changes

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

   *) Fixed check whether server certificate wildcard CommonName (CN)
      matches the configured server name.

   *) Use correct ANSI C prototypes also in (semi-automatically
      generated) ssl_engine_dh.c

   *) Fixed buffer overflow in ssl_expr_eval_func_file().

  Changes with mod_ssl 2.8.4 (04-May-2001 to 20-May-2001)

   *) Removed old db1/ndbm.h kludge from mod_ssl.h, because it should be
      not needed at all, because mod_ssl downgrades to SDBM anyway on all
      Linux platforms. Additionally made the Linux check more accurate
      by using src/Configure's $PLAT variable instead of $OS.

   *) Upgraded to Apache 1.3.20

   *) +------------------------------------------------------------------+
      | Officially moved mod_ssl to Apache 2.0:                          |
      | The mod_ssl 2.8.x source tree is now frozen for development      |
      | and will only be updated for bugfixes and Apache 1.3.x version   |
      | upgrades. The last release (2.8.3) was imported to the ASF CVS   |
      | repository under httpd-2.0/modules/ssl/. All development efforts |
      | are now directed to the Apache 2.0 area. Nevertheless, mod_ssl   |
      | 2.8.x releases will occur as long as Apache 1.3.x releases occur.|
      +------------------------------------------------------------------+

  Changes with mod_ssl 2.8.3 (30-Mar-2001 to 04-May-2001)

   *) Allow loadcacert.cgi script to work inside mod_perl.

   *) Fixed typo in the directive descriptions in mod_ssl.c

   *) Fixed EAPI context usage in http_request.c: a context pointer
      potentially can be NULL requests and can cause a segfault if
      dereferenced.

   *) Fixed ENGINE support: the engine support is are now already
      loaded at configure time. Else mod_ssl fails to find them.

   *) Fixed typo in httpd.conf-dist.

  Changes with mod_ssl 2.8.2 (03-Mar-2001 to 30-Mar-2001)

   *) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache
      variant from "experimental" state to "production" by removing the
      `#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means
      that now `SSLSessionCache shmcb:...' is unconditionally available.

   *) Modified (only) Win32's specific function SSL_recvwithtimeout()
      to use the same retry logic as SSL_writewithtimeout(). This
      fixes some problems with MSIE 5.x clients.

   *) Made the mutex handling more robust by retrying the
      semaphore-based operations in interrupt situations 
      (errno == EINTR).

   *) Also log the OpenSSL error message if the RSA temporary
      key(s) cannot be generated.

   *) Mention in INSTALL document that building OpenSSL with
      `no-threads' increased performance without negative side-effects
      because Apache 1.3 is never multi-threaded.

   *) Fixed mod_ssl Auth handler: it now returns DECLINED instead of
      OK if authentication is passed successfully to allow other modules
      (usually mod_auth) to still deny the request.

   *) Allow IPC semaphore support also under Tru64 5.x.

   *) Fixed certificate DN handling under EBCDIC platforms.

   *) Try to avoid casting warnings by using "unsigned long" type
      instead of "unsigned int" in the EAPI macros AP_CTX_XXXX.

   *) Make sure that the default path /usr/include is never added to
      CFLAGS with an explicit -I options to avoid conflicts with vendor
      include paths.

   *) Make extra sure the ssl_expr_parse.[ch] and ssl_expr_scan.c
      files are not regenerated for regular users by timestamping
      them in a little bit more conservative way.

   *) More fixes to configure.bat and Makefile.win32 to
      make mod_ssl work again under Win32.

  Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001)

   *) Conditionally adjusted source to build quietly also under
      latest OpenSSL 0.9.7-dev versions.

   *) Added a bunch of (untested!) adjustments and fixes for 
      the Win32 platform as posted to modssl-users some time
      ago by various people.

   *) Fixed SSLCipherSuite example in httpd.conf-dist: 
      The string EXP56 is actually EXPORT56, although OpenSSL
      internally the variable is named SSL_TXT_EXP56.

   *) Upgraded to Apache 1.3.19 as base version.

   *) Extended FAQ entry for MSIE problems.

   *) Added FAQ entry for questions "Why do I get lots of random SSL
      errors under heavy load?"

