parent
b52ebeb33d
commit
369db50dd0
@ -1,33 +0,0 @@
|
|||||||
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1109119
|
|
||||||
|
|
||||||
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
|
|
||||||
|
|
||||||
--- httpd-2.4.33/modules/ssl/ssl_engine_config.c.sslciphdefault
|
|
||||||
+++ httpd-2.4.33/modules/ssl/ssl_engine_config.c
|
|
||||||
@@ -758,8 +758,10 @@
|
|
||||||
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
|
||||||
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
|
|
||||||
|
|
||||||
- /* always disable null and export ciphers */
|
|
||||||
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
|
||||||
+ /* Disable null and export ciphers by default, except for PROFILE=
|
|
||||||
+ * configs where the parser doesn't cope. */
|
|
||||||
+ if (strncmp(arg, "PROFILE=", 8) != 0)
|
|
||||||
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
|
||||||
|
|
||||||
if (cmd->path) {
|
|
||||||
dc->szCipherSuite = arg;
|
|
||||||
@@ -1502,8 +1504,10 @@
|
|
||||||
{
|
|
||||||
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
|
|
||||||
|
|
||||||
- /* always disable null and export ciphers */
|
|
||||||
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
|
||||||
+ /* Disable null and export ciphers by default, except for PROFILE=
|
|
||||||
+ * configs where the parser doesn't cope. */
|
|
||||||
+ if (strncmp(arg, "PROFILE=", 8) != 0)
|
|
||||||
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
|
||||||
|
|
||||||
dc->proxy->auth.cipher_suite = arg;
|
|
||||||
|
|
@ -1,15 +1,7 @@
|
|||||||
# ./pullrev.sh 1827912 1827924 1827992 1828220 1828222 1828720 1828723 1828790 1828791 1828792
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1827912
|
Pull all changes from upstream integration branch:
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1827924
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1827992
|
svn diff -r1840105:1841219 https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828220
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828222
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828720
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828723
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828790
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828791
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1828792
|
|
||||||
http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|
||||||
|
|
||||||
--- httpd-2.4.34/modules/ssl/mod_ssl.c.r1827912+
|
--- httpd-2.4.34/modules/ssl/mod_ssl.c.r1827912+
|
||||||
+++ httpd-2.4.34/modules/ssl/mod_ssl.c
|
+++ httpd-2.4.34/modules/ssl/mod_ssl.c
|
||||||
@ -65,7 +57,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
|
|
||||||
cfgMergeInt(ocsp_mask);
|
cfgMergeInt(ocsp_mask);
|
||||||
cfgMergeBool(ocsp_force_default);
|
cfgMergeBool(ocsp_force_default);
|
||||||
@@ -761,24 +763,39 @@
|
@@ -761,22 +763,37 @@
|
||||||
|
|
||||||
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
|
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
|
||||||
void *dcfg,
|
void *dcfg,
|
||||||
@ -75,27 +67,20 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||||
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
|
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
|
||||||
|
|
||||||
- /* Disable null and export ciphers by default, except for PROFILE=
|
- /* always disable null and export ciphers */
|
||||||
- * configs where the parser doesn't cope. */
|
|
||||||
- if (strncmp(arg, "PROFILE=", 8) != 0)
|
|
||||||
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
-
|
-
|
||||||
- if (cmd->path) {
|
- if (cmd->path) {
|
||||||
- dc->szCipherSuite = arg;
|
- dc->szCipherSuite = arg;
|
||||||
- }
|
|
||||||
- else {
|
|
||||||
- sc->server->auth.cipher_suite = arg;
|
|
||||||
+ if (arg2 == NULL) {
|
+ if (arg2 == NULL) {
|
||||||
+ arg2 = arg1;
|
+ arg2 = arg1;
|
||||||
+ arg1 = "SSL";
|
+ arg1 = "SSL";
|
||||||
}
|
}
|
||||||
-
|
- else {
|
||||||
- return NULL;
