import httpd-2.4.51-2.el9

2021-12-07 12:52:38 -05:00 · 2021-12-07 12:52:38 -05:00 · 2cc0be78dc
commit 2cc0be78dc
parent c50aa5610e
13 changed files with 299 additions and 242 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/apache-poweredby.png
-SOURCES/httpd-2.4.48.tar.bz2
+SOURCES/httpd-2.4.51.tar.bz2
--- a/.httpd.metadata
+++ b/.httpd.metadata
@ -1,2 +1,2 @@
 3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png
-834876db80fc290e531f0e088d255434828b81b5 SOURCES/httpd-2.4.48.tar.bz2
+d8ae02630f836d7cf60e24f4676e633518f16e2b SOURCES/httpd-2.4.51.tar.bz2
--- a/SOURCES/KEYS
+++ b/SOURCES/KEYS
@ -8756,3 +8756,63 @@ ekJ4VhpVUYgDv8+EzGS9SkgY/DpiyLvPtuhqLXos4ABSwQOEYfG3RhGy7h2B404e
 Ot6BQHeyFl0mtrYT1mI=
 =L7j3
 -----END PGP PUBLIC KEY BLOCK-----
 pub   rsa4096 2021-09-01 [SC]
      26F51EF9A82F4ACB43F1903ED377C9E7D1944C66
 uid        [ ultimativ ] Stefan Eissing (icing) <stefan@eissing.org>
 sub   rsa4096 2021-09-01 [E]
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: GPGTools - https://gpgtools.org
 mQINBGEvgQMBEADHvUv7G4XclbrRea5S/m0xcV/n4eAOE7UjoDhJurR2NYEA7Ori
 YML3h+Uo0a8Fr7BWdvi9FucaxUbZ7ohbUULBNfFDRpH52ojNnnKaKgtWNbGjz0BJ
 3y9Udlo7jblGXnsO5zDUoQI8t5I3MjrCK3lU5OO0gvMloa8aSl/rQJ4zo5AYx2VN
 Tek0JNcccp5LJaQ31BmoC0ucanBZniQG0CrMKUw6utNoY/6HF2jNVxzBs0VBneA2
 LhIJ/2QKYIEfqTTmmDqeor/Uk3xowEpnAiEe1Y+QKlRkvNs0txekB9XKbW+L6yS8
 yW7VPtAMU4IAA6FKvSOAPWSAuqc0beitZarCw4zCLf5EsluI+r0j4nJ/rCNroiUe
 CNCDx4i5wwV39m0+Dmei3HuXUBqyH1ydDspZdgSGacLqUOsj7M+v+lpWiWEgbEo8
 w1jeQ9mn+Juj73QLR3bmUxjTe8acTl22/FGKndMcNf+pawLh51NvqmOPGOX+w+Ul
 jWIVG6nTCBZB3OACk8to16YMgw8NfK38VHM76YpMOJwgEk+kqljDU0vvI1LIxoT/
 BHyup3Bf2scPPKhe7U47+WBz2f2FC9ZQdlm7VhMYWhGfiilY+SkAHGIto6KEeavv
 O5lo2ziOqsotQeYSN/2nyWLcayC5dQxmZJoo1VvjibRm/GkDGLTmc0wEcwARAQAB
 tCtTdGVmYW4gRWlzc2luZyAoaWNpbmcpIDxzdGVmYW5AZWlzc2luZy5vcmc+iQJO
 BBMBCgA4FiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmEvgQMCGwMFCwkIBwMFFQoJ
 CAsFFgIDAQACHgECF4AACgkQ03fJ59GUTGaH/g//XHeDFajXzOuebcvVf6iQKUMS
 WYlV/GO2f27ZutNv1nFmD6zvlOZ6yr+JANoMAK9iXK6K/R8fYlL1LzkJvCS4V0i3
 fnbZto3bd2Eiyitvs0ppj1c6GLOU5EtWLHsa3l1/X7EGjY9yOguqk168wLwMOXpy
 YXGOzdqUxrep91kE4Z3y3YflcRm+3Fvi4dARnjAZguiMvbOLaiEHZ4jDDcckxQr3
 9uOWpq7OYY07PvemqCJyczVkzEKxDj7hm62p9HvoJB/KwTFkYW1aLfB8fd834iEc
 6DoF17V8DoPMoU1kLRdcVDEsJPpFFEBF3pn2cmi+oOryRrSK1Rbo+HHQyFqo3D01
 9/svYZHRXnXhRbfBd45/qYaJOeq4tqo572Lv2LFDkuZ6S3rJ1qgVPSvSHL7kkOxh
 +/x2zRujXzgdVorjXLYw6LfkCHzaevd/DVycHh6d5ctfiTSEsy3JVp+XKK94r8Rb
 e9ybf6whA7tEnuwr0sX5219eYGWw5/awMn8UfMSdrRYQbRdW7Wr8vA+7UMdlY+VI
 51gFBAod11bSi9uMPToXczwYH3OMRnAn04sIp2BOwCwnIW4h+RD71pnZgDMcxiil
 NxhZJYw8w5dvla2v3zxh+oCa+bdP79wHbphNVVWMfhJcnRbQlDiZgoKXdPhU+mcN
 BlyebrE81USOWMS6XXi5Ag0EYS+BAwEQAJ1jce2bjEpG6RNaXkN03GuzB8EOOW4K
 J7t2ZNhX77okMdcUrXcu8DvvDG7okGDtwB+Ql6yWwbJeCIxhyWeeF+TwcZWvBs00
 3uiiZLfissN4pn9198BtxntUVqoc1NKbAudOyAimlCUlDExEhHQQ6PYP7i6xBf/M
 3MZlYyni2ZnMjbsxuNXTN0TR2J53sKCaQvjQjWQwD9N5/0ZivU/uiCuG1Sbn6Wjt
 Xp511g74m0Rio68i12/QVEfMZWhorWDhDxQSPhVWqFC1sChLDHZ/7L1IhzMX0q3W
 xPCK+rBsMSy/SWw5GotrQATIgJLTGQG7tehDWiVDTxCQSrELQoawJdO99g6C+OEL
