7149111 Upgrade Apache Web Server to version 2.2.22
authorPetr Sumbera <petr.sumbera@oracle.com>
Wed, 29 Feb 2012 12:08:58 -0800
changeset 714 b205ca9f0d84
parent 713 49ef3f4a3990
child 715 eed3ed08f692
7149111 Upgrade Apache Web Server to version 2.2.22 7116031 Problem with utility/apache 7108129 Problem with utility/apache 7149106 Problem with utility/apache 7149109 Problem with utility/apache 7149110 Problem with utility/apache
components/apache2/Makefile
components/apache2/apache-22.p5m
components/apache2/documentation.p5m
components/apache2/patches/CVE-2011-3348.patch
components/apache2/patches/CVE-2011-3368.patch
components/apache2/patches/r1165607.patch
components/apache2/patches/ssl.conf.patch
--- a/components/apache2/Makefile	Wed Feb 29 11:01:07 2012 -0800
+++ b/components/apache2/Makefile	Wed Feb 29 12:08:58 2012 -0800
@@ -18,16 +18,16 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		httpd
-COMPONENT_VERSION=	2.2.20
+COMPONENT_VERSION=	2.2.22
 COMPONENT_PROJECT_URL=	http://httpd.apache.org/
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH=	sha1:5e670636e17286b7ae5ade5b7f5e21e686559e5a
+COMPONENT_ARCHIVE_HASH=	sha1:bf3bbfda967ac900348e697f26fe86b25695efe9
 COMPONENT_ARCHIVE_URL=	http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE)
 
 CONFIGURE_DEFAULT_DIRS=no
--- a/components/apache2/apache-22.p5m	Wed Feb 29 11:01:07 2012 -0800
+++ b/components/apache2/apache-22.p5m	Wed Feb 29 12:08:58 2012 -0800
@@ -66,6 +66,7 @@
 dir path=usr/bin/$(MACH64)
 dir path=usr/share
 dir path=usr/share/man
+dir path=usr/share/man/man1
 dir path=usr/share/man/man1m
 dir path=usr/share/man/man8
 dir path=var
@@ -347,16 +348,17 @@
 file path=usr/apache2/2.2/libexec/mod_usertrack.so
 file path=usr/apache2/2.2/libexec/mod_version.so
 file path=usr/apache2/2.2/libexec/mod_vhost_alias.so
+file path=usr/apache2/2.2/man/man1/ab.1
+file path=usr/apache2/2.2/man/man1/apxs.1
 file path=usr/apache2/2.2/man/man1/dbmmanage.1
 file path=usr/apache2/2.2/man/man1/htdbm.1
+file path=usr/apache2/2.2/man/man1/httxt2dbm.1
 file path=usr/apache2/2.2/man/man1/htdigest.1
 file path=usr/apache2/2.2/man/man1/htpasswd.1
-file path=usr/apache2/2.2/man/man8/ab.8
+file path=usr/apache2/2.2/man/man1/logresolve.1
 file path=usr/apache2/2.2/man/man8/apachectl.8
-file path=usr/apache2/2.2/man/man8/apxs.8
 file path=usr/apache2/2.2/man/man8/htcacheclean.8
 file path=usr/apache2/2.2/man/man8/httpd.8
-file path=usr/apache2/2.2/man/man8/logresolve.8
 file path=usr/apache2/2.2/man/man8/rotatelogs.8
 file path=usr/apache2/2.2/man/man8/suexec.8
 file Solaris/apache2.1m.sunman path=usr/share/man/man1m/apache2.1m
@@ -631,12 +633,17 @@
 link path=usr/bin/httxt2dbm target=../apache2/2.2/bin/httxt2dbm
 link path=usr/bin/logresolve target=../apache2/2.2/bin/logresolve
 link path=usr/bin/rotatelogs target=../apache2/2.2/bin/rotatelogs
-link path=usr/share/man/man8/ab.8 target=../../../apache2/2.2/man/man8/ab.8
+link path=usr/share/man/man1/ab.1 target=../../../apache2/2.2/man/man1/ab.1
+link path=usr/share/man/man1/apxs.1 target=../../../apache2/2.2/man/man1/apxs.1
+link path=usr/share/man/man1/dbmmanage.1 target=../../../apache2/2.2/man/man1/dbmmanage.1
+link path=usr/share/man/man1/htdbm.1 target=../../../apache2/2.2/man/man1/htdbm.1
+link path=usr/share/man/man1/httxt2dbm.1 target=../../../apache2/2.2/man/man1/httxt2dbm.1
+link path=usr/share/man/man1/htdigest.1 target=../../../apache2/2.2/man/man1/htdigest.1
+link path=usr/share/man/man1/htpasswd.1 target=../../../apache2/2.2/man/man1/htpasswd.1
+link path=usr/share/man/man1/logresolve.1 target=../../../apache2/2.2/man/man1/logresolve.1
 link path=usr/share/man/man8/apachectl.8 target=../../../apache2/2.2/man/man8/apachectl.8
-link path=usr/share/man/man8/apxs.8 target=../../../apache2/2.2/man/man8/apxs.8
 link path=usr/share/man/man8/htcacheclean.8 target=../../../apache2/2.2/man/man8/htcacheclean.8
 link path=usr/share/man/man8/httpd.8 target=../../../apache2/2.2/man/man8/httpd.8
-link path=usr/share/man/man8/logresolve.8 target=../../../apache2/2.2/man/man8/logresolve.8
 link path=usr/share/man/man8/rotatelogs.8 target=../../../apache2/2.2/man/man8/rotatelogs.8
 link path=usr/share/man/man8/suexec.8 target=../../../apache2/2.2/man/man8/suexec.8
 link path=var/apache2/2.2/libexec/64 target=$(MACH64)
--- a/components/apache2/documentation.p5m	Wed Feb 29 11:01:07 2012 -0800
+++ b/components/apache2/documentation.p5m	Wed Feb 29 12:08:58 2012 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
 #
 <transform dir file link hardlink path=usr/apache2/2.2/manual(/.+){0,1}$ -> \
     default facet.doc.html true>
@@ -254,6 +254,7 @@
 file path=usr/apache2/2.2/manual/license.html.en
 file path=usr/apache2/2.2/manual/logs.html
 file path=usr/apache2/2.2/manual/logs.html.en
+file path=usr/apache2/2.2/manual/logs.html.fr
 file path=usr/apache2/2.2/manual/logs.html.ja.utf8
 file path=usr/apache2/2.2/manual/logs.html.ko.euc-kr
 file path=usr/apache2/2.2/manual/logs.html.tr.utf8
@@ -528,11 +529,14 @@
 file path=usr/apache2/2.2/manual/mod/mod_proxy_connect.html.ja.utf8
 file path=usr/apache2/2.2/manual/mod/mod_proxy_ftp.html
 file path=usr/apache2/2.2/manual/mod/mod_proxy_ftp.html.en
+file path=usr/apache2/2.2/manual/mod/mod_proxy_ftp.html.ja.utf8
 file path=usr/apache2/2.2/manual/mod/mod_proxy_http.html
 file path=usr/apache2/2.2/manual/mod/mod_proxy_http.html.en
 file path=usr/apache2/2.2/manual/mod/mod_proxy_http.html.fr
+file path=usr/apache2/2.2/manual/mod/mod_proxy_http.html.ja.utf8
 file path=usr/apache2/2.2/manual/mod/mod_proxy_scgi.html
 file path=usr/apache2/2.2/manual/mod/mod_proxy_scgi.html.en
+file path=usr/apache2/2.2/manual/mod/mod_proxy_scgi.html.ja.utf8
 file path=usr/apache2/2.2/manual/mod/mod_reqtimeout.html
 file path=usr/apache2/2.2/manual/mod/mod_reqtimeout.html.en
 file path=usr/apache2/2.2/manual/mod/mod_rewrite.html
@@ -643,6 +647,7 @@
 file path=usr/apache2/2.2/manual/new_features_2_2.html
 file path=usr/apache2/2.2/manual/new_features_2_2.html.en
 file path=usr/apache2/2.2/manual/new_features_2_2.html.fr
+file path=usr/apache2/2.2/manual/new_features_2_2.html.ja.utf8
 file path=usr/apache2/2.2/manual/new_features_2_2.html.ko.euc-kr
 file path=usr/apache2/2.2/manual/new_features_2_2.html.pt-br
 file path=usr/apache2/2.2/manual/new_features_2_2.html.tr.utf8
@@ -710,6 +715,7 @@
 file path=usr/apache2/2.2/manual/programs/index.html
 file path=usr/apache2/2.2/manual/programs/index.html.en
 file path=usr/apache2/2.2/manual/programs/index.html.es
+file path=usr/apache2/2.2/manual/programs/index.html.ja.utf8
 file path=usr/apache2/2.2/manual/programs/index.html.ko.euc-kr
 file path=usr/apache2/2.2/manual/programs/index.html.ru.koi8-r
