diff --git a/apache2.changes b/apache2.changes index be0e673..b3dbe98 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Mon Nov 25 22:15:51 UTC 2013 - crrodriguez@opensuse.org + +- update to apache 2.4.7, important changes: + +* This release requires both apr and apr-util 1.5.x series + and therefore will no longer build in older released products +* mod_ssl: Improve handling of ephemeral DH and ECDH keys + (obsoletes httpd-mod_ssl_ephemeralkeyhandling.patch) +* event MPM: Fix possible crashes +* mod_deflate: Improve error detection +* core: Add open_htaccess hook in conjunction with dirwalk_stat. +* mod_rewrite: Make rewrite websocket-aware to allow proxying. +* mod_ssl: drop support for export-grade ciphers with ephemeral RSA + keys, and unconditionally disable aNULL, eNULL and EXP ciphers + (not overridable via SSLCipherSuite) +* see CHANGES for more details + ------------------------------------------------------------------- Sat Nov 16 00:52:15 UTC 2013 - crrodriguez@opensuse.org diff --git a/apache2.spec b/apache2.spec index fcfcaab..99892e6 100644 --- a/apache2.spec +++ b/apache2.spec @@ -21,9 +21,11 @@ BuildRequires: automake BuildRequires: db-devel BuildRequires: ed BuildRequires: libapr-util1-devel -BuildRequires: libapr1-devel >= 1.4.2 +#Since 2.4.7 the event MPM requires apr 1.5.0 or later. +BuildRequires: libapr1-devel >= 1.5.0 +# BuildRequires: openldap2-devel -BuildRequires: openssl-devel +BuildRequires: openssl-devel >= 0.9.8a BuildRequires: pcre-devel BuildRequires: xz BuildRequires: zlib-devel @@ -91,8 +93,8 @@ BuildRequires: expat-devel # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.4.6 -Version: 2.4.6 +%define realver 2.4.7 +Version: 2.4.7 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: httpd-%{realver}.tar.bz2 @@ -161,9 +163,7 @@ Patch70: apache2-implicit-pointer-decl.patch #Provides: apache2(mod_ssl+npn) # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration. Patch109: httpd-2.4.3-mod_systemd.patch -Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch Patch111: httpd-visibility.patch -Patch112: httpd-mod_ssl_ephemeralkeyhandling.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -385,9 +385,7 @@ to administrators of web servers in general. %patch70 -p1 #%patch108 -p1 %patch109 -p1 -%patch110 %patch111 -p1 -%patch112 -p1 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{S:22}) diff --git a/httpd-2.4.6.tar.bz2 b/httpd-2.4.6.tar.bz2 deleted file mode 100644 index d5e5a19..0000000 --- a/httpd-2.4.6.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea -size 4949897 diff --git a/httpd-2.4.7.tar.bz2 b/httpd-2.4.7.tar.bz2 new file mode 100644 index 0000000..3f3ebe0 --- /dev/null +++ b/httpd-2.4.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b +size 5004719 diff --git a/httpd-event-ssl.patch b/httpd-event-ssl.patch deleted file mode 100644 index 7018d41..0000000 --- a/httpd-event-ssl.patch +++ /dev/null @@ -1,106 +0,0 @@ ---- include/httpd.h.orig -+++ include/httpd.h -@@ -1175,12 +1175,20 @@ typedef enum { - CONN_STATE_LINGER_SHORT /* MPM has started lingering close with short timeout */ - } conn_state_e; - -+typedef enum { -+ CONN_SENSE_DEFAULT, -+ CONN_SENSE_WANT_READ, /* next event must be read */ -+ CONN_SENSE_WANT_WRITE /* next event must be write */ -+} conn_sense_e; -+ - /** - * @brief A structure to contain connection state information - */ - struct conn_state_t { - /** Current state of the connection */ - conn_state_e state; -+ /** Whether to read instead of write, or write instead of read */ -+ conn_sense_e sense; - }; - - /* Per-vhost config... */ ---- modules/ssl/ssl_engine_io.c.orig -+++ modules/ssl/ssl_engine_io.c -@@ -775,6 +775,18 @@ static apr_status_t ssl_filter_write(ap_ - */ - outctx->rc = APR_EAGAIN; - } -+ else if (ssl_err == SSL_ERROR_WANT_READ) { -+ /* -+ * If OpenSSL wants to read during write, and we were -+ * nonblocking, set the sense explicitly to read and -+ * report as an EAGAIN. -+ * -+ * (This is usually the case when the client forces an SSL -+ * renegotiation which is handled implicitly by OpenSSL.) -+ */ -+ outctx->c->cs->sense = CONN_SENSE_WANT_READ; -+ outctx->rc = APR_EAGAIN; -+ } - else if (ssl_err == SSL_ERROR_SYSCALL) { - ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, APLOGNO(01993) - "SSL output filter write failed."); -@@ -1902,8 +1914,10 @@ void ssl_io_filter_init(conn_rec *c, req - filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); - filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c); - -- /* We insert a clogging input filter. Let the core know. */ -- c->clogging_input_filters = 1; -+ /* write is non blocking for the benefit of async mpm */ -+ if (c->cs) { -+ BIO_set_nbio(filter_ctx->pbioWrite, 1); -+ } - - ssl_io_input_add_filter(filter_ctx, c, r, ssl); - ---- server/mpm/event/event.c.orig -+++ server/mpm/event/event.c -@@ -790,7 +790,10 @@ static int start_lingering_close_common( - apr_atomic_inc32(&lingering_count); - apr_thread_mutex_lock(timeout_mutex); - TO_QUEUE_APPEND(*q, cs); -- cs->pfd.reqevents = APR_POLLIN | APR_POLLHUP | APR_POLLERR; -+ cs->pfd.reqevents = ( -+ cs->pub.sense == CONN_SENSE_WANT_WRITE ? APR_POLLOUT : -+ APR_POLLIN) | APR_POLLHUP | APR_POLLERR; -+ cs->pub.sense = CONN_SENSE_DEFAULT; - rv = apr_pollset_add(event_pollset, &cs->pfd); - apr_thread_mutex_unlock(timeout_mutex); - if (rv != APR_SUCCESS && !APR_STATUS_IS_EEXIST(rv)) { -@@ -938,6 +941,7 @@ static void process_socket(apr_thread_t - */ - cs->pub.state = CONN_STATE_READ_REQUEST_LINE; - -+ cs->pub.sense = CONN_SENSE_DEFAULT; - } - else { - c = cs->c; -@@ -946,9 +950,11 @@ static void process_socket(apr_thread_t - } - - if (c->clogging_input_filters && !c->aborted) { -- /* Since we have an input filter which 'cloggs' the input stream, -- * like mod_ssl, lets just do the normal read from input filters, -- * like the Worker MPM does. -+ /* Since we have an input filter which 'clogs' the input stream, -+ * like mod_ssl used to, lets just do the normal read from input -+ * filters, like the Worker MPM does. Filters that need to write -+ * where they would otherwise read, or read where they would -+ * otherwise write, should set the sense appropriately. - */ - apr_atomic_inc32(&clogged_count); - ap_run_process_connection(c); -@@ -994,7 +1000,10 @@ read_request: - cs->expiration_time = ap_server_conf->timeout + apr_time_now(); - apr_thread_mutex_lock(timeout_mutex); - TO_QUEUE_APPEND(write_completion_q, cs); -- cs->pfd.reqevents = APR_POLLOUT | APR_POLLHUP | APR_POLLERR; -+ cs->pfd.reqevents = ( -+ cs->pub.sense == CONN_SENSE_WANT_READ ? APR_POLLIN : -+ APR_POLLOUT) | APR_POLLHUP | APR_POLLERR; -+ cs->pub.sense = CONN_SENSE_DEFAULT; - rc = apr_pollset_add(event_pollset, &cs->pfd); - apr_thread_mutex_unlock(timeout_mutex); - return; diff --git a/httpd-mod_ssl_ephemeralkeyhandling.patch b/httpd-mod_ssl_ephemeralkeyhandling.patch deleted file mode 100644 index d91fda5..0000000 --- a/httpd-mod_ssl_ephemeralkeyhandling.patch +++ /dev/null @@ -1,1619 +0,0 @@ -commit 3a14aba1b65f627ab27d2bd4bb10e779635b6bcc -Author: Jim Jagielski -Date: Fri Nov 15 17:06:18 2013 +0000 - - Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk: - - Streamline ephemeral key handling: - - - drop support for ephemeral RSA keys (only allowed/needed - for export ciphers) - - - drop pTmpKeys from the per-process SSLModConfigRec, and remove - the temp key generation at startup (unnecessary for DHE/ECDHE) - - - unconditionally disable null and export-grade ciphers by always - prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string - - - do not configure per-connection SSL_tmp_*_callbacks, as it is - sufficient to set them for the SSL_CTX - - - set default curve for ECDHE at startup, obviating the need - for a per-handshake callback, for the time being (and also - configure SSL_OP_SINGLE_ECDH_USE, previously left out) - - For additional background, see - https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E - - - Follow-up fixes for r1526168: - - - drop SSL_TMP_KEY_* constants from ssl_private.h, too - - - make sure we also disable aNULL, eNULL and EXP ciphers - for per-directory SSLCipherSuite directives - - - apply the same treatment to SSLProxyCipherSuite - - - Increase minimum required OpenSSL version to 0.9.8a (in preparation - for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y - functions added in that release): - - - remove obsolete #defines / macros - - - in ssl_private.h, regroup definitions based on whether - they depend on TLS extension support or not - - - for ECC and SRP support, set HAVE_X and change the rather awkward - #ifndef OPENSSL_NO_X lines accordingly - - For the discussion prior to taking this step, see - https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E - - - Improve ephemeral key handling (companion to r1526168): - - - allow to configure custom DHE or ECDHE parameters via the - SSLCertificateFile directive, and adapt its documentation - accordingly (addresses PR 49559) - - - add standardized DH parameters from RFCs 2409 and 3526, - use them based on the length of the certificate's RSA/DSA key, - and add a FAQ entry for clients which limit DH support - to 1024 bits (such as Java 7 and earlier) - - - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to - ssl_util_ssl.c, and add ssl_ec_GetParamFromFile() - - - drop ssl_engine_dh.c from mod_ssl - - For the standardized DH parameters, OpenSSL version 0.9.8a - or later is required, which was therefore made a new minimum - requirement in r1527294. - - - PR 55616 (add missing APLOGNO), part 2 - Submitted by: kbrand - Reviewed/backported by: jim - - - git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68 - ---- httpd-2.4.6.orig/LAYOUT -+++ httpd-2.4.6/LAYOUT -@@ -108,7 +108,6 @@ modules/ ................ Manditory and - mod_ssl.c ............... main source file containing API structures - mod_ssl.h ............... common header file of mod_ssl - ssl_engine_config.c ..... module configuration handling -- ssl_engine_dh.c ......... DSA/DH support - ssl_engine_init.c ....... module initialization - ssl_engine_io.c ......... I/O support - ssl_engine_kernel.c ..... SSL engine kernel ---- httpd-2.4.6.orig/modules/ssl/config.m4 -+++ httpd-2.4.6/modules/ssl/config.m4 -@@ -20,7 +20,6 @@ dnl # list of module object files - ssl_objs="dnl - mod_ssl.lo dnl - ssl_engine_config.lo dnl --ssl_engine_dh.lo dnl - ssl_engine_init.lo dnl - ssl_engine_io.lo dnl - ssl_engine_kernel.lo dnl ---- httpd-2.4.6.orig/modules/ssl/mod_ssl.c -+++ httpd-2.4.6/modules/ssl/mod_ssl.c -@@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds - SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, - "Strict SNI virtual host checking") - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - SSL_CMD_SRV(SRPVerifierFile, TAKE1, - "SRP verifier file " - "('/path/to/file' - created by srptool)") -@@ -471,15 +471,6 @@ int ssl_init_ssl_connection(conn_rec *c, - - sslconn->ssl = ssl; - -- /* -- * Configure callbacks for SSL connection -- */ -- SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); -- SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); --#ifndef OPENSSL_NO_EC -- SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); --#endif -- - SSL_set_verify_result(ssl, X509_V_OK); - - ssl_io_filter_init(c, r, ssl); ---- httpd-2.4.6.orig/modules/ssl/mod_ssl.dsp -+++ httpd-2.4.6/modules/ssl/mod_ssl.dsp -@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c - # End Source File - # Begin Source File - --SOURCE=.\ssl_engine_dh.c --# End Source File --# Begin Source File -- - SOURCE=.\ssl_engine_init.c - # End Source File - # Begin Source File ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_config.c -+++ httpd-2.4.6/modules/ssl/ssl_engine_config.c -@@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat - mc->stapling_mutex = NULL; - #endif - -- memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); -- - apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY, - apr_pool_cleanup_null, - pool); -@@ -150,7 +148,7 @@ static void modssl_ctx_init(modssl_ctx_t - mctx->stapling_force_url = NULL; - #endif - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - mctx->srp_vfile = NULL; - mctx->srp_unknown_user_seed = NULL; - mctx->srp_vbase = NULL; -@@ -208,7 +206,7 @@ static SSLSrvConfigRec *ssl_config_serve - sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET; - sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET; - sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET; --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - sc->strict_sni_vhost_check = SSL_ENABLED_UNSET; - #endif - #ifdef HAVE_FIPS -@@ -282,7 +280,7 @@ static void modssl_ctx_cfg_merge(modssl_ - cfgMerge(stapling_force_url, NULL); - #endif - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - cfgMergeString(srp_vfile); - cfgMergeString(srp_unknown_user_seed); - #endif -@@ -338,7 +336,7 @@ void *ssl_config_server_merge(apr_pool_t - cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET); - cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET); - cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET); --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET); - #endif - #ifdef HAVE_FIPS -@@ -645,6 +643,9 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; - -+ /* always disable null and export ciphers */ -+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); -+ - if (cmd->path) { - dc->szCipherSuite = arg; - } -@@ -1384,6 +1385,9 @@ const char *ssl_cmd_SSLProxyCipherSuite( - { - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - -+ /* always disable null and export ciphers */ -+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); -+ - sc->proxy->auth.cipher_suite = arg; - - return NULL; -@@ -1645,7 +1649,7 @@ const char *ssl_cmd_SSLProxyCheckPeerNam - - const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag) - { --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - - sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; -@@ -1804,7 +1808,7 @@ const char *ssl_cmd_SSLStaplingForceURL( - - #endif /* HAVE_OCSP_STAPLING */ - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - - const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, - const char *arg) -@@ -1828,7 +1832,7 @@ const char *ssl_cmd_SSLSRPUnknownUserSee - return NULL; - } - --#endif /* OPENSSL_NO_SRP */ -+#endif /* HAVE_SRP */ - - void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) - { ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_dh.c -+++ /dev/null -@@ -1,244 +0,0 @@ --#if 0 --=pod --#endif -- --/* Licensed to the Apache Software Foundation (ASF) under one or more -- * contributor license agreements. See the NOTICE file distributed with -- * this work for additional information regarding copyright ownership. -- * The ASF licenses this file to You under the Apache License, Version 2.0 -- * (the "License"); you may not use this file except in compliance with -- * the License. You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ -- --/* _ _ -- * _ __ ___ ___ __| | ___ ___| | mod_ssl -- * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL -- * | | | | | | (_) | (_| | \__ \__ \ | -- * |_| |_| |_|\___/ \__,_|___|___/___/_| -- * |_____| -- * ssl_engine_dh.c -- * Diffie-Hellman Built-in Temporary Parameters -- */ -- --#include "ssl_private.h" -- --/* ----BEGIN GENERATED SECTION-------- */ -- --/* --** Diffie-Hellman-Parameters: (512 bit) --** prime: --** 00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba: --** 2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1: --** 6e:37:41:71:fd:19:d8:d8:f3:7c:39:bf:86:3f:d6: --** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70: --** e6:aa:87:10:33 --** generator: 2 (0x2) --** Diffie-Hellman-Parameters: (1024 bit) --** prime: --** 00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd: --** 0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98: --** bc:e9:51:84:9f:91:2e:63:9c:72:fb:13:b4:b4:d7: --** 17:7e:16:d5:5a:c1:79:ba:42:0b:2a:29:fe:32:4a: --** 46:7a:63:5e:81:ff:59:01:37:7b:ed:dc:fd:33:16: --** 8a:46:1a:ad:3b:72:da:e8:86:00:78:04:5b:07:a7: --** db:ca:78:74:08:7d:15:10:ea:9f:cc:9d:dd:33:05: --** 07:dd:62:db:88:ae:aa:74:7d:e0:f4:d6:e2:bd:68: --** b0:e7:39:3e:0f:24:21:8e:b3 --** generator: 2 (0x2) --*/ -- --static unsigned char dh512_p[] = { -- 0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37, -- 0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18, -- 0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8, -- 0xD8, 0xF3, 0x7C, 0x39, 0xBF, 0x86, 0x3F, 0xD6, 0x0E, 0x3E, 0x30, 0x06, -- 0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6, -- 0xAA, 0x87, 0x10, 0x33, --}; --static unsigned char dh512_g[] = { -- 0x02, --}; -- --static DH *get_dh512(void) --{ -- DH *dh; -- -- if (!(dh = DH_new())) { -- return NULL; -- } -- -- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); -- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); -- if (!(dh->p && dh->g)) { -- DH_free(dh); -- return NULL; -- } -- -- return dh; --} -- --static unsigned char dh1024_p[] = { -- 0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3, -- 0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B, -- 0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E, -- 0x63, 0x9C, 0x72, 0xFB, 0x13, 0xB4, 0xB4, 0xD7, 0x17, 0x7E, 0x16, 0xD5, -- 0x5A, 0xC1, 0x79, 0xBA, 0x42, 0x0B, 0x2A, 0x29, 0xFE, 0x32, 0x4A, 0x46, -- 0x7A, 0x63, 0x5E, 0x81, 0xFF, 0x59, 0x01, 0x37, 0x7B, 0xED, 0xDC, 0xFD, -- 0x33, 0x16, 0x8A, 0x46, 0x1A, 0xAD, 0x3B, 0x72, 0xDA, 0xE8, 0x86, 0x00, -- 0x78, 0x04, 0x5B, 0x07, 0xA7, 0xDB, 0xCA, 0x78, 0x74, 0x08, 0x7D, 0x15, -- 0x10, 0xEA, 0x9F, 0xCC, 0x9D, 0xDD, 0x33, 0x05, 0x07, 0xDD, 0x62, 0xDB, -- 0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0, -- 0xE7, 0x39, 0x3E, 0x0F, 0x24, 0x21, 0x8E, 0xB3, --}; --static unsigned char dh1024_g[] = { -- 0x02, --}; -- --static DH *get_dh1024(void) --{ -- DH *dh; -- -- if (!(dh = DH_new())) { -- return NULL; -- } -- -- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); -- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); -- if (!(dh->p && dh->g)) { -- DH_free(dh); -- return NULL; -- } -- -- return dh; --} -- --/* ----END GENERATED SECTION---------- */ -- --DH *ssl_dh_GetTmpParam(int nKeyLen) --{ -- DH *dh; -- -- if (nKeyLen == 512) -- dh = get_dh512(); -- else if (nKeyLen == 1024) -- dh = get_dh1024(); -- else -- dh = get_dh1024(); -- return dh; --} -- --DH *ssl_dh_GetParamFromFile(char *file) --{ -- DH *dh = NULL; -- BIO *bio; -- -- if ((bio = BIO_new_file(file, "r")) == NULL) -- return NULL; -- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -- BIO_free(bio); -- return (dh); --} -- --/* --=cut --## --## Embedded Perl script for generating the temporary DH parameters --## -- --require 5.003; --use strict; -- --# configuration --my $file = $0; --my $begin = '----BEGIN GENERATED SECTION--------'; --my $end = '----END GENERATED SECTION----------'; -- --# read ourself and keep a backup --open(FP, "<$file") || die; --my $source = ''; --$source .= $_ while (); --close(FP); --open(FP, ">$file.bak") || die; --print FP $source; --close(FP); -- --# generate the DH parameters --print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n"; --my $rand = ''; --foreach $file (qw(/var/log/messages /var/adm/messages -- /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) { -- if (-f $file) { -- $rand = $file if ($rand eq ''); -- $rand .= ":$file" if ($rand ne ''); -- } --} --$rand = "-rand $rand" if ($rand ne ''); --system("openssl gendh $rand -out dh512.pem 512"); --system("openssl gendh $rand -out dh1024.pem 1024"); -- --# generate DH param info --my $dhinfo = ''; --open(FP, "openssl dh -noout -text -in dh512.pem |") || die; --$dhinfo .= $_ while (); --close(FP); --open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; --$dhinfo .= $_ while (); --close(FP); --$dhinfo =~ s|^|** |mg; --$dhinfo = "\n\/\*\n$dhinfo\*\/\n\n"; -- --my $indent_args = "-i4 -npsl -di0 -br -nce -d0 -cli0 -npcs -nfc1"; -- --# generate C source from DH params --my $dhsource = ''; --open(FP, "openssl dh -noout -C -in dh512.pem | indent $indent_args | expand |") || die; --$dhsource .