|
- sc->server->auth.cipher_suite = arg;
|
||||||
+
|
+
|
||||||
+ if (!strcmp("SSL", arg1)) {
|
+ if (!strcmp("SSL", arg1)) {
|
||||||
+ /* Disable null and export ciphers by default, except for PROFILE=
|
+ /* always disable null and export ciphers */
|
||||||
+ * configs where the parser doesn't cope. */
|
|
||||||
+ if (strncmp(arg2, "PROFILE=", 8) != 0)
|
|
||||||
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
+ if (cmd->path) {
|
+ if (cmd->path) {
|
||||||
+ dc->szCipherSuite = arg2;
|
+ dc->szCipherSuite = arg2;
|
||||||
@ -104,8 +89,10 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+ sc->server->auth.cipher_suite = arg2;
|
+ sc->server->auth.cipher_suite = arg2;
|
||||||
+ }
|
+ }
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+ }
|
}
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
-
|
||||||
|
- return NULL;
|
||||||
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ else if (!strcmp("TLSv1.3", arg1)) {
|
+ else if (!strcmp("TLSv1.3", arg1)) {
|
||||||
+ if (cmd->path) {
|
+ if (cmd->path) {
|
||||||
+ return "TLSv1.3 ciphers cannot be set inside a directory context";
|
+ return "TLSv1.3 ciphers cannot be set inside a directory context";
|
||||||
@ -118,7 +105,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
}
|
}
|
||||||
|
|
||||||
#define SSL_FLAGS_CHECK_FILE \
|
#define SSL_FLAGS_CHECK_FILE \
|
||||||
@@ -1451,6 +1468,9 @@
|
@@ -1449,6 +1466,9 @@
|
||||||
else if (strcEQ(w, "TLSv1.2")) {
|
else if (strcEQ(w, "TLSv1.2")) {
|
||||||
thisopt = SSL_PROTOCOL_TLSV1_2;
|
thisopt = SSL_PROTOCOL_TLSV1_2;
|
||||||
}
|
}
|
||||||
@ -128,7 +115,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
#endif
|
#endif
|
||||||
else if (strcEQ(w, "all")) {
|
else if (strcEQ(w, "all")) {
|
||||||
thisopt = SSL_PROTOCOL_ALL;
|
thisopt = SSL_PROTOCOL_ALL;
|
||||||
@@ -1512,18 +1532,30 @@
|
@@ -1510,16 +1530,28 @@
|
||||||
|
|
||||||
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
|
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
|
||||||
void *dcfg,
|
void *dcfg,
|
||||||
@ -137,9 +124,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
{
|
{
|
||||||
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
|
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
|
||||||
-
|
-
|
||||||
- /* Disable null and export ciphers by default, except for PROFILE=
|
- /* always disable null and export ciphers */
|
||||||
- * configs where the parser doesn't cope. */
|
|
||||||
- if (strncmp(arg, "PROFILE=", 8) != 0)
|
|
||||||
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
-
|
-
|
||||||
- dc->proxy->auth.cipher_suite = arg;
|
- dc->proxy->auth.cipher_suite = arg;
|
||||||
@ -152,14 +137,12 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (!strcmp("SSL", arg1)) {
|
+ if (!strcmp("SSL", arg1)) {
|
||||||
+ /* Disable null and export ciphers by default, except for PROFILE=
|
+ /* always disable null and export ciphers */
|
||||||
+ * configs where the parser doesn't cope. */
|
|
||||||
+ if (strncmp(arg2, "PROFILE=", 8) != 0)
|
|
||||||
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
+ dc->proxy->auth.cipher_suite = arg2;
|
+ dc->proxy->auth.cipher_suite = arg2;
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+ }
|
+ }
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ else if (!strcmp("TLSv1.3", arg1)) {
|
+ else if (!strcmp("TLSv1.3", arg1)) {
|
||||||
+ dc->proxy->auth.tls13_ciphers = arg2;
|
+ dc->proxy->auth.tls13_ciphers = arg2;
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
@ -185,7 +168,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
TLSv1_2_client_method() : /* proxy */
|
TLSv1_2_client_method() : /* proxy */
|
||||||
TLSv1_2_server_method(); /* server */
|
TLSv1_2_server_method(); /* server */
|
||||||
}
|
}
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ else if (protocol == SSL_PROTOCOL_TLSV1_3) {
|
+ else if (protocol == SSL_PROTOCOL_TLSV1_3) {
|
||||||
+ method = mctx->pkp ?
|
+ method = mctx->pkp ?
