import httpd-2.4.51-2.el9

2021-12-07 12:52:38 -05:00 · 2021-12-07 12:52:38 -05:00 · 2cc0be78dc
parent c50aa5610e
commit 2cc0be78dc
13 changed files with 299 additions and 242 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/apache-poweredby.png
-SOURCES/httpd-2.4.48.tar.bz2
+SOURCES/httpd-2.4.51.tar.bz2
--- a/.httpd.metadata
+++ b/.httpd.metadata
@ -1,2 +1,2 @@
 3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png
-834876db80fc290e531f0e088d255434828b81b5 SOURCES/httpd-2.4.48.tar.bz2
+d8ae02630f836d7cf60e24f4676e633518f16e2b SOURCES/httpd-2.4.51.tar.bz2
--- a/SOURCES/KEYS
+++ b/SOURCES/KEYS
@ -8756,3 +8756,63 @@ ekJ4VhpVUYgDv8+EzGS9SkgY/DpiyLvPtuhqLXos4ABSwQOEYfG3RhGy7h2B404e
 Ot6BQHeyFl0mtrYT1mI=
 =L7j3
 -----END PGP PUBLIC KEY BLOCK-----
+
+pub   rsa4096 2021-09-01 [SC]
+      26F51EF9A82F4ACB43F1903ED377C9E7D1944C66
+uid        [ ultimativ ] Stefan Eissing (icing) <stefan@eissing.org>
+sub   rsa4096 2021-09-01 [E]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: GPGTools - https://gpgtools.org
+
+mQINBGEvgQMBEADHvUv7G4XclbrRea5S/m0xcV/n4eAOE7UjoDhJurR2NYEA7Ori
+YML3h+Uo0a8Fr7BWdvi9FucaxUbZ7ohbUULBNfFDRpH52ojNnnKaKgtWNbGjz0BJ
+3y9Udlo7jblGXnsO5zDUoQI8t5I3MjrCK3lU5OO0gvMloa8aSl/rQJ4zo5AYx2VN
+Tek0JNcccp5LJaQ31BmoC0ucanBZniQG0CrMKUw6utNoY/6HF2jNVxzBs0VBneA2
+LhIJ/2QKYIEfqTTmmDqeor/Uk3xowEpnAiEe1Y+QKlRkvNs0txekB9XKbW+L6yS8
+yW7VPtAMU4IAA6FKvSOAPWSAuqc0beitZarCw4zCLf5EsluI+r0j4nJ/rCNroiUe
+CNCDx4i5wwV39m0+Dmei3HuXUBqyH1ydDspZdgSGacLqUOsj7M+v+lpWiWEgbEo8
+w1jeQ9mn+Juj73QLR3bmUxjTe8acTl22/FGKndMcNf+pawLh51NvqmOPGOX+w+Ul
+jWIVG6nTCBZB3OACk8to16YMgw8NfK38VHM76YpMOJwgEk+kqljDU0vvI1LIxoT/
+BHyup3Bf2scPPKhe7U47+WBz2f2FC9ZQdlm7VhMYWhGfiilY+SkAHGIto6KEeavv
+O5lo2ziOqsotQeYSN/2nyWLcayC5dQxmZJoo1VvjibRm/GkDGLTmc0wEcwARAQAB
+tCtTdGVmYW4gRWlzc2luZyAoaWNpbmcpIDxzdGVmYW5AZWlzc2luZy5vcmc+iQJO
+BBMBCgA4FiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmEvgQMCGwMFCwkIBwMFFQoJ
+CAsFFgIDAQACHgECF4AACgkQ03fJ59GUTGaH/g//XHeDFajXzOuebcvVf6iQKUMS
+WYlV/GO2f27ZutNv1nFmD6zvlOZ6yr+JANoMAK9iXK6K/R8fYlL1LzkJvCS4V0i3
+fnbZto3bd2Eiyitvs0ppj1c6GLOU5EtWLHsa3l1/X7EGjY9yOguqk168wLwMOXpy
+YXGOzdqUxrep91kE4Z3y3YflcRm+3Fvi4dARnjAZguiMvbOLaiEHZ4jDDcckxQr3
+9uOWpq7OYY07PvemqCJyczVkzEKxDj7hm62p9HvoJB/KwTFkYW1aLfB8fd834iEc
+6DoF17V8DoPMoU1kLRdcVDEsJPpFFEBF3pn2cmi+oOryRrSK1Rbo+HHQyFqo3D01
+9/svYZHRXnXhRbfBd45/qYaJOeq4tqo572Lv2LFDkuZ6S3rJ1qgVPSvSHL7kkOxh
+/x2zRujXzgdVorjXLYw6LfkCHzaevd/DVycHh6d5ctfiTSEsy3JVp+XKK94r8Rb
+e9ybf6whA7tEnuwr0sX5219eYGWw5/awMn8UfMSdrRYQbRdW7Wr8vA+7UMdlY+VI
+51gFBAod11bSi9uMPToXczwYH3OMRnAn04sIp2BOwCwnIW4h+RD71pnZgDMcxiil
+NxhZJYw8w5dvla2v3zxh+oCa+bdP79wHbphNVVWMfhJcnRbQlDiZgoKXdPhU+mcN
+BlyebrE81USOWMS6XXi5Ag0EYS+BAwEQAJ1jce2bjEpG6RNaXkN03GuzB8EOOW4K
+J7t2ZNhX77okMdcUrXcu8DvvDG7okGDtwB+Ql6yWwbJeCIxhyWeeF+TwcZWvBs00
+3uiiZLfissN4pn9198BtxntUVqoc1NKbAudOyAimlCUlDExEhHQQ6PYP7i6xBf/M
+3MZlYyni2ZnMjbsxuNXTN0TR2J53sKCaQvjQjWQwD9N5/0ZivU/uiCuG1Sbn6Wjt
+Xp511g74m0Rio68i12/QVEfMZWhorWDhDxQSPhVWqFC1sChLDHZ/7L1IhzMX0q3W
+xPCK+rBsMSy/SWw5GotrQATIgJLTGQG7tehDWiVDTxCQSrELQoawJdO99g6C+OEL
+m3Z5CnDYVwD4CLPB+DRROaB8UbauvMJZCHMo3OXUALj89ZRpD20h2RQyIkTl37LS
+J9IYM9SxA792ujNoUbdWS/FNIUpopP94jemyaj6qqEBwUGMvIPE0RdsIPdOEcuS3
+3kW9W/bHlWCe8m0CIPbwZFohNGk9+KBalz1CTNnZxB7rvRyLLhzJws9BqtU7X3dy
+J0ZcYHGQJsvU8ZfAM/EUMLbyvUSbnDdNwDDjduO8ZuOWYjg5f/FwSR25k/yGvfUe
+RyiptHnl5c7BMkNaEtfHFVDPOIts6vDVD3K/np9AK7UY58snaMnqFTtxz1munJSX
+C0IXelr+V6hRABEBAAGJAjYEGAEKACAWIQQm9R75qC9Ky0PxkD7Td8nn0ZRMZgUC
+YS+BAwIbDAAKCRDTd8nn0ZRMZqEoD/49MVe/6bW54eh0CG6B07tY1qlkelSv+xfY
+tgZ3V+vZFtLVjo0RYpeP4Yt0ZtpNqZEPnHqwAvD7TZQayNVgo13uK/0aBlAhVtWZ
+54nuItHcwT90u+3Tj5hnHwPptIxSsfRWEAg5BkegQN76c+yhNHWJ5U2H2pG2+YkP
+dXHS89/nbDEi9kZhgtIer9lhmZSgSO2RYzj/QHgLNEor3IGUGAI3u0M2o+dcoVyH
+NJGPRboBzCm8qNDt/3cctQDzFdDA+3X7KbPKekYs3ewuO1l+JtXtnq3S4tkvMDI1
+ZKX0RBydw5w+bksTk6Z7X7nbYmPCeNNBVQUshwQwDXCHPDXd1MxWJHqTz8lOPo70
+fHH0DWTTOw9rNMacUnz7FE0veDcknOZQ4snbHwZkUC4Mg5wM6KOyWgrTW6XK0TSx
+Su1Qou7xKD/A1zgx9C0eIqicnifDUEY9SGfXaJrsJDJICEP0BtmcfsP0Z8DcmzOv
+atfaF/cmJBtSR6IegJYJCtrlFdpIKQSikZO4QP5B3odc0ipuklkJcPkbQhpx+C5x
+O3yU7Izv+cy+yhF+uq8NtWVQx+WCtt4RWqSn6sxtUvTb5qnRbMQtZJ2vbN8+WqTK
+ZNlXGF7PBgjSTJnHmCvaT4gfVnJ/NAwn4stq+bdPnrBSKaDnYGwWpV9g8u+XSpOF
+ebJKIV3Evw==
+=tHCM
+-----END PGP PUBLIC KEY BLOCK-----
