From 91a2788bcecc45df329bd121a15ea7ec86285d82 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 14 Oct 2015 09:06:30 +0100
Subject: [PATCH] update to 2.4.17 (#1271224)

- build, load mod_http2
- don't build mod_asis, mod_file_cache
- load mod_cache_socache, mod_proxy_wstunnel by default
- check every built mod_* is configured
- synch ssl.conf with upstream; disable SSLv3 by default

Resolves: rhbz#1271224
---
 .gitignore | 1 +
 00-base.conf | 2 ++
 00-optional.conf | 1 +
 00-proxy.conf | 1 +
 httpd-2.4.10-sslciphdefault.patch | 20 -------------------
 httpd-2.4.17-sslciphdefault.patch | 33 +++++++++++++++++++++++++++++++
 httpd.spec | 27 ++++++++++++++++++++-----
 sources | 2 +-
 ssl.conf | 31 ++++++++++++-----------------
 9 files changed, 74 insertions(+), 44 deletions(-)
 delete mode 100644 httpd-2.4.10-sslciphdefault.patch
 create mode 100644 httpd-2.4.17-sslciphdefault.patch

diff --git a/.gitignore b/.gitignore
index 654f469..2abdf3f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ x86_64
 /httpd-2.4.10.tar.bz2
 /httpd-2.4.12.tar.bz2
 /httpd-2.4.16.tar.bz2
+/httpd-2.4.17.tar.bz2
diff --git a/00-base.conf b/00-base.conf
index 964de69..c109de6 100644
--- a/00-base.conf
+++ b/00-base.conf
@@ -25,6 +25,7 @@ LoadModule authz_user_module modules/mod_authz_user.so
 LoadModule autoindex_module modules/mod_autoindex.so
 LoadModule cache_module modules/mod_cache.so
 LoadModule cache_disk_module modules/mod_cache_disk.so
+LoadModule cache_socache_module modules/mod_cache_socache.so
 LoadModule data_module modules/mod_data.so
 LoadModule dbd_module modules/mod_dbd.so
 LoadModule deflate_module modules/mod_deflate.so
@@ -36,6 +37,7 @@ LoadModule expires_module modules/mod_expires.so
 LoadModule ext_filter_module modules/mod_ext_filter.so
 LoadModule filter_module modules/mod_filter.so
 LoadModule headers_module modules/mod_headers.so
+LoadModule http2_module modules/mod_http2.so
 LoadModule include_module modules/mod_include.so
 LoadModule info_module modules/mod_info.so
 LoadModule log_config_module modules/mod_log_config.so
diff --git a/00-optional.conf b/00-optional.conf
index b8c43c6..208a48e 100644
--- a/00-optional.conf
+++ b/00-optional.conf
@@ -11,6 +11,7 @@
 #LoadModule dialup_module modules/mod_dialup.so
 #LoadModule charset_lite_module modules/mod_charset_lite.so
 #LoadModule log_debug_module modules/mod_log_debug.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
 #LoadModule ratelimit_module modules/mod_ratelimit.so
 #LoadModule reflector_module modules/mod_reflector.so
 #LoadModule sed_module modules/mod_sed.so
diff --git a/00-proxy.conf b/00-proxy.conf
index a446822..cc0bca0 100644
--- a/00-proxy.conf
+++ b/00-proxy.conf
@@ -13,3 +13,4 @@ LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
 LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/httpd-2.4.10-sslciphdefault.patch b/httpd-2.4.10-sslciphdefault.patch
deleted file mode 100644
index 37a74e3..0000000
--- a/httpd-2.4.10-sslciphdefault.patch
+++ /dev/null
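Review bot: `LoadModule http2_module modules/mod_http2.so` goes into 00-base.conf, the set loaded unconditionally, with no comment, even though upstream labels mod_http2 experimental in the 2.4.17 release; no `Protocols h2` directive appears anywhere in this change, so the module is presumably loaded but does nothing until an administrator enables it, which is worth stating. I would either move the line to 00-optional.conf as a commented entry, like the new `#LoadModule log_forensic_module` line, or keep it here with `# mod_http2 is experimental in 2.4.17; HTTP/2 stays off until "Protocols h2 http/1.1" is configured`. Loading a new protocol implementation into every default deployment widens the baseline attack surface even when it is never negotiated, so the choice deserves a line in the changelog as well.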
@@ -1,20 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1109119
-
-Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
-
---- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
-+++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
-@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
- 
-- /* always disable null and export ciphers */
-- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
-+ /* Disable null and export ciphers by default, except for PROFILE=
-+ * configs where the parser doesn't cope. */
-+ if (strncmp(arg, "PROFILE=", 8) != 0)
-+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
- 
- if (cmd->path) {
- dc->szCipherSuite = arg;
diff --git a/httpd-2.4.17-sslciphdefault.patch b/httpd-2.4.17-sslciphdefault.patch
new file mode 100644
index 0000000..8efc461
--- /dev/null
+++ b/httpd-2.4.17-sslciphdefault.patch
@@ -0,0 +1,33 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.17/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.17/modules/ssl/ssl_engine_config.c
+@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ 
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+ 
+ if (cmd->path) {
+ dc->szCipherSuite = arg;
+@@ -1428,8 +1430,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ 
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+ 
+ sc->proxy->auth.cipher_suite = arg;
+ 
diff --git a/httpd.spec b/httpd.spec
index 1d62390..8f10cd4 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@
 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.16
+Version: 2.4.17
 Release: 1%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -61,7 +61,7 @@ Patch29: httpd-2.4.10-mod_systemd.patch
 Patch30: httpd-2.4.4-cachehardmax.patch
 Patch31: httpd-2.4.6-sslmultiproxy.patch
 Patch34: httpd-2.4.9-socket-activation.patch
-Patch35: httpd-2.4.10-sslciphdefault.patch
+Patch35: httpd-2.4.17-sslciphdefault.patch
 # Bug fixes
 Patch55: httpd-2.4.4-malformed-host.patch
 Patch56: httpd-2.4.4-mod_unique_id.patch
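Review bot: In both hunks of the rebased patch the PROFILE= branch skips the `:!aNULL:!eNULL:!EXP` suffix entirely rather than applying the exclusion another way, so with `SSLCipherSuite PROFILE=SYSTEM` (the new ssl.conf default) httpd no longer guarantees that anonymous, null and export ciphers are excluded; that guarantee now rests wholly on the system crypto policy, and the comment "where the parser doesn't cope" does not say so. I would make the trust relationship explicit, e.g. `/* A PROFILE= value is passed through verbatim: the OpenSSL profile parser rejects appended cipher strings, so excluding aNULL/eNULL/EXP is left to the system policy. */`. The prefix test and the apr_pstrcat call are also duplicated verbatim between ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite, which invites the two to drift on the next rebase; a static helper keeps one copy. Both enclosing functions start and end outside the quoted hunks.
```c
/* Append the always-on exclusions unless the OpenSSL PROFILE= syntax is
 * in use: its parser rejects any appended cipher string, so in that case
 * the system crypto policy is trusted to exclude aNULL/eNULL/EXP. */
static const char *ssl_cipher_suite_with_exclusions(apr_pool_t *p, const char *arg)
{
    if (strncmp(arg, "PROFILE=", 8) == 0)
        return arg;
    return apr_pstrcat(p, arg, ":!aNULL:!eNULL:!EXP", NULL);
}
/* … unchanged: in ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite the
 * if/apr_pstrcat pair becomes arg = ssl_cipher_suite_with_exclusions(cmd->pool, arg); … */
```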
@@ -73,7 +73,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: autoconf, perl, pkgconfig, findutils, xmlto
 BuildRequires: zlib-devel, libselinux-devel, lua-devel
 BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
-BuildRequires: systemd-devel
+BuildRequires: systemd-devel, libnghttp2-devel
 Requires: /etc/mime.types, system-logos-httpd
 Obsoletes: httpd-suexec
 Provides: webserver
@@ -204,7 +204,7 @@ interface for storing and accessing per-user session data.
 %patch29 -p1 -b .systemd
 %patch30 -p1 -b .cachehardmax
 %patch31 -p1 -b .sslmultiproxy
-%patch34 -p1 -b .socketactivation
+#patch34 -p1 -b .socketactivation
 %patch35 -p1 -b .sslciphdefault
 %patch55 -p1 -b .malformedhost
@@ -278,7 +278,8 @@ export LYNX_PATH=/usr/bin/links
 --enable-ldap --enable-authnz-ldap \
 --enable-cgid --enable-cgi \
 --enable-authn-anon --enable-authn-alias \
- --disable-imagemap \
+ --disable-imagemap --disable-file-cache \
+ --disable-asis
 $*
 make %{?_smp_mflags}
@@ -529,6 +530,14 @@ if readelf -d $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so | grep TEXTREL; then
 : modules contain non-relocatable code
 exit 1
 fi
+# Ensure every mod_* that's built is loaded.
+for f in $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so; do
+ m=${f##*/}
+ if ! grep -q $m $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then
+ echo ERROR: Module $m not configured. Disable it, or load it.
+ exit 1
+ fi
+done
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -665,6 +674,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Tue Oct 13 2015 Joe Orton - 2.4.17-1
+- update to 2.4.17 (#1271224)
+- build, load mod_http2
+- don't build mod_asis, mod_file_cache
+- load mod_cache_socache, mod_proxy_wstunnel by default
+- check every built mod_* is configured
+- synch ssl.conf with upstream; disable SSLv3 by default
+
 * Wed Jul 15 2015 Jan Kaluza - 2.4.12-4
 - update to 2.4.16
diff --git a/sources b/sources
index 820ee71..c7410a8 100644
--- a/sources
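Review bot: Turning `%patch34 -p1 -b .socketactivation` into the comment `#patch34 -p1 -b .socketactivation` silently stops applying the socket-activation patch, yet the `Patch34:` declaration earlier in the spec is kept and none of the changelog bullets added in this same file mention it, so anyone relying on systemd socket activation loses it without a trace in the package history. Presumably the patch no longer applies against 2.4.17; if so, say it where it is disabled, e.g. `# patch34 (socket activation) does not apply to 2.4.17; disabled until rebased`, and add a matching changelog bullet. Spelling it `#patch34` without the `%` is correct, since rpm still expands macros inside comment lines.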
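Review bot: In the new module check, `grep -q $m` passes the module file name unquoted and as a basic regular expression, so the `.` in `mod_foo.so` matches any character and a name that happens to be a prefix of another module's could be satisfied by the wrong line; a quoted fixed-string match anchored on the path is more robust, `if ! grep -qF -- "modules/$m" $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then`. The check is also satisfied by a commented-out `#LoadModule` line, which matches the error text "Disable it, or load it" but contradicts the comment "Ensure every mod_* that's built is loaded"; I would reword it to `# Ensure every mod_* that's built is referenced in conf.modules.d (loaded, or deliberately commented out).`. If the modules directory were empty the glob would stay literal and the loop would fail on the bogus name, which is acceptable for a build check but worth knowing.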
+++ b/sources
@@ -1 +1 @@
-2b19cd338fd526dd5a63c57b1e9bfee2 httpd-2.4.16.tar.bz2
+cf4dfee11132cde836022f196611a8b7 httpd-2.4.17.tar.bz2
diff --git a/ssl.conf b/ssl.conf
index 9dba7c9..e8e6c97 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -69,31 +69,26 @@ LogLevel warn
 # Enable/Disable SSL for this virtual host.
 SSLEngine on
-# SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# List the protocol versions which clients are allowed to connect with.
+# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
+# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
+# protocol or later should remain in use.
+SSLProtocol all -SSLv3
+SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
 # The OpenSSL system profile is configured by default. See
 # update-crypto-policies(8) for more details.
-#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 SSLCipherSuite PROFILE=SYSTEM
-
-# Speed-optimized SSL Cipher configuration:
-# If speed is your main concern (on busy HTTPS servers e.g.),
-# you might want to force clients to specific, performance
-# optimized ciphers. In this case, prepend those ciphers
-# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-# Caveat: by giving precedence to RC4-SHA and AES128-SHA
-# (as in the example below), most connections will no longer
-# have perfect forward secrecy - if the server's key is
-# compromised, captures of past or future traffic must be
-# considered compromised, too.
-#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on
+SSLProxyCipherSuite PROFILE=SYSTEM
 # Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate. If
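Review bot: `SSLProxyProtocol all -SSLv3` and `SSLProxyCipherSuite PROFILE=SYSTEM` are added with no comment, and the "SSL Cipher Suite" block still describes only what "the client is permitted to negotiate", so a reader cannot tell that the SSLProxy* directives govern the TLS connections httpd itself opens through mod_proxy; I would add above them `# The same protocol and cipher policy applies to TLS connections that mod_proxy makes to backends (SSLProxy*).`. Because the bundled sslciphdefault patch in this same update stops appending `!aNULL:!eNULL:!EXP` to PROFILE= values, the comment should also say where the exclusion of null and export ciphers now comes from, e.g. `# With PROFILE=SYSTEM the cipher list, including the exclusion of NULL/export ciphers, comes from the system crypto policy; an explicit cipher list given here has !aNULL:!eNULL:!EXP appended automatically.`. The "By the end of 2016" sentence in the new SSLProtocol comment will date quickly; leaving the RFC 7525 reference and the advice to drop TLSv1 as soon as practical would be more durable.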