20813188 problem in UTILITY/APACHE
authorPetr Sumbera <petr.sumbera@oracle.com>
Wed, 01 Apr 2015 05:08:30 -0700
changeset 4052 dd17ecf751c3
parent 4051 64c125e997d0
child 4053 7450d4817b39
20813188 problem in UTILITY/APACHE
components/apache2/patches/no_ssl2_and_3.patch
components/apache2/patches/ssl.conf.patch
components/apache24/patches/no_ssl3.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/no_ssl2_and_3.patch	Wed Apr 01 05:08:30 2015 -0700
@@ -0,0 +1,46 @@
+Patch origin: in-house
+Patch status: will be submitted to upstream
+
+--- modules/ssl/ssl_private.h
++++ modules/ssl/ssl_private.h
[email protected]@ -246,9 +246,9 @@
+ #define SSL_PROTOCOL_SSLV3 (1<<1)
+ #define SSL_PROTOCOL_TLSV1 (1<<2)
+ #ifdef OPENSSL_NO_SSL2
+-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
+ #else
+-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
+ #endif
+ #ifdef HAVE_TLSV1_X
+ #define SSL_PROTOCOL_TLSV1_1 (1<<3)
+--- docs/manual/mod/mod_ssl.html.en
++++ docs/manual/mod/mod_ssl.html.en
[email protected]@ -1029,8 +1029,8 @@
+     <p>
+     This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
+     the Netscape Corporation. 
+-    It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by
+-    almost all popular browsers.</p></li>
++    It is the successor to SSLv2 and the predecessor to TLSv1. Though its
++    use has been deprecated, because of weaknesses in the security of the protocol.</p></li>
+ 
+ <li><code>TLSv1</code>
+     <p>
[email protected]@ -1050,13 +1050,11 @@
+ 
+ <li><code>All</code>
+     <p>
+-    This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or
+-    - when using OpenSSL 1.0.1 and later -
+-    ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li>
++    This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
+ </ul>
+ <div class="example"><h3>Example</h3><p><code>
+ # enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br />
+-SSLProtocol All -SSLv2
++SSLProtocol All +SSLv3
+ </code></p></div>
+ 
+ </div>
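Review bot: In the ssl_private.h hunk the `#ifdef OPENSSL_NO_SSL2` block now defines `SSL_MOST_ALL` identically in both branches, so the conditional no longer selects anything; collapsing it to a single `#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1` would make the intent (neither SSLv2 nor SSLv3 in "All", whatever the OpenSSL build) explicit and easier to carry upstream. The new manual sentence `Though its use has been deprecated, because of weaknesses in the security of the protocol.` is a fragment; `Its use has been deprecated because of weaknesses in the security of the protocol.` reads better. The rewritten "All" entry promises `+TLSv1 +TLSv1.1 +TLSv1.2`, which presumably depends on an `SSL_PROTOCOL_ALL` definition under `HAVE_TLSV1_X` outside this hunk being built from `SSL_MOST_ALL` — worth confirming so the documentation and the macro stay in step.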
--- a/components/apache2/patches/ssl.conf.patch	Fri Apr 03 15:09:14 2015 -0700
+++ b/components/apache2/patches/ssl.conf.patch	Wed Apr 01 05:08:30 2015 -0700
@@ -1,8 +1,9 @@
 Patch origin: in-house
 Patch status: Solaris-specific; not suitable for upstream
+Patch status: SSLProtocol part will be submitted to upstream
 
---- docs/conf/extra/httpd-ssl.conf.in	Wed Jan  4 12:10:40 2012
-+++ docs/conf/extra/httpd-ssl.conf.in	Mon Feb 27 07:09:48 2012
+--- docs/conf/extra/httpd-ssl.conf.in
++++ docs/conf/extra/httpd-ssl.conf.in
 @@ -22,11 +22,16 @@
  # Manual for more details.
  #
@@ -31,3 +32,15 @@
  ServerAdmin [email protected]
  ErrorLog "@[email protected]/error_log"
  TransferLog "@[email protected]/access_log"
[email protected]@ -86,8 +91,9 @@
+ 
+ #   SSL Protocol support:
+ #   List the protocol versions which clients are allowed to
+-#   connect with. Disable SSLv2 by default (cf. RFC 6176).
+-SSLProtocol all -SSLv2
++#   connect with. SSLv2 and SSLv3 are disabled by default and
++#   and must be enabled below if really needed.
++SSLProtocol all
+ 
+ #   SSL Cipher Suite:
+ #   List the ciphers that the client is permitted to negotiate.
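Review bot: The rewritten comment in the httpd-ssl.conf.in hunk duplicates "and" across the line break (`SSLv2 and SSLv3 are disabled by default and` / `and must be enabled below if really needed.`); suggested `#   connect with. SSLv2 and SSLv3 are disabled by default and` / `#   must be enabled explicitly if really needed.`. The old comment cited RFC 6176 as the reason SSLv2 is off, and dropping it loses the rationale that administrators reading the shipped config rely on, so keeping a short pointer such as `(SSLv2: cf. RFC 6176)` is worthwhile. "enabled below" also presupposes a later directive in the file that is not part of this hunk; if there is none, "explicitly" is the safer wording.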
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/no_ssl3.patch	Wed Apr 01 05:08:30 2015 -0700
@@ -0,0 +1,43 @@
+Patch origin: in-house
+Patch status: will be submitted to upstream
+
+--- modules/ssl/ssl_private.h
++++ modules/ssl/ssl_private.h
[email protected]@ -298,10 +298,10 @@
+ #ifdef HAVE_TLSV1_X
+ #define SSL_PROTOCOL_TLSV1_1 (1<<3)
+ #define SSL_PROTOCOL_TLSV1_2 (1<<4)
+-#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
++#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_TLSV1| \
+                             SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+ #else
+-#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
++#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_TLSV1)
+ #endif
+ typedef int ssl_proto_t;
+ 
+--- docs/manual/mod/mod_ssl.html.en
++++ docs/manual/mod/mod_ssl.html.en
[email protected]@ -1348,9 +1348,7 @@
+ 
+ <li><code>all</code>
+     <p>
+-    This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
+-    - when using OpenSSL 1.0.1 and later -
+-    ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
++    This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
+ </ul>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre>
+ </div>
+--- docs/manual/mod/mod_ssl.html.fr
++++ docs/manual/mod/mod_ssl.html.fr
[email protected]@ -1518,8 +1518,7 @@
+ 
+ <li><code>all</code>
+     <p>
+-    C'est un raccourci pour ``<code>+SSLv3 +TLSv1</code>'' ou -  partir
+-    de la version 1.0.1 d'OpenSSL - ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>.</p></li>
++    C'est un raccourci pour ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
+ </ul>
+ <div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre>
+ </div>
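Review bot: The apache2 counterpart in this same changeset (no_ssl2_and_3.patch) also rewrites the manual's description of the `SSLv3` keyword to say the protocol is deprecated, but this apache24 patch only touches the `all` entries in mod_ssl.html.en and mod_ssl.html.fr; if the 2.4 manual has an equivalent `SSLv3` paragraph, it would keep presenting SSLv3 as a normal option while `all` no longer includes it. Consider adding the same one-sentence deprecation note there so the two manuals agree. The ssl_private.h change itself looks right; it would help reviewers if the patch header stated that existing `SSLProtocol all -SSLv3` configurations are expected to keep working unchanged, since that is the compatibility argument for shipping this as a default.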