+
--- a/SOURCES/apachectl.sh
+++ b/SOURCES/apachectl.sh
@ -15,6 +15,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+###
+### NOTE: This is a replacement version of the "apachectl" script with
+### some differences in behaviour to the version distributed with
+### Apache httpd.  Please read the apachectl(8) man page for more
+### information.
+###
+
 if [ "x$1" = "x-k" ]; then
    shift
 fi
--- a/SOURCES/httpd-2.4.48-r1825120.patch
+++ b/SOURCES/httpd-2.4.48-r1825120.patch
@ -0,0 +1,99 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 4e2e80d..10a2c86 100644
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -2256,51 +2256,6 @@ int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
+     return OK;
+ }
+ 
+-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
+-                                           const X509_NAME * const *b)
+-{
+-    return(X509_NAME_cmp(*a, *b));
+-}
+-
+-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
+-                                server_rec *s, apr_pool_t *ptemp,
+-                                const char *file)
+-{
+-    int n;
+-    STACK_OF(X509_NAME) *sk;
+-
+-    sk = (STACK_OF(X509_NAME) *)
+-             SSL_load_client_CA_file(file);
+-
+-    if (!sk) {
+-        return;
+-    }
+-
+-    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
+-        X509_NAME *name = sk_X509_NAME_value(sk, n);
+-
+-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
+-                     "CA certificate: %s",
+-                     modssl_X509_NAME_to_string(ptemp, name, 0));
+-
+-        /*
+-         * note that SSL_load_client_CA_file() checks for duplicates,
+-         * but since we call it multiple times when reading a directory
+-         * we must also check for duplicates ourselves.
+-         */
+-
+-        if (sk_X509_NAME_find(ca_list, name) < 0) {
+-            /* this will be freed when ca_list is */
+-            sk_X509_NAME_push(ca_list, name);
+-        }
+-        else {
+-            /* need to free this ourselves, else it will leak */
+-            X509_NAME_free(name);
+-        }
+-    }
+-
+-    sk_X509_NAME_free(sk);
+-}
+ 
+ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
+                                           apr_pool_t *ptemp,
+@@ -2324,7 +2279,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
+         }
+         file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
+         if (ca_list) {
+-            ssl_init_PushCAList(ca_list, s, ptemp, file);
+            SSL_add_file_cert_subjects_to_stack(ca_list, file);
+         }
+         if (xi_list) {
+             load_x509_info(ptemp, xi_list, file);
+@@ -2341,19 +2296,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+                                          const char *ca_file,
+                                          const char *ca_path)
+ {
+-    STACK_OF(X509_NAME) *ca_list;
+-
+-    /*
+-     * Start with a empty stack/list where new
+-     * entries get added in sorted order.
+-     */
+-    ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
+    STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
+ 
+     /*
+      * Process CA certificate bundle file
+      */
+     if (ca_file) {
+-        ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
+        SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
+         /*
+          * If ca_list is still empty after trying to load ca_file
+          * then the file failed to load, and users should hear about that.
+@@ -2377,11 +2326,6 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+         return NULL;
+     }
+ 
+-    /*
+-     * Cleanup
+-     */
+-    (void) sk_X509_NAME_set_cmp_func(ca_list, NULL);
+-
+     return ca_list;
+ }
+ 
--- a/SOURCES/httpd-2.4.48-r1869842.patch
+++ b/SOURCES/httpd-2.4.48-r1869842.patch
@ -1,117 +0,0 @@
-# ./pullrev.sh 1869842
-http://svn.apache.org/viewvc?view=revision&revision=1869842
-
--- httpd-2.4.48/modules/ssl/ssl_engine_config.c.r1869842
-+++ httpd-2.4.48/modules/ssl/ssl_engine_config.c
-@@ -75,6 +75,10 @@
-     mc->stapling_refresh_mutex = NULL;
- #endif
- 
-+#ifdef HAVE_OPENSSL_KEYLOG
-+    mc->keylog_file = NULL;
-+#endif
-+
