mod_ssl: add DH param handling fix (r1916863)

httpd-2.4.59-r1916863.patch

@@ -0,0 +1,54 @@
+# ./pullrev.sh 1916863
+http://svn.apache.org/viewvc?view=revision&revision=1916863
+
+Upstream-Status: in trunk, not proposed for 2.4.x
+
+--- httpd-2.4.59/modules/ssl/ssl_engine_init.c
++++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@
+     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+     int i;
+     EVP_PKEY *pkey;
++    int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+     EC_GROUP *ecgroup = NULL;
+     int curve_nid = 0;
+@@ -1591,14 +1592,14 @@
+      */
+     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+     if (certfile && !modssl_is_engine_id(certfile)) {
+-        int done = 0, num_bits = 0;
++        int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+         DH *dh = modssl_dh_from_file(certfile);
+         if (dh) {
+             num_bits = DH_bits(dh);
+             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+             DH_free(dh);
+-            done = 1;
++            custom_dh_done = 1;
+         }
+ #else
+         pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@
+                 EVP_PKEY_free(pkey);
+             }
+             else {
+-                done = 1;
++                custom_dh_done = 1;
+             }
+         }
+ #endif
+-        if (done) {
++        if (custom_dh_done) {
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+                          "Custom DH parameters (%d bits) for %s loaded from %s",
+                          num_bits, vhost_id, certfile);
+         }
+     }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+-    else {
++    if (!custom_dh_done) {
+         /* If no parameter is manually configured, enable auto
+          * selection. */
+         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);

httpd.spec

@@ -24,7 +24,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.59
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -101,6 +101,7 @@ Patch37: httpd-2.4.54-selinux.patch
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
+Patch61: httpd-2.4.59-r1916863.patch
 
 # Security fixes
 # Patch200: ...
@@ -824,6 +825,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Mon Apr 15 2024 Joe Orton <jorton@redhat.com> - 2.4.59-2
+- mod_ssl: add DH param handling fix (r1916863)
+
 * Fri Apr  5 2024 Joe Orton <jorton@redhat.com> - 2.4.59-1
 - update to 2.4.59
 

pullrev.sh

@@ -6,8 +6,8 @@ if [ $# -lt 1 ]; then
 fi
 
 repo="https://svn.apache.org/repos/asf/httpd/httpd/trunk"
-repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x"
-ver=2.4.58
+#repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x"
+ver=2.4.59
 prefix="httpd-${ver}"
 suffix="${SUFFIX:-r$1${2:++}}"
 fn="${prefix}-${suffix}.patch"