diff --git a/.gitignore b/.gitignore
index c3f5396..4e0c552 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ x86_64
/httpd-2.4.2.tar.bz2
/httpd-2.4.3.tar.bz2
/httpd-2.4.4.tar.bz2
+/httpd-2.4.6.tar.bz2
diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch
deleted file mode 100644
index af5d2ab..0000000
--- a/httpd-2.4.2-r1374214+.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-# ./pullrev.sh 1374214 1375445
-
-http://svn.apache.org/viewvc?view=revision&revision=1374214
-http://svn.apache.org/viewvc?view=revision&revision=1375445
-
---- httpd-2.4.2/modules/ssl/ssl_engine_init.c
-+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
-@@ -1381,7 +1381,7 @@
- for (n = 0; n < ncerts; n++) {
- X509_INFO *inf = sk_X509_INFO_value(sk, n);
-
-- if (!inf->x509 || !inf->x_pkey) {
-+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
- sk_X509_INFO_free(sk);
- ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
- "incomplete client cert configured for SSL proxy "
-@@ -1389,6 +1389,15 @@
- ssl_die(s);
- return;
- }
-+
-+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
-+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
-+ APLOGNO(02326) "proxy client certificate and "
-+ "private key do not match");
-+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
-+ ssl_die(s);
-+ return;
-+ }
- }
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
-@@ -1401,7 +1410,11 @@
- return;
- }
-
-- /* Load all of the CA certs and construct a chain */
-+ /* If SSLProxyMachineCertificateChainFile is configured, load all
-+ * the CA certs and have OpenSSL attempt to construct a full chain
-+ * from each configured end-entity cert up to a root. This will
-+ * allow selection of the correct cert given a list of root CA
-+ * names in the certificate request from the server. */
- pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
- sctx = X509_STORE_CTX_new();
-
diff --git a/httpd-2.4.4-aarch64.patch b/httpd-2.4.4-aarch64.patch
deleted file mode 100644
index 3b2e72c..0000000
--- a/httpd-2.4.4-aarch64.patch
+++ /dev/null
@@ -1,486 +0,0 @@
-diff -urN httpd-2.4.4/build/config.guess httpd-2.4.4-aarch64/build/config.guess
---- httpd-2.4.4/build/config.guess 2013-02-18 14:28:21.000000000 -0600
-+++ httpd-2.4.4-aarch64/build/config.guess 2013-03-03 05:26:09.407150467 -0600
-@@ -2,9 +2,9 @@
- # Attempt to guess a canonical system name.
- # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
- # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
--# 2011 Free Software Foundation, Inc.
-+# 2011, 2012 Free Software Foundation, Inc.
-
--timestamp='2011-05-11'
-+timestamp='2012-09-25'
-
- # This file is free software; you can redistribute it and/or modify it
- # under the terms of the GNU General Public License as published by
-@@ -17,9 +17,7 @@
- # General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
--# along with this program; if not, write to the Free Software
--# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
--# 02110-1301, USA.
-+# along with this program; if not, see .
- #
- # As a special exception to the GNU General Public License, if you
- # distribute this file as part of a program that contains a
-@@ -57,8 +55,8 @@
-
- Originally written by Per Bothner.
- Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
--2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
--Software Foundation, Inc.
-+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
-+Free Software Foundation, Inc.
-
- This is free software; see the source for copying conditions. There is NO
- warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-@@ -145,7 +143,7 @@
- case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
- *:NetBSD:*:*)
- # NetBSD (nbsd) targets should (where applicable) match one or
-- # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
-+ # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
- # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
- # switched to ELF, *-*-netbsd* would select the old
- # object file format. This provides both forward
-@@ -202,6 +200,10 @@
- # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
- echo "${machine}-${os}${release}"
- exit ;;
-+ *:Bitrig:*:*)
-+ UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
-+ echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
-+ exit ;;
- *:OpenBSD:*:*)
- UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
- echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
-@@ -304,7 +306,7 @@
- arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
- echo arm-acorn-riscix${UNAME_RELEASE}
- exit ;;
-- arm:riscos:*:*|arm:RISCOS:*:*)
-+ arm*:riscos:*:*|arm*:RISCOS:*:*)
- echo arm-unknown-riscos
- exit ;;
- SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
-@@ -792,21 +794,26 @@
- echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
- exit ;;
- *:FreeBSD:*:*)
-- case ${UNAME_MACHINE} in
-- pc98)
-- echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-+ UNAME_PROCESSOR=`/usr/bin/uname -p`
-+ case ${UNAME_PROCESSOR} in
- amd64)
- echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
- *)
-- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-+ echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
- esac
- exit ;;
- i*:CYGWIN*:*)
- echo ${UNAME_MACHINE}-pc-cygwin
- exit ;;
-+ *:MINGW64*:*)
-+ echo ${UNAME_MACHINE}-pc-mingw64
-+ exit ;;
- *:MINGW*:*)
- echo ${UNAME_MACHINE}-pc-mingw32
- exit ;;
-+ i*:MSYS*:*)
-+ echo ${UNAME_MACHINE}-pc-msys
-+ exit ;;
- i*:windows32*:*)
- # uname -m includes "-pc" on this system.