-     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
-                           apr_pool_cleanup_null,
-                           pool);
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1869842
-+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
-@@ -445,6 +445,28 @@
-     init_bio_methods();
- #endif
- 
-+#ifdef HAVE_OPENSSL_KEYLOG
-+    {
-+        const char *logfn = getenv("SSLKEYLOGFILE");
-+
-+        if (logfn) {
-+            rv = apr_file_open(&mc->keylog_file, logfn,
-+                               APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
-+                               APR_FPROT_UREAD|APR_FPROT_UWRITE,
-+                               mc->pPool);
-+            if (rv) {
-+                ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
-+                             "Could not open log file '%s' configured via SSLKEYLOGFILE",
-+                             logfn);
-+                return rv;
-+            }
-+
-+            ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
-+                         "Init: Logging SSL private key material to %s", logfn);
-+        }
-+    }
-+#endif
-+    
-     return OK;
- }
- 
-@@ -806,6 +828,12 @@
-      * https://github.com/openssl/openssl/issues/7178 */
-     SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
- #endif
-+
-+#ifdef HAVE_OPENSSL_KEYLOG
-+    if (mctx->sc->mc->keylog_file) {
-+        SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
-+    }
-+#endif
-     
-     return APR_SUCCESS;
- }
--- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1869842
-+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c
-@@ -2822,3 +2822,17 @@
- }
- 
- #endif /* HAVE_SRP */
-+
-+
-+#ifdef HAVE_OPENSSL_KEYLOG
-+/* Callback used with SSL_CTX_set_keylog_callback. */
-+void modssl_callback_keylog(const SSL *ssl, const char *line)
-+{
-+    conn_rec *conn = SSL_get_app_data(ssl);
-+    SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
-+
-+    if (sc && sc->mc->keylog_file) {
-+        apr_file_printf(sc->mc->keylog_file, "%s\n", line);
-+    }
-+}
-+#endif
--- httpd-2.4.48/modules/ssl/ssl_private.h.r1869842
-+++ httpd-2.4.48/modules/ssl/ssl_private.h
-@@ -252,6 +252,10 @@
- #endif
- #endif
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#define HAVE_OPENSSL_KEYLOG
-+#endif
-+
- /* mod_ssl headers */
- #include "ssl_util_ssl.h"
- 
-@@ -620,6 +624,11 @@
-     apr_global_mutex_t   *stapling_cache_mutex;
-     apr_global_mutex_t   *stapling_refresh_mutex;
- #endif
-+
-+#ifdef HAVE_OPENSSL_KEYLOG
-+    /* Used for logging if SSLKEYLOGFILE is set at startup. */
-+    apr_file_t      *keylog_file;
-+#endif
- } SSLModConfigRec;
- 
- /** Structure representing configured filenames for certs and keys for
-@@ -979,6 +988,11 @@
- int          ssl_callback_SRPServerParams(SSL *, int *, void *);
- #endif
- 
-+#ifdef HAVE_OPENSSL_KEYLOG
-+/* Callback used with SSL_CTX_set_keylog_callback. */
-+void         modssl_callback_keylog(const SSL *ssl, const char *line);
-+#endif
-+
- /**  I/O  */
- void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
- void         ssl_io_filter_register(apr_pool_t *);
--- a/SOURCES/httpd-2.4.48.tar.bz2.asc
+++ b/SOURCES/httpd-2.4.48.tar.bz2.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJSBAABCgA8FiEExVq3uROesiY80aq8GbAz0XYMInsFAmCi3n8eHGNocmlzdG9w
-aGUuamFpbGxldEB3YW5hZG9vLmZyAAoJEBmwM9F2DCJ7jtwP/R/k4OULx5uQFxyN
-cc4yzClTRK1wK3q5RgGyRH6+eYX6tVOtpPTY0pjLuPaOp05gPg0Ega3tIleEMYvq
-q0oX3yzLKvlHUSFmJuZUACeNYp+ekzEa031SXGWXGQQIh5H3PSmMOTEB/o/3NZuY
-zQmHbuSdQspNmOF7P6q+ZeM3ojZBVnXTWabV4dCEMAFV3iseeB3ZeeXOE1dzcXlA
-Z4nslAC+/ZE1q8eZ17P2t/cD2INVO9rbjSqX2VBjoIG/M57rR/1IAGuktyrMohh+
-ZWBBg2ZRpljTWQpMh+V5fd9inxkDr1DYpML+XkZN+FoE6W1TcXiPeFyp6n6blzWN
-EY1lUGCqBuWsX8F1CRQSyNtQWOF0Wn+XHb1WSepCCBBZ0CPr/hEWQlmHDclO0O6R
-w6H1+xEOFRwa8Mpz1qS0N3Q4WyNeEm66ShNGIqBt1sdiUc4/u0aWyXiKjwPWAs2w
-GWOYnej41jgAn6GNXGfRTeQZrP1o0jDylYLJxDGxC+dS7Z7UXo+P8QK6YuSHqrF+
-0oTSgbYKkCLE3+B9MvCzqSRrvx5zk57gqZl1iMhOj85X5Pv4hSpcokoalrhTy+PQ
-q4v3LK4q4hORS+Jz/jvXB+8HTa6D5A0PdOdlQtXOMlAjLc0PMw2QKgfAoq0jaUyV
-Y4Nh8QSEPWiMKNQgsotZon7c6glp
-=h1iL
-----END PGP SIGNATURE-----
--- a/SOURCES/httpd-2.4.51-openssl3.patch
+++ b/SOURCES/httpd-2.4.51-openssl3.patch
@ -1,11 +1,9 @@