|
||||||
+ TLSv1_3_client_method() : /* proxy */
|
+ TLSv1_3_client_method() : /* proxy */
|
||||||
@ -205,19 +188,19 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
/* always disable SSLv2, as per RFC 6176 */
|
/* always disable SSLv2, as per RFC 6176 */
|
||||||
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
||||||
|
|
||||||
@@ -640,9 +651,19 @@
|
@@ -639,10 +650,19 @@
|
||||||
|
if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
|
||||||
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
|
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
|
||||||
}
|
}
|
||||||
#endif
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
|
||||||
+ if (!(protocol & SSL_PROTOCOL_TLSV1_3)) {
|
+ protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
|
||||||
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
|
|
||||||
+ }
|
|
||||||
+#endif
|
+#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
|
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
|
||||||
/* We first determine the maximum protocol version we should provide */
|
/* We first determine the maximum protocol version we should provide */
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
|
+ if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
|
||||||
+ prot = TLS1_3_VERSION;
|
+ prot = TLS1_3_VERSION;
|
||||||
+ } else
|
+ } else
|
||||||
@ -225,11 +208,11 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
if (protocol & SSL_PROTOCOL_TLSV1_2) {
|
if (protocol & SSL_PROTOCOL_TLSV1_2) {
|
||||||
prot = TLS1_2_VERSION;
|
prot = TLS1_2_VERSION;
|
||||||
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
|
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
|
||||||
@@ -664,6 +685,11 @@
|
@@ -664,6 +684,11 @@
|
||||||
|
|
||||||
/* Next we scan for the minimal protocol version we should provide,
|
/* Next we scan for the minimal protocol version we should provide,
|
||||||
* but we do not allow holes between max and min */
|
* but we do not allow holes between max and min */
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
|
+ if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
|
||||||
+ prot = TLS1_2_VERSION;
|
+ prot = TLS1_2_VERSION;
|
||||||
+ }
|
+ }
|
||||||
@ -237,12 +220,26 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
|
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
|
||||||
prot = TLS1_1_VERSION;
|
prot = TLS1_1_VERSION;
|
||||||
}
|
}
|
||||||
@@ -888,7 +914,15 @@
|
@@ -736,6 +761,13 @@
|
||||||
|
SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
|
||||||
|
+ /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible
|
||||||
|
+ * to consume handshake records without blocking for app-data.
|
||||||
|
+ * https://github.com/openssl/openssl/issues/7178 */
|
||||||
|
+ SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return APR_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -888,7 +920,15 @@
|
||||||
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
||||||
return ssl_die(s);
|
return ssl_die(s);
|
||||||
}
|
}
|
||||||
-
|
-
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ if (mctx->auth.tls13_ciphers
|
+ if (mctx->auth.tls13_ciphers
|
||||||
+ && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
|
+ && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
|
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
|
||||||
@ -254,6 +251,20 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
return APR_SUCCESS;
|
return APR_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -1493,6 +1533,13 @@
|
||||||
|
X509_STORE_CTX *sctx;
|
||||||
|
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
|
||||||
|
+ /* For OpenSSL >=1.1.1, turn on client cert support which is
|
||||||
|
+ * otherwise turned off by default (by design).
|
||||||
|
+ * https://github.com/openssl/openssl/issues/6933 */
|
||||||
|
+ SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
|
||||||
|
ssl_callback_proxy_cert);
|
||||||
|
|
||||||
--- httpd-2.4.34/modules/ssl/ssl_engine_kernel.c.r1827912+
|
--- httpd-2.4.34/modules/ssl/ssl_engine_kernel.c.r1827912+
|
||||||
+++ httpd-2.4.34/modules/ssl/ssl_engine_kernel.c
|
+++ httpd-2.4.34/modules/ssl/ssl_engine_kernel.c
|
||||||
@@ -188,6 +188,12 @@
|
@@ -188,6 +188,12 @@
|
||||||
@ -269,77 +280,38 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -424,21 +430,55 @@
|
@@ -424,87 +430,70 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
+static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc,
|
-/*
|
||||||
+ SSLDirConfigRec *dc, SSL *ssl)
|
|
||||||
+{
|
|
||||||
+ /*
|
|
||||||
+ * Finally check for acceptable renegotiation results
|
|
||||||
+ */
|
|
||||||
+ if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
|
|
||||||
+ (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
|
|
||||||
+ BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
|
|
||||||
+ (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
|
|
||||||
+
|
|
||||||
+ if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
|
|
||||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
|
|
||||||
+ "Re-negotiation handshake failed: "
|
|
||||||
+ "Client verification failed");
|
|
||||||
+
|
|
||||||
+ return HTTP_FORBIDDEN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (do_verify) {
|
|
||||||
+ X509 *peercert;
|
|
||||||
+
|
|
||||||
+ if ((peercert = SSL_get_peer_certificate(ssl)) == NULL) {
|
|
||||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
|
|
||||||
+ "Re-negotiation handshake failed: "
|
|
||||||
+ "Client certificate missing");
|
|
||||||
+
|
|
||||||
+ return HTTP_FORBIDDEN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ X509_free(peercert);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
- * Access Handler
|
- * Access Handler
|
||||||
+ * Access Handler, classic flavour, for SSL/TLS up to v1.2
|
- */
|
||||||
+ * where everything can be renegotiated and no one is happy.
