- fix installation of (moved) man pages

- adjusted SSL template/default config for upstream changes, and added
  MaxRanges example to apache2-server-tuning.conf

OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=359

apache2-default-vhost-ssl.conf

@@ -36,17 +36,17 @@
     #   Enable/Disable SSL for this virtual host.
     SSLEngine on
 
-    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
+    #   SSL Protocol support:
-    SSLProtocol all -SSLv2 -SSLv3
+    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
+    #   List the protocol versions which clients are allowed to
+    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
+    SSLProtocol all -SSLv2
     
     #   SSL Cipher Suite:
     #   List the ciphers that the client is permitted to negotiate.
     #   See the mod_ssl documentation for a complete list.
     #
-        #   formerly, this was set to the following:
+    #   Weak ciphers are disabled by default.
-    #   ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-    #
-    #   We now disable weak ciphers by default.
     #   Please see the documentation via the links above, and
     #   "openssl ciphers -v" for a complete list of ciphers that are
     #   available.
@@ -58,7 +58,20 @@
     # For more information, please have a look at
     # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
     # package.
-    SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+    
+    #   Speed-optimized SSL Cipher configuration:
+    #   If speed is your main concern (on busy HTTPS servers e.g.),
+    #   you might want to force clients to specific, performance
+    #   optimized ciphers. In this case, prepend those ciphers
+    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+    #   (as in the example below), most connections will no longer
+    #   have perfect forward secrecy - if the server's key is
+    #   compromised, captures of past or future traffic must be
+    #   considered compromised, too.
+    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+    #SSLHonorCipherOrder on 
     
     #   Server Certificate:
     #   Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -150,10 +163,6 @@
     #     because the extraction step is an expensive operation and is usually
     #     useless for serving static content. So one usually enables the
     #     exportation for CGI and SSI requests only.
-    #   o CompatEnvVars:
-    #     This exports obsolete environment variables for backward compatibility
-    #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-    #     to provide compatibility to existing CGI scripts.
     #   o StrictRequire:
     #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
     #     under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -161,10 +170,10 @@
     #   o OptRenegotiate:
     #     This enables optimized SSL connection renegotiation handling when SSL
     #     directives are used in per-directory context. 
-    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
-    </Files>
+    </FilesMatch>
     
     <Directory "/srv/www/cgi-bin">
     SSLOptions +StdEnvVars
@@ -218,12 +227,9 @@
     #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
     #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
     #   "force-response-1.0" for this.
-    #   remark: The below configuration snippet is here for illustration purposes.
+    BrowserMatch "MSIE [2-5]" \
-    #           Browser specific deficiencies exist, but generally all of them
+             nokeepalive ssl-unclean-shutdown \
-    #           should handle SSL/TLS encapsulated connections well.
+             downgrade-1.0 force-response-1.0
-    #SetEnvIf User-Agent ".*MSIE.*" \
-    #	 nokeepalive ssl-unclean-shutdown \
-    #	 downgrade-1.0 force-response-1.0
     
     #   Per-Server Logging:
     #   The home of a custom SSL log file. Use this when you want a

apache2-server-tuning.conf

@@ -90,6 +90,13 @@ MaxKeepAliveRequests 100
 #
 KeepAliveTimeout 15
 
+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
 #
 # EnableMMAP: Control whether memory-mapping is used to deliver
 # files (assuming that the underlying OS supports it).

apache2-ssl-global.conf

@@ -46,14 +46,12 @@
 	#SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
 	#SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
 	SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
-	SSLSessionCacheTimeout  600
+	SSLSessionCacheTimeout  300
 
-	#   This configures the SSL engine's semaphore (aka. lock) which is
+	#   Semaphore:
-	#   used for mutual exclusion of operations which have to be done in a
+	#   Configure the path to the mutual exclusion semaphore the
-	#   synchronized way between the pre-forked Apache server processes.
+	#   SSL engine uses internally for inter-process synchronization. 
-	#   "default" tells the SSL Module to pick the default locking
+	SSLMutex  "file:/var/lib/apache2/ssl_mutex"
-	#   implementation as determined by the platform and APR.
-	SSLMutex  default
 
