| Age | Commit message (Collapse) | Author |
|---|
|
tls ticket lifetime default
to turn it on with a 2h ticket lifetime.
Rekeying happens after a quarter of that time.
OK reky@ and bob@
|
|
|
|
ok jmc@
|
|
modern TAILQ_FOREACH_SAFE().
No intentional functional change.
ok millert@ bluhm@ gilles@
|
|
with more modern TAILQ_FOREACH(). This what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
and this way we can give a separate specific error message.
ok beck@ reyk@
|
|
ok jsing@
|
|
ok jsing@ bcook@
|
|
variable and limit it from 128 to 32 instances (the old value).
While here, move a few PROC_ defines around.
OK rzalamena@
|
|
ok reyk@
|
|
which is actually the same thing (cluebat from reyk@).
|
|
not allow TLS and non-TLS to be configured on the same port, do not allow
TLS options to be specified without a TLS listener and ensure that the TLS
options are the same when a server is specified on the same address/port.
Currently, these configurations are permitted but do not work as intended.
Also factor out and reuse the server matching code, which was previously
duplicated.
ok reyk@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.
OK benno@
|
|
ok millert krw
|
|
of u_intN_t) and replace u_int with unsigned int. Mixing both
variants is a bad style and most contributors seem to prefer this
style; it also helps us to get used to it, portability, and
standardization.
Theoretically no binary change, except one in practice: httpd.o has a
different checksum because gcc with -O2 pads/optimizes "struct
privsep" differently when using "unsigned int" instead "u_int" for the
affected members. "u_int" is just a typedef of "unsigned int", -O0
doesn't build the difference and clang with -O2 doesn't do it either -
it is just another curiosity from gcc-land.
OK semarie@
|
|
|
|
OK florian@
|
|
eg. default type text/html.
OK florian@
|
|
Input & OK reyk
|
|
|
|
TLS listen statement. A bug was introduced in r1.68 of parse.y, which
results in flags being directly copied from the parent, meaning that the
TLS flag for the second server gets lost.
ok reyk@
|
|
With important help on the pattern matcher from semarie@
OK semarie@
|
|
configuration for multiple listen statements in a server block.
Otherwise httpd will crash when a listen statement with tls is followed
by a listen statement without tls.
Problem reported by Kent Fritz on misc.
ok jsing@ looks good deraadt@
|
|
will be incompatible with this change. We do this early in the
release cycle, so there is a good chance to get more experience with
the impact of it and the upcoming restricted cipher modes.
OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@
|
|
option.
ok reyk@
|
|
OK henning@
|
|
|
|
parameters and the ECDHE curve. This primarily allows for DHE cipher suites
to be enabled.
ok reyk@
|
|
OK florian@
|
|
Reported and tested by Markus Bergkvist
OK florian@
|
|
of ports. It is now possible to use "listen on * port www" again.
Found by ajacoutot@
OK ajacoutot@ blambert@
|
|
needed by its ancestor. jsg@, include-what-you-use, and some manual
review helped to cleanup the headers (take iwyu with a grain of salt).
Based on common practice, httpd.h now also includes the necessary
headers for itself.
OK florian@
|
|
used for portrange operators which weren't used in httpd.
OK florian@
|
|
OK florian@
|
|
Currently the htpasswd file needs to be in the chroot; will hopefully
improved soonish.
Based on a diff from Oscar Linderholm many months ago but turned into
a complete rewrite.
input/OK reyk@
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
|
|
root, tcp etc.
Based on a diff from Nathanael Rensen.
OK florian@
|
|
prevents running out of file descriptors when loading a configuration
with many aliases.
OK florian@
|
|
strip number
Strip number path components from the beginning of the
request URI before looking up the stripped-down URI at
the document root.
reviewed with much patience and OK by reyk@
|
|
possible double free in the error path of the parser.
Found by + OK doug@
|
|
|
|
The implementation is done in the parser by expanding each
alias/listen into an independent server configuration; this makes it
easier to handle internally without adding additional loops or
conditions.
OK florian@
|
|
*Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
|
OK jsg@
|
|
reflect reality.
OK benno@
|
|
from Max Fillinger
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
fixed as /logs within the chroot. As this httpd is properly privesp'ed this
has the nice property of allowing us to put the logs outside the chroot if
we want to.
ok reyk@
|
