From 4c4d7554f09ca7c44e193cf3eadebb462735280f Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Thu, 30 May 2024 13:36:11 +0100 Subject: [PATCH] mod_ssl: restore SSL_OP_NO_RENEGOTIATE support Related: RHEL-14668 --- httpd-2.4.48-ssl-proxy-chains.patch | 79 ----------------------------- httpd.spec | 8 ++- 2 files changed, 7 insertions(+), 80 deletions(-) delete mode 100644 httpd-2.4.48-ssl-proxy-chains.patch diff --git a/httpd-2.4.48-ssl-proxy-chains.patch b/httpd-2.4.48-ssl-proxy-chains.patch deleted file mode 100644 index 95c31c8..0000000 --- a/httpd-2.4.48-ssl-proxy-chains.patch +++ /dev/null @@ -1,79 +0,0 @@ -diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index 15f68f9..e67c81d 100644 ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -1682,6 +1682,10 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, - STACK_OF(X509) *chain; - X509_STORE_CTX *sctx; - X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); -+ int addl_chain = 0; /* non-zero if additional chain certs were -+ * added to store */ -+ -+ ap_assert(store != NULL); /* safe to assume always non-NULL? */ - - #if OPENSSL_VERSION_NUMBER >= 0x1010100fL - /* For OpenSSL >=1.1.1, turn on client cert support which is -@@ -1707,20 +1711,28 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, - ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk); - } - -- if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { -- sk_X509_INFO_free(sk); -- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206) -- "no client certs found for SSL proxy"); -- return APR_SUCCESS; -- } -- - /* Check that all client certs have got certificates and private -- * keys. */ -- for (n = 0; n < ncerts; n++) { -+ * keys. Note the number of certs in the stack may decrease -+ * during the loop. */ -+ for (n = 0; n < sk_X509_INFO_num(sk); n++) { - X509_INFO *inf = sk_X509_INFO_value(sk, n); -+ int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey; - -- if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey || -- inf->enc_data) { -+ /* For a lone certificate in the file, trust it as a -+ * CA/intermediate certificate. */ -+ if (inf->x509 && !has_privkey && !inf->enc_data) { -+ ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509, -+ APLOGNO(10261) "Trusting non-leaf certificate"); -+ X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */ -+ /* Delete from the stack and iterate again. */ -+ X509_INFO_free(inf); -+ sk_X509_INFO_delete(sk, n); -+ n--; -+ addl_chain = 1; -+ continue; -+ } -+ -+ if (!has_privkey || inf->enc_data) { - sk_X509_INFO_free(sk); - ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) - "incomplete client cert configured for SSL proxy " -@@ -1737,13 +1749,21 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, - } - } - -+ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { -+ sk_X509_INFO_free(sk); -+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206) -+ "no client certs found for SSL proxy"); -+ return APR_SUCCESS; -+ } -+ - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) - "loaded %d client certs for SSL proxy", - ncerts); - pkp->certs = sk; - -- -- if (!pkp->ca_cert_file || !store) { -+ /* If any chain certs are configured, build the ->ca_certs chains -+ * corresponding to the loaded keypairs. */ -+ if (!pkp->ca_cert_file && !addl_chain) { - return APR_SUCCESS; - } - diff --git a/httpd.spec b/httpd.spec index 34b0e3d..06dbef9 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.59 -Release: 5%{?dist} +Release: 6%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -99,6 +99,7 @@ Patch100: httpd-2.4.43-enable-sslv3.patch Patch101: httpd-2.4.48-full-release.patch Patch102: httpd-2.4.59-r1916863.patch Patch103: httpd-2.4.59-engine-finish.patch +Patch104: httpd-2.4.51-r1877397.patch # Security fixes # https://bugzilla.redhat.com/show_bug.cgi?id=... @@ -264,6 +265,7 @@ written in the Lua programming language. %patch101 -p1 -b .full-release %patch102 -p1 -b .r1916863 %patch103 -p1 -b .engine-cleanup +%patch104 -p1 -b .r1877397 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -825,6 +827,10 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Thu May 30 2024 Joe Orton - 2.4.59-6 +- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support + Related: RHEL-14668 + * Tue May 21 2024 Joe Orton - 2.4.59-5 - mod_ssl: defer ENGINE_finish() calls to a cleanup Resolves: RHEL-36755