diff --git a/.gitignore b/.gitignore
index 4e0c552..28521d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ x86_64
 /httpd-2.4.3.tar.bz2
 /httpd-2.4.4.tar.bz2
 /httpd-2.4.6.tar.bz2
+/httpd-2.4.7.tar.bz2
diff --git a/httpd-2.4.3-sslsninotreq.patch b/httpd-2.4.3-sslsninotreq.patch
deleted file mode 100644
index 6e158c6..0000000
--- a/httpd-2.4.3-sslsninotreq.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c -index 15993f1..53ed6f1 100644 ---- a/modules/ssl/ssl_engine_config.c -+++ b/modules/ssl/ssl_engine_config.c -@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s) - mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc)); - mc->pPool = pool; - mc->bFixed = FALSE; -+ mc->sni_required = FALSE; - - /* - * initialize per-module configuration -diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index bf1f0e4..a7523de 100644 ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, - /* - * Configuration consistency checks - */ -- ssl_init_CheckServers(base_server, ptemp); -+ ssl_init_CheckServers(mc, base_server, ptemp); - - /* - * Announce mod_ssl and SSL library in HTTP Server field -@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s, - } - } - --void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) -+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p) - { - server_rec *s, *ps; - SSLSrvConfigRec *sc; -@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) - } - - if (conflict) { -+ mc->sni_required = TRUE; - #ifdef OPENSSL_NO_TLSEXT - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) - "Init: You should not use name-based " -diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c -index bc9e26b..2460f01 100644 ---- a/modules/ssl/ssl_engine_kernel.c -+++ b/modules/ssl/ssl_engine_kernel.c -@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r) - return DECLINED; - } - #ifndef OPENSSL_NO_TLSEXT -+ if (myModConfig(r->server)->sni_required) { - if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { - char *host, *scope_id; - apr_port_t port; -@@ -206,6 +207,7 @@ int 
ssl_hook_ReadReq(request_rec *r) - " virtual host"); - return HTTP_FORBIDDEN; - } -+ } - #endif - SSL_set_app_data2(ssl, r); - -diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h -index 75fc0e3..31dbfa9 100644 ---- a/modules/ssl/ssl_private.h -+++ b/modules/ssl/ssl_private.h -@@ -554,6 +554,7 @@ typedef struct { - struct { - void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; - } rCtx; -+ BOOL sni_required; - } SSLModConfigRec; - - /** Structure representing configured filenames for certs and keys for -@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag); - int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); - void ssl_init_Engine(server_rec *, apr_pool_t *); - void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); --void ssl_init_CheckServers(server_rec *, apr_pool_t *); -+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *); - STACK_OF(X509_NAME) - *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); - void ssl_init_Child(apr_pool_t *, server_rec *); diff --git a/httpd-2.4.6-r1332643+.patch b/httpd-2.4.6-r1332643+.patch deleted file mode 100644 index d2e5565..0000000 --- a/httpd-2.4.6-r1332643+.patch +++ /dev/null 
@@ -1,313 +0,0 @@ -# ./pullrev.sh 1332643 1345599 1487772 - -https://bugzilla.redhat.com//show_bug.cgi?id=809599 - -http://svn.apache.org/viewvc?view=revision&revision=1332643 -http://svn.apache.org/viewvc?view=revision&revision=1345599 -http://svn.apache.org/viewvc?view=revision&revision=1487772 - ---- httpd-2.4.6/modules/ssl/mod_ssl.c.r1332643+ -+++ httpd-2.4.6/modules/ssl/mod_ssl.c -@@ -413,6 +413,37 @@ int ssl_engine_disable(conn_rec *c) - return 1; - } - -+static int modssl_register_npn(conn_rec *c, -+ ssl_npn_advertise_protos advertisefn, -+ ssl_npn_proto_negotiated negotiatedfn) -+{ -+#ifdef HAVE_TLS_NPN -+ SSLConnRec *sslconn = myConnConfig(c); -+ -+ if (!sslconn) { -+ return DECLINED; -+ } -+ -+ if (!sslconn->npn_advertfns) { -+ sslconn->npn_advertfns = -+ apr_array_make(c->pool, 5, sizeof(ssl_npn_advertise_protos)); -+ sslconn->npn_negofns = -+ apr_array_make(c->pool, 5, sizeof(ssl_npn_proto_negotiated)); -+ } -+ -+ if (advertisefn) -+ APR_ARRAY_PUSH(sslconn->npn_advertfns, ssl_npn_advertise_protos) = -+ advertisefn; -+ if (negotiatedfn) -+ APR_ARRAY_PUSH(sslconn->npn_negofns, ssl_npn_proto_negotiated) = -+ negotiatedfn; -+ -+ return OK; -+#else -+ return DECLINED; -+#endif -+} -+ - int ssl_init_ssl_connection(conn_rec *c, request_rec *r) - { - SSLSrvConfigRec *sc; -@@ -584,6 +615,7 @@ static void ssl_register_hooks(apr_pool_ - - APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); - APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); -+ APR_REGISTER_OPTIONAL_FN(modssl_register_npn); - - ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl", - AUTHZ_PROVIDER_VERSION, ---- httpd-2.4.6/modules/ssl/mod_ssl.h.r1332643+ -+++ httpd-2.4.6/modules/ssl/mod_ssl.h -@@ -63,5 +63,40 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e - - APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); - -+/** The npn_advertise_protos callback allows another modules to add -+ * entries to the list of protocol names advertised by the server -+ * during the Next Protocol Negotiation (NPN) 
portion of the SSL -+ * handshake. The callback is given the connection and an APR array; -+ * it should push one or more char*'s pointing to NUL-terminated -+ * strings (such as "http/1.1" or "spdy/2") onto the array and return -+ * OK. To prevent further processing of (other modules') callbacks, -+ * return DONE. */ -+typedef int (*ssl_npn_advertise_protos)(conn_rec *connection, -+ apr_array_header_t *protos); -+ -+/** The npn_proto_negotiated callback allows other modules to discover -+ * the name of the protocol that was chosen during the Next Protocol -+ * Negotiation (NPN) portion of the SSL handshake. Note that this may -+ * be the empty string (in which case modules should probably assume -+ * HTTP), or it may be a protocol that was never even advertised by -+ * the server. The callback is given the connection, a -+ * non-NUL-terminated string containing the protocol name, and the -+ * length of the string; it should do something appropriate -+ * (i.e. insert or remove filters) and return OK. To prevent further -+ * processing of (other modules') callbacks, return DONE. */ -+typedef int (*ssl_npn_proto_negotiated)(conn_rec *connection, -+ const char *proto_name, -+ apr_size_t proto_name_len); -+ -+/* An optional function which can be used to register a pair of -+ * callbacks for NPN handling. This optional function should be -+ * invoked from a pre_connection hook which runs *after* mod_ssl.c's -+ * pre_connection hook. The function returns OK if the callbacks are -+ * register, or DECLINED otherwise (for example if mod_ssl does not -+l * support NPN). 
*/ -+APR_DECLARE_OPTIONAL_FN(int, modssl_register_npn, (conn_rec *conn, -+ ssl_npn_advertise_protos advertisefn, -+ ssl_npn_proto_negotiated negotiatedfn)); -+ - #endif /* __MOD_SSL_H__ */ - /** @} */ ---- httpd-2.4.6/modules/ssl/ssl_engine_init.c.r1332643+ -+++ httpd-2.4.6/modules/ssl/ssl_engine_init.c -@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(serve - #endif - - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); -+ -+#ifdef HAVE_TLS_NPN -+ SSL_CTX_set_next_protos_advertised_cb( -+ ctx, ssl_callback_AdvertiseNextProtos, NULL); -+#endif - } - - static void ssl_init_ctx_verify(server_rec *s, ---- httpd-2.4.6/modules/ssl/ssl_engine_io.c.r1332643+ -+++ httpd-2.4.6/modules/ssl/ssl_engine_io.c -@@ -297,6 +297,7 @@ typedef struct { - apr_pool_t *pool; - char buffer[AP_IOBUFSIZE]; - ssl_filter_ctx_t *filter_ctx; -+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ - } bio_filter_in_ctx_t; - - /* -@@ -1400,6 +1401,37 @@ static apr_status_t ssl_io_filter_input( - APR_BRIGADE_INSERT_TAIL(bb, bucket); - } - -+#ifdef HAVE_TLS_NPN -+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if -+ * our version of OpenSSL supports it). If we haven't already, find out -+ * which protocol was decided upon and inform other modules by calling -+ * npn_proto_negotiated_hook. 
*/ -+ if (!inctx->npn_finished) { -+ SSLConnRec *sslconn = myConnConfig(f->c); -+ const unsigned char *next_proto = NULL; -+ unsigned next_proto_len = 0; -+ int n; -+ -+ if (sslconn->npn_negofns) { -+ SSL_get0_next_proto_negotiated( -+ inctx->ssl, &next_proto, &next_proto_len); -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, -+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'", -+ next_proto_len, (const char*)next_proto); -+ -+ for (n = 0; n < sslconn->npn_negofns->nelts; n++) { -+ ssl_npn_proto_negotiated fn = -+ APR_ARRAY_IDX(sslconn->npn_negofns, n, ssl_npn_proto_negotiated); -+ -+ if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE) -+ break; -+ } -+ } -+ -+ inctx->npn_finished = 1; -+ } -+#endif -+ - return APR_SUCCESS; - } - -@@ -1881,6 +1913,7 @@ static void ssl_io_input_add_filter(ssl_ - inctx->block = APR_BLOCK_READ; - inctx->pool = c->pool; - inctx->filter_ctx = filter_ctx; -+ inctx->npn_finished = 0; - } - - /* The request_rec pointer is passed in here only to ensure that the ---- httpd-2.4.6/modules/ssl/ssl_engine_kernel.c.r1332643+ -+++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c -@@ -2161,6 +2161,97 @@ int ssl_callback_SessionTicket(SSL *ssl, - } - #endif /* HAVE_TLS_SESSION_TICKETS */ - -+#ifdef HAVE_TLS_NPN -+/* -+ * This callback function is executed when SSL needs to decide what protocols -+ * to advertise during Next Protocol Negotiation (NPN). It must produce a -+ * string in wire format -- a sequence of length-prefixed strings -- indicating -+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb -+ * in OpenSSL for reference. 
-+ */ -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, -+ unsigned int *size_out, void *arg) -+{ -+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); -+ SSLConnRec *sslconn = myConnConfig(c); -+ apr_array_header_t *protos; -+ int num_protos; -+ unsigned int size; -+ int i; -+ unsigned char *data; -+ unsigned char *start; -+ -+ *data_out = NULL; -+ *size_out = 0; -+ -+ /* If the connection object is not available, or there are no NPN -+ * hooks registered, then there's nothing for us to do. */ -+ if (c == NULL || sslconn->npn_advertfns == NULL) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to -+ * add alternate protocol names to advertise. */ -+ protos = apr_array_make(c->pool, 0, sizeof(char *)); -+ for (i = 0; i < sslconn->npn_advertfns->nelts; i++) { -+ ssl_npn_advertise_protos fn = -+ APR_ARRAY_IDX(sslconn->npn_advertfns, i, ssl_npn_advertise_protos); -+ -+ if (fn(c, protos) == DONE) -+ break; -+ } -+ num_protos = protos->nelts; -+ -+ /* We now have a list of null-terminated strings; we need to concatenate -+ * them together into a single string, where each protocol name is prefixed -+ * by its length. First, calculate how long that string will be. */ -+ size = 0; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ unsigned int length = strlen(string); -+ /* If the protocol name is too long (the length must fit in one byte), -+ * then log an error and skip it. */ -+ if (length > 255) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307) -+ "SSL NPN protocol name too long (length=%u): %s", -+ length, string); -+ continue; -+ } -+ /* Leave room for the length prefix (one byte) plus the protocol name -+ * itself. 
*/ -+ size += 1 + length; -+ } -+ -+ /* If there is nothing to advertise (either because no modules added -+ * anything to the protos array, or because all strings added to the array -+ * were skipped), then we're done. */ -+ if (size == 0) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Now we can build the string. Copy each protocol name string into the -+ * larger string, prefixed by its length. */ -+ data = apr_palloc(c->pool, size * sizeof(unsigned char)); -+ start = data; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ apr_size_t length = strlen(string); -+ if (length > 255) -+ continue; -+ *start = (unsigned char)length; -+ ++start; -+ memcpy(start, string, length * sizeof(unsigned char)); -+ start += length; -+ } -+ -+ /* Success. */ -+ *data_out = data; -+ *size_out = size; -+ return SSL_TLSEXT_ERR_OK; -+} -+ -+#endif /* HAVE_TLS_NPN */ -+ - #ifndef OPENSSL_NO_SRP - - int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) ---- httpd-2.4.6/modules/ssl/ssl_private.h.r1332643+ -+++ httpd-2.4.6/modules/ssl/ssl_private.h -@@ -98,6 +98,8 @@ - #include - #include - -+#include "mod_ssl.h" -+ - /* Avoid tripping over an engine build installed globally and detected - * when the user points at an explicit non-engine flavor of OpenSSL - */ -@@ -139,6 +141,11 @@ - #define HAVE_FIPS - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ -+ && !defined(OPENSSL_NO_TLSEXT) -+#define HAVE_TLS_NPN -+#endif -+ - #if (OPENSSL_VERSION_NUMBER >= 0x10000000) - #define MODSSL_SSL_CIPHER_CONST const - #define MODSSL_SSL_METHOD_CONST const -@@ -487,6 +494,12 @@ typedef struct { - * connection */ - } reneg_state; - -+#ifdef HAVE_TLS_NPN -+ /* Poor man's inter-module optional hooks for NPN. */ -+ apr_array_header_t *npn_advertfns; /* list of ssl_npn_advertise_protos callbacks */ -+ apr_array_header_t *npn_negofns; /* list of ssl_npn_proto_negotiated callbacks. 
*/ -+#endif -+ - server_rec *server; - } SSLConnRec; - -@@ -842,6 +855,7 @@ int ssl_callback_ServerNameIndi - int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, - EVP_CIPHER_CTX *, HMAC_CTX *, int); - #endif -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); - - /** Session Cache Support */ - void ssl_scache_init(server_rec *, apr_pool_t *); diff --git a/httpd-2.4.6-r1530793.patch b/httpd-2.4.6-r1530793.patch deleted file mode 100644 index 6e6ad30..0000000 --- a/httpd-2.4.6-r1530793.patch +++ /dev/null @@ -1,17 +0,0 @@ -# ./pullrev.sh 1530793 - -http://svn.apache.org/viewvc?view=revision&revision=1530793 - ---- httpd-2.4.6/server/core_filters.c -+++ httpd-2.4.6/server/core_filters.c -@@ -779,7 +779,9 @@ - pollset.reqevents = APR_POLLOUT; - pollset.desc.s = s; - apr_socket_timeout_get(s, &timeout); -- rv = apr_poll(&pollset, 1, &nsds, timeout); -+ do { -+ rv = apr_poll(&pollset, 1, &nsds, timeout); -+ } while (APR_STATUS_IS_EINTR(rv)); - if (rv != APR_SUCCESS) { - break; - } diff --git a/httpd-2.4.6-r1537535.patch b/httpd-2.4.6-r1537535.patch deleted file mode 100644 index dc2c6c9..0000000 --- a/httpd-2.4.6-r1537535.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-# ./pullrev.sh 1537535
-
-http://svn.apache.org/viewvc?view=revision&revision=1537535
-
---- httpd-2.4.6/modules/ssl/ssl_engine_config.c.r1537535
-+++ httpd-2.4.6/modules/ssl/ssl_engine_config.c
-@@ -198,7 +198,7 @@ static SSLSrvConfigRec *ssl_config_serve
- SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
- 
- sc->mc = NULL;
-- sc->enabled = SSL_ENABLED_FALSE;
-+ sc->enabled = SSL_ENABLED_UNSET;
- sc->proxy_enabled = UNSET;
- sc->vhost_id = NULL; /* set during module init */
- sc->vhost_id_len = 0; /* set during module init */
---- httpd-2.4.6/modules/ssl/ssl_engine_init.c.r1537535
-+++ httpd-2.4.6/modules/ssl/ssl_engine_init.c
-@@ -289,13 +289,16 @@ int ssl_init_Module(apr_pool_t *p, apr_p
- sc->vhost_id = ssl_util_vhostid(p, s);
- sc->vhost_id_len = strlen(sc->vhost_id);
- 
-- if (ap_get_server_protocol(s) &&
-- strcmp("https", ap_get_server_protocol(s)) == 0) {
-+ /* Default to enabled if SSLEngine is not set explicitly, and
-+ * the protocol is https. */
-+ if (ap_get_server_protocol(s)
-+ && strcmp("https", ap_get_server_protocol(s)) == 0
-+ && sc->enabled == SSL_ENABLED_UNSET) {
- sc->enabled = SSL_ENABLED_TRUE;
- }
- 
-- /* If sc->enabled is UNSET, then SSL is optional on this vhost */
-- /* Fix up stuff that may not have been set */
-+ /* Fix up stuff that may not have been set. If sc->enabled is
-+ * UNSET, then SSL is disabled on this vhost. */
- if (sc->enabled == SSL_ENABLED_UNSET) {
- sc->enabled = SSL_ENABLED_FALSE;
- }
diff --git a/httpd-2.4.7-r1537535.patch b/httpd-2.4.7-r1537535.patch
new file mode 100644
index 0000000..8e51302
--- /dev/null
+++ b/httpd-2.4.7-r1537535.patch
@@ -0,0 +1,38 @@
+# ./pullrev.sh 1537535
+
+http://svn.apache.org/viewvc?view=revision&revision=1537535
+
+--- httpd-2.4.7/modules/ssl/ssl_engine_config.c.r1537535
++++ httpd-2.4.7/modules/ssl/ssl_engine_config.c
+@@ -196,7 +196,7 @@ static SSLSrvConfigRec *ssl_config_serve
+ SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
+ 
+ sc->mc = NULL;
+- sc->enabled = SSL_ENABLED_FALSE;
++ sc->enabled = SSL_ENABLED_UNSET;
+ sc->proxy_enabled = UNSET;
+ sc->vhost_id = NULL; /* set during module init */
+ sc->vhost_id_len = 0; /* set during module init */
+--- httpd-2.4.7/modules/ssl/ssl_engine_init.c.r1537535
++++ httpd-2.4.7/modules/ssl/ssl_engine_init.c
+@@ -115,13 +115,16 @@ int ssl_init_Module(apr_pool_t *p, apr_p
+ sc->vhost_id = ssl_util_vhostid(p, s);
+ sc->vhost_id_len = strlen(sc->vhost_id);
+ 
+- if (ap_get_server_protocol(s) &&
+- strcmp("https", ap_get_server_protocol(s)) == 0) {
++ /* Default to enabled if SSLEngine is not set explicitly, and
++ * the protocol is https. */
++ if (ap_get_server_protocol(s)
++ && strcmp("https", ap_get_server_protocol(s)) == 0
++ && sc->enabled == SSL_ENABLED_UNSET) {
+ sc->enabled = SSL_ENABLED_TRUE;
+ }
+ 
+- /* If sc->enabled is UNSET, then SSL is optional on this vhost */
+- /* Fix up stuff that may not have been set */
++ /* Fix up stuff that may not have been set. If sc->enabled is
++ * UNSET, then SSL is disabled on this vhost. */
+ if (sc->enabled == SSL_ENABLED_UNSET) {
+ sc->enabled = SSL_ENABLED_FALSE;
+ }
diff --git a/httpd-2.4.7-sninotreq.patch b/httpd-2.4.7-sninotreq.patch
new file mode 100644
index 0000000..bb1f3d1
--- /dev/null
+++ b/httpd-2.4.7-sninotreq.patch
@@ -0,0 +1,75 @@
+--- httpd-2.4.7/modules/ssl/ssl_engine_config.c.sninotreq
++++ httpd-2.4.7/modules/ssl/ssl_engine_config.c
+@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_creat
+ mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+ mc->pPool = pool;
+ mc->bFixed = FALSE;
++ mc->sni_required = FALSE;
+ 
+ /*
+ * initialize per-module configuration
+--- httpd-2.4.7/modules/ssl/ssl_engine_init.c.sninotreq
++++ httpd-2.4.7/modules/ssl/ssl_engine_init.c
+@@ -234,7 +234,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
+ /*
+ * Configuration consistency checks
+ */
+- ssl_init_CheckServers(base_server, ptemp);
++ ssl_init_CheckServers(mc, base_server, ptemp);
+ 
+ /*
+ * Announce mod_ssl and SSL library in HTTP Server field
+@@ -1327,7 +1327,7 @@ void ssl_init_ConfigureServer(server_rec
+ }
+ }
+ 
+-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
+ {
+ server_rec *s, *ps;
+ SSLSrvConfigRec *sc;
+@@ -1409,6 +1409,7 @@ void ssl_init_CheckServers(server_rec *b
+ }
+ 
+ if (conflict) {
++ mc->sni_required = TRUE;
+ #ifndef HAVE_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
+ "Init: You should not use name-based "
+--- httpd-2.4.7/modules/ssl/ssl_engine_kernel.c.sninotreq
++++ httpd-2.4.7/modules/ssl/ssl_engine_kernel.c
+@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ }
+ #ifdef HAVE_TLSEXT
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++ if (myModConfig(r->server)->sni_required) {
+ char *host, *scope_id;
+ apr_port_t port;
+ apr_status_t rv;
+@@ -205,6 +206,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ " virtual host");
+ return HTTP_FORBIDDEN;
+ }
++ }
+ #endif
+ SSL_set_app_data2(ssl, r);
+ 
+--- httpd-2.4.7/modules/ssl/ssl_private.h.sninotreq
++++ httpd-2.4.7/modules/ssl/ssl_private.h
+@@ -533,6 +533,7 @@ typedef struct {
+ struct {
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+ } rCtx;
++ BOOL sni_required;
+ } SSLModConfigRec;
+ 
+ /** Structure representing configured filenames for certs and keys for
+@@ -778,7 +779,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
+ int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void ssl_init_Engine(server_rec *, apr_pool_t *);
+ void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+-void ssl_init_CheckServers(server_rec *, apr_pool_t *);
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
+ STACK_OF(X509_NAME)
+ *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
+ void ssl_init_Child(apr_pool_t *, server_rec *);
diff --git a/httpd-2.4.7-sslsninotreq.patch b/httpd-2.4.7-sslsninotreq.patch
new file mode 100644
index 0000000..a5d124b
--- /dev/null
+++ b/httpd-2.4.7-sslsninotreq.patch
@@ -0,0 +1,2 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 15993f1..53ed6f1 100644
diff --git a/httpd.spec b/httpd.spec
index 83b109c..c448ddc 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -14,8 +14,8 @@ Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.6
-Release: 10%{?dist}
+Version: 2.4.7
+Release: 1%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
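Review bot: In the ssl_engine_kernel.c part of httpd-2.4.7-sninotreq.patch the added guard `if (myModConfig(r->server)->sni_required) {` is opened one line after `if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {`, while its closing `}` in the second kernel.c hunk is added after the `return HTTP_FORBIDDEN; }` that ends the `" virtual host"` branch, so the two new braces do not bracket the same statement the deleted httpd-2.4.3-sslsninotreq.patch bracketed (there the guard preceded the servername test and wrapped the whole thing). As far as I recall, in 2.4.7 the "No hostname was provided via SNI ... virtual host" rejection is an `else if` attached to that servername `if` (it is not shown in the hunk); with the new placement the `else` attaches to the inner `sni_required` test instead, so the refusal for requests that sent no servername becomes unreachable and the host/SNI consistency checks are skipped whenever a servername is present but `sni_required` is false. Moving the added line up so `+ if (myModConfig(r->server)->sni_required) {` sits immediately before the `if ((servername = ...` context line, with the hunk header adjusted, restores the 2.4.3 structure. ssl_hook_ReadReq starts and ends outside both hunks.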
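Review bot: httpd-2.4.7-sslsninotreq.patch contains only a `diff --git` line and an `index 15993f1..53ed6f1 100644` line (the header of the deleted 2.4.3 patch) and no hunks, yet the httpd.spec hunks in this commit point `Patch51:` at this file and apply it with `%patch51 -p1 -b .sninotreq`, while httpd-2.4.7-sninotreq.patch, which carries the actual `sni_required` changes, is not referenced by the spec at all. As committed, `patch` will most likely reject the stub as containing no patch data, and if it were accepted 2.4.7 would build without the SNI gating Patch51 is meant to provide. Either change the spec line to `Patch51: httpd-2.4.7-sninotreq.patch` and drop the stub, or move the hunks into the sslsninotreq file so the name the spec uses is the one with content.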
@@ -59,23 +59,21 @@ Patch24: httpd-2.4.1-corelimit.patch
 Patch25: httpd-2.4.1-selinux.patch
 Patch26: httpd-2.4.4-r1337344+.patch
 Patch27: httpd-2.4.2-icons.patch
-Patch28: httpd-2.4.6-r1332643+.patch
 Patch29: httpd-2.4.3-mod_systemd.patch
 Patch30: httpd-2.4.4-cachehardmax.patch
 Patch31: httpd-2.4.6-sslmultiproxy.patch
-Patch32: httpd-2.4.6-r1537535.patch
+Patch32: httpd-2.4.7-r1537535.patch
 # Bug fixes
-Patch51: httpd-2.4.3-sslsninotreq.patch
+Patch51: httpd-2.4.7-sslsninotreq.patch
 Patch55: httpd-2.4.4-malformed-host.patch
 Patch56: httpd-2.4.4-mod_unique_id.patch
-Patch57: httpd-2.4.6-r1530793.patch
 Patch58: httpd-2.4.6-r1534321.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: autoconf, perl, pkgconfig, findutils, xmlto
 BuildRequires: zlib-devel, libselinux-devel, lua-devel
-BuildRequires: apr-devel >= 1.4.0, apr-util-devel >= 1.2.0, pcre-devel >= 5.0
+BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.2.0, pcre-devel >= 5.0
 BuildRequires: systemd-devel
 Requires: /etc/mime.types, system-logos-httpd
 Obsoletes: httpd-suexec
@@ -187,7 +185,6 @@ interface for storing and accessing per-user session data.
 %patch25 -p1 -b .selinux
 %patch26 -p1 -b .r1337344+
 %patch27 -p1 -b .icons
-%patch28 -p1 -b .r1332643+
 %patch29 -p1 -b .systemd
 %patch30 -p1 -b .cachehardmax
 %patch31 -p1 -b .sslmultiproxy
@@ -196,7 +193,6 @@ interface for storing and accessing per-user session data.
 %patch51 -p1 -b .sninotreq
 %patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
-%patch57 -p1 -b .r1530793
 %patch58 -p1 -b .r1534321
 # Patch in the vendor string
@@ -624,6 +620,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 %changelog
+* Wed Nov 27 2013 Joe Orton - 2.4.7-1
+- update to 2.4.7 (#1034071)
+
 * Fri Nov 22 2013 Joe Orton - 2.4.6-10
 - switch to requiring system-logos-httpd (#1031288)
diff --git a/sources b/sources
index 35e4d06..f460c94 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ea5e361ca37b8d7853404419dd502efe httpd-2.4.6.tar.bz2
+170d7fb6fe5f28b87d1878020a9ab94e httpd-2.4.7.tar.bz2