  Changes with mod_ssl 2.8.0 (14-Oct-2000 to 30-Jan-2001)
   
   *) Upgraded to Apache 1.3.17 as base version.
   
   *) Changed ApacheModuleSSL.dll to mod_ssl.so in Makefile.Win32 to
      make mod_ssl not too broken after Apache 1.3.16's Win32 changes.

   *) Enhanced ApacheCore.def patch for Win32 folks.

   *) Upgraded to Apache 1.3.16 as base version.
    
   *) Fixed ssl_intro.wml: DES uses 56 bit, not 54 bit.

   *) Allow %{ENV:variable} in SSLRequire expressions, too.

   *) Fixed version parsing for APXS stuff in configure.

   *) Fixed Geoff Thorpe's Email addresses in various places.

   *) Fixed typo in INSTALL document.

   *) Make sure the user is not able to fake the client certificate
      based authentication by just entering an X.509 Subject DN
      ("/XX=YYY/XX=YYY/..") as the username and "password" as the
      password if "SSLVerifyClient optional" is used in combination
      with "SSLOptions +FakeBasicAuth".

   *) Fixed URLs in FAQ.

   *) Various fixes for the Win32 world:
      reflect renaming of "makefile.nt" to "makefile.win"; scache
      reorganisation adjustments; etc.

      ____   _____ 
     |___ \ |___  |
       __) |   / / 
      / __/ _ / /  
  __ |_____(_)_/______________________________________________
              
  Changes with mod_ssl 2.7.1 (13-Oct-2000 to 14-Oct-2000)

   *) Fixed the parsing of SSLSessionCache directives. The prefixes were
      incorrectly skipped and leaded to "unable to open semaphore file"
      errors.

  Changes with mod_ssl 2.7.0 (12-Aug-2000 to 13-Oct-2000)

   *) Upgraded to Apache 1.3.14 as base version.

   *) Added new Cyclic Buffer based Shared Memory Session Cache
      as ssl_scache_shmcb.c. This was contributed by Geoff Thorpe
      <geoff@geoffthorpe.net> and is derived from the "c2shm" variant
      used in Stronghold V3. It uses a fixed size cyclic buffer placed
      over a shared memory segment for storing SSL session ids. This
      way it is even more efficient and faster than the old hash table
      based shared memory cache (ssl_scache_shmht.c). It can be used
      by building mod_ssl with --enable-rule=SSL_EXPERIMENTAL and then
      using "SSLSessionCache shmcb:<path-to-temp-file>(<bytes>)".

   *) Cleaned up and restructured the session cache implementation.
      ssl_engine_scache.c was split into ssl_scache.c (the abstraction
      layer), ssl_scache_dbm.c (the DBM-based implementation) and
      ssl_scache_shmht.c (the shared memory based implementation which
      uses a hash table).

   *) Added experimental support for the ENGINE branch of OpenSSL 0.9.6.
      A new SSLCryptoDevice configuration directive is available if the
      OpenSSL-ENGINE 0.9.6 package and --enable-rule=SSL_EXPERIMENTAL
      is used. The default is "SSLCryptoDevice builtin". To enable
      to use of a crypto device use "SSLCryptoDevice <name>",
      where <name> is its ID as used with the OpenSSL command line
      option "-engine <name>". 

   *) Completely removed RSAref support to make sure US residents no
      longer try to use this ancient piece of restricted/buggy code.

   *) mod_ssl failed to start if two certificate keys are encrypted 
      with different pass phrases and SSLProxyVerify was specified.  

      ____    __   
     |___ \  / /_  
       __) || '_ \ 
      / __/ | (_) |
  __ |_____(_)___/____________________________________________

  Changes with mod_ssl 2.6.6 (04-Jul-2000 to 12-Aug-2000)

   *) Fixed experimental HTTPS proxy code: A segfault was
      produced by an incorrect logging command.

   *) Fixed server restarts: Under non-DSO run-time situation, the 
      OpenSSL library was shutdown (and never re-initialized) and this 
      way caused segfaults on server restarts. This affected only 
      installations where mod_ssl+OpenSSL were built as a static module
      instead of a DSO. This nasty bug was unfortunately introduced in
      2.6.5 as a side-effect of an (otherwise correct) memory leak bugfix.
   