 file path=usr/apache2/2.2/manual/programs/index.html.tr.utf8
@@ -815,6 +821,7 @@
 file path=usr/apache2/2.2/manual/upgrading.html.de
 file path=usr/apache2/2.2/manual/upgrading.html.en
 file path=usr/apache2/2.2/manual/upgrading.html.fr
+file path=usr/apache2/2.2/manual/upgrading.html.ja.utf8
 file path=usr/apache2/2.2/manual/urlmapping.html
 file path=usr/apache2/2.2/manual/urlmapping.html.en
 file path=usr/apache2/2.2/manual/urlmapping.html.ja.utf8
--- a/components/apache2/patches/CVE-2011-3348.patch	Wed Feb 29 11:01:07 2012 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
-     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
-     recognized.  [Jean-Frederic Clere]
-
-http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1167158
-
---- modules/proxy/mod_proxy_ajp.c	2011/09/09 13:30:49	1167157
-+++ modules/proxy/mod_proxy_ajp.c	2011/09/09 13:31:06	1167158
[email protected]@ -214,7 +214,9 @@
-                      conn->worker->hostname);
-         if (status == AJP_EOVERFLOW)
-             return HTTP_BAD_REQUEST;
--        else {
-+        else if  (status == AJP_EBAD_METHOD) {
-+            return HTTP_NOT_IMPLEMENTED;
-+        } else {
-             /*
-              * This is only non fatal when the method is idempotent. In this
-              * case we can dare to retry it with a different worker if we are
--- a/components/apache2/patches/CVE-2011-3368.patch	Wed Feb 29 11:01:07 2012 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,34 +0,0 @@
-
-SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
-reverse proxy configurations by strictly validating the request-URI.
-
-http://svn.apache.org/viewvc?rev=1179239&view=rev
-
---- server/protocol.c
-+++ server/protocol.c
[email protected]@ -640,6 +640,25 @@
- 
-     ap_parse_uri(r, uri);
- 
-+    /* RFC 2616:
-+     *   Request-URI    = "*" | absoluteURI | abs_path | authority
-+     *
-+     * authority is a special case for CONNECT.  If the request is not
-+     * using CONNECT, and the parsed URI does not have scheme, and
-+     * it does not begin with '/', and it is not '*', then, fail
-+     * and give a 400 response. */
-+    if (r->method_number != M_CONNECT 
-+        && !r->parsed_uri.scheme 
-+        && uri[0] != '/'
-+        && !(uri[0] == '*' && uri[1] == '\0')) {
-+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+                      "invalid request-URI %s", uri);
-+        r->args = NULL;
-+        r->hostname = NULL;
-+        r->status = HTTP_BAD_REQUEST;
-+        r->uri = apr_pstrdup(r->pool, uri);
-+    }
-+
-     if (ll[0]) {
-         r->assbackwards = 0;
-         pro = ll;
--- a/components/apache2/patches/r1165607.patch	Wed Feb 29 11:01:07 2012 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,278 +0,0 @@
-Jeff Trawick <[email protected]>
-Subject 	[PATCH] byterange patch for 2.2.20
-Date 	Thu, 08 Sep 2011 15:16:11 GMT
-
-Here's what I have at present:
-http://people.apache.org/~trawick/2.2.20-byterange-fixes.txt
-
-(compiled-in max ranges, uses same AP_ symbol as 2.2.21 even though
-the compiled-in version isn't the same type of "DEFAULT")
-
---- modules/http/byterange_filter.c.orig	2011-09-08 11:03:54.000000000 -0400
-+++ modules/http/byterange_filter.c	2011-09-08 11:02:36.000000000 -0400
[email protected]@ -55,6 +55,10 @@
- #include <unistd.h>
- #endif
- 
-+#ifndef AP_DEFAULT_MAX_RANGES
