Accepting request 207095 from home:elvigia:branches:Apache
- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes mod_ssl-2.4.x-ekh.diff; this new patch is the final form of the rework, merged upstream for 2.4.7. OBS-URL: https://build.opensuse.org/request/show/207095 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=398
parent
738fecb393
commit
8ac24cac75
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Nov 16 00:52:15 UTC 2013 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
|
- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes
|
||||||
|
mod_ssl-2.4.x-ekh.diff this new patch is the final
|
||||||
|
form of the rework, merged for 2.4.7.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Nov 4 20:55:52 UTC 2013 - freek@opensuse.org
|
Mon Nov 4 20:55:52 UTC 2013 - freek@opensuse.org
|
||||||
|
|
||||||
|
@ -163,7 +163,7 @@ Patch70: apache2-implicit-pointer-decl.patch
|
|||||||
Patch109: httpd-2.4.3-mod_systemd.patch
|
Patch109: httpd-2.4.3-mod_systemd.patch
|
||||||
Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch
|
Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch
|
||||||
Patch111: httpd-visibility.patch
|
Patch111: httpd-visibility.patch
|
||||||
Patch112: mod_ssl-2.4.x-ekh.diff
|
Patch112: httpd-mod_ssl_ephemeralkeyhandling.patch
|
||||||
Url: http://httpd.apache.org/
|
Url: http://httpd.apache.org/
|
||||||
Icon: Apache.xpm
|
Icon: Apache.xpm
|
||||||
Summary: The Apache Web Server Version 2.2
|
Summary: The Apache Web Server Version 2.2
|
||||||
@ -387,7 +387,7 @@ to administrators of web servers in general.
|
|||||||
%patch109 -p1
|
%patch109 -p1
|
||||||
%patch110
|
%patch110
|
||||||
%patch111 -p1
|
%patch111 -p1
|
||||||
%patch112
|
%patch112 -p1
|
||||||
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
|
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
|
||||||
# install READMEs
|
# install READMEs
|
||||||
a=$(basename %{S:22})
|
a=$(basename %{S:22})
|
||||||
|
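Review bot: The new `Patch112: httpd-mod_ssl_ephemeralkeyhandling.patch` line records neither where the backport comes from nor when it can be dropped, although the patch header itself (commit 3a14aba, git-svn-id r1542327 on branches/2.4.x) says it is the version merged for 2.4.7; a spec comment above it such as `# backport of upstream r1542327 (mod_ssl ephemeral key handling rework), in 2.4.7 -- drop on update` would tell the next packager when to remove it. The `-p1` added to `%patch112` is consistent with the `httpd-2.4.6.orig/` prefix in the new patch's file headers, so the two edits belong together. Note also that the backport changes default behaviour for administrators — every SSLCipherSuite and SSLProxyCipherSuite string is now prefixed with `!aNULL:!eNULL:!EXP:` and ephemeral RSA (export) keys are dropped, per the patch description — which neither the spec nor the changes entry mentions; a sentence in the changes entry would warn anyone still relying on those ciphers.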
@ -1,55 +1,87 @@
|
|||||||
[Note: when committing, ssl_engine_dh.c needs to be svn rm'ed,
|
commit 3a14aba1b65f627ab27d2bd4bb10e779635b6bcc
|
||||||
and the following text is meant for the commit message]
|
Author: Jim Jagielski <jim@apache.org>
|
||||||
|
Date: Fri Nov 15 17:06:18 2013 +0000
|
||||||
|
|
||||||
backport r1526168, r1527291, r1527294, r1527295 and r1527926 from trunk
|
Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
|
||||||
|
|
||||||
|
Streamline ephemeral key handling:
|
||||||
|
|
||||||
|
- drop support for ephemeral RSA keys (only allowed/needed
|
||||||
|
for export ciphers)
|
||||||
|
|
||||||
|
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
|
||||||
|
the temp key generation at startup (unnecessary for DHE/ECDHE)
|
||||||
|
|
||||||
|
- unconditionally disable null and export-grade ciphers by always
|
||||||
|
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
|
||||||
|
|
||||||
|
- do not configure per-connection SSL_tmp_*_callbacks, as it is
|
||||||
|
sufficient to set them for the SSL_CTX
|
||||||
|
|
||||||
|
- set default curve for ECDHE at startup, obviating the need
|
||||||
|
for a per-handshake callback, for the time being (and also
|
||||||
|
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
|
||||||
|
|
||||||
|
For additional background, see
|
||||||
|
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
|
||||||
|
|
||||||
|
|
||||||
|
Follow-up fixes for r1526168:
|
||||||
|
|
||||||
|
- drop SSL_TMP_KEY_* constants from ssl_private.h, too
|
||||||
|
|
||||||
|
- make sure we also disable aNULL, eNULL and EXP ciphers
|
||||||
|
for per-directory SSLCipherSuite directives
|
||||||
|
|
||||||
|
- apply the same treatment to SSLProxyCipherSuite
|
||||||
|
|
||||||
|
|
||||||
|
Increase minimum required OpenSSL version to 0.9.8a (in preparation
|
||||||
|
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
|
||||||
|
functions added in that release):
|
||||||
|
|
||||||
|
- remove obsolete #defines / macros
|
||||||
|
|
||||||
|
- in ssl_private.h, regroup definitions based on whether
|
||||||
|
they depend on TLS extension support or not
|
||||||
|
|
||||||
|
- for ECC and SRP support, set HAVE_X and change the rather awkward
|
||||||
|
#ifndef OPENSSL_NO_X lines accordingly
|
||||||
|
|
||||||
|
For the discussion prior to taking this step, see
|
||||||
|
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E
|
||||||
|
|
||||||
|
|
||||||
|
Improve ephemeral key handling (companion to r1526168):
|
||||||
|
|
||||||
|
- allow to configure custom DHE or ECDHE parameters via the
|
||||||
|
SSLCertificateFile directive, and adapt its documentation
|
||||||
|
accordingly (addresses PR 49559)
|
||||||
|
|
||||||
|
- add standardized DH parameters from RFCs 2409 and 3526,
|
||||||
|
use them based on the length of the certificate's RSA/DSA key,
|
||||||
|
and add a FAQ entry for clients which limit DH support
|
||||||
|
to 1024 bits (such as Java 7 and earlier)
|
||||||
|
|
||||||
|
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
|
||||||
|
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
|
||||||
|
|
||||||
|
- drop ssl_engine_dh.c from mod_ssl
|
||||||
|
|
||||||
|
For the standardized DH parameters, OpenSSL version 0.9.8a
|
||||||
|
or later is required, which was therefore made a new minimum
|
||||||
|
requirement in r1527294.
|
||||||
|
|
||||||
|
|
||||||
|
PR 55616 (add missing APLOGNO), part 2
|
||||||
|
Submitted by: kbrand
|
||||||
|
Reviewed/backported by: jim
|
||||||
|
|
||||||
|
|
||||||
|
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
|
||||||
|
|
||||||
Submitted by: kbrand
|
--- httpd-2.4.6.orig/LAYOUT
|
||||||
Reviewed by:
|
+++ httpd-2.4.6/LAYOUT
|
||||||
|
|
||||||
Streamline and improve ephemeral key handling:
|
|
||||||
|
|
||||||
- drop support for ephemeral RSA keys (only allowed/needed
|
|
||||||
for export ciphers)
|
|
||||||
|
|
||||||
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
|
|
||||||
the temp key generation at startup (unnecessary for DHE/ECDHE)
|
|
||||||
|
|
||||||
- unconditionally disable null and export-grade ciphers by always
|
|
||||||
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
|
|
||||||
|
|
||||||
- do not configure per-connection SSL_tmp_*_callbacks, as it is
|
|
||||||
sufficient to set them for the SSL_CTX
|
|
||||||
|
|
||||||
- set default curve for ECDHE at startup, obviating the need
|
|
||||||
for a per-handshake callback, for the time being (and also
|
|
||||||
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
|
|
||||||
|
|
||||||
- increase minimum required OpenSSL version to 0.9.8a, as we
|
|
||||||
now rely on the get_rfcX_prime_Y functions from <openssl/bn.h>
|
|
||||||
|
|
||||||
- in ssl_private.h, regroup definitions based on whether
|
|
||||||
they depend on TLS extension support or not
|
|
||||||
|
|
||||||
- for ECC and SRP support, set HAVE_X and change the rather awkward
|
|
||||||
#ifndef OPENSSL_NO_X lines accordingly
|
|
||||||
|
|
||||||
- allow to configure custom DHE or ECDHE parameters via the
|
|
||||||
SSLCertificateFile directive, and adapt its documentation
|
|
||||||
accordingly (addresses PR 49559)
|
|
||||||
|
|
||||||
- add standardized DH parameters from RFCs 2409 and 3526,
|
|
||||||
use them based on the length of the certificate's RSA/DSA key,
|
|
||||||
and add a FAQ entry for clients which limit DH support
|
|
||||||
to 1024 bits (such as Java 7 and earlier)
|
|
||||||
|
|
||||||
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
|
|
||||||
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
|
|
||||||
|
|
||||||
- drop ssl_engine_dh.c from mod_ssl
|
|
||||||
|
|
||||||
|
|
||||||
--- LAYOUT.orig
|
|
||||||
+++ LAYOUT
|
|
||||||
@@ -108,7 +108,6 @@ modules/ ................ Manditory and
|
@@ -108,7 +108,6 @@ modules/ ................ Manditory and
|
||||||
mod_ssl.c ............... main source file containing API structures
|
mod_ssl.c ............... main source file containing API structures
|
||||||
mod_ssl.h ............... common header file of mod_ssl
|
mod_ssl.h ............... common header file of mod_ssl
|
||||||
@ -58,8 +90,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
ssl_engine_init.c ....... module initialization
|
ssl_engine_init.c ....... module initialization
|
||||||
ssl_engine_io.c ......... I/O support
|
ssl_engine_io.c ......... I/O support
|
||||||
ssl_engine_kernel.c ..... SSL engine kernel
|
ssl_engine_kernel.c ..... SSL engine kernel
|
||||||
--- modules/ssl/config.m4.orig
|
--- httpd-2.4.6.orig/modules/ssl/config.m4
|
||||||
+++ modules/ssl/config.m4
|
+++ httpd-2.4.6/modules/ssl/config.m4
|
||||||
@@ -20,7 +20,6 @@ dnl # list of module object files
|
@@ -20,7 +20,6 @@ dnl # list of module object files
|
||||||
ssl_objs="dnl
|
ssl_objs="dnl
|
||||||
mod_ssl.lo dnl
|
mod_ssl.lo dnl
|
||||||
@ -68,8 +100,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
ssl_engine_init.lo dnl
|
ssl_engine_init.lo dnl
|
||||||
ssl_engine_io.lo dnl
|
ssl_engine_io.lo dnl
|
||||||
ssl_engine_kernel.lo dnl
|
ssl_engine_kernel.lo dnl
|
||||||
--- modules/ssl/mod_ssl.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/mod_ssl.c
|
||||||
+++ modules/ssl/mod_ssl.c
|
+++ httpd-2.4.6/modules/ssl/mod_ssl.c
|
||||||
@@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds
|
@@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds
|
||||||
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
|
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
|
||||||
"Strict SNI virtual host checking")
|
"Strict SNI virtual host checking")
|
||||||
@ -95,8 +127,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
SSL_set_verify_result(ssl, X509_V_OK);
|
SSL_set_verify_result(ssl, X509_V_OK);
|
||||||
|
|
||||||
ssl_io_filter_init(c, r, ssl);
|
ssl_io_filter_init(c, r, ssl);
|
||||||
--- modules/ssl/mod_ssl.dsp.orig
|
--- httpd-2.4.6.orig/modules/ssl/mod_ssl.dsp
|
||||||
+++ modules/ssl/mod_ssl.dsp
|
+++ httpd-2.4.6/modules/ssl/mod_ssl.dsp
|
||||||
@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c
|
@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c
|
||||||
# End Source File
|
# End Source File
|
||||||
# Begin Source File
|
# Begin Source File
|
||||||
@ -108,8 +140,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
SOURCE=.\ssl_engine_init.c
|
SOURCE=.\ssl_engine_init.c
|
||||||
# End Source File
|
# End Source File
|
||||||
# Begin Source File
|
# Begin Source File
|
||||||
--- modules/ssl/ssl_engine_config.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_config.c
|
||||||
+++ modules/ssl/ssl_engine_config.c
|
+++ httpd-2.4.6/modules/ssl/ssl_engine_config.c
|
||||||
@@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat
|
@@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat
|
||||||
mc->stapling_mutex = NULL;
|
mc->stapling_mutex = NULL;
|
||||||
#endif
|
#endif
|
||||||
@ -202,7 +234,7 @@ Streamline and improve ephemeral key handling:
|
|||||||
|
|
||||||
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
|
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
|
||||||
{
|
{
|
||||||
--- modules/ssl/ssl_engine_dh.c
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_dh.c
|
||||||
+++ /dev/null
|
+++ /dev/null
|
||||||
@@ -1,244 +0,0 @@
|
@@ -1,244 +0,0 @@
|
||||||
-#if 0
|
-#if 0
|
||||||
@ -449,8 +481,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
-
|
-
|
||||||
-=pod
|
-=pod
|
||||||
-*/
|
-*/
|
||||||
--- modules/ssl/ssl_engine_init.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_init.c
|
||||||
+++ modules/ssl/ssl_engine_init.c
|
+++ httpd-2.4.6/modules/ssl/ssl_engine_init.c
|
||||||
@@ -35,7 +35,7 @@
|
@@ -35,7 +35,7 @@
|
||||||
** _________________________________________________________________
|
** _________________________________________________________________
|
||||||
*/
|
*/
|
||||||
@ -900,8 +932,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
* Free the non-pool allocated structures
|
* Free the non-pool allocated structures
|
||||||
* in the per-server configurations
|
* in the per-server configurations
|
||||||
*/
|
*/
|
||||||
--- modules/ssl/ssl_engine_io.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_io.c
|
||||||
+++ modules/ssl/ssl_engine_io.c
|
+++ httpd-2.4.6/modules/ssl/ssl_engine_io.c
|
||||||
@@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh
|
@@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh
|
||||||
|
|
||||||
server = sslconn->server;
|
server = sslconn->server;
|
||||||
@ -920,8 +952,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
/*
|
/*
|
||||||
* Enable SNI for backend requests. Make sure we don't do it for
|
* Enable SNI for backend requests. Make sure we don't do it for
|
||||||
* pure SSLv3 connections, and also prevent IP addresses
|
* pure SSLv3 connections, and also prevent IP addresses
|
||||||
--- modules/ssl/ssl_engine_kernel.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_kernel.c
|
||||||
+++ modules/ssl/ssl_engine_kernel.c
|
+++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c
|
||||||
@@ -32,7 +32,7 @@
|
@@ -32,7 +32,7 @@
|
||||||
#include "util_md5.h"
|
#include "util_md5.h"
|
||||||
|
|
||||||
@ -1186,8 +1218,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
|
|
||||||
-#endif /* OPENSSL_NO_SRP */
|
-#endif /* OPENSSL_NO_SRP */
|
||||||
+#endif /* HAVE_SRP */
|
+#endif /* HAVE_SRP */
|
||||||
--- modules/ssl/ssl_engine_pphrase.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_pphrase.c
|
||||||
+++ modules/ssl/ssl_engine_pphrase.c
|
+++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c
|
||||||
@@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int
|
@@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int
|
||||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966)
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966)
|
||||||
"Init: Failed to create pass phrase pipe '%s'",
|
"Init: Failed to create pass phrase pipe '%s'",
|
||||||
@ -1215,8 +1247,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
memset(buf, 0, (unsigned int)bufsize);
|
memset(buf, 0, (unsigned int)bufsize);
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
--- modules/ssl/ssl_engine_vars.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_engine_vars.c
|
||||||
+++ modules/ssl/ssl_engine_vars.c
|
+++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c
|
||||||
@@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool
|
@@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool
|
||||||
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
|
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
|
||||||
result = ssl_var_lookup_ssl_compress_meth(ssl);
|
result = ssl_var_lookup_ssl_compress_meth(ssl);
|
||||||
@ -1253,8 +1285,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
SSL_SESSION *pSession = SSL_get_session(ssl);
|
SSL_SESSION *pSession = SSL_get_session(ssl);
|
||||||
|
|
||||||
if (pSession) {
|
if (pSession) {
|
||||||
--- modules/ssl/ssl_private.h.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_private.h
|
||||||
+++ modules/ssl/ssl_private.h
|
+++ httpd-2.4.6/modules/ssl/ssl_private.h
|
||||||
@@ -105,65 +105,55 @@
|
@@ -105,65 +105,55 @@
|
||||||
#include <openssl/engine.h>
|
#include <openssl/engine.h>
|
||||||
#endif
|
#endif
|
||||||
@ -1504,8 +1536,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
|
|
||||||
unsigned char *ssl_asn1_table_set(apr_hash_t *table,
|
unsigned char *ssl_asn1_table_set(apr_hash_t *table,
|
||||||
const char *key,
|
const char *key,
|
||||||
--- modules/ssl/ssl_scache.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_scache.c
|
||||||
+++ modules/ssl/ssl_scache.c
|
+++ httpd-2.4.6/modules/ssl/ssl_scache.c
|
||||||
@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_
|
@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_
|
||||||
SSLModConfigRec *mc = myModConfig(s);
|
SSLModConfigRec *mc = myModConfig(s);
|
||||||
unsigned char dest[SSL_SESSION_MAX_DER];
|
unsigned char dest[SSL_SESSION_MAX_DER];
|
||||||
@ -1515,8 +1547,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
apr_status_t rv;
|
apr_status_t rv;
|
||||||
|
|
||||||
if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
|
if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
|
||||||
--- modules/ssl/ssl_util.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_util.c
|
||||||
+++ modules/ssl/ssl_util.c
|
+++ httpd-2.4.6/modules/ssl/ssl_util.c
|
||||||
@@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
|
@@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
|
||||||
case EVP_PKEY_DSA:
|
case EVP_PKEY_DSA:
|
||||||
t = SSL_ALGO_DSA;
|
t = SSL_ALGO_DSA;
|
||||||
@ -1544,8 +1576,8 @@ Streamline and improve ephemeral key handling:
|
|||||||
static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
|
static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
|
||||||
#else
|
#else
|
||||||
static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
|
static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
|
||||||
--- modules/ssl/ssl_util_ssl.c.orig
|
--- httpd-2.4.6.orig/modules/ssl/ssl_util_ssl.c
|
||||||
+++ modules/ssl/ssl_util_ssl.c
|
+++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c
|
||||||
@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
|
@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
|
||||||
|
|
||||||
/* _________________________________________________________________
|
/* _________________________________________________________________
|