mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)

- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
Resolves: rhbz#1109119

httpd-2.4.10-sslciphdefault.patch

@@ -0,0 +1,20 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
+@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ 
+-    /* always disable null and export ciphers */
+-    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
++    /* Disable null and export ciphers by default, except for PROFILE=
++     * configs where the parser doesn't cope. */
++    if (strncmp(arg, "PROFILE=", 8) != 0)
++        arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ 
+     if (cmd->path) {
+         dc->szCipherSuite = arg;

httpd.spec

@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.10
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -65,6 +65,7 @@ Patch29: httpd-2.4.3-mod_systemd.patch
 Patch30: httpd-2.4.4-cachehardmax.patch
 Patch31: httpd-2.4.6-sslmultiproxy.patch
 Patch34: httpd-2.4.9-socket-activation.patch
+Patch35: httpd-2.4.10-sslciphdefault.patch
 # Bug fixes
 Patch55: httpd-2.4.4-malformed-host.patch
 Patch56: httpd-2.4.4-mod_unique_id.patch
@@ -202,6 +203,7 @@ interface for storing and accessing per-user session data.
 %patch30 -p1 -b .cachehardmax
 %patch31 -p1 -b .sslmultiproxy
 %patch34 -p1 -b .socketactivation
+%patch35 -p1 -b .sslciphdefault
 
 %patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
@@ -659,6 +661,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Aug 21 2014 Joe Orton <jorton@redhat.com> - 2.4.10-6
+- mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
+- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
+
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.10-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 

ssl.conf

@@ -77,9 +77,10 @@ SSLProtocol all -SSLv2
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-# By leaving this directive commented out, the system-wide OpenSSL
+# The OpenSSL system profile is configured by default.  See
-# default is used.  See update-crypto-policies(8) for more details.
+# update-crypto-policies(8) for more details.
 #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite PROFILE=DEFAULT
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),