 https://github.com/apache/httpd/pull/258

-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 4da24eddcc..5d199cddaf 100644
--- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+--- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3
+++ httpd-2.4.51/modules/ssl/ssl_engine_init.c
+@@ -91,7 +91,6 @@
 
     return 1;
 }
@ -13,7 +11,7 @@ index 4da24eddcc..5d199cddaf 100644
 
 /*
  * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
-@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
+@@ -171,6 +170,7 @@
         
     return NULL; /* impossible to reach. */
 }
@ -21,7 +19,7 @@ index 4da24eddcc..5d199cddaf 100644
 
 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
                                        server_rec *s)
-@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+@@ -440,8 +440,9 @@
 
     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
 
@ -32,19 +30,19 @@ index 4da24eddcc..5d199cddaf 100644
     init_bio_methods();
 #endif
 
-@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+@@ -862,7 +863,11 @@
 {
     SSL_CTX *ctx = mctx->ssl_ctx;
 
 +#if MODSSL_USE_OPENSSL_PRE_1_1_API
+    /* Note that for OpenSSL>=1.1, auto selection is enabled via
+     * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
-+#else
-+    SSL_CTX_set_dh_auto(ctx, 1);
 +#endif
 
     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 
-@@ -843,6 +848,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+@@ -871,6 +876,23 @@
 #endif
 }
 
@ -68,7 +66,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_ctx_verify(server_rec *s,
                                         apr_pool_t *p,
                                         apr_pool_t *ptemp,
-@@ -883,10 +905,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
+@@ -911,10 +933,8 @@
         ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                      "Configuring client authentication");
 
@ -81,7 +79,7 @@ index 4da24eddcc..5d199cddaf 100644
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
                     "Unable to configure verify locations "
                     "for client authentication");
-@@ -971,6 +991,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
+@@ -999,6 +1019,23 @@
     return APR_SUCCESS;
 }
 
@ -105,7 +103,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_ctx_crl(server_rec *s,
                                      apr_pool_t *p,
                                      apr_pool_t *ptemp,
-@@ -1009,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
+@@ -1037,8 +1074,8 @@
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
                  "Configuring certificate revocation facility");
 