 m3Z5CnDYVwD4CLPB+DRROaB8UbauvMJZCHMo3OXUALj89ZRpD20h2RQyIkTl37LS
 J9IYM9SxA792ujNoUbdWS/FNIUpopP94jemyaj6qqEBwUGMvIPE0RdsIPdOEcuS3
 3kW9W/bHlWCe8m0CIPbwZFohNGk9+KBalz1CTNnZxB7rvRyLLhzJws9BqtU7X3dy
 J0ZcYHGQJsvU8ZfAM/EUMLbyvUSbnDdNwDDjduO8ZuOWYjg5f/FwSR25k/yGvfUe
 RyiptHnl5c7BMkNaEtfHFVDPOIts6vDVD3K/np9AK7UY58snaMnqFTtxz1munJSX
 C0IXelr+V6hRABEBAAGJAjYEGAEKACAWIQQm9R75qC9Ky0PxkD7Td8nn0ZRMZgUC
 YS+BAwIbDAAKCRDTd8nn0ZRMZqEoD/49MVe/6bW54eh0CG6B07tY1qlkelSv+xfY
 tgZ3V+vZFtLVjo0RYpeP4Yt0ZtpNqZEPnHqwAvD7TZQayNVgo13uK/0aBlAhVtWZ
 54nuItHcwT90u+3Tj5hnHwPptIxSsfRWEAg5BkegQN76c+yhNHWJ5U2H2pG2+YkP
 dXHS89/nbDEi9kZhgtIer9lhmZSgSO2RYzj/QHgLNEor3IGUGAI3u0M2o+dcoVyH
 NJGPRboBzCm8qNDt/3cctQDzFdDA+3X7KbPKekYs3ewuO1l+JtXtnq3S4tkvMDI1
 ZKX0RBydw5w+bksTk6Z7X7nbYmPCeNNBVQUshwQwDXCHPDXd1MxWJHqTz8lOPo70
 fHH0DWTTOw9rNMacUnz7FE0veDcknOZQ4snbHwZkUC4Mg5wM6KOyWgrTW6XK0TSx
 Su1Qou7xKD/A1zgx9C0eIqicnifDUEY9SGfXaJrsJDJICEP0BtmcfsP0Z8DcmzOv
 atfaF/cmJBtSR6IegJYJCtrlFdpIKQSikZO4QP5B3odc0ipuklkJcPkbQhpx+C5x
 O3yU7Izv+cy+yhF+uq8NtWVQx+WCtt4RWqSn6sxtUvTb5qnRbMQtZJ2vbN8+WqTK
 ZNlXGF7PBgjSTJnHmCvaT4gfVnJ/NAwn4stq+bdPnrBSKaDnYGwWpV9g8u+XSpOF
 ebJKIV3Evw==
 =tHCM
 -----END PGP PUBLIC KEY BLOCK-----
--- a/SOURCES/apachectl.sh
+++ b/SOURCES/apachectl.sh
@ -15,6 +15,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ###
 ### NOTE: This is a replacement version of the "apachectl" script with
 ### some differences in behaviour to the version distributed with
 ### Apache httpd.  Please read the apachectl(8) man page for more
 ### information.
 ###
 if [ "x$1" = "x-k" ]; then
    shift
 fi
--- a/SOURCES/httpd-2.4.48-r1825120.patch
+++ b/SOURCES/httpd-2.4.48-r1825120.patch
@ -0,0 +1,99 @@
 diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
 index 4e2e80d..10a2c86 100644
 --- a/modules/ssl/ssl_engine_init.c
 +++ b/modules/ssl/ssl_engine_init.c
@@ -2256,51 +2256,6 @@ int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
     return OK;
 }
 -static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
 -                                           const X509_NAME * const *b)
 -{
 -    return(X509_NAME_cmp(*a, *b));
 -}
 -
 -static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
 -                                server_rec *s, apr_pool_t *ptemp,
 -                                const char *file)
 -{
 -    int n;
 -    STACK_OF(X509_NAME) *sk;
 -
 -    sk = (STACK_OF(X509_NAME) *)
 -             SSL_load_client_CA_file(file);
 -
 -    if (!sk) {
 -        return;
 -    }
 -
 -    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
 -        X509_NAME *name = sk_X509_NAME_value(sk, n);
 -
 -        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
 -                     "CA certificate: %s",
 -                     modssl_X509_NAME_to_string(ptemp, name, 0));
 -
 -        /*
 -         * note that SSL_load_client_CA_file() checks for duplicates,
 -         * but since we call it multiple times when reading a directory
 -         * we must also check for duplicates ourselves.
