diff --git a/httpd-2.4.62-engine-fallback.patch b/httpd-2.4.62-engine-fallback.patch
new file mode 100644
index 0000000..d10d2c5
--- /dev/null
+++ b/httpd-2.4.62-engine-fallback.patch
@@ -0,0 +1,64 @@
+Index: modules/ssl/ssl_engine_pphrase.c
+===================================================================
+--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
++++ modules/ssl/ssl_engine_pphrase.c (working copy)
+@@ -806,6 +806,9 @@
+ return APR_SUCCESS;
+ }
++/* Tries to load the key and optionally certificate via the ENGINE
++ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
++ * ENGINE implementation. */
+ static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
+ apr_pool_t *ptemp,
+ const char *vhostid,
+@@ -831,7 +834,7 @@
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: Unrecognized private key identifier `%s'",
+ keyid);
+- return ssl_die(s);
++ return APR_ENOTIMPL;
+ }
+
+ scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
+@@ -839,8 +842,8 @@
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+ "Init: Failed to load engine for private key %s",
+ keyid);
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+- return ssl_die(s);
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
++ return APR_ENOTIMPL;
+ }
+
+ if (!ENGINE_init(e)) {
+@@ -996,15 +999,21 @@
+ X509 **pubkey, EVP_PKEY **privkey)
+ {
+ #if MODSSL_HAVE_ENGINE_API
+- SSLModConfigRec *mc = myModConfig(s);
++ apr_status_t rv;
+
+- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
+- * support was not present compile-time, or if it's built but
+- * SSLCryptoDevice is not configured. */
+- if (mc->szCryptoDevice)
+- return modssl_load_keypair_engine(s, pconf, ptemp,
+- vhostid, certid, keyid,
+- pubkey, privkey);
++ rv = modssl_load_keypair_engine(s, pconf, ptemp,
++ vhostid, certid, keyid,
++ pubkey, privkey);
++ if (rv == APR_SUCCESS) {
++ return rv;
++ }
++ /* If STORE support is not present, all errors are fatal here; if
++ * STORE is present and the ENGINE could not be loaded, ignore the
++ * error and fall through to try loading via the STORE API. */
++ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
++ return ssl_die(s);
++ }
++
+ #endif
+ #if MODSSL_HAVE_OPENSSL_STORE
+ return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
diff --git a/httpd.spec b/httpd.spec
index bca1d25..f0c8c12 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.62
-Release: 1%{?dist}
+Release: 2%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -96,6 +96,8 @@ Patch100: httpd-2.4.43-enable-sslv3.patch
Patch101: httpd-2.4.48-full-release.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Patch102: httpd-2.4.62-r1919325.patch
+# https://issues.redhat.com/browse/RHEL-36755
+Patch103: httpd-2.4.62-engine-fallback.patch
# Security fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=...
@@ -258,6 +260,7 @@ written in the Lua programming language.
%patch100 -p1 -b .enable-sslv3
%patch101 -p1 -b .full-release
%patch102 -p1 -b .r1919325
+%patch103 -p0 -b .engine-fallback
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -819,6 +822,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Thu Sep 12 2024 Joe Orton - 2.4.62-2
+- mod_ssl: fix loading keys via ENGINE API
+ Resolves: RHEL-36755
+
* Sat Aug 03 2024 Luboš Uhliarik - 2.4.62-1
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix
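Review bot: The `ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132) "Init: Failed to load engine for private key %s"` call in the third inner hunk is left at APLOG_EMERG while the same path is changed to return APR_ENOTIMPL and to log the OpenSSL error at APLOG_NOTICE, so on a build with STORE support a key whose scheme has no ENGINE — the exact case the caller now deliberately falls through on — still writes an emergency-level entry during a startup that then succeeds via modssl_load_keypair_store(). Operators and alerting rules keyed on EMERG will see a false positive on every (re)start, so the level should follow the new non-fatal semantics, e.g. `ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10132)`, with the caller remaining responsible for the fatal report when it actually reaches ssl_die(); the APLOGNO(10131) "Unrecognized private key identifier" message, which also now returns APR_ENOTIMPL, has the same problem. Note also that the ENGINE path is no longer gated on SSLCryptoDevice (the `mc->szCryptoDevice` check is removed), so ENGINE_by_id() is now attempted for every key id that reaches this function; if the OpenSSL build in use falls back to dynamic engine loading for unknown ids, that is a new implicit module load driven by the configured key identifier and deserves a comment at the call site. Both `modssl_load_keypair_engine` and the calling function extend beyond the lines shown, so whether plain file paths ever reach the 10131 path cannot be confirmed from this hunk.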