@ -116,7 +114,7 @@ index 4da24eddcc..5d199cddaf 100644
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
                      "Host %s: unable to configure X.509 CRL storage "
                      "for certificate revocation", mctx->sc->vhost_id);
-@@ -1239,6 +1276,31 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
+@@ -1267,6 +1304,31 @@
    return 0;
 }
 
@ -148,7 +146,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_server_certs(server_rec *s,
                                           apr_pool_t *p,
                                           apr_pool_t *ptemp,
-@@ -1249,7 +1311,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1277,7 +1339,7 @@
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
     int i;
     X509 *cert;
@ -157,7 +155,7 @@ index 4da24eddcc..5d199cddaf 100644
 #ifdef HAVE_ECC
     EC_GROUP *ecparams = NULL;
     int nid;
-@@ -1344,8 +1406,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1372,8 +1434,7 @@
         }
         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
                                               SSL_FILETYPE_PEM) < 1)
@ -167,13 +165,15 @@ index 4da24eddcc..5d199cddaf 100644
             ssl_asn1_t *asn1;
             const unsigned char *ptr;
 
-@@ -1434,12 +1495,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1462,13 +1523,22 @@
      */
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)
 -        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
 -        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
 +        && (dh = ssl_dh_GetParamFromFile(certfile))) {
+        /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
+         * for OpenSSL 3.0+. */
 +        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                      "Custom DH parameters (%d bits) for %s loaded from %s",
@ -182,9 +182,17 @@ index 4da24eddcc..5d199cddaf 100644
 +                     modssl_DH_bits(dh), vhost_id, certfile);
 +        DH_free(dh);
     }
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+    else {
+        /* If no parameter is manually configured, enable auto
+         * selection. */
+        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
+    }
+#endif
 
 #ifdef HAVE_ECC
-@@ -1490,6 +1551,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
+     /*
+@@ -1518,6 +1588,7 @@
     char buf[TLSEXT_TICKET_KEY_LEN];
     char *path;
     modssl_ticket_key_t *ticket_key = mctx->ticket_key;
@ -192,7 +200,7 @@ index 4da24eddcc..5d199cddaf 100644
 
     if (!ticket_key->file_path) {
         return APR_SUCCESS;
-@@ -1517,11 +1579,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
+@@ -1545,11 +1616,22 @@
     }
 
     memcpy(ticket_key->key_name, buf, 16);
@ -219,7 +227,7 @@ index 4da24eddcc..5d199cddaf 100644
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
                      "Unable to initialize TLS session ticket key callback "
                      "(incompatible OpenSSL version?)");
-@@ -1652,7 +1725,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
+@@ -1680,7 +1762,7 @@
         return ssl_die(s);
     }
 
@ -228,7 +236,7 @@ index 4da24eddcc..5d199cddaf 100644
 
     for (n = 0; n < ncerts; n++) {
         int i;
-@@ -2249,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
+@@ -2277,10 +2359,11 @@
 
     }
 
@ -242,11 +250,9 @@ index 4da24eddcc..5d199cddaf 100644
 
     return APR_SUCCESS;
 }
-diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
-index cabf753790..3db7077f1e 100644
--- a/modules/ssl/ssl_engine_io.c
-+++ b/modules/ssl/ssl_engine_io.c
-@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
+--- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3
+++ httpd-2.4.51/modules/ssl/ssl_engine_io.c
+@@ -194,6 +194,10 @@
 static int bio_filter_out_read(BIO *bio, char *out, int outl)
 {
     /* this is never called */
@ -257,7 +263,7 @@ index cabf753790..3db7077f1e 100644
     return -1;
 }
 
-@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
+@@ -293,12 +297,20 @@
 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
 {
     /* this is never called */
@ -278,7 +284,7 @@ index cabf753790..3db7077f1e 100644
     return -1;
 }
 
-@@ -533,22 +545,47 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
+@@ -533,22 +545,47 @@
 
 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
 {
@ -327,7 +333,7 @@ index cabf753790..3db7077f1e 100644
 }
 
 #if MODSSL_USE_OPENSSL_PRE_1_1_API
-@@ -573,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
+@@ -573,7 +610,7 @@
     bio_filter_in_read,
     bio_filter_in_puts,         /* puts is never called */
     bio_filter_in_gets,         /* gets is never called */
@ -336,11 +342,9 @@ index cabf753790..3db7077f1e 100644
     bio_filter_create,
     bio_filter_destroy,
     NULL
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-index b99dcf19d4..aced92d2d0 100644
--- a/modules/ssl/ssl_engine_kernel.c
-+++ b/modules/ssl/ssl_engine_kernel.c
-@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
+--- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3
+++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c
+@@ -1685,6 +1685,7 @@
 **  _________________________________________________________________
 */
 
@ -348,7 +352,7 @@ index b99dcf19d4..aced92d2d0 100644
 /*
  * Hand out standard DH parameters, based on the authentication strength
  */
-@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
+@@ -1730,6 +1731,7 @@
 
     return modssl_get_dh_params(keylen);
 }
@ -356,7 +360,7 @@ index b99dcf19d4..aced92d2d0 100644
 