-+#define AP_DEFAULT_MAX_RANGES 200
-+#endif
-+
- static int ap_set_byterange(request_rec *r, apr_off_t clength,
-                             apr_array_header_t **indexes);
- 
[email protected]@ -83,8 +87,6 @@
-     apr_bucket *first = NULL, *last = NULL, *out_first = NULL, *e;
-     apr_uint64_t pos = 0, off_first = 0, off_last = 0;
-     apr_status_t rv;
--    const char *s;
--    apr_size_t len;
-     apr_uint64_t start64, end64;
-     apr_off_t pofft = 0;
- 
[email protected]@ -136,44 +138,10 @@
-         if (e == first) {
-             if (off_first != start64) {
-                 rv = apr_bucket_split(copy, (apr_size_t)(start64 - off_first));
--                if (rv == APR_ENOTIMPL) {
--                    rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ);
--                    if (rv != APR_SUCCESS) {
--                        apr_brigade_cleanup(bbout);
--                        return rv;
--                    }
--                    /*
--                     * The read above might have morphed copy in a bucket
--                     * of shorter length. So read and delete until we reached
--                     * the correct bucket for splitting.
--                     */
--                    while (start64 - off_first > (apr_uint64_t)copy->length) {
--                        apr_bucket *tmp = APR_BUCKET_NEXT(copy);
--                        off_first += (apr_uint64_t)copy->length;
--                        APR_BUCKET_REMOVE(copy);
--                        apr_bucket_destroy(copy);
--                        copy = tmp;
--                        rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ);
--                        if (rv != APR_SUCCESS) {
--                            apr_brigade_cleanup(bbout);
--                            return rv;
--                        }
--                    }
--                    if (start64 > off_first) {
--                        rv = apr_bucket_split(copy, (apr_size_t)(start64 - off_first));
-                         if (rv != APR_SUCCESS) {
-                             apr_brigade_cleanup(bbout);
-                             return rv;
-                         }
--                    }
--                    else {
--                        copy = APR_BUCKET_PREV(copy);
--                    }
--                }
--                else if (rv != APR_SUCCESS) {
--                        apr_brigade_cleanup(bbout);
--                        return rv;
--                }
-                 out_first = APR_BUCKET_NEXT(copy);
-                 APR_BUCKET_REMOVE(copy);
-                 apr_bucket_destroy(copy);
[email protected]@ -189,38 +157,10 @@
-             }
-             if (end64 - off_last != (apr_uint64_t)e->length) {
-                 rv = apr_bucket_split(copy, (apr_size_t)(end64 + 1 - off_last));
--                if (rv == APR_ENOTIMPL) {
--                    rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ);
-                     if (rv != APR_SUCCESS) {
-                         apr_brigade_cleanup(bbout);
-                         return rv;
-                     }
--                    /*
--                     * The read above might have morphed copy in a bucket
--                     * of shorter length. So read until we reached
--                     * the correct bucket for splitting.