 -         */
 -
 -        if (sk_X509_NAME_find(ca_list, name) < 0) {
 -            /* this will be freed when ca_list is */
 -            sk_X509_NAME_push(ca_list, name);
 -        }
 -        else {
 -            /* need to free this ourselves, else it will leak */
 -            X509_NAME_free(name);
 -        }
 -    }
 -
 -    sk_X509_NAME_free(sk);
 -}
 static apr_status_t ssl_init_ca_cert_path(server_rec *s,
                                           apr_pool_t *ptemp,
@@ -2324,7 +2279,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
         }
         file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
         if (ca_list) {
 -            ssl_init_PushCAList(ca_list, s, ptemp, file);
 +            SSL_add_file_cert_subjects_to_stack(ca_list, file);
         }
         if (xi_list) {
             load_x509_info(ptemp, xi_list, file);
@@ -2341,19 +2296,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
                                          const char *ca_file,
                                          const char *ca_path)
 {
 -    STACK_OF(X509_NAME) *ca_list;
 -
 -    /*
 -     * Start with a empty stack/list where new
 -     * entries get added in sorted order.
 -     */
 -    ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
 +    STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
     /*
      * Process CA certificate bundle file
      */
     if (ca_file) {
 -        ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
 +        SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
         /*
          * If ca_list is still empty after trying to load ca_file
          * then the file failed to load, and users should hear about that.
@@ -2377,11 +2326,6 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
         return NULL;
     }
 -    /*
 -     * Cleanup
 -     */
 -    (void) sk_X509_NAME_set_cmp_func(ca_list, NULL);
 -
     return ca_list;
 }
--- a/SOURCES/httpd-2.4.48-r1869842.patch
+++ b/SOURCES/httpd-2.4.48-r1869842.patch
@ -1,117 +0,0 @@
 # ./pullrev.sh 1869842
 http://svn.apache.org/viewvc?view=revision&revision=1869842
 --- httpd-2.4.48/modules/ssl/ssl_engine_config.c.r1869842
 +++ httpd-2.4.48/modules/ssl/ssl_engine_config.c
@@ -75,6 +75,10 @@
     mc->stapling_refresh_mutex = NULL;
 #endif
 +#ifdef HAVE_OPENSSL_KEYLOG
 +    mc->keylog_file = NULL;
 +#endif
 +
     apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
                           apr_pool_cleanup_null,
                           pool);
 --- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1869842
 +++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
@@ -445,6 +445,28 @@
     init_bio_methods();
 #endif
 +#ifdef HAVE_OPENSSL_KEYLOG
 +    {
 +        const char *logfn = getenv("SSLKEYLOGFILE");
 +
 +        if (logfn) {
 +            rv = apr_file_open(&mc->keylog_file, logfn,
 +                               APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
 +                               APR_FPROT_UREAD|APR_FPROT_UWRITE,
 +                               mc->pPool);
 +            if (rv) {
 +                ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
 +                             "Could not open log file '%s' configured via SSLKEYLOGFILE",
 +                             logfn);
 +                return rv;
 +            }
 +
 +            ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
 +                         "Init: Logging SSL private key material to %s", logfn);
 +        }
 +    }
 +#endif
 +    
     return OK;
 }
@@ -806,6 +828,12 @@
      * https://github.com/openssl/openssl/issues/7178 */
     SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
 #endif
 +
 +#ifdef HAVE_OPENSSL_KEYLOG
 +    if (mctx->sc->mc->keylog_file) {
 +        SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
 +    }
 +#endif
     return APR_SUCCESS;
 }
 --- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1869842
 +++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c
@@ -2822,3 +2822,17 @@
 }
 #endif /* HAVE_SRP */
 +
 +
 +#ifdef HAVE_OPENSSL_KEYLOG
 +/* Callback used with SSL_CTX_set_keylog_callback. */
 +void modssl_callback_keylog(const SSL *ssl, const char *line)
 +{
 +    conn_rec *conn = SSL_get_app_data(ssl);
 +    SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
 +
 +    if (sc && sc->mc->keylog_file) {
 +        apr_file_printf(sc->mc->keylog_file, "%s\n", line);
 +    }
 +}
 +#endif
 --- httpd-2.4.48/modules/ssl/ssl_private.h.r1869842
 +++ httpd-2.4.48/modules/ssl/ssl_private.h
@@ -252,6 +252,10 @@
 #endif
 #endif
 +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
 +#define HAVE_OPENSSL_KEYLOG
 +#endif
 +
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
@@ -620,6 +624,11 @@
     apr_global_mutex_t   *stapling_cache_mutex;
     apr_global_mutex_t   *stapling_refresh_mutex;
 #endif
 +
 +#ifdef HAVE_OPENSSL_KEYLOG
 +    /* Used for logging if SSLKEYLOGFILE is set at startup. */
 +    apr_file_t      *keylog_file;
 +#endif
 } SSLModConfigRec;
 /** Structure representing configured filenames for certs and keys for
@@ -979,6 +988,11 @@
 int          ssl_callback_SRPServerParams(SSL *, int *, void *);
 #endif
 +#ifdef HAVE_OPENSSL_KEYLOG
 +/* Callback used with SSL_CTX_set_keylog_callback. */
 +void         modssl_callback_keylog(const SSL *ssl, const char *line);
 +#endif
 +
 /**  I/O  */
 void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
 void         ssl_io_filter_register(apr_pool_t *);