- echo ${UNAME_MACHINE}-mingw32
-@@ -861,6 +868,13 @@
- i*86:Minix:*:*)
- echo ${UNAME_MACHINE}-pc-minix
- exit ;;
-+ aarch64:Linux:*:*)
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
-+ exit ;;
-+ aarch64_be:Linux:*:*)
-+ UNAME_MACHINE=aarch64_be
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
-+ exit ;;
- alpha:Linux:*:*)
- case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
- EV5) UNAME_MACHINE=alphaev5 ;;
-@@ -895,13 +909,16 @@
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit ;;
- cris:Linux:*:*)
-- echo cris-axis-linux-gnu
-+ echo ${UNAME_MACHINE}-axis-linux-gnu
- exit ;;
- crisv32:Linux:*:*)
-- echo crisv32-axis-linux-gnu
-+ echo ${UNAME_MACHINE}-axis-linux-gnu
- exit ;;
- frv:Linux:*:*)
-- echo frv-unknown-linux-gnu
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
-+ exit ;;
-+ hexagon:Linux:*:*)
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit ;;
- i*86:Linux:*:*)
- LIBC=gnu
-@@ -943,7 +960,7 @@
- test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
- ;;
- or32:Linux:*:*)
-- echo or32-unknown-linux-gnu
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit ;;
- padre:Linux:*:*)
- echo sparc-unknown-linux-gnu
-@@ -978,13 +995,13 @@
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit ;;
- tile*:Linux:*:*)
-- echo ${UNAME_MACHINE}-tilera-linux-gnu
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit ;;
- vax:Linux:*:*)
- echo ${UNAME_MACHINE}-dec-linux-gnu
- exit ;;
- x86_64:Linux:*:*)
-- echo x86_64-unknown-linux-gnu
-+ echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit ;;
- xtensa*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
-@@ -1191,6 +1208,9 @@
- BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
- echo i586-pc-haiku
- exit ;;
-+ x86_64:Haiku:*:*)
-+ echo x86_64-unknown-haiku
-+ exit ;;
- SX-4:SUPER-UX:*:*)
- echo sx4-nec-superux${UNAME_RELEASE}
- exit ;;
-@@ -1246,7 +1266,7 @@
- NEO-?:NONSTOP_KERNEL:*:*)
- echo neo-tandem-nsk${UNAME_RELEASE}
- exit ;;
-- NSE-?:NONSTOP_KERNEL:*:*)
-+ NSE-*:NONSTOP_KERNEL:*:*)
- echo nse-tandem-nsk${UNAME_RELEASE}
- exit ;;
- NSR-?:NONSTOP_KERNEL:*:*)
-@@ -1315,11 +1335,11 @@
- i*86:AROS:*:*)
- echo ${UNAME_MACHINE}-pc-aros
- exit ;;
-+ x86_64:VMkernel:*:*)
-+ echo ${UNAME_MACHINE}-unknown-esx
-+ exit ;;
- esac
-
--#echo '(No uname command or uname output not recognized.)' 1>&2
--#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
--
- eval $set_cc_for_build
- cat >$dummy.c <.
- #
- # As a special exception to the GNU General Public License, if you
- # distribute this file as part of a program that contains a
-@@ -76,8 +74,8 @@
- GNU config.sub ($timestamp)
-
- Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
--2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
--Software Foundation, Inc.
-+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
-+Free Software Foundation, Inc.
-
- This is free software; see the source for copying conditions. There is NO
- warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-@@ -125,13 +123,17 @@
- maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
- case $maybe_os in
- nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
-- linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
-+ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
- knetbsd*-gnu* | netbsd*-gnu* | \
- kopensolaris*-gnu* | \
- storm-chaos* | os2-emx* | rtmk-nova*)
- os=-$maybe_os
- basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
- ;;
-+ android-linux)
-+ os=-linux-android
-+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
-+ ;;
- *)
- basic_machine=`echo $1 | sed 's/-[^-]*$//'`
- if [ $basic_machine != $1 ]
-@@ -154,7 +156,7 @@
- -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
- -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
- -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-- -apple | -axis | -knuth | -cray | -microblaze)
-+ -apple | -axis | -knuth | -cray | -microblaze*)
- os=
- basic_machine=$1
- ;;
-@@ -223,6 +225,12 @@
- -isc*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
-+ -lynx*178)
-+ os=-lynxos178
-+ ;;
-+ -lynx*5)
-+ os=-lynxos5
-+ ;;
- -lynx*)
- os=-lynxos
- ;;
-@@ -247,20 +255,25 @@
- # Some are omitted here because they have special meanings below.
- 1750a | 580 \
- | a29k \
-+ | aarch64 | aarch64_be \
- | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
- | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
- | am33_2.0 \
- | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
-+ | be32 | be64 \
- | bfin \
- | c4x | clipper \
- | d10v | d30v | dlx | dsp16xx \
-+ | epiphany \
- | fido | fr30 | frv \
- | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-+ | hexagon \
- | i370 | i860 | i960 | ia64 \
- | ip2k | iq2000 \
-+ | le32 | le64 \
- | lm32 \
- | m32c | m32r | m32rle | m68000 | m68k | m88k \
-- | maxq | mb | microblaze | mcore | mep | metag \
-+ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \
- | mips | mipsbe | mipseb | mipsel | mipsle \
- | mips16 \
- | mips64 | mips64el \
-@@ -291,7 +304,7 @@
- | pdp10 | pdp11 | pj | pjl \
- | powerpc | powerpc64 | powerpc64le | powerpcle \
- | pyramid \
-- | rx \
-+ | rl78 | rx \
- | score \
- | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
- | sh64 | sh64le \
-@@ -300,7 +313,7 @@
- | spu \
- | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
- | ubicom32 \
-- | v850 | v850e \
-+ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
- | we32k \
- | x86 | xc16x | xstormy16 | xtensa \
- | z8k | z80)
-@@ -315,8 +328,7 @@
- c6x)
- basic_machine=tic6x-unknown
- ;;
-- m6811 | m68hc11 | m6812 | m68hc12 | picochip)
-- # Motorola 68HC11/12.
-+ m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
- basic_machine=$basic_machine-unknown
- os=-none
- ;;
-@@ -329,7 +341,10 @@
- strongarm | thumb | xscale)
- basic_machine=arm-unknown
- ;;
--
-+ xgate)
-+ basic_machine=$basic_machine-unknown
-+ os=-none
-+ ;;
- xscaleeb)
- basic_machine=armeb-unknown
- ;;
-@@ -352,11 +367,13 @@
- # Recognize the basic CPU types with company name.
- 580-* \
- | a29k-* \
-+ | aarch64-* | aarch64_be-* \
- | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
- | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
- | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
- | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
- | avr-* | avr32-* \
-+ | be32-* | be64-* \
- | bfin-* | bs2000-* \
- | c[123]* | c30-* | [cjt]90-* | c4x-* \
- | clipper-* | craynv-* | cydra-* \
-@@ -365,12 +382,15 @@
- | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
- | h8300-* | h8500-* \
- | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-+ | hexagon-* \
- | i*86-* | i860-* | i960-* | ia64-* \
- | ip2k-* | iq2000-* \
-+ | le32-* | le64-* \
- | lm32-* \
- | m32c-* | m32r-* | m32rle-* \
- | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-- | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
-+ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
-+ | microblaze-* | microblazeel-* \
- | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
- | mips16-* \
- | mips64-* | mips64el-* \
-@@ -400,7 +420,7 @@
- | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
- | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
- | pyramid-* \
-- | romp-* | rs6000-* | rx-* \
-+ | rl78-* | romp-* | rs6000-* | rx-* \
- | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
- | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
- | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
-@@ -408,10 +428,11 @@
- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
- | tahoe-* \
- | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-- | tile-* | tilegx-* \
-+ | tile*-* \
- | tron-* \
- | ubicom32-* \
-- | v850-* | v850e-* | vax-* \
-+ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
-+ | vax-* \
- | we32k-* \
- | x86-* | x86_64-* | xc16x-* | xps100-* \
- | xstormy16-* | xtensa*-* \
-@@ -711,7 +732,6 @@
- i370-ibm* | ibm*)
- basic_machine=i370-ibm
- ;;
--# I'm not sure what "Sysv32" means. Should this be sysv3.2?
