.c to avoid the problematic situation where one
     deletes an entry before the iteration counter was incremented. This
     was perhaps also another reason for the session cache related core
     dumps.

  *) Fixed a nasty bug in ssl_util_table.c: A static (heap-based)
     calloc() call was forgotten to be converted to a dynamic (shared
     memory based) table->calloc() call. This led to various core dumps
     once the session cache's hash table was filled and had to be resized
     (which occurred only after some time of operation, of course).

  *) Now mod_ssl displays an info logfile entry when the server
     certificate is a SCG one and warning logfile entries when the server
     certificate has BasicConstraints CA:TRUE or pathlen>0.

  *) Fixed FakeBasicAuth handling: ssl::client::dn wasn't set correctly
     and wasn't set at all in renegotiation context.

  *) Fixed HowTo example with +FakeBasicAuth: AuthName was missing and
     typos.

 Changes with mod_ssl 2.3.4 (09-Jun-1999 to 18-Jun-1999)

  *) The Fake Basic Auth stuff now is logging its operation.

  *) Fixed pkg.contrib/cca.sh script: CA:TRUE was incorrect for a client
     certificate, of course.

  *) Added session cache status display to the pages generated by
     mod_status. When "ExtendedStatus on" is used mod_ssl appends session
     cache information (supported for both DBM and SHM).

  *) Fixed ``SSLVerifyClient optional_no_ca'' for per-directory context.

  *) Added ``SSLOptions +OptRenegotiate'': This enables optimized SSL
     connection renegotiation handling when SSL directives are used in
     per-directory context. Per default a strict handling is enabled
     where every per-directory reconfiguration of SSL parameters causes a
     full SSL renegotiation handshake. When this option is used mod_ssl
     tries to avoid unnecessary handshakes by doing more granular (but
     still safe) parameter checks. This should reduce the renegotiation
     overhead a little bit.

  *) Also print SSL errors on SSL_ERROR_SYSCALL situation.

  *) Make sure EAPI_MM=SYSTEM doesn't add -I/usr/include to CFLAGS (which
     occurs for instance under Debian where MM is installed in system
     locations).

  *) The SSL session context is now also set on session renegotiations.

 Changes with mod_ssl 2.3.3 (08-Jun-1999 to 09-Jun-1999)

  *) Various type fixes for Session Cache code.

  *) A few fixes to make the Win32 world happy again.

  *) Fixed glibc 2.1 ndbm.h inclusion problems.

  *) Make sure that in "SSLSessionCache shm:/path/to/file(NNN)" the size
     NNN cannot be specified greater than the maximum possible shared
     memory segment (which is platform dependent, of course).

 Changes with mod_ssl 2.3.2 (28-May-1999 to 08-Jun-1999)

  *) Removed obsolete mca.sh script and updated cca.sh script to current
     OpenSSL state.

  *) Now "SSLSessionCache none" really disables _all_ caching, i.e.
     including the internal OpenSSL cache.

  *) Added Shared Memory based SSL Session Cache: A new
     "SSLSessionCache shm:/path/to/file(bytes)" variant of the SSL
     session cache was added. This uses a high-performance hash table
     inside a shared memory segment to provide the fastest inter-process
     session cache which is possible. For this Apache+EAPI has to be
     built with EAPI_MM (linked against the MM library, the shared memory
     abstraction).

  *) Fixed the EAPI_MM related patches to Apache's src/Configure: The
     variables were overridden instead of extended.

  *) Added hint to FAQ to make sure people enter the FQDN for CommonName
     when generating a server certificate. Added hint to EGD to reference
     chapter.

  *) Some more Win32 fixes.

  *) Fixed a session cache problem on shutdowns.

  *) Fixed mod_ssl's ``configure --with-mm=DIR''

 Changes with mod_ssl 2.3.1 (25-Apr-1999 to 28-May-1999)

  *) Fixed two memory leaks in ssl_util_ssl.c related to BIOs.

  *) Fixed EAPI sources in src/ap/: They failed to compile when -DEAPI
     wasn't used which isn't nice.

  *) Fixed Win32 stuff: src/ap/ap.mak missed entries for ap_mm.[ch],
     src/modules/ssl/Makefile.win32 missed entry for ssl_engine_dh.c,
     configure.bat wasn't aware of the new include/openssl/ layout.

 Changes with mod_ssl 2.3.0 (12-Apr-1999 to 25-May-1999)

  *) Upgraded to final OpenSSL 0.9.3 API and made this version the lowest
     possible OpenSSL version for mod_ssl.

  *) Fixed ap_mm.c stubs.

  *) Updated dependencies in src/modules/ssl/Makefile.tmpl

  *) Fixed INSTALL document for OpenSSL 0.9.3: -DNO_IDEA => no-idea and
     -DRSAref & friends => rsaref.

  *) ** Second major step for DH/DSA support **:
     The mod_ssl module itself is now aware of multiple certificate/keys
     when they are of a different type (one RSA, the other DSA). All
     internal cert/key related handling which was hard-coded for RSA was
     replaced by generic code which supports both RSA and DSA. This way
     now all SSL ciphers, including the real Diffie-Hellman ciphers like
     EDH-DSS-DES-CBC3-SHA are supported by mod_ssl.

  *) Upgraded Thawte's sxnet stuff in pkg.contrib/

  *) Added new variable SSL_SESSION_ID which contains the hex-encoded SSL
     session id. This variable is also exported to the SSI/CGI
     environment and can be used as a session-unique key.

  *) Added more error checking for SSL_XXX variable lookups.

  *) ** First major step for DH/DSA support **:
     1) snakeoil.{crt,key} was renamed to snakeoil-rsa.{crt,key} and a
     snakeoil-dsa.{crt,key} was created. 2) src/support/ca-fix.c was
     kicked out (it's obsolete with OpenSSL 0.9.3) and
     3) src/support/mkcert.sh was changed to use the new
     `openssl x509 -extfile ..' instead of ca-fix and to support the
     generation of DSA certs/keys via `openssl gendsa'. Finally 4) the
     top-level Makefiles were adjusted to support an ALGO={RSA,DSA}
     parameter for selecting the algorithm in batch and a VIEW=1
     parameter for viewing the generated cert/key in plain text
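
The 2.3.7 and 2.3.5 entries above describe replacing an iterate-and-delete expiry with a two pass one. The sketch below is an added example, not mod_ssl's code from ssl_engine_scache.c: it uses a constructed in-memory store whose delete reorders entries (an assumption standing in for a DBM library that misbehaves when a scan and deletes are mixed), and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Constructed stand-in for a DBM file: delete moves the last entry into the hole. */
#define SLOTS 8
#define KEYLEN 16
static struct entry { char key[KEYLEN]; time_t expiry; } store[SLOTS];
static int count;

static void store_put(const char *key, time_t expiry) {
    if (count == SLOTS) return;                 /* full: drop the new entry */
    snprintf(store[count].key, KEYLEN, "%s", key);
    store[count++].expiry = expiry;
}
static void store_delete(const char *key) {
    for (int i = 0; i < count; i++)
        if (strcmp(store[i].key, key) == 0) { store[i] = store[--count]; return; }
}

/* Iterate and delete in parallel: the entry moved into slot i is never checked. */
static void expire_interleaved(time_t now) {
    for (int i = 0; i < count; i++)
        if (store[i].expiry <= now) store_delete(store[i].key);
}

/* Two passes: remember expired keys during a read-only scan, delete afterwards. */
static void expire_two_pass(time_t now) {
    char remembered[SLOTS][KEYLEN];
    int n = 0;
    for (int i = 0; i < count; i++)             /* pass 1: scan, remember only */
        if (store[i].expiry <= now) memcpy(remembered[n++], store[i].key, KEYLEN);
    for (int i = 0; i < n; i++)                 /* pass 2: delete remembered keys */
        store_delete(remembered[i]);
}

/* Reload the constructed sample (4 expired, 1 live), expire, count leftovers. */
static int stale_after(void (*expire)(time_t), time_t now) {
    int stale = 0;
    count = 0;
    store_put("sess-a", 100); store_put("sess-b", 9000); store_put("sess-c", 200);
    store_put("sess-d", 300); store_put("sess-e", 400);
    expire(now);
    for (int i = 0; i < count; i++) stale += (store[i].expiry <= now);
    return stale;
}

int main(void) {
    printf("stale left: interleaved=%d\n", stale_after(expire_interleaved, 1000));
    printf("stale left: two-pass=%d\n", stale_after(expire_two_pass, 1000));
    return 0;
}
```

In this toy store the interleaved version leaves expired sessions resumable past their lifetime, while the two pass version removes all of them.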