authorJoe Orton <jorton@redhat.com>2015-10-14 09:06:30 +0100
committerJoe Orton <jorton@redhat.com>2015-10-14 09:06:30 +0100
commit91a2788bcecc45df329bd121a15ea7ec86285d82 (patch)
tree6d25f179bb44ee1fc7db8578039b7262efc7d59c
parentc119a5ba7a64c7a49e774282c7b66a99b6d5132e (diff)
update to 2.4.17 (#1271224)
- build, load mod_http2 - don't build mod_asis, mod_file_cache - load mod_cache_socache, mod_proxy_wstunnel by default - check every built mod_* is configured - synch ssl.conf with upstream; disable SSLv3 by default Resolves: rhbz#1271224
-rw-r--r--.gitignore1
-rw-r--r--00-base.conf2
-rw-r--r--00-optional.conf1
-rw-r--r--00-proxy.conf1
-rw-r--r--httpd-2.4.10-sslciphdefault.patch20
-rw-r--r--httpd-2.4.17-sslciphdefault.patch33
-rw-r--r--httpd.spec27
-rw-r--r--sources2
-rw-r--r--ssl.conf31
9 files changed, 74 insertions, 44 deletions
diff --git a/.gitignore b/.gitignore
index 654f469..2abdf3f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ x86_64
/httpd-2.4.10.tar.bz2
/httpd-2.4.12.tar.bz2
/httpd-2.4.16.tar.bz2
+/httpd-2.4.17.tar.bz2
diff --git a/00-base.conf b/00-base.conf
index 964de69..c109de6 100644
--- a/00-base.conf
+++ b/00-base.conf
@@ -25,6 +25,7 @@ LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
+LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
@@ -36,6 +37,7 @@ LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
+LoadModule http2_module modules/mod_http2.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
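Review bot: `LoadModule http2_module modules/mod_http2.so` is added to the always-loaded base set with no comment, although as far as I recall loading the module alone does not switch on HTTP/2 — a `Protocols h2 http/1.1` (or `h2c`) setting is also needed — and 2.4.17 is the first release shipping mod_http2. A one-line comment above it would head off the "why is h2 not negotiated" question: `# HTTP/2 is only negotiated where the Protocols directive lists h2/h2c.` If the module is meant to stay opt-in until it settles, 00-optional.conf (commented-out LoadModule) is the place this packaging already uses for that.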
diff --git a/00-optional.conf b/00-optional.conf
index b8c43c6..208a48e 100644
--- a/00-optional.conf
+++ b/00-optional.conf
@@ -11,6 +11,7 @@
#LoadModule dialup_module modules/mod_dialup.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule log_debug_module modules/mod_log_debug.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule sed_module modules/mod_sed.so
diff --git a/00-proxy.conf b/00-proxy.conf
index a446822..cc0bca0 100644
--- a/00-proxy.conf
+++ b/00-proxy.conf
@@ -13,3 +13,4 @@ LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/httpd-2.4.10-sslciphdefault.patch b/httpd-2.4.10-sslciphdefault.patch
deleted file mode 100644
index 37a74e3..0000000
--- a/httpd-2.4.10-sslciphdefault.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1109119
-
-Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
-
---- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
-+++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
-@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-
-- /* always disable null and export ciphers */
-- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
-+ /* Disable null and export ciphers by default, except for PROFILE=
-+ * configs where the parser doesn't cope. */
-+ if (strncmp(arg, "PROFILE=", 8) != 0)
-+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
-
- if (cmd->path) {
- dc->szCipherSuite = arg;
diff --git a/httpd-2.4.17-sslciphdefault.patch b/httpd-2.4.17-sslciphdefault.patch
new file mode 100644
index 0000000..8efc461
--- /dev/null
+++ b/httpd-2.4.17-sslciphdefault.patch
@@ -0,0 +1,33 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.17/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.17/modules/ssl/ssl_engine_config.c
+@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+ if (cmd->path) {
+ dc->szCipherSuite = arg;
+@@ -1428,8 +1430,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+ sc->proxy->auth.cipher_suite = arg;
+
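Review bot: The PROFILE= branch silently skips the `:!aNULL:!eNULL:!EXP` suffix, so for `SSLCipherSuite PROFILE=SYSTEM` the exclusion of anonymous, null and export ciphers rests entirely on the system profile, and nothing in the patch description says so. I'd add one sentence to the description at the top of the file: `When PROFILE= is used nothing is appended, so the profile itself must exclude aNULL/eNULL/EXP ciphers.` The `strncmp(arg, "PROFILE=", 8)` test is a case-sensitive prefix match only, which the in-code comment could state so nobody later "fixes" it into a substring search. Both ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite continue outside the quoted hunks.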
diff --git a/httpd.spec b/httpd.spec
index 1d62390..8f10cd4 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
-Version: 2.4.16
+Version: 2.4.17
Release: 1%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -61,7 +61,7 @@ Patch29: httpd-2.4.10-mod_systemd.patch
Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch34: httpd-2.4.9-socket-activation.patch
-Patch35: httpd-2.4.10-sslciphdefault.patch
+Patch35: httpd-2.4.17-sslciphdefault.patch
# Bug fixes
Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch
@@ -73,7 +73,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: autoconf, perl, pkgconfig, findutils, xmlto
BuildRequires: zlib-devel, libselinux-devel, lua-devel
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
-BuildRequires: systemd-devel
+BuildRequires: systemd-devel, libnghttp2-devel
Requires: /etc/mime.types, system-logos-httpd
Obsoletes: httpd-suexec
Provides: webserver
@@ -204,7 +204,7 @@ interface for storing and accessing per-user session data.
%patch29 -p1 -b .systemd
%patch30 -p1 -b .cachehardmax
%patch31 -p1 -b .sslmultiproxy
-%patch34 -p1 -b .socketactivation
+#patch34 -p1 -b .socketactivation
%patch35 -p1 -b .sslciphdefault
%patch55 -p1 -b .malformedhost
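Review bot: `#patch34 -p1 -b .socketactivation` disables the socket-activation patch without saying why, while `Patch34: httpd-2.4.9-socket-activation.patch` stays declared in the earlier hunk and the new changelog entry does not mention it. Leaving the `%` out of the commented line is right (rpm still expands macros inside comments), but the reason belongs next to it, e.g. `# patch34 (socket activation) disabled: <reason, e.g. needs rebasing to 2.4.17>`, so the next update knows whether to drop or rebase it. If it is meant to stay off, removing the Patch34 declaration as well keeps the spec honest about what is applied.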
@@ -278,7 +278,8 @@ export LYNX_PATH=/usr/bin/links
--enable-ldap --enable-authnz-ldap \
--enable-cgid --enable-cgi \
--enable-authn-anon --enable-authn-alias \
- --disable-imagemap \
+ --disable-imagemap --disable-file-cache \
+ --disable-asis
$*
make %{?_smp_mflags}
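Review bot: `--disable-asis` ends the configure command: unlike `--disable-imagemap --disable-file-cache \` just above it, the added line has no trailing backslash, so `$*` on the next line would run as a separate shell command instead of being passed to configure, and whatever arguments the enclosing function forwards through `$*` would never reach configure. This rendering keeps the backslashes on the other continuation lines, so it is unlikely to be an extraction artifact, but confirm against the raw file. The fix is `--disable-asis \`. The configure invocation starts above the hunk.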
@@ -529,6 +530,14 @@ if readelf -d $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so | grep TEXTREL; then
: modules contain non-relocatable code
exit 1
fi
+# Ensure every mod_* that's built is loaded.
+for f in $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so; do
+ m=${f##*/}
+ if ! grep -q $m $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then
+ echo ERROR: Module $m not configured. Disable it, or load it.
+ exit 1
+ fi
+done
%clean
rm -rf $RPM_BUILD_ROOT
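Review bot: `grep -q $m` in the new module check uses the module file name as an unquoted basic regex, so the `.` in e.g. `mod_http2.so` matches any character and a name containing whitespace would split into several patterns; a fixed-string match is what is meant: `if ! grep -qF -- "$m" $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then`. The check deliberately accepts commented-out `#LoadModule` lines (the `00-optional.conf` hunk adds one for mod_log_forensic), which matches the "Disable it, or load it" message, but a comment saying so would stop the next reader from tightening it by accident: `# A commented-out LoadModule line counts: the goal is that every built module is a deliberate decision.`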
@@ -665,6 +674,14 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Tue Oct 13 2015 Joe Orton <jorton@redhat.com> - 2.4.17-1
+- update to 2.4.17 (#1271224)
+- build, load mod_http2
+- don't build mod_asis, mod_file_cache
+- load mod_cache_socache, mod_proxy_wstunnel by default
+- check every built mod_* is configured
+- synch ssl.conf with upstream; disable SSLv3 by default
+
* Wed Jul 15 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.12-4
- update to 2.4.16
diff --git a/sources b/sources
index 820ee71..c7410a8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2b19cd338fd526dd5a63c57b1e9bfee2 httpd-2.4.16.tar.bz2
+cf4dfee11132cde836022f196611a8b7 httpd-2.4.17.tar.bz2
diff --git a/ssl.conf b/ssl.conf
index 9dba7c9..e8e6c97 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -69,31 +69,26 @@ LogLevel warn
# Enable/Disable SSL for this virtual host.
SSLEngine on
-# SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# List the protocol versions which clients are allowed to connect with.
+# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
+# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
+# protocol or later should remain in use.
+SSLProtocol all -SSLv3
+SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
-#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite PROFILE=SYSTEM
-
-# Speed-optimized SSL Cipher configuration:
-# If speed is your main concern (on busy HTTPS servers e.g.),
-# you might want to force clients to specific, performance
-# optimized ciphers. In this case, prepend those ciphers
-# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-# Caveat: by giving precedence to RC4-SHA and AES128-SHA
-# (as in the example below), most connections will no longer
-# have perfect forward secrecy - if the server's key is
-# compromised, captures of past or future traffic must be
-# considered compromised, too.
-#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on
+SSLProxyCipherSuite PROFILE=SYSTEM
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
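Review bot: The cipher-suite comment block (`# SSL Cipher Suite:` through `# update-crypto-policies(8) for more details.`) now sits above `SSLCipherSuite PROFILE=SYSTEM` and the new `SSLProxyCipherSuite PROFILE=SYSTEM`, but does not say that with a PROFILE= value the `!aNULL:!eNULL:!EXP` exclusions that the package's sslciphdefault patch otherwise appends are not applied. I'd add one line after `# update-crypto-policies(8) for more details.`: `# With PROFILE=SYSTEM the system policy alone decides which ciphers are excluded.` The `SSLHonorCipherOrder on` comment could likewise note that the order being enforced is the one the system profile yields. The hunk covers only the SSL section of the virtual host; the enclosing `<VirtualHost>` block is outside it.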