--- a/SOURCES/httpd-2.4.48.tar.bz2.asc
+++ b/SOURCES/httpd-2.4.48.tar.bz2.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJSBAABCgA8FiEExVq3uROesiY80aq8GbAz0XYMInsFAmCi3n8eHGNocmlzdG9w
 aGUuamFpbGxldEB3YW5hZG9vLmZyAAoJEBmwM9F2DCJ7jtwP/R/k4OULx5uQFxyN
 cc4yzClTRK1wK3q5RgGyRH6+eYX6tVOtpPTY0pjLuPaOp05gPg0Ega3tIleEMYvq
 q0oX3yzLKvlHUSFmJuZUACeNYp+ekzEa031SXGWXGQQIh5H3PSmMOTEB/o/3NZuY
 zQmHbuSdQspNmOF7P6q+ZeM3ojZBVnXTWabV4dCEMAFV3iseeB3ZeeXOE1dzcXlA
 Z4nslAC+/ZE1q8eZ17P2t/cD2INVO9rbjSqX2VBjoIG/M57rR/1IAGuktyrMohh+
 ZWBBg2ZRpljTWQpMh+V5fd9inxkDr1DYpML+XkZN+FoE6W1TcXiPeFyp6n6blzWN
 EY1lUGCqBuWsX8F1CRQSyNtQWOF0Wn+XHb1WSepCCBBZ0CPr/hEWQlmHDclO0O6R
 w6H1+xEOFRwa8Mpz1qS0N3Q4WyNeEm66ShNGIqBt1sdiUc4/u0aWyXiKjwPWAs2w
 GWOYnej41jgAn6GNXGfRTeQZrP1o0jDylYLJxDGxC+dS7Z7UXo+P8QK6YuSHqrF+
 0oTSgbYKkCLE3+B9MvCzqSRrvx5zk57gqZl1iMhOj85X5Pv4hSpcokoalrhTy+PQ
 q4v3LK4q4hORS+Jz/jvXB+8HTa6D5A0PdOdlQtXOMlAjLc0PMw2QKgfAoq0jaUyV
 Y4Nh8QSEPWiMKNQgsotZon7c6glp
 =h1iL
 -----END PGP SIGNATURE-----
--- a/SOURCES/httpd-2.4.51-openssl3.patch
+++ b/SOURCES/httpd-2.4.51-openssl3.patch
@ -1,11 +1,9 @@
 https://github.com/apache/httpd/pull/258
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3
-index 4da24eddcc..5d199cddaf 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_init.c
--- a/modules/ssl/ssl_engine_init.c
+@@ -91,7 +91,6 @@
 +++ b/modules/ssl/ssl_engine_init.c
@@ -91,7 +91,6 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
     return 1;
 }
@ -13,7 +11,7 @@ index 4da24eddcc..5d199cddaf 100644
 /*
  * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
-@@ -171,6 +170,7 @@ DH *modssl_get_dh_params(unsigned keylen)
+@@ -171,6 +170,7 @@
     return NULL; /* impossible to reach. */
 }
@ -21,7 +19,7 @@ index 4da24eddcc..5d199cddaf 100644
 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
                                        server_rec *s)
-@@ -440,8 +440,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+@@ -440,8 +440,9 @@
     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
@ -32,19 +30,19 @@ index 4da24eddcc..5d199cddaf 100644
     init_bio_methods();
 #endif
-@@ -834,7 +835,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+@@ -862,7 +863,11 @@
 {
     SSL_CTX *ctx = mctx->ssl_ctx;
 +#if MODSSL_USE_OPENSSL_PRE_1_1_API
 +    /* Note that for OpenSSL>=1.1, auto selection is enabled via
 +     * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 +#else
 +    SSL_CTX_set_dh_auto(ctx, 1);
 +#endif
     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-@@ -843,6 +848,23 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+@@ -871,6 +876,23 @@
 #endif
 }
@ -68,7 +66,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_ctx_verify(server_rec *s,
                                         apr_pool_t *p,
                                         apr_pool_t *ptemp,
-@@ -883,10 +905,8 @@ static apr_status_t ssl_init_ctx_verify(server_rec *s,
+@@ -911,10 +933,8 @@
         ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                      "Configuring client authentication");
@ -81,7 +79,7 @@ index 4da24eddcc..5d199cddaf 100644
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
                     "Unable to configure verify locations "
                     "for client authentication");
-@@ -971,6 +991,23 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
+@@ -999,6 +1019,23 @@
     return APR_SUCCESS;
 }
@ -105,7 +103,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_ctx_crl(server_rec *s,
                                      apr_pool_t *p,
                                      apr_pool_t *ptemp,
-@@ -1009,8 +1046,8 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
+@@ -1037,8 +1074,8 @@
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
                  "Configuring certificate revocation facility");
@ -116,7 +114,7 @@ index 4da24eddcc..5d199cddaf 100644
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
                      "Host %s: unable to configure X.509 CRL storage "
                      "for certificate revocation", mctx->sc->vhost_id);
-@@ -1239,6 +1276,31 @@ static int ssl_no_passwd_prompt_cb(char *buf, int size, int rwflag,
+@@ -1267,6 +1304,31 @@
    return 0;
 }
@ -148,7 +146,7 @@ index 4da24eddcc..5d199cddaf 100644
 static apr_status_t ssl_init_server_certs(server_rec *s,
                                           apr_pool_t *p,
                                           apr_pool_t *ptemp,
-@@ -1249,7 +1311,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1277,7 +1339,7 @@
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
     int i;
     X509 *cert;
@ -157,7 +155,7 @@ index 4da24eddcc..5d199cddaf 100644
 #ifdef HAVE_ECC
     EC_GROUP *ecparams = NULL;
     int nid;
-@@ -1344,8 +1406,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1372,8 +1434,7 @@
         }
         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
                                               SSL_FILETYPE_PEM) < 1)
@ -167,13 +165,15 @@ index 4da24eddcc..5d199cddaf 100644
             ssl_asn1_t *asn1;
             const unsigned char *ptr;
-@@ -1434,12 +1495,12 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+@@ -1462,13 +1523,22 @@
      */
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)
 -        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
 -        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
 +        && (dh = ssl_dh_GetParamFromFile(certfile))) {
 +        /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