   *) Upgraded both the user manual sources and the website
      www.modssl.org from WML 1.6 to WML 2.0 format.

   *) Various typo fixes in user manual.

   *) Typo fix in INSTALL document related to RSAref.

  Changes with mod_ssl 2.6.5 (01-May-2000 to 04-Jul-2000)

   *) Removed more memory leaks by freeing even more stuff
      from the OpenSSL toolkit on module shutdown.

   *) Added missing TLSv1, EXP40 and EXP56 keywords to
      ssl_reference's documentation of SSLCipherSuite.

   *) Updated INSTALL document for MM 1.1.x.

   *) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.)
      to the FAQ entry about MSIE errors.

   *) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid
      MSIE5.x problems in advance.

   *) Fixed typos in INSTALL: sbin -> bin for apachectl.

   *) mod_ssl's configure script now touches also ssl_expr_scan.l and
      ssl_expr_parse.y when applying the sources corrupted timestamps do
      not trigger the lex/yacc Makefile rules (which are intended for
      developer use only).

   *) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments
      which is especially important for the Win32 environment.

   *) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all"

   *) Be aware of extended SERVER_BASEVERSION strings in configure.

   *) Removed a left-over ssl_scache_expire() call in ssl_scache_init()
      which made the life of vendors complicated.

   *) Allow more fine-tuned overriding of ap_server_root_relative calls
      by providing the context of the call.

  Changes with mod_ssl 2.6.4 (16-Apr-2000 to 01-May-2000)

   *) Fixed Win32 build by adding gdi32.lib to the libraries
      and an additional include for <winsock2.h>.

   *) Added Equifax Secure CA certificates to ca-bundle.crt.

   *) Let the pass phrase dialog force the prompt to occur only once
      (no verification step), because mod_ssl uses the dialog only for
      pass phrases which are required for reading private keys. This as a
      side-effect should fix a problem under Win32 where a second prompt
      occured for unknown reasons.

   *) Added more compatibility to Stronghold v2's SSL_SessionCache.
   
   *) Added two more EAPI hools under SSL_VENDOR: one for overriding
      ap_server_root_relative calls and one for hooking into the server
      configuration step.

   *) Fixed SSL display for mod_status in `short report' situation.

   *) Made the SSL_EXPERIMENTAL stuff more flexible by checking
      for particular subset SSL_EXPERIMENTAL_xxxx defines and let
      SSL_EXPERIMENTAL define all those per default. This reduces the
      amount of patching vendors have to do in order to just enable a
      subset of the experimental code.

   *) Added hint to INSTALL document about port specifiers in test URLs
      (`:8080' and `:8443') if the installation is done under a non-root
      user.

   *) Fixed Win32's configure.bat: the check for OpenSSL
      header and libraries is now extended.

   *) Fixed --with-apxs under Solaris where libssl.module
      has to know $CC in order to enable the libgcc.a workaround.

   *) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
      support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL.

  Changes with mod_ssl 2.6.3 (02-Mar-2000 to 16-Apr-2000)

   *) Moved the session cache expire time calculation and handling in
      ssl_engine_scache.c down to the particular cache-type dependent
      expire functions to allow a custom vendor supplied cache to perform
      its own expire handling.

   *) The sub-shells from libssl.module are now called with an
      explicitly determined Bourne Shell (instead of the implicit she-bang
      line). This both avoids problems on brain-dead platforms where
      /bin/sh is broken (Ultrix, etc.) and workarounds a CVS problem in
      OpenBSD where on read-only checkouts the x-bits sometimes get lost.

   *) Do a slightly better initialization of the random file
      in src/support/mkcert.sh if $HOME/.rnd doesn't exist.

   *) Be aware of OpenSSL 0.9.5's X509_V_ERR_CERT_UNTRUSTED error.

   *) Cleaned up and optimized ssl_engine_vars.c by kicking out the old
      static cipher table and calculating the cipher bits dynamically. This
      avoids lots of string comparisons, reduces further maintainance costs
      and makes the code smaller.

   *) Cleaned up pkg.contrib/truerand.c: volatile variables,
      correct function return types, etc.