diff --git a/apache2.changes b/apache2.changes
index 7e3f64e..be0e673 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Nov 16 00:52:15 UTC 2013 - crrodriguez@opensuse.org
+
+- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes
+ mod_ssl-2.4.x-ekh.diff this new patch is the final
+ form of the rework, merged for 2.4.7.
+
 -------------------------------------------------------------------
 Mon Nov 4 20:55:52 UTC 2013 - freek@opensuse.org
 
diff --git a/apache2.spec b/apache2.spec
index 43aaddd..fcfcaab 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -163,7 +163,7 @@ Patch70: apache2-implicit-pointer-decl.patch
 Patch109: httpd-2.4.3-mod_systemd.patch
 Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch
 Patch111: httpd-visibility.patch
-Patch112: mod_ssl-2.4.x-ekh.diff
+Patch112: httpd-mod_ssl_ephemeralkeyhandling.patch
 Url: http://httpd.apache.org/
 Icon: Apache.xpm
 Summary: The Apache Web Server Version 2.2
@@ -387,7 +387,7 @@ to administrators of web servers in general.
 %patch109 -p1
 %patch110
 %patch111 -p1
-%patch112
+%patch112 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{S:22})
diff --git a/mod_ssl-2.4.x-ekh.diff b/httpd-mod_ssl_ephemeralkeyhandling.patch
similarity index 91%
rename from mod_ssl-2.4.x-ekh.diff
rename to httpd-mod_ssl_ephemeralkeyhandling.patch
index 632aef7..d91fda5 100644
--- a/mod_ssl-2.4.x-ekh.diff
+++ b/httpd-mod_ssl_ephemeralkeyhandling.patch
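Review bot: `Patch112: httpd-mod_ssl_ephemeralkeyhandling.patch` pulls in a patch whose own header states that the minimum OpenSSL version is raised to 0.9.8a because the new DH code relies on the get_rfcX_prime_Y functions, but the spec's BuildRequires lines are outside these hunks, so I cannot see whether a matching version bound exists; if there is none, the build will fail at compile time on an older OpenSSL rather than at dependency resolution, and a bound of the form `BuildRequires: <openssl devel package> >= 0.9.8a` (placeholder name) would make the requirement explicit. The switch to `%patch112 -p1` in the second hunk is consistent with the `httpd-2.4.6.orig/` prefix the renamed patch now carries, so the two hunks must land together, as they do here. Unrelated to this change but visible in the context, `Summary: The Apache Web Server Version 2.2` is stale for a package that patches the 2.4.x tree and is worth a follow-up.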
@@ -1,55 +1,87 @@
-[Note: when committing, ssl_engine_dh.c needs to be svn rm'ed,
-and the following text is meant for the commit message]
+commit 3a14aba1b65f627ab27d2bd4bb10e779635b6bcc
+Author: Jim Jagielski
+Date: Fri Nov 15 17:06:18 2013 +0000
 
-backport r1526168, r1527291, r1527294, r1527295 and r1527926 from trunk
+ Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
+
+ Streamline ephemeral key handling:
+
+ - drop support for ephemeral RSA keys (only allowed/needed
+ for export ciphers)
+
+ - drop pTmpKeys from the per-process SSLModConfigRec, and remove
+ the temp key generation at startup (unnecessary for DHE/ECDHE)
+
+ - unconditionally disable null and export-grade ciphers by always
+ prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
+
+ - do not configure per-connection SSL_tmp_*_callbacks, as it is
+ sufficient to set them for the SSL_CTX
+
+ - set default curve for ECDHE at startup, obviating the need
+ for a per-handshake callback, for the time being (and also
+ configure SSL_OP_SINGLE_ECDH_USE, previously left out)
+
+ For additional background, see
+ https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
+
+
+ Follow-up fixes for r1526168:
+
+ - drop SSL_TMP_KEY_* constants from ssl_private.h, too
+
+ - make sure we also disable aNULL, eNULL and EXP ciphers
+ for per-directory SSLCipherSuite directives
+
+ - apply the same treatment to SSLProxyCipherSuite
+
+
+ Increase minimum required OpenSSL version to 0.9.8a (in preparation
+ for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
+ functions added in that release):
+
+ - remove obsolete #defines / macros
+
+ - in ssl_private.h, regroup definitions based on whether
+ they depend on TLS extension support or not
+
+ - for ECC and SRP support, set HAVE_X and change the rather awkward
+ #ifndef OPENSSL_NO_X lines accordingly
+
+ For the discussion prior to taking this step, see
+ https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E
+
+
+ Improve ephemeral key handling (companion to r1526168):
+
+ - allow to configure custom DHE or ECDHE parameters via the
+ SSLCertificateFile directive, and adapt its documentation
+ accordingly (addresses PR 49559)
+
+ - add standardized DH parameters from RFCs 2409 and 3526,
+ use them based on the length of the certificate's RSA/DSA key,
+ and add a FAQ entry for clients which limit DH support
+ to 1024 bits (such as Java 7 and earlier)
+
+ - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
+ ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
+
+ - drop ssl_engine_dh.c from mod_ssl
+
+ For the standardized DH parameters, OpenSSL version 0.9.8a
+ or later is required, which was therefore made a new minimum
+ requirement in r1527294.
+
+
+ PR 55616 (add missing APLOGNO), part 2
+ Submitted by: kbrand
+ Reviewed/backported by: jim
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
 
-Submitted by: kbrand
-Reviewed by:
-
-Streamline and improve ephemeral key handling:
-
-- drop support for ephemeral RSA keys (only allowed/needed
- for export ciphers)
-
-- drop pTmpKeys from the per-process SSLModConfigRec, and remove
- the temp key generation at startup (unnecessary for DHE/ECDHE)
-
-- unconditionally disable null and export-grade ciphers by always
- prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
-
-- do not configure per-connection SSL_tmp_*_callbacks, as it is
- sufficient to set them for the SSL_CTX
-
-- set default curve for ECDHE at startup, obviating the need
- for a per-handshake callback, for the time being (and also
- configure SSL_OP_SINGLE_ECDH_USE, previously left out)
-
-- increase minimum required OpenSSL version to 0.9.8a, as we
- now rely on the get_rfcX_prime_Y functions from
-
-- in ssl_private.h, regroup definitions based on whether
- they depend on TLS extension support or not
-
-- for ECC and SRP support, set HAVE_X and change the rather awkward
- #ifndef OPENSSL_NO_X lines accordingly
-
-- allow to configure custom DHE or ECDHE parameters via the
- SSLCertificateFile directive, and adapt its documentation
- accordingly (addresses PR 49559)
-
-- add standardized DH parameters from RFCs 2409 and 3526,
- use them based on the length of the certificate's RSA/DSA key,
- and add a FAQ entry for clients which limit DH support
- to 1024 bits (such as Java 7 and earlier)
-
-- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
- ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
-
-- drop ssl_engine_dh.c from mod_ssl
-
-
---- LAYOUT.orig
-+++ LAYOUT
+--- httpd-2.4.6.orig/LAYOUT
++++ httpd-2.4.6/LAYOUT
 @@ -108,7 +108,6 @@ modules/ ................ Manditory and
 mod_ssl.c ............... main source file containing API structures
 mod_ssl.h ............... common header file of mod_ssl
@@ -58,8 +90,8 @@ Streamline and improve ephemeral key handling:
 ssl_engine_init.c ....... module initialization
 ssl_engine_io.c ......... I/O support
 ssl_engine_kernel.c ..... SSL engine kernel
---- modules/ssl/config.m4.orig
-+++ modules/ssl/config.m4
+--- httpd-2.4.6.orig/modules/ssl/config.m4
++++ httpd-2.4.6/modules/ssl/config.m4
 @@ -20,7 +20,6 @@ dnl # list of module object files
 ssl_objs="dnl
 mod_ssl.lo dnl
@@ -68,8 +100,8 @@ Streamline and improve ephemeral key handling:
 ssl_engine_init.lo dnl
 ssl_engine_io.lo dnl
 ssl_engine_kernel.lo dnl
---- modules/ssl/mod_ssl.c.orig
-+++ modules/ssl/mod_ssl.c
+--- httpd-2.4.6.orig/modules/ssl/mod_ssl.c
++++ httpd-2.4.6/modules/ssl/mod_ssl.c
 @@ -148,7 +148,7 @@ static const command_rec ssl_config_cmds
 SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
 "Strict SNI virtual host checking")
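Review bot: The behavioural changes spelled out in the new header lines of this hunk — every SSLCipherSuite and SSLProxyCipherSuite string now gets `!aNULL:!eNULL:!EXP:` prepended, SSL_OP_SINGLE_ECDH_USE is set, ephemeral RSA is gone, and SSLCertificateFile may carry DH/ECDH parameters — are user-visible hardening changes that the package's .changes entry (first hunk) reduces to a file rename; a one-line changelog entry naming them, e.g. `- mod_ssl now always disables NULL/export ciphers and accepts custom DH/ECDH parameters in SSLCertificateFile`, would let administrators understand why a deliberately weak test configuration stops negotiating and where to look when `openssl s_client` shows a different DH group after the update. Recording the upstream commit id 3a14aba1b65f627ab27d2bd4bb10e779635b6bcc and the r1542327 git-svn-id in the patch header is good for provenance, and since the header says the work is merged for 2.4.7, the patch should be dropped rather than rebased on the next version bump. The trailing change in this hunk, `LAYOUT.orig`/`LAYOUT` becoming `httpd-2.4.6.orig/LAYOUT`/`httpd-2.4.6/LAYOUT`, is what requires `%patch112 -p1` in the spec; the remaining hunks of this file (@@ -58 through @@ -1544) apply the same prefix change to their `---`/`+++` headers and need no further comment.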
@@ -95,8 +127,8 @@ Streamline and improve ephemeral key handling: SSL_set_verify_result(ssl, X509_V_OK); ssl_io_filter_init(c, r, ssl); ---- modules/ssl/mod_ssl.dsp.orig -+++ modules/ssl/mod_ssl.dsp +--- httpd-2.4.6.orig/modules/ssl/mod_ssl.dsp ++++ httpd-2.4.6/modules/ssl/mod_ssl.dsp @@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c # End Source File # Begin Source File @@ -108,8 +140,8 @@ Streamline and improve ephemeral key handling: SOURCE=.\ssl_engine_init.c # End Source File # Begin Source File ---- modules/ssl/ssl_engine_config.c.orig -+++ modules/ssl/ssl_engine_config.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_config.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c @@ -75,8 +75,6 @@ SSLModConfigRec *ssl_config_global_creat mc->stapling_mutex = NULL; #endif @@ -202,7 +234,7 @@ Streamline and improve ephemeral key handling: void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) { ---- modules/ssl/ssl_engine_dh.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_dh.c +++ /dev/null @@ -1,244 +0,0 @@ -#if 0 @@ -449,8 +481,8 @@ Streamline and improve ephemeral key handling: - -=pod -*/ ---- modules/ssl/ssl_engine_init.c.orig -+++ modules/ssl/ssl_engine_init.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_init.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c @@ -35,7 +35,7 @@ ** _________________________________________________________________ */ @@ -900,8 +932,8 @@ Streamline and improve ephemeral key handling: * Free the non-pool allocated structures * in the per-server configurations */ ---- modules/ssl/ssl_engine_io.c.orig -+++ modules/ssl/ssl_engine_io.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_io.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_io.c @@ -1060,7 +1060,7 @@ static apr_status_t ssl_io_filter_handsh server = sslconn->server; 
@@ -920,8 +952,8 @@ Streamline and improve ephemeral key handling: /* * Enable SNI for backend requests. Make sure we don't do it for * pure SSLv3 connections, and also prevent IP addresses ---- modules/ssl/ssl_engine_kernel.c.orig -+++ modules/ssl/ssl_engine_kernel.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_kernel.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c @@ -32,7 +32,7 @@ #include "util_md5.h" @@ -1186,8 +1218,8 @@ Streamline and improve ephemeral key handling: -#endif /* OPENSSL_NO_SRP */ +#endif /* HAVE_SRP */ ---- modules/ssl/ssl_engine_pphrase.c.orig -+++ modules/ssl/ssl_engine_pphrase.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_pphrase.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_pphrase.c @@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966) "Init: Failed to create pass phrase pipe '%s'", @@ -1215,8 +1247,8 @@ Streamline and improve ephemeral key handling: memset(buf, 0, (unsigned int)bufsize); return (-1); } ---- modules/ssl/ssl_engine_vars.c.orig -+++ modules/ssl/ssl_engine_vars.c +--- httpd-2.4.6.orig/modules/ssl/ssl_engine_vars.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c @@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { result = ssl_var_lookup_ssl_compress_meth(ssl); @@ -1253,8 +1285,8 @@ Streamline and improve ephemeral key handling: SSL_SESSION *pSession = SSL_get_session(ssl); if (pSession) { ---- modules/ssl/ssl_private.h.orig -+++ modules/ssl/ssl_private.h +--- httpd-2.4.6.orig/modules/ssl/ssl_private.h ++++ httpd-2.4.6/modules/ssl/ssl_private.h @@ -105,65 +105,55 @@ #include #endif @@ -1504,8 +1536,8 @@ Streamline and improve ephemeral key handling: unsigned char *ssl_asn1_table_set(apr_hash_t *table, const char *key, ---- modules/ssl/ssl_scache.c.orig -+++ modules/ssl/ssl_scache.c +--- httpd-2.4.6.orig/modules/ssl/ssl_scache.c ++++ httpd-2.4.6/modules/ssl/ssl_scache.c 
@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_ SSLModConfigRec *mc = myModConfig(s); unsigned char dest[SSL_SESSION_MAX_DER]; @@ -1515,8 +1547,8 @@ Streamline and improve ephemeral key handling: apr_status_t rv; if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) { ---- modules/ssl/ssl_util.c.orig -+++ modules/ssl/ssl_util.c +--- httpd-2.4.6.orig/modules/ssl/ssl_util.c ++++ httpd-2.4.6/modules/ssl/ssl_util.c @@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe case EVP_PKEY_DSA: t = SSL_ALGO_DSA; @@ -1544,8 +1576,8 @@ Streamline and improve ephemeral key handling: static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; #else static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; ---- modules/ssl/ssl_util_ssl.c.orig -+++ modules/ssl/ssl_util_ssl.c +--- httpd-2.4.6.orig/modules/ssl/ssl_util_ssl.c ++++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c @@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t /* _________________________________________________________________