= $_ while (); --close(FP); --open(FP, "openssl dh -noout -C -in dh1024.pem | indent $indent_args | expand |") || die; --$dhsource .= $_ while (); --close(FP); --$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void) --{ -- DH *dh; -- -- if (!(dh = DH_new())) { -- return NULL; -- } -- -- dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL); -- dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL); -- if (!(dh->p && dh->g)) { -- DH_free(dh); -- return NULL; -- } -- -- return dh; --} --|sg; -- --# generate output --my $o = $dhinfo . $dhsource; -- --# insert the generated code at the target location --$source =~ s|(\/\* $begin.+?\n).*\n(.*?\/\* $end)|$1$o$2|s; -- --# and update the source on disk --print "Updating file `$file'\n"; --open(FP, ">$file") || die; --print FP $source; --close(FP); -- --# cleanup --unlink("dh512.pem"); --unlink("dh1024.pem"); -- --=pod --*/ ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_init.c -+++ httpd-2.4.6/modules/ssl/ssl_engine_init.c -@@ -35,7 +35,7 @@ - ** _________________________________________________________________ - */ - --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - #define KEYTYPES "RSA, DSA or ECC" - #else - #define KEYTYPES "RSA or DSA" -@@ -56,180 +56,6 @@ static void ssl_add_version_components(a - modver, AP_SERVER_BASEVERSION, incver); - } - -- --/* -- * Handle the Temporary RSA Keys and DH Params -- */ -- --#define MODSSL_TMP_KEY_FREE(mc, type, idx) \ -- if (mc->pTmpKeys[idx]) { \ -- type##_free((type *)mc->pTmpKeys[idx]); \ -- mc->pTmpKeys[idx] = NULL; \ -- } -- --#define MODSSL_TMP_KEYS_FREE(mc, type) \ -- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \ -- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024) -- --static void ssl_tmp_keys_free(server_rec *s) --{ -- SSLModConfigRec *mc = myModConfig(s); -- -- MODSSL_TMP_KEYS_FREE(mc, RSA); -- MODSSL_TMP_KEYS_FREE(mc, DH); --#ifndef OPENSSL_NO_EC -- MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256); --#endif --} -- --static int ssl_tmp_key_init_rsa(server_rec *s, -- int bits, int idx) --{ -- SSLModConfigRec *mc = myModConfig(s); -- --#ifdef HAVE_FIPS -- -- if (FIPS_mode() && bits < 1024) { -- mc->pTmpKeys[idx] = NULL; -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01877) -- "Init: Skipping generating temporary " -- "%d bit RSA private key in FIPS mode", bits); -- return OK; -- } -- --#endif --#ifdef HAVE_GENERATE_EX -- { -- RSA *tkey; -- BIGNUM *bn_f4; -- if (!(tkey = RSA_new()) -- || !(bn_f4 = BN_new()) -- || !BN_set_word(bn_f4, RSA_F4) -- || !RSA_generate_key_ex(tkey, bits, bn_f4, NULL)) -- { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01878) -- "Init: Failed to generate temporary " -- "%d bit RSA private key", bits); -- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); -- return !OK; -- } -- BN_free(bn_f4); -- mc->pTmpKeys[idx] = tkey; -- } --#else -- if (!(mc->pTmpKeys[idx] = -- RSA_generate_key(bits, RSA_F4, NULL, NULL))) -- { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01879) -- "Init: Failed to generate temporary " -- "%d bit RSA private key", bits); -- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); -- return !OK; -- } --#endif -- -- return OK; --} -- --static int ssl_tmp_key_init_dh(server_rec *s, -- int bits, int idx) --{ -- SSLModConfigRec *mc = myModConfig(s); -- --#ifdef HAVE_FIPS -- -- if (FIPS_mode() && bits < 1024) { -- mc->pTmpKeys[idx] = NULL; -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01880) -- "Init: Skipping generating temporary " -- "%d bit DH parameters in FIPS mode", bits); -- return OK; -- } -- --#endif -- -- if (!(mc->pTmpKeys[idx] = -- ssl_dh_GetTmpParam(bits))) -- { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01881) -- "Init: Failed to generate temporary " -- "%d bit DH parameters", bits); -- return !OK; -- } -- -- return OK; --} -- --#ifndef OPENSSL_NO_EC --static int ssl_tmp_key_init_ec(server_rec *s, -- int bits, int idx) --{ -- SSLModConfigRec *mc = myModConfig(s); -- EC_KEY *ecdh = NULL; -- -- /* XXX: Are there any FIPS constraints we should enforce? */ -- -- if (bits != 256) { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298) -- "Init: Failed to generate temporary " -- "%d bit EC parameters, only 256 bits supported", bits); -- return !OK; -- } -- -- if ((ecdh = EC_KEY_new()) == NULL || -- EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1) -- { -- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299) -- "Init: Failed to generate temporary " -- "%d bit EC parameters", bits); -- return !OK; -- } -- -- mc->pTmpKeys[idx] = ecdh; -- return OK; --} -- --#define MODSSL_TMP_KEY_INIT_EC(s, bits) \ -- ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits) -- --#endif -- --#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \ -- ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits) -- --#define MODSSL_TMP_KEY_INIT_DH(s, bits) \ -- ssl_tmp_key_init_dh(s, bits, SSL_TMP_KEY_DH_##bits) -- --static int ssl_tmp_keys_init(server_rec *s) --{ -- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, -- "Init: Generating temporary RSA private keys (512/1024 bits)"); -- -- if (MODSSL_TMP_KEY_INIT_RSA(s, 512) || -- MODSSL_TMP_KEY_INIT_RSA(s, 1024)) { -- return !OK; -- } -- -- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, -- "Init: Generating temporary DH parameters (512/1024 bits)"); -- -- if (MODSSL_TMP_KEY_INIT_DH(s, 512) || -- MODSSL_TMP_KEY_INIT_DH(s, 1024)) { -- return !OK; -- } -- --#ifndef OPENSSL_NO_EC -- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, -- "Init: Generating temporary EC parameters (256 bits)"); -- -- if (MODSSL_TMP_KEY_INIT_EC(s, 256)) { -- return !OK; -- } --#endif -- -- return OK; --} -- - /* - * Per-module initialization - */ -@@ -367,10 +193,6 @@ int ssl_init_Module(apr_pool_t *p, apr_p - */ - ssl_pphrase_Handle(base_server, ptemp); - -- if (ssl_tmp_keys_init(base_server)) { -- return !OK; -- } -- - /* - * initialize the mutex handling - */ -@@ -481,7 +303,7 @@ static void ssl_init_server_check(server - */ - if (mctx->pks->certs[SSL_AIDX_RSA] || - mctx->pks->certs[SSL_AIDX_DSA] --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - || mctx->pks->certs[SSL_AIDX_ECC] - #endif - ) -@@ -493,7 +315,7 @@ static void ssl_init_server_check(server - } - } - --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - static void ssl_init_ctx_tls_extensions(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -527,7 +349,7 @@ static void ssl_init_ctx_tls_extensions( - } - #endif - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - /* - * TLS-SRP support - */ -@@ -660,7 +482,7 @@ static void ssl_init_ctx_protocol(server - #ifdef SSL_OP_NO_COMPRESSION - /* OpenSSL >= 1.0 only */ - SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); --#elif