authorjorton <jorton@fedoraproject.org>2005-04-25 21:35:08 +0000
committerjorton <jorton@fedoraproject.org>2005-04-25 21:35:08 +0000
commit06872c83d1fba3932d001e91b81c47eaea5a31f5 (patch)
tree1f51bd18d051e8e0d071437b97655f695dd72122
parent98f24d7e8cc02232a26f9bef455e44b788eea4a5 (diff)
- create default dummy cert in /etc/pki/tlshttpd-2_0_54-5
- use a pseudo-random serial number on the dummy cert - change default ssl.conf to point at /etc/pki/tls - merge back -suexec subpackage; SELinux policy can now be used to persistently disable suexec (#155716) - drop /etc/httpd/conf/ssl.* directories and Makefiles - unconditionally enable PIE support - mod_ssl: fix for picking up -shutdown options (upstream #34452)
-rw-r--r--httpd.spec72
-rw-r--r--ssl.conf33
2 files changed, 33 insertions, 72 deletions
diff --git a/httpd.spec b/httpd.spec
index c2f0a5c..7cd682a 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.54
-Release: 4
+Release: 5
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -21,8 +21,6 @@ Source10: httpd.conf
Source11: ssl.conf
Source12: welcome.conf
Source13: manual.conf
-Source14: mod_ssl-Makefile.crt
-Source15: mod_ssl-Makefile.crl
# Documentation
Source30: migration.xml
Source31: migration.css
@@ -49,6 +47,7 @@ Patch27: httpd-2.0.48-sslpphrase.patch
Patch28: httpd-2.0.48-worker.patch
Patch29: httpd-2.0.48-workerhup.patch
Patch30: httpd-2.0.48-davmisc.patch
+Patch31: httpd-2.0.54-ssltrans.patch
# Features/functional changes
Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch
@@ -75,7 +74,7 @@ BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
BuildRequires: zlib-devel
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
-Requires: httpd-suexec
+Obsoletes: httpd-suexec
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
Prereq: sh-utils, textutils, /usr/sbin/useradd
Provides: webserver
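Review bot: `Obsoletes: httpd-suexec` carries no version bound, so any package published under that name later would be obsoleted as well; the conventional form is `Obsoletes: httpd-suexec < %{version}-%{release}`. Since the binary now lives in this package, a matching `Provides: httpd-suexec = %{version}-%{release}` would keep anything that still requires the old subpackage name resolvable. Whether such dependents exist is not visible in this diff.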
@@ -120,7 +119,7 @@ Group: System Environment/Daemons
Summary: SSL/TLS module for the Apache HTTP server
Epoch: 1
BuildRequires: openssl-devel, distcache-devel
-Prereq: openssl, dev, /bin/cat
+Requires(pre): openssl >= 0.9.7f-4, dev, /bin/cat
Requires: httpd = %{version}-%{release}, make, httpd-mmn = %{mmn}
Obsoletes: stronghold-mod_ssl
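Review bot: The context line `Requires: httpd = %{version}-%{release}, make, httpd-mmn = %{mmn}` still pulls in make, yet this commit drops the certificate Makefiles and the %config entry for conf/Makefile, so as far as the diff shows nothing in mod_ssl invokes make any more; `Requires: httpd = %{version}-%{release}, httpd-mmn = %{mmn}` would remove the stale dependency. The new `Requires(pre): openssl >= 0.9.7f-4` bound is presumably the openssl build that ships the /etc/pki directories the %post scriptlet writes into, but nothing says so; a comment above it such as `# >= 0.9.7f-4: ships the /etc/pki key/cert directories used by %post` would stop a later maintainer from relaxing it.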
@@ -129,22 +128,13 @@ The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.
-%package suexec
-Group: System Environment/Daemons
-Summary: suexec binary for the Apache HTTP server
-Requires(pre): httpd = %{version}-%{release}
-
-%description suexec
-This package includes the /usr/sbin/suexec binary which can be installed
-to allow the Apache HTTP server to run CGI programs (and any programs
-executed by SSI pages) as a user other than the 'apache' user.
-
%prep
%setup -q
%patch1 -p1 -b .apctl
%patch2 -p1 -b .apxs
%patch3 -p1 -b .linkmods
%patch4 -p1 -b .deplibs
+%patch5 -p1 -b .pie
%patch6 -p1 -b .syspcre
%patch8 -p1 -b .vpathinc
%patch9 -p1 -b .apctlopts
@@ -161,6 +151,7 @@ executed by SSI pages) as a user other than the 'apache' user.
%patch28 -p1 -b .worker
%patch29 -p1 -b .workerhup
%patch30 -p1 -b .davmisc
+%patch31 -p1 -b .ssltrans
%patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod
@@ -194,15 +185,6 @@ if test "x${vmmn}" != "x%{mmn}"; then
exit 1
fi
-# Conditionally enable PIE support
-if echo 'static int foo[30000]; int main () { return 0; }' |
- gcc -pie -fpie -O2 -xc - -o pietest &&
- ./pietest; then
-%patch5 -p1 -b .pie
- : PIE support enabled
-else
- : WARNING: PIE support not enabled
-fi
: Building for '%{distro}' with MMN %{mmn} and vendor string '%{vstring}'
@@ -310,16 +292,7 @@ mkdir $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
install -m 644 $RPM_SOURCE_DIR/httpd.sysconf \
$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/httpd
-# mod_ssl bits
-for suffix in crl crt csr key prm; do
- mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/ssl.${suffix}
-done
-
# Makefiles for certificate management
-for ext in crt crl; do
- install -m 644 $RPM_SOURCE_DIR/mod_ssl-Makefile.${ext} \
- $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/ssl.${ext}/Makefile.${ext}
-done
ln -s ../../../usr/share/ssl/certs/Makefile $RPM_BUILD_ROOT/etc/httpd/conf
# for holding mod_dav lock database
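Review bot: The `ln -s ../../../usr/share/ssl/certs/Makefile $RPM_BUILD_ROOT/etc/httpd/conf` line survives this hunk although the `%config %{_sysconfdir}/httpd/conf/Makefile` entry is removed from the mod_ssl file list later in this diff, so the symlink is still installed into the build root but packaged by nothing; depending on the unpackaged-files check that is either a build failure or a silently dropped file. Either delete the `ln -s` line together with the now-misleading `# Makefiles for certificate management` comment, or restore the %config entry. The link target is also the old /usr/share/ssl location rather than the /etc/pki/tls layout this commit moves to.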
@@ -445,11 +418,14 @@ if [ $1 = 0 ]; then
/sbin/chkconfig --del httpd
fi
+%define certdir %{_sysconfdir}/pki/ssl/certs
+%define keydir %{_sysconfdir}/pki/ssl/private
+
%post -n mod_ssl
umask 077
-if [ ! -f %{_sysconfdir}/httpd/conf/ssl.key/server.key ] ; then
-%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{_sysconfdir}/httpd/conf/ssl.key/server.key 2> /dev/null
+if [ ! -f %{keydir}/localhost.key ] ; then
+%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{keydir}/localhost.key 2> /dev/null
fi
FQDN=`hostname`
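Review bot: `%define certdir %{_sysconfdir}/pki/ssl/certs` and `%define keydir %{_sysconfdir}/pki/ssl/private` put the generated key and certificate under /etc/pki/ssl, but the ssl.conf changed in this same commit (and the changelog entry) reads them from /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key, so a fresh install generates files httpd never looks at. The macros should read `%define certdir %{_sysconfdir}/pki/tls/certs` and `%define keydir %{_sysconfdir}/pki/tls/private`. Separately, nothing in the scriptlet creates or checks %{keydir}, and with `2> /dev/null` on the genrsa line a missing directory leaves no key and no message, so a `[ -d %{keydir} ]` guard that prints a warning, or at least dropping the stderr redirect, would make that failure visible. The 1024-bit `genrsa` size is carried over unchanged and is worth revisiting as a separate change. The scriptlet continues past the end of this hunk.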
@@ -457,8 +433,10 @@ if [ "x${FQDN}" = "x" ]; then
FQDN=localhost.localdomain
fi
-if [ ! -f %{_sysconfdir}/httpd/conf/ssl.crt/server.crt ] ; then
-cat << EOF | %{_bindir}/openssl req -new -key %{_sysconfdir}/httpd/conf/ssl.key/server.key -x509 -days 365 -out %{_sysconfdir}/httpd/conf/ssl.crt/server.crt 2>/dev/null
+if [ ! -f %{certdir}/localhost.crt ] ; then
+cat << EOF | %{_bindir}/openssl req -new -key %{keydir}/localhost.key \
+ -x509 -days 365 -set_serial $RANDOM \
+ -out %{certdir}/localhost.crt 2>/dev/null
--
SomeState
SomeCity
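Review bot: `-set_serial $RANDOM` draws from a 15-bit range (0–32767 in bash) and can yield 0, so the "pseudo-random" serial still collides easily between hosts sharing a subject name, and a zero serial is rejected by validators that enforce X.509's positive-integer rule; `$RANDOM` is also a bash extension in a scriptlet that otherwise uses plain sh. `-set_serial $(od -An -N4 -tu4 /dev/urandom)` gives a 32-bit value using od from the textutils the package already requires, and `$((RANDOM + 1))` would at minimum avoid zero. The heredoc that supplies the subject continues past the end of this hunk.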
@@ -517,6 +495,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/httpd.worker
%{_sbindir}/apachectl
%{_sbindir}/rotatelogs
+%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec
%dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules
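Review bot: With `%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec` in the main package the setuid-root binary is now present on every httpd install, and the changelog's "SELinux policy can now be used to persistently disable suexec" leaves administrators running without SELinux no supported way to keep it off, since a chmod on it is reported by `rpm -V` and presumably reset on the next upgrade. The package documentation or the changelog should state how such systems are expected to disable it, and a comment on the %attr line, e.g. `# 4510: setuid root, executable only by %{suexec_caller} (httpd's group)`, would record what confines who can invoke it. The value of %{suexec_caller} is defined outside this diff.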
@@ -541,7 +520,6 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man?/*
%exclude %{_mandir}/man8/apxs.8*
-%exclude %{_mandir}/man8/suexec.8*
%files manual
%defattr(-,root,root)
@@ -552,9 +530,6 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root)
%{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
-%attr(0700,root,root) %dir %{_sysconfdir}/httpd/conf/ssl.*
-%config %{_sysconfdir}/httpd/conf/Makefile
-%config %{_sysconfdir}/httpd/conf/ssl.*/*
%attr(0700,apache,root) %dir %{_localstatedir}/cache/mod_ssl
%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.dir
%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.pag
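Review bot: The key and certificate that %post now writes to %{keydir}/localhost.key and %{certdir}/localhost.crt have no `%ghost` entries here, unlike the scache files two lines above, so rpm records neither their expected ownership nor mode and `rpm -V` cannot flag a private key whose permissions drifted from the umask 077 it was created under. `%attr(0600,root,root) %ghost %{keydir}/localhost.key` and `%attr(0644,root,root) %ghost %{certdir}/localhost.crt` would track both. The trade-off is that rpm would then remove them on package erase, which matters if an administrator replaces the dummy pair in place, so that choice should be made deliberately; whether the /etc/pki directories themselves are owned by openssl is not visible here.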
@@ -571,12 +546,17 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/httpd/build/instdso.sh
%{_libdir}/httpd/build/libtool
-%files suexec
-%defattr(-,root,root)
-%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec
-%{_mandir}/man8/suexec.8*
-
%changelog
+* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 2.0.54-5
+- create default dummy cert in /etc/pki/tls
+- use a pseudo-random serial number on the dummy cert
+- change default ssl.conf to point at /etc/pki/tls
+- merge back -suexec subpackage; SELinux policy can now be
+ used to persistently disable suexec (#155716)
+- drop /etc/httpd/conf/ssl.* directories and Makefiles
+- unconditionally enable PIE support
+- mod_ssl: fix for picking up -shutdown options (upstream #34452)
+
* Mon Apr 18 2005 Joe Orton <jorton@redhat.com> 2.0.54-4
- replace PreReq with Requires(pre)
diff --git a/ssl.conf b/ssl.conf
index 332dc44..f489c66 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -107,21 +107,16 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time. Keep in mind that if you've both a RSA and a DSA
-# certificate you can configure both in parallel (to also allow
-# the use of DSA ciphers, etc.)
-SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
-#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
-#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
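Review bot: The new comment `# certificate can be generated using the genkey(1) command.` points at a tool this package does not ship, and the spec changes in this commit add no dependency on whatever provides it, so on a minimal install the advice may name a command that is absent; either say in the comment which package provides genkey or add that dependency to mod_ssl. Note also that these paths are under /etc/pki/tls while the certdir/keydir macros added to httpd.spec in this commit expand to /etc/pki/ssl, so one side must change for the generated files to be found. The `SSLCipherSuite ... +LOW:+SSLv2:+EXP` line shown in the hunk header is untouched context, but it leaves export-grade and SSLv2 ciphers enabled by default and deserves its own follow-up.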
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@@ -130,27 +125,13 @@ SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
-#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
-# Note: Inside SSLCACertificatePath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCACertificatePath /etc/httpd/conf/ssl.crt
-#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
-
-# Certificate Revocation Lists (CRL):
-# Set the CA revocation path where to find CA CRLs for client
-# authentication or alternatively one huge file containing all
-# of them (file must be PEM encoded)
-# Note: Inside SSLCARevocationPath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCARevocationPath /etc/httpd/conf/ssl.crl
-#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
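Review bot: This hunk removes the commented SSLCARevocationPath/SSLCARevocationFile examples without a replacement, so the shipped ssl.conf no longer shows where revocation lists go when client-certificate verification is enabled, and the SSLVerifyClient examples further down lose their only CRL hint. A commented `#SSLCARevocationFile /etc/pki/tls/certs/ca-bundle.crl` next to the new SSLCACertificateFile line would keep the option discoverable in the new layout. The `convinience` typo is in untouched context.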
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
@@ -202,7 +183,7 @@ SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>