|
|
||||||
*/
|
|
||||||
-int ssl_hook_Access(request_rec *r)
|
-int ssl_hook_Access(request_rec *r)
|
||||||
+static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
|
+static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc,
|
||||||
+ SSLConnRec *sslconn, SSL *ssl)
|
+ SSLDirConfigRec *dc, SSLConnRec *sslconn,
|
||||||
|
+ SSL *ssl)
|
||||||
{
|
{
|
||||||
- SSLDirConfigRec *dc = myDirConfig(r);
|
- SSLDirConfigRec *dc = myDirConfig(r);
|
||||||
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
||||||
- SSLConnRec *sslconn = myConnConfig(r->connection);
|
- SSLConnRec *sslconn = myConnConfig(r->connection);
|
||||||
- SSL *ssl = sslconn ? sslconn->ssl : NULL;
|
- SSL *ssl = sslconn ? sslconn->ssl : NULL;
|
||||||
server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
|
- server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
|
||||||
SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
- SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
||||||
SSL_CTX *ctx = NULL;
|
- SSL_CTX *ctx = NULL;
|
||||||
apr_array_header_t *requires;
|
- apr_array_header_t *requires;
|
||||||
ssl_require_t *ssl_requires;
|
- ssl_require_t *ssl_requires;
|
||||||
- int ok, i;
|
- int ok, i;
|
||||||
+ int ok, i, rc;
|
- BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
|
||||||
BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
|
|
||||||
X509 *cert;
|
X509 *cert;
|
||||||
X509 *peercert;
|
- X509 *peercert;
|
||||||
@@ -446,66 +486,9 @@
|
- X509_STORE *cert_store = NULL;
|
||||||
X509_STORE_CTX *cert_store_ctx;
|
- X509_STORE_CTX *cert_store_ctx;
|
||||||
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
|
- STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
|
||||||
const SSL_CIPHER *cipher = NULL;
|
- const SSL_CIPHER *cipher = NULL;
|
||||||
- int depth, verify_old, verify, n, is_slave = 0;
|
- int depth, verify_old, verify, n, is_slave = 0;
|
||||||
+ int depth, verify_old, verify, n;
|
- const char *ncipher_suite;
|
||||||
const char *ncipher_suite;
|
-
|
||||||
|
|
||||||
- /* On a slave connection, we do not expect to have an SSLConnRec, but
|
- /* On a slave connection, we do not expect to have an SSLConnRec, but
|
||||||
- * our master connection might have one. */
|
- * our master connection might have one. */
|
||||||
- if (!(sslconn && ssl) && r->connection->master) {
|
- if (!(sslconn && ssl) && r->connection->master) {
|
||||||
@ -349,7 +321,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
- hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
- hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
||||||
- is_slave = 1;
|
- is_slave = 1;
|
||||||
- }
|
- }
|
||||||
-
|
|
||||||
- if (ssl) {
|
- if (ssl) {
|
||||||
- /*
|
- /*
|
||||||
- * We should have handshaken here (on handshakeserver),
|
- * We should have handshaken here (on handshakeserver),
|
||||||
@ -360,13 +332,23 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
- */
|
- */
|
||||||
- if (!SSL_is_init_finished(ssl)) {
|
- if (!SSL_is_init_finished(ssl)) {
|
||||||
- return HTTP_FORBIDDEN;
|
- return HTTP_FORBIDDEN;
|
||||||
- }
|
+ /*
|
||||||
|
+ * Remember the peer certificate's DN
|
||||||
|
+ */
|
||||||
|
+ if ((cert = SSL_get_peer_certificate(ssl))) {
|
||||||
|
+ if (sslconn->client_cert) {
|
||||||
|
+ X509_free(sslconn->client_cert);
|
||||||
|
}
|
||||||
- ctx = SSL_get_SSL_CTX(ssl);
|
- ctx = SSL_get_SSL_CTX(ssl);