 +         * for OpenSSL 3.0+. */
 +        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                      "Custom DH parameters (%d bits) for %s loaded from %s",
@ -182,9 +182,17 @@ index 4da24eddcc..5d199cddaf 100644
 +                     modssl_DH_bits(dh), vhost_id, certfile);
 +        DH_free(dh);
     }
 +#if !MODSSL_USE_OPENSSL_PRE_1_1_API
 +    else {
 +        /* If no parameter is manually configured, enable auto
 +         * selection. */
 +        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
 +    }
 +#endif
 #ifdef HAVE_ECC
-@@ -1490,6 +1551,7 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
+     /*
@@ -1518,6 +1588,7 @@
     char buf[TLSEXT_TICKET_KEY_LEN];
     char *path;
     modssl_ticket_key_t *ticket_key = mctx->ticket_key;
@ -192,7 +200,7 @@ index 4da24eddcc..5d199cddaf 100644
     if (!ticket_key->file_path) {
         return APR_SUCCESS;
-@@ -1517,11 +1579,22 @@ static apr_status_t ssl_init_ticket_key(server_rec *s,
+@@ -1545,11 +1616,22 @@
     }
     memcpy(ticket_key->key_name, buf, 16);
@ -219,7 +227,7 @@ index 4da24eddcc..5d199cddaf 100644
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
                      "Unable to initialize TLS session ticket key callback "
                      "(incompatible OpenSSL version?)");
-@@ -1652,7 +1725,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
+@@ -1680,7 +1762,7 @@
         return ssl_die(s);
     }
@ -228,7 +236,7 @@ index 4da24eddcc..5d199cddaf 100644
     for (n = 0; n < ncerts; n++) {
         int i;
-@@ -2249,10 +2322,11 @@ apr_status_t ssl_init_ModuleKill(void *data)
+@@ -2277,10 +2359,11 @@
     }
@ -242,11 +250,9 @@ index 4da24eddcc..5d199cddaf 100644
     return APR_SUCCESS;
 }
-diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3
-index cabf753790..3db7077f1e 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_io.c
--- a/modules/ssl/ssl_engine_io.c
+@@ -194,6 +194,10 @@
 +++ b/modules/ssl/ssl_engine_io.c
@@ -194,6 +194,10 @@ static int bio_filter_destroy(BIO *bio)
 static int bio_filter_out_read(BIO *bio, char *out, int outl)
 {
     /* this is never called */
@ -257,7 +263,7 @@ index cabf753790..3db7077f1e 100644
     return -1;
 }
-@@ -293,12 +297,20 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
+@@ -293,12 +297,20 @@
 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
 {
     /* this is never called */
@ -278,7 +284,7 @@ index cabf753790..3db7077f1e 100644
     return -1;
 }
-@@ -533,22 +545,47 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
+@@ -533,22 +545,47 @@
 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
 {
@ -327,7 +333,7 @@ index cabf753790..3db7077f1e 100644
 }
 #if MODSSL_USE_OPENSSL_PRE_1_1_API
-@@ -573,7 +610,7 @@ static BIO_METHOD bio_filter_in_method = {
+@@ -573,7 +610,7 @@
     bio_filter_in_read,
     bio_filter_in_puts,         /* puts is never called */
     bio_filter_in_gets,         /* gets is never called */
@ -336,11 +342,9 @@ index cabf753790..3db7077f1e 100644
     bio_filter_create,
     bio_filter_destroy,
     NULL
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3
-index b99dcf19d4..aced92d2d0 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c
--- a/modules/ssl/ssl_engine_kernel.c
+@@ -1685,6 +1685,7 @@
 +++ b/modules/ssl/ssl_engine_kernel.c
@@ -1685,6 +1685,7 @@ const authz_provider ssl_authz_provider_verify_client =
 **  _________________________________________________________________
 */
@ -348,7 +352,7 @@ index b99dcf19d4..aced92d2d0 100644
 /*
  * Hand out standard DH parameters, based on the authentication strength
  */
-@@ -1730,6 +1731,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
+@@ -1730,6 +1731,7 @@
     return modssl_get_dh_params(keylen);
 }
@ -356,7 +360,7 @@ index b99dcf19d4..aced92d2d0 100644
 /*
  * This OpenSSL callback function is called when OpenSSL
-@@ -2614,7 +2616,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2614,7 +2616,11 @@
                                unsigned char *keyname,
                                unsigned char *iv,
                                EVP_CIPHER_CTX *cipher_ctx,
@ -369,7 +373,7 @@ index b99dcf19d4..aced92d2d0 100644
                                int mode)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-@@ -2641,7 +2647,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2640,7 +2646,13 @@
         }
         EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ticket_key->aes_key, iv);
@ -384,7 +388,7 @@ index b99dcf19d4..aced92d2d0 100644
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
                       "TLS session ticket key for %s successfully set, "
-@@ -2662,7 +2674,13 @@ int ssl_callback_SessionTicket(SSL *ssl,
+@@ -2661,7 +2673,13 @@
         EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ticket_key->aes_key, iv);
@ -399,11 +403,9 @@ index b99dcf19d4..aced92d2d0 100644
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
                       "TLS session ticket key for %s successfully set, "
-diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
+--- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3
-index 7dbbbdb55e..3b3ceacf0a 100644
+++ httpd-2.4.51/modules/ssl/ssl_engine_log.c
--- a/modules/ssl/ssl_engine_log.c
+@@ -78,6 +78,16 @@
 +++ b/modules/ssl/ssl_engine_log.c
@@ -78,6 +78,16 @@ apr_status_t ssl_die(server_rec *s)
     return APR_EGENERAL;
 }
@ -420,7 +422,7 @@ index 7dbbbdb55e..3b3ceacf0a 100644
 /*
  * Prints the SSL library error information.
