From a97f2e349c41c1599563dfb88056b807b5627e47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Tue, 24 Jan 2023 16:50:25 +0100
Subject: [PATCH] prevent sscg writing /dhparams.pem
---
 httpd-init.service | 1 +
 httpd-ssl-gencerts | 1 +
 httpd.spec | 7 +++++--
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/httpd-init.service b/httpd-init.service
index 3074778..704c314 100644
--- a/httpd-init.service
+++ b/httpd-init.service
@@ -8,5 +8,6 @@ ConditionPathExists=|!/etc/pki/tls/private/localhost.key
 [Service]
 Type=oneshot
 RemainAfterExit=no
+PrivateTmp=true
 ExecStart=/usr/libexec/httpd-ssl-gencerts
diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts
index 350f5b5..5c271f7 100755
--- a/httpd-ssl-gencerts
+++ b/httpd-ssl-gencerts
@@ -33,6 +33,7 @@ sscg -q \
 --cert-file /etc/pki/tls/certs/localhost.crt \
 --cert-key-file /etc/pki/tls/private/localhost.key \
 --ca-file /etc/pki/tls/certs/localhost.crt \
+ --dhparams-file /tmp/dhparams.pem \
 --lifetime 365 \
 --hostname $FQDN \
 --email root@$FQDN
diff --git a/httpd.spec b/httpd.spec
index 24b1365..d398834 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -24,7 +24,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.54
-Release: 11%{?dist}
+Release: 12%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -194,7 +194,7 @@ Epoch: 1
 BuildRequires: openssl-devel
 Requires(pre): httpd-filesystem
 Requires: httpd-core = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
-Requires: sscg >= 2.2.0, /usr/bin/hostname
+Requires: sscg >= 3.0.0-7, /usr/bin/hostname
 # Require an OpenSSL which supports PROFILE=SYSTEM
 Conflicts: openssl-libs < 1:1.0.1h-4
 # mod_ssl/mod_nss cannot both be loaded simultaneously
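Review bot: The new `PrivateTmp=true` in the `[Service]` section of httpd-init.service has no comment, and its purpose is only visible from the `/tmp/dhparams.pem` path that the same commit adds to httpd-ssl-gencerts. A later cleanup that drops the directive would silently move the DH parameters file into the shared /tmp. I would add a line above it such as `# httpd-ssl-gencerts makes sscg write dhparams.pem to /tmp; keep that /tmp private to this unit`.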
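Review bot: The added `--dhparams-file /tmp/dhparams.pem` in httpd-ssl-gencerts is a fixed file name in a world-writable directory, and it is only confined when the script runs under httpd-init.service with `PrivateTmp=true`. If the script is ever run by hand or from another unit (presumably as root, since it writes under /etc/pki/tls/private), the file lands in the shared /tmp at a predictable path and is left behind afterwards. The script can be made safe on its own with `tmpdir=$(mktemp -d) || exit 1`, `trap 'rm -rf "$tmpdir"' EXIT`, and `--dhparams-file "$tmpdir/dhparams.pem" \`. The sscg invocation starts above the hunk, so where the first two lines go needs checking against the rest of the script.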
@@ -854,6 +854,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Tue Jan 24 2023 Luboš Uhliarik - 2.4.54-12
+- prevent sscg writing /dhparams.pem
+
 * Thu Jan 19 2023 Fedora Release Engineering - 2.4.54-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild