authorLuboš Uhliarik <luhliari@redhat.com>2017-06-19 11:48:36 +0200
committerLuboš Uhliarik <luhliari@redhat.com>2017-06-19 11:48:36 +0200
commitfd6452a0f2d4aa85e5f8e757be7f0b89511cdf0e (patch)
treeb713575a6719a87b365c4033f773ffbce3b6b8e5
parentfce414a1c1f39ab4631e9747b212e037276d295d (diff)
new version 2.4.26
-rw-r--r--.gitignore1
-rw-r--r--httpd-2.4.10-sigint.patch25
-rw-r--r--httpd-2.4.23-openssl11.patch1311
-rw-r--r--httpd-2.4.25-r1738878.patch14
-rw-r--r--httpd-2.4.25-r1778319+.patch34
-rw-r--r--httpd-2.4.25-r1787141.patch103
-rw-r--r--httpd.spec18
-rw-r--r--sources2
8 files changed, 20 insertions, 1488 deletions
diff --git a/.gitignore b/.gitignore
index 65aa7f9..e51254b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@ x86_64
/httpd-2.4.25.tar.bz2
/httpd.socket.8
/httpd.service.8
+/httpd-2.4.26.tar.bz2
diff --git a/httpd-2.4.10-sigint.patch b/httpd-2.4.10-sigint.patch
index 7574a9c..ecdd82e 100644
--- a/httpd-2.4.10-sigint.patch
+++ b/httpd-2.4.10-sigint.patch
@@ -1,24 +1,10 @@
-From 20656c3b77cc548b59fea3bde5e2b7705d71c427 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20Kalu=C5=BEa?= <jkaluza@apache.org>
-Date: Mon, 18 Aug 2014 07:43:43 +0000
-Subject: [PATCH] prefork: Ignore SIGINT in child. This fixes race-condition in
- signals handling when httpd is runnning on foreground and user hits ctrl+c.
- In this case, SIGINT is sent to all children followed by SIGTERM from the
- main process, which interrupts the SIGINT handler and leads to inconsistency
- (process freezes or crashes).
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1618555 13f79535-47bb-0310-9956-ffa450edef68
----
- server/mpm/prefork/prefork.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
-index 8790ec0..d6c038b 100644
+index 559f90a..a386a75 100644
--- a/server/mpm/prefork/prefork.c
+++ b/server/mpm/prefork/prefork.c
-@@ -222,6 +222,9 @@ static void clean_child_exit(int code)
+@@ -220,6 +220,9 @@ static void clean_child_exit(int code)
{
- mpm_state = AP_MPMQ_STOPPING;
+ retained->mpm->mpm_state = AP_MPMQ_STOPPING;
+ apr_signal(SIGHUP, SIG_IGN);
+ apr_signal(SIGTERM, SIG_IGN);
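Review bot: The refreshed patch file no longer records where the change came from. The header removed at the top of this hunk was the only place naming the upstream revision (trunk@1618555), the author and the reason for ignoring SIGINT in the prefork child, and the last hunk of this file drops the format-patch trailer too. The patch is kept rather than deleted in this update, so a later rebase or audit has nothing in the file to show whether the downstream signal-handling change is still needed or already merged upstream. I would keep a short header above the inner `diff --git` line, for example `Upstream: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1618555 (prefork: Ignore SIGINT in child)`. The body of the make_child change lies outside the visible hunks, so this note covers only the header.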
@@ -26,7 +12,7 @@ index 8790ec0..d6c038b 100644
if (pchild) {
apr_pool_destroy(pchild);
}
-@@ -817,6 +820,13 @@ static int make_child(server_rec *s, int slot)
+@@ -699,6 +702,13 @@ static int make_child(server_rec *s, int slot, int bucket)
*/
apr_signal(SIGHUP, just_die);
apr_signal(SIGTERM, just_die);
@@ -40,6 +26,3 @@ index 8790ec0..d6c038b 100644
/* The child process just closes listeners on AP_SIG_GRACEFUL.
* The pod is used for signalling the graceful restart.
*/
---
-2.0.4
-
diff --git a/httpd-2.4.23-openssl11.patch b/httpd-2.4.23-openssl11.patch
deleted file mode 100644
index 61ff849..0000000
--- a/httpd-2.4.23-openssl11.patch
+++ /dev/null
@@ -1,1311 +0,0 @@
-
-Diff to https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/
-as of upstream r1769589.
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index dd0e2ea..907fbe8 100644
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -579,7 +579,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
- dnl Run library and function checks
- liberrors=""
- AC_CHECK_HEADERS([openssl/engine.h])
-- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
-+ AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
- AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
- if test "x$liberrors" != "x"; then
- AC_MSG_WARN([OpenSSL libraries are unusable])
-diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
-index 9e63a7d..adc90d1 100644
---- a/modules/ssl/mod_ssl.c
-+++ b/modules/ssl/mod_ssl.c
-@@ -312,7 +312,13 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_cleanup();
- #endif
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
-+ ERR_remove_thread_state(NULL);
-+#else
- ERR_remove_state(0);
-+#endif
-+#endif
-
- /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
- * actually loaded the error strings once per process due to static
-@@ -342,7 +348,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_malloc_init();
-+#else
-+ OPENSSL_malloc_init();
-+#endif
- ERR_load_crypto_strings();
- SSL_load_error_strings();
- SSL_library_init();
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index cb3efa2..ba79ef3 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -47,21 +47,50 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
- #define KEYTYPES "RSA or DSA"
- #endif
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+/* OpenSSL Pre-1.1.0 compatibility */
-+/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
-+static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+ /* q is optional */
-+ if (p == NULL || g == NULL)
-+ return 0;
-+ BN_free(dh->p);
-+ BN_free(dh->q);
-+ BN_free(dh->g);
-+ dh->p = p;
-+ dh->q = q;
-+ dh->g = g;
-+
-+ if (q != NULL) {
-+ dh->length = BN_num_bits(q);
-+ }
-+
-+ return 1;
-+}
-+#endif
-+
- /*
-- * Grab well-defined DH parameters from OpenSSL, see the get_rfc*
-+ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
- * functions in <openssl/bn.h> for all available primes.
- */
--static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
-+static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *))
- {
- DH *dh = DH_new();
-+ BIGNUM *p, *g;
-
- if (!dh) {
- return NULL;
- }
-- dh->p = prime(NULL);
-- BN_dec2bn(&dh->g, gen);
-- if (!dh->p || !dh->g) {
-+ p = prime(NULL);
-+ g = BN_new();
-+ if (g != NULL) {
-+ BN_set_word(g, 2);
-+ }
-+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
- DH_free(dh);
-+ BN_free(p);
-+ BN_free(g);
- return NULL;
- }
- return dh;
-@@ -73,12 +102,12 @@ static struct dhparam {
- DH *dh; /* ...this, used for keys.... */
- const unsigned int min; /* ...of length >= this. */
- } dhparams[] = {
-- { get_rfc3526_prime_8192, NULL, 6145 },
-- { get_rfc3526_prime_6144, NULL, 4097 },
-- { get_rfc3526_prime_4096, NULL, 3073 },
-- { get_rfc3526_prime_3072, NULL, 2049 },
-- { get_rfc3526_prime_2048, NULL, 1025 },
-- { get_rfc2409_prime_1024, NULL, 0 }
-+ { BN_get_rfc3526_prime_8192, NULL, 6145 },
-+ { BN_get_rfc3526_prime_6144, NULL, 4097 },
-+ { BN_get_rfc3526_prime_4096, NULL, 3073 },
-+ { BN_get_rfc3526_prime_3072, NULL, 2049 },
-+ { BN_get_rfc3526_prime_2048, NULL, 1025 },
-+ { BN_get_rfc2409_prime_1024, NULL, 0 }
- };
-
- static void init_dh_params(void)
-@@ -86,7 +115,7 @@ static void init_dh_params(void)
- unsigned n;
-
- for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
-- dhparams[n].dh = make_dh_params(dhparams[n].prime, "2");
-+ dhparams[n].dh = make_dh_params(dhparams[n].prime);
- }
-
- static void free_dh_params(void)
-@@ -153,7 +182,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
- "Init: this version of mod_ssl was compiled against "
- "a newer library (%s, version currently loaded is %s)"
- " - may result in undefined or erroneous behavior",
-- MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
-+ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
- }
-
- /* We initialize mc->pid per-process in the child init,
-@@ -228,9 +257,11 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
- #endif
- }
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- #if APR_HAS_THREADS
- ssl_util_thread_setup(p);
- #endif
-+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-
- /*
- * SSL external crypto device ("engine") support
-@@ -351,6 +382,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
- modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
-
- init_dh_params();
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ init_bio_methods();
-+#endif
-
- return OK;
- }
-@@ -481,6 +515,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
- char *cp;
- int protocol = mctx->protocol;
- SSLSrvConfigRec *sc = mySrvConfig(s);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ int prot;
-+#endif
-
- /*
- * Create the new per-server SSL context
-@@ -506,6 +543,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
- ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
- "Creating new SSL context (protocols: %s)", cp);
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- #ifndef OPENSSL_NO_SSL3
- if (protocol == SSL_PROTOCOL_SSLV3) {
- method = mctx->pkp ?
-@@ -536,12 +574,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
- SSLv23_client_method() : /* proxy */
- SSLv23_server_method(); /* server */
- }
-+#else
-+ method = mctx->pkp ?
-+ TLS_client_method() : /* proxy */
-+ TLS_server_method(); /* server */
-+#endif
- ctx = SSL_CTX_new(method);
-
- mctx->ssl_ctx = ctx;
-
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- /* always disable SSLv2, as per RFC 6176 */
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-
-@@ -565,6 +609,43 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
- }
- #endif
-
-+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-+ /* We first determine the maximum protocol version we should provide */
-+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
-+ prot = TLS1_2_VERSION;
-+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
-+ prot = TLS1_1_VERSION;
-+ } else if (protocol & SSL_PROTOCOL_TLSV1) {
-+ prot = TLS1_VERSION;
-+#ifndef OPENSSL_NO_SSL3
-+ } else if (protocol & SSL_PROTOCOL_SSLV3) {
-+ prot = SSL3_VERSION;
-+#endif
-+ } else {
-+ SSL_CTX_free(ctx);
-+ mctx->ssl_ctx = NULL;
-+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
-+ "No SSL protocols available [hint: SSLProtocol]");
-+ return ssl_die(s);
-+ }
-+ SSL_CTX_set_max_proto_version(ctx, prot);
-+
-+ /* Next we scan for the minimal protocol version we should provide,
-+ * but we do not allow holes between max and min */
-+ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
-+ prot = TLS1_1_VERSION;
-+ }
-+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
-+ prot = TLS1_VERSION;
-+ }
-+#ifndef OPENSSL_NO_SSL3
-+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
-+ prot = SSL3_VERSION;
-+ }
-+#endif
-+ SSL_CTX_set_min_proto_version(ctx, prot);
-+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
- #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
- if (sc->cipher_server_pref == TRUE) {
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-@@ -858,7 +939,7 @@ static int use_certificate_chain(
- unsigned long err;
- int n;
-
-- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-+ if ((bio = BIO_new(BIO_s_file())) == NULL)
- return -1;
- if (BIO_read_filename(bio, file) <= 0) {
- BIO_free(bio);
-@@ -1200,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
- "Custom DH parameters (%d bits) for %s loaded from %s",
-- BN_num_bits(dhparams->p), vhost_id, certfile);
-+ DH_bits(dhparams), vhost_id, certfile);
- DH_free(dhparams);
- }
-
-@@ -1721,7 +1802,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
- "an OpenSSL version with support for TLS extensions "
- "(RFC 6066 - Server Name Indication / SNI), "
- "but the currently used library version (%s) is "
-- "lacking this feature", SSLeay_version(SSLEAY_VERSION));
-+ "lacking this feature", MODSSL_LIBRARY_DYNTEXT);
- }
- #endif
-
-@@ -1917,6 +1998,9 @@ apr_status_t ssl_init_ModuleKill(void *data)
- ssl_init_ctx_cleanup(sc->server);
- }
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ free_bio_methods();
-+#endif
- free_dh_params();
-
- return APR_SUCCESS;
-diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
-index 82953ad..b463e1a 100644
---- a/modules/ssl/ssl_engine_io.c
-+++ b/modules/ssl/ssl_engine_io.c
-@@ -149,7 +149,7 @@ static int bio_filter_out_pass(bio_filter_out_ctx_t *outctx)
- * success, -1 on failure. */
- static int bio_filter_out_flush(BIO *bio)
- {
-- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- apr_bucket *e;
-
- AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
-@@ -162,10 +162,16 @@ static int bio_filter_out_flush(BIO *bio)
-
- static int bio_filter_create(BIO *bio)
- {
-- bio->shutdown = 1;
-- bio->init = 1;
-+ BIO_set_shutdown(bio, 1);
-+ BIO_set_init(bio, 1);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ /* No setter method for OpenSSL 1.1.0 available,
-+ * but I can't find any functional use of the
-+ * "num" field there either.
-+ */
- bio->num = -1;
-- bio->ptr = NULL;
-+#endif
-+ BIO_set_data(bio, NULL);
-
- return 1;
- }
-@@ -190,7 +196,7 @@ static int bio_filter_out_read(BIO *bio, char *out, int outl)
-
- static int bio_filter_out_write(BIO *bio, const char *in, int inl)
- {
-- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- apr_bucket *e;
- int need_flush;
-
-@@ -241,7 +247,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
- static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
- {
- long ret = 1;
-- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
-
- switch (cmd) {
- case BIO_CTRL_RESET:
-@@ -257,10 +263,10 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
- ret = 0;
- break;
- case BIO_CTRL_GET_CLOSE:
-- ret = (long)bio->shutdown;
-+ ret = (long)BIO_get_shutdown(bio);
- break;
- case BIO_CTRL_SET_CLOSE:
-- bio->shutdown = (int)num;
-+ BIO_set_shutdown(bio, (int)num);
- break;
- case BIO_CTRL_FLUSH:
- ret = bio_filter_out_flush(bio);
-@@ -294,19 +300,6 @@ static int bio_filter_out_puts(BIO *bio, const char *str)
- return -1;
- }
-
--static BIO_METHOD bio_filter_out_method = {
-- BIO_TYPE_MEM,
-- "APR output filter",
-- bio_filter_out_write,
-- bio_filter_out_read, /* read is never called */
-- bio_filter_out_puts, /* puts is never called */
-- bio_filter_out_gets, /* gets is never called */
-- bio_filter_out_ctrl,
-- bio_filter_create,
-- bio_filter_destroy,
-- NULL
--};
--
- typedef struct {
- int length;
- char *value;
-@@ -456,7 +449,7 @@ static apr_status_t brigade_consume(apr_bucket_brigade *bb,
- static int bio_filter_in_read(BIO *bio, char *in, int inlen)
- {
- apr_size_t inl = inlen;
-- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
-+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- apr_read_type_e block = inctx->block;
-
- inctx->rc = APR_SUCCESS;
-@@ -536,20 +529,86 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
- return -1;
- }
-
-+static int bio_filter_in_write(BIO *bio, const char *in, int inl)
-+{
-+ return -1;
-+}
-+
-+static int bio_filter_in_puts(BIO *bio, const char *str)
-+{
-+ return -1;
-+}
-+
-+static int bio_filter_in_gets(BIO *bio, char *buf, int size)
-+{
-+ return -1;
-+}
-+
-+static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
-+{
-+ return -1;
-+}
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+static BIO_METHOD bio_filter_out_method = {
-+ BIO_TYPE_MEM,
-+ "APR output filter",
-+ bio_filter_out_write,
-+ bio_filter_out_read, /* read is never called */
-+ bio_filter_out_puts, /* puts is never called */
-+ bio_filter_out_gets, /* gets is never called */
-+ bio_filter_out_ctrl,
-+ bio_filter_create,
-+ bio_filter_destroy,
-+ NULL
-+};
-
- static BIO_METHOD bio_filter_in_method = {
- BIO_TYPE_MEM,
- "APR input filter",
-- NULL, /* write is never called */
-+ bio_filter_in_write, /* write is never called */
- bio_filter_in_read,
-- NULL, /* puts is never called */
-- NULL, /* gets is never called */
-- NULL, /* ctrl is never called */
-+ bio_filter_in_puts, /* puts is never called */
-+ bio_filter_in_gets, /* gets is never called */
-+ bio_filter_in_ctrl, /* ctrl is never called */
- bio_filter_create,
- bio_filter_destroy,
- NULL
- };
-
-+#else
-+
-+static BIO_METHOD *bio_filter_out_method = NULL;
-+static BIO_METHOD *bio_filter_in_method = NULL;
-+
-+void init_bio_methods(void)
-+{
-+ bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter");
-+ BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write);
-+ BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */
-+ BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */
-+ BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */
-+ BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl);
-+ BIO_meth_set_create(bio_filter_out_method, &bio_filter_create);
-+ BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy);
-+
-+ bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter");
-+ BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */
-+ BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read);
-+ BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */
-+ BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */
-+ BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */
-+ BIO_meth_set_create(bio_filter_in_method, &bio_filter_create);
-+ BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy);
-+}
-+
-+void free_bio_methods(void)
-+{
-+ BIO_meth_free(bio_filter_out_method);
-+ BIO_meth_free(bio_filter_in_method);
-+}
-+#endif
-
- static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
- char *buf,
-@@ -789,7 +848,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
- */
- ERR_clear_error();
-
-- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
-+ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
- res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
-
- if (res < 0) {
-@@ -1267,9 +1326,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
-
- if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
-- (filter_ctx->pbioRead->ptr);
-+ BIO_get_data(filter_ctx->pbioRead);
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
-- (filter_ctx->pbioWrite->ptr);
-+ BIO_get_data(filter_ctx->pbioWrite);
- apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
- ssl_err = SSL_get_error(filter_ctx->pssl, n);
-
-@@ -1682,8 +1741,8 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
- return ap_pass_brigade(f->next, bb);
- }
-
-- inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
-- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
-+ inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead);
-+ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
-
- /* When we are the writer, we must initialize the inctx
- * mode so that we block for any required ssl input, because
-@@ -1964,8 +2023,12 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
-
- filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
-- filter_ctx->pbioRead->ptr = (void *)inctx;
-+#else
-+ filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
-+#endif
-+ BIO_set_data(filter_ctx->pbioRead, (void *)inctx);
-
- inctx->ssl = ssl;
- inctx->bio_out = filter_ctx->pbioWrite;
-@@ -1995,8 +2058,12 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl)
- filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
- filter_ctx, r, c);
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
-- filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c);
-+#else
-+ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
-+#endif
-+ BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c));
-
- /* write is non blocking for the benefit of async mpm */
- if (c->cs) {
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-index d4459a2..da2776f 100644
---- a/modules/ssl/ssl_engine_kernel.c
-+++ b/modules/ssl/ssl_engine_kernel.c
-@@ -80,7 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r)
- SSL_set_accept_state(ssl);
- SSL_do_handshake(ssl);
-
-- if (SSL_get_state(ssl) != SSL_ST_OK) {
-+ if (!SSL_is_init_finished(ssl)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
- "TLS upgrade handshake failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
-@@ -114,6 +114,7 @@ static int has_buffered_data(request_rec *r)
- return result;
- }
-
-+#ifdef HAVE_TLSEXT
- static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
- {
- int i;
-@@ -215,6 +216,7 @@ static int ssl_server_compatible(server_rec *s1, server_rec *s2)
-
- return 1;
- }
-+#endif
-
- /*
- * Post Read Request Handler
-@@ -432,7 +434,7 @@ int ssl_hook_Access(request_rec *r)
- X509 *cert;
- X509 *peercert;
- X509_STORE *cert_store = NULL;
-- X509_STORE_CTX cert_store_ctx;
-+ X509_STORE_CTX *cert_store_ctx;
- STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
- const SSL_CIPHER *cipher = NULL;
- int depth, verify_old, verify, n, is_slave = 0;
-@@ -456,7 +458,7 @@ int ssl_hook_Access(request_rec *r)
- * forbidden in the latter case, let ap_die() handle
- * this recursive (same) error.
- */
-- if (SSL_get_state(ssl) != SSL_ST_OK) {
-+ if (!SSL_is_init_finished(ssl)) {
- return HTTP_FORBIDDEN;
- }
- ctx = SSL_get_SSL_CTX(ssl);
-@@ -622,7 +624,7 @@ int ssl_hook_Access(request_rec *r)
- !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
- n++)
- {
-- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
-+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
-
- if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
- renegotiate = TRUE;
-@@ -633,7 +635,7 @@ int ssl_hook_Access(request_rec *r)
- !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
- n++)
- {
-- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
-+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
-
- if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
- renegotiate = TRUE;
-@@ -914,25 +916,27 @@ int ssl_hook_Access(request_rec *r)
- cert = sk_X509_value(cert_stack, 0);
- }
-
-- X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
-+ cert_store_ctx = X509_STORE_CTX_new();
-+ X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
- depth = SSL_get_verify_depth(ssl);
-
- if (depth >= 0) {
-- X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
-+ X509_STORE_CTX_set_depth(cert_store_ctx, depth);
- }
-
-- X509_STORE_CTX_set_ex_data(&cert_store_ctx,
-+ X509_STORE_CTX_set_ex_data(cert_store_ctx,
- SSL_get_ex_data_X509_STORE_CTX_idx(),
- (char *)ssl);
-
-- if (!X509_verify_cert(&cert_store_ctx)) {
-+ if (!X509_verify_cert(cert_store_ctx)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
- "Re-negotiation verification step failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
- }
-
-- SSL_set_verify_result(ssl, cert_store_ctx.error);
-- X509_STORE_CTX_cleanup(&cert_store_ctx);
-+ SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx));
-+ X509_STORE_CTX_cleanup(cert_store_ctx);
-+ X509_STORE_CTX_free(cert_store_ctx);
-
- if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
- /* we created this ourselves, so free it */
-@@ -940,6 +944,7 @@ int ssl_hook_Access(request_rec *r)
- }
- }
- else {
-+ char peekbuf[1];
- const char *reneg_support;
- request_rec *id = r->main ? r->main : r;
-
-@@ -983,7 +988,7 @@ int ssl_hook_Access(request_rec *r)
- SSL_renegotiate(ssl);
- SSL_do_handshake(ssl);
-
-- if (SSL_get_state(ssl) != SSL_ST_OK) {
-+ if (!SSL_is_init_finished(ssl)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
- "Re-negotiation request failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
-@@ -999,16 +1004,15 @@ int ssl_hook_Access(request_rec *r)
- * However, this causes failures in perl-framework currently,
- * perhaps pre-test if we have already negotiated?
- */
--#ifdef OPENSSL_NO_SSL_INTERN
-- SSL_set_state(ssl, SSL_ST_ACCEPT);
--#else
-- ssl->state = SSL_ST_ACCEPT;
--#endif
-- SSL_do_handshake(ssl);
-+ /* Need to trigger renegotiation handshake by reading.
-+ * Peeking 0 bytes actually works.
-+ * See: http://marc.info/?t=145493359200002&r=1&w=2
-+ */
-+ SSL_peek(ssl, peekbuf, 0);
-
- sslconn->reneg_state = RENEG_REJECT;
-
-- if (SSL_get_state(ssl) != SSL_ST_OK) {
-+ if (!SSL_is_init_finished(ssl)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
- "Re-negotiation handshake failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
-@@ -1513,7 +1517,11 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
- SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
- #endif
- pkey = SSL_get_privatekey(ssl);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
-+#else
-+ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
-+#endif
-
- /*
- * OpenSSL will call us with either keylen == 512 or keylen == 1024
-@@ -1725,11 +1733,19 @@ static void modssl_proxy_info_log(conn_rec *c,
- * so we need to increment here to prevent them from
- * being freed.
- */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- #define modssl_set_cert_info(info, cert, pkey) \
- *cert = info->x509; \
- CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
- *pkey = info->x_pkey->dec_pkey; \
- CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
-+#else
-+#define modssl_set_cert_info(info, cert, pkey) \
-+ *cert = info->x509; \
-+ X509_up_ref(*cert); \
-+ *pkey = info->x_pkey->dec_pkey; \
-+ EVP_PKEY_up_ref(*pkey);
-+#endif
-
- int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
- {
-@@ -1823,7 +1839,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
-
- static void ssl_session_log(server_rec *s,
- const char *request,
-- unsigned char *id,
-+ IDCONST unsigned char *id,
- unsigned int idlen,
- const char *status,
- const char *result,
-@@ -1863,7 +1879,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
- SSLSrvConfigRec *sc = mySrvConfig(s);
- long timeout = sc->session_cache_timeout;
- BOOL rc;
-- unsigned char *id;
-+ IDCONST unsigned char *id;
- unsigned int idlen;
-
- /*
-@@ -1907,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
- * of our other Apache pre-forked server processes.
- */
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
-- unsigned char *id,
-+ IDCONST unsigned char *id,
- int idlen, int *do_copy)
- {
- /* Get Apache context back through OpenSSL context */
-@@ -1946,7 +1962,7 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
- {
- server_rec *s;
- SSLSrvConfigRec *sc;
-- unsigned char *id;
-+ IDCONST unsigned char *id;
- unsigned int idlen;
-
- /*
-@@ -2067,15 +2083,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
- /* If the reneg state is to reject renegotiations, check the SSL
- * state machine and move to ABORT if a Client Hello is being
- * read. */
-- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
-- int state = SSL_get_state((SSL *)ssl);
--
-- if (state == SSL3_ST_SR_CLNT_HELLO_A
-- || state == SSL23_ST_SR_CLNT_HELLO_A) {
-+ if (!scr->is_proxy &&
-+ (where & SSL_CB_HANDSHAKE_START) &&
-+ scr->reneg_state == RENEG_REJECT) {
- scr->reneg_state = RENEG_ABORT;
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
- "rejecting client initiated renegotiation");
-- }
- }
- /* If the first handshake is complete, change state to reject any
- * subsequent client-initiated renegotiation. */
-@@ -2279,7 +2292,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
- }
-
- memcpy(keyname, ticket_key->key_name, 16);
-- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
-+ RAND_bytes(iv, EVP_MAX_IV_LENGTH);
- EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
- ticket_key->aes_key, iv);
- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
-@@ -2416,17 +2429,27 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
- SRP_user_pwd *u;
-
- if (username == NULL
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
-+#else
-+ || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) {
-+#endif
- *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
- return SSL3_AL_FATAL;
- }
-
- if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ SRP_user_pwd_free(u);
-+#endif
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL3_AL_FATAL;
- }
-
- /* reset all other options */
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ SRP_user_pwd_free(u);
-+#endif
- SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
- return SSL_ERROR_NONE;
- }
-diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
-index f295651..282a2a2 100644
---- a/modules/ssl/ssl_engine_ocsp.c
-+++ b/modules/ssl/ssl_engine_ocsp.c
-@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
- {
- OCSP_REQUEST *req = OCSP_REQUEST_new();
-
-- *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
-+ *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx));
- if (!*certid || !OCSP_request_add0_id(req, *certid)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
- "could not retrieve certificate id");
-@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
-
- if (rc == V_OCSP_CERTSTATUS_GOOD) {
- /* TODO: allow flags configuration. */
-- if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
-+ if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
- "failed to verify the OCSP response");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
-@@ -262,7 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
- "No cert available to check with OCSP");
- return 1;
- }
-- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-+ else if (X509_check_issued(cert,cert) == X509_V_OK) {
- /* don't do OCSP checking for valid self-issued certs */
- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
- "Skipping OCSP check for valid self-issued cert");
-diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
-index 036cb36..42c22b0 100644
---- a/modules/ssl/ssl_engine_vars.c
-+++ b/modules/ssl/ssl_engine_vars.c
-@@ -380,7 +380,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn,
- char buf[MODSSL_SESSION_ID_STRING_LEN];
- SSL_SESSION *pSession = SSL_get_session(ssl);
- if (pSession) {
-- unsigned char *id;
-+ IDCONST unsigned char *id;
- unsigned int idlen;
-
- #ifdef OPENSSL_NO_SSL_INTERN
-@@ -545,13 +545,25 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
- resdup = FALSE;
- }
- else if (strcEQ(var, "A_SIG")) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
-+#else
-+ ASN1_OBJECT *paobj;
-+ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs));
-+ nid = OBJ_obj2nid(paobj);
-+#endif
- result = apr_pstrdup(p,
- (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
- resdup = FALSE;
- }
- else if (strcEQ(var, "A_KEY")) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
-+#else
-+ ASN1_OBJECT *paobj;
-+ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs));
-+ nid = OBJ_obj2nid(paobj);
-+#endif
- result = apr_pstrdup(p,
- (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
- resdup = FALSE;
-@@ -613,11 +625,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
- for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
- if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
- && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
-- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
-- xsname->entries);
-- j++) {
-- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
-- xsname->entries, j);
-+ for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
-+ xsne = X509_NAME_get_entry(xsname, j);
-
- n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
-
-@@ -919,7 +928,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
- static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
- X509_NAME *xn, apr_pool_t *p)
- {
-- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
- X509_NAME_ENTRY *xsne;
- apr_hash_t *count;
- int i, nid;
-@@ -929,10 +937,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
- count = apr_hash_make(p);
-
- /* For each RDN... */
-- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
-+ for (i = 0; i < X509_NAME_entry_count(xn); i++) {
- const char *tag;
--
-- xsne = sk_X509_NAME_ENTRY_value(ents, i);
-+ xsne = X509_NAME_get_entry(xn, i);
-
- /* Retrieve the nid, and check whether this is one of the nids
- * which are to be extracted. */
-@@ -1106,7 +1113,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
- for (j = 0; j < count; j++) {
- X509_EXTENSION *ext = X509_get_ext(xs, j);
-
-- if (OBJ_cmp(ext->object, oid) == 0) {
-+ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
- BIO *bio = BIO_new(BIO_s_mem());
-
- /* We want to obtain a string representation of the extensions
-diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
-index 7813e41..08de3a1 100644
---- a/modules/ssl/ssl_private.h
-+++ b/modules/ssl/ssl_private.h
-@@ -135,6 +135,13 @@
- #define HAVE_SSL_CONF_CMD
- #endif
-
-+/* session id constness */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define IDCONST
-+#else
-+#define IDCONST const
-+#endif
-+
- /**
- * The following features all depend on TLS extension support.
- * Within this block, check again for features (not version numbers).
-@@ -151,6 +158,8 @@
- /* OCSP stapling */
- #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
- #define HAVE_OCSP_STAPLING
-+/* All exist but are no longer macros since OpenSSL 1.1.0 */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- /* backward compatibility with OpenSSL < 1.0 */
- #ifndef sk_OPENSSL_STRING_num
- #define sk_OPENSSL_STRING_num sk_num
-@@ -161,7 +170,8 @@
- #ifndef sk_OPENSSL_STRING_pop
- #define sk_OPENSSL_STRING_pop sk_pop
- #endif
--#endif
-+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
-+#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
-
- /* TLS session tickets */
- #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
-@@ -189,6 +199,36 @@
-
- #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
-+#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
-+#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
-+#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
-+#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
-+#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
-+#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
-+#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
-+#define BIO_set_init(x,v) (x->init=v)
-+#define BIO_get_data(x) (x->ptr)
-+#define BIO_set_data(x,v) (x->ptr=v)
-+#define BIO_get_shutdown(x) (x->shutdown)
-+#define BIO_set_shutdown(x,v) (x->shutdown=v)
-+#define DH_bits(x) (BN_num_bits(x->p))
-+#else
-+void init_bio_methods(void);
-+void free_bio_methods(void);
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L
-+#define X509_STORE_CTX_get0_store(x) (x->ctx)
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-+#ifndef X509_STORE_CTX_get0_current_issuer
-+#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
-+#endif
-+#endif
-+
- /* mod_ssl headers */
- #include "ssl_util_ssl.h"
-
-@@ -454,12 +494,12 @@ typedef struct {
- * partial fix for CVE-2009-3555. */
- enum {
- RENEG_INIT = 0, /* Before initial handshake */
-- RENEG_REJECT, /* After initial handshake; any client-initiated
-- * renegotiation should be rejected */
-- RENEG_ALLOW, /* A server-initiated renegotiation is taking
-- * place (as dictated by configuration) */
-- RENEG_ABORT /* Renegotiation initiated by client, abort the
-- * connection */
-+ RENEG_REJECT, /* After initial handshake; any client-initiated
-+ * renegotiation should be rejected */
-+ RENEG_ALLOW, /* A server-initiated renegotiation is taking
-+ * place (as dictated by configuration) */
-+ RENEG_ABORT /* Renegotiation initiated by client, abort the
-+ * connection */
- } reneg_state;
-
- server_rec *server;
-@@ -810,7 +850,7 @@ int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
- int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
- int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
- int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
--SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
-+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
- void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
- void ssl_callback_Info(const SSL *, int, int);
- #ifdef HAVE_TLSEXT
-@@ -831,10 +871,10 @@ int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
- apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
- void ssl_scache_status_register(apr_pool_t *p);
- void ssl_scache_kill(server_rec *);
--BOOL ssl_scache_store(server_rec *, UCHAR *, int,
-+BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int,
- apr_time_t, SSL_SESSION *, apr_pool_t *);
--SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
--void ssl_scache_remove(server_rec *, UCHAR *, int,
-+SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
-+void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int,
- apr_pool_t *);
-
- /** Proxy Support */
-@@ -882,7 +922,9 @@ void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
- char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
- const char * const *);
- BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- void ssl_util_thread_setup(apr_pool_t *);
-+#endif
- int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
-
- BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
-diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c
-index 70d1877..7b4a203 100644
---- a/modules/ssl/ssl_scache.c
-+++ b/modules/ssl/ssl_scache.c
-@@ -110,7 +110,7 @@ void ssl_scache_kill(server_rec *s)
-
- }
-
--BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
-+BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen,
- apr_time_t expiry, SSL_SESSION *sess,
- apr_pool_t *p)
- {
-@@ -144,7 +144,7 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
- return rv == APR_SUCCESS ? TRUE : FALSE;
- }
-
--SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
-+SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen,
- apr_pool_t *p)
- {
- SSLModConfigRec *mc = myModConfig(s);
-@@ -173,7 +173,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
- return d2i_SSL_SESSION(NULL, &ptr, destlen);
- }
-
--void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen,
-+void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen,
- apr_pool_t *p)
- {
- SSLModConfigRec *mc = myModConfig(s);
-diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
-index ddde3c7..052d23e 100644
---- a/modules/ssl/ssl_util.c
-+++ b/modules/ssl/ssl_util.c
-@@ -247,6 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *table,
- }
-
- #if APR_HAS_THREADS
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- /*
- * To ensure thread-safetyness in OpenSSL - work in progress
- */
-@@ -362,6 +363,28 @@ static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l,
- apr_pool_destroy(l->pool);
- }
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-+
-+static void ssl_util_thr_id(CRYPTO_THREADID *id)
-+{
-+ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
-+ * id is a structure twice that big. Use the TCB pointer instead as a
-+ * unique unsigned long.
-+ */
-+#ifdef __MVS__
-+ struct PSA {
-+ char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */
-+ unsigned long PSATOLD;
-+ } *psaptr = 0; /* PSA is at address 0 */
-+
-+ CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD);
-+#else
-+ CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current());
-+#endif
-+}
-+
-+#else
-+
- static unsigned long ssl_util_thr_id(void)
- {
- /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
-@@ -380,10 +403,16 @@ static unsigned long ssl_util_thr_id(void)
- #endif
- }
-
-+#endif
-+
- static apr_status_t ssl_util_thread_cleanup(void *data)
- {
- CRYPTO_set_locking_callback(NULL);
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-+ CRYPTO_THREADID_set_callback(NULL);
-+#else
- CRYPTO_set_id_callback(NULL);
-+#endif
-
- CRYPTO_set_dynlock_create_callback(NULL);
- CRYPTO_set_dynlock_lock_callback(NULL);
-@@ -407,7 +436,11 @@ void ssl_util_thread_setup(apr_pool_t *p)
- apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
- }
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-+ CRYPTO_THREADID_set_callback(ssl_util_thr_id);
-+#else
- CRYPTO_set_id_callback(ssl_util_thr_id);
-+#endif
-
- CRYPTO_set_locking_callback(ssl_util_thr_lock);
-
-@@ -422,4 +455,5 @@ void ssl_util_thread_setup(apr_pool_t *p)
- apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup,
- apr_pool_cleanup_null);
- }
--#endif
-+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-+#endif /* #if APR_HAS_THREADS */
-diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
-index a7607c7..9807592 100644
---- a/modules/ssl/ssl_util_ssl.c
-+++ b/modules/ssl/ssl_util_ssl.c
-@@ -488,7 +488,7 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
- ** _________________________________________________________________
- */
-
--char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen,
-+char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen,
- char *str, int strsize)
- {
- if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
-diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
-index 5f74831..4f18f91 100644
---- a/modules/ssl/ssl_util_ssl.h
-+++ b/modules/ssl/ssl_util_ssl.h
-@@ -41,7 +41,11 @@
- #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
- #define MODSSL_LIBRARY_NAME "OpenSSL"
- #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
-+#else
-+#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
-+#endif
-
- /**
- * Maximum length of a DER encoded session.
-@@ -67,7 +71,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsn
- char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
- BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
- BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
--char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
-+char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);
-
- #endif /* __SSL_UTIL_SSL_H__ */
- /** @} */
-diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
-index 413e40f..718a291 100644
---- a/modules/ssl/ssl_util_stapling.c
-+++ b/modules/ssl/ssl_util_stapling.c
-@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
- X509 *issuer = NULL;
- int i;
- X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
-- X509_STORE_CTX inctx;
-+ X509_STORE_CTX *inctx;
- STACK_OF(X509) *extra_certs = NULL;
-
- #ifdef OPENSSL_NO_SSL_INTERN
-@@ -91,18 +91,23 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
- for (i = 0; i < sk_X509_num(extra_certs); i++) {
- issuer = sk_X509_value(extra_certs, i);
- if (X509_check_issued(issuer, x) == X509_V_OK) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
-+#else
-+ X509_up_ref(issuer);
-+#endif
- return issuer;
- }
- }
-
-- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
-+ inctx = X509_STORE_CTX_new();
-+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
- return 0;
-- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
-+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
- issuer = NULL;
-- X509_STORE_CTX_cleanup(&inctx);
-+ X509_STORE_CTX_cleanup(inctx);
-+ X509_STORE_CTX_free(inctx);
- return issuer;
--
- }
-
- int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
-@@ -398,7 +403,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
-
- if (bio) {
- int n;
-- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
-+ ASN1_INTEGER *pserial;
-+ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
-+ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
- ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
- snum[n] = '\0';
- BIO_free(bio);
-diff --git a/support/ab.c b/support/ab.c
-index 072d2e6..3d61b2d 100644
---- a/support/ab.c
-+++ b/support/ab.c
-@@ -2165,6 +2165,14 @@ int main(int argc, const char * const argv[])
- apr_getopt_t *opt;
- const char *opt_arg;
- char c;
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ int max_prot = TLS1_2_VERSION;
-+#ifndef OPENSSL_NO_SSL3
-+ int min_prot = SSL3_VERSION;
-+#else
-+ int min_prot = TLS1_VERSION;
-+#endif
-+#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */
- #ifdef USE_SSL
- AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
- #endif
-@@ -2391,6 +2399,7 @@ int main(int argc, const char * const argv[])
- method_str[CUSTOM_METHOD] = strdup(opt_arg);
- break;
- case 'f':
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (strncasecmp(opt_arg, "ALL", 3) == 0) {
- meth = SSLv23_client_method();
- #ifndef OPENSSL_NO_SSL2
-@@ -2416,6 +2425,31 @@ int main(int argc, const char * const argv[])
- } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
- meth = TLSv1_client_method();
- }
-+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-+ meth = TLS_client_method();
-+ if (strncasecmp(opt_arg, "ALL", 3) == 0) {
-+ max_prot = TLS1_2_VERSION;
-+#ifndef OPENSSL_NO_SSL3
-+ min_prot = SSL3_VERSION;
-+#else
-+ min_prot = TLS1_VERSION;
-+#endif
-+#ifndef OPENSSL_NO_SSL3
-+ } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
-+ max_prot = SSL3_VERSION;
-+ min_prot = SSL3_VERSION;
-+#endif
-+ } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
-+ max_prot = TLS1_1_VERSION;
-+ min_prot = TLS1_1_VERSION;
-+ } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
-+ max_prot = TLS1_2_VERSION;
-+ min_prot = TLS1_2_VERSION;
-+ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
-+ max_prot = TLS1_VERSION;
-+ min_prot = TLS1_VERSION;
-+ }
-+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
- break;
- #ifdef HAVE_TLSEXT
- case 'I':
-@@ -2465,7 +2499,11 @@ int main(int argc, const char * const argv[])
- #ifdef RSAREF
- R_malloc_init();
- #else
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_malloc_init();
-+#else
-+ OPENSSL_malloc_init();
-+#endif
- #endif
- SSL_load_error_strings();
- SSL_library_init();
-@@ -2478,6 +2516,10 @@ int main(int argc, const char * const argv[])
- exit(1);
- }
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot);
-+ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot);
-+#endif
- #ifdef SSL_MODE_RELEASE_BUFFERS
- /* Keep memory usage as low as possible */
- SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
diff --git a/httpd-2.4.25-r1738878.patch b/httpd-2.4.25-r1738878.patch
index c8c18f9..e4b46cc 100644
--- a/httpd-2.4.25-r1738878.patch
+++ b/httpd-2.4.25-r1738878.patch
@@ -73,12 +73,12 @@ index 67353a7..680a8f3 100644
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
"ajp_send_header: ajp_marshal_into_msgb failed");
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
-index d6e6500..2fe71b9 100644
+index f6fb473..f693f63 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
-@@ -308,6 +308,12 @@ static const char *set_worker_param(apr_pool_t *p,
- (int)sizeof(worker->s->flusher));
- PROXY_STRNCPY(worker->s->flusher, val);
+@@ -314,6 +314,12 @@ static const char *set_worker_param(apr_pool_t *p,
+ (int)sizeof(worker->s->upgrade));
+ }
}
+ else if (!strcasecmp(key, "secret")) {
+ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
@@ -90,7 +90,7 @@ index d6e6500..2fe71b9 100644
if (set_worker_hc_param_f) {
return set_worker_hc_param_f(p, s, worker, key, val, NULL);
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
-index 281a776..b416db4 100644
+index 8a0ad10..f92c185 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -352,6 +352,7 @@ PROXY_WORKER_HC_FAIL )
@@ -101,10 +101,10 @@ index 281a776..b416db4 100644
/* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names,
* dotted together(?) this would fit the below size (+ trailing NUL).
-@@ -442,6 +443,7 @@ typedef struct {
- int fcount; /* current count of failures */
+@@ -443,6 +444,7 @@ typedef struct {
hcmethod_t method; /* method to use for health check */
apr_interval_time_t interval;
+ char upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */
+ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
} proxy_worker_shared;
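Review bot: The `secret` member kept by this refresh is a plain `char` array in `proxy_worker_shared`, and its comment does not mark it as a credential. If the struct lives in shared memory and is walked by status or management code, as its name suggests but the hunk does not show, the AJP secret is exposed wherever the struct is. I would make the comment explicit, e.g. `/* authentication secret (e.g. AJP13); credential, do not log or display */`. The field now follows `upgrade` instead of `interval`, so its offset differs from the 2.4.25 build and modules compiled against the older patched header would need a rebuild. The struct definition begins outside the hunk.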
diff --git a/httpd-2.4.25-r1778319+.patch b/httpd-2.4.25-r1778319+.patch
deleted file mode 100644
index 3f0bee2..0000000
--- a/httpd-2.4.25-r1778319+.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-# ./pullrev.sh 1778319 1778331
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1410883
-
-http://svn.apache.org/viewvc?view=revision&revision=1778319
-http://svn.apache.org/viewvc?view=revision&revision=1778331
-
---- httpd-2.4.6/modules/core/mod_watchdog.c
-+++ httpd-2.4.6/modules/core/mod_watchdog.c
-@@ -436,19 +436,19 @@
- {
- apr_status_t rv;
- const char *pk = "watchdog_init_module_tag";
-- apr_pool_t *pproc = s->process->pool;
-+ apr_pool_t *ppconf = pconf;
- const apr_array_header_t *wl;
-
- if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
- /* First time config phase -- skip. */
- return OK;
-
-- apr_pool_userdata_get((void *)&wd_server_conf, pk, pproc);
-+ apr_pool_userdata_get((void *)&wd_server_conf, pk, ppconf);
- if (!wd_server_conf) {
-- if (!(wd_server_conf = apr_pcalloc(pproc, sizeof(wd_server_conf_t))))
-+ if (!(wd_server_conf = apr_pcalloc(ppconf, sizeof(wd_server_conf_t))))
- return APR_ENOMEM;
-- apr_pool_create(&wd_server_conf->pool, pproc);
-- apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, pproc);
-+ apr_pool_create(&wd_server_conf->pool, ppconf);
-+ apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, ppconf);
- }
- wd_server_conf->s = s;
- if ((wl = ap_list_provider_names(pconf, AP_WATCHDOG_PGROUP,
diff --git a/httpd-2.4.25-r1787141.patch b/httpd-2.4.25-r1787141.patch
deleted file mode 100644
index 012bc13..0000000
--- a/httpd-2.4.25-r1787141.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-diff --git a/modules/http2/h2_workers.c b/modules/http2/h2_workers.c
-index 1dcfb2f..cbaf1bc 100644
---- a/modules/http2/h2_workers.c
-+++ b/modules/http2/h2_workers.c
-@@ -235,6 +235,28 @@ static apr_status_t h2_workers_start(h2_workers *workers)
- return status;
- }
-
-+static apr_status_t workers_pool_cleanup(void *data)
-+{
-+ h2_workers *workers = data;
-+ h2_worker *w;
-+
-+ if (!workers->aborted) {
-+ workers->aborted = 1;
-+
-+ /* before we go, cleanup any zombies and abort the rest */
-+ cleanup_zombies(workers, 1);
-+ w = H2_WORKER_LIST_FIRST(&workers->workers);
-+ while (w != H2_WORKER_LIST_SENTINEL(&workers->workers)) {
-+ h2_worker_abort(w);
-+ w = H2_WORKER_NEXT(w);
-+ }
-+ apr_thread_mutex_lock(workers->lock);
-+ apr_thread_cond_broadcast(workers->mplx_added);
-+ apr_thread_mutex_unlock(workers->lock);
-+ }
-+ return APR_SUCCESS;
-+}
-+
- h2_workers *h2_workers_create(server_rec *s, apr_pool_t *server_pool,
- int min_workers, int max_workers,
- apr_size_t max_tx_handles)
-@@ -283,50 +305,20 @@ h2_workers *h2_workers_create(server_rec *s, apr_pool_t *server_pool,
- if (status == APR_SUCCESS) {
- status = apr_thread_cond_create(&workers->mplx_added, workers->pool);
- }
--
- if (status == APR_SUCCESS) {
- status = apr_thread_mutex_create(&workers->tx_lock,
- APR_THREAD_MUTEX_DEFAULT,
- workers->pool);
- }
--
- if (status == APR_SUCCESS) {
- status = h2_workers_start(workers);
- }
--
-- if (status != APR_SUCCESS) {
-- h2_workers_destroy(workers);
-- workers = NULL;
-+ if (status == APR_SUCCESS) {
-+ apr_pool_pre_cleanup_register(pool, workers, workers_pool_cleanup);
-+ return workers;
- }
- }
-- return workers;
--}
--
--void h2_workers_destroy(h2_workers *workers)
--{
-- /* before we go, cleanup any zombie workers that may have accumulated */
-- cleanup_zombies(workers, 1);
--
-- if (workers->mplx_added) {
-- apr_thread_cond_destroy(workers->mplx_added);
-- workers->mplx_added = NULL;
-- }
-- if (workers->lock) {
-- apr_thread_mutex_destroy(workers->lock);
-- workers->lock = NULL;
-- }
-- while (!H2_MPLX_LIST_EMPTY(&workers->mplxs)) {
-- h2_mplx *m = H2_MPLX_LIST_FIRST(&workers->mplxs);
-- H2_MPLX_REMOVE(m);
-- }
-- while (!H2_WORKER_LIST_EMPTY(&workers->workers)) {
-- h2_worker *w = H2_WORKER_LIST_FIRST(&workers->workers);
-- H2_WORKER_REMOVE(w);
-- }
-- if (workers->pool) {
-- apr_pool_destroy(workers->pool);
-- /* workers is gone */
-- }
-+ return NULL;
- }
-
- apr_status_t h2_workers_register(h2_workers *workers, struct h2_mplx *m)
-diff --git a/modules/http2/h2_workers.h b/modules/http2/h2_workers.h
-index ae7b4d8..b96cff3 100644
---- a/modules/http2/h2_workers.h
-+++ b/modules/http2/h2_workers.h
-@@ -67,10 +67,6 @@ h2_workers *h2_workers_create(server_rec *s, apr_pool_t *pool,
- int min_size, int max_size,
- apr_size_t max_tx_handles);
-
--/* Destroy the worker pool and all its threads.
-- */
--void h2_workers_destroy(h2_workers *workers);
--
- /**
- * Registers a h2_mplx for task scheduling. If this h2_mplx runs
- * out of tasks, it will be automatically be unregistered. Should
diff --git a/httpd.spec b/httpd.spec
index 3db2d21..5882045 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,8 +7,8 @@
Summary: Apache HTTP Server
Name: httpd
-Version: 2.4.25
-Release: 10%{?dist}
+Version: 2.4.26
+Release: 1%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -49,7 +49,6 @@ Patch2: httpd-2.4.9-apxs.patch
Patch3: httpd-2.4.1-deplibs.patch
Patch5: httpd-2.4.3-layout.patch
Patch6: httpd-2.4.3-apctl-systemd.patch
-Patch7: httpd-2.4.23-openssl11.patch
# Needed for socket activation and mod_systemd patch
Patch19: httpd-2.4.25-detect-systemd.patch
# Features/functional changes
@@ -66,11 +65,8 @@ Patch35: httpd-2.4.17-sslciphdefault.patch
# Bug fixes
Patch56: httpd-2.4.4-mod_unique_id.patch
Patch57: httpd-2.4.10-sigint.patch
-Patch58: httpd-2.4.25-r1778319+.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1434916
-Patch59: httpd-2.4.25-r1787141.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
-Patch60: httpd-2.4.25-r1738878.patch
+Patch58: httpd-2.4.25-r1738878.patch
# Security fixes
License: ASL 2.0
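Review bot: Patch59 is removed here along with its `# https://bugzilla.redhat.com/show_bug.cgi?id=1434916` reference, and the changelog entry added further down says only `new version 2.4.26`. Nothing in the spec then records why Patch7, the old Patch58 and Patch59 are gone, or that the bug fix is still covered. If they were dropped because the 2.4.26 tarball already contains those changes, which the diff suggests but does not show, the changelog should say so, e.g. `- drop openssl11, r1778319+ and r1787141 patches, included in 2.4.26`. The renumbering of r1738878 from Patch60 to Patch58 is consistent with the `%patch58` line in the later hunk.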
@@ -200,7 +196,6 @@ interface for storing and accessing per-user session data.
%patch3 -p1 -b .deplibs
%patch5 -p1 -b .layout
%patch6 -p1 -b .apctlsystemd
-%patch7 -p1 -b .openssl11
%patch19 -p1 -b .detectsystemd
@@ -217,9 +212,7 @@ interface for storing and accessing per-user session data.
%patch56 -p1 -b .uniqueid
%patch57 -p1 -b .sigint
-%patch58 -p1 -b .r1778319+
-%patch59 -p1 -b .r1787141
-%patch60 -p1 -b .r1738878
+%patch58 -p1 -b .r1738878
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -698,6 +691,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Mon Jun 19 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.26-1
+- new version 2.4.26
+
* Mon Jun 5 2017 Joe Orton <jorton@redhat.com> - 2.4.25-10
- move unit man pages to section 8, add as Documentation= in units
diff --git a/sources b/sources
index f90dcc6..4f174e0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (httpd-2.4.25.tar.bz2) = 6ba4ce1dcef71416cf1c0de2468c002767b5637a75744daf5beb0edd045749a751b3826c4132f594c48e4b33ca8e1b25ebfb63ac4c8b759ca066a89d3261fb22
+SHA512 (httpd-2.4.26.tar.bz2) = 4b32f01f17c912011f24bf3991430d474be13836af41b26c072e3c1eab2b45a3c52851eb00423e046c59fc16e1f501d64daaee3f2469b2745857ec1982966c9a