|
||||||
- }
|
+ sslconn->client_cert = cert;
|
||||||
|
+ sslconn->client_dn = NULL;
|
||||||
|
}
|
||||||
-
|
-
|
||||||
- /*
|
+
|
||||||
|
/*
|
||||||
- * Support for SSLRequireSSL directive
|
- * Support for SSLRequireSSL directive
|
||||||
- */
|
+ * Finally check for acceptable renegotiation results
|
||||||
|
*/
|
||||||
- if (dc->bSSLRequired && !ssl) {
|
- if (dc->bSSLRequired && !ssl) {
|
||||||
- if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) {
|
- if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) {
|
||||||
- /* This vhost was configured for optional SSL, just tell the
|
- /* This vhost was configured for optional SSL, just tell the
|
||||||
@ -374,20 +356,40 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
- */
|
- */
|
||||||
- apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
|
- apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
|
||||||
- apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
|
- apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
|
||||||
-
|
+ if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
|
||||||
|
+ (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
|
||||||
|
+ BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
|
||||||
|
+ (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
|
||||||
|
+
|
||||||
|
+ if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
|
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
|
||||||
|
+ "Re-negotiation handshake failed: "
|
||||||
|
+ "Client verification failed");
|
||||||
|
|
||||||
- return HTTP_UPGRADE_REQUIRED;
|
- return HTTP_UPGRADE_REQUIRED;
|
||||||
- }
|
+ return HTTP_FORBIDDEN;
|
||||||
-
|
}
|
||||||
|
|
||||||
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
|
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
|
||||||
- "access to %s failed, reason: %s",
|
- "access to %s failed, reason: %s",
|
||||||
- r->filename, "SSL connection required");
|
- r->filename, "SSL connection required");
|
||||||
-
|
-
|
||||||
- /* remember forbidden access for strict require option */
|
- /* remember forbidden access for strict require option */
|
||||||
- apr_table_setn(r->notes, "ssl-access-forbidden", "1");
|
- apr_table_setn(r->notes, "ssl-access-forbidden", "1");
|
||||||
-
|
+ if (do_verify) {
|
||||||
|
+ if (cert == NULL) {
|
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
|
||||||
|
+ "Re-negotiation handshake failed: "
|
||||||
|
+ "Client certificate missing");
|
||||||
|
|
||||||
- return HTTP_FORBIDDEN;
|
- return HTTP_FORBIDDEN;
|
||||||
- }
|
+ return HTTP_FORBIDDEN;
|
||||||
-
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+ return OK;
|
||||||
|
+}
|
||||||
|
|
||||||
- /*
|
- /*
|
||||||
- * Check to see whether SSL is in use; if it's not, then no
|
- * Check to see whether SSL is in use; if it's not, then no
|
||||||
- * further access control checks are relevant. (the test for
|
- * further access control checks are relevant. (the test for
|
||||||
@ -396,11 +398,28 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
- if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
|
- if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
|
||||||
- return DECLINED;
|
- return DECLINED;
|
||||||
- }
|
- }
|
||||||
-
|
+/*
|
||||||
|
+ * Access Handler, classic flavour, for SSL/TLS up to v1.2
|
||||||
|
+ * where everything can be renegotiated and no one is happy.
