[Pkg-apache-commits] r1050 - in /trunk/apache2: NEWS README.Debian changelog patches/00list patches/070_better_missing_cert_error_msg.dpatch
sf at alioth.debian.org
Wed Sep 16 18:35:35 UTC 2009
Author: sf
Date: Wed Sep 16 18:35:35 2009
New Revision: 1050
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1050
Log:
improve error message and add info about incompatible ssl configuration changes
Added:
trunk/apache2/patches/070_better_missing_cert_error_msg.dpatch
Modified:
trunk/apache2/NEWS
trunk/apache2/README.Debian
trunk/apache2/changelog
trunk/apache2/patches/00list
Modified: trunk/apache2/NEWS
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/NEWS?rev=1050&op=diff
==============================================================================
--- trunk/apache2/NEWS (original)
+++ trunk/apache2/NEWS Wed Sep 16 18:35:35 2009
@@ -1,3 +1,45 @@
+apache2 (2.2.13-2) unstable; urgency=low
+
+ * The new support for TLS Server Name Indication added in 2.2.12 causes
+ Apache to be stricter about certain misconfigurations involving name
+ based SSL virtual hosts. This may result in Apache refusing to start
+ with the logged error message:
+
+ Server should be SSL-aware but has no certificate configured
+ [Hint: SSLCertificateFile]
+
+ Up to 2.2.11, Apache accepted configurations where the necessary SSL
+ configuration statements were included in the first (default)
+ <Virtualhost *:443> block but not in subsequent <Virtualhost *:443>
+ blocks. Starting with 2.2.12, every VirtualHost block used with SSL must
+ contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile
+ directives (SSLCertificateKeyFile is optional in some cases).
+
+ When you encounter the above problem, the output of the command
+
+ egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
+ /etc/apache2/*conf* /etc/apache2/*enabled
+
+ may be useful to determine which VirtualHost sections need to be changed.
+
+ Also, formerly accidentially working constructs like
+
+ <VirtualHost *:80 *:443>
+
+ where one virtual host definition is used for both a non-ssl and a ssl
+ virtual host do not work anymore. You can achieve a similar effect with
+
+ <VirtualHost *:80>
+ Include /.../vhost.include
+ </VirtualHost>
+ <VirtualHost *:443>
+ SSLEngine on
+ SSLCertificateFile ...
+ Include /.../vhost.include
+ </VirtualHost>
+
+ -- Stefan Fritsch <sf at debian.org> Wed, 16 Sep 2009 20:14:59 +0200
+
apache2 (2.2.9-3) unstable; urgency=low
* The directive "NameVirtualHost *" has been changed to "NameVirtualHost
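Review bot: In the paragraph that introduces `<VirtualHost *:80 *:443>`, "accidentially" should be "accidentally", and the two `<Virtualhost *:443>` mentions in the earlier paragraph should use the `<VirtualHost ...>` capitalisation that the examples further down use. The suggested replacement block shows only `SSLEngine on` and `SSLCertificateFile ...`; since the text above says SSLCertificateKeyFile is required except in some cases, consider adding an `SSLCertificateKeyFile ...` line to the example or stating that it is left out on purpose.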
Modified: trunk/apache2/README.Debian
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/README.Debian?rev=1050&op=diff
==============================================================================
--- trunk/apache2/README.Debian (original)
+++ trunk/apache2/README.Debian Wed Sep 16 18:35:35 2009
@@ -335,3 +335,9 @@
On the other hand, errors about to adding to a pollset are related to the
setting fs.epoll.max_user_watches. On most systems, max_user_watches should be
high enough by default.
+
+7) Message "Server should be SSL-aware but has no certificate configured" in
+ error log
+
+Since 2.2.12, Apache is stricter about certain misconfigurations concerning
+name based SSL virtual hosts. See NEWS.Debian.gz for more details.
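Review bot: The new item 7 names the error message but gives the reader nothing to act on, and it does not mention that, with the 070 patch added in this same commit, the message now ends with the file and line of the affected VirtualHost. Suggest adding one sentence saying that every VirtualHost block used with SSL needs its own SSLEngine and SSLCertificateFile statements, and giving the full path of NEWS.Debian.gz rather than the bare file name.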
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1050&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Wed Sep 16 18:35:35 2009
@@ -1,5 +1,9 @@
apache2 (2.2.13-2) UNRELEASED; urgency=low
+ * Add entries to NEWS.Debian and README.Debian about Apache being stricter
+ about certain misconfigurations involving name based SSL virtual hosts.
+ Also make Apache print the location of the misconfigured VirtualHost when
+ it complains about a missing SSLCertificateFile statement. Closes: #541607
* Add Build-Conflicts: autoconf2.13 (closes: #541536).
* Adjust priority of apache2-mpm-itk to extra.
* Switch apache2.2-common and the four mpm packages from architecture all to
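Review bot: The new entry writes "Closes: #541607" while the entry directly below it uses "(closes: #541536)"; use one form within the same changelog stanza. The entry also folds the documentation change and the code change into a single bullet; naming 070_better_missing_cert_error_msg.dpatch in it would make the code change easier to trace later.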
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1050&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Wed Sep 16 18:35:35 2009
@@ -19,6 +19,7 @@
067_fix_segfault_in_ab.dpatch
068_mod_dav_detect_EOF.dpatch
069_no_deflate_for_HEAD.dpatch
+070_better_missing_cert_error_msg.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: trunk/apache2/patches/070_better_missing_cert_error_msg.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/070_better_missing_cert_error_msg.dpatch?rev=1050&op=file
==============================================================================
--- trunk/apache2/patches/070_better_missing_cert_error_msg.dpatch (added)
+++ trunk/apache2/patches/070_better_missing_cert_error_msg.dpatch Wed Sep 16 18:35:35 2009
@@ -1,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: print the file and line number of the virtual host when
+## DP: SSLCertificateFile is missing (#541607)
+
+ at DPATCH@
+--- a/modules/ssl/ssl_engine_pphrase.c.dist 2006-07-23 13:11:58.000000000 +0200
++++ a/modules/ssl/ssl_engine_pphrase.c 2009-09-06 21:51:26.000000000 +0200
+@@ -188,7 +188,8 @@
+ if (sc->server->pks->cert_files[0] == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ,
+ "Server should be SSL-aware but has no certificate "
+- "configured [Hint: SSLCertificateFile]");
++ "configured [Hint: SSLCertificateFile] (%s:%d)",
++ pServ->defn_name, pServ->defn_line_number);
+ ssl_die();
+ }
+ algoCert = SSL_ALGO_UNKNOWN;
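Review bot: In the changed ap_log_error() call, pServ->defn_name is passed to %s without any check; please confirm that every server_rec that can reach this branch has defn_name set, or fall back to a fixed string when it is NULL, so the log line always ends in a usable location. Separately, the embedded patch header uses the a/ prefix on both the --- and +++ lines and the --- path carries a .dist suffix; a conventional a/ and b/ pair on the same file name would be clearer for anyone applying the patch by hand.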