- i*86v32)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv32
-@@ -769,9 +789,13 @@
- basic_machine=ns32k-utek
- os=-sysv
- ;;
-- microblaze)
-+ microblaze*)
- basic_machine=microblaze-xilinx
- ;;
-+ mingw64)
-+ basic_machine=x86_64-pc
-+ os=-mingw64
-+ ;;
- mingw32)
- basic_machine=i386-pc
- os=-mingw32
-@@ -808,10 +832,18 @@
- ms1-*)
- basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
- ;;
-+ msys)
-+ basic_machine=i386-pc
-+ os=-msys
-+ ;;
- mvs)
- basic_machine=i370-ibm
- os=-mvs
- ;;
-+ nacl)
-+ basic_machine=le32-unknown
-+ os=-nacl
-+ ;;
- ncr3000)
- basic_machine=i486-ncr
- os=-sysv4
-@@ -1120,13 +1152,8 @@
- basic_machine=t90-cray
- os=-unicos
- ;;
-- # This must be matched before tile*.
-- tilegx*)
-- basic_machine=tilegx-unknown
-- os=-linux-gnu
-- ;;
- tile*)
-- basic_machine=tile-unknown
-+ basic_machine=$basic_machine-unknown
- os=-linux-gnu
- ;;
- tx39)
-@@ -1330,15 +1357,15 @@
- | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
- | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
- | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
-- | -openbsd* | -solidbsd* \
-+ | -bitrig* | -openbsd* | -solidbsd* \
- | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
- | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
- | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
- | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
- | -chorusos* | -chorusrdb* | -cegcc* \
-- | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-- | -mingw32* | -linux-gnu* | -linux-android* \
-- | -linux-newlib* | -linux-uclibc* \
-+ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-+ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
-+ | -linux-newlib* | -linux-musl* | -linux-uclibc* \
- | -uxpv* | -beos* | -mpeix* | -udk* \
- | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
- | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
-@@ -1521,6 +1548,9 @@
- c4x-* | tic4x-*)
- os=-coff
- ;;
-+ hexagon-*)
-+ os=-elf
-+ ;;
- tic54x-*)
- os=-coff
- ;;
-@@ -1548,9 +1578,6 @@
- ;;
- m68000-sun)
- os=-sunos3
-- # This also exists in the configure program, but was not the
-- # default.
-- # os=-sunos4
- ;;
- m68*-cisco)
- os=-aout
diff --git a/httpd-2.4.4-mod_cache-tmppath.patch b/httpd-2.4.4-mod_cache-tmppath.patch
deleted file mode 100644
index 7f70098..0000000
--- a/httpd-2.4.4-mod_cache-tmppath.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/modules/cache/mod_cache.c
-+++ a/modules/cache/mod_cache.c
-@@ -1773,7 +1773,7 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
-
- static void * create_cache_config(apr_pool_t *p, server_rec *s)
- {
-- const char *tmppath;
-+ const char *tmppath = NULL;
- cache_server_conf *ps = apr_pcalloc(p, sizeof(cache_server_conf));
-
- /* array of URL prefixes for which caching is enabled */
diff --git a/httpd-2.4.4-mod_unique_id.patch b/httpd-2.4.4-mod_unique_id.patch
new file mode 100644
index 0000000..30bdfe0
--- /dev/null
+++ b/httpd-2.4.4-mod_unique_id.patch
@@ -0,0 +1,239 @@
+--- trunk/modules/metadata/mod_unique_id.c 2011/12/02 23:02:04 1209766
++++ trunk/modules/metadata/mod_unique_id.c 2013/07/10 16:20:31 1501827
+@@ -31,14 +31,11 @@
+ #include "http_log.h"
+ #include "http_protocol.h" /* for ap_hook_post_read_request */
+
+-#if APR_HAVE_UNISTD_H
+-#include /* for getpid() */
+-#endif
++#define ROOT_SIZE 10
+
+ typedef struct {
+ unsigned int stamp;
+- unsigned int in_addr;
+- unsigned int pid;
++ char root[ROOT_SIZE];
+ unsigned short counter;
+ unsigned int thread_index;
+ } unique_id_rec;
+@@ -64,20 +61,15 @@
+ * gethostbyname (gethostname()) is unique across all the machines at the
+ * "site".
+ *
+- * We also further assume that pids fit in 32-bits. If something uses more
+- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding
+- * loop to be extended. * A similar fix is needed to support multithreaded
+- * servers, using a pid/tid combo.
+- *
+- * Together, the in_addr and pid are assumed to absolutely uniquely identify
+- * this one child from all other currently running children on all servers
+- * (including this physical server if it is running multiple httpds) from each
++ * The root is assumed to absolutely uniquely identify this one child
++ * from all other currently running children on all servers (including
++ * this physical server if it is running multiple httpds) from each
+ * other.
+ *
+- * The stamp and counter are used to distinguish all hits for a particular
+- * (in_addr,pid) pair. The stamp is updated using r->request_time,
+- * saving cpu cycles. The counter is never reset, and is used to permit up to
+- * 64k requests in a single second by a single child.
++ * The stamp and counter are used to distinguish all hits for a
++ * particular root. The stamp is updated using r->request_time,
++ * saving cpu cycles. The counter is never reset, and is used to
++ * permit up to 64k requests in a single second by a single child.
+ *
+ * The 144-bits of unique_id_rec are encoded using the alphabet
+ * [A-Za-z0-9@-], resulting in 24 bytes of printable characters. That is then
+@@ -92,7 +84,7 @@
+ * module change.
+ *
+ * It is highly desirable that identifiers exist for "eternity". But future
+- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a
++ * needs (such as much faster webservers, or moving to a
+ * multithreaded server) may dictate a need to change the contents of
+ * unique_id_rec. Such a future implementation should ensure that the first
+ * field is still a time_t stamp. By doing that, it is possible for a site to
+@@ -100,7 +92,15 @@
+ * wait one entire second, and then start all of their new-servers. This
+ * procedure will ensure that the new space of identifiers is completely unique
+ * from the old space. (Since the first four unencoded bytes always differ.)
++ *
++ * Note: previous implementations used 32-bits of IP address plus pid
++ * in place of the PRNG output in the "root" field. This was
++ * insufficient for IPv6-only hosts, required working DNS to determine
++ * a unique IP address (fragile), and needed a [0, 1) second sleep
++ * call at startup to avoid pid reuse. Use of the PRNG avoids all
++ * these issues.
+ */
++
+ /*
+ * Sun Jun 7 05:43:49 CEST 1998 -- Alvaro
+ * More comments:
+@@ -116,8 +116,6 @@
+ * htonl/ntohl. Well, this shouldn't be a problem till year 2106.
+ */
+
+-static unsigned global_in_addr;
+-
+ /*
+ * XXX: We should have a per-thread counter and not use cur_unique_id.counter
+ * XXX: in all threads, because this is bad for performance on multi-processor
+@@ -129,7 +127,7 @@
+ /*
+ * Number of elements in the structure unique_id_rec.
+ */
+-#define UNIQUE_ID_REC_MAX 5
++#define UNIQUE_ID_REC_MAX 4
+
+ static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX],
+ unique_id_rec_size[UNIQUE_ID_REC_MAX],
+@@ -138,113 +136,32 @@
+
+ static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server)
+ {
+- char str[APRMAXHOSTLEN + 1];
+- apr_status_t rv;
+- char *ipaddrstr;
+- apr_sockaddr_t *sockaddr;
+-
+ /*
+ * Calculate the sizes and offsets in cur_unique_id.
+ */
+ unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp);
+ unique_id_rec_size[0] = sizeof(cur_unique_id.stamp);
+- unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr);
+- unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr);
+- unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid);
+- unique_id_rec_size[2] = sizeof(cur_unique_id.pid);
+- unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter);
+- unique_id_rec_size[3] = sizeof(cur_unique_id.counter);
+- unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index);
+- unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index);
++ unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root);
++ unique_id_rec_size[1] = sizeof(cur_unique_id.root);
++ unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter);
++ unique_id_rec_size[2] = sizeof(cur_unique_id.counter);
++ unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index);
++ unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index);
+ unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] +
+- unique_id_rec_size[2] + unique_id_rec_size[3] +
+- unique_id_rec_size[4];
++ unique_id_rec_size[2] + unique_id_rec_size[3];
+
+ /*
+ * Calculate the size of the structure when encoded.
+ */
+ unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6;
+
+- /*
+- * Now get the global in_addr. Note that it is not sufficient to use one
+- * of the addresses from the main_server, since those aren't as likely to
+- * be unique as the physical address of the machine
+- */
+- if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) {
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563)
+- "unable to find hostname of the server");
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) {
+- global_in_addr = sockaddr->sa.sin.sin_addr.s_addr;
+- }
+- else {
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564)
+- "unable to find IPv4 address of \"%s\"", str);
+-#if APR_HAVE_IPV6
+- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) {
+- memcpy(&global_in_addr,
+- (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr),
+- sizeof(global_in_addr));
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565)
+- "using low-order bits of IPv6 address "
+- "as if they were unique");
+- }
+- else
+-#endif
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- apr_sockaddr_ip_get(&ipaddrstr, sockaddr);
+- ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s",
+- ipaddrstr);
+-
+- /*
+- * If the server is pummelled with restart requests we could possibly end
+- * up in a situation where we're starting again during the same second
+- * that has been used in previous identifiers. Avoid that situation.
+- *
+- * In truth, for this to actually happen not only would it have to restart
+- * in the same second, but it would have to somehow get the same pids as
+- * one of the other servers that was running in that second. Which would
+- * mean a 64k wraparound on pids ... not very likely at all.
+- *
+- * But protecting against it is relatively cheap. We just sleep into the
+- * next second.
+- */
+- apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now()));
+ return OK;
+ }
+
+ static void unique_id_child_init(apr_pool_t *p, server_rec *s)
+ {
+- pid_t pid;
+-
+- /*
+- * Note that we use the pid because it's possible that on the same
+- * physical machine there are multiple servers (i.e. using Listen). But
+- * it's guaranteed that none of them will share the same pids between
+- * children.
+- *
+- * XXX: for multithread this needs to use a pid/tid combo and probably
+- * needs to be expanded to 32 bits
+- */
+- pid = getpid();
+- cur_unique_id.pid = pid;
+-
+- /*
+- * Test our assumption that the pid is 32-bits. It's possible that
+- * 64-bit machines will declare pid_t to be 64 bits but only use 32
+- * of them. It would have been really nice to test this during
+- * global_init ... but oh well.
+- */
+- if ((pid_t)cur_unique_id.pid != pid) {
+- ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567)
+- "oh no! pids are greater than 32-bits! I'm broken!");
+- }
+-
+- cur_unique_id.in_addr = global_in_addr;
++ ap_random_insecure_bytes(&cur_unique_id.root,
++ sizeof(cur_unique_id.root));
+
+ /*
+ * If we use 0 as the initial counter we have a little less protection
+@@ -253,13 +170,6 @@
+ */
+ ap_random_insecure_bytes(&cur_unique_id.counter,
+ sizeof(cur_unique_id.counter));
+-
+- /*
+- * We must always use network ordering for these bytes, so that
+- * identifiers are comparable between machines of different byte
+- * orderings. Note in_addr is already in network order.