OPENSSL_VERSION_NUMBER >= 0x00908000L -+#else - sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); - #endif - } -@@ -678,6 +500,9 @@ static void ssl_init_ctx_protocol(server - * Configure additional context ingredients - */ - SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); -+#ifdef HAVE_ECC -+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); -+#endif - - #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION - /* -@@ -718,11 +543,7 @@ static void ssl_init_ctx_callbacks(serve - { - SSL_CTX *ctx = mctx->ssl_ctx; - -- SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); - SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); --#ifndef OPENSSL_NO_EC -- SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH); --#endif - - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); - } -@@ -818,14 +639,16 @@ static void ssl_init_ctx_cipher_suite(se - modssl_ctx_t *mctx) - { - SSL_CTX *ctx = mctx->ssl_ctx; -- const char *suite = mctx->auth.cipher_suite; -+ const char *suite; - - /* -- * Configure SSL Cipher Suite -+ * Configure SSL Cipher Suite. Always disable NULL and export ciphers, -+ * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite(). -+ * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL, -+ * so only prepend !EXP in this case. - */ -- if (!suite) { -- return; -- } -+ suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite : -+ apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL); - - ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, - "Configuring permitted SSL ciphers [%s]", -@@ -988,7 +811,7 @@ static void ssl_init_ctx(server_rec *s, - if (mctx->pks) { - /* XXX: proxy support? */ - ssl_init_ctx_cert_chain(s, p, ptemp, mctx); --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); - #endif - } -@@ -1001,7 +824,7 @@ static int ssl_server_import_cert(server - { - SSLModConfigRec *mc = myModConfig(s); - ssl_asn1_t *asn1; -- MODSSL_D2I_X509_CONST unsigned char *ptr; -+ const unsigned char *ptr; - const char *type = ssl_asn1_keystr(idx); - X509 *cert; - -@@ -1048,12 +871,12 @@ static int ssl_server_import_key(server_ - { - SSLModConfigRec *mc = myModConfig(s); - ssl_asn1_t *asn1; -- MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; -+ const unsigned char *ptr; - const char *type = ssl_asn1_keystr(idx); - int pkey_type; - EVP_PKEY *pkey; - --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - if (idx == SSL_AIDX_ECC) - pkey_type = EVP_PKEY_EC; - else -@@ -1157,30 +980,34 @@ static void ssl_init_server_certs(server - modssl_ctx_t *mctx) - { - const char *rsa_id, *dsa_id; --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - const char *ecc_id; -+ EC_GROUP *ecparams; -+ int nid; -+ EC_KEY *eckey; - #endif - const char *vhost_id = mctx->sc->vhost_id; - int i; - int have_rsa, have_dsa; --#ifndef OPENSSL_NO_EC -+ DH *dhparams; -+#ifdef HAVE_ECC - int have_ecc; - #endif - - rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); - dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); - #endif - - have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); - have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); - #endif - - if (!(have_rsa || have_dsa --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - || have_ecc - #endif - )) { -@@ -1196,12 +1023,12 @@ static void ssl_init_server_certs(server - - have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); - have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); - #endif - - if (!(have_rsa || have_dsa --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - || have_ecc - #endif - )) { -@@ -1209,6 +1036,40 @@ static void ssl_init_server_certs(server - "Oops, no " KEYTYPES " server private key found?!"); - ssl_die(s); - } -+ -+ /* -+ * Try to read DH parameters from the (first) SSLCertificateFile -+ */ -+ if ((mctx->pks->cert_files[0] != NULL) && -+ (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) { -+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) -+ "Custom DH parameters (%d bits) for %s loaded from %s", -+ BN_num_bits(dhparams->p), vhost_id, -+ mctx->pks->cert_files[0]); -+ } -+ -+#ifdef HAVE_ECC -+ /* -+ * Similarly, try to read the ECDH curve name from SSLCertificateFile... -+ */ -+ if ((mctx->pks->cert_files[0] != NULL) && -+ (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) && -+ (nid = EC_GROUP_get_curve_name(ecparams)) && -+ (eckey = EC_KEY_new_by_curve_name(nid))) { -+ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541) -+ "ECDH curve %s for %s specified in %s", -+ OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]); -+ } -+ /* -+ * ...otherwise, configure NIST P-256 (required to enable ECDHE) -+ */ -+ else { -+ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, -+ EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); -+ } -+#endif - } - - #ifdef HAVE_TLS_SESSION_TICKETS -@@ -1516,7 +1377,7 @@ void ssl_init_CheckServers(server_rec *b - klen = strlen(key); - - if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { --#ifdef OPENSSL_NO_TLSEXT -+#ifndef HAVE_TLSEXT - int level = APLOG_WARNING; - const char *problem = "conflict"; - #else -@@ -1540,7 +1401,7 @@ void ssl_init_CheckServers(server_rec *b - } - - if (conflict) { --#ifdef OPENSSL_NO_TLSEXT -+#ifndef HAVE_TLSEXT - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) - "Init: You should not use name-based " - "virtual hosts in conjunction with SSL!!"); -@@ -1689,7 +1550,7 @@ static void ssl_init_ctx_cleanup(modssl_ - { - MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx); - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - if (mctx->srp_vbase != NULL) { - SRP_VBASE_free(mctx->srp_vbase); - mctx->srp_vbase = NULL; -@@ -1745,11 +1606,6 @@ apr_status_t ssl_init_ModuleKill(void *d - ssl_scache_kill(base_server); - - /* -- * Destroy the temporary keys and params -- */ -- ssl_tmp_keys_free(base_server); -- -- /* - * Free the non-pool allocated structures - * in the per-server configurations - */ ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_io.c -+++ httpd-2.4.6/modules/ssl/ssl_engine_io.c -@@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh - - server = sslconn->server; - if (sslconn->is_proxy) { --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - apr_ipsubnet_t *ip; - #endif - const char *hostname_note = apr_table_get(c->notes, -@@ -1068,7 +1068,7 @@ static apr_status_t ssl_io_filter_handsh - BOOL proxy_ssl_check_peer_ok = TRUE; - sc = mySrvConfig(server); - --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - /* - * Enable SNI for backend requests. Make sure we don't do it for - * pure SSLv3 connections, and also prevent IP addresses ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_kernel.c -+++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c -@@ -32,7 +32,7 @@ - #include "util_md5.h" - - static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); - #endif - -@@ -119,7 +119,7 @@ int ssl_hook_ReadReq(request_rec *r) - SSLSrvConfigRec *sc = mySrvConfig(r->server); - SSLConnRec *sslconn; - const char *upgrade; --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - const char *servername; - #endif - SSL *ssl; -@@ -162,7 +162,7 @@ int ssl_hook_ReadReq(request_rec *r) - if (!ssl) { - return DECLINED; - } --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { - char *host, *scope_id; - apr_port_t port; -@@ -329,7 +329,7 @@ int ssl_hook_Access(request_rec *r) - return DECLINED; - } - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - /* - * Support for per-directory reconfigured SSL connection parameters - * -@@ -1101,7 +1101,7 @@ static const char *ssl_hook_Fixup_vars[] - "SSL_SERVER_A_SIG", - "SSL_SESSION_ID", - "SSL_SESSION_RESUMED", --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - "SSL_SRP_USER", - "SSL_SRP_USERINFO", - #endif -@@ -1115,7 +1115,7 @@ int ssl_hook_Fixup(request_rec *r) - SSLDirConfigRec *dc = myDirConfig(r); - apr_table_t *env = r->subprocess_env; - char *var, *val = ""; --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - const char *servername; - #endif - STACK_OF(X509) *peer_certs; -@@ -1144,7 +1144,7 @@ int ssl_hook_Fixup(request_rec *r) - /* the always present HTTPS (=HTTP over SSL) flag! */ - apr_table_setn(env, "HTTPS", "on"); - --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - /* add content of SNI TLS extension (if supplied with ClientHello) */ - if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { - apr_table_set(env, "SSL_TLS_SNI", servername); -@@ -1287,117 +1287,70 @@ const authz_provider ssl_authz_provider_ - */ - - /* -- * Handle out temporary RSA private keys on demand -- * -- * The background of this as the TLSv1 standard explains it: -- * -- * | D.1. Temporary RSA keys -- * | -- * | US Export restrictions limit RSA keys used for encryption to 512 -- * | bits, but do not place any limit on lengths of RSA keys used for -- * | signing operations. Certificates often need to be larger than 512 -- * | bits, since 512-bit RSA keys are not secure enough for high-value -- * | transactions or for applications requiring long-term security. Some -- * | certificates are also designated signing-only, in which case they -- * | cannot be used for key exchange. -- * | -- * | When the public key in the certificate cannot be used for encryption, -- * | the server signs a temporary RSA key, which is then exchanged. In -- * | exportable applications, the temporary RSA key should be the maximum -- * | allowable length (i.e., 512 bits). Because 512-bit RSA keys are -- * | relatively insecure, they should be changed often. For typical -- * | electronic commerce applications, it is suggested that keys be -- * | changed daily or every 500 transactions, and more often if possible. -- * | Note that while it is acceptable to use the same temporary key for -- * | multiple transactions, it must be signed each time it is used. -- * | -- * | RSA key generation is a time-consuming process. In many cases, a -- * | low-priority process can be assigned the task of key generation. -- * | Whenever a new key is completed, the existing temporary key can be -- * | replaced with the new one. -- * -- * XXX: base on comment above, if thread support is enabled, -- * we should spawn a low-priority thread to generate new keys -- * on the fly. -- * -- * So we generated 512 and 1024 bit temporary keys on startup -- * which we now just hand out on demand.... -+ * Grab well-defined DH parameters from OpenSSL, see -+ * (get_rfc*) for all available primes. - */ -- --RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) --{ -- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -- SSLModConfigRec *mc = myModConfigFromConn(c); -- int idx; -- -- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, -- "handing out temporary %d bit RSA key", keylen); -- -- /* doesn't matter if export flag is on, -- * we won't be asked for keylen > 512 in that case. -- * if we are asked for a keylen > 1024, it is too expensive -- * to generate on the fly. -- * XXX: any reason not to generate 2048 bit keys at startup? -- */ -- -- switch (keylen) { -- case 512: -- idx = SSL_TMP_KEY_RSA_512; -- break; -- -- case 1024: -- default: -- idx = SSL_TMP_KEY_RSA_1024; -- } -- -- return (RSA *)mc->pTmpKeys[idx]; -+#define make_get_dh(rfc,size,gen) \ -+static DH *get_dh##size(void) \ -+{ \ -+ DH *dh; \ -+ if (!(dh = DH_new())) { \ -+ return NULL; \ -+ } \ -+ dh->p = get_##rfc##_prime_##size(NULL); \ -+ BN_dec2bn(&dh->g, #gen); \ -+ if (!dh->p || !dh->g) { \ -+ DH_free(dh); \ -+ return NULL; \ -+ } \ -+ return dh; \ - } - - /* -- * Hand out the already generated DH parameters... -+ * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments -+ */ -+make_get_dh(rfc2409, 1024, 2) -+make_get_dh(rfc3526, 2048, 2) -+make_get_dh(rfc3526, 3072, 2) -+make_get_dh(rfc3526, 4096, 2) -+ -+/* -+ * Hand out standard DH parameters, based on the authentication strength - */ - DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) - { - conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -- SSLModConfigRec *mc = myModConfigFromConn(c); -- int idx; -- -- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, -- "handing out temporary %d bit DH key", keylen); -+ EVP_PKEY *pkey = SSL_get_privatekey(ssl); -+ int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; - -- switch (keylen) { -- case 512: -- idx = SSL_TMP_KEY_DH_512; -- break; -- -- case 1024: -- default: -- idx = SSL_TMP_KEY_DH_1024; -+ /* -+ * OpenSSL will call us with either keylen == 512 or keylen == 1024 -+ * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h). -+ * Adjust the DH parameter length according to the size of the -+ * RSA/DSA private key used for the current connection, and always -+ * use at least 1024-bit parameters. -+ * Note: This may cause interoperability issues with implementations -+ * which limit their DH support to 1024 bit - e.g. Java 7 and earlier. -+ * In this case, SSLCertificateFile can be used to specify fixed -+ * 1024-bit DH parameters (with the effect that OpenSSL skips this -+ * callback). -+ */ -+ if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) { -+ keylen = EVP_PKEY_bits(pkey); - } - -- return (DH *)mc->pTmpKeys[idx]; --} -- --#ifndef OPENSSL_NO_EC --EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen) --{ -- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -- SSLModConfigRec *mc = myModConfigFromConn(c); -- int idx; -- -- /* XXX Uses 256-bit key for now. TODO: support other sizes. */ - ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, -- "handing out temporary 256 bit ECC key"); -+ "handing out built-in DH parameters for %d-bit authenticated connection", keylen); - -- switch (keylen) { -- case 256: -- default: -- idx = SSL_TMP_KEY_EC_256; -- } -- -- return (EC_KEY *)mc->pTmpKeys[idx]; -+ if (keylen >= 4096) -+ return get_dh4096(); -+ else if (keylen >= 3072) -+ return get_dh3072(); -+ else if (keylen >= 2048) -+ return get_dh2048(); -+ else -+ return get_dh1024(); - } --#endif - - /* - * This OpenSSL callback function is called when OpenSSL -@@ -1938,7 +1891,7 @@ void ssl_callback_Info(const SSL *ssl, i - } - } - --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - /* - * This callback function is executed when OpenSSL encounters an extended - * client hello with a server name indication extension ("SNI", cf. RFC 4366). -@@ -2089,7 +2042,7 @@ static int ssl_find_vhost(void *serverna - - return 0; - } --#endif /* OPENSSL_NO_TLSEXT */ -+#endif /* HAVE_TLSEXT */ - - #ifdef HAVE_TLS_SESSION_TICKETS - /* -@@ -2161,7 +2114,7 @@ int ssl_callback_SessionTicket(SSL *ssl, - } - #endif /* HAVE_TLS_SESSION_TICKETS */ - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - - int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) - { -@@ -2185,4 +2138,4 @@ int ssl_callback_SRPServerParams(SSL *ss - return SSL_ERROR_NONE; - } - --#endif /* OPENSSL_NO_SRP */ -+#endif /* HAVE_SRP */ ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_pphrase.c -+++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c -@@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966) - "Init: Failed to create pass phrase pipe '%s'", - sc->server->pphrase_dialog_path); -- PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); -+ PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); - memset(buf, 0, (unsigned int)bufsize); - return (-1); - } -@@ -718,7 +718,7 @@ int ssl_pphrase_Handle_CB(char *buf, int - } - else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ - #ifdef WIN32 -- PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); -+ PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); - memset(buf, 0, (unsigned int)bufsize); - return (-1); - #else -@@ -769,7 +769,7 @@ int ssl_pphrase_Handle_CB(char *buf, int - i = EVP_read_pw_string(buf, bufsize, "", FALSE); - } - if (i != 0) { -- PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); -+ PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); - memset(buf, 0, (unsigned int)bufsize); - return (-1); - } ---- httpd-2.4.6.orig/modules/ssl/ssl_engine_vars.c -+++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c -@@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool - else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { - result = ssl_var_lookup_ssl_compress_meth(ssl); - } --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { - result = apr_pstrdup(p, SSL_get_servername(ssl, - TLSEXT_NAMETYPE_host_name)); -@@ -395,7 +395,7 @@ static char *ssl_var_lookup_ssl(apr_pool - #endif - result = apr_pstrdup(p, flag ? "true" : "false"); - } --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - else if (ssl != NULL && strcEQ(var, "SRP_USER")) { - if ((result = SSL_get_srp_username(ssl)) != NULL) { - result = apr_pstrdup(p, result); -@@ -879,7 +879,7 @@ void modssl_var_extract_dns(apr_table_t - * success and writes the string to the given bio. */ - static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) - { -- MODSSL_D2I_ASN1_type_bytes_CONST unsigned char *pp = str->data; -+ const unsigned char *pp = str->data; - ASN1_STRING *ret = ASN1_STRING_new(); - int rv = 0; - -@@ -975,7 +975,7 @@ apr_array_header_t *ssl_ext_list(apr_poo - static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) - { - char *result = "NULL"; --#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP) -+#ifndef OPENSSL_NO_COMP - SSL_SESSION *pSession = SSL_get_session(ssl); - - if (pSession) { ---- httpd-2.4.6.orig/modules/ssl/ssl_private.h -+++ httpd-2.4.6/modules/ssl/ssl_private.h -@@ -105,65 +105,55 @@ - #include - #endif - --#if (OPENSSL_VERSION_NUMBER < 0x0090700f) --#error mod_ssl requires OpenSSL 0.9.7 or later --#endif -- --/* ...shifting sands of OpenSSL... */ --#if (OPENSSL_VERSION_NUMBER >= 0x0090707f) --#define MODSSL_D2I_SSL_SESSION_CONST const --#else --#define MODSSL_D2I_SSL_SESSION_CONST --#endif -- --#if (OPENSSL_VERSION_NUMBER >= 0x00908000) --#define HAVE_GENERATE_EX --#define MODSSL_D2I_ASN1_type_bytes_CONST const --#define MODSSL_D2I_PrivateKey_CONST const --#define MODSSL_D2I_X509_CONST const --#else --#define MODSSL_D2I_ASN1_type_bytes_CONST --#define MODSSL_D2I_PrivateKey_CONST --#define MODSSL_D2I_X509_CONST --#endif -- --#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \ -- && !defined(OPENSSL_NO_TLSEXT) --#define HAVE_OCSP_STAPLING --#if (OPENSSL_VERSION_NUMBER < 0x10000000) --#define sk_OPENSSL_STRING_pop sk_pop --#endif --#endif -- --#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS) --#define HAVE_FIPS -+#if (OPENSSL_VERSION_NUMBER < 0x0090801f) -+#error mod_ssl requires OpenSSL 0.9.8a or later - #endif - -+/** -+ * ...shifting sands of OpenSSL... -+ * Note: when adding support for new OpenSSL features, avoid explicit -+ * version number checks whenever possible, and use "feature-based" -+ * detection instead (check for definitions of constants or functions) -+ */ - #if (OPENSSL_VERSION_NUMBER >= 0x10000000) - #define MODSSL_SSL_CIPHER_CONST const - #define MODSSL_SSL_METHOD_CONST const - #else - #define MODSSL_SSL_CIPHER_CONST - #define MODSSL_SSL_METHOD_CONST --/* ECC support came along in OpenSSL 1.0.0 */ --#define OPENSSL_NO_EC - #endif - --#ifndef PEM_F_DEF_CALLBACK --#ifdef PEM_F_PEM_DEF_CALLBACK --/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ --#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK -+#if defined(OPENSSL_FIPS) -+#define HAVE_FIPS - #endif -+ -+#if defined(SSL_OP_NO_TLSv1_2) -+#define HAVE_TLSV1_X - #endif - --#ifndef OPENSSL_NO_TLSEXT --#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME --#define OPENSSL_NO_TLSEXT -+/** -+ * The following features all depend on TLS extension support. -+ * Within this block, check again for features (not version numbers). -+ */ -+#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) -+ -+#define HAVE_TLSEXT -+ -+/* ECC: make sure we have at least 1.0.0 */ -+#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) -+#define HAVE_ECC -+#endif -+ -+/* OCSP stapling */ -+#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) -+#define HAVE_OCSP_STAPLING -+#ifndef sk_OPENSSL_STRING_pop -+#define sk_OPENSSL_STRING_pop sk_pop - #endif - #endif - --#ifndef OPENSSL_NO_TLSEXT --#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB -+/* TLS session tickets */ -+#if defined(SSL_CTX_set_tlsext_ticket_key_cb) - #define HAVE_TLS_SESSION_TICKETS - #define TLSEXT_TICKET_KEY_LEN 48 - #ifndef tlsext_tick_md -@@ -174,26 +164,15 @@ - #endif - #endif - #endif --#endif - --#ifdef SSL_OP_NO_TLSv1_2 --#define HAVE_TLSV1_X --#endif -- --#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ -- && OPENSSL_VERSION_NUMBER < 0x00908000L --#define OPENSSL_NO_COMP --#endif -- --/* SRP support came in OpenSSL 1.0.1 */ --#ifndef OPENSSL_NO_SRP --#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB -+/* Secure Remote Password */ -+#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB) -+#define HAVE_SRP - #include --#else --#define OPENSSL_NO_SRP --#endif - #endif - -+#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ -+ - /* mod_ssl headers */ - #include "ssl_util_ssl.h" - -@@ -287,7 +266,7 @@ typedef int ssl_algo_t; - #define SSL_ALGO_UNKNOWN (0) - #define SSL_ALGO_RSA (1<<0) - #define SSL_ALGO_DSA (1<<1) --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - #define SSL_ALGO_ECC (1<<2) - #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) - #else -@@ -296,29 +275,13 @@ typedef int ssl_algo_t; - - #define SSL_AIDX_RSA (0) - #define SSL_AIDX_DSA (1) --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - #define SSL_AIDX_ECC (2) - #define SSL_AIDX_MAX (3) - #else - #define SSL_AIDX_MAX (2) - #endif - -- --/** -- * Define IDs for the temporary RSA keys and DH params -- */ -- --#define SSL_TMP_KEY_RSA_512 (0) --#define SSL_TMP_KEY_RSA_1024 (1) --#define SSL_TMP_KEY_DH_512 (2) --#define SSL_TMP_KEY_DH_1024 (3) --#ifndef OPENSSL_NO_EC --#define SSL_TMP_KEY_EC_256 (4) --#define SSL_TMP_KEY_MAX (5) --#else --#define SSL_TMP_KEY_MAX (4) --#endif -- - /** - * Define the SSL options - */ -@@ -534,7 +497,6 @@ typedef struct { - apr_global_mutex_t *pMutex; - apr_array_header_t *aRandSeed; - apr_hash_t *tVHostKeys; -- void *pTmpKeys[SSL_TMP_KEY_MAX]; - - /* Two hash tables of pointers to ssl_asn1_t structures. The - * structures are used to store certificates and private keys -@@ -656,7 +618,7 @@ typedef struct { - const char *stapling_force_url; - #endif - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - char *srp_vfile; - char *srp_unknown_user_seed; - SRP_VBASE *srp_vbase; -@@ -688,7 +650,7 @@ struct SSLSrvConfigRec { - ssl_enabled_t proxy_ssl_check_peer_expire; - ssl_enabled_t proxy_ssl_check_peer_cn; - ssl_enabled_t proxy_ssl_check_peer_name; --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - ssl_enabled_t strict_sni_vhost_check; - #endif - #ifdef HAVE_FIPS -@@ -792,7 +754,7 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg - const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); - const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); - --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); - const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); - #endif -@@ -823,11 +785,7 @@ extern const authz_provider ssl_authz_pr - extern const authz_provider ssl_authz_provider_verify_client; - - /** OpenSSL callbacks */ --RSA *ssl_callback_TmpRSA(SSL *, int, int); - DH *ssl_callback_TmpDH(SSL *, int, int); --#ifndef OPENSSL_NO_EC --EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); --#endif - int ssl_callback_SSLVerify(int, X509_STORE_CTX *); - int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); - int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); -@@ -835,7 +793,7 @@ int ssl_callback_NewSessionCach - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); - void ssl_callback_Info(const SSL *, int, int); --#ifndef OPENSSL_NO_TLSEXT -+#ifdef HAVE_TLSEXT - int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); - #endif - #ifdef HAVE_TLS_SESSION_TICKETS -@@ -873,7 +831,7 @@ void modssl_init_stapling(server - void ssl_stapling_ex_init(void); - int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); - #endif --#ifndef OPENSSL_NO_SRP -+#ifdef HAVE_SRP - int ssl_callback_SRPServerParams(SSL *, int *, void *); - #endif - -@@ -906,8 +864,10 @@ int ssl_init_ssl_connection(con - void ssl_pphrase_Handle(server_rec *, apr_pool_t *); - - /** Diffie-Hellman Parameter Support */ --DH *ssl_dh_GetTmpParam(int); --DH *ssl_dh_GetParamFromFile(char *); -+DH *ssl_dh_GetParamFromFile(const char *); -+#ifdef HAVE_ECC -+EC_GROUP *ssl_ec_GetParamFromFile(const char *); -+#endif - - unsigned char *ssl_asn1_table_set(apr_hash_t *table, - const char *key, ---- httpd-2.4.6.orig/modules/ssl/ssl_scache.c -+++ httpd-2.4.6/modules/ssl/ssl_scache.c -@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_ - SSLModConfigRec *mc = myModConfig(s); - unsigned char dest[SSL_SESSION_MAX_DER]; - unsigned int destlen = SSL_SESSION_MAX_DER; -- MODSSL_D2I_SSL_SESSION_CONST unsigned char *ptr; -+ const unsigned char *ptr; - apr_status_t rv; - - if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) { ---- httpd-2.4.6.orig/modules/ssl/ssl_util.c -+++ httpd-2.4.6/modules/ssl/ssl_util.c -@@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe - case EVP_PKEY_DSA: - t = SSL_ALGO_DSA; - break; --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - case EVP_PKEY_EC: - t = SSL_ALGO_ECC; - break; -@@ -177,7 +177,7 @@ char *ssl_util_algotypestr(ssl_algo_t t) - case SSL_ALGO_DSA: - cp = "DSA"; - break; --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - case SSL_ALGO_ECC: - cp = "ECC"; - break; -@@ -253,7 +253,7 @@ void ssl_asn1_table_unset(apr_hash_t *ta - apr_hash_set(table, key, klen, NULL); - } - --#ifndef OPENSSL_NO_EC -+#ifdef HAVE_ECC - static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; - #else - static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; ---- httpd-2.4.6.orig/modules/ssl/ssl_util_ssl.c -+++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c -@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t - - /* _________________________________________________________________ - ** -+** Custom (EC)DH parameter support -+** _________________________________________________________________ -+*/ -+ -+DH *ssl_dh_GetParamFromFile(const char *file) -+{ -+ DH *dh = NULL; -+ BIO *bio; -+ -+ if ((bio = BIO_new_file(file, "r")) == NULL) -+ return NULL; -+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ return (dh); -+} -+ -+#ifdef HAVE_ECC -+EC_GROUP *ssl_ec_GetParamFromFile(const char *file) -+{ -+ EC_GROUP *group = NULL; -+ BIO *bio; -+ -+ if ((bio = BIO_new_file(file, "r")) == NULL) -+ return NULL; -+ group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ return (group); -+} -+#endif -+ -+/* _________________________________________________________________ -+** - ** Extra Server Certificate Chain Support - ** _________________________________________________________________ - */