25 Commits

Author SHA1 Message Date
Joe Orton
e6f5630905 comment-out SSLProtocol, SSLProxyProtocol from ssl.conf in
default configuration; now follow OpenSSL system default (#1468322)
Resolves: rhbz#1468322
2018-09-21 15:22:11 +01:00
Joe Orton
45393c8877 use sscg defaults; append CA cert to generated cert
document httpd-init.service in httpd-init.service(8)
2017-10-03 10:04:03 +01:00
Stephen Gallagher
f0c4143d98 Generate SSL keys on service start
This defers the creation of self-signed SSL certificates to the
first time that httpd starts up. This has several advantages:

* Waiting until the first boot will help avoid some issues with
  limited entropy in the install process.
* The certificates can be regenerated automatically whenever they
  are removed, which helps with tools such as virt-sysprep
* The certificates are now generated by SSCG, which produces a
  limited-trust CA alongside it that can be safely imported by a
  client.

For more information on SSCG, see:
https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2017-10-03 10:04:03 +01:00
Joe Orton
0d708eba11 fix build with OpenSSL 1.1 (#1392900)
- fix typos in ssl.conf (josef randinger, #1379407)
Resolves: rhbz#1392900
Resolves: rhbz#1379407
2016-11-14 10:46:52 +00:00
Joe Orton
60e3fdb529 - sync with upstream.
2016-11-02 11:29:45 +00:00
Joe Orton
91a2788bce update to 2.4.17 (#1271224)
- build, load mod_http2
- don't build mod_asis, mod_file_cache
- load mod_cache_socache, mod_proxy_wstunnel by default
- check every built mod_* is configured
- synch ssl.conf with upstream; disable SSLv3 by default
Resolves: rhbz#1271224
2015-10-14 09:06:30 +01:00
Joe Orton
793563ad40 pull in httpd-filesystem as Requires(pre) (#1128328)
- fix cipher selection in default ssl.conf, depend on new OpenSSL (#1134348)
- require hostname for mod_ssl post script (#1135118)
Resolves: rhbz#1135118
Resolves: rhbz#1134348
Resolves: rhbz#1128328
2014-08-29 14:45:59 +01:00
Joe Orton
4475e3e262 mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
Resolves: rhbz#1109119
2014-08-21 11:32:44 +01:00
Joe Orton
c0bdfa464b mod_ssl: don't use the default OpenSSL cipher suite in ssl.conf (#1109119)
Resolves: rhbz#1109119
2014-06-20 10:54:36 +01:00
Joe Orton
ef68bba83e use /run for default SSL cache
2012-06-07 14:03:09 +01:00
Joe Orton
ea6aac8abd tweak default ssl.conf
- fix restart handling (#814645)
- use graceful restart by default
Resolves: rhbz#814645
2012-04-20 12:38:40 +01:00
Joe Orton
3a44ff7655 update to 2.4.1
- adopt upstream default httpd.conf (almost verbatim)
- split all LoadModules to conf.modules.d/*.conf
- include conf.d/*.conf at end of httpd.conf
- trim %changelog
2012-03-13 09:55:18 +00:00
Jan Kaluza
2673a432a9 fix #707917 - add httpd-ssl-pass-dialog to ask for SSL password using systemd
2011-08-10 08:04:14 +02:00
Joe Orton
0e9583d159 - update default SSLCipherSuite per upstream trunk
2011-01-08 08:41:29 +00:00
jorton
a107994cdf - move AddTypes for SSL cert/CRL types from ssl.conf to httpd.conf
(#449979)
2008-07-15 13:44:47 +00:00
jorton
9f9ccbc5d3 - don't strip C-L from HEAD responses (Greg Ames, #110552)
- load mod_proxy_balancer by default
- add proxy_ajp.conf to load/configure mod_proxy_ajp
- Obsolete mod_jk
- update docs URLs in httpd.conf/ssl.conf
2005-12-05 17:26:03 +00:00
jorton
9d36ace72f - log notice giving SELinux context at startup if enabled
- drop SSLv2 and restrict default cipher suite in default SSL configuration
2005-11-03 16:27:11 +00:00
jorton
06872c83d1 - create default dummy cert in /etc/pki/tls
