diff --git a/httpd-2.4.27-fixticketkeys.patch b/httpd-2.4.27-fixticketkeys.patch new file mode 100644 index 0000000..3769da9 --- /dev/null +++ b/httpd-2.4.27-fixticketkeys.patch 
@@ -0,0 +1,65 @@ +From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Tue, 22 Mar 2016 13:09:17 +0000 +Subject: [PATCH] mod_ssl: return non ambigous value in + ssl_callback_SessionTicket() for encryption mode (we used to return 0, + OpenSSL documents returning 1 instead). + +Practically this does not change anything since OpenSSL will only check for +>= 0 return value (non error) for encryption mode (the other possible return +values are only relevant for decryption mode). + +However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb() +states: +" +The return value of the cb function is used by OpenSSL to determine what +further processing will occur. The following return values have meaning: + +2 + This indicates that the ctx and hctx have been set and the session can + continue on those parameters. Additionally it indicates that the session + ticket is in a renewal period and should be replaced. The OpenSSL library + will call cb again with an enc argument of 1 to set the new ticket (see + RFC5077 3.3 paragraph 2). + +1 + This indicates that the ctx and hctx have been set and the session can + continue on those parameters. + +0 + This indicates that it was not possible to set/retrieve a session ticket + and the SSL/TLS session will continue by by negotiating a set of + cryptographic parameters or using the alternate SSL/TLS resumption + mechanism, session ids. + If called with enc equal to 0 the library will call the cb again to get a + new set of parameters. + +less than 0 + This indicates an error. +" + +So 0 is not appropriate in our code, 1 is what we really want (and it won't +break if OpenSSL later changes its checks on the callback return value). + +Reported by: oknet on github, pull request #18. 
+ + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/ssl/ssl_engine_kernel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index 91da94c4f58..91d5e926d66 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl, + "TLS session ticket key for %s successfully set, " + "creating new session ticket", sc->vhost_id); + +- return 0; ++ return 1; + } + else if (mode == 0) { + /* diff --git a/httpd.spec b/httpd.spec index 684d071..d0564d3 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.27 -Release: 7%{?dist} +Release: 8%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -71,6 +71,9 @@ Patch59: httpd-2.4.27-CVE-2017-9798.patch Patch60: httpd-2.4.27-r1808230.patch # Security fixes +# https://github.com/apache/httpd/commit/4171fbfcb249e63f934471054d7a0752272fb8ee +Patch61: httpd-2.4.27-fixticketkeys.patch + License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -218,6 +221,8 @@ interface for storing and accessing per-user session data. %patch59 -p4 -b .cve-2017-9798 %patch60 -p1 -b .r1808230 +%patch61 -p1 -b .ticketkeys + # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -696,6 +701,9 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue Oct 10 2017 Patrick Uiterwijk - 2.4.27-8 +- Backport patch for fixing ticket key usage + * Mon Oct 9 2017 Joe Orton - 2.4.27-7 - move httpd.service.d, httpd.socket.d dirs to -filesystem - add new content-length filter (upstream PR 61222)
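Review bot: Patch61 is listed directly under the `# Security fixes` comment, but the upstream commit it carries (4171fbfc) is a return-value correction in ssl_callback_SessionTicket with no CVE, and its own message says it "does not change anything" in practice against the OpenSSL it was written for, so that placement overstates it. Either move the two added lines up beside Patch60, above `# Security fixes`, or replace the bare URL comment with one that says what it is, e.g. `# mod_ssl: return 1 (not 0) from the ticket key callback in encrypt mode (upstream r1736186)`. The changelog line `Backport patch for fixing ticket key usage` also never says why a change upstream called a no-op now has to be backported; presumably a newer OpenSSL treats 0 from the callback in encrypt mode as "no ticket" and breaks SSLSessionTicketKeyFile-based resumption, but that cannot be confirmed from this diff and should be spelled out so the patch is not dropped as redundant at the next rebase. The `%patch61 -p1 -b .ticketkeys` strip level matches the `a/modules/ssl/...` paths inside the patch, so the apply step itself looks right.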