  */
-@@ -87,7 +97,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
+@@ -87,7 +97,7 @@
     const char *data;
     int flags;
@ -429,10 +431,8 @@ index 7dbbbdb55e..3b3ceacf0a 100644
         const char *annotation;
         char err[256];
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+--- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3
-index a6fc7513a2..b091c58c94 100644
+++ httpd-2.4.51/modules/ssl/ssl_private.h
 --- a/modules/ssl/ssl_private.h
 +++ b/modules/ssl/ssl_private.h
@@ -89,6 +89,9 @@
 /* must be defined before including ssl.h */
 #define OPENSSL_NO_SSL_INTERN
@ -459,7 +459,7 @@ index a6fc7513a2..b091c58c94 100644
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif
-@@ -674,7 +676,11 @@ typedef struct {
+@@ -681,7 +683,11 @@
 typedef struct {
     const char *file_path;
     unsigned char key_name[16];
@ -471,7 +471,7 @@ index a6fc7513a2..b091c58c94 100644
     unsigned char aes_key[16];
 } modssl_ticket_key_t;
 #endif
-@@ -938,8 +944,16 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+@@ -945,8 +951,16 @@
 int          ssl_callback_ClientHello(SSL *, int *, void *);
 #endif
 #ifdef HAVE_TLS_SESSION_TICKETS
@ -490,7 +490,7 @@ index a6fc7513a2..b091c58c94 100644
 #endif
 #ifdef HAVE_TLS_ALPN
-@@ -1112,10 +1126,12 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
+@@ -1124,10 +1138,12 @@
 #endif
--- a/SOURCES/httpd-2.4.51-r1877397.patch
+++ b/SOURCES/httpd-2.4.51-r1877397.patch
@ -1,8 +1,8 @@
 diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 699bdcd..15f68f9 100644
+index 211ebff..c8cb1af 100644
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1877397
+--- a/modules/ssl/ssl_engine_init.c
-+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
-@@ -871,6 +871,13 @@
+@@ -871,6 +871,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
         SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
     }
 #endif
@ -16,7 +16,7 @@ index 699bdcd..15f68f9 100644
     return APR_SUCCESS;
 }
-@@ -892,6 +899,14 @@
+@@ -892,6 +899,14 @@ static void ssl_init_ctx_session_cache(server_rec *s,
     }
 }
@ -31,8 +31,8 @@ index 699bdcd..15f68f9 100644
 static void ssl_init_ctx_callbacks(server_rec *s,
                                    apr_pool_t *p,
                                    apr_pool_t *ptemp,
-@@ -905,7 +920,13 @@
+@@ -905,7 +920,13 @@ static void ssl_init_ctx_callbacks(server_rec *s,
-     SSL_CTX_set_dh_auto(ctx, 1);
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 #endif
 -    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
@ -46,9 +46,11 @@ index 699bdcd..15f68f9 100644
 #ifdef HAVE_TLS_ALPN
     SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
--- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1877397
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
-+++ httpd-2.4.48/modules/ssl/ssl_engine_io.c
+index 79b9a70..3a0c22a 100644
-@@ -209,11 +209,13 @@
+--- a/modules/ssl/ssl_engine_io.c
 +++ b/modules/ssl/ssl_engine_io.c
@@ -209,11 +209,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
     BIO_clear_retry_flags(bio);
@ -62,7 +64,7 @@ index 699bdcd..15f68f9 100644
     ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
                   "bio_filter_out_write: %i bytes", inl);
-@@ -474,11 +476,13 @@
+@@ -474,11 +476,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
     BIO_clear_retry_flags(bio);
@ -76,9 +78,11 @@ index 699bdcd..15f68f9 100644
     if (!inctx->bb) {
         inctx->rc = APR_EOF;
--- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1877397
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c
+index 591f6ae..8416864 100644
-@@ -992,7 +992,7 @@
+--- a/modules/ssl/ssl_engine_kernel.c
 +++ b/modules/ssl/ssl_engine_kernel.c
@@ -992,7 +992,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
             /* Toggle the renegotiation state to allow the new
              * handshake to proceed. */
@ -87,7 +91,7 @@ index 699bdcd..15f68f9 100644
             SSL_renegotiate(ssl);
             SSL_do_handshake(ssl);
-@@ -1019,7 +1019,7 @@
+@@ -1019,7 +1019,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
              */
             SSL_peek(ssl, peekbuf, 0);
@ -96,7 +100,7 @@ index 699bdcd..15f68f9 100644
             if (!SSL_is_init_finished(ssl)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
-@@ -1078,7 +1078,7 @@
+@@ -1078,7 +1078,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
