From: Scott S. G. <sc...@us...> - 2016-12-18 19:22:30
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv25869 Added Files: dh2048.h Log Message: Forgot to add the 2048 bit ECDH .c file. --- NEW FILE: dh2048.h --- /* 2048-bit DH params from OpenSSL 1.1.0c apps/dh2048.pem */ #ifndef HEADER_DH_H #include <openssl/dh.h> #endif DH *get_dh2048() { static unsigned char dh2048_p[]={ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, 0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, }; static unsigned char dh2048_g[]={ 0x02, }; DH *dh; if ((dh=DH_new()) == NULL) return(NULL); dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return(NULL); } return(dh); } |
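Review bot: `get_dh2048` assigns `dh->p` and `dh->g` through the struct, which only compiles against OpenSSL 1.0.2 and earlier — the header comment says the parameters were taken from OpenSSL 1.1.0c, where `DH` is opaque and the members must be set with `DH_set0_pqg()`, which also takes ownership of the two BIGNUMs on success. The function is also defined non-`static` in a header that has no include guard of its own, so a second translation unit including dh2048.h would produce a duplicate definition; `static DH *get_dh2048(void)` (with the `void` prototype) avoids both. The commit message calls this an ECDH file, but the table is a finite-field DH prime, so the log wording would mislead anyone auditing the key-exchange configuration. If 1.0.2 still needs to build, the accessor path can be selected on `OPENSSL_VERSION_NUMBER`.
```c
static DH *get_dh2048(void)
{
    /* … unchanged: dh2048_p and dh2048_g tables … */
    DH *dh = DH_new();
    if (dh == NULL)
        return NULL;
    BIGNUM *p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
    BIGNUM *g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
    /* DH_set0_pqg() owns p and g only on success; free them ourselves otherwise */
    if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
        BN_free(p);
        BN_free(g);
        DH_free(dh);
        return NULL;
    }
    return dh;
}
```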
From: Scott S. G. <sc...@us...> - 2016-12-18 19:21:49
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv25785 Modified Files: ChangeLog README sslcontext.c Log Message: Changed ECDH to use 2048 bit ECDH parameters as 1024 bit or less parameters are now considered weak and insecure and can subject your site to the LOGJAM attack. The 1024 bit ECDH included code is commented out; what bit size parameters one sets up may become a configuration option in the future. See: https://weakdh.org Turned on preference for enforcing server cipher order (SSL_OP_CIPHER_SERVER_PREFERENCE) to prevent a client from using a lower security cipher suite if a higher security one is available on both ends (though I think you can set the order manually via the CipherSuite parameter and set a less secure cipher suite order). This is hard-coded for now but may become an option in the future with a reasonable default. Updated README ns_param for Protocols and CipherSuites to be more secure examples. Index: README =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/README,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** README 25 Aug 2004 21:33:47 -0000 1.6 --- README 18 Dec 2016 19:21:47 -0000 1.7 *************** *** 134,139 **** ns_param CADir ca-client/dir ns_param CAFile ca-client/ca-client.crt ! ns_param Protocols "SSLv3, TLSv1" ! ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:++EXP" ns_param PeerVerify false ns_param PeerVerifyDepth 3 --- 134,140 ---- ns_param CADir ca-client/dir ns_param CAFile ca-client/ca-client.crt ! ns_param Protocols "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" ! ns_param CipherSuite "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA:!IDEA:!SEED" ! 
#ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:-MEDIUM:-LOW:-EXP" ns_param PeerVerify false ns_param PeerVerifyDepth 3 Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** sslcontext.c 18 Dec 2016 18:21:58 -0000 1.14 --- sslcontext.c 18 Dec 2016 19:21:47 -0000 1.15 *************** *** 39,42 **** --- 39,43 ---- #include "nsopenssl.h" #include "dh1024.h" + #include "dh2048.h" Tcl_HashTable NsOpenSSLServers; *************** *** 212,215 **** --- 213,218 ---- NsOpenSSLContextInit(char *server, NsOpenSSLContext *sslcontext) { + const char * dh_bits = "2048"; + if (sslcontext == NULL) { Ns_Log(Error, "%s (%s): SSL context is NULL", MODULE, server); *************** *** 228,231 **** --- 231,237 ---- if (sslcontext->role) { sslcontext->sslctx = SSL_CTX_new(SSLv23_server_method()); + SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + Ns_Log(Notice, "%s (%s): '%s' prefer server cipher set to on", + MODULE, server, sslcontext->name); } else { sslcontext->sslctx = SSL_CTX_new(SSLv23_client_method()); *************** *** 267,277 **** */ ! DH *dh = get_dh1024(); if (dh == NULL || SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 0) { ! Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", ! MODULE, server); } else { ! Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", ! MODULE, server); /* * Necessary for OpenSSL 1.0.2 - 1.0.2e to fix vulnerability. --- 273,283 ---- */ ! DH *dh = get_dh2048(); if (dh == NULL || SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 0) { ! Ns_Log(Error, "%s (%s): '%s' failed to set DH parameters - some ciphers will not be available", ! MODULE, server, sslcontext->name); } else { ! Ns_Log(Notice, "%s (%s): '%s' DH parameters (%s bit) set", ! 
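Review bot: `dh_bits` is a string literal `"2048"` declared at the top of `NsOpenSSLContextInit` that agrees with the installed parameters only by convention; if `get_dh2048()` is swapped back for `get_dh1024()` (the commit message says the 1024-bit code is kept around commented out), the Notice will still report 2048 bits. The size can be read from the parameters actually installed, which removes the constant entirely: `Ns_Log(Notice, "%s (%s): '%s' DH parameters (%d bit) set", MODULE, server, sslcontext->name, DH_size(dh) * 8);`. The same applies to the DH hunk at lines 273-283 that consumes `dh_bits`; `NsOpenSSLContextInit` continues outside both hunks.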
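Review bot: The new `SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` runs on the value `SSL_CTX_new()` just returned, before any test that the allocation succeeded, so a NULL context is dereferenced; the hunk shows no NULL check between the two calls, and if one exists further down the function it comes too late for this line. Moving the call below the context's NULL check, or guarding it with `if (sslcontext->sslctx != NULL)`, keeps the failure path on the existing error logging. A short comment on why server order is enforced would also help, e.g. `/* Honour our CipherSuite order rather than the client's, so a client cannot steer the handshake to a weaker suite we also list. */`.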
MODULE, server, sslcontext->name, dh_bits); /* * Necessary for OpenSSL 1.0.2 - 1.0.2e to fix vulnerability. *************** *** 294,303 **** EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ! if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) != 1) { ! Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", ! MODULE, server); } else { ! Ns_Log(Notice, "%s (%s): ECDH parameters set using the prime256v1 curve", ! MODULE, server); } EC_KEY_free (ecdh); --- 300,309 ---- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ! if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) == 0) { ! Ns_Log(Error, "%s (%s): '%s' failed to set ECDH parameters - some ciphers will not be available", ! MODULE, server, sslcontext->name); } else { ! Ns_Log(Notice, "%s (%s): '%s' ECDH parameters set using the prime256v1 curve", ! MODULE, server, sslcontext->name); } EC_KEY_free (ecdh); Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.120 retrieving revision 1.121 diff -C2 -d -r1.120 -r1.121 *** ChangeLog 18 Dec 2016 18:21:58 -0000 1.120 --- ChangeLog 18 Dec 2016 19:21:47 -0000 1.121 *************** *** 1,2 **** --- 1,23 ---- + 2016-12-19 Scott S. Goodwin <sc...@sc...> + + * sslcontext.c: Changed ECDH to use 2048 bit ECDH parameters as 1024 + bit or less parameters are now considered weak and insecure and can + subject your site to the LOGJAM attack. The 1024 bit ECDH included + code is commented out; what bit size parameters one sets up may + become a configuration option in the future. 
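Review bot: The commit description and the ChangeLog entry say ECDH was moved to 2048-bit parameters, but this ECDH block still configures the prime256v1 curve (a 256-bit elliptic-curve group, which is the appropriate size for it); what changed to 2048 bits is the finite-field DH block in the preceding hunk (`get_dh1024()` → `get_dh2048()`). A comment above the DH block would stop the two from being conflated, e.g. `/* Finite-field DH (DHE ciphers): 2048-bit parameters from dh2048.h. ECDH (ECDHE ciphers) is configured separately below with prime256v1. */`. The `== 0` test on `SSL_CTX_set_tmp_ecdh` is equivalent to the previous `!= 1` because the ctrl returns 1 on success, so the log text is the only behavioural difference in this hunk; the enclosing function continues outside it.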
+ + See: https://weakdh.org + + Turned on preference for enforcing server cipher order + (SSL_OP_CIPHER_SERVER_PREFERENCE) to prevent a client from using a + lower security cipher suite if a higher security one is available on + both ends (though I think you can set the order manually via the + CipherSuite parameter and set a less secure cipher suite order). This + is hard-coded for now but may become an option in the future with a + reasonable default. + + * README: Updated ns_param for Protocols and CipherSuites to be more + secure examples. + 2016-12-18 Scott S. Goodwin <sc...@sc...> |
From: Scott S. G. <sc...@us...> - 2016-12-18 18:22:00
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv22782 Modified Files: ChangeLog defaults.h sslcontext.c Log Message: * sslcontext.c: Fixed Protocols string processing and setting of SSL/TLS protocols. The existing code wasn't doing the right things, and is now processing the Protocols string properly. Added the TLSv1.1 and TLSv1.2 protocols as options. The 'All' parameter in the Protocols string is dangerous as it will silently turn on SSLv2 and SSLv3, so better logging information has been added. Needs to be refactored to simplify the code (will do that another time). Also fixed the ECDH notice about failing to set ECDH parameters when they were actually set successfully. * defaults.h: Updated DEFAULT_PROTOCOLS to be more secure. SSLv2 and SSLv3 are not secure and we take them out up front. We don't use the "All" parameter. ns_param Protocols "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** sslcontext.c 17 Dec 2016 22:55:49 -0000 1.13 --- sslcontext.c 18 Dec 2016 18:21:58 -0000 1.14 *************** *** 294,298 **** EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ! if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) == 1) { Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", MODULE, server); --- 294,298 ---- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ! if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) != 1) { Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", MODULE, server); *************** *** 1858,1890 **** char *lprotocols = NULL; ! bits = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; if (sslcontext->protocols == NULL) { ! 
Ns_Log(Notice, "%s (%s): '%s' protocol parameter not set; using all protocols: SSLv2, SSLv3 and TLSv1", ! MODULE, sslcontext->server, sslcontext->name); bits &= ~bits; ! } else { ! lprotocols = ns_strdup(sslcontext->protocols); ! lprotocols = Ns_StrToLower(lprotocols); ! if (strstr(lprotocols, "all") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using all protocols: SSLv2, SSLv3 and TLSv1", ! MODULE, sslcontext->server, sslcontext->name); ! bits &= ~bits; ! } else { ! if (strstr(lprotocols, "sslv2") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using SSLv2 protocol", MODULE, sslcontext->server, sslcontext->name); ! bits &= ~SSL_OP_NO_SSLv2; ! } ! if (strstr(lprotocols, "sslv3") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using SSLv3 protocol", MODULE, sslcontext->server, sslcontext->name); ! bits &= ~SSL_OP_NO_SSLv3; ! } ! if (strstr(lprotocols, "tlsv1") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using TLSv1 protocol", ! MODULE, sslcontext->server, sslcontext->name); ! bits &= ~SSL_OP_NO_TLSv1; ! } ! } ! ns_free(lprotocols); } if (SSL_CTX_set_options(sslcontext->sslctx, bits) == 0) { Ns_Log(Error, "%s (%s): protocol initialization failed", --- 1858,1927 ---- char *lprotocols = NULL; ! /* Turn off all protocols to start with */ ! bits = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; ! ! /* This should always be set when the context is initialized, but just in case ... */ if (sslcontext->protocols == NULL) { ! sslcontext->protocols = DEFAULT_PROTOCOLS; ! Ns_Log(Notice, "%s (%s): '%s' no Protocols string is set in the config file - using the default: %s", ! MODULE, sslcontext->server, sslcontext->name, DEFAULT_PROTOCOLS); ! } ! ! lprotocols = Ns_StrToLower(ns_strdup(sslcontext->protocols)); ! ! if (strstr(lprotocols, "all") != NULL) { bits &= ~bits; ! Ns_Log(Warning, "%s (%s): '%s' enabling all protocols; ensure you turn off SSLv2 and SSLv3 in config Protocols string as they are insecure", ! 
MODULE, sslcontext->server, sslcontext->name); ! Ns_Log(Notice, "%s (%s): '%s' you are using this Protocols string: %s", ! MODULE, sslcontext->server, sslcontext->name, sslcontext->protocols); ! Ns_Log(Notice, "%s (%s): '%s' consider using this Protocols string instead: %s", ! MODULE, sslcontext->server, sslcontext->name, "ALL -SSLv2 -SSLv3"); } + + if (strstr(lprotocols, "-sslv2") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling SSLv2 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_SSLv2; + } else if (strstr(lprotocols, "sslv2") != NULL) { + Ns_Log(Warning, "%s (%s): '%s' enabling SSLv2 protocol - SSLv2 is insecure and should not be used", + MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_SSLv2; + } + + if (strstr(lprotocols, "-sslv3") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling SSLv3 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_SSLv3; + } else if (strstr(lprotocols, "sslv3") != NULL) { + Ns_Log(Warning, "%s (%s): '%s' enabling SSLv3 protocol - SSLv3 is insecure and should not be used", + MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_SSLv3; + } + + if (strstr(lprotocols, "-tlsv1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling TLSv1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_TLSv1; + } else if (strstr(lprotocols, "tlsv1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' enabling TLSv1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_TLSv1; + } + + if (strstr(lprotocols, "-tlsv1.1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling TLSv1.1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_TLSv1_1; + } else if (strstr(lprotocols, "tlsv1.1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' enabling TLSv1.1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_TLSv1_1; + } + + if (strstr(lprotocols, "-tlsv1.2") != NULL) { + Ns_Log(Notice, 
"%s (%s): '%s' disabling TLSv1.2 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_TLSv1_2; + } else if (strstr(lprotocols, "tlsv1.2") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' enabling TLSv1.2 protocol", MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_TLSv1_2; + } + + ns_free(lprotocols); + if (SSL_CTX_set_options(sslcontext->sslctx, bits) == 0) { Ns_Log(Error, "%s (%s): protocol initialization failed", Index: defaults.h =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/defaults.h,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** defaults.h 24 Jun 2004 03:29:37 -0000 1.4 --- defaults.h 18 Dec 2016 18:21:58 -0000 1.5 *************** *** 10,14 **** #define SERVER_ROLE 1 #define CLIENT_ROLE 0 ! #define DEFAULT_PROTOCOLS "All" #define DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST //#define DEFAULT_CERT_FILE "certificate.pem" --- 10,14 ---- #define SERVER_ROLE 1 #define CLIENT_ROLE 0 ! #define DEFAULT_PROTOCOLS "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" #define DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST //#define DEFAULT_CERT_FILE "certificate.pem" Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.119 retrieving revision 1.120 diff -C2 -d -r1.119 -r1.120 *** ChangeLog 17 Dec 2016 22:55:49 -0000 1.119 --- ChangeLog 18 Dec 2016 18:21:58 -0000 1.120 *************** *** 1,14 **** ! 2016-12-17 Scott S. Goodwin <sc...@sc...> ! * sslcontext.c: Set up ECDH parameters to enable the use of ciphers ! that require these parameters, some of which provide for forward ! secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ! ciphers that require them, even if you expliticly add them to the ! CipherSuite configuration string. Also minor cleanup of the DH code ! committed yesterday. ! 
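Review bot: The rewritten Protocols parsing still uses `strstr` substring matches, so `tlsv1` also matches inside `tlsv1.1` and `tlsv1.2`: a config of `"-SSLv2 -SSLv3 TLSv1.2"` meant to allow only TLS 1.2 silently enables TLSv1.0 as well, which defeats the per-protocol switches the hunk introduces. Matching whole whitespace- or comma-separated tokens fixes this; a small helper lets each `strstr(lprotocols, "x") != NULL` test become `HasProtoToken(lprotocols, "x")` without changing the surrounding structure. Separately, `sslcontext->protocols = DEFAULT_PROTOCOLS;` stores a string literal in a field that — if the context's other string fields come from `ns_strdup` and are released on teardown, which this hunk does not show — would later be handed to `ns_free`; `ns_strdup(DEFAULT_PROTOCOLS)` avoids that. The enclosing function starts and ends outside the hunk.
```c
/*
 * HasProtoToken --
 *
 *      True when tok appears in list as a whole token bounded by start/end
 *      of string, whitespace or a comma, so "tlsv1" does not match inside
 *      "tlsv1.1"/"tlsv1.2" and "-tlsv1" does not match "-tlsv1.1".
 */
static int
HasProtoToken(const char *list, const char *tok)
{
    size_t n = strlen(tok);
    const char *s = list;

    while ((s = strstr(s, tok)) != NULL) {
        int atStart = (s == list || isspace((unsigned char) s[-1]) || s[-1] == ',');
        int atEnd = (s[n] == '\0' || isspace((unsigned char) s[n]) || s[n] == ',');
        if (atStart && atEnd) {
            return 1;
        }
        s += n;
    }
    return 0;
}

/* … unchanged: bits initialisation, DEFAULT_PROTOCOLS fallback, "all" handling … */

    if (HasProtoToken(lprotocols, "-tlsv1")) {
        /* … unchanged: disable TLSv1 … */
    } else if (HasProtoToken(lprotocols, "tlsv1")) {
        /* … unchanged: enable TLSv1 … */
    }
    /* … the remaining strstr(lprotocols, "…") != NULL tests change the same way … */
```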
See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman ! 2016-12-16 Scott S. Goodwin <sc...@sc...> * sslcontext.c: Set up ECDH parameters to enable the use of ciphers --- 1,21 ---- ! 2016-12-18 Scott S. Goodwin <sc...@sc...> ! * sslcontext.c: Fixed Protocols string processing and setting of ! SSL/TLS protocols. The existing code wasn't doing the right things, ! and is now processing the Protocols string properly. Added the ! TLSv1.1 and TLSv1.2 protocols as options. The 'All' parameter in the ! Protocols string is dangerous as it will silently turn on SSLv2 and ! SSLv3, so better logging information has been added. Needs to be ! refactored to simplify the code (will do that another time). Also ! fixed the ECDH notice about failing to set ECDH parameters when they ! were actually set successfully. ! * defaults.h: Updated DEFAULT_PROTOCOLS to be more secure. SSLv2 and ! SSLv3 are not secure and we take them out up front. We don't use the ! "All" parameter. ! ns_param Protocols "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" ! ! 2016-12-17 Scott S. Goodwin <sc...@sc...> * sslcontext.c: Set up ECDH parameters to enable the use of ciphers *************** *** 16,20 **** secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ciphers that require them, even if you expliticly add them to the ! CipherSuite configuration string. See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman --- 23,28 ---- secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ciphers that require them, even if you expliticly add them to the ! CipherSuite configuration string. Also minor cleanup of the DH code ! committed yesterday. See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman |
From: Scott S. G. <sc...@us...> - 2016-12-17 22:55:51
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv6781 Modified Files: ChangeLog sslcontext.c Log Message: Set up ECDH parameters to enable the use of ciphers that require these parameters, some of which provide for forward secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ciphers that require them, even if you expliticly add them to the CipherSuite configuration string. Also minor cleanup of the DH code committed yesterday. See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** sslcontext.c 16 Dec 2016 16:45:41 -0000 1.12 --- sslcontext.c 17 Dec 2016 22:55:49 -0000 1.13 *************** *** 267,281 **** */ ! DH *dh = get_dh1024 (); ! if (SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 1) { Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", MODULE, server); ! /* This apparently prevents some sort of DH attack */ SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE); } else { ! Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", MODULE, server); } ! DH_free (dh); /* --- 267,305 ---- */ ! DH *dh = get_dh1024(); ! if (dh == NULL || SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 0) { ! Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", ! MODULE, server); ! } else { Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", MODULE, server); ! /* ! * Necessary for OpenSSL 1.0.2 - 1.0.2e to fix vulnerability. ! * Works in OpenSSL < 1.0.2 to prevent using same DH params repeatedly. ! * No effect in OpenSSL > 1.0.2e which forces it on regardless. ! 
*/ SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE); + } + DH_free(dh); + + /* + * Set up ECDH parameters to enable the use of ciphers that require these + * parameters, some of which provide for forward secrecy. Without + * configured ECDH paramaters, OpenSSL silently ignores ciphers that + * require them, even if you expliticly add them to the CipherSuite + * configuration string. + * + * See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + */ + + EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) == 1) { + Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", + MODULE, server); } else { ! Ns_Log(Notice, "%s (%s): ECDH parameters set using the prime256v1 curve", MODULE, server); } ! EC_KEY_free (ecdh); /* Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.118 retrieving revision 1.119 diff -C2 -d -r1.118 -r1.119 *** ChangeLog 16 Dec 2016 16:45:41 -0000 1.118 --- ChangeLog 17 Dec 2016 22:55:49 -0000 1.119 *************** *** 1,2 **** --- 1,23 ---- + 2016-12-17 Scott S. Goodwin <sc...@sc...> + + * sslcontext.c: Set up ECDH parameters to enable the use of ciphers + that require these parameters, some of which provide for forward + secrecy. Without configured ECDH paramaters, OpenSSL silently ignores + ciphers that require them, even if you expliticly add them to the + CipherSuite configuration string. Also minor cleanup of the DH code + committed yesterday. + + See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + + 2016-12-16 Scott S. Goodwin <sc...@sc...> + + * sslcontext.c: Set up ECDH parameters to enable the use of ciphers + that require these parameters, some of which provide for forward + secrecy. 
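Review bot: The new ECDH branch logs the failure message when `SSL_CTX_set_tmp_ecdh()` succeeds: the ctrl returns 1 on success, so `SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) == 1` selects the Error path and a working setup is reported as broken, while the Notice is only reached on failure. The condition should read `ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) != 1`; the 2016-12-18 revision earlier on this page makes exactly that correction. The DH side is sound — `SSL_CTX_set_tmp_dh` copies the parameters, so the unconditional `DH_free(dh)` afterwards is correct, and the added `dh == NULL` guard closes the gap the previous revision left. `NsOpenSSLContextInit` continues outside the hunk.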
Without configured ECDH paramaters, OpenSSL silently ignores + ciphers that require them, even if you expliticly add them to the + CipherSuite configuration string. + + See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + 2016-12-16 Scott S. Goodwin <sc...@sc...> *************** *** 9,12 **** --- 30,47 ---- distribution in apps/dh1024.pem. + We create the .h file this way: + + $OPENSSL dhparam -inform PEM -in $DH_PEM_FILE -C -noout >> $DH_C_FILE + + Where: + + DH_PEM_FILE -> OpenSSL source dist apps/dh1024.pem file + DH_C_FILE -> dh1024.h in the nsopenssl distribution directory + + The source dh1024.pem file might be regenerated and a new one supplied + with each release of OpenSSL. + + See: https://wiki.openssl.org/index.php/Diffie-Hellman_parameters + 2004-11-20 tag v3_0beta26 |
From: Scott S. G. <sc...@us...> - 2016-12-16 16:45:43
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv29122 Modified Files: ChangeLog sslcontext.c Added Files: dh1024.h Log Message: sslcontext.c, dh1024.h: Added 1024 bit DH parameters so that ciphers that utilize DH parameters can be configured. If DH parameters are not available, any ciphers that require them are silently ignored by OpenSSL even if you've explicitly specified them in the CipherSuite configuration string. Some of these ciphers provide for forward secrecy. The parameters come from the OpenSSL distribution in apps/dh1024.pem. Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** sslcontext.c 28 Mar 2006 17:56:30 -0000 1.11 --- sslcontext.c 16 Dec 2016 16:45:41 -0000 1.12 *************** *** 38,41 **** --- 38,42 ---- #include "nsopenssl.h" + #include "dh1024.h" Tcl_HashTable NsOpenSSLServers; *************** *** 247,257 **** SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_ALL); - /* This apparently prevents some sort of DH attack */ - SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE); - /* Temporary key callback required for 40-bit export browsers */ SSL_CTX_set_tmp_rsa_callback(sslcontext->sslctx, IssueTmpRSAKey); /* * Failure in one of these will cause SSL context to be left uninitialized. */ --- 248,283 ---- SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_ALL); /* Temporary key callback required for 40-bit export browsers */ SSL_CTX_set_tmp_rsa_callback(sslcontext->sslctx, IssueTmpRSAKey); /* + * Set up DH parameters to enable use of some forward secrecy ciphers. + * For now we will only use 1024 bit DH params generated by the latest + * OpenSSL release. 
We create the .h file this way: + * + * $OPENSSL dhparam -inform PEM -in $DH_PEM_FILE -C -noout >> $DH_C_FILE + * + * DH_PEM_FILE -> OpenSSL source dist apps/dh1024.pem file + * DH_C_FILE -> dh1024.h in the nsopenssl distribution directory + * + * The source dh1024.pem file might be regenerated and a new one supplied + * with each release of OpenSSL. + * + * See: https://wiki.openssl.org/index.php/Diffie-Hellman_parameters + */ + + DH *dh = get_dh1024 (); + if (SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 1) { + Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", + MODULE, server); + /* This apparently prevents some sort of DH attack */ + SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE); + } else { + Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", + MODULE, server); + } + DH_free (dh); + + /* * Failure in one of these will cause SSL context to be left uninitialized. */ Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.117 retrieving revision 1.118 diff -C2 -d -r1.117 -r1.118 *** ChangeLog 20 Nov 2004 06:43:51 -0000 1.117 --- ChangeLog 16 Dec 2016 16:45:41 -0000 1.118 *************** *** 1,2 **** --- 1,12 ---- + 2016-12-16 Scott S. Goodwin <sc...@sc...> + + * sslcontext.c, dh1024.h: Added 1024 bit DH parameters so that + ciphers that utilize DH parameters can be configured. If DH + parameters are not available, any ciphers that require them are + silently ignored by OpenSSL even if you've explicitly specified them + in the CipherSuite configuration string. Some of these ciphers + provide for forward secrecy. The parameters come from the OpenSSL + distribution in apps/dh1024.pem. 
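Review bot: `get_dh1024()` returns NULL on its own `DH_new`/`BN_bin2bn` failure paths, and the new code passes that value straight to `SSL_CTX_set_tmp_dh()`; whether that lands in the Error branch or crashes depends on the OpenSSL ctrl rejecting a NULL parameter, so an explicit `if (dh == NULL || SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) != 1)` is the safer shape. The 1024-bit group is also below the 2048-bit minimum generally recommended for finite-field DH, which the 2016-12-18 commit earlier on this page addresses by switching to `get_dh2048()`. The relocated comment `/* This apparently prevents some sort of DH attack */` could say what the flag does: `/* SSL_OP_SINGLE_DH_USE: derive a fresh DH private value per handshake instead of reusing one across connections. */`. `NsOpenSSLContextInit` continues outside the hunk.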
+ 2004-11-20 tag v3_0beta26 --- NEW FILE: dh1024.h --- /* 1024-bit DH params from OpenSSL 1.0.1j apps/dh1024.pem */ #ifndef HEADER_DH_H #include <openssl/dh.h> #endif DH *get_dh1024() { static unsigned char dh1024_p[]={ 0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4, 0x91,0x07,0x36,0x6B,0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C, 0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0, 0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D, 0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C, 0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40, 0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03, 0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB, 0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D, 0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB, 0xA2,0x5E,0xC3,0x55,0xE9,0x2F,0x78,0xC7, }; static unsigned char dh1024_g[]={ 0x02, }; DH *dh; if ((dh=DH_new()) == NULL) return(NULL); dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return(NULL); } return(dh); } |
From: Jeff R. <dv...@us...> - 2014-07-08 02:07:41
Update of /cvsroot/aolserver/aolserver/nsd In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv18266 Modified Files: tclcache.c Log Message: Fixed panic when running against a tcl build with TCL_COMPILE_DEBUG. A SetFromAny proc should not invalidate an existing stringrep, which SetCacheFromAny was doing. Index: tclcache.c =================================================================== RCS file: /cvsroot/aolserver/aolserver/nsd/tclcache.c,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** tclcache.c 5 Jul 2011 18:37:47 -0000 1.5 --- tclcache.c 8 Jul 2014 02:07:38 -0000 1.6 *************** *** 730,735 **** objPtr->typePtr = &cacheType; objPtr->internalRep.otherValuePtr = cachePtr; - Tcl_InvalidateStringRep(objPtr); - objPtr->length = 0; /* ensure there's no stumbling */ return TCL_OK; } --- 730,733 ---- |
From: gustafn <gne...@us...> - 2014-06-27 10:00:30
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv6368/nsopenssl Modified Files: nsopenssl.c Log Message: - fixing visibility for nssha1, nscache and nsopenssl Index: nsopenssl.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/nsopenssl.c,v retrieving revision 1.77 retrieving revision 1.78 diff -C2 -d -r1.77 -r1.78 *** nsopenssl.c 20 Nov 2004 06:42:54 -0000 1.77 --- nsopenssl.c 27 Jun 2014 10:00:27 -0000 1.78 *************** *** 60,64 **** static void LoadSSLDrivers(char *server); ! int Ns_ModuleVersion = 1; --- 60,64 ---- static void LoadSSLDrivers(char *server); ! NS_EXPORT int Ns_ModuleVersion = 1; *************** *** 78,82 **** */ ! int Ns_ModuleInit(char *server, char *module) { --- 78,82 ---- */ ! NS_EXPORT int Ns_ModuleInit(char *server, char *module) { |
From: Jeff R. <dv...@us...> - 2013-11-21 21:43:38
Update of /cvsroot/aolserver/aolserver/nsd In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv12129 Modified Files: sockcallback.c Log Message: fix size of reallocation unit (many thanks to Wolfgang Winkler for pointing this out) (copied from Naviserver) Index: sockcallback.c =================================================================== RCS file: /cvsroot/aolserver/aolserver/nsd/sockcallback.c,v retrieving revision 1.17 retrieving revision 1.18 diff -C2 -d -r1.17 -r1.18 *** sockcallback.c 13 Apr 2006 19:06:41 -0000 1.17 --- sockcallback.c 21 Nov 2013 21:43:35 -0000 1.18 *************** *** 354,358 **** if (max <= table.numEntries) { max = table.numEntries + 100; ! pfds = ns_realloc(pfds, (size_t)max); } nfds = 1; --- 354,358 ---- if (max <= table.numEntries) { max = table.numEntries + 100; ! pfds = ns_realloc(pfds, sizeof(struct pollfd) * max); } nfds = 1; |
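Review bot: The corrected size `sizeof(struct pollfd) * max` is right in spirit, but if `max` is an `int` (its declaration is outside the hunk) the product is still computed after the usual conversions to `size_t` only because `sizeof` is the left operand — writing `(size_t) max * sizeof(*pfds)` makes the intent explicit and ties the element size to the pointer rather than to a type name. Assigning the result of `ns_realloc` straight back into `pfds` is only safe if `ns_realloc` aborts rather than returning NULL on failure, which cannot be confirmed from this hunk; if it can return NULL, the old buffer leaks on that path. The enclosing function continues outside the hunk.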
From: Jeff R. <dv...@us...> - 2013-11-21 21:37:02
Update of /cvsroot/aolserver/aolserver/nsd In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv11617 Modified Files: quotehtml.c Log Message: fix to avoid creating invalid strings when quoting empty string Index: quotehtml.c =================================================================== RCS file: /cvsroot/aolserver/aolserver/nsd/quotehtml.c,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** quotehtml.c 18 Jul 2005 23:33:23 -0000 1.5 --- quotehtml.c 21 Nov 2013 21:37:00 -0000 1.6 *************** *** 62,66 **** end = string + strlen(string); ! do { next = Tcl_UtfNext(string); switch (*string) { --- 62,66 ---- end = string + strlen(string); ! while (string < end) { next = Tcl_UtfNext(string); switch (*string) { *************** *** 90,94 **** } string = next; ! } while (string < end); } --- 90,94 ---- } string = next; ! }; } |
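Review bot: The `do { … } while (string < end);` to `while (string < end) { … }` conversion leaves the old terminator behind as `};`, which is now a stray null statement after the loop body; it compiles but reads as a typo, so the closing line should be plain `}`. The new guard is the right fix for the empty-string case, since `Tcl_UtfNext` was previously called on the terminating NUL before the bound was checked. The enclosing function starts outside the hunk.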
From: Jeff R. <dv...@us...> - 2012-09-18 00:29:52
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv20320/nsd
Modified Files:
Tag: aolserver_v45_r2
init.tcl
Log Message:
merge trunk changes to release branch
Index: init.tcl
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/init.tcl,v
retrieving revision 1.37.2.2
retrieving revision 1.37.2.3
diff -C2 -d -r1.37.2.2 -r1.37.2.3
*** init.tcl 11 May 2012 17:13:37 -0000 1.37.2.2
--- init.tcl 18 Sep 2012 00:29:50 -0000 1.37.2.3
***************
*** 327,333 ****
foreach n $nslist {
foreach {ns_script ns_import} [_ns_getscript $n] {
! append script [list namespace eval $n $ns_script] \n
if {$ns_import != ""} {
! append import [list namespace eval $n $ns_import] \n
}
}
--- 327,333 ----
foreach n $nslist {
foreach {ns_script ns_import} [_ns_getscript $n] {
! append script [list ::namespace eval $n $ns_script] \n
if {$ns_import != ""} {
! append import [list ::namespace eval $n $ns_import] \n
}
}
***************
*** 429,432 ****
--- 429,434 ----
lappend list $top
foreach c [namespace children $top] {
+ # skip built-in namespaces
+ if {$c in {::oo}} continue
_ns_getnamespaces list $c
}
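Review bot: The qualification is incomplete: `foreach c [namespace children $top]` on the context line of this hunk, and `[info command $cmd]` / `[namespace ensemble exists $cmd]` in the `_ns_create_or_config_ensemble` hunk below, still call the unqualified commands, so the situation the commit guards against (a `namespace` or `info` command shadowed inside some namespace) still applies to those calls. Qualifying them as `::namespace children $top`, `::info command $cmd` and `::namespace ensemble exists $cmd` makes the change consistent with the lines that were touched. The `::oo` exclusion would be easier to revisit with a comment saying what breaks, e.g. `# ::oo holds TclOO classes/objects that script copying cannot recreate yet`. The same hunks appear again in the trunk revision 1.40 further down this page.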
***************
*** 457,463 ****
proc _ns_create_or_config_ensemble {cmd cfg} {
if {[info command $cmd] eq $cmd && [namespace ensemble exists $cmd]} {
! uplevel 1 [list namespace ensemble configure $cmd {*}$cfg]
} else {
! uplevel 1 [list namespace ensemble create -command $cmd {*}$cfg]
}
}
--- 459,465 ----
proc _ns_create_or_config_ensemble {cmd cfg} {
if {[info command $cmd] eq $cmd && [namespace ensemble exists $cmd]} {
! uplevel 1 [list ::namespace ensemble configure $cmd {*}$cfg]
} else {
! uplevel 1 [list ::namespace ensemble create -command $cmd {*}$cfg]
}
}
***************
*** 468,472 ****
::unset _cfg(-namespace)
::set _encmd [::list ::_ns_create_or_config_ensemble $cmd [::array get _cfg]]
! return [::list namespace eval $_enns $_encmd]\n
}
}
--- 470,474 ----
::unset _cfg(-namespace)
::set _encmd [::list ::_ns_create_or_config_ensemble $cmd [::array get _cfg]]
! return [::list ::namespace eval $_enns $_encmd]\n
}
}
***************
*** 573,577 ****
} else {
# procedure imported from other namespace
! ::append _import [::list namespace import -force $_orig] \n
# renamed after import
::if {[::namespace tail $_orig] != $_proc} {
--- 575,579 ----
} else {
# procedure imported from other namespace
! ::append _import [::list ::namespace import -force $_orig] \n
# renamed after import
::if {[::namespace tail $_orig] != $_proc} {
***************
*** 589,593 ****
::if {[::info exists _prcs($_cmnd)] == 0
&& $_orig != [::namespace which -command $_cmnd]} {
! ::append _import [::list namespace import -force $_orig] \n
}
::append _import [_ns_getensemble $_cmnd]
--- 591,595 ----
::if {[::info exists _prcs($_cmnd)] == 0
&& $_orig != [::namespace which -command $_cmnd]} {
! ::append _import [::list ::namespace import -force $_orig] \n
}
::append _import [_ns_getensemble $_cmnd]
***************
*** 601,605 ****
::set _exp [::namespace export]
if {[::llength $_exp]} {
! ::append _script [::concat namespace export $_exp] \n
}
--- 603,607 ----
::set _exp [::namespace export]
if {[::llength $_exp]} {
! ::append _script [::concat ::namespace export $_exp] \n
}
From: Jeff R. <dv...@us...> - 2012-09-18 00:29:42
Update of /cvsroot/aolserver/aolserver
In directory vz-cvs-4.sog:/tmp/cvs-serv20288
Modified Files:
Tag: aolserver_v45_r2
ChangeLog
Log Message:
merge trunk changes to release branch
Index: ChangeLog
===================================================================
RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v
retrieving revision 1.406.2.2
retrieving revision 1.406.2.3
diff -C2 -d -r1.406.2.2 -r1.406.2.3
*** ChangeLog 11 May 2012 17:13:21 -0000 1.406.2.2
--- ChangeLog 18 Sep 2012 00:29:40 -0000 1.406.2.3
***************
*** 1,2 ****
--- 1,12 ----
+ 2012-09-17 Jeff Rogers <dv...@di...>
+ * include/nsthread.h: update definition of NS_EXPORT to use modern GCC
+ visibility attributes
+ * include/ns.h: add an automatic export for ModInit proc to avoid
+ forcing all modules to change for visibility.
+ * include/ns.mak.in: add NS_MODINIT define when compiling modules
+ to pull in automatic export
+ * nsd/init.tcl: make sure to fully qualify 'namespace'. Omit
+ '::oo' from namespace traversal until tcloo is better understood.
+
2012-05-11 Jeff Rogers <dv...@di...>
* nsd/init.tcl: fix previous version that had renaming logic twice
From: Jeff R. <dv...@us...> - 2012-09-17 20:48:51
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv32082/nsd
Modified Files:
init.tcl
Log Message:
qualified some namespace calls.
Omit '::oo' (tclOO) from namespace traversal until I better understand
the right way to re-create those objects.
Index: init.tcl
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/init.tcl,v
retrieving revision 1.39
retrieving revision 1.40
diff -C2 -d -r1.39 -r1.40
*** init.tcl 11 May 2012 17:22:04 -0000 1.39
--- init.tcl 17 Sep 2012 20:48:49 -0000 1.40
***************
*** 327,333 ****
foreach n $nslist {
foreach {ns_script ns_import} [_ns_getscript $n] {
! append script [list namespace eval $n $ns_script] \n
if {$ns_import != ""} {
! append import [list namespace eval $n $ns_import] \n
}
}
--- 327,333 ----
foreach n $nslist {
foreach {ns_script ns_import} [_ns_getscript $n] {
! append script [list ::namespace eval $n $ns_script] \n
if {$ns_import != ""} {
! append import [list ::namespace eval $n $ns_import] \n
}
}
***************
*** 429,432 ****
--- 429,434 ----
lappend list $top
foreach c [namespace children $top] {
+ # skip built-in namespaces
+ if {$c in {::oo}} continue
_ns_getnamespaces list $c
}
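Review bot: The added comment `# skip built-in namespaces` promises more than the check under it delivers, which skips only `::oo`; `::tcl` and any other built-in namespace are still traversed. A comment that matches the log message, `# skip ::oo (TclOO): its objects can't yet be rebuilt from a plain script copy`, keeps the next reader from extending the list on the comment's word. The `in` operator on the following line also needs Tcl 8.5 or later; if 8.4 interpreters are still supported here, `[lsearch -exact {::oo} $c] >= 0` is the portable form. The enclosing proc (apparently `_ns_getnamespaces`, given the recursive call) begins outside the hunk.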
***************
*** 457,463 ****
proc _ns_create_or_config_ensemble {cmd cfg} {
if {[info command $cmd] eq $cmd && [namespace ensemble exists $cmd]} {
! uplevel 1 [list namespace ensemble configure $cmd {*}$cfg]
} else {
! uplevel 1 [list namespace ensemble create -command $cmd {*}$cfg]
}
}
--- 459,465 ----
proc _ns_create_or_config_ensemble {cmd cfg} {
if {[info command $cmd] eq $cmd && [namespace ensemble exists $cmd]} {
! uplevel 1 [list ::namespace ensemble configure $cmd {*}$cfg]
} else {
! uplevel 1 [list ::namespace ensemble create -command $cmd {*}$cfg]
}
}
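Review bot: The existence test and the `uplevel 1` it guards may resolve `$cmd` in different namespaces: `info command` and `namespace ensemble exists` run where `_ns_create_or_config_ensemble` is defined, while the qualified `::namespace ensemble configure`/`create` strings run in the caller's namespace, so a relative `$cmd` could be checked as one command and created or configured as another. Whether that can happen depends on the caller always passing a fully qualified name, which this hunk does not show; if that is the contract, a one-line comment above the `if`, `# cmd must be fully qualified: the check runs here, the create/configure in the caller`, records it. For consistency with the change itself, `::info command $cmd` and `::namespace ensemble exists $cmd` in the condition would also match the qualified style.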
***************
*** 468,472 ****
::unset _cfg(-namespace)
::set _encmd [::list ::_ns_create_or_config_ensemble $cmd [::array get _cfg]]
! return [::list namespace eval $_enns $_encmd]\n
}
}
--- 470,474 ----
::unset _cfg(-namespace)
::set _encmd [::list ::_ns_create_or_config_ensemble $cmd [::array get _cfg]]
! return [::list ::namespace eval $_enns $_encmd]\n
}
}
***************
*** 573,577 ****
} else {
# procedure imported from other namespace
! ::append _import [::list namespace import -force $_orig] \n
# renamed after import
::if {[::namespace tail $_orig] != $_proc} {
--- 575,579 ----
} else {
# procedure imported from other namespace
! ::append _import [::list ::namespace import -force $_orig] \n
# renamed after import
::if {[::namespace tail $_orig] != $_proc} {
***************
*** 589,593 ****
::if {[::info exists _prcs($_cmnd)] == 0
&& $_orig != [::namespace which -command $_cmnd]} {
! ::append _import [::list namespace import -force $_orig] \n
}
::append _import [_ns_getensemble $_cmnd]
--- 591,595 ----
::if {[::info exists _prcs($_cmnd)] == 0
&& $_orig != [::namespace which -command $_cmnd]} {
! ::append _import [::list ::namespace import -force $_orig] \n
}
::append _import [_ns_getensemble $_cmnd]
***************
*** 601,605 ****
::set _exp [::namespace export]
if {[::llength $_exp]} {
! ::append _script [::concat namespace export $_exp] \n
}
--- 603,607 ----
::set _exp [::namespace export]
if {[::llength $_exp]} {
! ::append _script [::concat ::namespace export $_exp] \n
}
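Review bot: `if` on the context line `if {[::llength $_exp]} {` is the only command in this hunk left unqualified, while `::set`, `::llength` and `::append` around it, and `::if` in the two `namespace import` hunks above, carry the `::` prefix the commit is adding; this script is evaluated inside the namespace being rebuilt, so a proc named `if` there would still intercept it. Changing the line to `::if {[::llength $_exp]} {` finishes the job. The same hunk recurs in the truncated record that opens the page, where the same line is left as is.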
From: Jeff R. <dv...@us...> - 2012-09-17 20:47:37
Update of /cvsroot/aolserver/aolserver In directory vz-cvs-4.sog:/tmp/cvs-serv32057 Modified Files: ChangeLog Log Message: added automatic export for modules Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v retrieving revision 1.409 retrieving revision 1.410 diff -C2 -d -r1.409 -r1.410 *** ChangeLog 17 Sep 2012 18:38:25 -0000 1.409 --- ChangeLog 17 Sep 2012 20:47:35 -0000 1.410 *************** *** 1,6 **** 2012-09-17 Jeff Rogers <dv...@di...> ! * include/nsthread.h: ! * include/ns.h: update definition of NS_EXPORT to use modern GCC visibility attributes 2012-05-11 Jeff Rogers <dv...@di...> --- 1,11 ---- 2012-09-17 Jeff Rogers <dv...@di...> ! * include/nsthread.h: update definition of NS_EXPORT to use modern GCC visibility attributes + * include/ns.h: add an automatic export for ModInit proc to avoid + forcing all modules to change for visibility. + * include/ns.mak.in: add NS_MODINIT define when compiling modules + to pull in automatic export + * nsd/init.tcl: make sure to fully qualify 'namespace'. Omit + '::oo' from namespace traversal until tcloo is better understood. 2012-05-11 Jeff Rogers <dv...@di...> |
From: Jeff R. <dv...@us...> - 2012-09-17 18:38:27
Update of /cvsroot/aolserver/aolserver In directory vz-cvs-4.sog:/tmp/cvs-serv15977 Modified Files: ChangeLog Log Message: Change NS_EXPORT to use gcc visibility attributes so that -fvisibility=hidden doesn't hide all library symbols Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v retrieving revision 1.408 retrieving revision 1.409 diff -C2 -d -r1.408 -r1.409 *** ChangeLog 11 May 2012 17:21:51 -0000 1.408 --- ChangeLog 17 Sep 2012 18:38:25 -0000 1.409 *************** *** 1,2 **** --- 1,7 ---- + 2012-09-17 Jeff Rogers <dv...@di...> + * include/nsthread.h: + * include/ns.h: update definition of NS_EXPORT to use modern GCC + visibility attributes + 2012-05-11 Jeff Rogers <dv...@di...> * nsd/init.tcl: fix previous version that had renaming logic twice |
From: Jeff R. <dv...@us...> - 2012-05-11 17:22:07
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv7638/nsd
Modified Files:
init.tcl
Log Message:
merge patch
Index: init.tcl
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/init.tcl,v
retrieving revision 1.38
retrieving revision 1.39
diff -C2 -d -r1.38 -r1.39
*** init.tcl 13 Dec 2011 22:51:13 -0000 1.38
--- init.tcl 11 May 2012 17:22:04 -0000 1.39
***************
*** 590,597 ****
&& $_orig != [::namespace which -command $_cmnd]} {
::append _import [::list namespace import -force $_orig] \n
- # renamed after import
- ::if {[::namespace tail $_orig] != [::namespace tail $_cmnd]} {
- ::append _import [::list rename [::namespace current]::[::namespace tail $_orig] $_cmnd] \n
- }
}
::append _import [_ns_getensemble $_cmnd]
--- 590,593 ----
From: Jeff R. <dv...@us...> - 2012-05-11 17:21:53
Update of /cvsroot/aolserver/aolserver In directory vz-cvs-4.sog:/tmp/cvs-serv7609 Modified Files: ChangeLog Log Message: merge patch Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v retrieving revision 1.407 retrieving revision 1.408 diff -C2 -d -r1.407 -r1.408 *** ChangeLog 13 Dec 2011 22:51:04 -0000 1.407 --- ChangeLog 11 May 2012 17:21:51 -0000 1.408 *************** *** 1,2 **** --- 1,5 ---- + 2012-05-11 Jeff Rogers <dv...@di...> + * nsd/init.tcl: fix previous version that had renaming logic twice + 2011-12-13 Jeff Rogers <dv...@di...> * nsd/init.tcl: add logic to handle commands imported from a namespace |
From: Jeff R. <dv...@us...> - 2012-05-11 17:13:39
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv5739/nsd
Modified Files:
Tag: aolserver_v45_r2
init.tcl
Log Message:
Fix renaming logic in init.tcl
Index: init.tcl
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/init.tcl,v
retrieving revision 1.37.2.1
retrieving revision 1.37.2.2
diff -C2 -d -r1.37.2.1 -r1.37.2.2
*** init.tcl 13 Dec 2011 22:37:07 -0000 1.37.2.1
--- init.tcl 11 May 2012 17:13:37 -0000 1.37.2.2
***************
*** 590,597 ****
&& $_orig != [::namespace which -command $_cmnd]} {
::append _import [::list namespace import -force $_orig] \n
- # renamed after import
- ::if {[::namespace tail $_orig] != [::namespace tail $_cmnd]} {
- ::append _import [::list rename [::namespace current]::[::namespace tail $_orig] $_cmnd] \n
- }
}
::append _import [_ns_getensemble $_cmnd]
--- 590,593 ----
From: Jeff R. <dv...@us...> - 2012-05-11 17:13:24
Update of /cvsroot/aolserver/aolserver
In directory vz-cvs-4.sog:/tmp/cvs-serv5679
Modified Files:
Tag: aolserver_v45_r2
ChangeLog
Log Message:
Fix renaming logic in init.tcl
Index: ChangeLog
===================================================================
RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v
retrieving revision 1.406.2.1
retrieving revision 1.406.2.2
diff -C2 -d -r1.406.2.1 -r1.406.2.2
*** ChangeLog 13 Dec 2011 22:36:52 -0000 1.406.2.1
--- ChangeLog 11 May 2012 17:13:21 -0000 1.406.2.2
***************
*** 1,2 ****
--- 1,5 ----
+ 2012-05-11 Jeff Rogers <dv...@di...>
+ * nsd/init.tcl: fix previous version that had renaming logic twice
+
2011-12-13 Jeff Rogers <dv...@di...>
* nsd/init.tcl: add logic to handle commands imported from a namespace
From: Jeff R. <dv...@us...> - 2011-12-13 22:51:15
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv16138/nsd
Modified Files:
init.tcl
Log Message:
merge changes from 4.5.2 branch
Index: init.tcl
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/init.tcl,v
retrieving revision 1.37
retrieving revision 1.38
diff -C2 -d -r1.37 -r1.38
*** init.tcl 28 May 2011 00:35:47 -0000 1.37
--- init.tcl 13 Dec 2011 22:51:13 -0000 1.38
***************
*** 574,577 ****
--- 574,581 ----
# procedure imported from other namespace
::append _import [::list namespace import -force $_orig] \n
+ # renamed after import
+ ::if {[::namespace tail $_orig] != $_proc} {
+ ::append _import [::list rename [::namespace tail $_orig] $_proc] \n
+ }
}
}
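Review bot: `!=` on the added `::if` line is a numeric-first comparison, so two command tails that happen to parse as numbers (`1` and `1.0`, say) compare equal and the rename is skipped; `ne` is the string comparison, `::if {[::namespace tail $_orig] ne $_proc} {`. On the `::append` line, `rename` is the one command in the generated script without the `::` prefix the rest of this file uses, `[::list ::rename [::namespace tail $_orig] $_proc]`. Both points also apply to the second hunk of this commit and to the same two hunks in the branch commit further down (2011-12-13 22:37:09). The enclosing proc begins outside the hunk.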
***************
*** 586,589 ****
--- 590,597 ----
&& $_orig != [::namespace which -command $_cmnd]} {
::append _import [::list namespace import -force $_orig] \n
+ # renamed after import
+ ::if {[::namespace tail $_orig] != [::namespace tail $_cmnd]} {
+ ::append _import [::list rename [::namespace current]::[::namespace tail $_orig] $_cmnd] \n
+ }
}
::append _import [_ns_getensemble $_cmnd]
From: Jeff R. <dv...@us...> - 2011-12-13 22:51:06
Update of /cvsroot/aolserver/aolserver In directory vz-cvs-4.sog:/tmp/cvs-serv16122 Modified Files: ChangeLog Log Message: merge changes from 4.5.2 branch Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v retrieving revision 1.406 retrieving revision 1.407 diff -C2 -d -r1.406 -r1.407 *** ChangeLog 26 Oct 2011 06:23:52 -0000 1.406 --- ChangeLog 13 Dec 2011 22:51:04 -0000 1.407 *************** *** 1,2 **** --- 1,6 ---- + 2011-12-13 Jeff Rogers <dv...@di...> + * nsd/init.tcl: add logic to handle commands imported from a namespace + and then renamed (some tcllib packages do this) + 2011-10-25 tag aolserver_v45_r2 |
From: Jeff R. <dv...@us...> - 2011-12-13 22:37:09
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv14103/nsd
Modified Files:
Tag: aolserver_v45_r2
init.tcl
Log Message:
add logic to init.tcl to handle imported/renamed commands
Index: init.tcl
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/init.tcl,v
retrieving revision 1.37
retrieving revision 1.37.2.1
diff -C2 -d -r1.37 -r1.37.2.1
*** init.tcl 28 May 2011 00:35:47 -0000 1.37
--- init.tcl 13 Dec 2011 22:37:07 -0000 1.37.2.1
***************
*** 574,577 ****
--- 574,581 ----
# procedure imported from other namespace
::append _import [::list namespace import -force $_orig] \n
+ # renamed after import
+ ::if {[::namespace tail $_orig] != $_proc} {
+ ::append _import [::list rename [::namespace tail $_orig] $_proc] \n
+ }
}
}
***************
*** 586,589 ****
--- 590,597 ----
&& $_orig != [::namespace which -command $_cmnd]} {
::append _import [::list namespace import -force $_orig] \n
+ # renamed after import
+ ::if {[::namespace tail $_orig] != [::namespace tail $_cmnd]} {
+ ::append _import [::list rename [::namespace current]::[::namespace tail $_orig] $_cmnd] \n
+ }
}
::append _import [_ns_getensemble $_cmnd]
From: Jeff R. <dv...@us...> - 2011-12-13 22:36:54
Update of /cvsroot/aolserver/aolserver
In directory vz-cvs-4.sog:/tmp/cvs-serv14059
Modified Files:
Tag: aolserver_v45_r2
ChangeLog
Log Message:
add logic to init.tcl to handle imported/renamed commands
Index: ChangeLog
===================================================================
RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v
retrieving revision 1.406
retrieving revision 1.406.2.1
diff -C2 -d -r1.406 -r1.406.2.1
*** ChangeLog 26 Oct 2011 06:23:52 -0000 1.406
--- ChangeLog 13 Dec 2011 22:36:52 -0000 1.406.2.1
***************
*** 1,2 ****
--- 1,6 ----
+ 2011-12-13 Jeff Rogers <dv...@di...>
+ * nsd/init.tcl: add logic to handle commands imported from a namespace
+ and then renamed (some tcllib packages do this)
+
2011-10-25 tag aolserver_v45_r2
From: Jeff R. <dv...@us...> - 2011-10-26 06:23:54
Update of /cvsroot/aolserver/aolserver In directory vz-cvs-4.sog:/tmp/cvs-serv32103 Modified Files: ChangeLog Log Message: poke changelog Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/aolserver/ChangeLog,v retrieving revision 1.405 retrieving revision 1.406 diff -C2 -d -r1.405 -r1.406 *** ChangeLog 26 Oct 2011 06:20:15 -0000 1.405 --- ChangeLog 26 Oct 2011 06:23:52 -0000 1.406 *************** *** 1,2 **** --- 1,4 ---- + 2011-10-25 tag aolserver_v45_r2 + 2011-10-25 Jeff Rogers <dv...@di...> * nsd/nsd.h: set patchlevel to 4.5.2 |
From: Jeff R. <dv...@us...> - 2011-10-26 06:20:18
Update of /cvsroot/aolserver/aolserver/include
In directory vz-cvs-4.sog:/tmp/cvs-serv30693/include
Modified Files:
ns.h
Log Message:
set patchlevel to 4.5.2
Index: ns.h
===================================================================
RCS file: /cvsroot/aolserver/aolserver/include/ns.h,v
retrieving revision 1.93
retrieving revision 1.94
diff -C2 -d -r1.93 -r1.94
*** ns.h 11 Oct 2011 08:03:09 -0000 1.93
--- ns.h 26 Oct 2011 06:20:15 -0000 1.94
***************
*** 42,51 ****
#define NS_MAJOR_VERSION 4
#define NS_MINOR_VERSION 5
! #define NS_RELEASE_SERIAL 1
#define NS_VERSION_NUM (NS_MAJOR_VERSION * 10000 \
+ NS_MINOR_VERSION * 100 \
+ NS_RELEASE_SERIAL)
#define NS_VERSION "4.5"
! #define NS_PATCH_LEVEL "4.5.1"
#define NS_ALPHA_RELEASE 0
--- 42,51 ----
#define NS_MAJOR_VERSION 4
#define NS_MINOR_VERSION 5
! #define NS_RELEASE_SERIAL 2
#define NS_VERSION_NUM (NS_MAJOR_VERSION * 10000 \
+ NS_MINOR_VERSION * 100 \
+ NS_RELEASE_SERIAL)
#define NS_VERSION "4.5"
! #define NS_PATCH_LEVEL "4.5.2"
#define NS_ALPHA_RELEASE 0
From: Jeff R. <dv...@us...> - 2011-10-13 23:42:26
Update of /cvsroot/aolserver/aolserver/nsd
In directory vz-cvs-4.sog:/tmp/cvs-serv17891/nsd
Modified Files:
driver.c nsd.h
Log Message:
add tuning tweak and config variable to let
driver accept more than one connection per spin.
SF RFE #1014273
Index: driver.c
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/driver.c,v
retrieving revision 1.63
retrieving revision 1.64
diff -C2 -d -r1.63 -r1.64
*** driver.c 11 Oct 2011 08:03:27 -0000 1.63
--- driver.c 13 Oct 2011 23:42:24 -0000 1.64
***************
*** 410,413 ****
--- 410,417 ----
}
drvPtr->keepwait = _MAX(n, 0); /* NB: 0 for no keepalive. */
+ if (!Ns_ConfigGetInt(path, "maxaccept", &n)) {
+ n = 10; /* accept up to 10 connections per driver spin */
+ }
+ drvPtr->maxaccept = _MAX(n, 0); /* NB: 0 for no max. */
if (!Ns_ConfigGetInt(path, "maxreaders", &n) || n < 1) {
n = 10; /* Max of 10 threads for non-event driven I/O. */
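Review bot: A negative `maxaccept` from the config is clamped to 0 on the new `drvPtr->maxaccept = _MAX(n, 0);` line, and 0 means no limit, so a misconfigured `-1` silently removes the per-spin bound instead of being rejected. Treating a negative value like the `maxreaders` check two lines down, `if (!Ns_ConfigGetInt(path, "maxaccept", &n) || n < 0) {`, falls back to the default of 10 and keeps an invalid setting from disabling the cap. The enclosing function begins outside the hunk.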
***************
*** 1335,1344 ****
*/
! if (!stop && lidx >= 0 && PollIn(&pdata, lidx)
! && ((sockPtr = SockAccept(lsock, drvPtr)) != NULL)) {
! sockPtr->acceptTime = now;
! sockPtr->connPtr = AllocConn(drvPtr, &now, sockPtr);
! SockWait(sockPtr, &now, drvPtr->recvwait, &waitPtr);
! ++drvPtr->stats.accepts;
}
--- 1339,1352 ----
*/
! if (!stop && lidx >= 0 && PollIn(&pdata, lidx)) {
! int naccept = 0;
! while (drvPtr->freeSockPtr != NULL &&
! (drvPtr->maxaccept == 0 || naccept++ < drvPtr->maxaccept) &&
! (sockPtr = SockAccept(lsock, drvPtr)) != NULL) {
! sockPtr->acceptTime = now;
! sockPtr->connPtr = AllocConn(drvPtr, &now, sockPtr);
! SockWait(sockPtr, &now, drvPtr->recvwait, &waitPtr);
! ++drvPtr->stats.accepts;
! }
}
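Review bot: The new loop calls `SockAccept` repeatedly per poll wakeup, which is only safe if `lsock` is non-blocking: with a blocking listen socket the first `accept()` after the pending queue is drained would stall the whole driver thread until the next client arrives, whereas the old single accept was always preceded by a `PollIn` readiness check. Whether the listen socket is set non-blocking is outside this hunk and worth confirming, with a comment on the `while` such as `/* lsock must be non-blocking: later accepts in this loop are not guarded by poll. */`. With `maxaccept` 0 the loop is bounded only by `freeSockPtr`, so a burst of connections can hold the driver in accept until the free-socket pool is exhausted, delaying service of already-accepted sockets in the same poll set; the default of 10 avoids that, so noting that 0 trades fairness for accept throughput would help operators choose. The enclosing function begins outside the hunk.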
Index: nsd.h
===================================================================
RCS file: /cvsroot/aolserver/aolserver/nsd/nsd.h,v
retrieving revision 1.125
retrieving revision 1.126
diff -C2 -d -r1.125 -r1.126
*** nsd.h 11 Oct 2011 08:03:27 -0000 1.125
--- nsd.h 13 Oct 2011 23:42:24 -0000 1.126
***************
*** 322,325 ****
--- 322,326 ----
int port; /* Port in location. */
int backlog; /* listen() backlog. */
+ int maxaccept; /* connections to accept per spin. */
int maxline; /* Maximum request line length to read. */
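Review bot: The comment on the new `maxaccept` field does not record the sentinel that driver.c relies on in the same commit, where 0 disables the bound; `int maxaccept; /* Max connections to accept per driver spin; 0 = no limit. */` keeps that contract next to the declaration.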