[SCM] Debian packaging for apache2 branch, master, updated. debian/2.2.22-3-49-g80d139c
Stefan Fritsch
sf at sfritsch.de
Mon Jul 30 19:41:02 UTC 2012
The following commit has been merged in the master branch:
commit a06d536fcf3fbf202ffef6690159d7a35835c566
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Mon Jul 30 21:14:12 2012 +0200
Add support for TLSv1.0 and TLSv1.1 to SSLProtocol and SSLProxyProtocol
directives
diff --git a/debian/changelog b/debian/changelog
index 94b018d..c4987b3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
-apache2 (2.2.22-10) unstable; urgency=low
+apache2 (2.2.22-10) UNRELEASED; urgency=low
+ [ Arno Töll ]
* Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
perl module imports to make use Digest::SHA shipped with perl 5.10 (Closes:
#682401)
@@ -7,6 +8,10 @@ apache2 (2.2.22-10) unstable; urgency=low
with ext3" by changing the default to more moderate values. Note, some file
systems have a hard limit of supported subdirectories (Closes: #682840)
+ [ Stefan Fritsch ]
+ * Add support for TLSv1.0 ans TLSv1.1 to SSLProtocol and SSLProxyProtocol
+ directives. Closes: #682897
+
-- Arno Töll <arno at debian.org> Thu, 26 Jul 2012 17:10:35 +0200
apache2 (2.2.22-9) unstable; urgency=low
diff --git a/debian/patches/SSLProtocol-tls11-12.2.patch b/debian/patches/SSLProtocol-tls11-12.2.patch
new file mode 100644
index 0000000..f483728
--- /dev/null
+++ b/debian/patches/SSLProtocol-tls11-12.2.patch
@@ -0,0 +1,183 @@
+Description: Support TLSv1.1 and TLSv1.2 in SSLProtocol directive
+Forwarded: not-needed
+Author: kbrand at apache.org, wrowe at apache.org
+Last-Update: 2012-07-30
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682897
+#
+# This patch encompases backports from 2.4 branch;
+#
+# http://svn.apache.org/viewvc?view=revision&revision=1222921
+# http://svn.apache.org/viewvc?view=revision&revision=1222930
+#
+# However, it also accounts for the fact that SSLv2 support
+# remains present in httpd-2.2 branch and makes no changes
+# which changes the existing configuration behavior, with
+# the exception of adding TLS1.1 and TLS1.2 by default.)
+#
+Index: apache2/modules/ssl/ssl_private.h
+===================================================================
+--- apache2.orig/modules/ssl/ssl_private.h
++++ apache2/modules/ssl/ssl_private.h
+@@ -59,6 +59,11 @@
+ /** mod_ssl headers */
+ #include "ssl_toolkit_compat.h"
+ #include "ssl_expr.h"
++
++#ifdef SSL_OP_NO_TLSv1_2
++#define HAVE_TLSV1_X
++#endif
++
+ #include "ssl_util_ssl.h"
+
+ /** The #ifdef macros are only defined AFTER including the above
+@@ -215,13 +220,22 @@
+ * Define the SSL Protocol options
+ */
+ #define SSL_PROTOCOL_NONE (0)
++#ifndef OPENSSL_NO_SSL2
+ #define SSL_PROTOCOL_SSLV2 (1<<0)
++#endif
+ #define SSL_PROTOCOL_SSLV3 (1<<1)
+ #define SSL_PROTOCOL_TLSV1 (1<<2)
+-#ifndef OPENSSL_NO_SSL2
+-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
++#ifdef OPENSSL_NO_SSL2
++#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#else
++#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#endif
++#ifdef HAVE_TLSV1_X
++#define SSL_PROTOCOL_TLSV1_1 (1<<3)
++#define SSL_PROTOCOL_TLSV1_2 (1<<4)
++#define SSL_PROTOCOL_ALL (SSL_MOST_ALL|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+ #else
+-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
++#define SSL_PROTOCOL_ALL (SSL_MOST_ALL)
+ #endif
+ typedef int ssl_proto_t;
+
+Index: apache2/modules/ssl/ssl_engine_init.c
+===================================================================
+--- apache2.orig/modules/ssl/ssl_engine_init.c
++++ apache2/modules/ssl/ssl_engine_init.c
+@@ -456,9 +456,15 @@
+ }
+
+ cp = apr_pstrcat(p,
++#ifndef OPENSSL_NO_SSL2
+ (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
++#endif
+ (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+ (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
++#ifdef HAVE_TLSV1_X
++ (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
++ (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
++#endif
+ NULL);
+ cp[strlen(cp)-2] = NUL;
+
+@@ -474,6 +480,19 @@
+ }
+ else
+ #endif
++#ifdef HAVE_TLSV1_X
++ if (protocol == SSL_PROTOCOL_TLSV1_1) {
++ method = mctx->pkp ?
++ TLSv1_1_client_method() : /* proxy */
++ TLSv1_1_server_method(); /* server */
++ }
++ else if (protocol == SSL_PROTOCOL_TLSV1_2) {
++ method = mctx->pkp ?
++ TLSv1_2_client_method() : /* proxy */
++ TLSv1_2_server_method(); /* server */
++ }
++ else
++#endif
+ {
+ method = mctx->pkp ?
+ SSLv23_client_method() : /* proxy */
+@@ -485,9 +504,11 @@
+
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
+
++#ifndef OPENSSL_NO_SSL2
+ if (!(protocol & SSL_PROTOCOL_SSLV2)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ }
++#endif
+
+ if (!(protocol & SSL_PROTOCOL_SSLV3)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+@@ -497,6 +518,16 @@
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ }
+
++#ifdef HAVE_TLSV1_X
++ if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
++ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
++ }
++
++ if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
++ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
++ }
++#endif
++
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+Index: apache2/modules/ssl/ssl_engine_config.c
+===================================================================
+--- apache2.orig/modules/ssl/ssl_engine_config.c
++++ apache2/modules/ssl/ssl_engine_config.c
+@@ -1277,8 +1277,9 @@
+ if (action != '-') {
+ return "SSLv2 not supported by this version of OpenSSL";
+ }
+-#endif
++#else
+ thisopt = SSL_PROTOCOL_SSLV2;
++#endif
+ }
+ else if (strcEQ(w, "SSLv3")) {
+ thisopt = SSL_PROTOCOL_SSLV3;
+@@ -1286,6 +1287,14 @@
+ else if (strcEQ(w, "TLSv1")) {
+ thisopt = SSL_PROTOCOL_TLSV1;
+ }
++#ifdef HAVE_TLSV1_X
++ else if (strcEQ(w, "TLSv1.1")) {
++ thisopt = SSL_PROTOCOL_TLSV1_1;
++ }
++ else if (strcEQ(w, "TLSv1.2")) {
++ thisopt = SSL_PROTOCOL_TLSV1_2;
++ }
++#endif
+ else if (strcEQ(w, "all")) {
+ thisopt = SSL_PROTOCOL_ALL;
+ }
+Index: apache2/modules/ssl/mod_ssl.c
+===================================================================
+--- apache2.orig/modules/ssl/mod_ssl.c
++++ apache2/modules/ssl/mod_ssl.c
+@@ -142,8 +142,8 @@
+ "SSL Session Cache object lifetime "
+ "(`N' - number of seconds)")
+ SSL_CMD_SRV(Protocol, RAW_ARGS,
+- "Enable or disable various SSL protocols"
+- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++ "Enable or disable various SSL protocols "
++ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
+ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+@@ -160,8 +160,8 @@
+ "SSL switch for the proxy protocol engine "
+ "(`on', `off')")
+ SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+- "SSL Proxy: enable or disable SSL protocol flavors "
+- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++ "SSL Proxy: enable or disable SSL protocol flavors "
++ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+ SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+ "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+ "(`XXX:...:XXX' - see manual)")
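Review bot: The `SSL_MOST_ALL` helper introduced in the ssl_private.h part of this hunk expands without parentheses, so a future use such as `protocol & SSL_MOST_ALL` would bind as `(protocol & SSL_PROTOCOL_SSLV3)|SSL_PROTOCOL_TLSV1`; both definitions should read `#define SSL_MOST_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)` and `#define SSL_MOST_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)`, with a one-line comment stating that it is the pre-TLS1.1 subset used only to build `SSL_PROTOCOL_ALL`. In the ssl_engine_config.c part, `-SSLv2` under `OPENSSL_NO_SSL2` now leaves `thisopt` unassigned in that branch, which is harmless only if `thisopt` is reset for every token; that reset lies outside the hunk and should be confirmed. `HAVE_TLSV1_X` is derived from whether `SSL_OP_NO_TLSv1_2` is visible at that point, which presumably depends on the OpenSSL headers already being pulled in through ssl_toolkit_compat.h, so a short comment explaining why the define must sit between those two includes would keep a later include reorder from silently disabling TLSv1.1/1.2. Separately, the commit message and the changelog entry (which also carries the typo `ans`) say TLSv1.0 and TLSv1.1, whereas the patch description and the code add TLSv1.1 and TLSv1.2.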
diff --git a/debian/patches/series b/debian/patches/series
index 4622d6c..6113b65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@
# as you wish.
#202_suexec-custom
dbmmanage-perl-510.patch
+SSLProtocol-tls11-12.2.patch