 /*
  * This OpenSSL callback function is called when OpenSSL
-@@ -2614,7 +2616,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2614,7 +2616,11 @@
                                unsigned char *keyname,
                                unsigned char *iv,
                                EVP_CIPHER_CTX *cipher_ctx,
@ -369,7 +373,7 @@ index b99dcf19d4..aced92d2d0 100644
                                int mode)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-@@ -2641,7 +2647,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2640,7 +2646,13 @@
         }
         EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ticket_key->aes_key, iv);
@ -384,7 +388,7 @@ index b99dcf19d4..aced92d2d0 100644
 
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
                       "TLS session ticket key for %s successfully set, "
-@@ -2662,7 +2674,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2661,7 +2673,13 @@
 
         EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ticket_key->aes_key, iv);
@ -399,11 +403,9 @@ index b99dcf19d4..aced92d2d0 100644
 
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
                       "TLS session ticket key for %s successfully set, "
-diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
-index 7dbbbdb55e..3b3ceacf0a 100644
--- a/modules/ssl/ssl_engine_log.c
-+++ b/modules/ssl/ssl_engine_log.c
-@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
+--- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3
+++ httpd-2.4.51/modules/ssl/ssl_engine_log.c
+@@ -78,6 +78,16 @@
     return APR_EGENERAL;
 }
 
@ -420,7 +422,7 @@ index 7dbbbdb55e..3b3ceacf0a 100644
 /*
  * Prints the SSL library error information.
  */
-@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
+@@ -87,7 +97,7 @@
     const char *data;
     int flags;
 
@ -429,10 +431,8 @@ index 7dbbbdb55e..3b3ceacf0a 100644
         const char *annotation;
         char err[256];
 
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
-index a6fc7513a2..b091c58c94 100644
--- a/modules/ssl/ssl_private.h
-+++ b/modules/ssl/ssl_private.h
+--- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3
+++ httpd-2.4.51/modules/ssl/ssl_private.h
@@ -89,6 +89,9 @@
 /* must be defined before including ssl.h */
 #define OPENSSL_NO_SSL_INTERN
@ -459,7 +459,7 @@ index a6fc7513a2..b091c58c94 100644
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif
-@@ -674,7 +676,11 @@ typedef struct {
+@@ -681,7 +683,11 @@
 typedef struct {
     const char *file_path;
     unsigned char key_name[16];
@ -471,7 +471,7 @@ index a6fc7513a2..b091c58c94 100644
     unsigned char aes_key[16];
 } modssl_ticket_key_t;
 #endif
-@@ -938,8 +944,16 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+@@ -945,8 +951,16 @@
 int          ssl_callback_ClientHello(SSL *, int *, void *);
 #endif
 #ifdef HAVE_TLS_SESSION_TICKETS
@ -490,7 +490,7 @@ index a6fc7513a2..b091c58c94 100644
 #endif
 
 #ifdef HAVE_TLS_ALPN
-@@ -1112,10 +1126,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
+@@ -1124,10 +1138,12 @@
 
 #endif
 
--- a/SOURCES/httpd-2.4.51-r1877397.patch
+++ b/SOURCES/httpd-2.4.51-r1877397.patch
@ -1,8 +1,8 @@
 diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 699bdcd..15f68f9 100644
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1877397
-+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
-@@ -871,6 +871,13 @@
+index 211ebff..c8cb1af 100644
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -871,6 +871,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
         SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
     }
 #endif
@ -16,7 +16,7 @@ index 699bdcd..15f68f9 100644
     
     return APR_SUCCESS;
 }
-@@ -892,6 +899,14 @@
+@@ -892,6 +899,14 @@ static void ssl_init_ctx_session_cache(server_rec *s,
     }
 }
 
@ -31,8 +31,8 @@ index 699bdcd..15f68f9 100644
 static void ssl_init_ctx_callbacks(server_rec *s,
                                    apr_pool_t *p,
                                    apr_pool_t *ptemp,
-@@ -905,7 +920,13 @@
-     SSL_CTX_set_dh_auto(ctx, 1);
+@@ -905,7 +920,13 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 #endif
 
 -    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
@ -46,9 +46,11 @@ index 699bdcd..15f68f9 100644
 
 #ifdef HAVE_TLS_ALPN
     SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
--- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1877397
-+++ httpd-2.4.48/modules/ssl/ssl_engine_io.c
-@@ -209,11 +209,13 @@
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 79b9a70..3a0c22a 100644
+--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
+@@ -209,11 +209,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
 
     BIO_clear_retry_flags(bio);
 
@ -62,7 +64,7 @@ index 699bdcd..15f68f9 100644
 
     ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
                   "bio_filter_out_write: %i bytes", inl);
-@@ -474,11 +476,13 @@
+@@ -474,11 +476,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
 
     BIO_clear_retry_flags(bio);
 
@ -76,9 +78,11 @@ index 699bdcd..15f68f9 100644
 
     if (!inctx->bb) {
         inctx->rc = APR_EOF;
--- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1877397
-+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c
-@@ -992,7 +992,7 @@
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 591f6ae..8416864 100644
+--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
+@@ -992,7 +992,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
 
             /* Toggle the renegotiation state to allow the new
              * handshake to proceed. */
@ -87,7 +91,7 @@ index 699bdcd..15f68f9 100644
 
