move macros from /etc/rpm to macros.d (#1074277)
- remove unused patches
		
							parent
							
								
									9f6ae98c27
								
							
						
					
					
						commit
						6228c46ec0
					
				| @ -1,45 +0,0 @@ | ||||
| --- trunk/server/vhost.c	2013/05/11 11:51:28	1481305
 | ||||
| +++ trunk/server/vhost.c	2013/05/11 12:05:24	1481306
 | ||||
| @@ -577,14 +577,21 @@
 | ||||
|       */ | ||||
|   | ||||
|      for (s = main_s->next; s; s = s->next) { | ||||
| +        server_addr_rec *sar_prev = NULL;
 | ||||
|          has_default_vhost_addr = 0; | ||||
|          for (sar = s->addrs; sar; sar = sar->next) { | ||||
|              ipaddr_chain *ic; | ||||
|              char inaddr_any[16] = {0}; /* big enough to handle IPv4 or IPv6 */ | ||||
| -
 | ||||
| +            /* XXX: this treats 0.0.0.0 as a "default" server which matches no-exact-match for IPv6 */
 | ||||
|              if (!memcmp(sar->host_addr->ipaddr_ptr, inaddr_any, sar->host_addr->ipaddr_len)) { | ||||
|                  ic = find_default_server(sar->host_port); | ||||
| -                if (!ic || sar->host_port != ic->sar->host_port) {
 | ||||
| +
 | ||||
| +                if (ic && sar->host_port == ic->sar->host_port) { /* we're a match for an existing "default server"  */
 | ||||
| +                    if (!sar_prev || memcmp(sar_prev->host_addr->ipaddr_ptr, inaddr_any, sar_prev->host_addr->ipaddr_len)) { 
 | ||||
| +                        add_name_vhost_config(p, main_s, s, sar, ic);
 | ||||
| +                    }
 | ||||
| +                }
 | ||||
| +                else { 
 | ||||
|                      /* No default server, or we found a default server but | ||||
|                      ** exactly one of us is a wildcard port, which means we want | ||||
|                      ** two ip-based vhosts not an NVH with two names | ||||
| @@ -592,6 +599,7 @@
 | ||||
|                      ic = new_ipaddr_chain(p, s, sar); | ||||
|                      ic->next = default_list; | ||||
|                      default_list = ic; | ||||
| +                    add_name_vhost_config(p, main_s, s, sar, ic);
 | ||||
|                  } | ||||
|                  has_default_vhost_addr = 1; | ||||
|              } | ||||
| @@ -609,8 +617,9 @@
 | ||||
|                      ic->next = *iphash_table_tail[bucket]; | ||||
|                      *iphash_table_tail[bucket] = ic; | ||||
|                  } | ||||
| +                add_name_vhost_config(p, main_s, s, sar, ic);
 | ||||
|              } | ||||
| -            add_name_vhost_config(p, main_s, s, sar, ic);
 | ||||
| +            sar_prev = sar;
 | ||||
|          } | ||||
|   | ||||
|          /* Ok now we want to set up a server_hostname if the user was | ||||
| @ -1,248 +0,0 @@ | ||||
| # ./pullrev.sh 1332643 1345599 | ||||
| 
 | ||||
| https://bugzilla.redhat.com//show_bug.cgi?id=809599 | ||||
| 
 | ||||
| http://svn.apache.org/viewvc?view=revision&revision=1332643 | ||||
| 
 | ||||
| http://svn.apache.org/viewvc?view=revision&revision=1345599 | ||||
| 
 | ||||
| --- httpd-2.4.4/modules/ssl/mod_ssl.c.r1332643+
 | ||||
| +++ httpd-2.4.4/modules/ssl/mod_ssl.c
 | ||||
| @@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds
 | ||||
|      AP_END_CMD | ||||
|  }; | ||||
|   | ||||
| +/* Implement 'modssl_run_npn_advertise_protos_hook'. */
 | ||||
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
 | ||||
| +    modssl, AP, int, npn_advertise_protos_hook,
 | ||||
| +    (conn_rec *connection, apr_array_header_t *protos),
 | ||||
| +    (connection, protos), OK, DECLINED);
 | ||||
| +
 | ||||
| +/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
 | ||||
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
 | ||||
| +    modssl, AP, int, npn_proto_negotiated_hook,
 | ||||
| +    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
 | ||||
| +    (connection, proto_name, proto_name_len), OK, DECLINED);
 | ||||
| +
 | ||||
|  /* | ||||
|   *  the various processing hooks | ||||
|   */ | ||||
| --- httpd-2.4.4/modules/ssl/mod_ssl.h.r1332643+
 | ||||
| +++ httpd-2.4.4/modules/ssl/mod_ssl.h
 | ||||
| @@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
 | ||||
|   | ||||
|  APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); | ||||
|   | ||||
| +/** The npn_advertise_protos optional hook allows other modules to add entries
 | ||||
| + * to the list of protocol names advertised by the server during the Next
 | ||||
| + * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
 | ||||
| + * given the connection and an APR array; it should push one or more char*'s
 | ||||
| + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
 | ||||
| + * the array and return OK, or do nothing and return DECLINED. */
 | ||||
| +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
 | ||||
| +                          (conn_rec *connection, apr_array_header_t *protos));
 | ||||
| +
 | ||||
| +/** The npn_proto_negotiated optional hook allows other modules to discover the
 | ||||
| + * name of the protocol that was chosen during the Next Protocol Negotiation
 | ||||
| + * (NPN) portion of the SSL handshake.  Note that this may be the empty string
 | ||||
| + * (in which case modules should probably assume HTTP), or it may be a protocol
 | ||||
| + * that was never even advertised by the server.  The hook callee is given the
 | ||||
| + * connection, a non-null-terminated string containing the protocol name, and
 | ||||
| + * the length of the string; it should do something appropriate (i.e. insert or
 | ||||
| + * remove filters) and return OK, or do nothing and return DECLINED. */
 | ||||
| +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
 | ||||
| +                          (conn_rec *connection, const char *proto_name,
 | ||||
| +                           apr_size_t proto_name_len));
 | ||||
| +
 | ||||
|  #endif /* __MOD_SSL_H__ */ | ||||
|  /** @} */ | ||||
| --- httpd-2.4.4/modules/ssl/ssl_engine_init.c.r1332643+
 | ||||
| +++ httpd-2.4.4/modules/ssl/ssl_engine_init.c
 | ||||
| @@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve
 | ||||
|  #endif | ||||
|   | ||||
|      SSL_CTX_set_info_callback(ctx, ssl_callback_Info); | ||||
| +
 | ||||
| +#ifdef HAVE_TLS_NPN
 | ||||
| +    SSL_CTX_set_next_protos_advertised_cb(
 | ||||
| +        ctx, ssl_callback_AdvertiseNextProtos, NULL);
 | ||||
| +#endif
 | ||||
|  } | ||||
|   | ||||
|  static void ssl_init_ctx_verify(server_rec *s, | ||||
| --- httpd-2.4.4/modules/ssl/ssl_engine_io.c.r1332643+
 | ||||
| +++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
 | ||||
| @@ -28,6 +28,7 @@
 | ||||
|                                    core keeps dumping.'' | ||||
|                                              -- Unknown    */ | ||||
|  #include "ssl_private.h" | ||||
| +#include "mod_ssl.h"
 | ||||
|  #include "apr_date.h" | ||||
|   | ||||
|  /*  _________________________________________________________________ | ||||
| @@ -297,6 +298,7 @@ typedef struct {
 | ||||
|      apr_pool_t *pool; | ||||
|      char buffer[AP_IOBUFSIZE]; | ||||
|      ssl_filter_ctx_t *filter_ctx; | ||||
| +    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
 | ||||
|  } bio_filter_in_ctx_t; | ||||
|   | ||||
|  /* | ||||
| @@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
 | ||||
|          APR_BRIGADE_INSERT_TAIL(bb, bucket); | ||||
|      } | ||||
|   | ||||
| +#ifdef HAVE_TLS_NPN
 | ||||
| +    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
 | ||||
| +     * our version of OpenSSL supports it).  If we haven't already, find out
 | ||||
| +     * which protocol was decided upon and inform other modules by calling
 | ||||
| +     * npn_proto_negotiated_hook. */
 | ||||
| +    if (!inctx->npn_finished) {
 | ||||
| +        const unsigned char *next_proto = NULL;
 | ||||
| +        unsigned next_proto_len = 0;
 | ||||
| +
 | ||||
| +        SSL_get0_next_proto_negotiated(
 | ||||
| +            inctx->ssl, &next_proto, &next_proto_len);
 | ||||
| +        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
 | ||||
| +                      APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
 | ||||
| +                      next_proto_len, (const char*)next_proto);
 | ||||
| +        modssl_run_npn_proto_negotiated_hook(
 | ||||
| +            f->c, (const char*)next_proto, next_proto_len);
 | ||||
| +        inctx->npn_finished = 1;
 | ||||
| +    }
 | ||||
| +#endif
 | ||||
| +
 | ||||
|      return APR_SUCCESS; | ||||
|  } | ||||
|   | ||||
| @@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
 | ||||
|      inctx->block = APR_BLOCK_READ; | ||||
|      inctx->pool = c->pool; | ||||
|      inctx->filter_ctx = filter_ctx; | ||||
| +    inctx->npn_finished = 0;
 | ||||
|  } | ||||
|   | ||||
|  /* The request_rec pointer is passed in here only to ensure that the | ||||
| --- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c.r1332643+
 | ||||
| +++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
 | ||||
| @@ -29,6 +29,7 @@
 | ||||
|                                    time I was too famous.'' | ||||
|                                              -- Unknown                */ | ||||
|  #include "ssl_private.h" | ||||
| +#include "mod_ssl.h"
 | ||||
|  #include "util_md5.h" | ||||
|   | ||||
|  static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); | ||||
| @@ -2161,6 +2162,90 @@ int ssl_callback_SessionTicket(SSL *ssl,
 | ||||
|  } | ||||
|  #endif /* HAVE_TLS_SESSION_TICKETS */ | ||||
|   | ||||
| +#ifdef HAVE_TLS_NPN
 | ||||
| +/*
 | ||||
| + * This callback function is executed when SSL needs to decide what protocols
 | ||||
| + * to advertise during Next Protocol Negotiation (NPN).  It must produce a
 | ||||
| + * string in wire format -- a sequence of length-prefixed strings -- indicating
 | ||||
| + * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
 | ||||
| + * in OpenSSL for reference.
 | ||||
| + */
 | ||||
| +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
 | ||||
| +                                     unsigned int *size_out, void *arg)
 | ||||
| +{
 | ||||
| +    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
 | ||||
| +    apr_array_header_t *protos;
 | ||||
| +    int num_protos;
 | ||||
| +    unsigned int size;
 | ||||
| +    int i;
 | ||||
| +    unsigned char *data;
 | ||||
| +    unsigned char *start;
 | ||||
| +
 | ||||
| +    *data_out = NULL;
 | ||||
| +    *size_out = 0;
 | ||||
| +
 | ||||
| +    /* If the connection object is not available, then there's nothing for us
 | ||||
| +     * to do. */
 | ||||
| +    if (c == NULL) {
 | ||||
| +        return SSL_TLSEXT_ERR_OK;
 | ||||
| +    }
 | ||||
| +
 | ||||
| +    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
 | ||||
| +     * add alternate protocol names to advertise. */
 | ||||
| +    protos = apr_array_make(c->pool, 0, sizeof(char*));
 | ||||
| +    modssl_run_npn_advertise_protos_hook(c, protos);
 | ||||
| +    num_protos = protos->nelts;
 | ||||
| +
 | ||||
| +    /* We now have a list of null-terminated strings; we need to concatenate
 | ||||
| +     * them together into a single string, where each protocol name is prefixed
 | ||||
| +     * by its length.  First, calculate how long that string will be. */
 | ||||
| +    size = 0;
 | ||||
| +    for (i = 0; i < num_protos; ++i) {
 | ||||
| +        const char *string = APR_ARRAY_IDX(protos, i, const char*);
 | ||||
| +        unsigned int length = strlen(string);
 | ||||
| +        /* If the protocol name is too long (the length must fit in one byte),
 | ||||
| +         * then log an error and skip it. */
 | ||||
| +        if (length > 255) {
 | ||||
| +            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
 | ||||
| +                          "SSL NPN protocol name too long (length=%u): %s",
 | ||||
| +                          length, string);
 | ||||
| +            continue;
 | ||||
| +        }
 | ||||
| +        /* Leave room for the length prefix (one byte) plus the protocol name
 | ||||
| +         * itself. */
 | ||||
| +        size += 1 + length;
 | ||||
| +    }
 | ||||
| +
 | ||||
| +    /* If there is nothing to advertise (either because no modules added
 | ||||
| +     * anything to the protos array, or because all strings added to the array
 | ||||
| +     * were skipped), then we're done. */
 | ||||
| +    if (size == 0) {
 | ||||
| +        return SSL_TLSEXT_ERR_OK;
 | ||||
| +    }
 | ||||
| +
 | ||||
| +    /* Now we can build the string.  Copy each protocol name string into the
 | ||||
| +     * larger string, prefixed by its length. */
 | ||||
| +    data = apr_palloc(c->pool, size * sizeof(unsigned char));
 | ||||
| +    start = data;
 | ||||
| +    for (i = 0; i < num_protos; ++i) {
 | ||||
| +        const char *string = APR_ARRAY_IDX(protos, i, const char*);
 | ||||
| +        apr_size_t length = strlen(string);
 | ||||
| +        if (length > 255)
 | ||||
| +            continue;
 | ||||
| +        *start = (unsigned char)length;
 | ||||
| +        ++start;
 | ||||
| +        memcpy(start, string, length * sizeof(unsigned char));
 | ||||
| +        start += length;
 | ||||
| +    }
 | ||||
| +
 | ||||
| +    /* Success. */
 | ||||
| +    *data_out = data;
 | ||||
| +    *size_out = size;
 | ||||
| +    return SSL_TLSEXT_ERR_OK;
 | ||||
| +}
 | ||||
| +
 | ||||
| +#endif /* HAVE_TLS_NPN */
 | ||||
| +
 | ||||
|  #ifndef OPENSSL_NO_SRP | ||||
|   | ||||
|  int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) | ||||
| --- httpd-2.4.4/modules/ssl/ssl_private.h.r1332643+
 | ||||
| +++ httpd-2.4.4/modules/ssl/ssl_private.h
 | ||||
| @@ -139,6 +139,11 @@
 | ||||
|  #define HAVE_FIPS | ||||
|  #endif | ||||
|   | ||||
| +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
 | ||||
| +    && !defined(OPENSSL_NO_TLSEXT)
 | ||||
| +#define HAVE_TLS_NPN
 | ||||
| +#endif
 | ||||
| +
 | ||||
|  #if (OPENSSL_VERSION_NUMBER >= 0x10000000) | ||||
|  #define MODSSL_SSL_CIPHER_CONST const | ||||
|  #define MODSSL_SSL_METHOD_CONST const | ||||
| @@ -840,6 +845,7 @@ int          ssl_callback_ServerNameIndi
 | ||||
|  int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, | ||||
|                                         EVP_CIPHER_CTX *, HMAC_CTX *, int); | ||||
|  #endif | ||||
| +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
 | ||||
|   | ||||
|  /**  Session Cache Support  */ | ||||
|  void         ssl_scache_init(server_rec *, apr_pool_t *); | ||||
| @ -1,15 +0,0 @@ | ||||
| # ./pullrev.sh 1534321 | ||||
| 
 | ||||
| http://svn.apache.org/viewvc?view=revision&revision=1534321 | ||||
| 
 | ||||
| --- httpd-2.4.6/modules/proxy/mod_proxy_http.c
 | ||||
| +++ httpd-2.4.6/modules/proxy/mod_proxy_http.c
 | ||||
| @@ -710,7 +710,7 @@
 | ||||
|          force10 = 0; | ||||
|      } | ||||
|   | ||||
| -    header_brigade = apr_brigade_create(p, origin->bucket_alloc);
 | ||||
| +    header_brigade = apr_brigade_create(p, bucket_alloc);
 | ||||
|      rv = ap_proxy_create_hdrbrgd(p, header_brigade, r, p_conn, | ||||
|                                   worker, conf, uri, url, server_portstr, | ||||
|                                   &old_cl_val, &old_te_val); | ||||
| @ -1,75 +0,0 @@ | ||||
| --- httpd-2.4.7/modules/ssl/ssl_engine_config.c.sninotreq
 | ||||
| +++ httpd-2.4.7/modules/ssl/ssl_engine_config.c
 | ||||
| @@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_creat
 | ||||
|      mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc)); | ||||
|      mc->pPool = pool; | ||||
|      mc->bFixed = FALSE; | ||||
| +    mc->sni_required = FALSE;
 | ||||
|   | ||||
|      /* | ||||
|       * initialize per-module configuration | ||||
| --- httpd-2.4.7/modules/ssl/ssl_engine_init.c.sninotreq
 | ||||
| +++ httpd-2.4.7/modules/ssl/ssl_engine_init.c
 | ||||
| @@ -234,7 +234,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
 | ||||
|      /* | ||||
|       * Configuration consistency checks | ||||
|       */ | ||||
| -    ssl_init_CheckServers(base_server, ptemp);
 | ||||
| +    ssl_init_CheckServers(mc, base_server, ptemp);
 | ||||
|   | ||||
|      /* | ||||
|       *  Announce mod_ssl and SSL library in HTTP Server field | ||||
| @@ -1327,7 +1327,7 @@ void ssl_init_ConfigureServer(server_rec
 | ||||
|      } | ||||
|  } | ||||
|   | ||||
| -void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
 | ||||
| +void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
 | ||||
|  { | ||||
|      server_rec *s, *ps; | ||||
|      SSLSrvConfigRec *sc; | ||||
| @@ -1409,6 +1409,7 @@ void ssl_init_CheckServers(server_rec *b
 | ||||
|      } | ||||
|   | ||||
|      if (conflict) { | ||||
| +        mc->sni_required = TRUE;
 | ||||
|  #ifndef HAVE_TLSEXT | ||||
|          ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) | ||||
|                       "Init: You should not use name-based " | ||||
| --- httpd-2.4.7/modules/ssl/ssl_engine_kernel.c.sninotreq
 | ||||
| +++ httpd-2.4.7/modules/ssl/ssl_engine_kernel.c
 | ||||
| @@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
 | ||||
|      } | ||||
|  #ifdef HAVE_TLSEXT | ||||
|      if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { | ||||
| +    if (myModConfig(r->server)->sni_required) {
 | ||||
|          char *host, *scope_id; | ||||
|          apr_port_t port; | ||||
|          apr_status_t rv; | ||||
| @@ -205,6 +206,7 @@ int ssl_hook_ReadReq(request_rec *r)
 | ||||
|                       " virtual host"); | ||||
|          return HTTP_FORBIDDEN; | ||||
|      } | ||||
| +    }
 | ||||
|  #endif | ||||
|      SSL_set_app_data2(ssl, r); | ||||
|   | ||||
| --- httpd-2.4.7/modules/ssl/ssl_private.h.sninotreq
 | ||||
| +++ httpd-2.4.7/modules/ssl/ssl_private.h
 | ||||
| @@ -533,6 +533,7 @@ typedef struct {
 | ||||
|      struct { | ||||
|          void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; | ||||
|      } rCtx; | ||||
| +    BOOL            sni_required;
 | ||||
|  } SSLModConfigRec; | ||||
|   | ||||
|  /** Structure representing configured filenames for certs and keys for | ||||
| @@ -778,7 +779,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
 | ||||
|  int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); | ||||
|  void         ssl_init_Engine(server_rec *, apr_pool_t *); | ||||
|  void         ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); | ||||
| -void         ssl_init_CheckServers(server_rec *, apr_pool_t *);
 | ||||
| +void         ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
 | ||||
|  STACK_OF(X509_NAME) | ||||
|              *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); | ||||
|  void         ssl_init_Child(apr_pool_t *, server_rec *); | ||||
| @ -1,83 +0,0 @@ | ||||
| diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
 | ||||
| index 19ba733..28caefd 100644
 | ||||
| --- a/modules/ssl/ssl_engine_config.c
 | ||||
| +++ b/modules/ssl/ssl_engine_config.c
 | ||||
| @@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 | ||||
|      mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc)); | ||||
|      mc->pPool = pool; | ||||
|      mc->bFixed = FALSE; | ||||
| +    mc->sni_required = FALSE;
 | ||||
|   | ||||
|      /* | ||||
|       * initialize per-module configuration | ||||
| diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
 | ||||
| index b1741b8..8e0c4bc 100644
 | ||||
| --- a/modules/ssl/ssl_engine_init.c
 | ||||
| +++ b/modules/ssl/ssl_engine_init.c
 | ||||
| @@ -244,7 +244,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 | ||||
|      /* | ||||
|       * Configuration consistency checks | ||||
|       */ | ||||
| -    if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
 | ||||
| +    if ((rv = ssl_init_CheckServers(mc, base_server, ptemp)) != APR_SUCCESS) {
 | ||||
|          return rv; | ||||
|      } | ||||
|   | ||||
| @@ -1398,7 +1398,7 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
 | ||||
|      return APR_SUCCESS; | ||||
|  } | ||||
|   | ||||
| -apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
 | ||||
| +apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
 | ||||
|  { | ||||
|      server_rec *s, *ps; | ||||
|      SSLSrvConfigRec *sc; | ||||
| @@ -1480,6 +1480,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
 | ||||
|      } | ||||
|   | ||||
|      if (conflict) { | ||||
| +        mc->sni_required = TRUE;
 | ||||
|  #ifndef HAVE_TLSEXT | ||||
|          ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) | ||||
|                       "Init: You should not use name-based " | ||||
| diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
 | ||||
| index c60f0a6..232be86 100644
 | ||||
| --- a/modules/ssl/ssl_engine_kernel.c
 | ||||
| +++ b/modules/ssl/ssl_engine_kernel.c
 | ||||
| @@ -165,6 +165,7 @@ int ssl_hook_ReadReq(request_rec *r)
 | ||||
|  #ifdef HAVE_TLSEXT | ||||
|      if (r->proxyreq != PROXYREQ_PROXY) { | ||||
|          if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { | ||||
| +        if (myModConfig(r->server)->sni_required) {
 | ||||
|              char *host, *scope_id; | ||||
|              apr_port_t port; | ||||
|              apr_status_t rv; | ||||
| @@ -216,6 +217,7 @@ int ssl_hook_ReadReq(request_rec *r)
 | ||||
|              return HTTP_FORBIDDEN; | ||||
|          } | ||||
|      } | ||||
| +    }
 | ||||
|  #endif | ||||
|      SSL_set_app_data2(ssl, r); | ||||
|   | ||||
| diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
 | ||||
| index 516d7e6..624bf7a 100644
 | ||||
| --- a/modules/ssl/ssl_private.h
 | ||||
| +++ b/modules/ssl/ssl_private.h
 | ||||
| @@ -489,6 +489,7 @@ typedef struct {
 | ||||
|      ap_socache_instance_t *stapling_cache_context; | ||||
|      apr_global_mutex_t   *stapling_mutex; | ||||
|  #endif | ||||
| +    BOOL            sni_required;
 | ||||
|  } SSLModConfigRec; | ||||
|   | ||||
|  /** Structure representing configured filenames for certs and keys for | ||||
| @@ -738,7 +739,7 @@ apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_re
 | ||||
|  apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *); | ||||
|  apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, | ||||
|                                        apr_array_header_t *); | ||||
| -apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
 | ||||
| +apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
 | ||||
|  STACK_OF(X509_NAME) | ||||
|              *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); | ||||
|  void         ssl_init_Child(apr_pool_t *, server_rec *); | ||||
							
								
								
									
										14
									
								
								httpd.spec
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								httpd.spec
									
									
									
									
									
								
							| @ -14,7 +14,7 @@ | ||||
| Summary: Apache HTTP Server | ||||
| Name: httpd | ||||
| Version: 2.4.9 | ||||
| Release: 1%{?dist} | ||||
| Release: 2%{?dist} | ||||
| URL: http://httpd.apache.org/ | ||||
| Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 | ||||
| Source1: index.html | ||||
| @ -63,7 +63,6 @@ Patch30: httpd-2.4.4-cachehardmax.patch | ||||
| Patch31: httpd-2.4.6-sslmultiproxy.patch | ||||
| Patch32: httpd-2.4.7-r1537535.patch | ||||
| # Bug fixes | ||||
| Patch51: httpd-2.4.9-sslsninotreq.patch | ||||
| Patch55: httpd-2.4.4-malformed-host.patch | ||||
| Patch56: httpd-2.4.4-mod_unique_id.patch | ||||
| License: ASL 2.0 | ||||
| @ -189,7 +188,6 @@ interface for storing and accessing per-user session data. | ||||
| %patch31 -p1 -b .sslmultiproxy | ||||
| %patch32 -p1 -b .r1537535 | ||||
| 
 | ||||
| %patch51 -p1 -b .sslsninotreq | ||||
| %patch55 -p1 -b .malformedhost | ||||
| %patch56 -p1 -b .uniqueid | ||||
| 
 | ||||
| @ -335,8 +333,8 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/httpd \ | ||||
| 
 | ||||
| # Make the MMN accessible to module packages | ||||
| echo %{mmnisa} > $RPM_BUILD_ROOT%{_includedir}/httpd/.mmn | ||||
| mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rpm | ||||
| cat > $RPM_BUILD_ROOT%{_sysconfdir}/rpm/macros.httpd <<EOF | ||||
| mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d | ||||
| cat > $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d/macros.httpd <<EOF | ||||
| %%_httpd_mmn %{mmnisa} | ||||
| %%_httpd_apxs %%{_bindir}/apxs | ||||
| %%_httpd_modconfdir %%{_sysconfdir}/httpd/conf.modules.d | ||||
| @ -621,9 +619,13 @@ rm -rf $RPM_BUILD_ROOT | ||||
| %dir %{_libdir}/httpd/build | ||||
| %{_libdir}/httpd/build/*.mk | ||||
| %{_libdir}/httpd/build/*.sh | ||||
| %{_sysconfdir}/rpm/macros.httpd | ||||
| %{_rpmconfigdir}/macros.d/macros.httpd | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Mar 27 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.9-2 | ||||
| - move macros from /etc/rpm to macros.d (#1074277) | ||||
| - remove unused patches | ||||
| 
 | ||||
| * Mon Mar 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.9-1 | ||||
| - update to 2.4.9 | ||||
| 
 | ||||
|  | ||||
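Review bot: `Patch51: httpd-2.4.9-sslsninotreq.patch` and `%patch51 -p1 -b .sslsninotreq` sit in the two hunks that shrink by one line (`-63,7 +63,6` and `-189,7 +188,6`), so this patch appears to have been applied in 2.4.9-1 and is dropped here rather than removed as unused. Going by the deleted patch text on this page, it wrapped the block after `SSL_get_servername()` in `ssl_hook_ReadReq` in `if (myModConfig(r->server)->sni_required)`, so without it that per-request server-name handling presumably runs for every client that sends SNI again, not only when name-based SSL vhosts conflict. If that stricter behaviour is intended, the changelog should say so, for example `- drop sslsninotreq patch (SNI check in ssl_hook_ReadReq no longer gated on sni_required)`, so administrators can tie newly rejected requests to this update. The page does not mark which side each line is on and the body between the two hunks is not shown, so confirm both against the actual spec diff and the upstream source.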