+- */
+- cur_unique_id.pid = htonl(cur_unique_id.pid);
+ }
+
+ /* NOTE: This is *NOT* the same encoding used by base64encode ... the last two
+@@ -291,10 +201,8 @@
+ unsigned short counter;
+ int i,j,k;
+
+- new_unique_id.in_addr = cur_unique_id.in_addr;
+- new_unique_id.pid = cur_unique_id.pid;
++ memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE);
+ new_unique_id.counter = cur_unique_id.counter;
+-
+ new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
+ new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
+
diff --git a/httpd-2.4.4-r1476674.patch b/httpd-2.4.4-r1476674.patch
deleted file mode 100644
index d93945f..0000000
--- a/httpd-2.4.4-r1476674.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-Index: support/passwd_common.c
-===================================================================
---- a/support/passwd_common.c (revision 1476673)
-+++ b/support/passwd_common.c (working copy)
-@@ -113,17 +113,17 @@
-
- int get_password(struct passwd_ctx *ctx)
- {
-+ char buf[MAX_STRING_LEN + 1];
- if (ctx->passwd_src == PW_STDIN) {
-- char *buf = ctx->out;
- apr_file_t *file_stdin;
- apr_size_t nread;
- if (apr_file_open_stdin(&file_stdin, ctx->pool) != APR_SUCCESS) {
- ctx->errstr = "Unable to read from stdin.";
- return ERR_GENERAL;
- }
-- if (apr_file_read_full(file_stdin, buf, ctx->out_len - 1,
-+ if (apr_file_read_full(file_stdin, buf, sizeof(buf) - 1,
- &nread) != APR_EOF
-- || nread == ctx->out_len - 1) {
-+ || nread == sizeof(buf) - 1) {
- goto err_too_long;
- }
- buf[nread] = '\0';
-@@ -133,21 +133,24 @@
- buf[nread-2] = '\0';
- }
- apr_file_close(file_stdin);
-+ ctx->passwd = apr_pstrdup(ctx->pool, buf);
- }
- else {
-- char buf[MAX_STRING_LEN + 1];
- apr_size_t bufsize = sizeof(buf);
-- if (apr_password_get("New password: ", ctx->out, &ctx->out_len) != 0)
-+ if (apr_password_get("New password: ", buf, &bufsize) != 0)
- goto err_too_long;
-+ ctx->passwd = apr_pstrdup(ctx->pool, buf);
-+ bufsize = sizeof(buf);
-+ buf[0] = '\0';
- apr_password_get("Re-type new password: ", buf, &bufsize);
-- if (strcmp(ctx->out, buf) != 0) {
-+ if (strcmp(ctx->passwd, buf) != 0) {
- ctx->errstr = "password verification error";
-- memset(ctx->out, '\0', ctx->out_len);
-+ memset(ctx->passwd, '\0', strlen(ctx->passwd));
- memset(buf, '\0', sizeof(buf));
- return ERR_PWMISMATCH;
- }
-- memset(buf, '\0', sizeof(buf));
- }
-+ memset(buf, '\0', sizeof(buf));
- return 0;
-
- err_too_long:
-@@ -164,7 +167,6 @@
- int mkhash(struct passwd_ctx *ctx)
- {
- char *pw;
-- char pwin[MAX_STRING_LEN];
- char salt[16];
- apr_status_t rv;
- int ret = 0;
-@@ -177,14 +179,11 @@
- "Warning: Ignoring -C argument for this algorithm." NL);
- }
-
-- if (ctx->passwd != NULL) {
-- pw = ctx->passwd;
-- }
-- else {
-+ if (ctx->passwd == NULL) {
- if ((ret = get_password(ctx)) != 0)
- return ret;
-- pw = pwin;
- }
-+ pw = ctx->passwd;
-
- switch (ctx->alg) {
- case ALG_APSHA:
-@@ -224,7 +223,7 @@
-
- apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
- if (strlen(pw) > 8) {
-- char *truncpw = strdup(pw);
-+ char *truncpw = apr_pstrdup(ctx->pool, pw);
- truncpw[8] = '\0';
- if (!strcmp(ctx->out, crypt(truncpw, salt))) {
- apr_file_printf(errfile, "Warning: Password truncated to 8 "
-Index: support/htpasswd.c
-===================================================================
---- a/support/htpasswd.c (revision 1476673)
-+++ b/support/htpasswd.c (working copy)
-@@ -253,7 +253,6 @@
- int main(int argc, const char * const argv[])
- {
- apr_file_t *fpw = NULL;
-- const char *errstr = NULL;
- char line[MAX_STRING_LEN];
- char *pwfilename = NULL;
- char *user = NULL;
-@@ -345,7 +344,7 @@
- if (!(mask & APHTP_DELUSER)) {
- i = mkrecord(&ctx, user);
- if (i != 0) {
-- apr_file_printf(errfile, "%s: %s" NL, argv[0], errstr);
-+ apr_file_printf(errfile, "%s: %s" NL, argv[0], ctx.errstr);
- exit(i);
- }
- if (mask & APHTP_NOFILE) {
diff --git a/httpd-2.4.4-sslmultiproxy.patch b/httpd-2.4.4-sslmultiproxy.patch
deleted file mode 100644
index 7b912a0..0000000
--- a/httpd-2.4.4-sslmultiproxy.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
-index 6ea367c..3cbd08f 100644
---- a/modules/ssl/mod_ssl.c
-+++ b/modules/ssl/mod_ssl.c
-@@ -378,6 +378,9 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
- return sslconn;
- }
-
-+static typeof(ssl_proxy_enable) *othermod_proxy_enable;
-+static typeof(ssl_engine_disable) *othermod_engine_disable;
-+
- int ssl_proxy_enable(conn_rec *c)
- {
- SSLSrvConfigRec *sc;
-@@ -386,6 +389,12 @@ int ssl_proxy_enable(conn_rec *c)
- sc = mySrvConfig(sslconn->server);
-
- if (!sc->proxy_enabled) {
-+ if (othermod_proxy_enable) {
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ "mod_ssl proxy not configured, passing through to other module.");
-+ return othermod_proxy_enable(c);
-+ }
-+
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
- "SSL Proxy requested for %s but not enabled "
- "[Hint: SSLProxyEngine]", sc->vhost_id);
-@@ -405,6 +414,10 @@ int ssl_engine_disable(conn_rec *c)
-
- SSLConnRec *sslconn = myConnConfig(c);
-
-+ if (othermod_engine_disable) {
-+ othermod_engine_disable(c);
-+ }
-+
- if (sslconn) {
- sc = mySrvConfig(sslconn->server);
- }
-@@ -590,6 +603,9 @@ static void ssl_register_hooks(apr_pool_t *p)
- ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
-
- ssl_var_register(p);
-+
-+ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
-+ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
-
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
-index 536e6b1..c508fff 100644
---- a/modules/ssl/ssl_engine_vars.c
-+++ b/modules/ssl/ssl_engine_vars.c
-@@ -53,10 +53,15 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algk
- static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
- static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
-
-+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
-+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
-+
- static int ssl_is_https(conn_rec *c)
- {
- SSLConnRec *sslconn = myConnConfig(c);
-- return sslconn && sslconn->ssl;
-+
-+ return (sslconn && sslconn->ssl)
-+ || (othermod_is_https && othermod_is_https(c));
- }
-
- static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
-@@ -106,6 +111,9 @@ void ssl_var_register(apr_pool_t *p)
- {
- char *cp, *cp2;
-
-+ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
-+ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
-+
- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
- APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
- APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
-@@ -241,6 +249,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
- */
- if (result == NULL && c != NULL) {
- SSLConnRec *sslconn = myConnConfig(c);
-+
-+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
