- create default dummy cert in /etc/pki/tls

- use a pseudo-random serial number on the dummy cert
- change default ssl.conf to point at /etc/pki/tls
- merge back -suexec subpackage; SELinux policy can now be used to
    persistently disable suexec (#155716)
- drop /etc/httpd/conf/ssl.* directories and Makefiles
- unconditionally enable PIE support
- mod_ssl: fix for picking up -shutdown options (upstream #34452)
This commit is contained in:
jorton 2005-04-25 21:35:08 +00:00
parent 98f24d7e8c
commit 06872c83d1
2 changed files with 33 additions and 72 deletions


@ -7,7 +7,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.0.54 Version: 2.0.54
Release: 4 Release: 5
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html Source1: index.html
@ -21,8 +21,6 @@ Source10: httpd.conf
Source11: ssl.conf Source11: ssl.conf
Source12: welcome.conf Source12: welcome.conf
Source13: manual.conf Source13: manual.conf
Source14: mod_ssl-Makefile.crt
Source15: mod_ssl-Makefile.crl
# Documentation # Documentation
Source30: migration.xml Source30: migration.xml
Source31: migration.css Source31: migration.css
@ -49,6 +47,7 @@ Patch27: httpd-2.0.48-sslpphrase.patch
Patch28: httpd-2.0.48-worker.patch Patch28: httpd-2.0.48-worker.patch
Patch29: httpd-2.0.48-workerhup.patch Patch29: httpd-2.0.48-workerhup.patch
Patch30: httpd-2.0.48-davmisc.patch Patch30: httpd-2.0.48-davmisc.patch
Patch31: httpd-2.0.54-ssltrans.patch
# Features/functional changes # Features/functional changes
Patch70: httpd-2.0.48-release.patch Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch Patch71: httpd-2.0.40-xfsz.patch
@ -75,7 +74,7 @@ BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0, BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
BuildRequires: zlib-devel BuildRequires: zlib-devel
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
Requires: httpd-suexec Obsoletes: httpd-suexec
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
Prereq: sh-utils, textutils, /usr/sbin/useradd Prereq: sh-utils, textutils, /usr/sbin/useradd
Provides: webserver Provides: webserver
@ -120,7 +119,7 @@ Group: System Environment/Daemons
Summary: SSL/TLS module for the Apache HTTP server Summary: SSL/TLS module for the Apache HTTP server
Epoch: 1 Epoch: 1
BuildRequires: openssl-devel, distcache-devel BuildRequires: openssl-devel, distcache-devel
Prereq: openssl, dev, /bin/cat Requires(pre): openssl >= 0.9.7f-4, dev, /bin/cat
Requires: httpd = %{version}-%{release}, make, httpd-mmn = %{mmn} Requires: httpd = %{version}-%{release}, make, httpd-mmn = %{mmn}
Obsoletes: stronghold-mod_ssl Obsoletes: stronghold-mod_ssl
@ -129,22 +128,13 @@ The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols. Security (TLS) protocols.
%package suexec
Group: System Environment/Daemons
Summary: suexec binary for the Apache HTTP server
Requires(pre): httpd = %{version}-%{release}
%description suexec
This package includes the /usr/sbin/suexec binary which can be installed
to allow the Apache HTTP server to run CGI programs (and any programs
executed by SSI pages) as a user other than the 'apache' user.
%prep %prep
%setup -q %setup -q
%patch1 -p1 -b .apctl %patch1 -p1 -b .apctl
%patch2 -p1 -b .apxs %patch2 -p1 -b .apxs
%patch3 -p1 -b .linkmods %patch3 -p1 -b .linkmods
%patch4 -p1 -b .deplibs %patch4 -p1 -b .deplibs
%patch5 -p1 -b .pie
%patch6 -p1 -b .syspcre %patch6 -p1 -b .syspcre
%patch8 -p1 -b .vpathinc %patch8 -p1 -b .vpathinc
%patch9 -p1 -b .apctlopts %patch9 -p1 -b .apctlopts
@ -161,6 +151,7 @@ executed by SSI pages) as a user other than the 'apache' user.
%patch28 -p1 -b .worker %patch28 -p1 -b .worker
%patch29 -p1 -b .workerhup %patch29 -p1 -b .workerhup
%patch30 -p1 -b .davmisc %patch30 -p1 -b .davmisc
%patch31 -p1 -b .ssltrans
%patch71 -p0 -b .xfsz %patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod %patch72 -p1 -b .pod
@ -194,15 +185,6 @@ if test "x${vmmn}" != "x%{mmn}"; then
exit 1 exit 1
fi fi
# Conditionally enable PIE support
if echo 'static int foo[30000]; int main () { return 0; }' |
gcc -pie -fpie -O2 -xc - -o pietest &&
./pietest; then
%patch5 -p1 -b .pie
: PIE support enabled
else
: WARNING: PIE support not enabled
fi
: Building for '%{distro}' with MMN %{mmn} and vendor string '%{vstring}' : Building for '%{distro}' with MMN %{mmn} and vendor string '%{vstring}'
@ -310,16 +292,7 @@ mkdir $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
install -m 644 $RPM_SOURCE_DIR/httpd.sysconf \ install -m 644 $RPM_SOURCE_DIR/httpd.sysconf \
$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/httpd $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/httpd
# mod_ssl bits
for suffix in crl crt csr key prm; do
mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/ssl.${suffix}
done
# Makefiles for certificate management # Makefiles for certificate management
for ext in crt crl; do
install -m 644 $RPM_SOURCE_DIR/mod_ssl-Makefile.${ext} \
$RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/ssl.${ext}/Makefile.${ext}
done
ln -s ../../../usr/share/ssl/certs/Makefile $RPM_BUILD_ROOT/etc/httpd/conf ln -s ../../../usr/share/ssl/certs/Makefile $RPM_BUILD_ROOT/etc/httpd/conf
# for holding mod_dav lock database # for holding mod_dav lock database
@ -445,11 +418,14 @@ if [ $1 = 0 ]; then
/sbin/chkconfig --del httpd /sbin/chkconfig --del httpd
fi fi
%define certdir %{_sysconfdir}/pki/ssl/certs
%define keydir %{_sysconfdir}/pki/ssl/private
%post -n mod_ssl %post -n mod_ssl
umask 077 umask 077
if [ ! -f %{_sysconfdir}/httpd/conf/ssl.key/server.key ] ; then if [ ! -f %{keydir}/localhost.key ] ; then
%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{_sysconfdir}/httpd/conf/ssl.key/server.key 2> /dev/null %{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{keydir}/localhost.key 2> /dev/null
fi fi
FQDN=`hostname` FQDN=`hostname`
@ -457,8 +433,10 @@ if [ "x${FQDN}" = "x" ]; then
FQDN=localhost.localdomain FQDN=localhost.localdomain
fi fi
if [ ! -f %{_sysconfdir}/httpd/conf/ssl.crt/server.crt ] ; then if [ ! -f %{certdir}/localhost.crt ] ; then
cat << EOF | %{_bindir}/openssl req -new -key %{_sysconfdir}/httpd/conf/ssl.key/server.key -x509 -days 365 -out %{_sysconfdir}/httpd/conf/ssl.crt/server.crt 2>/dev/null cat << EOF | %{_bindir}/openssl req -new -key %{keydir}/localhost.key \
-x509 -days 365 -set_serial $RANDOM \
-out %{certdir}/localhost.crt 2>/dev/null
-- --
SomeState SomeState
SomeCity SomeCity
@ -517,6 +495,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/httpd.worker %{_sbindir}/httpd.worker
%{_sbindir}/apachectl %{_sbindir}/apachectl
%{_sbindir}/rotatelogs %{_sbindir}/rotatelogs
%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec
%dir %{_libdir}/httpd %dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules %dir %{_libdir}/httpd/modules
@ -541,7 +520,6 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man?/* %{_mandir}/man?/*
%exclude %{_mandir}/man8/apxs.8* %exclude %{_mandir}/man8/apxs.8*
%exclude %{_mandir}/man8/suexec.8*
%files manual %files manual
%defattr(-,root,root) %defattr(-,root,root)
@ -552,9 +530,6 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root) %defattr(-,root,root)
%{_libdir}/httpd/modules/mod_ssl.so %{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf %config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
%attr(0700,root,root) %dir %{_sysconfdir}/httpd/conf/ssl.*
%config %{_sysconfdir}/httpd/conf/Makefile
%config %{_sysconfdir}/httpd/conf/ssl.*/*
%attr(0700,apache,root) %dir %{_localstatedir}/cache/mod_ssl %attr(0700,apache,root) %dir %{_localstatedir}/cache/mod_ssl
%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.dir %attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.dir
%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.pag %attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.pag
@ -571,12 +546,17 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/httpd/build/instdso.sh %{_libdir}/httpd/build/instdso.sh
%{_libdir}/httpd/build/libtool %{_libdir}/httpd/build/libtool
%files suexec
%defattr(-,root,root)
%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec
%{_mandir}/man8/suexec.8*
%changelog %changelog
* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 2.0.54-5
- create default dummy cert in /etc/pki/tls
- use a pseudo-random serial number on the dummy cert
- change default ssl.conf to point at /etc/pki/tls
- merge back -suexec subpackage; SELinux policy can now be
used to persistently disable suexec (#155716)
- drop /etc/httpd/conf/ssl.* directories and Makefiles
- unconditionally enable PIE support
- mod_ssl: fix for picking up -shutdown options (upstream #34452)
* Mon Apr 18 2005 Joe Orton <jorton@redhat.com> 2.0.54-4 * Mon Apr 18 2005 Joe Orton <jorton@redhat.com> 2.0.54-4
- replace PreReq with Requires(pre) - replace PreReq with Requires(pre)
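Review bot: The new `%define certdir %{_sysconfdir}/pki/ssl/certs` and `%define keydir %{_sysconfdir}/pki/ssl/private` lines in the `@ -445,11 +418,14` hunk send the generated dummy key and certificate to /etc/pki/ssl, while the commit message and the new ssl.conf defaults (SSLCertificateFile /etc/pki/tls/certs/localhost.crt, SSLCertificateKeyFile /etc/pki/tls/private/localhost.key) read from /etc/pki/tls, so on a fresh install mod_ssl would look for a certificate that %post never created. Unless /etc/pki/ssl is a compatibility symlink provided by the openssl >= 0.9.7f-4 dependency, which is not visible here, the defines should read `%define certdir %{_sysconfdir}/pki/tls/certs` and `%define keydir %{_sysconfdir}/pki/tls/private`. The `-set_serial $RANDOM` in the following hunk draws a 15-bit value (0-32767), which is fine for varying a self-signed placeholder but is neither unique nor unpredictable; a comment such as `# $RANDOM only varies the serial of the self-signed placeholder; not a unique serial` would stop a later maintainer from treating it as one. The %files mod_ssl hunk drops the old `%config %{_sysconfdir}/httpd/conf/ssl.*/*` entries without adding `%ghost` entries for the new localhost.crt/localhost.key, so the files %post generates are left unowned by the package and survive removal.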


@ -107,21 +107,16 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# Server Certificate: # Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If # Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a # the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test # pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated with `make certificate' under # certificate can be generated using the genkey(1) command.
# built time. Keep in mind that if you've both a RSA and a DSA SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
# Server Private Key: # Server Private Key:
# If the key is not combined with the certificate, use this # If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if # directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure # you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.) # both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
# Server Certificate Chain: # Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the # Point SSLCertificateChainFile at a file containing the
@ -130,27 +125,13 @@ SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# the referenced file can be the same as SSLCertificateFile # the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server # when the CA certificates are directly appended to the server
# certificate for convinience. # certificate for convinience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA): # Certificate Authority (CA):
# Set the CA certificate verification path where to find CA # Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one # certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded) # huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
# Client Authentication (Type): # Client Authentication (Type):
# Client certificate verification type and depth. Types are # Client certificate verification type and depth. Types are
@ -202,7 +183,7 @@ SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# o OptRenegotiate: # o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL # This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context. # directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</Files> </Files>
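Review bot: The `@ -130,27 +125,13` hunk deletes the whole "Certificate Revocation Lists (CRL)" block, including the commented SSLCARevocationPath/SSLCARevocationFile directives, so the shipped ssl.conf still documents SSLCACertificateFile for client-certificate verification but no longer mentions how revocation is configured for it. Keeping one commented line under a short heading, `#SSLCARevocationFile /etc/pki/tls/certs/ca-bundle.crl`, would preserve discoverability of the option under the new path layout. The new SSLCertificateFile and SSLCertificateKeyFile paths under /etc/pki/tls also have to agree with the certdir/keydir defines in the %post script of httpd.spec in this same commit, which currently write under /etc/pki/ssl.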