         (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
         int vmode_inplace, vmode_needed;
         int change_vmode = FALSE;
@ -105,7 +109,7 @@ index 699bdcd..15f68f9 100644
         vmode_inplace = SSL_get_verify_mode(ssl);
         vmode_needed = SSL_VERIFY_NONE;
-@@ -1180,8 +1180,6 @@
+@@ -1180,8 +1180,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
                 return HTTP_FORBIDDEN;
             }
@ -114,7 +118,7 @@ index 699bdcd..15f68f9 100644
             modssl_set_app_data2(ssl, r);
             SSL_do_handshake(ssl);
-@@ -1191,7 +1189,6 @@
+@@ -1191,7 +1189,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
              */
             SSL_peek(ssl, peekbuf, 0);
@ -122,7 +126,7 @@ index 699bdcd..15f68f9 100644
             modssl_set_app_data2(ssl, NULL);
             /*
-@@ -2263,8 +2260,8 @@
+@@ -2263,8 +2260,8 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c,
 /*
  * This callback function is executed while OpenSSL processes the SSL
  * handshake and does SSL record layer stuff.  It's used to trap
@ -133,7 +137,7 @@ index 699bdcd..15f68f9 100644
  */
 void ssl_callback_Info(const SSL *ssl, int where, int rc)
 {
-@@ -2276,14 +2273,12 @@
+@@ -2276,14 +2273,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
         return;
     }
@ -154,7 +158,7 @@ index 699bdcd..15f68f9 100644
     {
         SSLConnRec *sslconn;
-@@ -2308,6 +2303,7 @@
+@@ -2308,6 +2303,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
             sslconn->reneg_state = RENEG_REJECT;
         }
     }
@ -162,9 +166,11 @@ index 699bdcd..15f68f9 100644
     s = mySrvFromConn(c);
     if (s && APLOGdebug(s)) {
--- httpd-2.4.48/modules/ssl/ssl_private.h.r1877397
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
-+++ httpd-2.4.48/modules/ssl/ssl_private.h
+index a329d99..7666c31 100644
-@@ -512,6 +512,16 @@
+--- a/modules/ssl/ssl_private.h
 +++ b/modules/ssl/ssl_private.h
@@ -512,6 +512,16 @@ typedef struct {
     apr_time_t     source_mtime;
 } ssl_asn1_t;
@ -181,7 +187,7 @@ index 699bdcd..15f68f9 100644
 /**
  * Define the mod_ssl per-module configuration structure
  * (i.e. the global configuration for each httpd process)
-@@ -544,18 +554,13 @@
+@@ -543,18 +553,13 @@ typedef struct {
         NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
     } non_ssl_request;
@ -207,7 +213,7 @@ index 699bdcd..15f68f9 100644
     server_rec *server;
     SSLDirConfigRec *dc;
-@@ -1160,6 +1165,9 @@
+@@ -1158,6 +1163,9 @@ int ssl_is_challenge(conn_rec *c, const char *servername,
  * the configured ENGINE. */
 int modssl_is_engine_id(const char *name);
@ -217,9 +223,11 @@ index 699bdcd..15f68f9 100644
 #endif /* SSL_PRIVATE_H */
 /** @} */
--- httpd-2.4.48/modules/ssl/ssl_util_ssl.c.r1877397
+diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
-+++ httpd-2.4.48/modules/ssl/ssl_util_ssl.c
+index 38079a9..dafb833 100644
-@@ -589,3 +589,19 @@
+--- a/modules/ssl/ssl_util_ssl.c
 +++ b/modules/ssl/ssl_util_ssl.c
@@ -589,3 +589,19 @@ cleanup:
     }
     return rv;
 }
--- a/SOURCES/httpd-2.4.51.tar.bz2.asc
+++ b/SOURCES/httpd-2.4.51.tar.bz2.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 Comment: GPGTools - https://gpgtools.org
 iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmFe8kEACgkQ03fJ59GU
 TGatthAAtWzeOD1TCIEvf5f9bAIZDK9vjEEnBZDeYMMrH1wVJGNJm48XP08O/Kbq
 qhvc9201RUwkAtWEUX811ZBAYd5A8lAqetfmIuCSHerYSOU0CbhvBjKsuIJVIKWD
 Wo1uPUDWk068V0HBquQtW6AEB4oo16fKPMEr1aOOxFpR+F806daJN1gt3ubPzkNJ
 rZd4E6dV00eEymeUIfk0BjDqSWKHmUr+08/dtWqc7kGYGcnJzu0e5pr6cc0hOV2o
 mqYm28F7eMSe5JCnAOd1LnnqtOwV81mZLxiAxR40PoFhV7IoBLo0zAJ99AHxJfA2
 9RjCmZ/WYtleeDT7mC1cdATHKOPRaubklzK6Ntf7tMaRIO07hnIfIRXQveKG7h+G
 Og6PGtfR9bwDGrg2f5Dr+R2fwUJO7EL31IxTYQFBUDe2Q82aNIWpdIFdte93nc+S
 HqjWq3w6zq+jdSm3xvyLB0LLSOguXhcjj5VEqV+aExZPASbf+Q8bG51mSbMQhkaq
 fEheFcdhu3Sm0x5xQXvEM3gX5XUr8vmrPWaacayPYfS7MinWukV0hXe5/DoYkFTt
 a1pt6bHcyVfR0tB0Q3bvm59EeaxLVfogb6Eq74RlrfYiCU/Qx7bMUs3tSeIkHGmY
 cNhpxzc/36i4Cf+fBDPKuJroXYV5wFoQmpnXVLAqRd6jWZcOizY=
 =f5dx
 -----END PGP SIGNATURE-----
--- a/SOURCES/httpd.conf
+++ b/SOURCES/httpd.conf
@ -38,8 +38,10 @@ ServerRoot "/etc/httpd"
 # ports, instead of the default. See also the <VirtualHost>
 # directive.
 #
-# Change this to Listen on specific IP addresses as shown below to 
+# Change this to Listen on a specific IP address, but note that if
-# prevent Apache from glomming onto all bound IP addresses.
