- fix installation of (moved) man pages

- adjusted SSL template/default config for upstream changes, and added MaxRanges example to apache2-server-tuning.conf OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=359
2012-02-18 21:19:08 +00:00 · 2012-02-18 21:19:08 +00:00 · 8877af9243
commit 8877af9243
parent 61c26886ee
6 changed files with 82 additions and 60 deletions
--- a/apache2-default-vhost-ssl.conf
+++ b/apache2-default-vhost-ssl.conf
@ -36,17 +36,17 @@
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

-    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
-    SSLProtocol all -SSLv2 -SSLv3
-
+    #   SSL Protocol support:
+    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
+    #   List the protocol versions which clients are allowed to
+    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
+    SSLProtocol all -SSLv2
+    
    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #
-        #   formerly, this was set to the following:
-    #   ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-    #
-    #   We now disable weak ciphers by default.
+    #   Weak ciphers are disabled by default.
    #   Please see the documentation via the links above, and
    #   "openssl ciphers -v" for a complete list of ciphers that are
    #   available.
@ -58,8 +58,21 @@
    # For more information, please have a look at
    # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
    # package.
-    SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
-
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+    
+    #   Speed-optimized SSL Cipher configuration:
+    #   If speed is your main concern (on busy HTTPS servers e.g.),
+    #   you might want to force clients to specific, performance
+    #   optimized ciphers. In this case, prepend those ciphers
+    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+    #   (as in the example below), most connections will no longer
+    #   have perfect forward secrecy - if the server's key is
+    #   compromised, captures of past or future traffic must be
+    #   considered compromised, too.
+    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+    #SSLHonorCipherOrder on 
+    
    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
@ -150,10 +163,6 @@
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
-    #   o CompatEnvVars:
-    #     This exports obsolete environment variables for backward compatibility
-    #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-    #     to provide compatibility to existing CGI scripts.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
@ -161,15 +170,15 @@
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context. 
-    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
-	SSLOptions +StdEnvVars
-    </Files>
-
+    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+    </FilesMatch>
+    
    <Directory "/srv/www/cgi-bin">
-	SSLOptions +StdEnvVars
+    SSLOptions +StdEnvVars
    </Directory>
-
+    
    <Directory "/srv/www/htdocs">
 	AllowOverride None
 	#Options +Indexes +MultiViews +FollowSymLinks
@ -218,13 +227,10 @@
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
-    #   remark: The below configuration snippet is here for illustration purposes.
-    #           Browser specific deficiencies exist, but generally all of them
-    #           should handle SSL/TLS encapsulated connections well.
-    #SetEnvIf User-Agent ".*MSIE.*" \
-    #	 nokeepalive ssl-unclean-shutdown \
-    #	 downgrade-1.0 force-response-1.0
-
+    BrowserMatch "MSIE [2-5]" \
+             nokeepalive ssl-unclean-shutdown \
+             downgrade-1.0 force-response-1.0
+    
    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
--- a/apache2-server-tuning.conf
+++ b/apache2-server-tuning.conf
@ -90,6 +90,13 @@ MaxKeepAliveRequests 100
 #
 KeepAliveTimeout 15

+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
 #
 # EnableMMAP: Control whether memory-mapping is used to deliver
 # files (assuming that the underlying OS supports it).
--- a/apache2-ssl-global.conf
+++ b/apache2-ssl-global.conf
@ -46,14 +46,12 @@
 	#SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
 	#SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
 	SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
-	SSLSessionCacheTimeout  600
+	SSLSessionCacheTimeout  300

-	#   This configures the SSL engine's semaphore (aka. lock) which is
-	#   used for mutual exclusion of operations which have to be done in a
-	#   synchronized way between the pre-forked Apache server processes.
-	#   "default" tells the SSL Module to pick the default locking
-	#   implementation as determined by the platform and APR.
-	SSLMutex  default
+	#   Semaphore:
+	#   Configure the path to the mutual exclusion semaphore the
+	#   SSL engine uses internally for inter-process synchronization. 
+	SSLMutex  "file:/var/lib/apache2/ssl_mutex"

 	#   Pseudo Random Number Generator (PRNG):
 	#   Configure one or more sources to seed the PRNG of the 
--- a/apache2-vhost-ssl.template
+++ b/apache2-vhost-ssl.template
@ -40,14 +40,25 @@

