Date:      Tue, 31 Jan 2012 21:19:25 -0500
From:      "Philip M. Gollucci" <pgollucci@taximagic.com>
To:        Jason Helfman <jgh@freebsd.org>
Cc:        FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject:   Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Message-ID:  <4F28A12D.2080504@p6m7g8.com>
In-Reply-To: <201202010011.q110Btm0002906@freefall.freebsd.org>
References:  <201202010011.q110Btm0002906@freefall.freebsd.org>

Do not change this file.  You're reverting a local change we've pulled 
from trunk svn for security.

Please commit the rest of the patch with my review / hat.



> ===================================================================
> RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
> retrieving revision 1.3
> diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
> --- files/patch-docs__conf__extra__httpd-ssl.conf.in	23 Jan 2012 23:24:38 -0000	1.3
> +++ files/patch-docs__conf__extra__httpd-ssl.conf.in	1 Feb 2012 00:05:53 -0000
> @@ -1,58 +1,22 @@
> ---- ./docs/conf/extra/httpd-ssl.conf.in.orig	2008-02-04 23:00:07.000000000 +0000
> -+++ ./docs/conf/extra/httpd-ssl.conf.in	2012-01-23 23:20:06.446390870 +0000
> -@@ -77,17 +77,35 @@
> +--- ./docs/conf/extra/httpd-ssl.conf.in.orig	2012-01-31 15:16:43.000000000 -0800
> ++++ ./docs/conf/extra/httpd-ssl.conf.in	2012-01-31 15:17:47.000000000 -0800
> +@@ -77,8 +77,8 @@
>    DocumentRoot "@exp_htdocsdir@"
>    ServerName www.example.com:@@SSLPort@@
>    ServerAdmin you@example.com
>   -ErrorLog "@exp_logfiledir@/error_log"
>   -TransferLog "@exp_logfiledir@/access_log"
> -+ErrorLog "@exp_logfiledir@/httpd-error.log"
> -+TransferLog "@exp_logfiledir@/httpd-access.log"
> ++ErrorLog "@exp_logfiledir@/httpd-error_log"
> ++TransferLog "@exp_logfiledir@/httpd-access_log"
>
>    #   SSL Engine Switch:
>    #   Enable/Disable SSL for this virtual host.
> - SSLEngine on
> -
> -+#   SSL Protocol support:
> -+#   List the protocol versions which clients are allowed to
> -+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
> -+SSLProtocol all -SSLv2
> -+
> - #   SSL Cipher Suite:
> - #   List the ciphers that the client is permitted to negotiate.
> - #   See the mod_ssl documentation for a complete list.
> --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> -+
> -+#   Speed-optimized SSL Cipher configuration:
> -+#   If speed is your main concern (on busy HTTPS servers e.g.),
> -+#   you might want to force clients to specific, performance
> -+#   optimized ciphers. In this case, prepend those ciphers
> -+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> -+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
> -+#   (as in the example below), most connections will no longer
> -+#   have perfect forward secrecy - if the server's key is
> -+#   compromised, captures of past or future traffic must be
> -+#   considered compromised, too.
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
> -+#SSLHonorCipherOrder on
> -
> - #   Server Certificate:
> - #   Point SSLCertificateFile at a PEM encoded certificate.  If
> -@@ -218,14 +236,14 @@
> - #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
> - #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
> - #   "force-response-1.0" for this.
> --BrowserMatch ".*MSIE.*" \
> -+BrowserMatch "MSIE [2-5]" \
> -          nokeepalive ssl-unclean-shutdown \
> -          downgrade-1.0 force-response-1.0
> -
> +@@ -243,7 +243,7 @@
>    #   Per-Server Logging:
>    #   The home of a custom SSL log file. Use this when you want a
>    #   compact non-error SSL logfile on a virtual host basis.
>   -CustomLog "@exp_logfiledir@/ssl_request_log" \
> -+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
> ++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \
>              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>    </VirtualHost>
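Review bot: The replacement of files/patch-docs__conf__extra__httpd-ssl.conf.in drops the three hardening hunks the old revision carried, and that regression is the main problem with this hunk: the added `SSLProtocol all -SSLv2` directive (the RFC 6176 comment goes with it), the tightened `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` in place of the stock `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` list that still admits LOW, EXP and eNULL ciphers, and the narrowed `BrowserMatch "MSIE [2-5]"` in place of `".*MSIE.*"`. The new 22-line patch keeps only the log-file renames, so those three hunks need to be carried forward rather than silently reverted. A secondary style point: the rename switches the suffix from `.log` (`httpd-error.log`, `httpd-access.log`, `httpd-ssl_request.log`) to `_log` (`httpd-error_log`, `httpd-access_log`, `httpd-ssl_request_log`); whichever convention the port's other config patches use should be followed consistently, and since the final path is what newsyslog and log monitoring key on, a change to it should be called out in the commit log.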


-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member,                           Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Director Operations,              Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.