- added patch 26 from:
authormatik <matik@pld-linux.org>
Wed, 6 Jan 2010 18:06:33 +0000 (18:06 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
  http://mail-archives.apache.org/mod_mbox/httpd-dev/200911.mbox/%3C4AF58A80.5080101@velox.ch%3E
- rel 13

Changed files:
    apache.spec -> 1.591
    httpd-2.2.x-mod_ssl-sessioncaching.patch -> 1.1

apache.spec
httpd-2.2.x-mod_ssl-sessioncaching.patch [new file with mode: 0644]

index 54c91ccec775fb6446bc07e103db6f3305405ab6..7d1a1856988722b6912a116047dcb0b7002bb503 100644 (file)
@@ -41,7 +41,7 @@ Summary(ru.UTF-8):    Самый популярный веб-сервер
 Summary(tr.UTF-8):     Lider WWW tarayıcı
 Name:          apache
 Version:       2.2.14
-Release:       12
+Release:       13
 License:       Apache v2.0
 Group:         Networking/Daemons/HTTP
 Source0:       http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
@@ -97,6 +97,8 @@ Patch23:      %{name}-suexec_fcgi.patch
 Patch24:       %{name}-bug-48094.patch
 # http://marc.info/?l=apache-httpd-dev&m=125712658610440&w=2
 Patch25:       %{name}-shutdown-sockets.patch
+# http://scripts.mit.edu/trac/browser/trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch?rev=1348
+Patch26:       httpd-2.2.x-mod_ssl-sessioncaching.patch
 URL:           http://httpd.apache.org/
 BuildRequires: apr-devel >= 1:1.2
 BuildRequires: apr-util-devel >= 1:1.3
@@ -1754,6 +1756,7 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env.
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
 
 # using system apr, apr-util and pcre
 rm -rf srclib/{apr,apr-util,pcre}
diff --git a/httpd-2.2.x-mod_ssl-sessioncaching.patch b/httpd-2.2.x-mod_ssl-sessioncaching.patch
new file mode 100644 (file)
index 0000000..142af62
--- /dev/null
@@ -0,0 +1,176 @@
+Index: httpd-2.2.x/modules/ssl/ssl_private.h
+===================================================================
+--- httpd-2.2.x/modules/ssl/ssl_private.h      (revision 833672)
++++ httpd-2.2.x/modules/ssl/ssl_private.h      (working copy)
+@@ -395,6 +395,9 @@ typedef struct {
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+     const char     *szCryptoDevice;
+ #endif
++#ifndef OPENSSL_NO_TLSEXT
++    ssl_enabled_t  session_tickets_enabled;
++#endif
+     struct {
+         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+     } rCtx;
+@@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
+ const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
++const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
+ const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
+ const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
+Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
+===================================================================
+--- httpd-2.2.x/modules/ssl/ssl_engine_init.c  (revision 833672)
++++ httpd-2.2.x/modules/ssl/ssl_engine_init.c  (working copy)
+@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
+         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+         ssl_die();
+     }
++
++    /*
++     * Session tickets (stateless resumption)
++     */
++    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++                     "Disabling TLS session ticket support");
++        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
++    }
+ }
+ #endif
+@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
+     BOOL conflict = FALSE;
++#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
++    unsigned char *tlsext_tick_keys = NULL;
++    long tick_keys_len;
++#endif
++
+     /*
+      * Give out warnings when a server has HTTPS configured
+      * for the HTTP port or vice versa
+@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
+                          ssl_util_vhostid(p, s),
+                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
+         }
++
++#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
++        /*
++         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
++         * the same ticket encryption parameters for every SSL_CTX (workaround
++         * for SNI+SessionTicket extension interoperability issue in these versions)
++         */
++        if ((sc->enabled == SSL_ENABLED_TRUE) ||
++            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
++            if (!tlsext_tick_keys) {
++                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
++                                                               (-1),(NULL));
++                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
++                RAND_bytes(tlsext_tick_keys, tick_keys_len);
++            }
++            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
++                                           (tick_keys_len),(tlsext_tick_keys));
++        }
++#endif
+     }
+     /*
+Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
+===================================================================
+--- httpd-2.2.x/modules/ssl/ssl_engine_config.c        (revision 833672)
++++ httpd-2.2.x/modules/ssl/ssl_engine_config.c        (working copy)
+@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+     mc->szCryptoDevice         = NULL;
+ #endif
++#ifndef OPENSSL_NO_TLSEXT
++    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
++#endif
+     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
+@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
+ #endif
+ }
++const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
++{
++#ifndef OPENSSL_NO_TLSEXT
++    const char *err;
++    SSLModConfigRec *mc = myModConfig(cmd->server);
++
++    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
++        return err;
++    }
++
++    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
++
++    return NULL;
++#else
++    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
++           "for TLS extensions. Refer to the documentation, and build "
++           "a compatible version of OpenSSL.";
++#endif
++}
++
+ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
+ {
+     if (!ap_exists_config_define("DUMP_CERTS")) {
+Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
+===================================================================
+--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c        (revision 833672)
++++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c        (working copy)
+@@ -29,6 +29,7 @@
+                                   time I was too famous.''
+                                             -- Unknown                */
+ #include "ssl_private.h"
++#include "util_md5.h"
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+ #ifndef OPENSSL_NO_TLSEXT
+@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
+     apr_array_header_t *names;
+     int i;
+     SSLConnRec *sslcon;
++    char *sid_ctx;
+     /* check ServerName */
+     if (!strcasecmp(servername, s->server_hostname)) {
+@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
+             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
+                            SSL_CTX_get_verify_callback(ssl->ctx));
+         }
++        /*
++         * Adjust the session id context. ssl_init_ssl_connection()
++         * always picks the configuration of the first vhost when
++         * calling SSL_new(), but we want to tie the session to the
++         * vhost we have just switched to. Again, we have to make sure
++         * that we're not overwriting a session id context which was
++         * possibly set in ssl_hook_Access(), before triggering
++         * a renegotation.
++         */
++        if (!SSL_num_renegotiations(ssl)) {
++            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
++                                    sc->vhost_id_len);
++            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
++                                       APR_MD5_DIGESTSIZE*2);
++        }
+         /*
+          * Save the found server into our SSLConnRec for later
+Index: httpd-2.2.x/modules/ssl/mod_ssl.c
+===================================================================
+--- httpd-2.2.x/modules/ssl/mod_ssl.c  (revision 833672)
++++ httpd-2.2.x/modules/ssl/mod_ssl.c  (working copy)
+@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
+     SSL_CMD_SRV(RandomSeed, TAKE23,
+                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
+                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
++    SSL_CMD_SRV(SessionTicketExtension, FLAG,
++                "TLS Session Ticket extension support")
+     /*
+      * Per-server context configuration directives
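Review bot: The result of `RAND_bytes(tlsext_tick_keys, tick_keys_len);` in the ssl_engine_init.c hunk is never checked, so if the call fails (an unseeded or unsupported PRNG returns 0/-1) the buffer keeps whatever apr_palloc() returned and that content is then installed as the ticket encryption/MAC keys on every SSL_CTX via SSL_CTRL_SET_TLSEXT_TICKET_KEYS; the length from the preceding `SSL_CTX_ctrl(..., SSL_CTRL_SET_TLSEXT_TICKET_KEYS, (-1), (NULL))` query is likewise used as an allocation size without rejecting a non-positive return. Both should abort startup the way the tls-extension setup earlier in the same file already does with ssl_log_ssl_error() and ssl_die(). The enclosing ssl_init_CheckServers() starts and ends outside the hunk. As a minor style point, the ssl_private.h prototype names the second parameter `cdfg` while the definition in ssl_engine_config.c uses `dcfg`; aligning it to `dcfg` avoids confusion.
```c
            if (!tlsext_tick_keys) {
                tick_keys_len = SSL_CTX_ctrl(sc->server->ssl_ctx,
                                             SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                             -1, NULL);
                if (tick_keys_len <= 0) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                 "Unable to determine TLS session ticket key size");
                    ssl_die();
                }
                tlsext_tick_keys = apr_palloc(p, tick_keys_len);
                if (RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                 "Unable to generate TLS session ticket keys");
                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
            }
            /* … unchanged: SSL_CTX_ctrl(..., SSL_CTRL_SET_TLSEXT_TICKET_KEYS, tick_keys_len, tlsext_tick_keys) … */
```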