Accepting request 207095 from home:elvigia:branches:Apache

- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes
  mod_ssl-2.4.x-ekh.diff; this new patch is the final
  form of the rework, merged for 2.4.7.

OBS-URL: https://build.opensuse.org/request/show/207095
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=398
Cristian Rodríguez 2013-11-16 01:22:18 +00:00 committed by Git OBS Bridge
parent 738fecb393
commit 8ac24cac75
3 changed files with 118 additions and 79 deletions


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sat Nov 16 00:52:15 UTC 2013 - crrodriguez@opensuse.org
- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes
mod_ssl-2.4.x-ekh.diff this new patch is the final
form of the rework, merged for 2.4.7.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 4 20:55:52 UTC 2013 - freek@opensuse.org Mon Nov 4 20:55:52 UTC 2013 - freek@opensuse.org
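Review bot: the entry names the old and new patch files but not where the replacement comes from, so the backport cannot be traced from the changelog alone; the patch header in this same commit identifies it as httpd 2.4.x branch r1542327 (backport of r1526168, r1527291, r1527294, r1527295 and r1527926), and adding that revision after "merged for 2.4.7" would make the .changes entry self-explanatory.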


@ -163,7 +163,7 @@ Patch70: apache2-implicit-pointer-decl.patch
Patch109: httpd-2.4.3-mod_systemd.patch Patch109: httpd-2.4.3-mod_systemd.patch
Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch
Patch111: httpd-visibility.patch Patch111: httpd-visibility.patch
Patch112: mod_ssl-2.4.x-ekh.diff Patch112: httpd-mod_ssl_ephemeralkeyhandling.patch
Url: http://httpd.apache.org/ Url: http://httpd.apache.org/
Icon: Apache.xpm Icon: Apache.xpm
Summary: The Apache Web Server Version 2.2 Summary: The Apache Web Server Version 2.2
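Review bot: the Patch112 line only swaps the file name, which is fine, but the visible context line "Summary: The Apache Web Server Version 2.2" is stale for a package whose patches are rooted at httpd-2.4.6/ and could be corrected in a follow-up.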
@ -387,7 +387,7 @@ to administrators of web servers in general.
%patch109 -p1 %patch109 -p1
%patch110 %patch110
%patch111 -p1 %patch111 -p1
%patch112 %patch112 -p1
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
# install READMEs # install READMEs
a=$(basename %{S:22}) a=$(basename %{S:22})
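Review bot: the strip-level change to "%patch112 -p1" is required rather than cosmetic: the new patch's file headers carry "httpd-2.4.6.orig/..." and "httpd-2.4.6/..." prefixes (see "--- httpd-2.4.6.orig/LAYOUT" in the patch file), whereas the obsoleted mod_ssl-2.4.x-ekh.diff used bare "modules/ssl/..." paths applied with the default strip level. Also confirm that mod_ssl-2.4.x-ekh.diff itself is dropped from the package sources; none of this commit's three changed files removes it.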


@ -1,55 +1,87 @@
[Note: when committing, ssl_engine_dh.c needs to be svn rm'ed, commit 3a14aba1b65f627ab27d2bd4bb10e779635b6bcc
and the following text is meant for the commit message] Author: Jim Jagielski <jim@apache.org>
Date: Fri Nov 15 17:06:18 2013 +0000
backport r1526168, r1527291, r1527294, r1527295 and r1527926 from trunk Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
Streamline ephemeral key handling:
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
Follow-up fixes for r1526168:
- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers
for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite
Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):
- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
#ifndef OPENSSL_NO_X lines accordingly
For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E
Improve ephemeral key handling (companion to r1526168):
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
PR 55616 (add missing APLOGNO), part 2
Submitted by: kbrand
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
Submitted by: kbrand --- httpd-2.4.6.orig/LAYOUT
Reviewed by: +++ httpd-2.4.6/LAYOUT
Streamline and improve ephemeral key handling:
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
- increase minimum required OpenSSL version to 0.9.8a, as we
now rely on the get_rfcX_prime_Y functions from <openssl/bn.h>
- in ssl_private.h, regroup definitions based on whether
they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
#ifndef OPENSSL_NO_X lines accordingly
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
--- LAYOUT.orig
+++ LAYOUT
@@ -108,7 +108,6 @@ modules/ ................ Manditory and @@ -108,7 +108,6 @@ modules/ ................ Manditory and
mod_ssl.c ............... main source file containing API structures mod_ssl.c ............... main source file containing API structures
mod_ssl.h ............... common header file of mod_ssl mod_ssl.h ............... common header file of mod_ssl
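Review bot: the .changes entry calls this "the final form of the rework", but the header here shows what actually differs from the obsoleted patch, and two items are security-relevant enough to state in the package changelog: the follow-up fixes to r1526168 also disable aNULL, eNULL and EXP ciphers for per-directory SSLCipherSuite directives and for SSLProxyCipherSuite, and the SSL_TMP_KEY_* constants are dropped from ssl_private.h; PR 55616 part 2 (missing APLOGNO) is new as well. The old header's empty "Reviewed by:" line is replaced by "Reviewed/backported by: jim" plus the git-svn-id, which is the provenance a reviewer wants to see kept.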
@ -58,8 +90,8 @@ Streamline and improve ephemeral key handling:
ssl_engine_init.c ....... module initialization ssl_engine_init.c ....... module initialization
ssl_engine_io.c ......... I/O support ssl_engine_io.c ......... I/O support
ssl_engine_kernel.c ..... SSL engine kernel ssl_engine_kernel.c ..... SSL engine kernel
--- modules/ssl/config.m4.orig --- httpd-2.4.6.orig/modules/ssl/config.m4
+++ modules/ssl/config.m4 +++ httpd-2.4.6/modules/ssl/config.m4
@@ -20,7 +20,6 @@ dnl # list of module object files @@ -20,7 +20,6 @@ dnl # list of module object files
ssl_objs="dnl ssl_objs="dnl
mod_ssl.lo dnl mod_ssl.lo dnl
@ -68,8 +100,8 @@ Streamline and improve ephemeral key handling:
ssl_engine_init.lo dnl ssl_engine_init.lo dnl
ssl_engine_io.lo dnl ssl_engine_io.lo dnl
ssl_engine_kernel.lo dnl ssl_engine_kernel.lo dnl
--- modules/ssl/mod_ssl.c.orig --- httpd-2.4.6.orig/modules/ssl/mod_ssl.c
+++ modules/ssl/mod_ssl.c +++ httpd-2.4.6/modules/ssl/mod_ssl.c
@@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds @@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
"Strict SNI virtual host checking") "Strict SNI virtual host checking")
@ -95,8 +127,8 @@ Streamline and improve ephemeral key handling:
SSL_set_verify_result(ssl, X509_V_OK); SSL_set_verify_result(ssl, X509_V_OK);
ssl_io_filter_init(c, r, ssl); ssl_io_filter_init(c, r, ssl);
--- modules/ssl/mod_ssl.dsp.orig --- httpd-2.4.6.orig/modules/ssl/mod_ssl.dsp
+++ modules/ssl/mod_ssl.dsp +++ httpd-2.4.6/modules/ssl/mod_ssl.dsp
@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c @@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c
# End Source File # End Source File
# Begin Source File # Begin Source File
@ -108,8 +140,8 @@ Streamline and improve ephemeral key handling:
SOURCE=.\ssl_engine_init.c SOURCE=.\ssl_engine_init.c
# End Source File # End Source File
# Begin Source File # Begin Source File
--- modules/ssl/ssl_engine_config.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_engine_config.c
+++ modules/ssl/ssl_engine_config.c +++ httpd-2.4.6/modules/ssl/ssl_engine_config.c
@@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat @@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat
mc->stapling_mutex = NULL; mc->stapling_mutex = NULL;
#endif #endif
@ -202,7 +234,7 @@ Streamline and improve ephemeral key handling:
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{ {
--- modules/ssl/ssl_engine_dh.c --- httpd-2.4.6.orig/modules/ssl/ssl_engine_dh.c
+++ /dev/null +++ /dev/null
@@ -1,244 +0,0 @@ @@ -1,244 +0,0 @@
-#if 0 -#if 0
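Review bot: the old header's reminder that ssl_engine_dh.c must be svn rm'ed on commit is gone, and in patch-file form the deletion is carried only by this "--- httpd-2.4.6.orig/modules/ssl/ssl_engine_dh.c" / "+++ /dev/null" header (244 lines removed). After %patch112 -p1 in %prep, check that no empty ssl_engine_dh.c is left behind in modules/ssl; a leftover file is harmless only because the build picks up objects from the ssl_objs list in config.m4, which this patch also edits.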
@ -449,8 +481,8 @@ Streamline and improve ephemeral key handling:
- -
-=pod -=pod
-*/ -*/
--- modules/ssl/ssl_engine_init.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_engine_init.c
+++ modules/ssl/ssl_engine_init.c +++ httpd-2.4.6/modules/ssl/ssl_engine_init.c
@@ -35,7 +35,7 @@ @@ -35,7 +35,7 @@
** _________________________________________________________________ ** _________________________________________________________________
*/ */
@ -900,8 +932,8 @@ Streamline and improve ephemeral key handling:
* Free the non-pool allocated structures * Free the non-pool allocated structures
* in the per-server configurations * in the per-server configurations
*/ */
--- modules/ssl/ssl_engine_io.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_engine_io.c
+++ modules/ssl/ssl_engine_io.c +++ httpd-2.4.6/modules/ssl/ssl_engine_io.c
@@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh @@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh
server = sslconn->server; server = sslconn->server;
@ -920,8 +952,8 @@ Streamline and improve ephemeral key handling:
/* /*
* Enable SNI for backend requests. Make sure we don't do it for * Enable SNI for backend requests. Make sure we don't do it for
* pure SSLv3 connections, and also prevent IP addresses * pure SSLv3 connections, and also prevent IP addresses
--- modules/ssl/ssl_engine_kernel.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_engine_kernel.c
+++ modules/ssl/ssl_engine_kernel.c +++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#include "util_md5.h" #include "util_md5.h"
@ -1186,8 +1218,8 @@ Streamline and improve ephemeral key handling:
-#endif /* OPENSSL_NO_SRP */ -#endif /* OPENSSL_NO_SRP */
+#endif /* HAVE_SRP */ +#endif /* HAVE_SRP */
--- modules/ssl/ssl_engine_pphrase.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_engine_pphrase.c
+++ modules/ssl/ssl_engine_pphrase.c +++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c
@@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int @@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966)
"Init: Failed to create pass phrase pipe '%s'", "Init: Failed to create pass phrase pipe '%s'",
@ -1215,8 +1247,8 @@ Streamline and improve ephemeral key handling:
memset(buf, 0, (unsigned int)bufsize); memset(buf, 0, (unsigned int)bufsize);
return (-1); return (-1);
} }
--- modules/ssl/ssl_engine_vars.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_engine_vars.c
+++ modules/ssl/ssl_engine_vars.c +++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c
@@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool @@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl); result = ssl_var_lookup_ssl_compress_meth(ssl);
@ -1253,8 +1285,8 @@ Streamline and improve ephemeral key handling:
SSL_SESSION *pSession = SSL_get_session(ssl); SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) { if (pSession) {
--- modules/ssl/ssl_private.h.orig --- httpd-2.4.6.orig/modules/ssl/ssl_private.h
+++ modules/ssl/ssl_private.h +++ httpd-2.4.6/modules/ssl/ssl_private.h
@@ -105,65 +105,55 @@ @@ -105,65 +105,55 @@
#include <openssl/engine.h> #include <openssl/engine.h>
#endif #endif
@ -1504,8 +1536,8 @@ Streamline and improve ephemeral key handling:
unsigned char *ssl_asn1_table_set(apr_hash_t *table, unsigned char *ssl_asn1_table_set(apr_hash_t *table,
const char *key, const char *key,
--- modules/ssl/ssl_scache.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_scache.c
+++ modules/ssl/ssl_scache.c +++ httpd-2.4.6/modules/ssl/ssl_scache.c
@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_ @@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_
SSLModConfigRec *mc = myModConfig(s); SSLModConfigRec *mc = myModConfig(s);
unsigned char dest[SSL_SESSION_MAX_DER]; unsigned char dest[SSL_SESSION_MAX_DER];
@ -1515,8 +1547,8 @@ Streamline and improve ephemeral key handling:
apr_status_t rv; apr_status_t rv;
if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) { if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
--- modules/ssl/ssl_util.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_util.c
+++ modules/ssl/ssl_util.c +++ httpd-2.4.6/modules/ssl/ssl_util.c
@@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe @@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
case EVP_PKEY_DSA: case EVP_PKEY_DSA:
t = SSL_ALGO_DSA; t = SSL_ALGO_DSA;
@ -1544,8 +1576,8 @@ Streamline and improve ephemeral key handling:
static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
#else #else
static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
--- modules/ssl/ssl_util_ssl.c.orig --- httpd-2.4.6.orig/modules/ssl/ssl_util_ssl.c
+++ modules/ssl/ssl_util_ssl.c +++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c
@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t @@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
/* _________________________________________________________________ /* _________________________________________________________________