 	#  SSL protocols
 	#  Supporting TLS only is adequate nowadays
-	SSLProtocol all -SSLv2 -SSLv3
+	SSLProtocol all -SSLv2

 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
-	#   We disable weak ciphers by default.
-	#   See the mod_ssl documentation or "openssl ciphers -v" for a
-	#   complete list.
-	SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+	#   See the mod_ssl documentation for a complete list.
+	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+	#   Speed-optimized SSL Cipher configuration:
+	#   If speed is your main concern (on busy HTTPS servers e.g.),
+	#   you might want to force clients to specific, performance
+	#   optimized ciphers. In this case, prepend those ciphers
+	#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+	#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+	#   (as in the example below), most connections will no longer
+	#   have perfect forward secrecy - if the server's key is
+	#   compromised, captures of past or future traffic must be
+	#   considered compromised, too.
+	#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+	#SSLHonorCipherOrder on 

 	#   Server Certificate:
 	#   Point SSLCertificateFile at a PEM encoded certificate.  If
@ -139,10 +150,6 @@
 	#     because the extraction step is an expensive operation and is usually
 	#     useless for serving static content. So one usually enables the
 	#     exportation for CGI and SSI requests only.
-	#   o CompatEnvVars:
-	#     This exports obsolete environment variables for backward compatibility
-	#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-	#     to provide compatibility to existing CGI scripts.
 	#   o StrictRequire:
 	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 	#     under a "Satisfy any" situation, i.e. when it applies access is denied
@ -150,10 +157,10 @@
 	#   o OptRenegotiate:
 	#     This enables optimized SSL connection renegotiation handling when SSL
 	#     directives are used in per-directory context. 
-	#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 	    SSLOptions +StdEnvVars
-	</Files>
+	</FilesMatch>
 	<Directory "/srv/www/cgi-bin">
 	    SSLOptions +StdEnvVars
 	</Directory>
@ -182,7 +189,7 @@
 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	#   "force-response-1.0" for this.
-	SetEnvIf User-Agent ".*MSIE [1-5].*" \
+	BrowserMatch "MSIE [2-5]" \
 		 nokeepalive ssl-unclean-shutdown \
 		 downgrade-1.0 force-response-1.0

--- a/apache2.changes
+++ b/apache2.changes
@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Sat Feb 18 16:24:35 UTC 2012 - poeml@cmdline.net
+Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net

 - update to 2.2.22
  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
@ -43,6 +43,9 @@ Sat Feb 18 16:24:35 UTC 2012 - poeml@cmdline.net
  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
     of "0"). 
  *) mod_substitute: Fix buffer overrun. 
+- adjusted SSL template/default config for upstream changes, and added
+  MaxRanges example to apache2-server-tuning.conf
+- fixed installation of (moved) man pages

 -------------------------------------------------------------------
 Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com
--- a/apache2.spec
+++ b/apache2.spec
@ -852,10 +852,10 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %defattr(-,root,root)
 %doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES
 %doc support/SHA1
-%doc %{_mandir}/man8/apachectl%{vers}.8.*
-%doc %{_mandir}/man8/htcacheclean%{vers}.8.*
-%doc %{_mandir}/man8/%{httpd}.8.*
-%doc %{_mandir}/man8/apxs%{vers}.8.*
+%doc %{_mandir}/man?/apachectl%{vers}.?.*
+%doc %{_mandir}/man?/htcacheclean%{vers}.?.*
+%doc %{_mandir}/man?/%{httpd}.?.*
+%doc %{_mandir}/man?/apxs%{vers}.?.*
 %doc robots.txt
 %doc printenv
 %doc test-cgi
@ -978,14 +978,15 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .

 %files utils
 %defattr(-,root,root)
-%doc %{_mandir}/man8/ab%{vers}.8.*
-%doc %{_mandir}/man1/dbmmanage%{vers}.1.*
-%doc %{_mandir}/man1/htdbm%{vers}.1.*
-%doc %{_mandir}/man1/htdigest%{vers}.1.*
-%doc %{_mandir}/man1/htpasswd%{vers}.1.*
-%doc %{_mandir}/man8/logresolve%{vers}.8.*
-%doc %{_mandir}/man8/rotatelogs%{vers}.8.*
-%doc %{_mandir}/man8/suexec%{vers}.8.*
+%doc %{_mandir}/man?/ab%{vers}.?.*
+%doc %{_mandir}/man?/dbmmanage%{vers}.?.*
+%doc %{_mandir}/man?/htdbm%{vers}.?.*
+%doc %{_mandir}/man?/htdigest%{vers}.?.*
+%doc %{_mandir}/man?/htpasswd%{vers}.?.*
+%doc %{_mandir}/man?/httxt2dbm%{vers}.?.*
+%doc %{_mandir}/man?/logresolve%{vers}.?.*
+%doc %{_mandir}/man?/rotatelogs%{vers}.?.*
+%doc %{_mandir}/man?/suexec%{vers}.?.*
 %{_bindir}/check_forensic%{vers}
 %{_bindir}/dbmmanage%{vers}
 %{_bindir}/gensslcert