update to 2.4.9

This commit is contained in:
Jan Kaluza 2014-03-18 07:55:27 +01:00
parent 8efab6ad85
commit 9f6ae98c27
6 changed files with 97 additions and 86 deletions

1
.gitignore vendored
View File

@ -16,3 +16,4 @@ x86_64
/httpd-2.4.4.tar.bz2
/httpd-2.4.6.tar.bz2
/httpd-2.4.7.tar.bz2
/httpd-2.4.9.tar.bz2

View File

@ -1,76 +0,0 @@
--- httpd-2.4.7/modules/ssl/ssl_engine_config.c.sslsninotreq
+++ httpd-2.4.7/modules/ssl/ssl_engine_config.c
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_creat
mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
mc->pPool = pool;
mc->bFixed = FALSE;
+ mc->sni_required = FALSE;
/*
* initialize per-module configuration
--- httpd-2.4.7/modules/ssl/ssl_engine_init.c.sslsninotreq
+++ httpd-2.4.7/modules/ssl/ssl_engine_init.c
@@ -234,7 +234,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
/*
* Configuration consistency checks
*/
- ssl_init_CheckServers(base_server, ptemp);
+ ssl_init_CheckServers(mc, base_server, ptemp);
/*
* Announce mod_ssl and SSL library in HTTP Server field
@@ -1322,7 +1322,7 @@ void ssl_init_ConfigureServer(server_rec
}
}
-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
{
server_rec *s, *ps;
SSLSrvConfigRec *sc;
@@ -1404,6 +1404,7 @@ void ssl_init_CheckServers(server_rec *b
}
if (conflict) {
+ mc->sni_required = TRUE;
#ifndef HAVE_TLSEXT
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
"Init: You should not use name-based "
--- httpd-2.4.7/modules/ssl/ssl_engine_kernel.c.sslsninotreq
+++ httpd-2.4.7/modules/ssl/ssl_engine_kernel.c
@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
}
#ifdef HAVE_TLSEXT
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ if (myModConfig(r->server)->sni_required) {
char *host, *scope_id;
apr_port_t port;
apr_status_t rv;
@@ -205,6 +206,7 @@ int ssl_hook_ReadReq(request_rec *r)
" virtual host");
return HTTP_FORBIDDEN;
}
+ }
#endif
SSL_set_app_data2(ssl, r);
--- httpd-2.4.7/modules/ssl/ssl_private.h.sslsninotreq
+++ httpd-2.4.7/modules/ssl/ssl_private.h
@@ -520,6 +520,7 @@ typedef struct {
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
+ BOOL sni_required;
} SSLModConfigRec;
/** Structure representing configured filenames for certs and keys for
@@ -765,7 +766,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
-void ssl_init_CheckServers(server_rec *, apr_pool_t *);
+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
*ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
void ssl_init_Child(apr_pool_t *, server_rec *);

View File

@ -1,5 +1,7 @@
--- httpd-2.4.3/support/apxs.in.apxs
+++ httpd-2.4.3/support/apxs.in
diff --git a/support/apxs.in b/support/apxs.in
index ad1287f..efcfcf6 100644
--- a/support/apxs.in
+++ b/support/apxs.in
@@ -25,7 +25,18 @@ package apxs;
my %config_vars = ();
@ -53,4 +55,4 @@
+include %LIBDIR%/httpd/build/special.mk
# the used tools
APXS=apxs
APACHECTL=apachectl

View File

@ -0,0 +1,83 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 19ba733..28caefd 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
mc->pPool = pool;
mc->bFixed = FALSE;
+ mc->sni_required = FALSE;
/*
* initialize per-module configuration
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index b1741b8..8e0c4bc 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -244,7 +244,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
/*
* Configuration consistency checks
*/
- if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
+ if ((rv = ssl_init_CheckServers(mc, base_server, ptemp)) != APR_SUCCESS) {
return rv;
}
@@ -1398,7 +1398,7 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
return APR_SUCCESS;
}
-apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
{
server_rec *s, *ps;
SSLSrvConfigRec *sc;
@@ -1480,6 +1480,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
}
if (conflict) {
+ mc->sni_required = TRUE;
#ifndef HAVE_TLSEXT
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
"Init: You should not use name-based "
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index c60f0a6..232be86 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -165,6 +165,7 @@ int ssl_hook_ReadReq(request_rec *r)
#ifdef HAVE_TLSEXT
if (r->proxyreq != PROXYREQ_PROXY) {
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ if (myModConfig(r->server)->sni_required) {
char *host, *scope_id;
apr_port_t port;
apr_status_t rv;
@@ -216,6 +217,7 @@ int ssl_hook_ReadReq(request_rec *r)
return HTTP_FORBIDDEN;
}
}
+ }
#endif
SSL_set_app_data2(ssl, r);
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 516d7e6..624bf7a 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -489,6 +489,7 @@ typedef struct {
ap_socache_instance_t *stapling_cache_context;
apr_global_mutex_t *stapling_mutex;
#endif
+ BOOL sni_required;
} SSLModConfigRec;
/** Structure representing configured filenames for certs and keys for
@@ -738,7 +739,7 @@ apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_re
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
apr_array_header_t *);
-apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
*ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
void ssl_init_Child(apr_pool_t *, server_rec *);

View File

@ -13,8 +13,8 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.7
Release: 6%{?dist}
Version: 2.4.9
Release: 1%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -48,7 +48,7 @@ Source40: htcacheclean.service
Source41: htcacheclean.sysconf
# build/scripts patches
Patch1: httpd-2.4.1-apctl.patch
Patch2: httpd-2.4.3-apxs.patch
Patch2: httpd-2.4.9-apxs.patch
Patch3: httpd-2.4.1-deplibs.patch
Patch5: httpd-2.4.3-layout.patch
Patch6: httpd-2.4.3-apctl-systemd.patch
@ -63,10 +63,9 @@ Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch32: httpd-2.4.7-r1537535.patch
# Bug fixes
Patch51: httpd-2.4.7-sslsninotreq.patch
Patch51: httpd-2.4.9-sslsninotreq.patch
Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch
Patch58: httpd-2.4.6-r1534321.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -193,7 +192,6 @@ interface for storing and accessing per-user session data.
%patch51 -p1 -b .sslsninotreq
%patch55 -p1 -b .malformedhost
%patch56 -p1 -b .uniqueid
%patch58 -p1 -b .r1534321
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -626,6 +624,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
* Mon Mar 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.9-1
- update to 2.4.9
* Fri Feb 28 2014 Joe Orton <jorton@redhat.com> - 2.4.7-6
- use 2048-bit RSA key with SHA-256 signature in dummy certificate

View File

@ -1 +1 @@
170d7fb6fe5f28b87d1878020a9ab94e httpd-2.4.7.tar.bz2
2ef4e65353497606b24fa9bb3e5a3c40 httpd-2.4.9.tar.bz2