-+ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
-+ /* For an SSL_* variable, if mod_ssl is not enabled for
-+ * this connection and another SSL module is present, pass
-+ * through to that module. */
-+ return othermod_var_lookup(p, s, c, r, var);
-+ }
-+
- if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
- && sslconn && sslconn->ssl)
- result = ssl_var_lookup_ssl(p, c, r, var+4);
diff --git a/httpd-2.4.6-r1332643+.patch b/httpd-2.4.6-r1332643+.patch
new file mode 100644
index 0000000..d2e5565
--- /dev/null
+++ b/httpd-2.4.6-r1332643+.patch
@@ -0,0 +1,313 @@
+# ./pullrev.sh 1332643 1345599 1487772
+
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+http://svn.apache.org/viewvc?view=revision&revision=1345599
+http://svn.apache.org/viewvc?view=revision&revision=1487772
+
+--- httpd-2.4.6/modules/ssl/mod_ssl.c.r1332643+
++++ httpd-2.4.6/modules/ssl/mod_ssl.c
+@@ -413,6 +413,37 @@ int ssl_engine_disable(conn_rec *c)
+ return 1;
+ }
+
++static int modssl_register_npn(conn_rec *c,
++ ssl_npn_advertise_protos advertisefn,
++ ssl_npn_proto_negotiated negotiatedfn)
++{
++#ifdef HAVE_TLS_NPN
++ SSLConnRec *sslconn = myConnConfig(c);
++
++ if (!sslconn) {
++ return DECLINED;
++ }
++
++ if (!sslconn->npn_advertfns) {
++ sslconn->npn_advertfns =
++ apr_array_make(c->pool, 5, sizeof(ssl_npn_advertise_protos));
++ sslconn->npn_negofns =
++ apr_array_make(c->pool, 5, sizeof(ssl_npn_proto_negotiated));
++ }
++
++ if (advertisefn)
++ APR_ARRAY_PUSH(sslconn->npn_advertfns, ssl_npn_advertise_protos) =
++ advertisefn;
++ if (negotiatedfn)
++ APR_ARRAY_PUSH(sslconn->npn_negofns, ssl_npn_proto_negotiated) =
++ negotiatedfn;
++
++ return OK;
++#else
++ return DECLINED;
++#endif
++}
++
+ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
+ {
+ SSLSrvConfigRec *sc;
+@@ -584,6 +615,7 @@ static void ssl_register_hooks(apr_pool_
+
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
++ APR_REGISTER_OPTIONAL_FN(modssl_register_npn);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
+ AUTHZ_PROVIDER_VERSION,
+--- httpd-2.4.6/modules/ssl/mod_ssl.h.r1332643+
++++ httpd-2.4.6/modules/ssl/mod_ssl.h
+@@ -63,5 +63,40 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
+
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+
++/** The npn_advertise_protos callback allows another modules to add
++ * entries to the list of protocol names advertised by the server
++ * during the Next Protocol Negotiation (NPN) portion of the SSL
++ * handshake. The callback is given the connection and an APR array;
++ * it should push one or more char*'s pointing to NUL-terminated
++ * strings (such as "http/1.1" or "spdy/2") onto the array and return
++ * OK. To prevent further processing of (other modules') callbacks,
++ * return DONE. */
++typedef int (*ssl_npn_advertise_protos)(conn_rec *connection,
++ apr_array_header_t *protos);
++
++/** The npn_proto_negotiated callback allows other modules to discover
++ * the name of the protocol that was chosen during the Next Protocol
++ * Negotiation (NPN) portion of the SSL handshake. Note that this may
++ * be the empty string (in which case modules should probably assume
++ * HTTP), or it may be a protocol that was never even advertised by
++ * the server. The callback is given the connection, a
++ * non-NUL-terminated string containing the protocol name, and the
++ * length of the string; it should do something appropriate
++ * (i.e. insert or remove filters) and return OK. To prevent further
++ * processing of (other modules') callbacks, return DONE. */
++typedef int (*ssl_npn_proto_negotiated)(conn_rec *connection,
++ const char *proto_name,
++ apr_size_t proto_name_len);
++
++/* An optional function which can be used to register a pair of
++ * callbacks for NPN handling. This optional function should be
++ * invoked from a pre_connection hook which runs *after* mod_ssl.c's
++ * pre_connection hook. The function returns OK if the callbacks are
++ * register, or DECLINED otherwise (for example if mod_ssl does not
++l * support NPN). */
++APR_DECLARE_OPTIONAL_FN(int, modssl_register_npn, (conn_rec *conn,
++ ssl_npn_advertise_protos advertisefn,
++ ssl_npn_proto_negotiated negotiatedfn));
++
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+--- httpd-2.4.6/modules/ssl/ssl_engine_init.c.r1332643+
++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c
+@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve
+ #endif
+
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
++
++#ifdef HAVE_TLS_NPN
++ SSL_CTX_set_next_protos_advertised_cb(
++ ctx, ssl_callback_AdvertiseNextProtos, NULL);
++#endif
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.4.6/modules/ssl/ssl_engine_io.c.r1332643+
++++ httpd-2.4.6/modules/ssl/ssl_engine_io.c
+@@ -297,6 +297,7 @@ typedef struct {
+ apr_pool_t *pool;
+ char buffer[AP_IOBUFSIZE];
+ ssl_filter_ctx_t *filter_ctx;
++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+
+ /*
+@@ -1400,6 +1401,37 @@ static apr_status_t ssl_io_filter_input(
+ APR_BRIGADE_INSERT_TAIL(bb, bucket);
+ }
+
++#ifdef HAVE_TLS_NPN
++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
++ * our version of OpenSSL supports it). If we haven't already, find out
++ * which protocol was decided upon and inform other modules by calling
++ * npn_proto_negotiated_hook. */
++ if (!inctx->npn_finished) {
++ SSLConnRec *sslconn = myConnConfig(f->c);
++ const unsigned char *next_proto = NULL;
++ unsigned next_proto_len = 0;
++ int n;
++
++ if (sslconn->npn_negofns) {
++ SSL_get0_next_proto_negotiated(
++ inctx->ssl, &next_proto, &next_proto_len);
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
++ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
++ next_proto_len, (const char*)next_proto);
++
++ for (n = 0; n < sslconn->npn_negofns->nelts; n++) {
++ ssl_npn_proto_negotiated fn =
++ APR_ARRAY_IDX(sslconn->npn_negofns, n, ssl_npn_proto_negotiated);
++
++ if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE)
++ break;
++ }
++ }
++
++ inctx->npn_finished = 1;
++ }
++#endif
++
+ return APR_SUCCESS;
+ }
+
+@@ -1881,6 +1913,7 @@ static void ssl_io_input_add_filter(ssl_
+ inctx->block = APR_BLOCK_READ;
+ inctx->pool = c->pool;
+ inctx->filter_ctx = filter_ctx;
++ inctx->npn_finished = 0;
+ }
+
+ /* The request_rec pointer is passed in here only to ensure that the
+--- httpd-2.4.6/modules/ssl/ssl_engine_kernel.c.r1332643+
++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c
+@@ -2161,6 +2161,97 @@ int ssl_callback_SessionTicket(SSL *ssl,
+ }
+ #endif /* HAVE_TLS_SESSION_TICKETS */
+
++#ifdef HAVE_TLS_NPN
++/*
++ * This callback function is executed when SSL needs to decide what protocols
++ * to advertise during Next Protocol Negotiation (NPN). It must produce a
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
++ * in OpenSSL for reference.
