                       _             _ 
   _ __ ___   ___   __| |    ___ ___| |  
  | '_ ` _ \ / _ \ / _` |   / __/ __| |  
  | | | | | | (_) | (_| |   \__ \__ \ |  mod_ssl - Apache Interface to SSLeay  
  |_| |_| |_|\___/ \__,_|___|___/___/_|  http://www.engelschall.com/sw/mod_ssl/
                       |_____|         
  _____________________________________________________________________________


  ChangeLog
  ---------

  Changes with mod_ssl 2.0.0

  *) Added "SSL library type" message to the configuration process
     to inform the user how we recognized the SSLeay location.
     [Ralf S. Engelschall]

  *) Added support for conf/sslkeys/ directory both to configure
     script, Makefile.tmpl and default config files. Additionally now on "make
     install" the hash symlinks are created and a dummy server cert file is
     skipped.
     [Ralf S. Engelschall]

  *) Fixed prop.sh script.
     [Ralf S. Engelschall]

  *) Cleaned up mod_ssl.html document for release.
     [Ralf S. Engelschall]

  *) Cleaned up the README file and added a situation report
     about the author conflict with Ben.
     [Ralf S. Engelschall]

  *) Incorporated changes from Apache-SSL 1.19 to 1.20:
     - Do a cleanup before starting gcache.
       [Ben Laurie <ben@algroup.co.uk>]
     - Make gcache die when httpd dies. 
       This failing in previous versions appears to be a bug in Apache. 
       [Ben Laurie <ben@algroup.co.uk>]
     - Document the biz with passphrases and sleep.
       [Ben Laurie <ben@algroup.co.uk>]
     - Do Apache-SSL on inetd connections.
       [Philippe Vanhaesendonck <pvanhaes@be.oracle.com>]
     ALL OTHER CHANGES BETWEEN APACHE-SSL 1.19 AND 1.20 WERE ALREADY DONE FOR
     MOD_SSL IN THE PAST BY Ralf S. Engelschall. Because it seems Ben just has
     drawn level Apache-SSL with the mod_ssl pre-release I sent to him last
     week.  Hmmmm...
     [Ralf S. Engelschall]

  *) Minor cleanups to README and mod_ssl.html file.
     [Ralf S. Engelschall]

  *) Now create the CHANGES.SSL in <apache>/src/ instead of in <apache>/.
     [Ralf S. Engelschall]

  *) Moved patch to a subdir aux/patch/ and added prop.sh for
     a visual process indicator while building the aux tools.
     [Ralf S. Engelschall]

  *) Slightly fixed the configure script's messages.
     [Ralf S. Engelschall]

  *) Added support for checking the Apache version: Now mod_ssl can
     only be applied to the correct matching Apache source tree.
     [Ralf S. Engelschall]

  *) Added configurable support for mod_ssl version strings: Now
     a libssl.version file is created inside src/modules/ssl/ which holds the
     mod_ssl version. From this the libssl.module script creates a
     MOD_SSL_VERSION define holding the value as a string ("X.Y.Z") and a
     MOD_SSL define holding the value with a zero-spaced numerical value
     (XYYZZ). This way the mod_ssl received the string for the Server field
     and other modules can check against certain mod_ssl versions via #ifdef
     or more granular via #if MOD_SSL >= 20000 or whatever.
     [Ralf S. Engelschall]
   
  *) Added support for names to SSLVerifyClient directive: Now the ugly
     numerical levels 0-2 are still valid but can be replaced by better
     readable names: "none", "optional", "require" and "optional_no_ca".
     [Ralf S. Engelschall]

  *) Added Makefile for conf/sslcerts/ directory to keep <hash>.0 
     symlinks up-to-date.
     [Ralf S. Engelschall]

  *) Translated the FAQ into HTML format and appended it to mod_ssl.html.
     Additionally I created a ca.sign script and a Makefile for sslcert/ in
     relation to the FAQ.
     [Ralf S. Engelschall]

  *) Enhanced the logfile support: First I've converted nasty
     fprintf(stderr,..) to ap_log_error() variants. Second I've moved the
     fprintf(pConfig->fileLogfile,...) to ssl_log_own(pConfig,...) calls.  And
     third error messages are now consistently prefixed with "mod_ssl:" and
     "SSLeay:" - depending on where an error comes from. And fourth I've added the
     word "SSL" to a lot of messages to indicate the SSL-relationship.
     Additionally I removed doubled ERR_print_xxx calls.
     [Ralf S. Engelschall]
 
  *) Cleaned up namespace by adding lots of `static's, so only the
     module structure and the SSL_HOOK_xxx symbols are now exported.
     [Ralf S. Engelschall]
  
  *) Fixed up Apache API structures for Apache 1.3: added MODULE_VAR_EXPORT for
     consistency and missing module structure dispatch pointers.
     [Ralf S. Engelschall]
      
  *) Completely renamed the functions to use common prefixes which
     indicate their relationship and ordered the functions according to this
     relationship. Additionally a complete list of prototypes is now provided
     in mod_ssl.h. The order of functions now reflects the logical order when
     one wants to review the module: 1. API structures, 2. config handling, 3.
     directive handling, 4. init functions, 5. API hooks, 6. internals, 7.
     caching support, 8. logfile support and 9. utility functions.
     Additionally I cleaned up the namespace of global data symbols:
     They now all have the prefix "g_": bFirstTime -> g_bFirstTime,
     szCacheServerPort -> g_szCacheServerPort, szCacheServerPath ->
     g_szCacheServerPath, s_pServer -> g_pServer.
     [Ralf S. Engelschall]
 
  *) Now all stuff for SSLeay < 0.8.0 is removed because an #error was
     already given and there is no real need to support these versions any
     longer. As a consequence we now also could remove the CACHE_SESSIONS
     #ifdef mess because this was enabled for >= 0.8.0 since a long time.
     [Ralf S. Engelschall]
 
  *) Cleaned up the mess inside ap_config.h where TRUE, FALSE and BOOL
     were globally defined even when they were only used by mod_ssl.  Now all
     stuff mod_ssl needs is inside mod_ssl.h and not spread over the Apache
     sources without need. I've also cleaned up the "uchar" definition because
     this was defined only by coincidence. I've also replaced ugly
     return 0's with return FALSE and -1 by UNSET when the context was the one
     for UNSET (like for VerifyType). Additionally I replaced some incorrect
     declarations (extern uid_t ap_user_id) by including the correct header
     file (http_config_globals.h). In the same spirit for cleanness I've
     replaced the numerical filedescriptor numbers by the STDXX_FILENO aliases.
     [Ralf S. Engelschall]

  *) Fixed a nasty bug: When a startup error occurred an exit() was done.
     But an already started ssl_gcache program was not terminated because the
     exit() doesn't give Apache a chance to cleanup the pools (where the
     program is registered). Fixed by adding a bunch of ap_clear_pool() calls
     before the exit() calls. Additionally some more missing exit()'s were
     added to config checks. And last but not least a termination message is
     now created by ssl_gcache when it is terminated so one now sees both the
     start and the termination of ssl_gcache program in the logfiles.
     [Ralf S. Engelschall]

  *) Replaced various sprintf()'s by the more safe and correct ap_snprintf()
     variants. Same for fopen() and ap_pfopen() and other such functions.
     [Ralf S. Engelschall]

  *) Prefixed all SSLeay function calls with __SSLeay to mark them
     for reviewing. I'm still not happy with this long and ugly reading prefix
     but need to use an initial one which doesn't conflict. Additionally
     I've then grep'ed out all __SSLeay prefixed symbols, sorted them by
     group and inserted them into a README which can help identifying the
     used SSLeay API functions. The whole intent is just to make reviewing
     of the code easier, because this is really important for
     security related sources.
     [Ralf S. Engelschall]
 
  *) A lot of various minor cleanups and fixes: For instance I've corrected the
     directive descriptions, added some descriptive source comments, etc.
     Really too many of these minor cleanups to write them down, sorry.
     [Ralf S. Engelschall]

  *) Added an FAQ file, assembled from some information found
     on www.apache-ssl.org
     [Ralf S. Engelschall, Ben Laurie <ben@algroup.co.uk>]

  *) Incorporated the changes between Apache-SSL 1.18-1.19
     [Ben Laurie <ben@algroup.co.uk>]

  *) Added back support for the old Apache 1.2 way of configuring and
     building by placing the SSL_BASE into src/Configuration.tmpl and
     providing steps in INSTALL, too.
     [Ralf S. Engelschall]
 
  *) Added a complete Apache-style mod_ssl.html document which describes all
     mod_ssl directives in detail. I've also painted a nice mod_ssl logo out
     of the old mod_rewrite logo parts and a safety lock which secures the
     feather. The SSLeay logo is also part of the document to give credit.
     [Ralf S. Engelschall]

  *) Added a `configure' frontend script for easy applying the mod_ssl
     source extension and patches to the Apache source tree. It also can
     replace APACI's configure script by running it in the background.
     Additionally a slightly changed GNU patch 2.1 tool is distributed under
     aux/ subdir to make sure the source patching works reliably because
     newer patches have problems with the apache.diff file and some systems
     have no "patch" at all.
     [Ralf S. Engelschall]

  *) Split definitions from mod_ssl.c into own mod_ssl.h and converted all
     source files to the Apache coding styles to be consistent with the
     officially distributed Apache sources.
     [Ralf S. Engelschall]

  *) Generation of a certificate is supported via top-level "make
     certificate" which correctly finds SSLeay both when SSLeay tree is the
     source tree or the installed tree.
     [Ralf S. Engelschall]

  *) Added SSLNeedsSSL to config files and cleaned up the
     SSL-related stuff at the end of httpd.conf-dist.
     [Ralf S. Engelschall]

  *) Out-of-the-box installation for a SSL-aware Apache is provided by
     automatically installing the certificate and the ssl_gcache program.
     Additionally the SSL-related directives in the extended httpd.conf file
     are adjusted, so one immediately can fire up an SSL-aware httpd.
     [Ralf S. Engelschall]

  *) The name of the binary is now again "httpd" instead of the "httpsd"
     because "httpsd" reads ugly and confuses APACI. And there is no real
     need to distinguish between them, because one still can compile a
     standard Apache even after mod_ssl was applied to the Apache source
     tree. Or why isn't everybody using httppd just because mod_perl is
     built in? Bingo!
     [Ralf S. Engelschall]

  *) Added Apache 1.3 Autoconf-style Interface (APACI) support to
     automatically enable the SSL module via --enable-module=ssl.  This also
     triggers the MOD_PERL define, so without this APACI option you still
     can build a standard Apache.
     [Ralf S. Engelschall]

  *) Use the official Apache 1.3 way of adding strings to the
     HTTP Server header: via ap_add_version_component() instead of patching
     the defines in httpd.h.  Additionally it now creates a header like
     ``Server: Apache/1.3.1-dev (Unix) mod_ssl/2.0.0 SSLeay/0.9.0a'' i.e.
     SSLeay is part of the Server header. Because SSLeay's version is more
     important than mod_ssl's.
     [Ralf S. Engelschall]

  *) Removed all broken parts in the original Ben-SSL patch, for instance
     incorrectly added newlines, incorrectly moved SecureWare, etc.
     [Ralf S. Engelschall]

  *) Removed nasty terminal messages like "Skip first time initialization",
     "Launching ....", etc. These can be enabled in the future by using the
     ap_log_error stuff.
     [Ralf S. Engelschall]

  *) Fixed incorrect log_ssl_info prototypes in mod_log_config.c from
     Ben-SSL patch and fixed minor other things.
     [Ralf S. Engelschall]

  *) Cleaned up mod_ssl.c (formerly apache_ssl.c): removed unused variables
     mod_ssl.c, added prototypes, moved extern prototypes. Actually I've
     made it run quietly through ``gcc -Wall -Wshadow -Wpointer-arith
     -Wcast-align -Wmissing-prototypes -Wmissing-declarations
     -Wnested-externs -Winline'', etc.
     [Ralf S. Engelschall]

  *) Renamed apache_ssl.c to mod_ssl.c for consistency and also
     to avoid problems inside APACI. Additionally the APACHE_SSL define was
     renamed to MOD_SSL which is also consistent with the behaviour of
     mod_perl which uses MOD_PERL.
     [Ralf S. Engelschall]

  *) *GENESIS*: Based the complete code on Ben Laurie's latest Apache-SSL
     patch (Ben-SSL) version "apache_1.3.0+ssl_1.18". To avoid confusion and
     to show that it's second generation stuff the mod_ssl version starts
     with 2.0.0. I've merged in all my previous work on Apache-SSL for
     Apache 1.3b, i.e. especially the APACI stuff.
     [Ralf S. Engelschall]
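
  Added example (not part of the mod_ssl sources or its libssl.module
  script): the "X.Y.Z" to XYYZZ encoding described in the "mod_ssl version
  strings" entry above, with a compile-time check of the kind that entry
  mentions. The function names and the hand-written defines are assumptions
  for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the two defines the entry describes; written by hand
 * here (an assumption) so the example compiles without Apache. */
#ifndef MOD_SSL
#define MOD_SSL_VERSION "2.0.0"   /* string form, "X.Y.Z" */
#define MOD_SSL         20000     /* numeric form, XYYZZ  */
#endif

/* Hypothetical helper: encode "X.Y.Z" as the integer XYYZZ.
 * Each part must be one or two decimal digits, so Y and Z cannot spill
 * into the neighbouring field. Returns -1 on any malformed input.
 * The result is a plain integer: a zero-padded literal such as 00112
 * would be read as octal by the C preprocessor. */
long modssl_encode_version(const char *s)
{
    long part[3];
    int i, digits;

    if (s == NULL)
        return -1;
    for (i = 0; i < 3; i++) {
        part[i] = 0;
        for (digits = 0; digits < 3 && *s >= '0' && *s <= '9'; digits++)
            part[i] = part[i] * 10 + (*s++ - '0');
        if (digits < 1 || digits > 2)
            return -1;
        if (*s != (i < 2 ? '.' : '\0'))
            return -1;
        if (i < 2)
            s++;                  /* step over the separating dot */
    }
    return part[0] * 10000L + part[1] * 100L + part[2];
}

/* Hypothetical consumer: how another module can gate on the version. */
const char *modssl_feature_level(void)
{
#if !defined(MOD_SSL)
    return "no mod_ssl";
#elif MOD_SSL >= 20000
    return "mod_ssl 2.x or later";
#else
    return "mod_ssl before 2.0.0";
#endif
}

int main(void)
{
    printf("%s -> %ld, %s\n", MOD_SSL_VERSION,
           modssl_encode_version(MOD_SSL_VERSION), modssl_feature_level());
    return 0;
}
```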

