Author: matik Date: Wed Jan 6 18:06:39 2010 GMT Module: packages Tag: HEAD ---- Log message: - added patch 26 from: http://mail-archives.apache.org/mod_mbox/httpd-dev/200911.mbox/%[email protected]%3e - rel 13
---- Files affected: packages/apache: apache.spec (1.590 -> 1.591) , httpd-2.2.x-mod_ssl-sessioncaching.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/apache/apache.spec diff -u packages/apache/apache.spec:1.590 packages/apache/apache.spec:1.591 --- packages/apache/apache.spec:1.590 Tue Jan 5 11:01:25 2010 +++ packages/apache/apache.spec Wed Jan 6 19:06:33 2010 @@ -42,7 +42,7 @@ Summary(tr.UTF-8): Lider WWW tarayıcı Name: apache Version: 2.2.14 -Release: 12 +Release: 13 License: Apache v2.0 Group: Networking/Daemons/HTTP Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz @@ -98,6 +98,8 @@ Patch24: %{name}-bug-48094.patch # http://marc.info/?l=apache-httpd-dev&m=125712658610440&w=2 Patch25: %{name}-shutdown-sockets.patch +# http://scripts.mit.edu/trac/browser/trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch?rev=1348 +Patch26: httpd-2.2.x-mod_ssl-sessioncaching.patch URL: http://httpd.apache.org/ BuildRequires: apr-devel >= 1:1.2 BuildRequires: apr-util-devel >= 1:1.3 @@ -1755,6 +1757,7 @@ %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 # using system apr, apr-util and pcre rm -rf srclib/{apr,apr-util,pcre} @@ -2736,6 +2739,11 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.591 2010/01/06 18:06:33 matik +- added patch 26 from: + http://mail-archives.apache.org/mod_mbox/httpd-dev/200911.mbox/%[email protected]%3e +- rel 13 + Revision 1.590 2010/01/05 10:01:25 psz - More secure SSL Cipher Suite - SSL virtual hosting fixes ================================================================ Index: packages/apache/httpd-2.2.x-mod_ssl-sessioncaching.patch diff -u /dev/null packages/apache/httpd-2.2.x-mod_ssl-sessioncaching.patch:1.1 --- /dev/null Wed Jan 6 19:06:39 2010 +++ packages/apache/httpd-2.2.x-mod_ssl-sessioncaching.patch Wed Jan 6 19:06:33 2010 
@@ -0,0 +1,176 @@ +Index: httpd-2.2.x/modules/ssl/ssl_private.h +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_private.h (revision 833672) ++++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy) +@@ -395,6 +395,9 @@ typedef struct { + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) + const char *szCryptoDevice; + #endif ++#ifndef OPENSSL_NO_TLSEXT ++ ssl_enabled_t session_tickets_enabled; ++#endif + struct { + void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; + } rCtx; +@@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm + const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *); + const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg); + const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); ++const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag); + + const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); + const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); +Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 833672) ++++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) +@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions( + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); + ssl_die(); + } ++ ++ /* ++ * Session tickets (stateless resumption) ++ */ ++ if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Disabling TLS session ticket support"); ++ SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET); ++ } + } + #endif + +@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b + + BOOL conflict = FALSE; + ++#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0 ++ unsigned char *tlsext_tick_keys = NULL; ++ long 
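Review bot: The new `Session tickets (stateless resumption)` comment in ssl_init_ctx_tls_extensions names the feature but not the reason an operator would turn it off, which is the part that matters for security: a ticket is the session state encrypted under a key the server keeps, and this patch generates that key once at startup (the RAND_bytes call in the ssl_init_CheckServers hunk, for OpenSSL builds older than 0.9.8m) and never rotates it, so a later compromise of the process memory presumably lets recorded sessions be decrypted for the life of the key. I would extend the comment to: `/* Session tickets (stateless resumption). The ticket key is generated once per server start and never rotated, so tickets undermine forward secrecy for as long as the process lives; "SSLSessionTicketExtension off" disables them. */`. Note that SSL_OP_NO_TICKET is only set for an explicit off; with the directive unset OpenSSL's default applies, which on a ticket-capable build I believe means tickets stay on, so the comment should say the default is on unless the maintainers decide otherwise. The enclosing function starts before this hunk.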
tick_keys_len; ++#endif ++ + /* + * Give out warnings when a server has HTTPS configured + * for the HTTP port or vice versa +@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b + ssl_util_vhostid(p, s), + DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT); + } ++ ++#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0 ++ /* ++ * When using OpenSSL versions 0.9.8f through 0.9.8l, configure ++ * the same ticket encryption parameters for every SSL_CTX (workaround ++ * for SNI+SessionTicket extension interoperability issue in these versions) ++ */ ++ if ((sc->enabled == SSL_ENABLED_TRUE) || ++ (sc->enabled == SSL_ENABLED_OPTIONAL)) { ++ if (!tlsext_tick_keys) { ++ tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS, ++ (-1),(NULL)); ++ tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len); ++ RAND_bytes(tlsext_tick_keys, tick_keys_len); ++ } ++ SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS, ++ (tick_keys_len),(tlsext_tick_keys)); ++ } ++#endif + } + + /* +Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672) ++++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy) +@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) + mc->szCryptoDevice = NULL; + #endif ++#ifndef OPENSSL_NO_TLSEXT ++ mc->session_tickets_enabled = SSL_ENABLED_UNSET; ++#endif + + memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); + +@@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh + #endif + } + ++const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag) ++{ ++#ifndef OPENSSL_NO_TLSEXT ++ const char *err; ++ SSLModConfigRec *mc = myModConfig(cmd->server); ++ ++ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { ++ return err; ++ } ++ ++ mc->session_tickets_enabled = flag ? 
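Review bot: Both OpenSSL calls that produce the shared ticket key in the ssl_init_CheckServers hunk run unchecked: `tick_keys_len` from the SSL_CTRL_SET_TLSEXT_TICKET_KEYS length probe goes straight into apr_palloc and RAND_bytes even if it came back 0 or negative, and the RAND_bytes return value is discarded, so an unseeded or failing PRNG would leave the buffer holding whatever apr_palloc handed out and every vhost would then encrypt tickets under that garbage key without a single log line. I would fail startup on either condition, the same way the ssl_init_ctx_tls_extensions hunk already does with ssl_log_ssl_error/ssl_die, and also check the final set call, which in the OpenSSL releases I know returns 0 when it rejects the length. The loop that supplies `s` and `sc` starts before the hunk, and the `#endif` that closes the block follows the rewritten lines unchanged.
```c
            if ((sc->enabled == SSL_ENABLED_TRUE) ||
                (sc->enabled == SSL_ENABLED_OPTIONAL)) {
                if (!tlsext_tick_keys) {
                    tick_keys_len = SSL_CTX_ctrl(sc->server->ssl_ctx,
                                                 SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                                 -1, NULL);
                    if (tick_keys_len <= 0) {
                        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                                     "Unable to determine TLS session ticket key size");
                        ssl_die();
                    }
                    tlsext_tick_keys = apr_palloc(p, (apr_size_t)tick_keys_len);
                    /* RAND_bytes returns 1 only when the PRNG could supply the
                     * bytes; anything else would leave an uninitialised key */
                    if (RAND_bytes(tlsext_tick_keys, (int)tick_keys_len) != 1) {
                        ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
                        ssl_die();
                    }
                }
                if (SSL_CTX_ctrl(sc->server->ssl_ctx, SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                 tick_keys_len, tlsext_tick_keys) != 1) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
                    ssl_die();
                }
                /* … unchanged: closing brace and #endif … */
```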
SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; ++ ++ return NULL; ++#else ++ return "SSLSessionTicketExtension failed; OpenSSL is not built with support " ++ "for TLS extensions. Refer to the documentation, and build " ++ "a compatible version of OpenSSL."; ++#endif ++} ++ + void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) + { + if (!ap_exists_config_define("DUMP_CERTS")) { +Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672) ++++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) +@@ -29,6 +29,7 @@ + time I was too famous.'' + -- Unknown */ + #include "ssl_private.h" ++#include "util_md5.h" + + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); + #ifndef OPENSSL_NO_TLSEXT +@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna + apr_array_header_t *names; + int i; + SSLConnRec *sslcon; ++ char *sid_ctx; + + /* check ServerName */ + if (!strcasecmp(servername, s->server_hostname)) { +@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna + SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), + SSL_CTX_get_verify_callback(ssl->ctx)); + } ++ /* ++ * Adjust the session id context. ssl_init_ssl_connection() ++ * always picks the configuration of the first vhost when ++ * calling SSL_new(), but we want to tie the session to the ++ * vhost we have just switched to. Again, we have to make sure ++ * that we're not overwriting a session id context which was ++ * possibly set in ssl_hook_Access(), before triggering ++ * a renegotation. 
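Review bot: ssl_cmd_SSLSessionTicketExtension carries no comment, and its behaviour is not obvious from the registration alone: the flag is stored in the module-global SSLModConfigRec, ap_check_cmd_context(GLOBAL_ONLY) rejects it inside any VirtualHost, and the only consumer visible in this patch is the SSL_OP_NO_TICKET branch in ssl_init_ctx_tls_extensions, so one `off` silently applies to every SSL_CTX the server creates. I would put that above the function: `/* SSLSessionTicketExtension on|off: global switch (not per-vhost) kept in SSLModConfigRec; "off" makes ssl_init_ctx_tls_extensions set SSL_OP_NO_TICKET on every SSL_CTX. */`. The `#else` text is fine, but since the directive is enforced as global the help string registered in mod_ssl.c should also say so, otherwise an operator who puts it in a vhost only learns that from the config-test error.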
++ */ ++ if (!SSL_num_renegotiations(ssl)) { ++ sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id, ++ sc->vhost_id_len); ++ SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx, ++ APR_MD5_DIGESTSIZE*2); ++ } + + /* + * Save the found server into our SSLConnRec for later +Index: httpd-2.2.x/modules/ssl/mod_ssl.c +=================================================================== +--- httpd-2.2.x/modules/ssl/mod_ssl.c (revision 833672) ++++ httpd-2.2.x/modules/ssl/mod_ssl.c (working copy) +@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds + SSL_CMD_SRV(RandomSeed, TAKE23, + "SSL Pseudo Random Number Generator (PRNG) seeding source " + "(`startup|connect builtin|file:/path|exec:/path [bytes]')") ++ SSL_CMD_SRV(SessionTicketExtension, FLAG, ++ "TLS Session Ticket extension support") + + /* + * Per-server context configuration directives ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/apache/apache.spec?r1=1.590&r2=1.591&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
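Review bot: The SSL_set_session_id_context call added to ssl_find_vhost passes the bare expression `APR_MD5_DIGESTSIZE*2` and ignores the return value, and nothing says why that length is safe: ap_md5_binary yields a 32-character hex digest, which as far as I recall is exactly OpenSSL's SSL_MAX_SID_CTX_LENGTH, the bound beyond which the call fails and leaves the old (first-vhost) context in place. That old context is precisely what this hunk exists to replace, so a silent failure would quietly re-enable resuming a session established under one vhost against another with a different client-verification policy; I would at least document the bound, e.g. `/* hex MD5 of the vhost id is 32 bytes, the largest context OpenSSL accepts (SSL_MAX_SID_CTX_LENGTH) */`, and log through ssl_log_ssl_error if the call returns 0. I cannot confirm from this hunk that the ssl_hook_Access context it is careful not to clobber uses the same encoding, so that is worth a glance. ssl_find_vhost's body continues after the hunk.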