++ */
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
++ unsigned int *size_out, void *arg)
++{
++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
++ SSLConnRec *sslconn = myConnConfig(c);
++ apr_array_header_t *protos;
++ int num_protos;
++ unsigned int size;
++ int i;
++ unsigned char *data;
++ unsigned char *start;
++
++ *data_out = NULL;
++ *size_out = 0;
++
++ /* If the connection object is not available, or there are no NPN
++ * hooks registered, then there's nothing for us to do. */
++ if (c == NULL || sslconn->npn_advertfns == NULL) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
++ * add alternate protocol names to advertise. */
++ protos = apr_array_make(c->pool, 0, sizeof(char *));
++ for (i = 0; i < sslconn->npn_advertfns->nelts; i++) {
++ ssl_npn_advertise_protos fn =
++ APR_ARRAY_IDX(sslconn->npn_advertfns, i, ssl_npn_advertise_protos);
++
++ if (fn(c, protos) == DONE)
++ break;
++ }
++ num_protos = protos->nelts;
++
++ /* We now have a list of null-terminated strings; we need to concatenate
++ * them together into a single string, where each protocol name is prefixed
++ * by its length. First, calculate how long that string will be. */
++ size = 0;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ unsigned int length = strlen(string);
++ /* If the protocol name is too long (the length must fit in one byte),
++ * then log an error and skip it. */
++ if (length > 255) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
++ "SSL NPN protocol name too long (length=%u): %s",
++ length, string);
++ continue;
++ }
++ /* Leave room for the length prefix (one byte) plus the protocol name
++ * itself. */
++ size += 1 + length;
++ }
++
++ /* If there is nothing to advertise (either because no modules added
++ * anything to the protos array, or because all strings added to the array
++ * were skipped), then we're done. */
++ if (size == 0) {
++ return SSL_TLSEXT_ERR_OK;
++ }
++
++ /* Now we can build the string. Copy each protocol name string into the
++ * larger string, prefixed by its length. */
++ data = apr_palloc(c->pool, size * sizeof(unsigned char));
++ start = data;
++ for (i = 0; i < num_protos; ++i) {
++ const char *string = APR_ARRAY_IDX(protos, i, const char*);
++ apr_size_t length = strlen(string);
++ if (length > 255)
++ continue;
++ *start = (unsigned char)length;
++ ++start;
++ memcpy(start, string, length * sizeof(unsigned char));
++ start += length;
++ }
++
++ /* Success. */
++ *data_out = data;
++ *size_out = size;
++ return SSL_TLSEXT_ERR_OK;
++}
++
++#endif /* HAVE_TLS_NPN */
++
+ #ifndef OPENSSL_NO_SRP
+
+ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+--- httpd-2.4.6/modules/ssl/ssl_private.h.r1332643+
++++ httpd-2.4.6/modules/ssl/ssl_private.h
+@@ -98,6 +98,8 @@
+ #include
+ #include
+
++#include "mod_ssl.h"
++
+ /* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
+ */
+@@ -139,6 +141,11 @@
+ #define HAVE_FIPS
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
++ && !defined(OPENSSL_NO_TLSEXT)
++#define HAVE_TLS_NPN
++#endif
++
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+ #define MODSSL_SSL_CIPHER_CONST const
+ #define MODSSL_SSL_METHOD_CONST const
+@@ -487,6 +494,12 @@ typedef struct {
+ * connection */
+ } reneg_state;
+
++#ifdef HAVE_TLS_NPN
++ /* Poor man's inter-module optional hooks for NPN. */
++ apr_array_header_t *npn_advertfns; /* list of ssl_npn_advertise_protos callbacks */
++ apr_array_header_t *npn_negofns; /* list of ssl_npn_proto_negotiated callbacks. */
++#endif
++
+ server_rec *server;
+ } SSLConnRec;
+
+@@ -842,6 +855,7 @@ int ssl_callback_ServerNameIndi
+ int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+
+ /** Session Cache Support */
+ void ssl_scache_init(server_rec *, apr_pool_t *);
diff --git a/httpd-2.4.6-sslmultiproxy.patch b/httpd-2.4.6-sslmultiproxy.patch
new file mode 100644
index 0000000..f8a3b4b
--- /dev/null
+++ b/httpd-2.4.6-sslmultiproxy.patch
@@ -0,0 +1,94 @@
+
+Ugly hack to enable mod_ssl and mod_nss to "share" hooks.
