From 2cc0be78dcfd36cb25e40a906640b29d152756ea Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 7 Dec 2021 12:52:38 -0500 Subject: [PATCH] import httpd-2.4.51-2.el9 --- .gitignore | 2 +- .httpd.metadata | 2 +- SOURCES/KEYS | 60 +++++++++ SOURCES/apachectl.sh | 7 ++ SOURCES/httpd-2.4.48-r1825120.patch | 99 +++++++++++++++ SOURCES/httpd-2.4.48-r1869842.patch | 117 ------------------ SOURCES/httpd-2.4.48.tar.bz2.asc | 17 --- ...ssl3.patch => httpd-2.4.51-openssl3.patch} | 104 ++++++++-------- ...7397.patch => httpd-2.4.51-r1877397.patch} | 66 +++++----- SOURCES/httpd-2.4.51.tar.bz2.asc | 17 +++ SOURCES/httpd.conf | 6 +- SOURCES/ssl.conf | 18 +-- SPECS/httpd.spec | 26 +++- 13 files changed, 299 insertions(+), 242 deletions(-) create mode 100644 SOURCES/httpd-2.4.48-r1825120.patch delete mode 100644 SOURCES/httpd-2.4.48-r1869842.patch delete mode 100644 SOURCES/httpd-2.4.48.tar.bz2.asc rename SOURCES/{httpd-2.4.48-openssl3.patch => httpd-2.4.51-openssl3.patch} (83%) rename SOURCES/{httpd-2.4.48-r1877397.patch => httpd-2.4.51-r1877397.patch} (76%) create mode 100644 SOURCES/httpd-2.4.51.tar.bz2.asc diff --git a/.gitignore b/.gitignore index ac688fe..613e631 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/apache-poweredby.png -SOURCES/httpd-2.4.48.tar.bz2 +SOURCES/httpd-2.4.51.tar.bz2 diff --git a/.httpd.metadata b/.httpd.metadata index 4765aac..d0f70f2 100644 --- a/.httpd.metadata +++ b/.httpd.metadata @@ -1,2 +1,2 @@ 3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png -834876db80fc290e531f0e088d255434828b81b5 SOURCES/httpd-2.4.48.tar.bz2 +d8ae02630f836d7cf60e24f4676e633518f16e2b SOURCES/httpd-2.4.51.tar.bz2 diff --git a/SOURCES/KEYS b/SOURCES/KEYS index 03af62d..27c70fd 100644 --- a/SOURCES/KEYS +++ b/SOURCES/KEYS @@ -8756,3 +8756,63 @@ ekJ4VhpVUYgDv8+EzGS9SkgY/DpiyLvPtuhqLXos4ABSwQOEYfG3RhGy7h2B404e Ot6BQHeyFl0mtrYT1mI= =L7j3 -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096 2021-09-01 [SC] + 26F51EF9A82F4ACB43F1903ED377C9E7D1944C66 +uid [ ultimativ ] Stefan Eissing (icing) +sub rsa4096 2021-09-01 [E] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: GPGTools - https://gpgtools.org + +mQINBGEvgQMBEADHvUv7G4XclbrRea5S/m0xcV/n4eAOE7UjoDhJurR2NYEA7Ori +YML3h+Uo0a8Fr7BWdvi9FucaxUbZ7ohbUULBNfFDRpH52ojNnnKaKgtWNbGjz0BJ +3y9Udlo7jblGXnsO5zDUoQI8t5I3MjrCK3lU5OO0gvMloa8aSl/rQJ4zo5AYx2VN +Tek0JNcccp5LJaQ31BmoC0ucanBZniQG0CrMKUw6utNoY/6HF2jNVxzBs0VBneA2 +LhIJ/2QKYIEfqTTmmDqeor/Uk3xowEpnAiEe1Y+QKlRkvNs0txekB9XKbW+L6yS8 +yW7VPtAMU4IAA6FKvSOAPWSAuqc0beitZarCw4zCLf5EsluI+r0j4nJ/rCNroiUe +CNCDx4i5wwV39m0+Dmei3HuXUBqyH1ydDspZdgSGacLqUOsj7M+v+lpWiWEgbEo8 +w1jeQ9mn+Juj73QLR3bmUxjTe8acTl22/FGKndMcNf+pawLh51NvqmOPGOX+w+Ul +jWIVG6nTCBZB3OACk8to16YMgw8NfK38VHM76YpMOJwgEk+kqljDU0vvI1LIxoT/ +BHyup3Bf2scPPKhe7U47+WBz2f2FC9ZQdlm7VhMYWhGfiilY+SkAHGIto6KEeavv +O5lo2ziOqsotQeYSN/2nyWLcayC5dQxmZJoo1VvjibRm/GkDGLTmc0wEcwARAQAB +tCtTdGVmYW4gRWlzc2luZyAoaWNpbmcpIDxzdGVmYW5AZWlzc2luZy5vcmc+iQJO +BBMBCgA4FiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmEvgQMCGwMFCwkIBwMFFQoJ +CAsFFgIDAQACHgECF4AACgkQ03fJ59GUTGaH/g//XHeDFajXzOuebcvVf6iQKUMS +WYlV/GO2f27ZutNv1nFmD6zvlOZ6yr+JANoMAK9iXK6K/R8fYlL1LzkJvCS4V0i3 +fnbZto3bd2Eiyitvs0ppj1c6GLOU5EtWLHsa3l1/X7EGjY9yOguqk168wLwMOXpy +YXGOzdqUxrep91kE4Z3y3YflcRm+3Fvi4dARnjAZguiMvbOLaiEHZ4jDDcckxQr3 +9uOWpq7OYY07PvemqCJyczVkzEKxDj7hm62p9HvoJB/KwTFkYW1aLfB8fd834iEc +6DoF17V8DoPMoU1kLRdcVDEsJPpFFEBF3pn2cmi+oOryRrSK1Rbo+HHQyFqo3D01 +9/svYZHRXnXhRbfBd45/qYaJOeq4tqo572Lv2LFDkuZ6S3rJ1qgVPSvSHL7kkOxh ++/x2zRujXzgdVorjXLYw6LfkCHzaevd/DVycHh6d5ctfiTSEsy3JVp+XKK94r8Rb +e9ybf6whA7tEnuwr0sX5219eYGWw5/awMn8UfMSdrRYQbRdW7Wr8vA+7UMdlY+VI +51gFBAod11bSi9uMPToXczwYH3OMRnAn04sIp2BOwCwnIW4h+RD71pnZgDMcxiil +NxhZJYw8w5dvla2v3zxh+oCa+bdP79wHbphNVVWMfhJcnRbQlDiZgoKXdPhU+mcN +BlyebrE81USOWMS6XXi5Ag0EYS+BAwEQAJ1jce2bjEpG6RNaXkN03GuzB8EOOW4K +J7t2ZNhX77okMdcUrXcu8DvvDG7okGDtwB+Ql6yWwbJeCIxhyWeeF+TwcZWvBs00 +3uiiZLfissN4pn9198BtxntUVqoc1NKbAudOyAimlCUlDExEhHQQ6PYP7i6xBf/M +3MZlYyni2ZnMjbsxuNXTN0TR2J53sKCaQvjQjWQwD9N5/0ZivU/uiCuG1Sbn6Wjt +Xp511g74m0Rio68i12/QVEfMZWhorWDhDxQSPhVWqFC1sChLDHZ/7L1IhzMX0q3W +xPCK+rBsMSy/SWw5GotrQATIgJLTGQG7tehDWiVDTxCQSrELQoawJdO99g6C+OEL +m3Z5CnDYVwD4CLPB+DRROaB8UbauvMJZCHMo3OXUALj89ZRpD20h2RQyIkTl37LS +J9IYM9SxA792ujNoUbdWS/FNIUpopP94jemyaj6qqEBwUGMvIPE0RdsIPdOEcuS3 +3kW9W/bHlWCe8m0CIPbwZFohNGk9+KBalz1CTNnZxB7rvRyLLhzJws9BqtU7X3dy +J0ZcYHGQJsvU8ZfAM/EUMLbyvUSbnDdNwDDjduO8ZuOWYjg5f/FwSR25k/yGvfUe +RyiptHnl5c7BMkNaEtfHFVDPOIts6vDVD3K/np9AK7UY58snaMnqFTtxz1munJSX +C0IXelr+V6hRABEBAAGJAjYEGAEKACAWIQQm9R75qC9Ky0PxkD7Td8nn0ZRMZgUC +YS+BAwIbDAAKCRDTd8nn0ZRMZqEoD/49MVe/6bW54eh0CG6B07tY1qlkelSv+xfY +tgZ3V+vZFtLVjo0RYpeP4Yt0ZtpNqZEPnHqwAvD7TZQayNVgo13uK/0aBlAhVtWZ +54nuItHcwT90u+3Tj5hnHwPptIxSsfRWEAg5BkegQN76c+yhNHWJ5U2H2pG2+YkP +dXHS89/nbDEi9kZhgtIer9lhmZSgSO2RYzj/QHgLNEor3IGUGAI3u0M2o+dcoVyH +NJGPRboBzCm8qNDt/3cctQDzFdDA+3X7KbPKekYs3ewuO1l+JtXtnq3S4tkvMDI1 +ZKX0RBydw5w+bksTk6Z7X7nbYmPCeNNBVQUshwQwDXCHPDXd1MxWJHqTz8lOPo70 +fHH0DWTTOw9rNMacUnz7FE0veDcknOZQ4snbHwZkUC4Mg5wM6KOyWgrTW6XK0TSx +Su1Qou7xKD/A1zgx9C0eIqicnifDUEY9SGfXaJrsJDJICEP0BtmcfsP0Z8DcmzOv +atfaF/cmJBtSR6IegJYJCtrlFdpIKQSikZO4QP5B3odc0ipuklkJcPkbQhpx+C5x +O3yU7Izv+cy+yhF+uq8NtWVQx+WCtt4RWqSn6sxtUvTb5qnRbMQtZJ2vbN8+WqTK +ZNlXGF7PBgjSTJnHmCvaT4gfVnJ/NAwn4stq+bdPnrBSKaDnYGwWpV9g8u+XSpOF +ebJKIV3Evw== +=tHCM +-----END PGP PUBLIC KEY BLOCK----- + diff --git a/SOURCES/apachectl.sh b/SOURCES/apachectl.sh index 766cfba..823db3b 100755 --- a/SOURCES/apachectl.sh +++ b/SOURCES/apachectl.sh @@ -15,6 +15,13 @@ # See the License for the specific language governing permissions and # limitations under the License. +### +### NOTE: This is a replacement version of the "apachectl" script with +### some differences in behaviour to the version distributed with +### Apache httpd. Please read the apachectl(8) man page for more +### information. +### + if [ "x$1" = "x-k" ]; then shift fi diff --git a/SOURCES/httpd-2.4.48-r1825120.patch b/SOURCES/httpd-2.4.48-r1825120.patch new file mode 100644 index 0000000..4eb0a59 --- /dev/null +++ b/SOURCES/httpd-2.4.48-r1825120.patch @@ -0,0 +1,99 @@ +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index 4e2e80d..10a2c86 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -2256,51 +2256,6 @@ int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, + return OK; + } + +-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a, +- const X509_NAME * const *b) +-{ +- return(X509_NAME_cmp(*a, *b)); +-} +- +-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, +- server_rec *s, apr_pool_t *ptemp, +- const char *file) +-{ +- int n; +- STACK_OF(X509_NAME) *sk; +- +- sk = (STACK_OF(X509_NAME) *) +- SSL_load_client_CA_file(file); +- +- if (!sk) { +- return; +- } +- +- for (n = 0; n < sk_X509_NAME_num(sk); n++) { +- X509_NAME *name = sk_X509_NAME_value(sk, n); +- +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209) +- "CA certificate: %s", +- modssl_X509_NAME_to_string(ptemp, name, 0)); +- +- /* +- * note that SSL_load_client_CA_file() checks for duplicates, +- * but since we call it multiple times when reading a directory +- * we must also check for duplicates ourselves. +- */ +- +- if (sk_X509_NAME_find(ca_list, name) < 0) { +- /* this will be freed when ca_list is */ +- sk_X509_NAME_push(ca_list, name); +- } +- else { +- /* need to free this ourselves, else it will leak */ +- X509_NAME_free(name); +- } +- } +- +- sk_X509_NAME_free(sk); +-} + + static apr_status_t ssl_init_ca_cert_path(server_rec *s, + apr_pool_t *ptemp, +@@ -2324,7 +2279,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s, + } + file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL); + if (ca_list) { +- ssl_init_PushCAList(ca_list, s, ptemp, file); ++ SSL_add_file_cert_subjects_to_stack(ca_list, file); + } + if (xi_list) { + load_x509_info(ptemp, xi_list, file); +@@ -2341,19 +2296,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, + const char *ca_file, + const char *ca_path) + { +- STACK_OF(X509_NAME) *ca_list; +- +- /* +- * Start with a empty stack/list where new +- * entries get added in sorted order. +- */ +- ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp); ++ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();; + + /* + * Process CA certificate bundle file + */ + if (ca_file) { +- ssl_init_PushCAList(ca_list, s, ptemp, ca_file); ++ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file); + /* + * If ca_list is still empty after trying to load ca_file + * then the file failed to load, and users should hear about that. +@@ -2377,11 +2326,6 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, + return NULL; + } + +- /* +- * Cleanup +- */ +- (void) sk_X509_NAME_set_cmp_func(ca_list, NULL); +- + return ca_list; + } + diff --git a/SOURCES/httpd-2.4.48-r1869842.patch b/SOURCES/httpd-2.4.48-r1869842.patch deleted file mode 100644 index 7629a13..0000000 --- a/SOURCES/httpd-2.4.48-r1869842.patch +++ /dev/null @@ -1,117 +0,0 @@ -# ./pullrev.sh 1869842 -http://svn.apache.org/viewvc?view=revision&revision=1869842 - ---- httpd-2.4.48/modules/ssl/ssl_engine_config.c.r1869842 -+++ httpd-2.4.48/modules/ssl/ssl_engine_config.c -@@ -75,6 +75,10 @@ - mc->stapling_refresh_mutex = NULL; - #endif - -+#ifdef HAVE_OPENSSL_KEYLOG -+ mc->keylog_file = NULL; -+#endif -+ - apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY, - apr_pool_cleanup_null, - pool); ---- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1869842 -+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c -@@ -445,6 +445,28 @@ - init_bio_methods(); - #endif - -+#ifdef HAVE_OPENSSL_KEYLOG -+ { -+ const char *logfn = getenv("SSLKEYLOGFILE"); -+ -+ if (logfn) { -+ rv = apr_file_open(&mc->keylog_file, logfn, -+ APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE, -+ APR_FPROT_UREAD|APR_FPROT_UWRITE, -+ mc->pPool); -+ if (rv) { -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226) -+ "Could not open log file '%s' configured via SSLKEYLOGFILE", -+ logfn); -+ return rv; -+ } -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227) -+ "Init: Logging SSL private key material to %s", logfn); -+ } -+ } -+#endif -+ - return OK; - } - -@@ -806,6 +828,12 @@ - * https://github.com/openssl/openssl/issues/7178 */ - SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); - #endif -+ -+#ifdef HAVE_OPENSSL_KEYLOG -+ if (mctx->sc->mc->keylog_file) { -+ SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog); -+ } -+#endif - - return APR_SUCCESS; - } ---- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1869842 -+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c -@@ -2822,3 +2822,17 @@ - } - - #endif /* HAVE_SRP */ -+ -+ -+#ifdef HAVE_OPENSSL_KEYLOG -+/* Callback used with SSL_CTX_set_keylog_callback. */ -+void modssl_callback_keylog(const SSL *ssl, const char *line) -+{ -+ conn_rec *conn = SSL_get_app_data(ssl); -+ SSLSrvConfigRec *sc = mySrvConfig(conn->base_server); -+ -+ if (sc && sc->mc->keylog_file) { -+ apr_file_printf(sc->mc->keylog_file, "%s\n", line); -+ } -+} -+#endif ---- httpd-2.4.48/modules/ssl/ssl_private.h.r1869842 -+++ httpd-2.4.48/modules/ssl/ssl_private.h -@@ -252,6 +252,10 @@ - #endif - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) -+#define HAVE_OPENSSL_KEYLOG -+#endif -+ - /* mod_ssl headers */ - #include "ssl_util_ssl.h" - -@@ -620,6 +624,11 @@ - apr_global_mutex_t *stapling_cache_mutex; - apr_global_mutex_t *stapling_refresh_mutex; - #endif -+ -+#ifdef HAVE_OPENSSL_KEYLOG -+ /* Used for logging if SSLKEYLOGFILE is set at startup. */ -+ apr_file_t *keylog_file; -+#endif - } SSLModConfigRec; - - /** Structure representing configured filenames for certs and keys for -@@ -979,6 +988,11 @@ - int ssl_callback_SRPServerParams(SSL *, int *, void *); - #endif - -+#ifdef HAVE_OPENSSL_KEYLOG -+/* Callback used with SSL_CTX_set_keylog_callback. */ -+void modssl_callback_keylog(const SSL *ssl, const char *line); -+#endif -+ - /** I/O */ - void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *); - void ssl_io_filter_register(apr_pool_t *); diff --git a/SOURCES/httpd-2.4.48.tar.bz2.asc b/SOURCES/httpd-2.4.48.tar.bz2.asc deleted file mode 100644 index 22d6908..0000000 --- a/SOURCES/httpd-2.4.48.tar.bz2.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJSBAABCgA8FiEExVq3uROesiY80aq8GbAz0XYMInsFAmCi3n8eHGNocmlzdG9w -aGUuamFpbGxldEB3YW5hZG9vLmZyAAoJEBmwM9F2DCJ7jtwP/R/k4OULx5uQFxyN -cc4yzClTRK1wK3q5RgGyRH6+eYX6tVOtpPTY0pjLuPaOp05gPg0Ega3tIleEMYvq -q0oX3yzLKvlHUSFmJuZUACeNYp+ekzEa031SXGWXGQQIh5H3PSmMOTEB/o/3NZuY -zQmHbuSdQspNmOF7P6q+ZeM3ojZBVnXTWabV4dCEMAFV3iseeB3ZeeXOE1dzcXlA -Z4nslAC+/ZE1q8eZ17P2t/cD2INVO9rbjSqX2VBjoIG/M57rR/1IAGuktyrMohh+ -ZWBBg2ZRpljTWQpMh+V5fd9inxkDr1DYpML+XkZN+FoE6W1TcXiPeFyp6n6blzWN -EY1lUGCqBuWsX8F1CRQSyNtQWOF0Wn+XHb1WSepCCBBZ0CPr/hEWQlmHDclO0O6R -w6H1+xEOFRwa8Mpz1qS0N3Q4WyNeEm66ShNGIqBt1sdiUc4/u0aWyXiKjwPWAs2w -GWOYnej41jgAn6GNXGfRTeQZrP1o0jDylYLJxDGxC+dS7Z7UXo+P8QK6YuSHqrF+ -0oTSgbYKkCLE3+B9MvCzqSRrvx5zk57gqZl1iMhOj85X5Pv4hSpcokoalrhTy+PQ -q4v3LK4q4hORS+Jz/jvXB+8HTa6D5A0PdOdlQtXOMlAjLc0PMw2QKgfAoq0jaUyV -Y4Nh8QSEPWiMKNQgsotZon7c6glp -=h1iL ------END PGP SIGNATURE----- diff --git a/SOURCES/httpd-2.4.48-openssl3.patch b/SOURCES/httpd-2.4.51-openssl3.patch similarity index 83% rename from SOURCES/httpd-2.4.48-openssl3.patch rename to SOURCES/httpd-2.4.51-openssl3.patch index f218d16..a4423c7 100644 --- a/SOURCES/httpd-2.4.48-openssl3.patch +++ b/SOURCES/httpd-2.4.51-openssl3.patch @@ -1,11 +1,9 @@ https://github.com/apache/httpd/pull/258 -diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index 4da24eddcc..5d199cddaf 100644 ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +--- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3 ++++ httpd-2.4.51/modules/ssl/ssl_engine_init.c +@@ -91,7 +91,6 @@ return 1; } @@ -13,7 +11,7 @@ index 4da24eddcc..5d199cddaf 100644 /* * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* -@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen) +@@ -171,6 +170,7 @@ return NULL; /* impossible to reach. */ } @@ -21,7 +19,7 @@ index 4da24eddcc..5d199cddaf 100644 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, server_rec *s) -@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, +@@ -440,8 +440,9 @@ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ @@ -32,19 +30,19 @@ index 4da24eddcc..5d199cddaf 100644 init_bio_methods(); #endif -@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, +@@ -862,7 +863,11 @@ { SSL_CTX *ctx = mctx->ssl_ctx; +#if MODSSL_USE_OPENSSL_PRE_1_1_API ++ /* Note that for OpenSSL>=1.1, auto selection is enabled via ++ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); -+#else -+ SSL_CTX_set_dh_auto(ctx, 1); +#endif SSL_CTX_set_info_callback(ctx, ssl_callback_Info); -@@ -843,6 +848,23 @@ static void ssl_init_ctx_callbacks(server_rec *s, +@@ -871,6 +876,23 @@ #endif } @@ -68,7 +66,7 @@ index 4da24eddcc..5d199cddaf 100644 static apr_status_t ssl_init_ctx_verify(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -883,10 +905,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s, +@@ -911,10 +933,8 @@ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "Configuring client authentication"); @@ -81,7 +79,7 @@ index 4da24eddcc..5d199cddaf 100644 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) "Unable to configure verify locations " "for client authentication"); -@@ -971,6 +991,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, +@@ -999,6 +1019,23 @@ return APR_SUCCESS; } @@ -105,7 +103,7 @@ index 4da24eddcc..5d199cddaf 100644 static apr_status_t ssl_init_ctx_crl(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -1009,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, +@@ -1037,8 +1074,8 @@ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) "Configuring certificate revocation facility"); @@ -116,7 +114,7 @@ index 4da24eddcc..5d199cddaf 100644 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) "Host %s: unable to configure X.509 CRL storage " "for certificate revocation", mctx->sc->vhost_id); -@@ -1239,6 +1276,31 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag, +@@ -1267,6 +1304,31 @@ return 0; } @@ -148,7 +146,7 @@ index 4da24eddcc..5d199cddaf 100644 static apr_status_t ssl_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -1249,7 +1311,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, +@@ -1277,7 +1339,7 @@ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; int i; X509 *cert; @@ -157,7 +155,7 @@ index 4da24eddcc..5d199cddaf 100644 #ifdef HAVE_ECC EC_GROUP *ecparams = NULL; int nid; -@@ -1344,8 +1406,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, +@@ -1372,8 +1434,7 @@ } else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, SSL_FILETYPE_PEM) < 1) @@ -167,13 +165,15 @@ index 4da24eddcc..5d199cddaf 100644 ssl_asn1_t *asn1; const unsigned char *ptr; -@@ -1434,12 +1495,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s, +@@ -1462,13 +1523,22 @@ */ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); if (certfile && !modssl_is_engine_id(certfile) - && (dhparams = ssl_dh_GetParamFromFile(certfile))) { - SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); + && (dh = ssl_dh_GetParamFromFile(certfile))) { ++ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey() ++ * for OpenSSL 3.0+. */ + SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) "Custom DH parameters (%d bits) for %s loaded from %s", @@ -182,9 +182,17 @@ index 4da24eddcc..5d199cddaf 100644 + modssl_DH_bits(dh), vhost_id, certfile); + DH_free(dh); } ++#if !MODSSL_USE_OPENSSL_PRE_1_1_API ++ else { ++ /* If no parameter is manually configured, enable auto ++ * selection. */ ++ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); ++ } ++#endif #ifdef HAVE_ECC -@@ -1490,6 +1551,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, + /* +@@ -1518,6 +1588,7 @@ char buf[TLSEXT_TICKET_KEY_LEN]; char *path; modssl_ticket_key_t *ticket_key = mctx->ticket_key; @@ -192,7 +200,7 @@ index 4da24eddcc..5d199cddaf 100644 if (!ticket_key->file_path) { return APR_SUCCESS; -@@ -1517,11 +1579,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, +@@ -1545,11 +1616,22 @@ } memcpy(ticket_key->key_name, buf, 16); @@ -219,7 +227,7 @@ index 4da24eddcc..5d199cddaf 100644 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) "Unable to initialize TLS session ticket key callback " "(incompatible OpenSSL version?)"); -@@ -1652,7 +1725,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, +@@ -1680,7 +1762,7 @@ return ssl_die(s); } @@ -228,7 +236,7 @@ index 4da24eddcc..5d199cddaf 100644 for (n = 0; n < ncerts; n++) { int i; -@@ -2249,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data) +@@ -2277,10 +2359,11 @@ } @@ -242,11 +250,9 @@ index 4da24eddcc..5d199cddaf 100644 return APR_SUCCESS; } -diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c -index cabf753790..3db7077f1e 100644 ---- a/modules/ssl/ssl_engine_io.c -+++ b/modules/ssl/ssl_engine_io.c -@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio) +--- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3 ++++ httpd-2.4.51/modules/ssl/ssl_engine_io.c +@@ -194,6 +194,10 @@ static int bio_filter_out_read(BIO *bio, char *out, int outl) { /* this is never called */ @@ -257,7 +263,7 @@ index cabf753790..3db7077f1e 100644 return -1; } -@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) +@@ -293,12 +297,20 @@ static int bio_filter_out_gets(BIO *bio, char *buf, int size) { /* this is never called */ @@ -278,7 +284,7 @@ index cabf753790..3db7077f1e 100644 return -1; } -@@ -533,22 +545,47 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) +@@ -533,22 +545,47 @@ static int bio_filter_in_write(BIO *bio, const char *in, int inl) { @@ -327,7 +333,7 @@ index cabf753790..3db7077f1e 100644 } #if MODSSL_USE_OPENSSL_PRE_1_1_API -@@ -573,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = { +@@ -573,7 +610,7 @@ bio_filter_in_read, bio_filter_in_puts, /* puts is never called */ bio_filter_in_gets, /* gets is never called */ @@ -336,11 +342,9 @@ index cabf753790..3db7077f1e 100644 bio_filter_create, bio_filter_destroy, NULL -diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c -index b99dcf19d4..aced92d2d0 100644 ---- a/modules/ssl/ssl_engine_kernel.c -+++ b/modules/ssl/ssl_engine_kernel.c -@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client = +--- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3 ++++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c +@@ -1685,6 +1685,7 @@ ** _________________________________________________________________ */ @@ -348,7 +352,7 @@ index b99dcf19d4..aced92d2d0 100644 /* * Hand out standard DH parameters, based on the authentication strength */ -@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) +@@ -1730,6 +1731,7 @@ return modssl_get_dh_params(keylen); } @@ -356,7 +360,7 @@ index b99dcf19d4..aced92d2d0 100644 /* * This OpenSSL callback function is called when OpenSSL -@@ -2614,7 +2616,11 @@ int ssl_callback_SessionTicket(SSL *ssl, +@@ -2614,7 +2616,11 @@ unsigned char *keyname, unsigned char *iv, EVP_CIPHER_CTX *cipher_ctx, @@ -369,7 +373,7 @@ index b99dcf19d4..aced92d2d0 100644 int mode) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -@@ -2641,7 +2647,13 @@ int ssl_callback_SessionTicket(SSL *ssl, +@@ -2640,7 +2646,13 @@ } EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ticket_key->aes_key, iv); @@ -384,7 +388,7 @@ index b99dcf19d4..aced92d2d0 100644 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) "TLS session ticket key for %s successfully set, " -@@ -2662,7 +2674,13 @@ int ssl_callback_SessionTicket(SSL *ssl, +@@ -2661,7 +2673,13 @@ EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ticket_key->aes_key, iv); @@ -399,11 +403,9 @@ index b99dcf19d4..aced92d2d0 100644 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) "TLS session ticket key for %s successfully set, " -diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c -index 7dbbbdb55e..3b3ceacf0a 100644 ---- a/modules/ssl/ssl_engine_log.c -+++ b/modules/ssl/ssl_engine_log.c -@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s) +--- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3 ++++ httpd-2.4.51/modules/ssl/ssl_engine_log.c +@@ -78,6 +78,16 @@ return APR_EGENERAL; } @@ -420,7 +422,7 @@ index 7dbbbdb55e..3b3ceacf0a 100644 /* * Prints the SSL library error information. */ -@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) +@@ -87,7 +97,7 @@ const char *data; int flags; @@ -429,10 +431,8 @@ index 7dbbbdb55e..3b3ceacf0a 100644 const char *annotation; char err[256]; -diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h -index a6fc7513a2..b091c58c94 100644 ---- a/modules/ssl/ssl_private.h -+++ b/modules/ssl/ssl_private.h +--- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3 ++++ httpd-2.4.51/modules/ssl/ssl_private.h @@ -89,6 +89,9 @@ /* must be defined before including ssl.h */ #define OPENSSL_NO_SSL_INTERN @@ -459,7 +459,7 @@ index a6fc7513a2..b091c58c94 100644 #else /* defined(LIBRESSL_VERSION_NUMBER) */ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) #endif -@@ -674,7 +676,11 @@ typedef struct { +@@ -681,7 +683,11 @@ typedef struct { const char *file_path; unsigned char key_name[16]; @@ -471,7 +471,7 @@ index a6fc7513a2..b091c58c94 100644 unsigned char aes_key[16]; } modssl_ticket_key_t; #endif -@@ -938,8 +944,16 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); +@@ -945,8 +951,16 @@ int ssl_callback_ClientHello(SSL *, int *, void *); #endif #ifdef HAVE_TLS_SESSION_TICKETS @@ -490,7 +490,7 @@ index a6fc7513a2..b091c58c94 100644 #endif #ifdef HAVE_TLS_ALPN -@@ -1112,10 +1126,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx); +@@ -1124,10 +1138,12 @@ #endif diff --git a/SOURCES/httpd-2.4.48-r1877397.patch b/SOURCES/httpd-2.4.51-r1877397.patch similarity index 76% rename from SOURCES/httpd-2.4.48-r1877397.patch rename to SOURCES/httpd-2.4.51-r1877397.patch index 030a226..f629317 100644 --- a/SOURCES/httpd-2.4.48-r1877397.patch +++ b/SOURCES/httpd-2.4.51-r1877397.patch @@ -1,8 +1,8 @@ diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index 699bdcd..15f68f9 100644 ---- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1877397 -+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c -@@ -871,6 +871,13 @@ +index 211ebff..c8cb1af 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -871,6 +871,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog); } #endif @@ -16,7 +16,7 @@ index 699bdcd..15f68f9 100644 return APR_SUCCESS; } -@@ -892,6 +899,14 @@ +@@ -892,6 +899,14 @@ static void ssl_init_ctx_session_cache(server_rec *s, } } @@ -31,8 +31,8 @@ index 699bdcd..15f68f9 100644 static void ssl_init_ctx_callbacks(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -905,7 +920,13 @@ - SSL_CTX_set_dh_auto(ctx, 1); +@@ -905,7 +920,13 @@ static void ssl_init_ctx_callbacks(server_rec *s, + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); #endif - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); @@ -46,9 +46,11 @@ index 699bdcd..15f68f9 100644 #ifdef HAVE_TLS_ALPN SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL); ---- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1877397 -+++ httpd-2.4.48/modules/ssl/ssl_engine_io.c -@@ -209,11 +209,13 @@ +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +index 79b9a70..3a0c22a 100644 +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -209,11 +209,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) BIO_clear_retry_flags(bio); @@ -62,7 +64,7 @@ index 699bdcd..15f68f9 100644 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c, "bio_filter_out_write: %i bytes", inl); -@@ -474,11 +476,13 @@ +@@ -474,11 +476,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) BIO_clear_retry_flags(bio); @@ -76,9 +78,11 @@ index 699bdcd..15f68f9 100644 if (!inctx->bb) { inctx->rc = APR_EOF; ---- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1877397 -+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c -@@ -992,7 +992,7 @@ +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index 591f6ae..8416864 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -992,7 +992,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo /* Toggle the renegotiation state to allow the new * handshake to proceed. */ @@ -87,7 +91,7 @@ index 699bdcd..15f68f9 100644 SSL_renegotiate(ssl); SSL_do_handshake(ssl); -@@ -1019,7 +1019,7 @@ +@@ -1019,7 +1019,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo */ SSL_peek(ssl, peekbuf, 0); @@ -96,7 +100,7 @@ index 699bdcd..15f68f9 100644 if (!SSL_is_init_finished(ssl)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) -@@ -1078,7 +1078,7 @@ +@@ -1078,7 +1078,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { int vmode_inplace, vmode_needed; int change_vmode = FALSE; @@ -105,7 +109,7 @@ index 699bdcd..15f68f9 100644 vmode_inplace = SSL_get_verify_mode(ssl); vmode_needed = SSL_VERIFY_NONE; -@@ -1180,8 +1180,6 @@ +@@ -1180,8 +1180,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon return HTTP_FORBIDDEN; } @@ -114,7 +118,7 @@ index 699bdcd..15f68f9 100644 modssl_set_app_data2(ssl, r); SSL_do_handshake(ssl); -@@ -1191,7 +1189,6 @@ +@@ -1191,7 +1189,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon */ SSL_peek(ssl, peekbuf, 0); @@ -122,7 +126,7 @@ index 699bdcd..15f68f9 100644 modssl_set_app_data2(ssl, NULL); /* -@@ -2263,8 +2260,8 @@ +@@ -2263,8 +2260,8 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c, /* * This callback function is executed while OpenSSL processes the SSL * handshake and does SSL record layer stuff. It's used to trap @@ -133,7 +137,7 @@ index 699bdcd..15f68f9 100644 */ void ssl_callback_Info(const SSL *ssl, int where, int rc) { -@@ -2276,14 +2273,12 @@ +@@ -2276,14 +2273,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) return; } @@ -154,7 +158,7 @@ index 699bdcd..15f68f9 100644 { SSLConnRec *sslconn; -@@ -2308,6 +2303,7 @@ +@@ -2308,6 +2303,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) sslconn->reneg_state = RENEG_REJECT; } } @@ -162,9 +166,11 @@ index 699bdcd..15f68f9 100644 s = mySrvFromConn(c); if (s && APLOGdebug(s)) { ---- httpd-2.4.48/modules/ssl/ssl_private.h.r1877397 -+++ httpd-2.4.48/modules/ssl/ssl_private.h -@@ -512,6 +512,16 @@ +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index a329d99..7666c31 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -512,6 +512,16 @@ typedef struct { apr_time_t source_mtime; } ssl_asn1_t; @@ -181,7 +187,7 @@ index 699bdcd..15f68f9 100644 /** * Define the mod_ssl per-module configuration structure * (i.e. the global configuration for each httpd process) -@@ -544,18 +554,13 @@ +@@ -543,18 +553,13 @@ typedef struct { NON_SSL_SET_ERROR_MSG /* Need to set the error message */ } non_ssl_request; @@ -207,7 +213,7 @@ index 699bdcd..15f68f9 100644 server_rec *server; SSLDirConfigRec *dc; -@@ -1160,6 +1165,9 @@ +@@ -1158,6 +1163,9 @@ int ssl_is_challenge(conn_rec *c, const char *servername, * the configured ENGINE. */ int modssl_is_engine_id(const char *name); @@ -217,9 +223,11 @@ index 699bdcd..15f68f9 100644 #endif /* SSL_PRIVATE_H */ /** @} */ ---- httpd-2.4.48/modules/ssl/ssl_util_ssl.c.r1877397 -+++ httpd-2.4.48/modules/ssl/ssl_util_ssl.c -@@ -589,3 +589,19 @@ +diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c +index 38079a9..dafb833 100644 +--- a/modules/ssl/ssl_util_ssl.c ++++ b/modules/ssl/ssl_util_ssl.c +@@ -589,3 +589,19 @@ cleanup: } return rv; } diff --git a/SOURCES/httpd-2.4.51.tar.bz2.asc b/SOURCES/httpd-2.4.51.tar.bz2.asc new file mode 100644 index 0000000..5c06626 --- /dev/null +++ b/SOURCES/httpd-2.4.51.tar.bz2.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmFe8kEACgkQ03fJ59GU +TGatthAAtWzeOD1TCIEvf5f9bAIZDK9vjEEnBZDeYMMrH1wVJGNJm48XP08O/Kbq +qhvc9201RUwkAtWEUX811ZBAYd5A8lAqetfmIuCSHerYSOU0CbhvBjKsuIJVIKWD +Wo1uPUDWk068V0HBquQtW6AEB4oo16fKPMEr1aOOxFpR+F806daJN1gt3ubPzkNJ +rZd4E6dV00eEymeUIfk0BjDqSWKHmUr+08/dtWqc7kGYGcnJzu0e5pr6cc0hOV2o +mqYm28F7eMSe5JCnAOd1LnnqtOwV81mZLxiAxR40PoFhV7IoBLo0zAJ99AHxJfA2 +9RjCmZ/WYtleeDT7mC1cdATHKOPRaubklzK6Ntf7tMaRIO07hnIfIRXQveKG7h+G +Og6PGtfR9bwDGrg2f5Dr+R2fwUJO7EL31IxTYQFBUDe2Q82aNIWpdIFdte93nc+S +HqjWq3w6zq+jdSm3xvyLB0LLSOguXhcjj5VEqV+aExZPASbf+Q8bG51mSbMQhkaq +fEheFcdhu3Sm0x5xQXvEM3gX5XUr8vmrPWaacayPYfS7MinWukV0hXe5/DoYkFTt +a1pt6bHcyVfR0tB0Q3bvm59EeaxLVfogb6Eq74RlrfYiCU/Qx7bMUs3tSeIkHGmY +cNhpxzc/36i4Cf+fBDPKuJroXYV5wFoQmpnXVLAqRd6jWZcOizY= +=f5dx +-----END PGP SIGNATURE----- diff --git a/SOURCES/httpd.conf b/SOURCES/httpd.conf index 6ab68cb..609b2e2 100644 --- a/SOURCES/httpd.conf +++ b/SOURCES/httpd.conf @@ -38,8 +38,10 @@ ServerRoot "/etc/httpd" # ports, instead of the default. See also the # directive. # -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. +# Change this to Listen on a specific IP address, but note that if +# httpd.service is enabled to run at boot time, the address may not be +# available when the service starts. See the httpd.service(8) man +# page for more information. # #Listen 12.34.56.78:80 Listen 80 diff --git a/SOURCES/ssl.conf b/SOURCES/ssl.conf index 373b9e5..d28adf3 100644 --- a/SOURCES/ssl.conf +++ b/SOURCES/ssl.conf @@ -23,22 +23,6 @@ SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLSessionCacheTimeout 300 -# Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the -# SSL library. The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. Read the mod_ssl User -# Manual for more details. -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -#SSLRandomSeed startup file:/dev/random 512 -#SSLRandomSeed connect file:/dev/random 512 -#SSLRandomSeed connect file:/dev/urandom 512 - # # Use "SSLCryptoDevice" to enable any supported hardware # accelerators. Use "openssl engine -v" to list supported @@ -70,7 +54,7 @@ LogLevel warn SSLEngine on # List the protocol versions which clients are allowed to connect with. -# The OpenSSL system profile is configured by default. See +# The OpenSSL system profile is used by default. See # update-crypto-policies(8) for more details. #SSLProtocol all -SSLv3 #SSLProxyProtocol all -SSLv3 diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 2d2f16a..225795b 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -12,8 +12,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.48 -Release: 17%{?dist} +Version: 2.4.51 +Release: 2%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -76,7 +76,6 @@ Patch25: httpd-2.4.43-selinux.patch Patch26: httpd-2.4.43-gettid.patch Patch27: httpd-2.4.43-icons.patch Patch30: httpd-2.4.43-cachehardmax.patch -Patch32: httpd-2.4.48-r1869842.patch Patch34: httpd-2.4.43-socket-activation.patch Patch38: httpd-2.4.43-sslciphdefault.patch Patch39: httpd-2.4.43-sslprotdefault.patch @@ -91,6 +90,8 @@ Patch47: httpd-2.4.43-pr37355.patch Patch48: httpd-2.4.46-freebind.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1950021 Patch49: httpd-2.4.48-ssl-proxy-chains.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2004143 +Patch50: httpd-2.4.48-r1825120.patch # Bug fixes @@ -99,11 +100,11 @@ Patch60: httpd-2.4.43-enable-sslv3.patch Patch61: httpd-2.4.46-htcacheclean-dont-break.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1986822 # https://bugzilla.redhat.com/show_bug.cgi?id=1976080 -Patch62: httpd-2.4.48-openssl3.patch +Patch62: httpd-2.4.51-openssl3.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1932442 Patch64: httpd-2.4.48-full-release.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1950011 -Patch65: httpd-2.4.48-r1877397.patch +Patch65: httpd-2.4.51-r1877397.patch # Security fixes @@ -242,7 +243,6 @@ written in the Lua programming language. %patch26 -p1 -b .gettid %patch27 -p1 -b .icons %patch30 -p1 -b .cachehardmax -%patch32 -p1 -b .r1869842 %patch34 -p1 -b .socketactivation %patch38 -p1 -b .sslciphdefault %patch39 -p1 -b .sslprotdefault @@ -254,6 +254,7 @@ written in the Lua programming language. %patch47 -p1 -b .pr37355 %patch48 -p1 -b .freebind %patch49 -p1 -b .ssl-proxy-chains +%patch50 -p1 -b .r1825120 %patch60 -p1 -b .enable-sslv3 %patch61 -p1 -b .htcacheclean-dont-break @@ -806,6 +807,19 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon Nov 08 2021 Luboš Uhliarik - 2.4.51-2 +- Resolves: #2005416 - httpd default configuration changes + +* Tue Oct 19 2021 Luboš Uhliarik - 2.4.51-1 +- new version 2.4.51 (#2011090) + +* Fri Sep 17 2021 Luboš Uhliarik - 2.4.49-1 +- new version 2.4.49 (#2005339) + +* Wed Sep 15 2021 Luboš Uhliarik - 2.4.48-18 +- Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which + differ only in case + * Mon Aug 09 2021 Mohan Boddu - 2.4.48-17 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688