rpms/httpd/devel httpd-2.0.54-ssltrans.patch, NONE, 1.1 httpd-2.0.48-sslheader.patch, 1.5, 1.6 httpd.spec, 1.62, 1.63 ssl.conf, 1.7, 1.8 mod_ssl-Makefile.crl, 1.1, NONE mod_ssl-Makefile.crt, 1.1, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 25 21:35:11 UTC 2005
Author: jorton
Update of /cvs/dist/rpms/httpd/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9563
Modified Files:
httpd-2.0.48-sslheader.patch httpd.spec ssl.conf
Added Files:
httpd-2.0.54-ssltrans.patch
Removed Files:
mod_ssl-Makefile.crl mod_ssl-Makefile.crt
Log Message:
* Mon Apr 25 2005 Joe Orton <jorton at redhat.com> 2.0.54-5
- create default dummy cert in /etc/pki/tls
- use a pseudo-random serial number on the dummy cert
- change default ssl.conf to point at /etc/pki/tls
- merge back -suexec subpackage; SELinux policy can now be
used to persistently disable suexec (#155716)
- drop /etc/httpd/conf/ssl.* directories and Makefiles
- unconditionally enable PIE support
- mod_ssl: fix for picking up -shutdown options (upstream #34452)
httpd-2.0.54-ssltrans.patch:
mod_ssl.c | 7 ++++-
ssl_engine_kernel.c | 62 +++++++++++++++++++++-------------------------------
2 files changed, 31 insertions(+), 38 deletions(-)
--- NEW FILE httpd-2.0.54-ssltrans.patch ---
http://svn.apache.org/viewcvs?view=rev&rev=161958
PR: 34452
--- httpd-2.0.54/modules/ssl/ssl_engine_kernel.c.ssltrans
+++ httpd-2.0.54/modules/ssl/ssl_engine_kernel.c
@@ -30,6 +30,8 @@
-- Unknown */
#include "ssl_private.h"
+static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+
/*
* Post Read Request Handler
*/
@@ -81,8 +83,31 @@
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
- if ((ssl = sslconn->ssl)) {
+ ssl = sslconn->ssl;
+ if (!ssl) {
+ return DECLINED;
+ }
SSL_set_app_data2(ssl, r);
+
+ /*
+ * Log information about incoming HTTPS requests
+ */
+ if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
+ "%s HTTPS request received for child %ld (server %s)",
+ (r->connection->keepalives <= 0 ?
+ "Initial (No.1)" :
+ apr_psprintf(r->pool, "Subsequent (No.%d)",
+ r->connection->keepalives+1)),
+ r->connection->id,
+ ssl_util_vhostid(r->pool, r->server));
+ }
+
+ /* SetEnvIf ssl-*-shutdown flags can only be per-server,
+ * so they won't change across keepalive requests
+ */
+ if (sslconn->shutdown_type == SSL_SHUTDOWN_TYPE_UNSET) {
+ ssl_configure_env(r, sslconn);
}
return DECLINED;
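Review bot: ssl_hook_ReadReq's header comment should now say that it also performs the per-request HTTPS logging and the SetEnvIf-driven ssl-*-shutdown evaluation that ssl_hook_Translate used to do, and that it therefore has to run after mod_setenvif's post_read_request hook — that ordering is only expressed in mod_ssl.c, so a reader of this file has no hint of it. A comment above the function along the lines of `Also performs the HTTPS request logging and the ssl-*-shutdown env evaluation formerly done in the translate hook; must run after mod_setenvif's post_read_request hook so BrowserMatch results are visible.` keeps the two files in step. The hunk also dereferences sslconn without a visible NULL check; presumably the function tests it before the hunk starts, which is worth confirming since the deleted translate hook did test `sslconn && sslconn->ssl`. ssl_hook_ReadReq begins before this hunk.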
@@ -126,41 +151,6 @@
}
/*
- * URL Translation Handler
- */
-int ssl_hook_Translate(request_rec *r)
-{
- SSLConnRec *sslconn = myConnConfig(r->connection);
-
- if (!(sslconn && sslconn->ssl)) {
- return DECLINED;
- }
-
- /*
- * Log information about incoming HTTPS requests
- */
- if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
- "%s HTTPS request received for child %ld (server %s)",
- (r->connection->keepalives <= 0 ?
- "Initial (No.1)" :
- apr_psprintf(r->pool, "Subsequent (No.%d)",
- r->connection->keepalives+1)),
- r->connection->id,
- ssl_util_vhostid(r->pool, r->server));
- }
-
- /* SetEnvIf ssl-*-shutdown flags can only be per-server,
- * so they won't change across keepalive requests
- */
- if (sslconn->shutdown_type == SSL_SHUTDOWN_TYPE_UNSET) {
- ssl_configure_env(r, sslconn);
- }
-
- return DECLINED;
-}
-
-/*
* Access Handler
*/
int ssl_hook_Access(request_rec *r)
--- httpd-2.0.54/modules/ssl/mod_ssl.c.ssltrans
+++ httpd-2.0.54/modules/ssl/mod_ssl.c
@@ -391,6 +391,10 @@
static void ssl_register_hooks(apr_pool_t *p)
{
+ /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
+ * run after mod_setenvif's post_read_request hook. */
+ static const char *pre_prr[] = { "mod_setenvif.c", NULL };
+
ssl_io_filter_register(p);
ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
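Review bot: `pre_prr` is never written, so it can be declared as an array of const pointers as well, `static const char * const pre_prr[] = { "mod_setenvif.c", NULL };` — this still converts to the `const char * const *` the hook registration takes and documents the intent. The comment above it explains the ordering well; I would add that the predecessor list is only a sort constraint, so (as far as I recall APR hook sorting) ssl_hook_ReadReq still runs when mod_setenvif is not loaded, in which case there are simply no BrowserMatch-derived ssl-*-shutdown variables to pick up. ssl_register_hooks continues past the end of the hunk.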
@@ -400,12 +404,11 @@
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST);
ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
ssl_var_register();
httpd-2.0.48-sslheader.patch:
Makefile.in | 2
modules/proxy/mod_proxy.c | 4
modules/ssl/config.m4 | 2
modules/ssl/mod_ssl.c | 1
modules/ssl/mod_ssl.dsp | 4
modules/ssl/mod_ssl.h | 663 -----------------------------------
modules/ssl/ssl_engine_config.c | 2
modules/ssl/ssl_engine_dh.c | 2
modules/ssl/ssl_engine_init.c | 2
modules/ssl/ssl_engine_io.c | 2
modules/ssl/ssl_engine_kernel.c | 2
modules/ssl/ssl_engine_log.c | 2
modules/ssl/ssl_engine_mutex.c | 2
modules/ssl/ssl_engine_pphrase.c | 2
modules/ssl/ssl_engine_rand.c | 2
modules/ssl/ssl_engine_vars.c | 1
modules/ssl/ssl_expr.c | 2
modules/ssl/ssl_expr_eval.c | 2
modules/ssl/ssl_expr_parse.c | 2
modules/ssl/ssl_expr_parse.y | 2
modules/ssl/ssl_expr_scan.c | 2
modules/ssl/ssl_expr_scan.l | 2
modules/ssl/ssl_private.h | 730 +++++++++++++++++++++++++++++++++++++++
modules/ssl/ssl_scache.c | 2
modules/ssl/ssl_scache_dbm.c | 2
modules/ssl/ssl_scache_dc.c | 2
modules/ssl/ssl_scache_shmcb.c | 2
modules/ssl/ssl_util.c | 2
modules/ssl/ssl_util_ssl.c | 2
29 files changed, 763 insertions(+), 686 deletions(-)
Index: httpd-2.0.48-sslheader.patch
===================================================================
RCS file: /cvs/dist/rpms/httpd/devel/httpd-2.0.48-sslheader.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- httpd-2.0.48-sslheader.patch 13 Oct 2004 16:35:07 -0000 1.5
+++ httpd-2.0.48-sslheader.patch 25 Apr 2005 21:35:08 -0000 1.6
@@ -285,7 +285,7 @@
**
--- /dev/null 2003-09-15 14:40:47.000000000 +0100
+++ httpd-2.0.51/modules/ssl/ssl_private.h 2004-09-15 16:30:50.000000000 +0100
-@@ -0,0 +1,731 @@
+@@ -0,0 +1,730 @@
+/* _ _
+** _ __ ___ ___ __| | ___ ___| | mod_ssl
+** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
@@ -890,7 +890,6 @@
+apr_status_t ssl_init_ModuleKill(void *data);
+
+/* Apache API hooks */
-+int ssl_hook_Translate(request_rec *);
+int ssl_hook_Auth(request_rec *);
+int ssl_hook_UserCheck(request_rec *);
+int ssl_hook_Access(request_rec *);
Index: httpd.spec
===================================================================
RCS file: /cvs/dist/rpms/httpd/devel/httpd.spec,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- httpd.spec 18 Apr 2005 10:41:27 -0000 1.62
+++ httpd.spec 25 Apr 2005 21:35:08 -0000 1.63
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.54
-Release: 4
+Release: 5
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -21,8 +21,6 @@
Source11: ssl.conf
Source12: welcome.conf
Source13: manual.conf
-Source14: mod_ssl-Makefile.crt
-Source15: mod_ssl-Makefile.crl
# Documentation
Source30: migration.xml
Source31: migration.css
@@ -49,6 +47,7 @@
Patch28: httpd-2.0.48-worker.patch
Patch29: httpd-2.0.48-workerhup.patch
Patch30: httpd-2.0.48-davmisc.patch
+Patch31: httpd-2.0.54-ssltrans.patch
# Features/functional changes
Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch
@@ -75,7 +74,7 @@
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
BuildRequires: zlib-devel
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
-Requires: httpd-suexec
+Obsoletes: httpd-suexec
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
Prereq: sh-utils, textutils, /usr/sbin/useradd
Provides: webserver
@@ -120,7 +119,7 @@
Summary: SSL/TLS module for the Apache HTTP server
Epoch: 1
BuildRequires: openssl-devel, distcache-devel
-Prereq: openssl, dev, /bin/cat
+Requires(pre): openssl >= 0.9.7f-4, dev, /bin/cat
Requires: httpd = %{version}-%{release}, make, httpd-mmn = %{mmn}
Obsoletes: stronghold-mod_ssl
@@ -129,22 +128,13 @@
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.
-%package suexec
-Group: System Environment/Daemons
-Summary: suexec binary for the Apache HTTP server
-Requires(pre): httpd = %{version}-%{release}
-
-%description suexec
-This package includes the /usr/sbin/suexec binary which can be installed
-to allow the Apache HTTP server to run CGI programs (and any programs
-executed by SSI pages) as a user other than the 'apache' user.
-
%prep
%setup -q
%patch1 -p1 -b .apctl
%patch2 -p1 -b .apxs
%patch3 -p1 -b .linkmods
%patch4 -p1 -b .deplibs
+%patch5 -p1 -b .pie
%patch6 -p1 -b .syspcre
%patch8 -p1 -b .vpathinc
%patch9 -p1 -b .apctlopts
@@ -161,6 +151,7 @@
%patch28 -p1 -b .worker
%patch29 -p1 -b .workerhup
%patch30 -p1 -b .davmisc
+%patch31 -p1 -b .ssltrans
%patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod
@@ -194,15 +185,6 @@
exit 1
fi
-# Conditionally enable PIE support
-if echo 'static int foo[30000]; int main () { return 0; }' |
- gcc -pie -fpie -O2 -xc - -o pietest &&
- ./pietest; then
-%patch5 -p1 -b .pie
- : PIE support enabled
-else
- : WARNING: PIE support not enabled
-fi
: Building for '%{distro}' with MMN %{mmn} and vendor string '%{vstring}'
@@ -310,16 +292,7 @@
install -m 644 $RPM_SOURCE_DIR/httpd.sysconf \
$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/httpd
-# mod_ssl bits
-for suffix in crl crt csr key prm; do
- mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/ssl.${suffix}
-done
-
# Makefiles for certificate management
-for ext in crt crl; do
- install -m 644 $RPM_SOURCE_DIR/mod_ssl-Makefile.${ext} \
- $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/ssl.${ext}/Makefile.${ext}
-done
ln -s ../../../usr/share/ssl/certs/Makefile $RPM_BUILD_ROOT/etc/httpd/conf
# for holding mod_dav lock database
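Review bot: The `ln -s ../../../usr/share/ssl/certs/Makefile $RPM_BUILD_ROOT/etc/httpd/conf` line kept at the end of this hunk still installs %{_sysconfdir}/httpd/conf/Makefile, but the `%config %{_sysconfdir}/httpd/conf/Makefile` entry is dropped from the mod_ssl file list further down (the @@ -552,9 +530,6 @@ hunk), so the symlink becomes an installed-but-unpackaged file — rpmbuild will most likely reject the build, and if the check is off the link is left unowned on disk. With the ssl.* directories and their Makefiles gone and the certificates moved under /etc/pki, the symlink looks obsolete; I would drop the `ln -s` line together with the now-orphaned `# Makefiles for certificate management` comment above it, or re-add the %files entry if the link is still wanted.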
@@ -445,11 +418,14 @@
/sbin/chkconfig --del httpd
fi
+%define certdir %{_sysconfdir}/pki/ssl/certs
+%define keydir %{_sysconfdir}/pki/ssl/private
+
%post -n mod_ssl
umask 077
-if [ ! -f %{_sysconfdir}/httpd/conf/ssl.key/server.key ] ; then
-%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{_sysconfdir}/httpd/conf/ssl.key/server.key 2> /dev/null
+if [ ! -f %{keydir}/localhost.key ] ; then
+%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{keydir}/localhost.key 2> /dev/null
fi
FQDN=`hostname`
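Review bot: `%define certdir %{_sysconfdir}/pki/ssl/certs` and `%define keydir %{_sysconfdir}/pki/ssl/private` put the generated dummy key and certificate under /etc/pki/ssl, but the ssl.conf shipped in this same commit points SSLCertificateFile and SSLCertificateKeyFile at /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key, and the changelog entry also says /etc/pki/tls. As written, a fresh install generates the files in one tree and httpd looks for them in the other, so mod_ssl fails to start until the admin fixes one side; the same defines are used by the next hunk (@@ -457,8 +433,10 @@). Change both to `%define certdir %{_sysconfdir}/pki/tls/certs` and `%define keydir %{_sysconfdir}/pki/tls/private`, assuming the openssl version pinned by `Requires(pre): openssl >= 0.9.7f-4` is the one that creates those directories — worth confirming, because the `genrsa ... > %{keydir}/localhost.key` redirect silently produces no key if %{keydir} does not exist.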
@@ -457,8 +433,10 @@
FQDN=localhost.localdomain
fi
-if [ ! -f %{_sysconfdir}/httpd/conf/ssl.crt/server.crt ] ; then
-cat << EOF | %{_bindir}/openssl req -new -key %{_sysconfdir}/httpd/conf/ssl.key/server.key -x509 -days 365 -out %{_sysconfdir}/httpd/conf/ssl.crt/server.crt 2>/dev/null
+if [ ! -f %{certdir}/localhost.crt ] ; then
+cat << EOF | %{_bindir}/openssl req -new -key %{keydir}/localhost.key \
+ -x509 -days 365 -set_serial $RANDOM \
+ -out %{certdir}/localhost.crt 2>/dev/null
--
SomeState
SomeCity
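Review bot: `-set_serial $RANDOM` yields a 15-bit value, so a serial of 0 is possible and two dummy certificates regenerated on the same host collide with probability about 1/32768; RFC 3280 requires the serial to be a positive integer, and some browsers of the era keyed their certificate cache on issuer plus serial and refused a reissued certificate with a reused serial, which would defeat the point of the change. A wider, non-zero value avoids both, e.g. `-set_serial $(( (RANDOM << 15 | RANDOM) + 1 ))`; `$RANDOM` and `$(( ))` are bash/ksh extensions, which is fine while %post runs under bash but is worth a comment. This hunk continues the %post script begun in the previous hunk.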
@@ -517,6 +495,7 @@
%{_sbindir}/httpd.worker
%{_sbindir}/apachectl
%{_sbindir}/rotatelogs
+%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec
%dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules
@@ -541,7 +520,6 @@
%{_mandir}/man?/*
%exclude %{_mandir}/man8/apxs.8*
-%exclude %{_mandir}/man8/suexec.8*
%files manual
%defattr(-,root,root)
@@ -552,9 +530,6 @@
%defattr(-,root,root)
%{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
-%attr(0700,root,root) %dir %{_sysconfdir}/httpd/conf/ssl.*
-%config %{_sysconfdir}/httpd/conf/Makefile
-%config %{_sysconfdir}/httpd/conf/ssl.*/*
%attr(0700,apache,root) %dir %{_localstatedir}/cache/mod_ssl
%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.dir
%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.pag
@@ -571,12 +546,17 @@
%{_libdir}/httpd/build/instdso.sh
%{_libdir}/httpd/build/libtool
-%files suexec
-%defattr(-,root,root)
-%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec
-%{_mandir}/man8/suexec.8*
-
%changelog
+* Mon Apr 25 2005 Joe Orton <jorton at redhat.com> 2.0.54-5
+- create default dummy cert in /etc/pki/tls
+- use a pseudo-random serial number on the dummy cert
+- change default ssl.conf to point at /etc/pki/tls
+- merge back -suexec subpackage; SELinux policy can now be
+ used to persistently disable suexec (#155716)
+- drop /etc/httpd/conf/ssl.* directories and Makefiles
+- unconditionally enable PIE support
+- mod_ssl: fix for picking up -shutdown options (upstream #34452)
+
* Mon Apr 18 2005 Joe Orton <jorton at redhat.com> 2.0.54-4
- replace PreReq with Requires(pre)
Index: ssl.conf
===================================================================
RCS file: /cvs/dist/rpms/httpd/devel/ssl.conf,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ssl.conf 18 Nov 2004 11:59:52 -0000 1.7
+++ ssl.conf 25 Apr 2005 21:35:08 -0000 1.8
@@ -107,21 +107,16 @@
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time. Keep in mind that if you've both a RSA and a DSA
-# certificate you can configure both in parallel (to also allow
-# the use of DSA ciphers, etc.)
-SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
-#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
-#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
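Review bot: The new comment tells the admin to create a certificate with genkey(1), but nothing in the spec changes in this commit adds a dependency on, or names, the package that provides genkey (crypto-utils, I believe), so on a minimal install the documented command may not be present. Either name the package in the comment, e.g. `# certificate can be generated using the genkey(1) command (from the crypto-utils package).`, or add the dependency to the mod_ssl subpackage; the comment should also make clear that the packaged localhost.crt is a self-signed placeholder generated at install time, since that is what %post produces.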
@@ -130,27 +125,13 @@
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
-#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
-# Note: Inside SSLCACertificatePath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCACertificatePath /etc/httpd/conf/ssl.crt
-#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
-
-# Certificate Revocation Lists (CRL):
-# Set the CA revocation path where to find CA CRLs for client
-# authentication or alternatively one huge file containing all
-# of them (file must be PEM encoded)
-# Note: Inside SSLCARevocationPath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCARevocationPath /etc/httpd/conf/ssl.crl
-#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
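Review bot: This hunk drops every mention of SSLCARevocationPath and SSLCARevocationFile from the example config even though mod_ssl still supports CRL checking, so an admin who turns on client-certificate verification with the SSLVerifyClient block just below no longer sees how to point at a revocation list. Keeping one commented example at the new location (a constructed example path) such as `#SSLCARevocationFile /etc/pki/tls/certs/ca-bundle.crl` preserves the hint without reintroducing the Makefile and hash-symlink text that is rightly removed.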
@@ -202,7 +183,7 @@
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
--- mod_ssl-Makefile.crl DELETED ---
--- mod_ssl-Makefile.crt DELETED ---