Accepting request 66521 from home:lnussel:branches:Apache

we need a new mkcert script. Ok.

OBS-URL: https://build.opensuse.org/request/show/66521
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=330

apache2-vhost-ssl.template

@@ -11,22 +11,13 @@
 # This is the Apache server configuration file providing SSL support.
 # It contains the configuration directives to instruct the server how to
 # serve pages over an https connection. For detailing information about these 
-# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
+# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
 #
-#   For the moment, see <URL:http://www.modssl.org/docs/> for this info. 
-#   The documents are still being prepared from material donated by the
-#   modssl project.
-# 
 # Do NOT simply read the instructions in here without understanding
 # what they do.  They're here only as hints or reminders.  If you are unsure
 # consult the online docs. You have been warned.  
 #
 
-#   Until documentation is completed, please check http://www.modssl.org/
-#   for additional config examples and module docmentation.  Directives
-#   and features of mod_ssl are largely unchanged from the mod_ssl project
-#   for Apache 1.3.
-
 <IfDefine SSL>
 <IfDefine !NOSSL>
 
@@ -47,10 +38,16 @@
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
 
+	#  SSL protocols
+	#  Supporting TLS only is adequate nowadays
+	SSLProtocol all -SSLv2 -SSLv3
+
 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
-	#   See the mod_ssl documentation for a complete list.
-	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+	#   We disable weak ciphers by default.
+	#   See the mod_ssl documentation or "openssl ciphers -v" for a
+	#   complete list.
+	SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
 
 	#   Server Certificate:
 	#   Point SSLCertificateFile at a PEM encoded certificate.  If

apache2.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Apr  8 13:41:48 UTC 2011 - lnussel@suse.de
+
+- set sane default cipher string in apache2-vhost-ssl.template
+- remove useless example snakeoil certs
+- remove broken mkcert script
+
 -------------------------------------------------------------------
 Thu Feb 17 12:39:06 CET 2011 - werner@suse.de
 

apache2.spec

@@ -77,8 +77,6 @@ Source1:        apache2.changes
 Source10:       SUSE-NOTICE
 Source11:       rc.%{pname}
 Source13:       sysconfig.%{pname}
-Source16:       certificate.sh
-Source17:       mkcert.sh.gz
 Source18:       robots.txt
 Source20:       favicon.ico
 Source22:       apache2-README.QUICKSTART
@@ -319,14 +317,6 @@ Obsoletes:      apache-example-pages
 Some Example pages for Apache that show information about the installed
 server.
 
-%package example-certificates
-License:        ASLv..
-Summary:        Example certificates for the Apache 2 Web Server
-Group:          Productivity/Networking/Web/Servers
-
-%description example-certificates
-Snakeoil example certificates for Apache.
-
 %package utils
 License:        ASLv..
 Summary:        Apache 2 utilities
@@ -353,8 +343,6 @@ to administrators of web servers in general.
 #
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 #
-cp -p %{S:16} %{S:17} .; gunzip mkcert.sh.gz
-#
 # replace PLATFORM string that's seen in the "Server:" header
 #
 sed 's,(" PLATFORM "),(%platform_string),' server/core.c > tmp_file && mv tmp_file server/core.c
@@ -597,8 +585,7 @@ install -m 644 %{S:48} $RPM_BUILD_ROOT%{_datadir}/omc/svcinfo.d/
 #
 # ssl stuff
 install -m 755 %{S:25} $RPM_BUILD_ROOT/%{_bindir}/
-chmod 755 certificate.sh mkcert.sh
-tar xjf $RPM_SOURCE_DIR/apache-ssl-stuff.tar.bz2 -C $RPM_BUILD_ROOT/%{sysconfdir}
+tar xjf %{SOURCE29} -C $RPM_BUILD_ROOT/%{sysconfdir}
 #
 # init script and friends
 mkdir -p $RPM_BUILD_ROOT/etc/init.d
@@ -619,8 +606,9 @@ install -m 755 $RPM_SOURCE_DIR/a2enmod $RPM_BUILD_ROOT/%{_sbindir}
 ln -s a2enmod $RPM_BUILD_ROOT/%{_sbindir}/a2dismod
 #
 # directories for files from other packages and other configuration
-mkdir -p $RPM_BUILD_ROOT/%{sysconfdir}/vhosts.d
-mkdir -p $RPM_BUILD_ROOT/%{sysconfdir}/sysconfig.d
+for i in vhosts.d sysconfig.d; do
+	mkdir -p $RPM_BUILD_ROOT/%{sysconfdir}/$i
+done
 #
 # make list of all modules, and install sysconfig template
 for i in $(find $RPM_BUILD_ROOT/%{libexecdir}-%{default_mpm} -name "*.so" | sort); do
@@ -824,8 +812,6 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %defattr(-,root,root)
 %doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES
 %doc support/SHA1
-%doc %attr(755,root,root) certificate.sh
-%doc %attr(755,root,root) mkcert.sh
 %doc %{_mandir}/man8/apachectl%{vers}.8.*
 %doc %{_mandir}/man8/htcacheclean%{vers}.8.*
 %doc %{_mandir}/man8/%{httpd}.8.*
@@ -851,11 +837,7 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %dir %{sysconfdir}/ssl.csr
 %dir %attr(700,root,root) %{sysconfdir}/ssl.key
 %dir %{sysconfdir}/ssl.prm
-	%{sysconfdir}/ssl.*/README*
-%config %{sysconfdir}/ssl.*/Makefile
-%config(noreplace) %{sysconfdir}/ssl.crt/server.crt
-%config(noreplace) %{sysconfdir}/ssl.csr/server.csr
-%config(noreplace) %{sysconfdir}/ssl.key/server.key
+%{sysconfdir}/ssl.*/README*
 %dir %{sysconfdir}/conf.d
 %dir %{sysconfdir}/vhosts.d
 %dir %{sysconfdir}/sysconfig.d
@@ -946,11 +928,6 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %config(noreplace) %{htdocsdir}/favicon.ico
 %config(noreplace) %{htdocsdir}/robots.txt
 
-%files example-certificates
-%defattr(-,root,root)
-%{sysconfdir}/ssl.*/snakeoil*
-%{sysconfdir}/ssl.*/*.0
-
 %files utils
 %defattr(-,root,root)
 %doc %{_mandir}/man8/ab%{vers}.8.*

certificate.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-
-./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ test
-

mkcert.sh.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:90308cef136bdc2ad7501647a19ab321f9645f34a87bf2c496a334098915eef2
-size 4601