Age | Commit message | Author |
|
|
Make sure that the beginning of a new request starts with an
alphabetic character. This is a quick way to detect non-ASCII
requests (e.g. TLS on port 80). The full validation of the request
method is done once the input line is read.
Make sure that non-terminated lines do not exceed the
SERVER_MAXHEADERLENGTH which is 8k. As the current read watermark is
set to 64k, this means that the limit check is triggered after max.
64k of input, depending on the TCP read buffer.
OK benno@ jsing@
|
|
see old-style signatures. Clue for people trying pkg_add -current against
6.0 or earlier.
|
|
magic for packages location...). Fairly straightforward
if pkg.conf defines installpath=, it takes precedence
(manual trumps automatic)
to be fully documented once the dust settles.
okay aja@
|
|
to the new bcrypt version $2b$ and use more rounds. Prof. Falken's password
is much safer now. Found thanks to a problem report by John McGuigan.
ok beck
|
|
not update it during upgrades anymore. pkg_add(1) will soon use the
installurl file as primary source to find the package repository.
OK espie@, tb@
|
|
This ensures that a trailing whitespace does not break pkg_add.
OK espie@
|
|
tb@ was initially concerned about next-server but there were more
similar occurrences. Simple solution - "hostname" - proposed by jmc@
ok from both
|
|
ok gilles@
|
|
instead pull in <netinet/in.h> or <arpa/inet.h> when those are needed.
ok florian@ beck@ millert@
|
|
before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
|
Tested & OK jung@
|
|
It is rarely needed and imposes a light DoS risk. LibreSSL's libssl
allows turning it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION
option instead of the complicated implementation that was used before.
It now turns it off completely instead of allowing one initial
client-initiated renegotiation.
It can still be enabled with "tls client-renegotiation".
ok benno@ beck@ jsing@
|
|
don't have EAI_NODATA, so make this easier for people
from bernard spill
|
|
when signing the certificates by the local CA. This can make things easier if
you want to take a CSR from ikectl to another CA for signing, they often copy
extensions from the request. ok reyk@
|
|
OPENBSD-SENSORS-MIB, % is the unit for this value and is already present
in sensorUnits, and it's harder for NMS to parse "100.00%" as a number.
From Joel Knight.
|
|
using keypair_ocsp.
ok reyk@
|
|
added associated to a keypair used for SNI, and are usable for more than
just the "main" certificate. Modify httpd to use this.
Bump libtls minor.
ok jsing@
|
|
The previous implementation loaded all the output into a single output
buffer and used its size to determine the Content-Length of the body.
The new implementation calculates the body length first and writes the
individual ranges in an async way using the bufferevent mechanism.
This prevents httpd from using too much memory and applies the
watermark and throttling mechanisms to range requests.
Problem reported by Pierre Kim (pierre.kim.sec at gmail.com)
OK benno@ sunil@
|
|
Introduce a new variable clt_headersdone in the async HTTP parser.
OK sunil@ benno@
|
|
Either libevent or the TLS callback can trigger an EOF when the
connection is closed.
OK sunil@ jung@ benno@
|
|
ok rzalamena@
|
|
OK jsg@
|
|
These values are in microseconds, not milliseconds.
ok sthen@
|
|
- there is no Challenges section
reported by michael reed
|
|
interfere with read-only src tree setups.
|
|
so delete it. Of course, the notice is still present as a comment
in the source code of the page, at the place where it belongs.
Found because it also violated "new sentence, new line".
|
|
ok jmc@
|
|
from holger mikolon, plus one more in nc;
|
|
manual page. Also, replace an alternative fact given for the 'dump' command
with an actual fact: it does not accept an argument.
|
|
OK aja@
|
|
early if _OSrev is empty.
OK aja@
|
|
OK aja@
|
|
OK aja@
|
|
ok jsing@
|
|
ok jsing@ rpe@
|
|
Conformance to C99, and avoiding build break on VisualStudio and HP-UX.
OK millert@
|
|
erroring out when we can't read a plist.
|
|
actual pkg name as intended.
(forgot who reported that one, sorry)
|
|
as a result pkg_add + signify fails with weird error messages, as it relies
on default SIGPIPE behavior.
Finally fix the problem, sanitize our running environment before forking.
Problem reported by various people.
|
|
sync with ocspcheck and acme-client
ok benno@
|
|
ok beck@
|