 	#   Pseudo Random Number Generator (PRNG):
 	#   Configure one or more sources to seed the PRNG of the 

apache2-vhost-ssl.template

@@ -40,14 +40,25 @@
 
 	#  SSL protocols
 	#  Supporting TLS only is adequate nowadays
-	SSLProtocol all -SSLv2 -SSLv3
+	SSLProtocol all -SSLv2
 
 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
-	#   We disable weak ciphers by default.
+	#   See the mod_ssl documentation for a complete list.
-	#   See the mod_ssl documentation or "openssl ciphers -v" for a
+	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-	#   complete list.
+
-	SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+	#   Speed-optimized SSL Cipher configuration:
+	#   If speed is your main concern (on busy HTTPS servers e.g.),
+	#   you might want to force clients to specific, performance
+	#   optimized ciphers. In this case, prepend those ciphers
+	#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+	#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+	#   (as in the example below), most connections will no longer
+	#   have perfect forward secrecy - if the server's key is
+	#   compromised, captures of past or future traffic must be
+	#   considered compromised, too.
+	#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+	#SSLHonorCipherOrder on 
 
 	#   Server Certificate:
 	#   Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -139,10 +150,6 @@
 	#     because the extraction step is an expensive operation and is usually
 	#     useless for serving static content. So one usually enables the
 	#     exportation for CGI and SSI requests only.
-	#   o CompatEnvVars:
-	#     This exports obsolete environment variables for backward compatibility
-	#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-	#     to provide compatibility to existing CGI scripts.
 	#   o StrictRequire:
 	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 	#     under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -150,10 +157,10 @@
 	#   o OptRenegotiate:
 	#     This enables optimized SSL connection renegotiation handling when SSL
 	#     directives are used in per-directory context. 
-	#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 	    SSLOptions +StdEnvVars
-	</Files>
+	</FilesMatch>
 	<Directory "/srv/www/cgi-bin">
 	    SSLOptions +StdEnvVars
 	</Directory>
@@ -182,7 +189,7 @@
 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	#   "force-response-1.0" for this.
-	SetEnvIf User-Agent ".*MSIE [1-5].*" \
+	BrowserMatch "MSIE [2-5]" \
 		 nokeepalive ssl-unclean-shutdown \
 		 downgrade-1.0 force-response-1.0
 

apache2.changes

@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Sat Feb 18 16:24:35 UTC 2012 - poeml@cmdline.net
+Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net
 
 - update to 2.2.22
   *) SECURITY: CVE-2011-3368 (cve.mitre.org)
@@ -43,6 +43,9 @@ Sat Feb 18 16:24:35 UTC 2012 - poeml@cmdline.net
   *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
      of "0"). 
   *) mod_substitute: Fix buffer overrun. 
+- adjusted SSL template/default config for upstream changes, and added
+  MaxRanges example to apache2-server-tuning.conf
+- fixed installation of (moved) man pages
 
 -------------------------------------------------------------------
 Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com

apache2.spec

@@ -852,10 +852,10 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %defattr(-,root,root)
 %doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES
 %doc support/SHA1
-%doc %{_mandir}/man8/apachectl%{vers}.8.*
+%doc %{_mandir}/man?/apachectl%{vers}.?.*
-%doc %{_mandir}/man8/htcacheclean%{vers}.8.*
+%doc %{_mandir}/man?/htcacheclean%{vers}.?.*
-%doc %{_mandir}/man8/%{httpd}.8.*
+%doc %{_mandir}/man?/%{httpd}.?.*
-%doc %{_mandir}/man8/apxs%{vers}.8.*
+%doc %{_mandir}/man?/apxs%{vers}.?.*
 %doc robots.txt
 %doc printenv
 %doc test-cgi
@@ -978,14 +978,15 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 
 %files utils
 %defattr(-,root,root)
-%doc %{_mandir}/man8/ab%{vers}.8.*
+%doc %{_mandir}/man?/ab%{vers}.?.*
-%doc %{_mandir}/man1/dbmmanage%{vers}.1.*
+%doc %{_mandir}/man?/dbmmanage%{vers}.?.*
-%doc %{_mandir}/man1/htdbm%{vers}.1.*
+%doc %{_mandir}/man?/htdbm%{vers}.?.*
-%doc %{_mandir}/man1/htdigest%{vers}.1.*
+%doc %{_mandir}/man?/htdigest%{vers}.?.*
-%doc %{_mandir}/man1/htpasswd%{vers}.1.*
+%doc %{_mandir}/man?/htpasswd%{vers}.?.*
-%doc %{_mandir}/man8/logresolve%{vers}.8.*
+%doc %{_mandir}/man?/httxt2dbm%{vers}.?.*
-%doc %{_mandir}/man8/rotatelogs%{vers}.8.*
+%doc %{_mandir}/man?/logresolve%{vers}.?.*
-%doc %{_mandir}/man8/suexec%{vers}.8.*
+%doc %{_mandir}/man?/rotatelogs%{vers}.?.*
+%doc %{_mandir}/man?/suexec%{vers}.?.*
 %{_bindir}/check_forensic%{vers}
 %{_bindir}/dbmmanage%{vers}
 %{_bindir}/gensslcert