|
||||||
|
+ */
|
||||||
|
+static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
|
||||||
|
+ SSLConnRec *sslconn, SSL *ssl)
|
||||||
|
+{
|
||||||
|
+ server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
|
||||||
|
+ SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
|
||||||
|
+ SSL_CTX *ctx = NULL;
|
||||||
|
+ BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
|
||||||
|
+ X509 *peercert;
|
||||||
|
+ X509_STORE *cert_store = NULL;
|
||||||
|
+ X509_STORE_CTX *cert_store_ctx;
|
||||||
|
+ STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
|
||||||
|
+ const SSL_CIPHER *cipher = NULL;
|
||||||
|
+ int depth, verify_old, verify, n, rc;
|
||||||
|
+ const char *ncipher_suite;
|
||||||
|
|
||||||
#ifdef HAVE_SRP
|
#ifdef HAVE_SRP
|
||||||
/*
|
/*
|
||||||
* Support for per-directory reconfigured SSL connection parameters
|
@@ -581,7 +570,7 @@
|
||||||
@@ -581,7 +564,7 @@
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* configure new state */
|
/* configure new state */
|
||||||
@ -409,7 +428,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
/* TODO: this categorically fails changed cipher suite settings
|
/* TODO: this categorically fails changed cipher suite settings
|
||||||
* on slave connections. We could do better by
|
* on slave connections. We could do better by
|
||||||
* - create a new SSL* from our SSL_CTX and set cipher suite there,
|
* - create a new SSL* from our SSL_CTX and set cipher suite there,
|
||||||
@@ -659,7 +642,7 @@
|
@@ -659,7 +648,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
if (renegotiate) {
|
if (renegotiate) {
|
||||||
@ -418,7 +437,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
/* The request causes renegotiation on a slave connection.
|
/* The request causes renegotiation on a slave connection.
|
||||||
* This is not allowed since we might have concurrent requests
|
* This is not allowed since we might have concurrent requests
|
||||||
* on this connection.
|
* on this connection.
|
||||||
@@ -732,7 +715,7 @@
|
@@ -732,7 +721,7 @@
|
||||||
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
|
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
|
||||||
{
|
{
|
||||||
renegotiate = TRUE;
|
renegotiate = TRUE;
|
||||||
@ -427,8 +446,29 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
/* The request causes renegotiation on a slave connection.
|
/* The request causes renegotiation on a slave connection.
|
||||||
* This is not allowed since we might have concurrent requests
|
* This is not allowed since we might have concurrent requests
|
||||||
* on this connection.
|
* on this connection.
|
||||||
@@ -1050,30 +1033,8 @@
|
@@ -885,6 +874,7 @@
|
||||||
|
|
||||||
|
if (renegotiate_quick) {
|
||||||
|
STACK_OF(X509) *cert_stack;
|
||||||
|
+ X509 *cert;
|
||||||
|
|
||||||
|
/* perform just a manual re-verification of the peer */
|
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02258)
|
||||||
|
@@ -1037,43 +1027,10 @@
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
- * Remember the peer certificate's DN
|
||||||
|
- */
|
||||||
|
- if ((cert = SSL_get_peer_certificate(ssl))) {
|
||||||
|
- if (sslconn->client_cert) {
|
||||||
|
- X509_free(sslconn->client_cert);
|
||||||
|
- }
|
||||||
|
- sslconn->client_cert = cert;
|
||||||
|
- sslconn->client_dn = NULL;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
* Finally check for acceptable renegotiation results
|
* Finally check for acceptable renegotiation results
|
||||||
*/
|
*/
|
||||||
- if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
|
- if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
|
||||||
@ -455,16 +495,19 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
-
|
-
|
||||||
- X509_free(peercert);
|
- X509_free(peercert);
|
||||||
- }
|
- }
|
||||||
+ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, ssl))) {
|
+ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
|
||||||
+ return rc;
|
+ return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1167,6 +1128,195 @@
|
@@ -1096,6 +1053,215 @@
|
||||||
return DECLINED;
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+ return DECLINED;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+/*
|
+/*
|
||||||
+ * Access Handler, modern flavour, for SSL/TLS v1.3 and onward.
|
+ * Access Handler, modern flavour, for SSL/TLS v1.3 and onward.
|
||||||
+ * Only client certificates can be requested, everything else stays.
|
+ * Only client certificates can be requested, everything else stays.
