Date:      Sun, 23 Aug 2015 20:29:12 +0000 (UTC)
From:      Olli Hauer <ohauer@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r395128 - in branches/2015Q3/www/apache22: . files
Message-ID:  <201508232029.t7NKTCBI098121@repo.freebsd.org>

Author: ohauer
Date: Sun Aug 23 20:29:11 2015
New Revision: 395128
URL: https://svnweb.freebsd.org/changeset/ports/395128

Log:
  MFH: r393440
  
  - update to 2.2.31
  - remove backports
  - minor cleanups
  - always rebuild configure script
  - add patch for acinclude.m4 [1]
  
  Changes with Apache 2.2.31 [2]
  
    *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
       [Yann Ylavic, Gregg Smith]
  
  Changes with Apache 2.2.30 (not released)
  
    *) SECURITY: CVE-2015-3183 (cve.mitre.org)
       core: Fix chunk header parsing defect.
       Remove apr_brigade_flatten(), buffering and duplicated code from
       the HTTP_IN filter, parse chunks in a single pass with zero copy.
       Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
       authorized characters.  [Graham Leggett, Yann Ylavic]
  
    *) http: Fix LimitRequestBody checks when there is no more bytes to read.
       [Michael Kaufmann <mail michael-kaufmann.ch>]
  
    *) core: Allow spaces after chunk-size for compatibility with implementations
       using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]
  
    *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
       no longer send warning-level unrecognized_name(112) alerts. PR 56241.
       [Kaspar Brand]
  
    *) http: Make ap_die() robust against any HTTP error code and not modify
       response status (finally logged) when nothing is to be done. PR 56035.
       [Yann Ylavic]
  
    *) core, modules: Avoid error response/document handling by the core if some
       handler or input filter already did it while reading the request (causing
       a double response body).  [Yann Ylavic]
  
    *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
       5+ instead of just for FreeBSD 5. PR 53824.  [Jeff Trawick,
       Olli Hauer <ohauer gmx de>]
  
    *) mod_proxy: use the original (non absolute) form of the request-line's URI
       for requests embedded in CONNECT payloads used to connect SSL backends via
       a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms <hendrik.harms
       gmail com>, William Rowe, Yann Ylavic]
  
    *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
       internationalization.  [William Rowe]
  
    *) mod_log_config: Implement logging for sub second timestamps and
       request end time.  [Rainer Jung]
  
    *) mod_log_config: Ensure that time data is consistent if multiple
       duration patterns are used in combination, e.g. %D and %{ms}T.
       [Rainer Jung]
  
    *) mod_log_config: Add "%{UNIT}T" format to output request duration in
       seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
       [Ben Reser, Rainer Jung]
  
    *) In alignment with RFC 7525, the default recommended SSLCipherSuite
       and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
       default recommended SSLProtocol and SSLProxyProtocol directives now
       exclude SSLv3. Existing configurations must be adjusted by the
       administrator. [William Rowe]
  
    *) core: Avoid potential use of uninitialized (NULL) request data in
       request line error path. [Yann Ylavic]
  
    *) mod_proxy_http: Use the "Connection: close" header for requests to
       backends not recycling connections (disablereuse), including the default
       reverse and forward proxies.  [Yann Ylavic]
  
    *) mod_proxy: Add ap_connection_reusable() for checking if a connection
       is reusable as of this point in processing.  [Jeff Trawick]
  
    *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
       graceful restarts, even if new workers are added, old ones removed, or
       the order changes.  [Jan Kaluza, Yann Ylavic]
  
    *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
       PR 57100.  [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
       Yann Ylavic]
  
    *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
       allowing custom parameters to be configured via SSLCertificateFile,
       and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
       Unless custom parameters are configured, the standardized parameters
       are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
  
    *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
       keys, and unconditionally disable aNULL, eNULL and EXP ciphers
       (not overridable via SSLCipherSuite). [Kaspar Brand]
  
    *) mod_ssl: Add support for configuring persistent TLS session ticket
       encryption/decryption keys (useful for clustered environments).
       [Paul Querna, Kaspar Brand]
  
    *) SSLProtocol and SSLCipherSuite recommendations in the example/default
       conf/extra/httpd-ssl.conf file are now global in scope, affecting all
       VirtualHosts (matching 2.4 default configuration). [William Rowe]
  
    *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
       selected DB engine.  PR 46421.  [Jan Kaluza].
  
    *) Turn static function get_server_name_for_url() into public
       ap_get_server_name_for_url() and use it where appropriate. This
       fixes mod_rewrite generating invalid URLs for redirects to IPv6
       literal addresses. PR 52831 [Stefan Fritsch]
  
    *) dav_validate_request: avoid validating locks and ETags when there are
       no If headers providing them on a resource we aren't modifying.
       [Ben Reser]
  
    *) mod_ssl: New directive SSLSessionTickets (On|Off).
       The directive controls the use of TLS session tickets (RFC 5077),
       default value is "On" (unchanged behavior).
       Session ticket creation uses a random key created during web
       server startup and recreated during restarts. No other key
       recreation mechanism is available currently. Therefore using session
       tickets without restarting the web server with an appropriate frequency
       (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
  
    *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
       compile against APR-1.2.x (minimum required version). [Yann Ylavic]
  
    *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
       computed for subsequent requests.  PR 56729.  [Eric Covener]
  
  [1]	https://issues.apache.org/bugzilla/show_bug.cgi?id=58126
  [2]	http://www.apache.org/dist/httpd/CHANGES_2.2.31
  
  With Head apache@
  
  Approved by: 		ports-secteam (delphij@)

Deleted:
  branches/2015Q3/www/apache22/files/patch-CVE-2015-3183
  branches/2015Q3/www/apache22/files/patch-configure
  branches/2015Q3/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c
Modified:
  branches/2015Q3/www/apache22/Makefile
  branches/2015Q3/www/apache22/Makefile.modules
  branches/2015Q3/www/apache22/distinfo
  branches/2015Q3/www/apache22/files/patch-acinclude.m4
  branches/2015Q3/www/apache22/files/patch-configure.in
  branches/2015Q3/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
Directory Properties:
  branches/2015Q3/   (props changed)

Modified: branches/2015Q3/www/apache22/Makefile
==============================================================================
--- branches/2015Q3/www/apache22/Makefile	Sun Aug 23 20:27:29 2015	(r395127)
+++ branches/2015Q3/www/apache22/Makefile	Sun Aug 23 20:29:11 2015	(r395128)
@@ -1,8 +1,8 @@
 # $FreeBSD$
 
 PORTNAME=	apache22
-PORTVERSION=	2.2.29
-PORTREVISION?=	6
+PORTVERSION=	2.2.31
+PORTREVISION?=	0
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}
@@ -20,10 +20,10 @@ CONFLICTS_INSTALL=	caudium14-1.* \
 		apache-*-2.4.* apache24-*-2.4.*
 
 USE_APACHE=	common22
-USES=		tar:bzip2 iconv perl5 libtool cpe autoreconf
+USES=		autoreconf cpe iconv libtool perl5 tar:bzip2
 USE_PERL5=	run
-GNU_CONFIGURE=	yes
 USE_RC_SUBR=	apache22 htcacheclean
+GNU_CONFIGURE=	yes
 
 CPE_VENDOR=	apache
 CPE_PRODUCT=	http_server
@@ -33,6 +33,10 @@ PORTDOCS=	*
 USERS=		www
 GROUPS=		www
 
+# XXX: before running makepatch please run the command
+# `$SED -e 's/PATCH_PATH_SEPARATOR=/PATCH_PATH_SEPARATOR?=/' Mk/bsd.port.mk
+PATCH_PATH_SEPARATOR=	__
+
 # for slave ports
 .if !defined(MASTERDIR)
 APACHEDIR=	${.CURDIR}
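
Review bot: the XXX comment added above PATCH_PATH_SEPARATOR cannot be followed as written: the backtick that opens the command is never closed, and it writes $SED where the rest of this Makefile uses the ${VAR} form. It also asks maintainers to hand-edit Mk/bsd.port.mk before each makepatch run without giving the reason, presumably to keep the existing "__" file names such as patch-docs__conf__extra__httpd-ssl.conf.in. Suggest closing the quote, spelling out the full command as it should be typed, and adding one line on why the override is needed so the workaround can be removed once the framework assignment becomes "?=".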
@@ -130,27 +134,30 @@ pre-everything::
 
 post-extract:
 # remove possible leftover .svn directories in the sources
-	@${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -rf
+	@${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r
 # limit grep results ...
 	${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' -o -name '*.vbs' -o -name '*.wsf' \) -delete
+# make sure the configure script contains our patches,
+# preserve the original script for comparsion
+	-${MV} ${WRKSRC}/configure ${WRKSRC}/configure.upstream
 
-# make qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set
-# use RMDIR in case upstream ever place some files into this dirs
+# make stage-qa script happy, it complains on empty dirs even 'PORTDOCS=*' is set
+# use RMDIR in case upstream ever place some files into this directories
 .for d in xsl/util xsl lang
 	-${RMDIR} ${WRKSRC}/docs/manual/style/${d}
 .endfor
 
 post-patch:
-	@${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c
-# IPv4_mapping fix: https://issues.apache.org/bugzilla/show_bug.cgi?id=53824
-	@${REINPLACE_CMD} -e 's|freebsd5|freebsd|' \
-		-e 's|^perlbin=.*|perlbin=${PERL}|' \
-		${WRKSRC}/configure.in ${WRKSRC}/configure
-	@${RM} -f ${WRKSRC}/docs/docroot/*.bak
+	${REINPLACE_CMD} -e 's," PLATFORM ",FreeBSD,' ${WRKSRC}/server/core.c
+	${REINPLACE_CMD} -e 's|logs/error_log|/var/log/httpd-error.log|' \
+		${WRKSRC}/include/httpd.h
+	${REINPLACE_CMD} -e 's|perlbin=.*|perlbin=${PERL}|' \
+		${WRKSRC}/configure.in
+	${RM} ${WRKSRC}/docs/docroot/*.bak
 	${INSTALL_DATA} ${WRKSRC}/NOTICE ${WRKSRC}/docs/manual
 # we use devel/apr and devel/pcre
-	@${RM} -rf ${WRKSRC}/srclib
-	@${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in
+	${RM} -r ${WRKSRC}/srclib
+	${REINPLACE_CMD} -e 's/srclib//' ${WRKSRC}/Makefile.in
 
 pre-configure::
 	@${ECHO_MSG}	""
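
Review bot: in post-extract, the leading "-" on "-${MV} ${WRKSRC}/configure ${WRKSRC}/configure.upstream" tells make to ignore a failed move, which works against the stated goal of making sure the configure script contains the port's patches; drop the "-" so a failure stops the build, and fix "comparsion" in the comment above it. In post-patch, the perlbin substitution lost its "^" anchor ('s|perlbin=.*|' instead of 's|^perlbin=.*|') and now rewrites any line of configure.in containing "perlbin=", so the anchor should be kept. The new substitution of logs/error_log in include/httpd.h changes the compiled-in default error log path and is not mentioned in the commit log; it deserves its own log line.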
@@ -171,14 +178,8 @@ pre-configure::
 post-configure:
 	@FTPUSERS=`${EGREP} -v '^#' /etc/ftpusers| ${TR} -s "\n" " "` ;\
 		${REINPLACE_CMD} -e "s,%%FTPUSERS%%,$${FTPUSERS}," ${WRKSRC}/docs/conf/extra/httpd-userdir.conf
-	@${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
-	@${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
-
-pre-build:
-.if ${PORT_OPTIONS:MSSL}
-	@${ECHO_MSG}    "===>  Generating unique DH group to mitigate Logjam attack (this will take a while)"
-	(cd ${WRKSRC}/modules/ssl && ${SETENV} HOME=${WRKDIR} ${PERL} ssl_engine_dh.c)
-.endif
+	${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf
+	${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std
 
 post-install:
 	@${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|}
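
Review bot: the removed pre-build target was the step that produced a unique DH group per build ("Generating unique DH group to mitigate Logjam attack"), and the log covers its removal only with "remove backports". Per the 2.2.30 entry quoted in the log, mod_ssl now applies standardized DH parameters chosen by the certificate's key size unless custom parameters are supplied via SSLCertificateFile, so users who relied on the per-build group silently move to shared parameters on upgrade. Suggest saying so in the commit log and pointing to the SSLCertificateFile mechanism in pkg-message or UPDATING.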

Modified: branches/2015Q3/www/apache22/Makefile.modules
==============================================================================
--- branches/2015Q3/www/apache22/Makefile.modules	Sun Aug 23 20:27:29 2015	(r395127)
+++ branches/2015Q3/www/apache22/Makefile.modules	Sun Aug 23 20:29:11 2015	(r395128)
@@ -9,7 +9,7 @@
 # Maintainer note for OPTION handling:
 # To set additional option use
 #    PORT_OPTIONS+=
-# To unset an OPTION, even the OPTION is set in OPTIONSFILE use
+# To unset an OPTION, even the OPTION is set in OPTIONS_FILE use
 #    WITHOUT_MODULES+=
 #  Using OPTIONS_EXCLUDE and OPTIONS_OVERRIDE do not work as expected
 #  if the OPTION is enabled by the user, therefore we calculate

Modified: branches/2015Q3/www/apache22/distinfo
==============================================================================
--- branches/2015Q3/www/apache22/distinfo	Sun Aug 23 20:27:29 2015	(r395127)
+++ branches/2015Q3/www/apache22/distinfo	Sun Aug 23 20:29:11 2015	(r395128)
@@ -1,2 +1,2 @@
-SHA256 (apache22/httpd-2.2.29.tar.bz2) = 574b4f994b99178dfd5160bcb14025402e2ce381be9889b83e4be0ffbf5839a4
-SIZE (apache22/httpd-2.2.29.tar.bz2) = 5625498
+SHA256 (apache22/httpd-2.2.31.tar.bz2) = f32f9d19f535dac63b06cb55dfc023b40dcd28196b785f79f9346779e22f26ac
+SIZE (apache22/httpd-2.2.31.tar.bz2) = 5610489

Modified: branches/2015Q3/www/apache22/files/patch-acinclude.m4
==============================================================================
--- branches/2015Q3/www/apache22/files/patch-acinclude.m4	Sun Aug 23 20:27:29 2015	(r395127)
+++ branches/2015Q3/www/apache22/files/patch-acinclude.m4	Sun Aug 23 20:29:11 2015	(r395128)
@@ -1,12 +1,140 @@
---- acinclude.m4.orig	2012-07-06 15:23:21 UTC
+https://issues.apache.org/bugzilla/show_bug.cgi?id=58126
+==============================================================
+--- acinclude.m4.orig	2015-07-11 23:38:52 UTC
 +++ acinclude.m4
-@@ -455,6 +455,9 @@ if test "x$ap_ssltk_configured" = "x"; t
-     AC_CHECK_HEADERS([openssl/engine.h])
-     AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
-     AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
-+    dnl PR 196256, https://issues.apache.org/bugzilla/show_bug.cgi?id=57395
-+    AC_CHECK_FUNCS([SSL_CTX_use_certificate_chain])
-+    AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_SSL_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
+@@ -4,25 +4,25 @@ dnl Autoconf 2.50 can not handle substr 
+ dnl AC_HELP_STRING, so let's try to call it if we can.
+ dnl Note: this define must be on one line so that it can be properly returned
+ dnl as the help string.
+-AC_DEFUN(APACHE_HELP_STRING,[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[  ]$1 substr([                       ],len($1))$2)])dnl
++AC_DEFUN([APACHE_HELP_STRING],[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[  ]$1 substr([                       ],len($1))$2)])dnl
+ 
+ dnl APACHE_SUBST(VARIABLE)
+ dnl Makes VARIABLE available in generated files
+ dnl (do not use @variable@ in Makefiles, but $(variable))
+-AC_DEFUN(APACHE_SUBST,[
++AC_DEFUN([APACHE_SUBST],[
+   APACHE_VAR_SUBST="$APACHE_VAR_SUBST $1"
+   AC_SUBST($1)
+ ])
+ 
+ dnl APACHE_FAST_OUTPUT(FILENAME)
+ dnl Perform substitutions on FILENAME (Makefiles only)
+-AC_DEFUN(APACHE_FAST_OUTPUT,[
++AC_DEFUN([APACHE_FAST_OUTPUT],[
+   APACHE_FAST_OUTPUT_FILES="$APACHE_FAST_OUTPUT_FILES $1"
+ ])
+ 
+ dnl APACHE_GEN_CONFIG_VARS
+ dnl Creates config_vars.mk
+-AC_DEFUN(APACHE_GEN_CONFIG_VARS,[
++AC_DEFUN([APACHE_GEN_CONFIG_VARS],[
+   APACHE_SUBST(abs_srcdir)
+   APACHE_SUBST(bindir)
+   APACHE_SUBST(sbindir)
+@@ -111,14 +111,14 @@ AC_DEFUN(APACHE_GEN_CONFIG_VARS,[
+ 
+ dnl APACHE_GEN_MAKEFILES
+ dnl Creates Makefiles
+-AC_DEFUN(APACHE_GEN_MAKEFILES,[
++AC_DEFUN([APACHE_GEN_MAKEFILES],[
+   $SHELL $srcdir/build/fastgen.sh $srcdir $ac_cv_mkdir_p $BSD_MAKEFILE $APACHE_FAST_OUTPUT_FILES
+ ])
+ 
+ dnl ## APACHE_OUTPUT(file)
+ dnl ## adds "file" to the list of files generated by AC_OUTPUT
+ dnl ## This macro can be used several times.
+-AC_DEFUN(APACHE_OUTPUT, [
++AC_DEFUN([APACHE_OUTPUT], [
+   APACHE_OUTPUT_FILES="$APACHE_OUTPUT_FILES $1"
+ ])
+ 
+@@ -127,7 +127,7 @@ dnl APACHE_TYPE_RLIM_T
+ dnl
+ dnl If rlim_t is not defined, define it to int
+ dnl
+-AC_DEFUN(APACHE_TYPE_RLIM_T, [
++AC_DEFUN([APACHE_TYPE_RLIM_T], [
+   AC_CACHE_CHECK([for rlim_t], ac_cv_type_rlim_t, [
+     AC_TRY_COMPILE([
+ #include <sys/types.h>
+@@ -145,7 +145,7 @@ AC_DEFUN(APACHE_TYPE_RLIM_T, [
+ ])
+ 
+ dnl APACHE_MODPATH_INIT(modpath)
+-AC_DEFUN(APACHE_MODPATH_INIT,[
++AC_DEFUN([APACHE_MODPATH_INIT],[
+   current_dir=$1
+   modpath_current=modules/$1
+   modpath_static=
+@@ -154,7 +154,7 @@ AC_DEFUN(APACHE_MODPATH_INIT,[
+   > $modpath_current/modules.mk
+ ])dnl
+ dnl
+-AC_DEFUN(APACHE_MODPATH_FINISH,[
++AC_DEFUN([APACHE_MODPATH_FINISH],[
+   echo "DISTCLEAN_TARGETS = modules.mk" >> $modpath_current/modules.mk
+   echo "static = $modpath_static" >> $modpath_current/modules.mk
+   echo "shared = $modpath_shared" >> $modpath_current/modules.mk
+@@ -167,7 +167,7 @@ AC_DEFUN(APACHE_MODPATH_FINISH,[
+ ])dnl
+ dnl
+ dnl APACHE_MODPATH_ADD(name[, shared[, objects [, ldflags[, libs]]]])
+-AC_DEFUN(APACHE_MODPATH_ADD,[
++AC_DEFUN([APACHE_MODPATH_ADD],[
+   if test -z "$3"; then
+     objects="mod_$1.lo"
    else
-     AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
-     AC_CHECK_FUNCS(SSL_set_state)
+@@ -211,7 +211,7 @@ dnl basically: yes/no is a hard setting.
+ dnl            setting. otherwise, fall under the "all" setting.
+ dnl            explicit yes/no always overrides.
+ dnl
+-AC_DEFUN(APACHE_MODULE,[
++AC_DEFUN([APACHE_MODULE],[
+   AC_MSG_CHECKING(whether to enable mod_$1)
+   define([optname],[--]ifelse($5,yes,disable,enable)[-]translit($1,_,-))dnl
+   AC_ARG_ENABLE(translit($1,_,-),APACHE_HELP_STRING(optname(),$2),,enable_$1=ifelse($5,,maybe-all,$5))
+@@ -284,7 +284,7 @@ AC_DEFUN(APACHE_MODULE,[
+ dnl
+ dnl APACHE_ENABLE_MODULES
+ dnl
+-AC_DEFUN(APACHE_ENABLE_MODULES,[
++AC_DEFUN([APACHE_ENABLE_MODULES],[
+   module_selection=default
+   module_default=yes
+ 
+@@ -314,7 +314,7 @@ AC_DEFUN(APACHE_ENABLE_MODULES,[
+   ])
+ ])
+ 
+-AC_DEFUN(APACHE_REQUIRE_CXX,[
++AC_DEFUN([APACHE_REQUIRE_CXX],[
+   if test -z "$apache_cxx_done"; then
+     AC_PROG_CXX
+     AC_PROG_CXXCPP
+@@ -328,7 +328,7 @@ dnl
+ dnl Configure for the detected openssl/ssl-c toolkit installation, giving
+ dnl preference to "--with-ssl=<path>" if it was specified.
+ dnl
+-AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
++AC_DEFUN([APACHE_CHECK_SSL_TOOLKIT],[
+ if test "x$ap_ssltk_configured" = "x"; then
+   dnl initialise the variables we use
+   ap_ssltk_base=""
+@@ -486,14 +486,14 @@ dnl Export (via APACHE_SUBST) the variou
+ dnl apache will use while generating scripts like autoconf and apxs and
+ dnl the default config file.
+ 
+-AC_DEFUN(APACHE_SUBST_EXPANDED_ARG,[
++AC_DEFUN([APACHE_SUBST_EXPANDED_ARG],[
+   APR_EXPAND_VAR(exp_$1, [$]$1)
+   APACHE_SUBST(exp_$1)
+   APR_PATH_RELATIVE(rel_$1, [$]exp_$1, ${prefix})
+   APACHE_SUBST(rel_$1)
+ ])
+ 
+-AC_DEFUN(APACHE_EXPORT_ARGUMENTS,[
++AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[
+   APACHE_SUBST_EXPANDED_ARG(exec_prefix)
+   APACHE_SUBST_EXPANDED_ARG(bindir)
+   APACHE_SUBST_EXPANDED_ARG(sbindir)
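
Review bot: the previous content of this patch file, the hunk at acinclude.m4 line 455 adding AC_CHECK_FUNCS([SSL_CTX_use_certificate_chain]) and the RAND_egd check that defines HAVE_SSL_RAND_EGD (PR 196256), is dropped here and replaced by the AC_DEFUN quoting changes, with nothing in the log beyond "remove backports" to say that 2.2.31 ships those checks itself. Please confirm that against the 2.2.31 acinclude.m4 and note it in the log, since without the checks the corresponding HAVE_ macros are never defined. The new file also puts a bare URL and a "====" line above the "---" header; a short sentence saying what bug 58126 is about would make that header useful to the next maintainer.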

Modified: branches/2015Q3/www/apache22/files/patch-configure.in
==============================================================================
--- branches/2015Q3/www/apache22/files/patch-configure.in	Sun Aug 23 20:27:29 2015	(r395127)
+++ branches/2015Q3/www/apache22/files/patch-configure.in	Sun Aug 23 20:29:11 2015	(r395128)
@@ -37,18 +37,6 @@
                      [--enable-layout=*|\'--enable-layout=*])
    dnl We must be the last to build and the first to be cleaned
    AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util"
-@@ -480,7 +490,10 @@ AC_ARG_ENABLE(v4-mapped,APACHE_HELP_STRI
- ],
- [
-     case $host in
--    *freebsd5*|*netbsd*|*openbsd*)
-+    *freebsd[[1234]].*)
-+        v4mapped=yes
-+        ;;
-+    *freebsd*|*netbsd*|*openbsd*)
-         v4mapped=no
-         ;;
-     *mingw*)
 @@ -678,8 +691,14 @@ AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_pre
  	[Root directory of the Apache install area])
  AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",
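
Review bot: the hunk header that follows the removed block is left unchanged as "@@ -678,8 +691,14 @@", but its +691 offset included the three lines that the removed "@@ -480,7 +490,10 @@" hunk added, so the patch file was edited by hand rather than regenerated and will only apply with an offset. Suggest regenerating patch-configure.in with makepatch against the 2.2.31 sources so the line numbers are accurate and any fuzz is visible at review time. The removal itself matches the upstream FreeBSD v4-mapped entry (PR 53824) quoted in the log.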

Modified: branches/2015Q3/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
==============================================================================
--- branches/2015Q3/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in	Sun Aug 23 20:27:29 2015	(r395127)
+++ branches/2015Q3/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in	Sun Aug 23 20:29:11 2015	(r395128)
@@ -1,50 +1,6 @@
---- docs/conf/extra/httpd-ssl.conf.in.orig	2013-11-11 14:00:57 UTC
+--- docs/conf/extra/httpd-ssl.conf.in.orig	2015-05-27 18:59:59 UTC
 +++ docs/conf/extra/httpd-ssl.conf.in
-@@ -49,6 +49,43 @@ Listen @@SSLPort@@
- AddType application/x-x509-ca-cert .crt
- AddType application/x-pkcs7-crl    .crl
- 
-+#   SSL Cipher Suite:
-+#   List the ciphers that the client is permitted to negotiate,
-+#   and that httpd will negotiate as the client of a proxied server.
-+#   See the OpenSSL documentation for a complete list of ciphers, and
-+#   ensure these follow appropriate best practices for this deployment.
-+#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
-+#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
-+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
-+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
-+
-+#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
-+#  Older ciphers should be disallowed as soon as possible, while the
-+#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
-+#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
-+#  non-browser tooling) from successfully connecting.  
-+#
-+#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
-+#  those protocols which do not support forward secrecy, replace
-+#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
-+#  the following two directives, as soon as practical.
-+# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-+# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-+
-+#   User agents such as web browsers are not configured for the user's
-+#   own preference of either security or performance, therefore this
-+#   must be the prerogative of the web server administrator who manages
-+#   cpu load versus confidentiality, so enforce the server's cipher order.
-+SSLHonorCipherOrder on 
-+
-+#   SSL Protocol support:
-+#   List the protocol versions which clients are allowed to connect with.
-+#   Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0)
-+#   should be disabled as quickly as practical.  By the end of 2016, only
-+#   the TLSv1.2 protocol or later should remain in use.
-+SSLProtocol all -SSLv2 -SSLv3
-+SSLProxyProtocol all -SSLv2 -SSLv3
-+
- #   Pass Phrase Dialog:
- #   Configure the pass phrase gathering process.
- #   The filtering dialog program (`builtin' is a internal
-@@ -77,36 +114,13 @@ SSLMutex  "file:@exp_runtimedir@/ssl_mut
+@@ -114,8 +114,8 @@ SSLMutex  "file:@exp_runtimedir@/ssl_mut
  DocumentRoot "@exp_htdocsdir@"
  ServerName www.example.com:@@SSLPort@@
  ServerAdmin you@example.com
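
Review bot: the block removed from this patch was the only place the port set "SSLHonorCipherOrder on" together with "SSLProtocol all -SSLv2 -SSLv3" and the "!RC4" cipher lists in the sample httpd-ssl.conf. The log states that the upstream template now excludes RC4, MD5 and SSLv3, but it says nothing about SSLHonorCipherOrder, so please confirm the 2.2.31 httpd-ssl.conf.in still enforces the server's cipher order before dropping the local copy. Since the log also notes that existing configurations must be adjusted by the administrator, a pkg-message or UPDATING entry listing these directives would help users whose installed httpd-ssl.conf predates them.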
@@ -55,35 +11,7 @@
  
  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
- SSLEngine on
- 
--#   SSL Protocol support:
--#   List the protocol versions which clients are allowed to
--#   connect with. Disable SSLv2 by default (cf. RFC 6176).
--SSLProtocol all -SSLv2
--
--#   SSL Cipher Suite:
--#   List the ciphers that the client is permitted to negotiate.
--#   See the mod_ssl documentation for a complete list.
--SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
--
--#   Speed-optimized SSL Cipher configuration:
--#   If speed is your main concern (on busy HTTPS servers e.g.),
--#   you might want to force clients to specific, performance
--#   optimized ciphers. In this case, prepend those ciphers
--#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
--#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
--#   (as in the example below), most connections will no longer
--#   have perfect forward secrecy - if the server's key is
--#   compromised, captures of past or future traffic must be
--#   considered compromised, too.
--#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
--#SSLHonorCipherOrder on 
-- 
- #   Server Certificate:
- #   Point SSLCertificateFile at a PEM encoded certificate.  If
- #   the certificate is encrypted, then you will be prompted for a
-@@ -249,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \
+@@ -263,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \
  #   Per-Server Logging:
  #   The home of a custom SSL log file. Use this when you want a
  #   compact non-error SSL logfile on a virtual host basis.


