  Changes with mod_ssl 2.4.8 (02-Nov-1999 to 05-Nov-1999)

   *) ** IMPORTANT BUGFIX **
      If (and only if)...
        1. a server restart at least once happened
        2. a HTTPS request occurs from a 40-bit/export browser
        3. the underlying Unix flavor doesn't map DSOs always to the same memory address on each restart
      ...then a segfault was very likely to occur for practically all previous mod_ssl versions. The reason was that mod_ssl's temporary RSA keys and DH parameters were stored in the persistent memory pool directly as OpenSSL's RSA and DH structures. But although these structures successfully survived restarts, the contained pointers, which were placed there by OpenSSL and which were referencing _static_ parts of OpenSSL, pointed to Nirvana after restarts. So on the next need for RSA temporary keys or DH parameters (usually caused by 40-bit clients) the OpenSSL library internally segfaulted while processing these structures. This was a very long-standing bug and is now fixed by storing the RSA keys and DH parameters as raw (and this way safe) DER-encoded ASN.1 data streams (and not structures) in the persistent memory pool.

   *) Added an FAQ entry about Verisign GIDs and the intermediate CA certificate which is required to fill the gap in the server certificate chain, or browsers will complain.

   *) The configure.bat for Win32 now tries to complain if patches were rejected while they are applied to the Apache source tree.

   *) Updated ANNOUNCE and README documents.

  Changes with mod_ssl 2.4.7 (22-Oct-1999 to 02-Nov-1999)

   *) Added a check to mod_so to complain with a warning if one loads a plain Apache 1.3 DSO under EAPI (which might work, but can also segfault).

   *) Added more defensive programming checks in the cert/key handling.

   *) Added an entry to the FAQ about the commercial alternatives.

   *) Disabled the SysV IPC semaphore based mutex variant for FreeBSD < 3.0 and any OpenBSD and NetBSD platforms because of conflicts with their non-POSIX conforming semctl(2) prototypes.
   *) Added an FAQ entry on how to enable Anonymous Diffie-Hellman (ADH) ciphers.

   *) Now `make certificate' allows one to also change the certificate validity time (default is still 365 days).

   *) Recreated the ssl.crt/ca-bundle.crt file with all CA certs found in Netscape Communicator 4.7's cert7.db file.

  Changes with mod_ssl 2.4.6 (01-Oct-1999 to 22-Oct-1999)

   *) Re-created RSA and DSA certificates and private keys for both SnakeOil CA and SnakeOil Server, because the RSA certificate already expired recently. The certs/keys are now valid for the next 2 years.

   *) Freshened up the test welcome page htdocs/index.html with a feather background image (just for fun ;) and with a few other cosmetic cleanups.

   *) Fixed a few compile warnings under the Win32 environment.

   *) Fixed the interactive terminal based pass phrase dialog on the Win32 platform by explicitly opening `con' (the console) instead of trying to use stdout (which seems to be no longer connected to the console under Win32).

   *) Fixed expiration checks for the session cache. The calculation and time comparisons were incorrect.

   *) Now `httpd -V' also shows the value of EAPI_MM_CORE_PATH (the path to the MM temporary files) if EAPI_MM is activated.

   *) Made sure that `httpd -t' correctly dies, i.e. including a cleanup of the global MM shared memory pool. Same for `httpd -V'. This is important to not let temporary files stay around which confuse `apachectl'.

   *) Changed a few checks in ssl_engine_scache.c to be even more conservative in order to prevent problems in advance.

   *) Reduced the size check for DBM session caching from 1024 to 950 bytes, because most DBM libraries have a limit of 1022. This should make sure we do not break some requirements some DBM libraries implicitly assume (even if they do not explicitly document them).

   *) Fixed SSL_EXPERIMENTAL code related to the POST problem. We now do more careful memory management, and a segfault situation was removed, too.
   *) Now the PID is appended to the global MM based shared memory pool alloc.c allocates. This avoids problems with multiple server instances run from the same installation.

   *) Fixed a few typos in the INSTALL document.

   *) Fixed a nasty bug in the fixup phase which caused ``SSLOptions +ExportCertChain'' to dump core if no client certificates were present.

  Changes with mod_ssl 2.4.5 (28-Sep-1999 to 01-Oct-1999)

   *) Now ``make certificate'' displays a warning message if one generates a DSA certificate with it, to make sure the user is aware of the fact that a DSA-only webserver is currently useless because the popular browsers do not speak DH-based ciphers. A hint is given that a DSA cert/key pair is only useful in _combination_ with a parallel configured RSA cert/key pair.

   *) Enhanced the pass phrase dialog: Now ``Server <host>:<port> (<algo>)'' is displayed instead of just ``Server <host>:<port>'', and the ``SSLPassPhraseDialog exec:/path/to/program'' is called with arguments ``<host>:<port> <algo>'' instead of just ``<host>:<port>'' to allow the distinction between RSA and DSA keys both to the user and to the program. This is important, because a single virtual host can use both an RSA and a DSA cert/key at the same time.

   *) Added pre-configured (but commented out) SSLCertificate[Key]File directives to conf/httpd.conf-dist which explain the use of the additional DSA cert/key.

   *) Now the default for SSL_SDBM is 'yes' on Linux boxes because it occurs too often that Linux boxes with broken DBM libraries are used and people are wondering why their session cache operations segfault the server. If you really want to use the vendor DBM library on Linux you now have to use --disable-rule=SSL_SDBM. But I recommend using SDBM unless you know what you're doing.

   *) Fixed typo in FAQ: SSLSessioCache -> SSLSessionCache.
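   The two-argument calling convention described for ``SSLPassPhraseDialog exec:'' in 2.4.5 is easy to get wrong on the program side: a script that ignores the second argument hands out the same pass phrase for the RSA and the DSA key, and a script that answers for any host:port leaks a pass phrase to a key it was never meant for. The following POSIX sh script is an added example (it is not part of the mod_ssl distribution); the host name, port, and pass phrases are constructed sample values, and the script path in the comment is hypothetical.

```shell
#!/bin/sh
# Added example, not mod_ssl code. Intended to be wired up as
#   SSLPassPhraseDialog exec:/usr/local/apache/sbin/sslpass.sh   (hypothetical path)
# Since mod_ssl 2.4.5 the program is invoked as
#   sslpass.sh <host>:<port> <algo>
# and must print the pass phrase of exactly that key on stdout.

# Look up the pass phrase for one (host:port, algorithm) pair.
# The table is constructed sample data; a real deployment reads it from a
# root-only file outside the DocumentRoot, never from a world-readable script.
# Prints the pass phrase and returns 0, or prints nothing and returns 1.
ssl_passphrase_lookup() {
    hostport=$1
    algo=$2
    case "$hostport/$algo" in
        www.example.com:443/RSA) printf '%s\n' 'rsa-sample-pass' ;;
        www.example.com:443/DSA) printf '%s\n' 'dsa-sample-pass' ;;
        *) return 1 ;;
    esac
}

# Entry point when run by mod_ssl. Insist on exactly two arguments so that a
# caller still using the old single-argument convention gets an error rather
# than an arbitrary key's pass phrase.
if [ "$#" -eq 2 ]; then
    if ! ssl_passphrase_lookup "$1" "$2"; then
        echo "sslpass.sh: no pass phrase configured for $1 ($2)" >&2
        exit 1
    fi
    exit 0
fi
```

   Because mod_ssl reads the pass phrase from stdout, nothing but the pass phrase itself may be printed there; diagnostics go to stderr, as above.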
   *) Enhanced the logging facility: First, the "Connection to child x" messages now also contain the client IP address; second, every logfile entry now has a prefix which also contains the process id in addition to the time. This way it's easier to identify logfile entries written by different processes.

   *) Fixed ssl_engine_vars.c: SSL3_TXT_RSA_IDEA_128_SHA was contained twice in a table. Instead the second occurrence should be SSL2_TXT_IDEA_128_CBC_WITH_MD5.

   *) Fixed the `union semun' situation for SSLMutex again, this time for brain-dead ancient Linux versions which have incorrect semctl(2) prototypes. We now enable IPC semaphores only on glibc 2.1 boxes.

  Changes with mod_ssl 2.4.4 (27-Sep-1999 to 28-Sep-1999)

   *) Fixed the `union semun' situation for SSLMutex which was broken in 2.4.3 because Apache's internal NEED_UNION_SEMUN define is horribly inconsistent (it was defined only for Solaris although it should be for a lot more platforms). The correct solution actually is this: Some platforms have a `union semun' pre-defined, but the Single Unix Specification (SUSv2) says in semctl(2): `If required, it is of type union semun, which the application program must explicitly declare'. So we have to define it always ourselves to avoid problems (but under a different name to avoid a namespace clash, of course).

   *) Fixed `make certificate VIEW=1': nested quotes are disliked by strict(er) Bourne shell flavors.

  Changes with mod_ssl 2.4.3 (06-Sep-1999 to 27-Sep-1999)

   *) Upgraded pkg.contrib/gid-mkcert.sh to use OpenSSL instead of SSLeay+cafix+pkcs12.

   *) Enabled SSL_USE_SEM (Semaphore based SSLMutex) now explicitly for FreeBSD, NetBSD, OpenBSD, Linux and Solaris.

   *) Fixed ``SSL_CLIENT_CERT_CHAIN<n>'' variable generation under ``SSLOptions +ExportOptions''.

   *) Added new ``SSL_CLIENT_VERIFY'' variable which can be used with SSLRequire to manually check the verify results under ``SSLVerifyClient optional'' in order to redirect to an enrollment page.
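   The ``SSLVerifyClient optional'' plus ``SSL_CLIENT_VERIFY'' combination added in 2.4.3 is worth seeing as a whole configuration, because with ``optional'' the handshake succeeds even when the client presents no certificate at all, so the access decision has to be made per location afterwards. The fragment below is an added example, not a file from the mod_ssl distribution; the IP address, ServerName, certificate paths and the /enroll/ page are constructed placeholders.

```apache
# Added example (not shipped with mod_ssl). All names and paths are hypothetical.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/ca.crt

    # Ask for a client certificate but do not abort the handshake without one.
    # The outcome is exported as SSL_CLIENT_VERIFY: NONE (no cert sent),
    # SUCCESS (cert chained to a CA in SSLCACertificateFile) or FAILED:<reason>.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # Everyone reaches the enrollment page over SSL, with or without a cert.
    <Location /enroll>
        SSLRequireSSL
    </Location>

    # The protected area insists on a verified certificate. Anything other
    # than SUCCESS (including FAILED:* and NONE) fails SSLRequire, which
    # yields a 403; ErrorDocument turns that 403 into the enrollment page.
    <Location /secure>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        ErrorDocument 403 /enroll/index.html
    </Location>
</VirtualHost>
```

   A local path in ErrorDocument is served by internal redirect, so the browser's address bar still shows the /secure/ URL; give ErrorDocument a full https:// URL instead if an external redirect to the enrollment page is preferred. Checking for the exact string "SUCCESS" rather than merely "not NONE" is deliberate: a certificate that failed verification is reported as FAILED:<reason>, and that must not open the door either.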
   *) Fixed documentation related to SSL_XXX variables.

   *) Fixed timeout handling of the internal OpenSSL cache.

   *) Make sure server.key/ca.key files are stored with explicit permissions 600 also in conf/ssl.key/ inside the source tree.

   *) Added hint about the "Connection refused" problem to FAQ.

   *) Fixed the semaphore based SSLMutex variant: the IPC_CREAT fallback was wrong and the return code semantics were treated incorrectly. Additionally the ownership of the semaphore is now set, too.

  Changes with mod_ssl 2.4.2 (30-Aug-1999 to 06-Sep-1999)

   *) Added hint about -fPIC vs. -fpic to the INSTALL document.

   *) Changed /sw/bin/perl to the more common /usr/bin/perl in pkg.contrib/loadcacert.cgi.

   *) Fixed two (harmless) compile-time warnings related to `unsigned char *' vs. `char *'.

   *) Added hint about required browser restarts on re-installations.

   *) Added quotes to DocumentRoot in conf/httpd.conf-dist to avoid problems with binbuild.sh.

   *) Fixed --with-apxs: configure.stub.sh has to be `sourced' as `./configure.stub.sh' instead of just `configure.stub.sh', or some Bourne Shells cannot find it.

  Changes with mod_ssl 2.4.1 (18-Aug-1999 to 30-Aug-1999)

   *) Added logging hint "too restrictive SSLCipherSuite or using DSA server certificate?" for "no shared cipher" errors.

   *) Added an explicit ap_bflush() call to the connection close hook to make sure that pending outgoing data is flushed _before_ the SSL layer is closed. This is important to make sure that the pending data is still transferred through the SSL layer. Else an I/O error can occur inside the browser because the pending data is transferred as plain data (at a time when the browser will no longer expect the data, i.e. after the SSL close notify message was already received by it).

   *) Added new FAQ entries.

   *) Show `-D EAPI_MM' on `httpd -V', too.

   *) Pass also $(MFLAGS) to src/support/mkcert.sh for consistency.

   *) Fixed mod_define.html: `docroot' was doubled.
   *) Made sure mkcert.sh handles the algorithm variable more robustly in order to make sure that people do not accidentally choose the DSA variant.

   *) mod_ssl now complains already at startup if one tries to use ``SSLMutex file:...'' on Win32 (where the semaphore mutex _has_ to be used).

   *) Removed obsolete pkg.ssldoc/ssl_cover_title.gif

  Changes with mod_ssl 2.4.0 (03-Aug-1999 to 18-Aug-1999)

   *) Upgraded from Apache 1.3.6 to Apache 1.3.9 (Apache versions 1.3.7 and 1.3.8 were not released).

   *) Fixed a nasty bug in mod_define.c: the global define variable pool was never destroyed and this way could lead to segfaults on server restarts.

   *) Pass the number of bytes from ``SSLRandomSeed exec:/path/to/prog(bytes)'' as first argument to /path/to/prog in order to allow the program to know how many bytes of entropy it should provide on stdout.

   ____    _____
  |___ \  |___ /
    __) |   |_ \
   / __/ _ ___) |
  |_____(_)____/
  __________________________________________

  Changes with mod_ssl 2.3.11 (28-Jul-1999 to 03-Aug-1999)

   *) Changed pass phrase dialog: Now you're allowed to enter even 1-char pass phrases, i.e. you're no longer required to enter more than 4 characters. That's important for encrypted private keys not generated via OpenSSL.

   *) Added configuration check: Now mod_ssl checks on startup whether the CommonName (CN) of a certificate matches the ServerName of the virtual host. If not, a warning is given, because it will lead to at least popping up dialog boxes in NS and IE.

   *) Added configuration check: Now mod_ssl checks whether more than one SSL-aware virtual host uses the same IP:port and complains with a warning, because for SSL name-based virtual hosts cannot be used.

   *) Overhauled mod_define: it now uses a global define value table and this way now works correctly also in <VirtualHost> sections and other contexts.

   *) Added a few more FAQ entries.

   *) Cleaned up the ssl_init_Module() function: it now no longer destroys the server_rec argument as a side-effect.
   *) Fixed top-level Makefile.tmpl: ssl.crl wasn't created; README.CRL wasn't installed; incorporated an important escaping bugfix from Apache 1.3.7-dev.

   *) Added fallback definitions for TRUE/FALSE to ap_mm.h

   *) Fixed I/O pre-sucking for HTTPS proxy situations where no mod_ssl context is attached to SSL structures.

   *) Fixed Mutex acquiring under Win32: the result value was computed incorrectly and led to warning log entries.

   *) Catch SIGPIPE in truerand.c (a contrib program in pkg.contrib/) to allow it to behave correctly under `SSLRandomSeed exec:bin/truerand N'.

  Changes with mod_ssl 2.3.10 (26-Jul-1999 to 28-Jul-1999)

   *) Changed the handling of the `per-URL SSL re-configuration in conjunction with POST method based HTTP requests' problem: Per default mod_ssl now returns a METHOD_NOT_ALLOWED HTTP error when one tries to POST to a URL which has SSL parameters re-configured, because mod_ssl per default cannot handle this situation (for technical reasons). This way the I/O errors which occurred in the past are now at least replaced by a correct error message. But when you build with --enable-rule=SSL_EXPERIMENTAL you get experimental support for this situation and you then _CAN_ use POST even in conjunction with per-URL SSL re-configurations.