|
||||||
@ -557,7 +600,15 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() "verify client post handshake");
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() "verify client post handshake");
|
||||||
+
|
+
|
||||||
+ SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
|
+ SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
|
||||||
+ SSL_verify_client_post_handshake(ssl);
|
+
|
||||||
|
+ if (SSL_verify_client_post_handshake(ssl) != 1) {
|
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
|
||||||
|
+ "cannot perform post-handshake authentication");
|
||||||
|
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
|
||||||
|
+ apr_table_setn(r->notes, "error-notes",
|
||||||
|
+ "Reason: Cannot perform Post-Handshake Authentication.<br />");
|
||||||
|
+ return HTTP_FORBIDDEN;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ old_state = sslconn->reneg_state;
|
+ old_state = sslconn->reneg_state;
|
||||||
+ sslconn->reneg_state = RENEG_ALLOW;
|
+ sslconn->reneg_state = RENEG_ALLOW;
|
||||||
@ -576,7 +627,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+ /*
|
+ /*
|
||||||
+ * Finally check for acceptable renegotiation results
|
+ * Finally check for acceptable renegotiation results
|
||||||
+ */
|
+ */
|
||||||
+ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, ssl))) {
|
+ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
|
||||||
+ return rc;
|
+ return rc;
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
@ -592,6 +643,9 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
|
||||||
+ SSLConnRec *sslconn = myConnConfig(r->connection);
|
+ SSLConnRec *sslconn = myConnConfig(r->connection);
|
||||||
+ SSL *ssl = sslconn ? sslconn->ssl : NULL;
|
+ SSL *ssl = sslconn ? sslconn->ssl : NULL;
|
||||||
|
+ apr_array_header_t *requires;
|
||||||
|
+ ssl_require_t *ssl_requires;
|
||||||
|
+ int ok, i, ret;
|
||||||
+
|
+
|
||||||
+ /* On a slave connection, we do not expect to have an SSLConnRec, but
|
+ /* On a slave connection, we do not expect to have an SSLConnRec, but
|
||||||
+ * our master connection might have one. */
|
+ * our master connection might have one. */
|
||||||
@ -643,20 +697,26 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+ return DECLINED;
|
+ return DECLINED;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
+#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
+ /* TLSv1.3+ is less complicated here. Branch off into a new codeline
|
+ /* TLSv1.3+ is less complicated here. Branch off into a new codeline
|
||||||
+ * and avoid messing with the past. */
|
+ * and avoid messing with the past. */
|
||||||
+ if (SSL_version(ssl) >= TLS1_3_VERSION) {
|
+ if (SSL_version(ssl) >= TLS1_3_VERSION) {
|
||||||
+ return ssl_hook_Access_modern(r, sc, dc, sslconn, ssl);
|
+ ret = ssl_hook_Access_modern(r, sc, dc, sslconn, ssl);
|
||||||
+ }
|
+ }
|
||||||
|
+ else
|
||||||
+#endif
|
+#endif
|
||||||
+ return ssl_hook_Access_classic(r, sc, dc, sslconn, ssl);
|
+ {
|
||||||
+}
|
+ ret = ssl_hook_Access_classic(r, sc, dc, sslconn, ssl);
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
/*
|
+ if (ret != DECLINED) {
|
||||||
* Authentication Handler:
|
+ return ret;
|
||||||
* Fake a Basic authentication from the X509 client certificate.
|
+ }
|
||||||
@@ -2080,31 +2230,43 @@
|
+
|
||||||
|
/* If we're trying to have the user name set from a client
|
||||||
|
* certificate then we need to set it here. This should be safe as
|
||||||
|
* the user name probably isn't important from an auth checking point
|
||||||
|
@@ -2080,31 +2246,43 @@
|
||||||
{
|
{
|
||||||
conn_rec *c;
|
conn_rec *c;
|
||||||
server_rec *s;
|
server_rec *s;
|
||||||
@ -680,6 +740,10 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
+#endif
|
+#endif
|
||||||
+ {
|
+ {
|
||||||
+ SSLConnRec *sslconn;
|
+ SSLConnRec *sslconn;
|
||||||
|
+
|
||||||
|
+ if ((sslconn = myConnConfig(c)) == NULL) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
|
||||||
- /* If the reneg state is to reject renegotiations, check the SSL
|
- /* If the reneg state is to reject renegotiations, check the SSL
|
||||||
- * state machine and move to ABORT if a Client Hello is being
|
- * state machine and move to ABORT if a Client Hello is being
|
||||||
@ -688,10 +752,6 @@ http://svn.apache.org/viewvc?view=revision&revision=1833588
