From e86bea8079d9fb9fffff035e9464dd809c45c536578e533a5287f15603db3896 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Thu, 1 Nov 2018 14:07:47 +0000 Subject: [PATCH] Accepting request 644712 from home:adkorte:branches:Apache - the "event" MPM is fully supported since 2.4 - configure an OCSP stapling cache by default (still requires enabling SSLUseStapling in vhost) OBS-URL: https://build.opensuse.org/request/show/644712 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=572 --- apache2-ssl-global.conf | 23 +++++++++++++++++++---- apache2-vhost-ssl.template | 4 ++++ apache2.changes | 7 +++++++ apache2.spec | 3 +-- 4 files changed, 31 insertions(+), 6 deletions(-) diff --git a/apache2-ssl-global.conf b/apache2-ssl-global.conf index 8a886d8..cf1e27f 100644 --- a/apache2-ssl-global.conf +++ b/apache2-ssl-global.conf @@ -46,12 +46,27 @@ #SSLSessionCache dbm:/var/lib/apache2/ssl_scache # - + SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000) - + SSLSessionCacheTimeout 300 + # Configures the cache used to store OCSP responses which get included in + # the TLS handshake if SSLUseStapling is enabled. Configuration of a cache + # is mandatory for OCSP stapling. With the exception of none and nonenotnull, + # the same storage types are supported as with SSLSessionCache. + # + #SSLStaplingCache dbm:/var/lib/apache2/ssl_stapling + # + + + SSLStaplingCache shmcb:/var/lib/apache2/ssl_stapling(64000) + + + SSLStaplingStandardCacheTimeout 86400 + SSLStaplingErrorCacheTimeout 300 + SSLStaplingReturnResponderErrors Off # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the 
@@ -72,13 +87,13 @@ # SSL protocols # Allow TLS version 1.2 only, which is a recommended default these days - # by international information security standards. + # by international information security standards. SSLProtocol TLSv1.2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA # SSLHonorCipherOrder # If SSLHonorCipherOrder is disabled, then the client's preferences 
diff --git a/apache2-vhost-ssl.template b/apache2-vhost-ssl.template index a80aa1a..d298de5 100644 --- a/apache2-vhost-ssl.template +++ b/apache2-vhost-ssl.template @@ -35,6 +35,10 @@ # Enable/Disable SSL for this virtual host. SSLEngine on + # OCSP Stapling: + # Enable/Disable OCSP for this virtual host. + SSLUseStapling on + # You can use per vhost certificates if SNI is supported. SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key diff --git a/apache2.changes b/apache2.changes index 7b4bf53..1e4542d 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte + +- the "event" MPM is fully supported since 2.4 +- configure an OCSP stapling cache by default (still requires enabling + SSLUseStapling in vhost) + ------------------------------------------------------------------- Thu Oct 18 20:41:02 UTC 2018 - Manu Maier diff --git a/apache2.spec b/apache2.spec index 27e26b8..c1df922 100644 --- a/apache2.spec +++ b/apache2.spec @@ -264,8 +264,7 @@ maximum stability because each server runs in its own process. If a process dies it will not affect other servers. %description event -The event MPM (multi-Processing Module) is experimental, so it may or -may not work as expected. +"event" MPM (multi-Processing Module) It uses a separate thread to handle Keep Alive requests and accepting connections. Keep Alive requests have traditionally required httpd to
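Review bot: The new comment `# Enable/Disable OCSP for this virtual host.` above `SSLUseStapling on` under-describes the directive: it makes httpd itself fetch OCSP responses from the certificate's responder and staple them into the TLS handshake, so I would write `# Enable/Disable OCSP stapling for this virtual host (requires SSLStaplingCache in the global SSL config and outbound access from this host to the CA's OCSP responder).` The global config hunk in this same commit states that a stapling cache is mandatory, so a vhost generated from this template on a host whose global config lacks SSLStaplingCache will presumably fail to start rather than silently skip stapling, which is worth saying in the comment. The commit message says stapling "still requires enabling SSLUseStapling in vhost", while this template now turns it on for every vhost created from it; if that is intended the changelog should say so, and if not the line should ship as `#SSLUseStapling on`. For a certificate with no OCSP responder URI (e.g. an example or self-signed cert), mod_ssl as far as I recall logs a warning at startup and does not staple, and with `SSLStaplingReturnResponderErrors Off` from the global hunk responder failures show up only as a missing staple, so admins need the error log, not a handshake failure, to notice a broken stapling setup.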