Date: Tue, 31 Jan 2012 22:17:35 -0500
From: "Philip M. Gollucci" <pgollucci@taximagic.com>
To: Jason Helfman <jgh@FreeBSD.org>
Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Message-ID: <4F28AECF.4060109@taximagic.com>
In-Reply-To: <CAMuy=%2Bgy9Z7Ec=-6xQ5roqa9mAELahDRv1mG1ph2bfhy47CRtA@mail.gmail.com>
References: <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com> <CAMuy=%2Bgy9Z7Ec=-6xQ5roqa9mAELahDRv1mG1ph2bfhy47CRtA@mail.gmail.com>
On 1/31/12 10:15 PM, Jason Helfman wrote: > > > On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci > <pgollucci@taximagic.com <mailto:pgollucci@taximagic.com>> wrote: > > Do not change this file. You're reverting a local change we've > pulled from trunk svn for security. > > Please commit the rest of the patch with my review / hat. > > > > ==============================__==============================__======= > RCS file: > /home/pcvs/ports/www/apache22/__files/patch-docs__conf__extra____httpd-ssl.conf.in > <http://patch-docs__conf__extra__httpd-ssl.conf.in>,v > retrieving revision 1.3 > diff -u -r1.3 patch-docs__conf__extra____httpd-ssl.conf.in > <http://patch-docs__conf__extra__httpd-ssl.conf.in> > --- files/patch-docs__conf__extra____httpd-ssl.conf.in > <http://patch-docs__conf__extra__httpd-ssl.conf.in> 23 Jan > 2012 23:24:38 -0000 1.3 > +++ files/patch-docs__conf__extra____httpd-ssl.conf.in > <http://patch-docs__conf__extra__httpd-ssl.conf.in> 1 Feb > 2012 00:05:53 -0000 
> @@ -1,58 +1,22 @@ > ---- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2008-02-04 > 23:00:07.000000000 +0000 > -+++ ./docs/conf/extra/httpd-ssl.__conf.in > <http://httpd-ssl.conf.in> 2012-01-23 23 > <tel:2012-01-23%2023>:20:06.446390870 +0000 > -@@ -77,17 +77,35 @@ > +--- ./docs/conf/extra/httpd-ssl.__conf.in.orig 2012-01-31 15 > <tel:2012-01-31%2015>:16:43.000000000 -0800 > ++++ ./docs/conf/extra/httpd-ssl.__conf.in > <http://httpd-ssl.conf.in> 2012-01-31 15 > <tel:2012-01-31%2015>:17:47.000000000 -0800 > +@@ -77,8 +77,8 @@ > DocumentRoot "@exp_htdocsdir@" > ServerName www.example.com:@@SSLPort@@ > ServerAdmin you@example.com <mailto:you@example.com> > -ErrorLog "@exp_logfiledir@/error_log" > -TransferLog "@exp_logfiledir@/access_log" > -+ErrorLog "@exp_logfiledir@/httpd-error.__log" > -+TransferLog "@exp_logfiledir@/httpd-__access.log" > ++ErrorLog "@exp_logfiledir@/httpd-error___log" > ++TransferLog "@exp_logfiledir@/httpd-__access_log" > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > - SSLEngine on > - > -+# SSL Protocol support: > -+# List the protocol versions which clients are allowed to > -+# connect with. Disable SSLv2 by default (cf. RFC 6176). > -+SSLProtocol all -SSLv2 > -+ > - # SSL Cipher Suite: > - # List the ciphers that the client is permitted to negotiate. > - # See the mod_ssl documentation for a complete list. > --SSLCipherSuite > ALL:!ADH:!EXPORT56:RC4+RSA:+__HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:__+eNULL > -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 > -+ > -+# Speed-optimized SSL Cipher configuration: > -+# If speed is your main concern (on busy HTTPS servers e.g.), > -+# you might want to force clients to specific, performance > -+# optimized ciphers. In this case, prepend those ciphers > -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. 
> -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA > -+# (as in the example below), most connections will no longer > -+# have perfect forward secrecy - if the server's key is > -+# compromised, captures of past or future traffic must be > -+# considered compromised, too. > -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:__MEDIUM:!aNULL:!MD5 > -+#SSLHonorCipherOrder on > - > - # Server Certificate: > - # Point SSLCertificateFile at a PEM encoded certificate. If > -@@ -218,14 +236,14 @@ > - # Similarly, one has to force some clients to use HTTP/1.0 > to workaround > - # their broken HTTP/1.1 implementation. Use variables > "downgrade-1.0" and > - # "force-response-1.0" for this. > --BrowserMatch ".*MSIE.*" \ > -+BrowserMatch "MSIE [2-5]" \ > - nokeepalive ssl-unclean-shutdown \ > - downgrade-1.0 force-response-1.0 > - > +@@ -243,7 +243,7 @@ > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > -CustomLog "@exp_logfiledir@/ssl_request___log" \ > -+CustomLog "@exp_logfiledir@/httpd-ssl___request.log" \ > ++CustomLog "@exp_logfiledir@/httpd-ssl___request_log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > > </VirtualHost> > _________________________________________________ > freebsd-apache@freebsd.org <mailto:freebsd-apache@freebsd.org> > mailing list > http://lists.freebsd.org/__mailman/listinfo/freebsd-__apache > <http://lists.freebsd.org/mailman/listinfo/freebsd-apache> > To unsubscribe, send any mail to > "freebsd-apache-unsubscribe@__freebsd.org > <mailto:freebsd-apache-unsubscribe@freebsd.org>" > > > > -- > ------------------------------__------------------------------__------------ > 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C > Philip M. Gollucci (pgollucci@p6m7g8.com > <mailto:pgollucci@p6m7g8.com>) c: 703.336.9354 <tel:703.336.9354> > Member, Apache Software Foundation > Committer, FreeBSD Foundation > Consultant, P6M7G8 Inc. 
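Review bot: the new revision of the port's patch file silently drops three hunks that the old revision carried against docs/conf/extra/httpd-ssl.conf.in, namely the added `SSLProtocol all -SSLv2` line, the replacement of the `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` cipher list with `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5`, and the narrowing of `BrowserMatch ".*MSIE.*"` to `BrowserMatch "MSIE [2-5]"`; since the thread disagrees on whether these settings now ship in the 2.2.22 tarball, the PR should show the corresponding lines of the new upstream httpd-ssl.conf.in before the hunks are removed, and any setting that is not present upstream must stay in the port's patch rather than be reverted. The surviving hunks also change the installed log names from httpd-error.log, httpd-access.log and httpd-ssl_request.log to httpd-error_log, httpd-access_log and httpd-ssl_request_log, which is unrelated to the 2.2.22 update and affects any existing log-rotation configuration that references the old names; keep the old names here or split the rename into its own change.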
> Director Operations, Ridecharge Inc.
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>
>
> I will be glad to do that, however it didn't patch cleanly. The
> additions were in the downloaded source, unless I am mistaken.
> Can you please verify?

I'm wiped tonight. I'll peek Wednesday am. Ping me if you don't hear from me tomorrow.

> -jgh