--                     */
--                    while (end64 + 1 - off_last > (apr_uint64_t)copy->length) {
--                        off_last += (apr_uint64_t)copy->length;
--                        copy = APR_BUCKET_NEXT(copy);
--                        rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ);
--                        if (rv != APR_SUCCESS) {
--                            apr_brigade_cleanup(bbout);
--                            return rv;
--                        }
--                    }
--                    if (end64 < off_last + (apr_uint64_t)copy->length - 1) {
--                        rv = apr_bucket_split(copy, end64 + 1 - off_last);
--                        if (rv != APR_SUCCESS) {
--                            apr_brigade_cleanup(bbout);
--                            return rv;
--                        }
--                    }
--                }
--                else if (rv != APR_SUCCESS) {
--                        apr_brigade_cleanup(bbout);
--                        return rv;
--                }
-                 copy = APR_BUCKET_NEXT(copy);
-                 if (copy != APR_BRIGADE_SENTINEL(bbout)) {
-                     APR_BUCKET_REMOVE(copy);
[email protected]@ -243,6 +183,20 @@
-     apr_off_t end;
- } indexes_t;
- 
-+static apr_status_t send_416(ap_filter_t *f, apr_bucket_brigade *tmpbb)
-+{
-+    apr_bucket *e;
-+    conn_rec *c = f->r->connection;
-+    ap_remove_output_filter(f);
-+    f->r->status = HTTP_OK;
-+    e = ap_bucket_error_create(HTTP_RANGE_NOT_SATISFIABLE, NULL,
-+                               f->r->pool, c->bucket_alloc);
-+    APR_BRIGADE_INSERT_TAIL(tmpbb, e);
-+    e = apr_bucket_eos_create(c->bucket_alloc);
-+    APR_BRIGADE_INSERT_TAIL(tmpbb, e);
-+    return ap_pass_brigade(f->next, tmpbb);
-+}
-+
- AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(ap_filter_t *f,
-                                                          apr_bucket_brigade *bb)
- {
[email protected]@ -290,17 +244,23 @@
-     num_ranges = ap_set_byterange(r, clength, &indexes);
- 
-     /* We have nothing to do, get out of the way. */
--    if (num_ranges == 0) {
-+    if (num_ranges == 0 || (AP_DEFAULT_MAX_RANGES >= 0 && num_ranges > AP_DEFAULT_MAX_RANGES)) {
-         r->status = original_status;
-         ap_remove_output_filter(f);
-         return ap_pass_brigade(f->next, bb);
-     }
- 
-+    /* this brigade holds what we will be sending */
-+    bsend = apr_brigade_create(r->pool, c->bucket_alloc);
-+
-+    if (num_ranges < 0)
-+        return send_416(f, bsend);
-+
-     if (num_ranges > 1) {
-         /* Is ap_make_content_type required here? */
-         const char *orig_ct = ap_make_content_type(r, r->content_type);
-         boundary = apr_psprintf(r->pool, "%" APR_UINT64_T_HEX_FMT "%lx",
--                                (apr_uint64_t)r->request_time, (long) getpid());
-+                                (apr_uint64_t)r->request_time, c->id);
- 
-         ap_set_content_type(r, apr_pstrcat(r->pool, "multipart",
-                                            use_range_x(r) ? "/x-" : "/",
[email protected]@ -325,8 +285,6 @@
-         ap_xlate_proto_to_ascii(bound_head, strlen(bound_head));
-     }
- 
--    /* this brigade holds what we will be sending */
--    bsend = apr_brigade_create(r->pool, c->bucket_alloc);
-     tmpbb = apr_brigade_create(r->pool, c->bucket_alloc);
- 
-     idx = (indexes_t *)indexes->elts;
[email protected]@ -384,15 +342,8 @@
-     }
- 
-     if (found == 0) {
--        ap_remove_output_filter(f);
--        r->status = HTTP_OK;
-         /* bsend is assumed to be empty if we get here. */
--        e = ap_bucket_error_create(HTTP_RANGE_NOT_SATISFIABLE, NULL,
--                                   r->pool, c->bucket_alloc);
--        APR_BRIGADE_INSERT_TAIL(bsend, e);
--        e = apr_bucket_eos_create(c->bucket_alloc);
--        APR_BRIGADE_INSERT_TAIL(bsend, e);
--        return ap_pass_brigade(f->next, bsend);
-+        return send_416(f, bsend);
-     }
- 
-     if (num_ranges > 1) {
[email protected]@ -424,7 +375,7 @@
-     const char *match;
-     const char *ct;
-     char *cur;
--    int num_ranges = 0;
-+    int num_ranges = 0, unsatisfiable = 0;
-     apr_off_t sum_lengths = 0;
-     indexes_t *idx;
-     int ranges = 1;
[email protected]@ -497,14 +448,25 @@
-         char *errp;
-         apr_off_t number, start, end;
- 
--        if (!(dash = strchr(cur, '-'))) {
-+        if (!*cur)
-             break;
-+
-+        /*
-+         * Per RFC 2616 14.35.1: If there is at least one syntactically invalid
-+         * byte-range-spec, we must ignore the whole header.