+# httpd.service is enabled to run at boot time, the address may not be
 # available when the service starts.  See the httpd.service(8) man
 # page for more information.
 #
 #Listen 12.34.56.78:80
 Listen 80
--- a/SOURCES/ssl.conf
+++ b/SOURCES/ssl.conf
@ -23,22 +23,6 @@ SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
 SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout  300
 #   Pseudo Random Number Generator (PRNG):
 #   Configure one or more sources to seed the PRNG of the 
 #   SSL library. The seed data should be of good random quality.
 #   WARNING! On some platforms /dev/random blocks if not enough entropy
 #   is available. This means you then cannot use the /dev/random device
 #   because it would lead to very long connection times (as long as
 #   it requires to make more entropy available). But usually those
 #   platforms additionally provide a /dev/urandom device which doesn't
 #   block. So, if available, use this one instead. Read the mod_ssl User
 #   Manual for more details.
 SSLRandomSeed startup file:/dev/urandom  256
 SSLRandomSeed connect builtin
 #SSLRandomSeed startup file:/dev/random  512
 #SSLRandomSeed connect file:/dev/random  512
 #SSLRandomSeed connect file:/dev/urandom 512
 #
 # Use "SSLCryptoDevice" to enable any supported hardware
 # accelerators. Use "openssl engine -v" to list supported
@ -70,7 +54,7 @@ LogLevel warn
 SSLEngine on
 #   List the protocol versions which clients are allowed to connect with.
-#   The OpenSSL system profile is configured by default.  See
+#   The OpenSSL system profile is used by default.  See
 #   update-crypto-policies(8) for more details.
 #SSLProtocol all -SSLv3
 #SSLProxyProtocol all -SSLv3
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -12,8 +12,8 @@
 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.48
+Version: 2.4.51
-Release: 17%{?dist}
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -76,7 +76,6 @@ Patch25: httpd-2.4.43-selinux.patch
 Patch26: httpd-2.4.43-gettid.patch
 Patch27: httpd-2.4.43-icons.patch
 Patch30: httpd-2.4.43-cachehardmax.patch
 Patch32: httpd-2.4.48-r1869842.patch
 Patch34: httpd-2.4.43-socket-activation.patch
 Patch38: httpd-2.4.43-sslciphdefault.patch
 Patch39: httpd-2.4.43-sslprotdefault.patch
@ -91,6 +90,8 @@ Patch47: httpd-2.4.43-pr37355.patch
 Patch48: httpd-2.4.46-freebind.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950021
 Patch49: httpd-2.4.48-ssl-proxy-chains.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2004143
 Patch50: httpd-2.4.48-r1825120.patch
 # Bug fixes
@ -99,11 +100,11 @@ Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1986822
 # https://bugzilla.redhat.com/show_bug.cgi?id=1976080
-Patch62: httpd-2.4.48-openssl3.patch
+Patch62: httpd-2.4.51-openssl3.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
 Patch64: httpd-2.4.48-full-release.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011
-Patch65: httpd-2.4.48-r1877397.patch
+Patch65: httpd-2.4.51-r1877397.patch
 # Security fixes
@ -242,7 +243,6 @@ written in the Lua programming language.
 %patch26 -p1 -b .gettid
 %patch27 -p1 -b .icons
 %patch30 -p1 -b .cachehardmax
 %patch32 -p1 -b .r1869842
 %patch34 -p1 -b .socketactivation
 %patch38 -p1 -b .sslciphdefault
 %patch39 -p1 -b .sslprotdefault
@ -254,6 +254,7 @@ written in the Lua programming language.
 %patch47 -p1 -b .pr37355
 %patch48 -p1 -b .freebind
 %patch49 -p1 -b .ssl-proxy-chains
 %patch50 -p1 -b .r1825120
 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .htcacheclean-dont-break
@ -806,6 +807,19 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Mon Nov 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-2
 - Resolves: #2005416 - httpd default configuration changes
 * Tue Oct 19 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-1
 - new version 2.4.51 (#2011090)
 * Fri Sep 17 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1
 - new version 2.4.49 (#2005339)
 * Wed Sep 15 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-18
 - Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which
  differ only in case
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-17
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
`@ -1,2 +1,2 @@`
	`SOURCES/apache-poweredby.png`	`SOURCES/apache-poweredby.png`
	`SOURCES/httpd-2.4.48.tar.bz2`	`SOURCES/httpd-2.4.51.tar.bz2`
`@ -1,2 +1,2 @@`
	`3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png`	`3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png`
	`834876db80fc290e531f0e088d255434828b81b5 SOURCES/httpd-2.4.48.tar.bz2`	`d8ae02630f836d7cf60e24f4676e633518f16e2b SOURCES/httpd-2.4.51.tar.bz2`