Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2018-11-06 15:34:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Tue Nov 6 15:34:28 2018 rev:151 rq:645904 version:2.4.37 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2018-10-29 14:56:51.245716852 +0100 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2018-11-06 15:34:39.335678254 +0100 @@ -1,0 +2,7 @@ +Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte <[email protected]> + +- the "event" MPM is fully supported since 2.4 +- configure an OCSP stapling cache by default (still requires enabling + SSLUseStapling in vhost) + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.wXf5Po/_old 2018-11-06 15:34:41.395675133 +0100 +++ /var/tmp/diff_new_pack.wXf5Po/_new 2018-11-06 15:34:41.399675127 +0100 @@ -264,8 +264,7 @@ process dies it will not affect other servers. %description event -The event MPM (multi-Processing Module) is experimental, so it may or -may not work as expected. +"event" MPM (multi-Processing Module) It uses a separate thread to handle Keep Alive requests and accepting connections. Keep Alive requests have traditionally required httpd to ++++++ apache2-ssl-global.conf ++++++ --- /var/tmp/diff_new_pack.wXf5Po/_old 2018-11-06 15:34:41.723674636 +0100 +++ /var/tmp/diff_new_pack.wXf5Po/_new 2018-11-06 15:34:41.723674636 +0100 
@@ -46,12 +46,27 @@ #SSLSessionCache dbm:/var/lib/apache2/ssl_scache #</IfModule> - <IfModule mod_socache_shmcb.c> + <IfModule mod_socache_shmcb.c> SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000) - </IfModule> + </IfModule> SSLSessionCacheTimeout 300 + # Configures the cache used to store OCSP responses which get included in + # the TLS handshake if SSLUseStapling is enabled. Configuration of a cache + # is mandatory for OCSP stapling. With the exception of none and nonenotnull, + # the same storage types are supported as with SSLSessionCache. + #<IfModule mod_socache_dbm.c> + #SSLStaplingCache dbm:/var/lib/apache2/ssl_stapling + #</IfModule> + + <IfModule mod_socache_shmcb.c> + SSLStaplingCache shmcb:/var/lib/apache2/ssl_stapling(64000) + </IfModule> + + SSLStaplingStandardCacheTimeout 86400 + SSLStaplingErrorCacheTimeout 300 + SSLStaplingReturnResponderErrors Off # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the 
@@ -72,13 +87,13 @@ # SSL protocols # Allow TLS version 1.2 only, which is a recommended default these days - # by international information security standards. + # by international information security standards. SSLProtocol TLSv1.2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA # SSLHonorCipherOrder # If SSLHonorCipherOrder is disabled, then the client's preferences ++++++ apache2-vhost-ssl.template ++++++ --- 
/var/tmp/diff_new_pack.wXf5Po/_old 2018-11-06 15:34:41.739674612 +0100 +++ /var/tmp/diff_new_pack.wXf5Po/_new 2018-11-06 15:34:41.743674606 +0100 @@ -35,6 +35,10 @@ # Enable/Disable SSL for this virtual host. SSLEngine on + # OCSP Stapling: + # Enable/Disable OCSP for this virtual host. + SSLUseStapling on + # You can use per vhost certificates if SNI is supported. SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key
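
Review bot: the changelog entry added to apache2.changes says stapling "still requires enabling SSLUseStapling in vhost", but the apache2-vhost-ssl.template hunk of this same commit adds "SSLUseStapling on", so a vhost created from the template has stapling enabled without further action. Suggest rewording the entry to say that the template now enables it and that only existing vhosts need the directive added by hand.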
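
Review bot: in the %description event hunk of apache2.spec, the replacement line '"event" MPM (multi-Processing Module)' is a bare fragment, and the text that follows opens with "It uses a separate thread", so the description no longer has a proper first sentence. Suggest folding the two together, for example "The event MPM (Multi-Processing Module) uses a separate thread to handle Keep Alive requests and accepting connections.", and capitalising "Multi-Processing" while the line is being touched.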
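
Review bot: in the @@ -46,12 +46,27 @@ hunk of apache2-ssl-global.conf, SSLStaplingCache is set only inside <IfModule mod_socache_shmcb.c>, while the added comment states that a cache is mandatory for OCSP stapling and the vhost template in this commit turns SSLUseStapling on; when mod_socache_shmcb is not loaded, nothing in this file defines a stapling cache. Suggest saying in the comment block which module must be loaded, or that the dbm variant has to be uncommented otherwise. The three directives added after the block (SSLStaplingStandardCacheTimeout 86400, SSLStaplingErrorCacheTimeout 300, SSLStaplingReturnResponderErrors Off) carry no comment; one line each on what the values mean would help administrators who need to tune them.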
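
Review bot: the @@ -72,13 +87,13 @@ hunk of apache2-ssl-global.conf removes and re-adds the "by international information security standards." comment line and the whole SSLCipherSuite line with no visible textual difference, which points to a whitespace-only edit. On a cipher string this long a reviewer cannot confirm by eye that no suite was added or dropped; suggest leaving these lines out of this change, or stating in apache2.changes that the edit is whitespace-only.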
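
Review bot: in the apache2-vhost-ssl.template hunk, the added comment reads "Enable/Disable OCSP for this virtual host", but the directive below it controls OCSP stapling, not OCSP as such. Suggest "Enable/Disable OCSP stapling for this virtual host" plus a pointer to the SSLStaplingCache setting in apache2-ssl-global.conf, since the comment added there says a cache is mandatory for stapling.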
