Difference Between Revision 5 and Kolab:3.4/httpd
apache2.dsc
Changed
@@ -2,7 +2,7 @@ Source: apache2 Binary: apache2.2-common, apache2.2-bin, apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event, apache2-mpm-itk, apache2-utils, apache2-suexec, apache2-suexec-custom, apache2, apache2-doc, apache2-prefork-dev, apache2-threaded-dev, apache2-dbg Architecture: any all -Version: 2.2.22-13.2+deb7u3 +Version: 2.2.22-13.2+deb7u7 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Steinar H. Gunderson <sesse@debian.org>, Arno Töll <arno@debian.org> Homepage: http://httpd.apache.org/
debian.changelog
Changed
@@ -1,3 +1,79 @@ +apache2 (2.2.22-13.2+deb7u7) wheezy-security; urgency=high + + * Non-maintainer upload. + * Merge patches from Debian 2.2.22-13+deb7u7. + + -- Christoph Erhardt <kolab@sicherha.de> Sun, 11 Sep 2016 20:50:48 +0200 + +apache2 (2.2.22-13+deb7u7) wheezy-security; urgency=high + + * Non-maintainer upload. + * CVE-2016-5387: Sets environmental variable based on user supplied Proxy + request header. + Don't pass through HTTP_PROXY in server/util_script.c + + -- Salvatore Bonaccorso <carnil@debian.org> Wed, 20 Jul 2016 07:03:46 +0200 + +apache2 (2.2.22-13.2+deb7u6) wheezy-security; urgency=medium + + * Non-maintainer upload. + * Merge patches from Debian 2.2.22-13+deb7u6. + + -- Christoph Erhardt <kolab@sicherha.de> Tue, 18 Aug 2015 17:15:25 +0200 + +apache2 (2.2.22-13+deb7u6) wheezy-security; urgency=medium + + * Fix regression causing spurious errors when loading certificate chain. + Closes: #794383 + + -- Stefan Fritsch <sf@debian.org> Tue, 18 Aug 2015 11:41:11 +0200 + +apache2 (2.2.22-13.2+deb7u5) wheezy-security; urgency=medium + + * Non-maintainer upload. + * Merge patches from Debian 2.2.22-13+deb7u5. + + -- Christoph Erhardt <kolab@sicherha.de> Wed, 05 Aug 2015 10:10:27 +0200 + +apache2 (2.2.22-13+deb7u5) wheezy-security; urgency=medium + + * CVE-2015-3183: Fix request smuggling via chunked transfer encoding. + Backported by Marc Deslauriers. + * Don't limit default DH parameters to 1024 bits. Closes: #780398 + This may cause problems with some Java based clients. A work-around is to + configure these client not to use DHE key exchange but use ECDHE or RSA + instead. + A server-side work-around that limits the DH parameters to 1024 bits for + all clients is described at + http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh . + * Backport support for adding DH parameters to the SSLCertificateFile. 
+ + -- Stefan Fritsch <sf@debian.org> Sat, 01 Aug 2015 22:08:57 +0200 + +apache2 (2.2.22-13.2+deb7u4) wheezy; urgency=medium + + * Non-maintainer upload. + * Merge patches from Debian 2.2.22-13+deb7u4. + + -- Christoph Erhardt <kolab@sicherha.de> Mon, 12 Jan 2015 13:59:06 +0100 + +apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium + + * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could + use this flaw to bypass intended mod_headers restrictions, allowing + them to send requests to applications that include headers that should + have been removed by mod_headers. + The new behavior is to not merge trailers into the headers autmatically. + A new directive "MergeTrailers" is introduced to restore the old + behavior. + * Fix hostname comparison with SNI to be case insensitive. Closes: #771199 + * Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15). + Closes: #773841 + * Add paragraph about session ticket key life-time and forward secrecy to + README.Debian. Closes: #762619 + + -- Stefan Fritsch <sf@debian.org> Tue, 23 Dec 2014 23:44:24 +0100 + apache2 (2.2.22-13.2+deb7u3) wheezy-security; urgency=high * Non-maintainer upload.
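Review bot: two typos in the new deb7u4 entry, "autmatically" and "valule" (for "automatically" and "value"), and "configure these client" in the deb7u5 entry should read "these clients"; the changelog ships in the binary package as changelog.Debian.gz, so it is worth fixing before upload. Otherwise the merge entries are consistent: each Kolab 13.2+deb7uN entry names the Debian 13+deb7uN it merges, and the top version 2.2.22-13.2+deb7u7 matches the Version field changed in apache2.dsc.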
debian.tar.gz/README.Debian
Changed
@@ -11,6 +11,9 @@ Enabling SSL Creating self-signed certificates SSL workaround for MSIE + ECC keys and ECDH ciphers + Session ticket key life-time and forward secrecy + DH parameters Suexec @@ -246,6 +249,30 @@ A special compatibility fix for older Safari browsers is enabled if using an up-to-date libssl-1.0.0 (version 1.0.1e-2+deb7u8 or newer). +Session ticket key life-time and forward secrecy +------------------------------------------------ + +Apache uses TLS session tickets to improve handshake performance. By default, a +new session key key is (re-)generated at startup and at every graceful restart. +This means that an attacker that somehow gets access to the memory of the +running apache process may decrypt past connections that have used the current +session ticket key. This breaks forward secrecy even if the used cipher would +have provided forward secrecy. There is currently no way to change Apache's +behavior. If you want to mitigate this kind of attack, you should consider +increasing the frequency of graceful restarts by changing the log rotation in +/etc/logrotate.d/apache2 from weekly to daily. + +DH parameters +------------- + +The package in Debian has support for Diffie-Hellman (DH) parameters larger +than 1024 bit and for custom DH parameters backported from Apache 2.2.30. +This may cause connection failures with java clients that only support 1024 +bit DH parameters. A work-around is to configure these client not to use DHE +key exchange but use ECDHE or RSA instead. A server-side work-around that +limits the DH parameters to 1024 bits for all clients is described at +http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh + Suexec ======
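Review bot: in the new "Session ticket key life-time and forward secrecy" section, "a new session key key is (re-)generated" repeats "key", and in the "DH parameters" section "configure these client" should be "these clients" ("java clients" is normally capitalised "Java"). On substance the section is accurate for this 2.2 package: the ticket key is regenerated only at startup and on graceful restart, so more frequent graceful restarts are the only available mitigation; it would help readers to say explicitly that the logrotate change works because its postrotate action performs a graceful restart, so they do not reach for a full restart instead.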
debian.tar.gz/patches/CVE-2013-5704_trailers.patch
Added
@@ -0,0 +1,383 @@ +# http://svn,apache.org/r1619489 +# +# *) SECURITY: CVE-2013-5704 (cve.mitre.org) +# core: HTTP trailers could be used to replace HTTP headers +# late during request processing, potentially undoing or +# otherwise confusing modules that examined or modified +# request headers earlier. Adds "MergeTrailers" directive to restore +# legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] +# +Index: apache2/modules/loggers/mod_log_config.c +=================================================================== +--- apache2.orig/modules/loggers/mod_log_config.c ++++ apache2/modules/loggers/mod_log_config.c +@@ -412,6 +412,12 @@ + return ap_escape_logitem(r->pool, apr_table_get(r->headers_in, a)); + } + ++static const char *log_trailer_in(request_rec *r, char *a) ++{ ++ return ap_escape_logitem(r->pool, apr_table_get(r->trailers_in, a)); ++} ++ ++ + static APR_INLINE char *find_multiple_headers(apr_pool_t *pool, + const apr_table_t *table, + const char *key) +@@ -495,6 +501,11 @@ + return ap_escape_logitem(r->pool, cp); + } + ++static const char *log_trailer_out(request_rec *r, char *a) ++{ ++ return ap_escape_logitem(r->pool, apr_table_get(r->trailers_out, a)); ++} ++ + static const char *log_note(request_rec *r, char *a) + { + return ap_escape_logitem(r->pool, apr_table_get(r->notes, a)); +@@ -813,7 +824,7 @@ + static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa) + { + const char *s = *sa; +- ap_log_handler *handler; ++ ap_log_handler *handler = NULL; + + if (*s != '%') { + return parse_log_misc_string(p, it, sa); +@@ -883,7 +894,16 @@ + break; + + default: +- handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); ++ /* check for '^' + two character format first */ ++ if (*s == '^' && *(s+1) && *(s+2)) { ++ handler = (ap_log_handler *)apr_hash_get(log_hash, s, 3); ++ if (handler) { ++ s += 3; ++ } ++ } ++ if (!handler) { ++ handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); ++ } + if (!handler) { + 
char dummy[2]; + +@@ -1389,7 +1409,7 @@ + log_struct->func = handler; + log_struct->want_orig_default = def; + +- apr_hash_set(log_hash, tag, 1, (const void *)log_struct); ++ apr_hash_set(log_hash, tag, strlen(tag), (const void *)log_struct); + } + static ap_log_writer_init* ap_log_set_writer_init(ap_log_writer_init *handle) + { +@@ -1558,6 +1578,9 @@ + log_pfn_register(p, "U", log_request_uri, 1); + log_pfn_register(p, "s", log_status, 1); + log_pfn_register(p, "R", log_handler, 1); ++ ++ log_pfn_register(p, "^ti", log_trailer_in, 0); ++ log_pfn_register(p, "^to", log_trailer_out, 0); + } + + /* reset to default conditions */ +Index: apache2/modules/http/http_request.c +=================================================================== +--- apache2.orig/modules/http/http_request.c ++++ apache2/modules/http/http_request.c +@@ -384,8 +384,10 @@ + new->main = r->main; + + new->headers_in = r->headers_in; ++ new->trailers_in = r->trailers_in; + new->headers_out = apr_table_make(r->pool, 12); + new->err_headers_out = r->err_headers_out; ++ new->trailers_out = apr_table_make(r->pool, 5); + new->subprocess_env = rename_original_env(r->pool, r->subprocess_env); + new->notes = apr_table_make(r->pool, 5); + +@@ -495,6 +497,8 @@ + r->headers_out); + r->err_headers_out = apr_table_overlay(r->pool, rr->err_headers_out, + r->err_headers_out); ++ r->trailers_out = apr_table_overlay(r->pool, rr->trailers_out, ++ r->trailers_out); + r->subprocess_env = apr_table_overlay(r->pool, rr->subprocess_env, + r->subprocess_env); + +Index: apache2/modules/http/http_filters.c +=================================================================== +--- apache2.orig/modules/http/http_filters.c ++++ apache2/modules/http/http_filters.c +@@ -206,6 +206,49 @@ + } + + ++static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, ++ apr_bucket_brigade *b, int merge) ++{ ++ int rv; ++ apr_bucket *e; ++ request_rec *r = f->r; ++ apr_table_t *saved_headers_in = r->headers_in; ++ int 
saved_status = r->status; ++ ++ r->status = HTTP_OK; ++ r->headers_in = r->trailers_in; ++ apr_table_clear(r->headers_in); ++ ctx->state = BODY_NONE; ++ ap_get_mime_headers(r); ++ ++ if(r->status == HTTP_OK) { ++ r->status = saved_status; ++ e = apr_bucket_eos_create(f->c->bucket_alloc); ++ APR_BRIGADE_INSERT_TAIL(b, e); ++ ctx->eos_sent = 1; ++ rv = APR_SUCCESS; ++ } ++ else { ++ const char *error_notes = apr_table_get(r->notes, ++ "error-notes"); ++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ++ "Error while reading HTTP trailer: %i%s%s", ++ r->status, error_notes ? ": " : "", ++ error_notes ? error_notes : ""); ++ rv = APR_EINVAL; ++ } ++ ++ if(!merge) { ++ r->headers_in = saved_headers_in; ++ } ++ else { ++ r->headers_in = apr_table_overlay(r->pool, saved_headers_in, ++ r->trailers_in); ++ } ++ ++ return rv; ++} ++ + /* This is the HTTP_INPUT filter for HTTP requests and responses from + * proxied servers (mod_proxy). It handles chunked and content-length + * bodies. This can only be inserted/used after the headers +@@ -215,6 +258,7 @@ + ap_input_mode_t mode, apr_read_type_e block, + apr_off_t readbytes) + { ++ core_server_config *conf; + apr_bucket *e; + http_ctx_t *ctx = f->ctx; + apr_status_t rv; +@@ -222,6 +266,9 @@ + int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; + apr_bucket_brigade *bb; + ++ conf = (core_server_config *) ++ ap_get_module_config(f->r->server->module_config, &core_module); ++ + /* just get out of the way of things we don't want. */ + if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { + return ap_get_brigade(f->next, b, mode, block, readbytes); +@@ -395,13 +442,8 @@ + } + + if (!ctx->remaining) { +- /* Handle trailers by calling ap_get_mime_headers again! 
*/ +- ctx->state = BODY_NONE; +- ap_get_mime_headers(f->r); +- e = apr_bucket_eos_create(f->c->bucket_alloc); +- APR_BRIGADE_INSERT_TAIL(b, e); +- ctx->eos_sent = 1; +- return APR_SUCCESS; ++ return read_chunked_trailers(ctx, f, b, ++ conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); + } + } + } +@@ -501,13 +543,8 @@ + } +
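Review bot: the reference URL in the patch header reads "http://svn,apache.org/r1619489" with a comma in place of the first dot; fix it so the origin resolves. The new http_filters.c code reads conf->merge_trailers and compares it with AP_MERGE_TRAILERS_ENABLE, and the changelog announces a "MergeTrailers" directive, but the core hunks that add that field, enum and directive are not in the visible part of this truncated diff; confirm they are present in the full patch, otherwise this will not compile. Minor style: "if(r->status == HTTP_OK)" and "if(!merge)" lack the space after "if" used elsewhere in the file. The behavioural change itself is right: with merging disabled, read_chunked_trailers parses the trailers into r->trailers_in and then restores r->headers_in from saved_headers_in, so a trailer can no longer reintroduce a header that mod_headers removed earlier in the request, and the new "%{...}^ti" / "%{...}^to" log items let operators see which trailers clients are actually sending.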
debian.tar.gz/patches/CVE-2015-3183.patch
Added
@@ -0,0 +1,801 @@ +Description: fix request smuggling via chunked transfer encoding +Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1687338 +Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1687339 +Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1688936 +Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1689522 + +Index: apache2-2.2.22/modules/http/http_filters.c +=================================================================== +--- apache2-2.2.22.orig/modules/http/http_filters.c 2015-07-24 09:33:00.000000000 -0400 ++++ apache2-2.2.22/modules/http/http_filters.c 2015-07-24 13:06:08.276786883 -0400 +@@ -56,27 +56,33 @@ + #include <unistd.h> + #endif + +-#define INVALID_CHAR -2 +- +-static long get_chunk_size(char *); +- +-typedef struct http_filter_ctx { ++typedef struct http_filter_ctx ++{ + apr_off_t remaining; + apr_off_t limit; + apr_off_t limit_used; +- enum { +- BODY_NONE, +- BODY_LENGTH, +- BODY_CHUNK, +- BODY_CHUNK_PART ++ apr_int32_t chunk_used; ++ apr_int32_t chunk_bws; ++ apr_int32_t chunkbits; ++ enum ++ { ++ BODY_NONE, /* streamed data */ ++ BODY_LENGTH, /* data constrained by content length */ ++ BODY_CHUNK, /* chunk expected */ ++ BODY_CHUNK_PART, /* chunk digits */ ++ BODY_CHUNK_EXT, /* chunk extension */ ++ BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */ ++ BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */ ++ BODY_CHUNK_DATA, /* data constrained by chunked encoding */ ++ BODY_CHUNK_END, /* chunked data terminating CRLF */ ++ BODY_CHUNK_END_LF, /* got CR after data, expect LF */ ++ BODY_CHUNK_TRAILER /* trailers */ + } state; +- int eos_sent; +- char chunk_ln[32]; +- char *pos; +- apr_off_t linesize; ++ unsigned int eos_sent :1; + apr_bucket_brigade *bb; + } http_ctx_t; + ++/* bail out if some error in the HTTP input filter happens */ + static apr_status_t bail_out_on_error(http_ctx_t *ctx, + ap_filter_t *f, + int http_error) +@@ 
-92,119 +98,162 @@ + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + ctx->eos_sent = 1; ++ /* If chunked encoding / content-length are corrupt, we may treat parts ++ * of this request's body as the next one's headers. ++ * To be safe, disable keep-alive. ++ */ ++ f->r->connection->keepalive = AP_CONN_CLOSE; + return ap_pass_brigade(f->r->output_filters, bb); + } + +-static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx, +- apr_bucket_brigade *b, +- int linelimit) ++/** ++ * Parse a chunk line with optional extension, detect overflow. ++ * There are two error cases: ++ * 1) If the conversion would require too many bits, APR_EGENERAL is returned. ++ * 2) If the conversion used the correct number of bits, but an overflow ++ * caused only the sign bit to flip, then APR_ENOSPC is returned. ++ * In general, any negative number can be considered an overflow error. ++ */ ++static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, ++ apr_size_t len, int linelimit) + { +- apr_status_t rv; +- apr_off_t brigade_length; +- apr_bucket *e; +- const char *lineend; +- apr_size_t len; ++ apr_size_t i = 0; + +- /* +- * As the brigade b should have been requested in mode AP_MODE_GETLINE +- * all buckets in this brigade are already some type of memory +- * buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE) +- * or META buckets. +- */ +- rv = apr_brigade_length(b, 0, &brigade_length); +- if (rv != APR_SUCCESS) { +- return rv; +- } +- /* Sanity check. Should never happen. See above. */ +- if (brigade_length == -1) { +- return APR_EGENERAL; +- } +- if (!brigade_length) { +- return APR_EAGAIN; +- } +- ctx->linesize += brigade_length; +- if (ctx->linesize > linelimit) { +- return APR_ENOSPC; +- } +- /* +- * As all buckets are already some type of memory buckets or META buckets +- * (see above), we only need to check the last byte in the last data bucket. 
+- */ +- for (e = APR_BRIGADE_LAST(b); +- e != APR_BRIGADE_SENTINEL(b); +- e = APR_BUCKET_PREV(e)) { ++ while (i < len) { ++ char c = buffer[i]; ++ ++ ap_xlate_proto_from_ascii(&c, 1); + +- if (APR_BUCKET_IS_METADATA(e)) { ++ /* handle CRLF after the chunk */ ++ if (ctx->state == BODY_CHUNK_END ++ || ctx->state == BODY_CHUNK_END_LF) { ++ if (c == LF) { ++ ctx->state = BODY_CHUNK; ++ } ++ else if (c == CR && ctx->state == BODY_CHUNK_END) { ++ ctx->state = BODY_CHUNK_END_LF; ++ } ++ else { ++ /* ++ * LF expected. ++ */ ++ return APR_EINVAL; ++ } ++ i++; + continue; + } +- rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ); +- if (rv != APR_SUCCESS) { +- return rv; ++ ++ /* handle start of the chunk */ ++ if (ctx->state == BODY_CHUNK) { ++ if (!apr_isxdigit(c)) { ++ /* ++ * Detect invalid character at beginning. This also works for ++ * empty chunk size lines. ++ */ ++ return APR_EINVAL; ++ } ++ else { ++ ctx->state = BODY_CHUNK_PART; ++ } ++ ctx->remaining = 0; ++ ctx->chunkbits = sizeof(apr_off_t) * 8; ++ ctx->chunk_used = 0; ++ ctx->chunk_bws = 0; + } +- if (len > 0) { +- break; /* we got the data we want */ ++ ++ if (c == LF) { ++ if (ctx->remaining) { ++ ctx->state = BODY_CHUNK_DATA; ++ } ++ else { ++ ctx->state = BODY_CHUNK_TRAILER; ++ } + } +- /* If we got a zero-length data bucket, we try the next one */ +- } +- /* We had no data in this brigade */ +- if (!len || e == APR_BRIGADE_SENTINEL(b)) { +- return APR_EAGAIN; +- } +- if (lineend[len - 1] != APR_ASCII_LF) { +- return APR_EAGAIN; +- } +- /* Line is complete. So reset ctx->linesize for next round. */ +- ctx->linesize = 0; +- return APR_SUCCESS; +-} ++ else if (ctx->state == BODY_CHUNK_LF) { ++ /* ++ * LF expected. ++ */ ++ return APR_EINVAL; ++ } ++ else if (c == CR) { ++ ctx->state = BODY_CHUNK_LF; ++ } ++ else if (c == ';') { ++ ctx->state = BODY_CHUNK_EXT;
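Review bot: the state machine in parse_chunk_size accepts a bare LF as a line terminator at the two points visible here (BODY_CHUNK_END goes to BODY_CHUNK on LF with no preceding CR, and BODY_CHUNK_PART goes to BODY_CHUNK_DATA or BODY_CHUNK_TRAILER on LF), so httpd stays more lenient than the CRLF that RFC 7230 requires; that is upstream's choice, but since request smuggling is exactly a disagreement between two parsers, it deserves a line in the Description so operators with a stricter front-end proxy know where the two can differ. The added "f->r->connection->keepalive = AP_CONN_CLOSE" in bail_out_on_error is the essential defensive piece: once the chunk framing is malformed, the remainder of the body must never be reparsed as the next request's headers on the same connection. The comment above parse_chunk_size describes APR_EGENERAL and APR_ENOSPC overflow returns, but the visible portion only returns APR_EINVAL; the hex-digit accumulation that consumes ctx->chunkbits is in the truncated remainder of the diff, so review that part in the full patch.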
debian.tar.gz/patches/CVE-2016-5387.patch
Added
@@ -0,0 +1,17 @@ +--- a/server/util_script.c ++++ b/server/util_script.c +@@ -180,6 +180,14 @@ AP_DECLARE(void) ap_add_common_vars(requ + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them
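Review bot: unlike CVE-2015-3183.patch, this patch carries no DEP-3 header (Description, Origin, Bug); add at least the CVE and the upstream origin so the series stays self-documenting. The fix is correctly placed: the empty "else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }" arm sits in the else-if chain ahead of the generic branch that exports remaining request headers as HTTP_* variables, so, as the added comment says, a client-supplied Proxy header no longer becomes HTTP_PROXY in the environment of CGI children (the issue widely known as "httpoxy"). The "#ifndef SECURITY_HOLE_PASS_PROXY" escape hatch is upstream's and must stay undefined in the Debian build.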
debian.tar.gz/patches/DH-SSLCertificateFile.patch
Added
@@ -0,0 +1,1373 @@ +# DP: backport support for adding DH parameters to the SSLCertificateFile + +--- a/docs/manual/mod/mod_ssl.html.en ++++ b/docs/manual/mod/mod_ssl.html.en +@@ -388,12 +388,47 @@ SSLCertificateChainFile /usr/local/apach + <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> + </table> + <p> +-This directive points to the PEM-encoded Certificate file for the server and +-optionally also to the corresponding RSA or DSA Private Key file for it +-(contained in the same file). If the contained Private Key is encrypted the +-Pass Phrase dialog is forced at startup time. This directive can be used up to +-two times (referencing different filenames) when both a RSA and a DSA based +-server certificate is used in parallel.</p> ++This directive points to a file with certificate data in PEM format. ++At a minimum, the file must include an end-entity (leaf) certificate. ++The directive can be used up to three times (referencing different filenames) ++when an RSA, a DSA, and an ECC based server certificate is used in parallel. ++</p> ++ ++<p> ++Custom DH parameters and an EC curve name for ephemeral keys, ++can be added to end of the first file configured using ++<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>. ++Such parameters can be generated using the commands ++<code>openssl dhparam</code> and <code>openssl ecparam</code>. ++The parameters can be added as-is to the end of the first ++certificate file. Only the first file can be used for custom ++parameters, as they are applied independently of the authentication ++algorithm type. ++</p> ++ ++<p> ++Finally the the end-entity certificate's private key can also be ++added to the certificate file instead of using a separate ++<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> ++directive. This practice is highly discouraged. 
If the private ++key is encrypted, the pass phrase dialog is forced at startup time. ++</p> ++ ++<div class="note"> ++<h3>DH parameter interoperability with primes > 1024 bit</h3> ++<p> ++Beginning with version 2.2.30, mod_ssl makes use of ++standardized DH parameters with prime lengths of 2048, 3072, 4096, 6144 and ++8192 bits (from <a href="http://www.ietf.org/rfc/rfc3526.txt">RFC 3526</a>), ++and hands them out to clients based on the length of the certificate's RSA/DSA ++key. ++With Java-based clients in particular (Java 7 or earlier), this may lead ++to handshake failures - see this ++<a href="../ssl/ssl_faq.html#javadh">FAQ answer</a> for working around ++such issues. ++</p> ++</div> ++ + <div class="example"><h3>Example</h3><p><code> + SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt + </code></p></div> +@@ -409,18 +444,22 @@ SSLCertificateFile /usr/local/apache2/co + <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> + </table> + <p> +-This directive points to the PEM-encoded Private Key file for the +-server. If the Private Key is not combined with the Certificate in the +-<code class="directive">SSLCertificateFile</code>, use this additional directive to +-point to the file with the stand-alone Private Key. When +-<code class="directive">SSLCertificateFile</code> is used and the file +-contains both the Certificate and the Private Key this directive need +-not be used. But we strongly discourage this practice. Instead we +-recommend you to separate the Certificate and the Private Key. If the +-contained Private Key is encrypted, the Pass Phrase dialog is forced +-at startup time. This directive can be used up to two times +-(referencing different filenames) when both a RSA and a DSA based +-private key is used in parallel.</p> ++This directive points to the PEM-encoded private key file for the ++server. 
If the contained private key is encrypted, the pass phrase ++dialog is forced at startup time.</p> ++ ++<p> ++The directive can be used up to three times (referencing different filenames) ++when an RSA, a DSA, and an ECC based private key is used in parallel. For each ++<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> ++directive, there must be a matching <code class="directive">SSLCertificateFile</code> ++directive.</p> ++ ++<p> ++The private key may also be combined with the certificate in the file given by ++<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>, but this practice ++is highly discouraged.</p> ++ + <div class="example"><h3>Example</h3><p><code> + SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key + </code></p></div> +@@ -1886,6 +1925,6 @@ SSLVerifyDepth 10 + <div class="bottomlang"> + <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a></p> + </div><div id="footer"> +-<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> ++<p class="apache">Copyright 2015 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> + <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> + </body></html> +\ No newline at end of file +--- a/docs/manual/ssl/ssl_faq.html.en ++++ b/docs/manual/ssl/ssl_faq.html.en +@@ -675,6 +675,7 @@ HTTPS to an Apache+mod_ssl server with M + <li><a href="#nn">Why do I get I/O errors, or the message "Netscape has + encountered bad data from the server", when connecting via + HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li> 
++<li><a href="#javadh">Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?</a></li> + </ul> + + <h3><a name="random" id="random">Why do I get lots of random SSL protocol +@@ -907,6 +908,40 @@ HTTPS to an Apache+mod_ssl server with N + implementation is correct, so when you encounter I/O errors with Netscape + Navigator it is usually caused by the configured certificates.</p> + ++ ++<h3><a name="javadh" id="javadh">Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?</a></h3> ++ <p>Beginning with version 2.2.30, ++ <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> will use DH parameters which include primes ++ with lengths of more than 1024 bits. Java 7 and earlier limit their ++ support for DH prime sizes to a maximum of 1024 bits, however.</p> ++ ++ <p>If your Java-based client aborts with exceptions such as ++ <code>java.lang.RuntimeException: Could not generate DH keypair</code> and ++ <code>java.security.InvalidAlgorithmParameterException: Prime size must be ++ multiple of 64, and can only range from 512 to 1024 (inclusive)</code>, ++ and httpd logs <code>tlsv1 alert internal error (SSL alert number 80)</code> ++ (at <code class="directive"><a href="../mod/core.html#loglevel">LogLevel</a></code> <code>info</code> ++ or higher), you can either rearrange mod_ssl's cipher list with ++ <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> ++ (possibly in conjunction with <code class="directive"><a href="../mod/mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder</a></code>), ++ or you can use custom DH parameters with a 1024-bit prime, which ++ will always have precedence over any of the built-in DH parameters.</p> ++ ++ <p>To generate custom DH parameters, use the <code>openssl dhparam 1024</code> ++ command. 
Alternatively, you can use the following standard 1024-bit DH ++ parameters from <a href="http://www.ietf.org/rfc/rfc2409.txt">RFC 2409</a>, ++ section 6.2:</p> ++ <div class="example"><pre>-----BEGIN DH PARAMETERS----- ++MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR ++Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL ++/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC ++-----END DH PARAMETERS-----</pre></div> ++ <p>Add the custom parameters including the "BEGIN DH PARAMETERS" and ++ "END DH PARAMETERS" lines to the end of the first certificate file ++ you have configured using the ++ <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive.</p> ++ ++ + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> + <div class="section"> + <h2><a name="support" id="support">mod_ssl Support</a></h2> +@@ -1054,6 +1089,6 @@ the reason for my core dump?</a></h3> + <div class="bottomlang"> + <p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p> + </div><div id="footer"> +-<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> ++<p class="apache">Copyright 2015 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> + <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> + </body></html> +\ No newline at end of file +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -422,15 +422,6 @@ int ssl_init_ssl_connection(conn_rec *c) + + sslconn->ssl = ssl; + +- /* +- * Configure callbacks for SSL connection +- */ +- 
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); +- SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); +-#ifndef OPENSSL_NO_EC +- SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); +-#endif +- + SSL_set_verify_result(ssl, X509_V_OK); + + ssl_io_filter_init(c, ssl); +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -76,8 +76,6 @@ SSLModConfigRec *ssl_config_global_creat + mc->szCryptoDevice = NULL; + #endif + +- memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); +- + apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY, + apr_pool_cleanup_null, + pool); +--- a/modules/ssl/ssl_engine_dh.c ++++ b/modules/ssl/ssl_engine_dh.c +@@ -41,21 +41,9 @@ + ** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70: + ** e6:aa:87:10:33 + ** generator: 2 (0x2) +-** Diffie-Hellman-Parameters: (1024 bit) +-** prime:
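Review bot: two wording slips in the added mod_ssl.html.en text: "can be added to end of the first file" is missing "the", and "Finally the the end-entity certificate's private key" doubles "the". The mod_ssl.c hunk removes the per-connection SSL_set_tmp_rsa_callback, SSL_set_tmp_dh_callback and SSL_set_tmp_ecdh_callback calls and ssl_engine_config.c drops the pTmpKeys initialisation, but the replacement (context-level setup that reads the DH parameters and EC curve appended to the first SSLCertificateFile) lies in the truncated part of this 1373-line patch; the backport has to be applied as a unit, since removing the callbacks alone would leave the server without ephemeral DH keys. Worth stating in the Description that the RFC 2409 1024-bit group quoted in the FAQ is a compatibility workaround for Java 7 and earlier only and should not be the default.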
debian.tar.gz/patches/SNI_case_insensitve.diff
Added
@@ -0,0 +1,13 @@ +# https://svn.apache.org/viewvc?view=revision&revision=r1515565 +# http://bugs.debian.org/771199 +--- apache2.orig/modules/ssl/ssl_engine_kernel.c ++++ apache2/modules/ssl/ssl_engine_kernel.c +@@ -136,7 +136,7 @@ int ssl_hook_ReadReq(request_rec *r) + if (rv != APR_SUCCESS || scope_id) { + return HTTP_BAD_REQUEST; + } +- if (strcmp(host, servername)) { ++ if (strcasecmp(host, servername)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Hostname %s provided via SNI and hostname %s provided" + " via HTTP are different", servername, host);
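Review bot: the filename SNI_case_insensitve.diff misspells "insensitive", and debian/patches/series references it under the same misspelling, so renaming means changing both. The one-line change is right: DNS host names are case-insensitive, so strcmp rejected legitimate requests whose Host header differed from the SNI name only in case, and strcasecmp being ASCII-only is sufficient here because IDN names reach the server in their punycode (A-label) form. The first header URL ends in "revision=r1515565", while every other viewvc Origin on this page uses the bare number; drop the "r" for consistency.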
debian.tar.gz/patches/SSL_CTX_use_certificate_clear_errors.diff
Added
@@ -0,0 +1,21 @@ +# fix spurious errors during startup +# Print detailed info in case of error. +# +# http://bugs.debian.org/794383 +--- apache2.orig/modules/ssl/ssl_engine_init.c ++++ apache2/modules/ssl/ssl_engine_init.c +@@ -675,12 +675,14 @@ static void ssl_init_ctx_cert_chain(serv + } + } + ++ ERR_clear_error(); + n = SSL_CTX_use_certificate_chain(mctx->ssl_ctx, + (char *)chain, + skip_first, NULL); + if (n < 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Failed to configure CA certificate chain!"); ++ ERR_print_errors_fp(stderr); + ssl_die(); + } +
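Review bot: ERR_print_errors_fp(stderr) writes to the process's stderr rather than the httpd error log; at startup stderr may still be the terminal or the init system's capture, so the detailed reason can land somewhere operators do not look. Consider draining ERR_get_error() and passing each entry through ap_log_error with the same APLOG_MARK/APLOG_ERR as the message above it. The ERR_clear_error() before SSL_CTX_use_certificate_chain is the actual fix for #794383: its placement shows that stale entries left on OpenSSL's error queue by earlier calls were being read as a failure of the chain load, which is what produced the spurious errors.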
debian.tar.gz/patches/mod_ssl_SSL_CLIENT_S_DN_UID.diff
Added
@@ -0,0 +1,13 @@ +# http://svn.apache.org/viewvc?view=revision&revision=1445112 +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773841 +--- apache2.orig/modules/ssl/ssl_engine_vars.c ++++ apache2/modules/ssl/ssl_engine_vars.c +@@ -431,7 +431,7 @@ static const struct { + { "S", NID_surname, 1 }, + { "D", NID_description, 1 }, + #ifdef NID_userId +- { "UID", NID_x500UniqueIdentifier, 1 }, ++ { "UID", NID_userId, 1 }, + #endif + { "Email", NID_pkcs9_emailAddress, 1 }, + { NULL, 0, 0 }
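Review bot: the "#ifdef NID_userId" guard and the NID it protects now agree; previously the guard tested NID_userId but the table mapped "UID" to NID_x500UniqueIdentifier, so SSL_CLIENT_S_DN_UID exposed the wrong attribute (the changelog dates this regression to 2.2.15). Because SSL_CLIENT_S_DN_UID is commonly consumed by applications for client-certificate authorisation, any deployment that has been matching on the x500UniqueIdentifier value will see the variable change after this upload; say so in the changelog entry or NEWS.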
debian.tar.gz/patches/series
Changed
@@ -45,3 +45,10 @@ CVE-2014-0226_scoreboard.patch CVE-2014-0231_mod_cgid-DoS.patch CVE-2014-0118_mod_deflate-DoS.patch +CVE-2013-5704_trailers.patch +SNI_case_insensitve.diff +mod_ssl_SSL_CLIENT_S_DN_UID.diff +DH-SSLCertificateFile.patch +CVE-2015-3183.patch +SSL_CTX_use_certificate_clear_errors.diff +CVE-2016-5387.patch
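Review bot: the entry SNI_case_insensitve.diff carries the same misspelling as the file it names, so both must change together if it is ever renamed. The ordering is sound: CVE-2013-5704_trailers.patch precedes CVE-2015-3183.patch, and both modify modules/http/http_filters.c, so the later patch's context must have been generated on top of the earlier one, and CVE-2016-5387.patch last matches the changelog sequence.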