Backport patch for fixing ticket key usage

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

httpd-2.4.27-fixticketkeys.patch

@@ -0,0 +1,65 @@
+From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Tue, 22 Mar 2016 13:09:17 +0000
+Subject: [PATCH] mod_ssl: return non ambigous value in
+ ssl_callback_SessionTicket() for encryption mode (we used to return 0,
+ OpenSSL documents returning 1 instead).
+
+Practically this does not change anything since OpenSSL will only check for
+>= 0 return value (non error) for encryption mode (the other possible return
+values are only relevant for decryption mode).
+
+However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
+states:
+"
+The return value of the cb function is used by OpenSSL to determine what
+further processing will occur. The following return values have meaning:
+
+2
+    This indicates that the ctx and hctx have been set and the session can
+    continue on those parameters. Additionally it indicates that the session
+    ticket is in a renewal period and should be replaced. The OpenSSL library
+    will call cb again with an enc argument of 1 to set the new ticket (see
+    RFC5077 3.3 paragraph 2).
+
+1
+    This indicates that the ctx and hctx have been set and the session can
+    continue on those parameters.
+
+0
+    This indicates that it was not possible to set/retrieve a session ticket
+    and the SSL/TLS session will continue by by negotiating a set of
+    cryptographic parameters or using the alternate SSL/TLS resumption
+    mechanism, session ids.
+    If called with enc equal to 0 the library will call the cb again to get a
+    new set of parameters.
+
+less than 0
+    This indicates an error.
+"
+
+So 0 is not appropriate in our code, 1 is what we really want (and it won't
+break if OpenSSL later changes its checks on the callback return value).
+
+Reported by: oknet on github, pull request #18.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_kernel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 91da94c4f58..91d5e926d66 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
+                       "TLS session ticket key for %s successfully set, "
+                       "creating new session ticket", sc->vhost_id);
+ 
+-        return 0;
++        return 1;
+     }
+     else if (mode == 0) {
+         /* 

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.28
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -76,6 +76,9 @@ Patch58: httpd-2.4.25-r1738878.patch
 Patch60: httpd-2.4.27-r1808230.patch
 # Security fixes
 
+# https://github.com/apache/httpd/commit/4171fbfcb249e63f934471054d7a0752272fb8ee
+Patch61: httpd-2.4.27-fixticketkeys.patch
+
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -221,6 +224,8 @@ interface for storing and accessing per-user session data.
 %patch58 -p1 -b .r1738878
 %patch60 -p1 -b .r1808230
 
+%patch61 -p1 -b .ticketkeys
+
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 
@@ -687,6 +692,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue Oct 10 2017 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.4.28-2
+- Backport patch for fixing ticket key usage
+
 * Fri Oct 06 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.28-1
 - new version 2.4.28