From 1ebfa49b02426fdf5516c0618a8ab9f8a3210744 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Mon, 15 Apr 2024 09:03:50 +0100
Subject: [PATCH] mod_ssl: add DH param handling fix (r1916863)

---
 httpd-2.4.59-r1916863.patch | 54 +++++++++++++++++++++++++++++++++++++
 httpd.spec | 6 ++++-
 pullrev.sh | 4 +--
 3 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 httpd-2.4.59-r1916863.patch

diff --git a/httpd-2.4.59-r1916863.patch b/httpd-2.4.59-r1916863.patch
new file mode 100644
index 0000000..162662c
--- /dev/null
+++ b/httpd-2.4.59-r1916863.patch
@@ -0,0 +1,54 @@
+# ./pullrev.sh 1916863
+http://svn.apache.org/viewvc?view=revision&revision=1916863
+
+Upstream-Status: in trunk, not proposed for 2.4.x
+
+--- httpd-2.4.59/modules/ssl/ssl_engine_init.c
++++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@
+ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+ int i;
+ EVP_PKEY *pkey;
++ int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+ EC_GROUP *ecgroup = NULL;
+ int curve_nid = 0;
+@@ -1591,14 +1592,14 @@
+ */
+ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+ if (certfile && !modssl_is_engine_id(certfile)) {
+- int done = 0, num_bits = 0;
++ int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh = modssl_dh_from_file(certfile);
+ if (dh) {
+ num_bits = DH_bits(dh);
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+ DH_free(dh);
+- done = 1;
++ custom_dh_done = 1;
+ }
+ #else
+ pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@
+ EVP_PKEY_free(pkey);
+ }
+ else {
+- done = 1;
++ custom_dh_done = 1;
+ }
+ }
+ #endif
+- if (done) {
++ if (custom_dh_done) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+ "Custom DH parameters (%d bits) for %s loaded from %s",
+ num_bits, vhost_id, certfile);
+ }
+ }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+- else {
++ if (!custom_dh_done) {
+ /* If no parameter is manually configured, enable auto
+ * selection. */
+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
diff --git a/httpd.spec b/httpd.spec
index 7bb8b5a..864c8b7 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -24,7 +24,7 @@ Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.59
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
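Review bot: In the pre-3.0 branch of the second inner hunk (`#if OPENSSL_VERSION_NUMBER < 0x30000000L`), the new `custom_dh_done = 1;` is set without looking at the return of `SSL_CTX_set_tmp_dh()`, which returns 1 on success; if OpenSSL rejects the group, the later `if (!custom_dh_done)` also skips `SSL_CTX_set_dh_auto()`, leaving the context with neither custom nor auto DH parameters, so I would write `custom_dh_done = (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh) == 1);` and keep `DH_free(dh);` after it. The OpenSSL 3 branch has the opposite trait: turning the `else` into `if (!custom_dh_done)` means a certificate file whose DH parameters were rejected (the branch ending in `EVP_PKEY_free(pkey);`, whose head is outside the hunk) now falls back to auto-selected groups, which is acceptable only if that branch logs the failure at a level an operator will notice, so please confirm it does. The hoisted variable carries no comment explaining why it outlives the `if (certfile ...)` block; `int custom_dh_done = 0; /* custom DH params loaded from certfile; else enable auto DH below */` would do. The enclosing function starts and ends outside the hunk.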
@@ -101,6 +101,7 @@ Patch37: httpd-2.4.54-selinux.patch
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
+Patch61: httpd-2.4.59-r1916863.patch
 # Security fixes
 # Patch200: ...
@@ -824,6 +825,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Mon Apr 15 2024 Joe Orton - 2.4.59-2
+- mod_ssl: add DH param handling fix (r1916863)
+
 * Fri Apr 5 2024 Joe Orton - 2.4.59-1
 - update to 2.4.59
diff --git a/pullrev.sh b/pullrev.sh
index 7ace161..f21a7fb 100755
--- a/pullrev.sh
+++ b/pullrev.sh
@@ -6,8 +6,8 @@ if [ $# -lt 1 ]; then
 fi
 repo="https://svn.apache.org/repos/asf/httpd/httpd/trunk"
-repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x"
-ver=2.4.58
+#repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x"
+ver=2.4.59
 prefix="httpd-${ver}"
 suffix="${SUFFIX:-r$1${2:++}}"
 fn="${prefix}-${suffix}.patch"
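Review bot: `Patch61:` is declared in the `@@ -101` hunk, but the diff adds no matching application of it in `%prep`, which lies outside the hunk; if this spec applies patches with individual `%patch` lines rather than `%autopatch`/`%autosetup`, the new patch is never applied and the package ships without the fix despite the changelog entry. Please confirm `%prep` picks it up, e.g. `%patch -P 61 -p1 -b .r1916863` next to the existing Patch60 application. It would also help to carry the patch header's `Upstream-Status: in trunk, not proposed for 2.4.x` as a comment above `Patch61:`, since a trunk-only backport needs re-checking at each rebase.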
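Review bot: `ver=2.4.58` had already drifted from the spec's `Version: 2.4.59` before this commit, which the `-ver=2.4.58`/`+ver=2.4.59` pair in the pullrev.sh hunk corrects by hand; deriving it from the spec, e.g. `ver=$(sed -n 's/^Version: *//p' httpd.spec)`, would stop the two from diverging again and producing mis-named patch files. Selecting the branch by commenting out the second `repo=` assignment is fragile for the same reason, since the first assignment is dead code whenever the line is uncommented; a default in the style of the existing `SUFFIX` line, `repo="${REPO:-https://svn.apache.org/repos/asf/httpd/httpd/trunk}"`, keeps the 2.4.x URL usable without editing the script.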