- use a pseudo-random serial number on the dummy cert
- change default ssl.conf to point at /etc/pki/tls
- merge back -suexec subpackage; SELinux policy can now be used to
    persistently disable suexec (#155716)
- drop /etc/httpd/conf/ssl.* directories and Makefiles
- unconditionally enable PIE support
- mod_ssl: fix for picking up -shutdown options (upstream #34452)
2005-04-25 21:35:08 +00:00
jorton
7c0f3e466d - add security fix for CVE CAN-2004-0942 (memory consumption DoS)
- SELinux: run httpd -t under runcon in configtest (Steven Smalley)
- fix SSLSessionCache comment for distcache in ssl.conf
- restart using SIGHUP not SIGUSR1 after logrotate
- add ap_save_brigade fix (upstream #31247)
- mod_ssl: fix possible segfault in auth hook (upstream #31848)
- add htsslpass(1) and configure as default SSLPassPhraseDialog (#128677)
- apachectl: restore use of $OPTIONS
- apachectl, httpd.init: refuse to restart if $HTTPD -t fails
- apachectl: run $HTTPD -t in user SELinux context for configtest
- update for pcre-5.0 header locations
2004-11-18 11:59:52 +00:00
cvsdist
b895f53cf3 auto-import changelog data from httpd-2.0.49-2.ent.src.rpm
Fri Mar 26 2004 Joe Orton <jorton@redhat.com> 2.0.49-2
- mod_ssl: fix session cache memory leak (Madhu Mathihalli)
- mod_ssl: fix SEGV when trying to shutdown during pool cleanup
- merge the mod_proxy HTTP/1.1-compliance fixes
- apply fix for #118020
2004-09-09 06:18:41 +00:00
cvsdist
6356941d71 auto-import httpd-2.0.48-10 from httpd-2.0.48-10.src.rpm
2004-09-09 06:16:56 +00:00
cvsdist
d48e904fad auto-import httpd-2.0.47-10 from httpd-2.0.47-10.src.rpm
2004-09-09 06:16:14 +00:00
cvsdist
f13b38c6d9 auto-import changelog data from httpd-2.0.40-5.src.rpm
Sun Sep 01 2002 Joe Orton <jorton@redhat.com> 2.0.40-5
- fix SSL session cache (#69699)
- revert addition of LDAP support to apr-util
2004-09-09 06:09:40 +00:00
cvsdist
c70491735f auto-import changelog data from httpd-2.0.40-1.src.rpm
Mon Aug 12 2002 Joe Orton <jorton@redhat.com> 2.0.40-1
- update to 2.0.40
Wed Jul 24 2002 Joe Orton <jorton@redhat.com> 2.0.36-8
- improve comment on use of UserDir in default config (#66886)
2004-09-09 06:08:51 +00:00
cvsdist
3cbd43bfe9 auto-import changelog data from httpd-2.0.36-7.src.rpm
Wed Jul 10 2002 Joe Orton <jorton@redhat.com> 2.0.36-7
- use /sbin/nologin as shell for apache user (#68371)
- add patch from CVS to fix possible infinite loop when processing internal
    redirects
Wed Jun 26 2002 Gary Benson <gbenson@redhat.com> 2.0.36-6
- modify init script to detect 1.3.x httpd.conf's and direct users to the
    migration guide
Tue Jun 25 2002 Gary Benson <gbenson@redhat.com> 2.0.36-5
- patch apachectl to detect 1.3.x httpd.conf's and direct users to the
    migration guide
- ship the migration guide
Fri Jun 21 2002 Joe Orton <jorton@redhat.com>
- move /etc/httpd2 back to /etc/httpd
- add noindex.html page and poweredby logo; tweak default config to load
    noindex.html if no default "/" page is present.
- add patch to prevent mutex errors on graceful restart
Fri Jun 21 2002 Tim Powers <timp@redhat.com> 2.0.36-4
- automated rebuild
Wed Jun 12 2002 Joe Orton <jorton@redhat.com> 2.0.36-3
- add patch to fix SSL mutex handling
Wed Jun 12 2002 Joe Orton <jorton@redhat.com> 2.0.36-2
- improved config directory patch
Mon May 20 2002 Joe Orton <jorton@redhat.com>
- initial build; based heavily on apache.spec and mod_ssl.spec
- fixes: #65214, #58490, #57376, #61265, #65518, #58177, #57245
2004-09-09 06:08:44 +00:00