             SSL_renegotiate(ssl);
             SSL_do_handshake(ssl);
-@@ -1019,7 +1019,7 @@
+@@ -1019,7 +1019,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
              */
             SSL_peek(ssl, peekbuf, 0);
 
@ -96,7 +100,7 @@ index 699bdcd..15f68f9 100644
 
             if (!SSL_is_init_finished(ssl)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
-@@ -1078,7 +1078,7 @@
+@@ -1078,7 +1078,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
         (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
         int vmode_inplace, vmode_needed;
         int change_vmode = FALSE;
@ -105,7 +109,7 @@ index 699bdcd..15f68f9 100644
 
         vmode_inplace = SSL_get_verify_mode(ssl);
         vmode_needed = SSL_VERIFY_NONE;
-@@ -1180,8 +1180,6 @@
+@@ -1180,8 +1180,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
                 return HTTP_FORBIDDEN;
             }
             
@ -114,7 +118,7 @@ index 699bdcd..15f68f9 100644
             modssl_set_app_data2(ssl, r);
 
             SSL_do_handshake(ssl);
-@@ -1191,7 +1189,6 @@
+@@ -1191,7 +1189,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
              */
             SSL_peek(ssl, peekbuf, 0);
 
@ -122,7 +126,7 @@ index 699bdcd..15f68f9 100644
             modssl_set_app_data2(ssl, NULL);
 
             /*
-@@ -2263,8 +2260,8 @@
+@@ -2263,8 +2260,8 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c,
 /*
  * This callback function is executed while OpenSSL processes the SSL
  * handshake and does SSL record layer stuff.  It's used to trap
@ -133,7 +137,7 @@ index 699bdcd..15f68f9 100644
  */
 void ssl_callback_Info(const SSL *ssl, int where, int rc)
 {
-@@ -2276,14 +2273,12 @@
+@@ -2276,14 +2273,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
         return;
     }
 
@ -154,7 +158,7 @@ index 699bdcd..15f68f9 100644
     {
         SSLConnRec *sslconn;
 
-@@ -2308,6 +2303,7 @@
+@@ -2308,6 +2303,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
             sslconn->reneg_state = RENEG_REJECT;
         }
     }
@ -162,9 +166,11 @@ index 699bdcd..15f68f9 100644
 
     s = mySrvFromConn(c);
     if (s && APLOGdebug(s)) {
--- httpd-2.4.48/modules/ssl/ssl_private.h.r1877397
-+++ httpd-2.4.48/modules/ssl/ssl_private.h
-@@ -512,6 +512,16 @@
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index a329d99..7666c31 100644
+--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
+@@ -512,6 +512,16 @@ typedef struct {
     apr_time_t     source_mtime;
 } ssl_asn1_t;
 
@ -181,7 +187,7 @@ index 699bdcd..15f68f9 100644
 /**
  * Define the mod_ssl per-module configuration structure
  * (i.e. the global configuration for each httpd process)
-@@ -544,18 +554,13 @@
+@@ -543,18 +553,13 @@ typedef struct {
         NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
     } non_ssl_request;
 
@ -207,7 +213,7 @@ index 699bdcd..15f68f9 100644
 
     server_rec *server;
     SSLDirConfigRec *dc;
-@@ -1160,6 +1165,9 @@
+@@ -1158,6 +1163,9 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
  * the configured ENGINE. */
 int modssl_is_engine_id(const char *name);
 
@ -217,9 +223,11 @@ index 699bdcd..15f68f9 100644
 #endif /* SSL_PRIVATE_H */
 /** @} */
 
--- httpd-2.4.48/modules/ssl/ssl_util_ssl.c.r1877397
-+++ httpd-2.4.48/modules/ssl/ssl_util_ssl.c
-@@ -589,3 +589,19 @@
+diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
+index 38079a9..dafb833 100644
+--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
+@@ -589,3 +589,19 @@ cleanup:
     }
     return rv;
 }
--- a/SOURCES/httpd-2.4.51.tar.bz2.asc
+++ b/SOURCES/httpd-2.4.51.tar.bz2.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmFe8kEACgkQ03fJ59GU
+TGatthAAtWzeOD1TCIEvf5f9bAIZDK9vjEEnBZDeYMMrH1wVJGNJm48XP08O/Kbq
+qhvc9201RUwkAtWEUX811ZBAYd5A8lAqetfmIuCSHerYSOU0CbhvBjKsuIJVIKWD
+Wo1uPUDWk068V0HBquQtW6AEB4oo16fKPMEr1aOOxFpR+F806daJN1gt3ubPzkNJ
+rZd4E6dV00eEymeUIfk0BjDqSWKHmUr+08/dtWqc7kGYGcnJzu0e5pr6cc0hOV2o
+mqYm28F7eMSe5JCnAOd1LnnqtOwV81mZLxiAxR40PoFhV7IoBLo0zAJ99AHxJfA2
+9RjCmZ/WYtleeDT7mC1cdATHKOPRaubklzK6Ntf7tMaRIO07hnIfIRXQveKG7h+G
+Og6PGtfR9bwDGrg2f5Dr+R2fwUJO7EL31IxTYQFBUDe2Q82aNIWpdIFdte93nc+S
+HqjWq3w6zq+jdSm3xvyLB0LLSOguXhcjj5VEqV+aExZPASbf+Q8bG51mSbMQhkaq
+fEheFcdhu3Sm0x5xQXvEM3gX5XUr8vmrPWaacayPYfS7MinWukV0hXe5/DoYkFTt
+a1pt6bHcyVfR0tB0Q3bvm59EeaxLVfogb6Eq74RlrfYiCU/Qx7bMUs3tSeIkHGmY
+cNhpxzc/36i4Cf+fBDPKuJroXYV5wFoQmpnXVLAqRd6jWZcOizY=
+=f5dx
+-----END PGP SIGNATURE-----
--- a/SOURCES/httpd.conf
+++ b/SOURCES/httpd.conf
@ -38,8 +38,10 @@ ServerRoot "/etc/httpd"
 # ports, instead of the default. See also the <VirtualHost>
 # directive.
 #
-# Change this to Listen on specific IP addresses as shown below to 
-# prevent Apache from glomming onto all bound IP addresses.
+# Change this to Listen on a specific IP address, but note that if
+# httpd.service is enabled to run at boot time, the address may not be
+# available when the service starts.  See the httpd.service(8) man
+# page for more information.
 #
 #Listen 12.34.56.78:80
 Listen 80
--- a/SOURCES/ssl.conf
+++ b/SOURCES/ssl.conf
@ -23,22 +23,6 @@ SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
 SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout  300