-+         */
-+
-+        if (!(dash = strchr(cur, '-'))) {
-+            return 0;
-         }
- 
--        if (dash == range) {
-+        if (dash == cur) {
-             /* In the form "-5" */
-             if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) {
--                break;
-+                return 0;
-+            }
-+            if (number < 1) {
-+                return 0;
-             }
-             start = clength - number;
-             end = clength - 1;
[email protected]@ -512,14 +474,17 @@
-         else {
-             *dash++ = '\0';
-             if (apr_strtoff(&number, cur, &errp, 10) || *errp) {
--                break;
-+                return 0;
-             }
-             start = number;
-             if (*dash) {
-                 if (apr_strtoff(&number, dash, &errp, 10) || *errp) {
--                    break;
-+                    return 0;
-                 }
-                 end = number;
-+                if (start > end) {
-+                    return 0;
-+                }
-             }
-             else {                  /* "5-" */
-                 end = clength - 1;
[email protected]@ -529,15 +494,14 @@
-         if (start < 0) {
-             start = 0;
-         }
-+        if (start >= clength) {
-+            unsatisfiable = 1;
-+            continue;
-+        }
-         if (end >= clength) {
-             end = clength - 1;
-         }
- 
--        if (start > end) {
--            /* ignore? count? */
--            break;
--        }
--
-         idx = (indexes_t *)apr_array_push(*indexes);
-         idx->start = start;
-         idx->end = end;
[email protected]@ -546,6 +510,10 @@
-         num_ranges++;
-     }
- 
-+    if (num_ranges == 0 && unsatisfiable) {
-+        /* If all ranges are unsatisfiable, we should return 416 */
-+        return -1;
-+    }
-     if (sum_lengths >= clength) {
-         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                       "Sum of ranges not smaller than file, ignoring.");
--- a/components/apache2/patches/ssl.conf.patch	Wed Feb 29 11:01:07 2012 -0800
+++ b/components/apache2/patches/ssl.conf.patch	Wed Feb 29 12:08:58 2012 -0800
@@ -1,6 +1,6 @@
---- docs/conf/extra/httpd-ssl.conf.in.orig	Thu May 12 11:44:53 2011
-+++ docs/conf/extra/httpd-ssl.conf.in	Thu May 12 11:46:45 2011
[email protected]@ -22,9 +22,10 @@
+--- docs/conf/extra/httpd-ssl.conf.in	Wed Jan  4 12:10:40 2012
++++ docs/conf/extra/httpd-ssl.conf.in	Mon Feb 27 07:09:48 2012
[email protected]@ -22,11 +22,16 @@
  # Manual for more details.
  #
  #SSLRandomSeed startup file:/dev/random  512
@@ -9,11 +9,17 @@
  #SSLRandomSeed connect file:/dev/random  512
 -#SSLRandomSeed connect file:/dev/urandom 512
 +SSLRandomSeed connect file:/dev/urandom 512
+ 
++#
++# Enable Solaris crypto framework
++#
 +SSLCryptoDevice pkcs11
  
- 
++
  #
[email protected]@ -75,7 +76,7 @@
+ # When we also provide SSL we have to listen to the 
+ # standard HTTP port (see above) and to the HTTPS port
[email protected]@ -75,7 +80,7 @@
  
  #   General setup for the virtual host
  DocumentRoot "@[email protected]"
@@ -22,17 +28,3 @@
  ServerAdmin [email protected]
  ErrorLog "@[email protected]/error_log"
  TransferLog "@[email protected]/access_log"
[email protected]@ -87,8 +88,12 @@
- #   SSL Cipher Suite:
- #   List the ciphers that the client is permitted to negotiate.
- #   See the mod_ssl documentation for a complete list.
--SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-+#   AES with keylengths > 128 bit is not supported by default on Solaris.
-+#   To operate with AES256 you must install the SUNWcry and SUNWcryr
-+#   packages from the Solaris 10 Data Encryption Kit.
-+SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
- 
-+
- #   Server Certificate:
- #   Point SSLCertificateFile at a PEM encoded certificate.  If
- #   the certificate is encrypted, then you will be prompted for a