|
|||||||
- (where & SSL_CB_HANDSHAKE_START) &&
|
- (where & SSL_CB_HANDSHAKE_START) &&
|
||||||
- scr->reneg_state == RENEG_REJECT) {
|
- scr->reneg_state == RENEG_REJECT) {
|
||||||
- scr->reneg_state = RENEG_ABORT;
|
- scr->reneg_state = RENEG_ABORT;
|
||||||
+ if ((sslconn = myConnConfig(c)) == NULL) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* If the reneg state is to reject renegotiations, check the SSL
|
+ /* If the reneg state is to reject renegotiations, check the SSL
|
||||||
+ * state machine and move to ABORT if a Client Hello is being
|
+ * state machine and move to ABORT if a Client Hello is being
|
||||||
+ * read. */
|
+ * read. */
|
||||||
|
34
httpd-2.4.34-sslciphdefault.patch
Normal file
34
httpd-2.4.34-sslciphdefault.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1109119
|
||||||
|
|
||||||
|
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
|
||||||
|
|
||||||
|
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslciphdefault
|
||||||
|
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
|
||||||
|
@@ -774,9 +774,11 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!strcmp("SSL", arg1)) {
|
||||||
|
- /* always disable null and export ciphers */
|
||||||
|
- arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
|
if (cmd->path) {
|
||||||
|
+ /* Disable null and export ciphers by default, except for PROFILE=
|
||||||
|
+ * configs where the parser doesn't cope. */
|
||||||
|
+ if (strncmp(arg2, "PROFILE=", 8) != 0)
|
||||||
|
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
|
dc->szCipherSuite = arg2;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
@@ -1540,8 +1542,10 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!strcmp("SSL", arg1)) {
|
||||||
|
- /* always disable null and export ciphers */
|
||||||
|
- arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
|
+ /* Disable null and export ciphers by default, except for PROFILE=
|
||||||
|
+ * configs where the parser doesn't cope. */
|
||||||
|
+ if (strncmp(arg2, "PROFILE=", 8) != 0)
|
||||||
|
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
|
||||||
|
dc->proxy->auth.cipher_suite = arg2;
|
||||||
|
return NULL;
|
||||||
|
}
|
@ -13,7 +13,7 @@
|
|||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.34
|
Version: 2.4.34
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source1: index.html
|
Source1: index.html
|
||||||
@ -73,9 +73,9 @@ Patch29: httpd-2.4.33-systemd.patch
|
|||||||
Patch30: httpd-2.4.4-cachehardmax.patch
|
Patch30: httpd-2.4.4-cachehardmax.patch
|
||||||
Patch31: httpd-2.4.33-sslmultiproxy.patch
|
Patch31: httpd-2.4.33-sslmultiproxy.patch
|
||||||
Patch34: httpd-2.4.17-socket-activation.patch
|
Patch34: httpd-2.4.17-socket-activation.patch
|
||||||
Patch35: httpd-2.4.33-sslciphdefault.patch
|
|
||||||
Patch36: httpd-2.4.33-r1830819+.patch
|
Patch36: httpd-2.4.33-r1830819+.patch
|
||||||
Patch37: httpd-2.4.34-r1827912+.patch
|
Patch37: httpd-2.4.34-r1827912+.patch
|
||||||
|
Patch38: httpd-2.4.34-sslciphdefault.patch
|
||||||
|
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
|
||||||
@ -235,9 +235,9 @@ interface for storing and accessing per-user session data.
|
|||||||
%patch30 -p1 -b .cachehardmax
|
%patch30 -p1 -b .cachehardmax
|
||||||
#patch31 -p1 -b .sslmultiproxy
|
#patch31 -p1 -b .sslmultiproxy
|
||||||
%patch34 -p1 -b .socketactivation
|
%patch34 -p1 -b .socketactivation
|
||||||
%patch35 -p1 -b .sslciphdefault
|
|
||||||
%patch36 -p1 -b .r1830819+
|
%patch36 -p1 -b .r1830819+
|
||||||
%patch37 -p1 -b .r1827912+
|
%patch37 -p1 -b .r1827912+
|
||||||
|
%patch38 -p1 -b .sslciphdefault
|
||||||
|
|
||||||
%patch58 -p1 -b .r1738878
|
%patch58 -p1 -b .r1738878
|
||||||
%patch59 -p1 -b .r1555631
|
%patch59 -p1 -b .r1555631
|
||||||
@ -729,6 +729,9 @@ exit $rv
|
|||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 18 2018 Joe Orton <jorton@redhat.com> - 2.4.34-6
|
||||||
|
- mod_ssl: more TLSv1.3 fixes (#1619389)
|
||||||
|
|
||||||
* Tue Aug 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-5
|
* Tue Aug 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-5
|
||||||
- mod_ssl: further TLSv1.3 fix (#1619389)
|
- mod_ssl: further TLSv1.3 fix (#1619389)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user