8.86. httpd

Bug Fixes

BZ#876626

Previously, the system did not initialize shared memory session cache when the Apache HTTP Server loaded the mod_ssl module for the first time during a configuration reload. As a consequence, the system terminated the httpd service unexpectedly in the described situation. With this update, the problem has been fixed, and httpd no longer crashes when loaded for the first time after a configuration reload.

BZ#972949

Previously, the bybusyness algorithm, contained in the mod_proxy_balancer module, did not balance the workload after a worker tried to send a request to a non-working node. Consequently, once the non-working node became working again, mod_proxy_balancer did not recover the worker that tried to send the request because it still considered the worker busy. With this update, the algorithm has been fixed and mod_proxy_balancer now uses the worker after a node recovery as expected.

BZ#976644

Prior to this update, the mod_proxy module did not ignore the EINTR return value of the poll() function. As a consequence, mod_proxy broke the connection during an attempt to send a request using the CONNECT method when the child process was terminated. A patch has been applied to fix this problem, and mod_proxy now ignores EINTR and continues with the CONNECT request as expected in the described situation.

BZ#979129

Previously, the mod_cgi module did not correctly handle the situation when a client failed to send a request before timeout. Consequently, the client received the "500 Internal Server Error" HTTP status code instead of the "408 Request Timeout" HTTP status code. With this update, the problem has been fixed, and the client now receives "408 Request Timeout" after a failed attempt to send a request before timeout.

BZ#991556

Previously, the Apache Portable Runtime (APR) library bucket brigade in the mod_proxy_http module contained objects allocated from another APR pool that could be freed before the APR bucket brigade. Consequently, trying to free already freed objects in an APR bucket brigade cleanup could cause the httpd service to terminate unexpectedly. With this update, the APR bucket brigade in mod_proxy_http is now destroyed sooner than the APR pool from which the objects stored in the APR bucket brigade are allocated. As a result, httpd no longer crashes in mod_proxy_http during an APR bucket brigade cleanup.

BZ#1012766

Prior to this update, the mod_proxy_http module did not honor the ErrorLog directive defined in VirtualHost configuration for certain errors. As a consequence, the "proxy: error reading response" message could be logged into the global error log even though a VirtualHost-specific error log was configured. A patch has been applied to fix this bug, and mod_proxy_http now logs "proxy: error reading response" into the correct log file.

BZ#1032733

Prior to this update, the status line of an HTTP response message from server did not, under certain circumstances, include the HTTP reason phrase if it contained the status code. As a consequence, the server displayed only the status code to the HTTP client. With this update, the bug has been fixed, and the status line issued to the HTTP client now contains both the status code and the reason phrase as expected.

BZ#1034984

Previously, the mod_ssl module directives did not contain support for using the Transport Layer Security cryptographic protocol version 1.2 (TLSv1.2). As a consequence, the user could not set up mod_ssl to disable TLSv1.2. With this update, support for TLSv1.2 configuration options has been added to mod_ssl. As a result, it is now possible to set up mod_ssl to disable TLSv1.2.

BZ#1035666

Prior to this update, the mod_ssl module did not support wildcard certificates with the SSLProxy directive. As a consequence, SSLProxy did not work when a wildcard certificate was used, and the user had to set the SSLProxyCheckPeerCN directive to "off" as a workaround. A patch has been applied to fix this bug, and mod_ssl now supports wildcard certificates with SSLProxy.

BZ#1037832

Previously, the mod_ssl module stored all Certificate Revocation Lists (CRL) in cache, and the user could not disable the caching. Consequently, the httpd service could consume a lot of memory when a large amount of CRLs were stored in cache. To fix this problem, the DisableCRLCaching directive has been added to mod_ssl to disable CRL caching. As a result, mod_ssl can now be configured to no longer store CRLs in cache.

BZ#1048757

Previously, a function handling dynamic groups, which is included in the mod_ldap module, contained an incorrect pointer assignment. As a consequence, the system caused the httpd service to terminate unexpectedly with a segmentation fault when multiple dynamic groups were used. A patch has been applied to fix this bug, and httpd no longer crashes when more than one dynamic group is used.

BZ#1071883, 1100680

Prior to this update, the mod_ssl module only supported ephemeral Diffie-Hellman (DH) keys of 512-bit and 1024-bit lengths. Consequently, Secure Sockets Layer (SSL) cipher suites using ephemeral DH keys could not be used in FIPS mode. With this update, mod_ssl uses ephemeral DH keys of key lengths up to 8192 bits. As a result, mod_ssl now works as expected in FIPS mode.

BZ#1077336

Previously, when running the "apachectl status" command, the exit code failed to be changed when the httpd service was not running. As a consequence, "apachectl status" could return the exit code 0, indicating success, even when httpd was not running. A patch has been provided to fix this bug and "apachectl status" now exits with the correct exit code when httpd is not running.

BZ#1090445

Prior to this update, the SSLProtocol directive exposed by the mod_ssl module did not allow control over whether the TLSv1.1 or TLSv1.2 protocols were enabled. Consequently, the user could not set mod_ssl to disable TLSv1.1 or TLSV1.2. With this update, support for TLSv1.2 and TLSv1.2 configuration options has been added to mod_ssl, and mod_ssl now supports TLSv1.1 and TLSv1.2 in the SSLProtocol Directive.

BZ#1094990

Previously, the mod_cache module did not correctly handle requests to the back-end server due to a race condition between removing and renaming cached files and due to inconsistencies in generating the cache hash codes when handling the HTTP Range requests. Consequently, mod_cache could pass multiple requests to the back-end server to refresh the cache instead of a single request. With this update, the race condition has been fixed and hash codes for an object in cache are generated consistently even when handling Range requests. As a result, mod_cache now passes only a single request to the back-end server when refreshing the cache.

BZ#1103115

Prior to this update, the %post script of the mod_ssl module used an RSA key hard-coded to a 1024-bit length. As a consequence, the user could not install mod_ssl in FIPS mode. To fix this bug, the mod_ssl %post script has been updated to use 2048-bit RSA key. As a result, it is now possible to install mod_ssl in FIPS mode.

BZ#1111410

Previously, the mod_proxy module did not close the client connection when the back-end server connection was closed. Consequently, mod_proxy kept the client connection open until it timed out. A patch has been provided to fix this bug and mod_proxy now closes the client connection immediately after mod_proxy closes connection to the back-end server.

Enhancements

BZ#1035818

This update introduces support for Elliptic Curve Cryptography (ECC) keys and Elliptic Curve Diffie-Hellman (ECDH) ciphers in Red Hat Enterprise Linux 6 because the OpenSSL toolkit in Red Hat Enterprise Linux 6 also supports ECDH.