-#   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
-#   SSL library. The seed data should be of good random quality.
-#   WARNING! On some platforms /dev/random blocks if not enough entropy
-#   is available. This means you then cannot use the /dev/random device
-#   because it would lead to very long connection times (as long as
-#   it requires to make more entropy available). But usually those
-#   platforms additionally provide a /dev/urandom device which doesn't
-#   block. So, if available, use this one instead. Read the mod_ssl User
-#   Manual for more details.
-SSLRandomSeed startup file:/dev/urandom  256
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random  512
-#SSLRandomSeed connect file:/dev/random  512
-#SSLRandomSeed connect file:/dev/urandom 512
-
 #
 # Use "SSLCryptoDevice" to enable any supported hardware
 # accelerators. Use "openssl engine -v" to list supported
@ -70,7 +54,7 @@ LogLevel warn
 SSLEngine on

 #   List the protocol versions which clients are allowed to connect with.
-#   The OpenSSL system profile is configured by default.  See
+#   The OpenSSL system profile is used by default.  See
 #   update-crypto-policies(8) for more details.
 #SSLProtocol all -SSLv3
 #SSLProxyProtocol all -SSLv3
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -12,8 +12,8 @@

 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.48
-Release: 17%{?dist}
+Version: 2.4.51
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -76,7 +76,6 @@ Patch25: httpd-2.4.43-selinux.patch
 Patch26: httpd-2.4.43-gettid.patch
 Patch27: httpd-2.4.43-icons.patch
 Patch30: httpd-2.4.43-cachehardmax.patch
-Patch32: httpd-2.4.48-r1869842.patch
 Patch34: httpd-2.4.43-socket-activation.patch
 Patch38: httpd-2.4.43-sslciphdefault.patch
 Patch39: httpd-2.4.43-sslprotdefault.patch
@ -91,6 +90,8 @@ Patch47: httpd-2.4.43-pr37355.patch
 Patch48: httpd-2.4.46-freebind.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950021
 Patch49: httpd-2.4.48-ssl-proxy-chains.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2004143
+Patch50: httpd-2.4.48-r1825120.patch


 # Bug fixes
@ -99,11 +100,11 @@ Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1986822
 # https://bugzilla.redhat.com/show_bug.cgi?id=1976080
-Patch62: httpd-2.4.48-openssl3.patch
+Patch62: httpd-2.4.51-openssl3.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
 Patch64: httpd-2.4.48-full-release.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011
-Patch65: httpd-2.4.48-r1877397.patch
+Patch65: httpd-2.4.51-r1877397.patch


 # Security fixes
@ -242,7 +243,6 @@ written in the Lua programming language.
 %patch26 -p1 -b .gettid
 %patch27 -p1 -b .icons
 %patch30 -p1 -b .cachehardmax
-%patch32 -p1 -b .r1869842
 %patch34 -p1 -b .socketactivation
 %patch38 -p1 -b .sslciphdefault
 %patch39 -p1 -b .sslprotdefault
@ -254,6 +254,7 @@ written in the Lua programming language.
 %patch47 -p1 -b .pr37355
 %patch48 -p1 -b .freebind
 %patch49 -p1 -b .ssl-proxy-chains
+%patch50 -p1 -b .r1825120

 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .htcacheclean-dont-break
@ -806,6 +807,19 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Mon Nov 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-2
+- Resolves: #2005416 - httpd default configuration changes
+
+* Tue Oct 19 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-1
+- new version 2.4.51 (#2011090)
+
+* Fri Sep 17 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1
+- new version 2.4.49 (#2005339)
+
+* Wed Sep 15 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-18
+- Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which
+  differ only in case
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-17
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688