+
+--- httpd-2.4.6/modules/ssl/mod_ssl.c.sslmultiproxy
++++ httpd-2.4.6/modules/ssl/mod_ssl.c
+@@ -369,6 +369,9 @@ static SSLConnRec *ssl_init_connection_c
+ return sslconn;
+ }
+
++static typeof(ssl_proxy_enable) *othermod_proxy_enable;
++static typeof(ssl_engine_disable) *othermod_engine_disable;
++
+ int ssl_proxy_enable(conn_rec *c)
+ {
+ SSLSrvConfigRec *sc;
+@@ -377,6 +380,12 @@ int ssl_proxy_enable(conn_rec *c)
+ sc = mySrvConfig(sslconn->server);
+
+ if (!sc->proxy_enabled) {
++ if (othermod_proxy_enable) {
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++ "mod_ssl proxy not configured, passing through to other module.");
++ return othermod_proxy_enable(c);
++ }
++
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+ "SSL Proxy requested for %s but not enabled "
+ "[Hint: SSLProxyEngine]", sc->vhost_id);
+@@ -396,6 +405,10 @@ int ssl_engine_disable(conn_rec *c)
+
+ SSLConnRec *sslconn = myConnConfig(c);
+
++ if (othermod_engine_disable) {
++ othermod_engine_disable(c);
++ }
++
+ if (sslconn) {
+ sc = mySrvConfig(sslconn->server);
+ }
+@@ -612,6 +625,9 @@ static void ssl_register_hooks(apr_pool_
+ ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+
+ ssl_var_register(p);
++
++ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+--- httpd-2.4.6/modules/ssl/ssl_engine_vars.c.sslmultiproxy
++++ httpd-2.4.6/modules/ssl/ssl_engine_vars.c
+@@ -53,10 +53,15 @@ static void ssl_var_lookup_ssl_cipher_b
+ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
+
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
++
+ static int ssl_is_https(conn_rec *c)
+ {
+ SSLConnRec *sslconn = myConnConfig(c);
+- return sslconn && sslconn->ssl;
++
++ return (sslconn && sslconn->ssl)
++ || (othermod_is_https && othermod_is_https(c));
+ }
+
+ static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
+@@ -106,6 +111,9 @@ void ssl_var_register(apr_pool_t *p)
+ {
+ char *cp, *cp2;
+
++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+ APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
+@@ -241,6 +249,15 @@ char *ssl_var_lookup(apr_pool_t *p, serv
+ */
+ if (result == NULL && c != NULL) {
+ SSLConnRec *sslconn = myConnConfig(c);
++
++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++ /* For an SSL_* variable, if mod_ssl is not enabled for
++ * this connection and another SSL module is present, pass
++ * through to that module. */
++ return othermod_var_lookup(p, s, c, r, var);
++ }
++
+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+ && sslconn && sslconn->ssl)
+ result = ssl_var_lookup_ssl(p, c, r, var+4);
diff --git a/httpd.spec b/httpd.spec
index 7647e82..ec3d24a 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,8 +13,8 @@
Summary: Apache HTTP Server
Name: httpd
-Version: 2.4.4
-Release: 11%{?dist}
+Version: 2.4.6
+Release: 2%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -51,24 +51,20 @@ Patch2: httpd-2.4.3-apxs.patch
Patch3: httpd-2.4.1-deplibs.patch
Patch5: httpd-2.4.3-layout.patch
Patch6: httpd-2.4.3-apctl-systemd.patch
-Patch7: httpd-2.4.4-aarch64.patch
# Features/functional changes
Patch23: httpd-2.4.4-export.patch
Patch24: httpd-2.4.1-corelimit.patch
Patch25: httpd-2.4.1-selinux.patch
Patch26: httpd-2.4.4-r1337344+.patch
Patch27: httpd-2.4.2-icons.patch
-Patch28: httpd-2.4.4-r1332643+.patch
+Patch28: httpd-2.4.6-r1332643+.patch
Patch29: httpd-2.4.3-mod_systemd.patch
Patch30: httpd-2.4.4-cachehardmax.patch
-Patch31: httpd-2.4.4-sslmultiproxy.patch
+Patch31: httpd-2.4.6-sslmultiproxy.patch
# Bug fixes
-Patch50: httpd-2.4.2-r1374214+.patch
Patch51: httpd-2.4.3-sslsninotreq.patch
-Patch52: httpd-2.4.4-r1476674.patch
-Patch53: httpd-2.4.4-mod_cache-tmppath.patch
-Patch54: httpd-2.4.4-dump-vhost-twice.patch
Patch55: httpd-2.4.4-malformed-host.patch
+Patch56: httpd-2.4.4-mod_unique_id.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -180,7 +176,6 @@ interface for storing and accessing per-user session data.
%patch3 -p1 -b .deplibs
%patch5 -p1 -b .layout
%patch6 -p1 -b .apctlsystemd
-%patch7 -p1 -b .aarch64
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
@@ -190,14 +185,11 @@ interface for storing and accessing per-user session data.
%patch28 -p1 -b .r1332643+
%patch29 -p1 -b .systemd
%patch30 -p1 -b .cachehardmax
-%patch31 -p1 -b .sslmulti
+%patch31 -p1 -b .sslmultiproxy
-%patch50 -p1 -b .r1374214+
%patch51 -p1 -b .sninotreq
-%patch52 -p1 -b .r1476674
-%patch53 -p1 -b .tmppath
-%patch54 -p1 -b .vhosttwice
%patch55 -p1 -b .malformedhost
+%patch56 -p1 -b .uniqueid
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -621,6 +613,17 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Wed Jul 31 2013 Jan Kaluza - 2.4.6-2
+- revert fix for dumping vhosts twice
+
+* Mon Jul 22 2013 Joe Orton - 2.4.6-1
+- update to 2.4.6
+- mod_ssl: use revised NPN API (r1487772)
+
+* Thu Jul 11 2013 Jan Kaluza - 2.4.4-12
+- mod_unique_id: replace use of hostname + pid with PRNG output (#976666)
+- apxs: mention -p option in manpage
+
* Tue Jul 2 2013 Joe Orton - 2.4.4-11
- add patch for aarch64 (Dennis Gilmore, #925558)
diff --git a/sources b/sources
index a228990..35e4d06 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-0e712ee2119cd798c8ae39d5f11a9206 httpd-2.4.4.tar.bz2
+ea5e361ca37b8d7853404419dd502efe httpd-2.4.6.tar.bz2