authorjorton <jorton@fedoraproject.org>2005-04-25 21:35:08 +0000
committerjorton <jorton@fedoraproject.org>2005-04-25 21:35:08 +0000
commit06872c83d1fba3932d001e91b81c47eaea5a31f5 (patch)
tree1f51bd18d051e8e0d071437b97655f695dd72122 /ssl.conf
parent98f24d7e8cc02232a26f9bef455e44b788eea4a5 (diff)
- create default dummy cert in /etc/pki/tlshttpd-2_0_54-5
- use a pseudo-random serial number on the dummy cert - change default ssl.conf to point at /etc/pki/tls - merge back -suexec subpackage; SELinux policy can now be used to persistently disable suexec (#155716) - drop /etc/httpd/conf/ssl.* directories and Makefiles - unconditionally enable PIE support - mod_ssl: fix for picking up -shutdown options (upstream #34452)
Diffstat (limited to 'ssl.conf')
-rw-r--r--ssl.conf33
1 files changed, 7 insertions, 26 deletions
diff --git a/ssl.conf b/ssl.conf
index 332dc44..f489c66 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -107,21 +107,16 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time. Keep in mind that if you've both a RSA and a DSA
-# certificate you can configure both in parallel (to also allow
-# the use of DSA ciphers, etc.)
-SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
-#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
-#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
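Review bot: The new default `SSLCertificateFile /etc/pki/tls/certs/localhost.crt` points at what the commit message calls a dummy certificate, but the comment above it never says so, so an administrator could leave a placeholder (presumably self-signed) certificate on a public host. I would add `# The default below is a packaged dummy certificate for localhost;` and `# replace it with a properly issued certificate before production use.` above the directive. The private-key comment still talks about configuring RSA and DSA keys in parallel, while the matching sentence and the DSA example were dropped on the certificate side, so the two comment blocks now disagree. A one-line reminder that the key under /etc/pki/tls/private should be readable by root only would also fit here.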
@@ -130,27 +125,13 @@ SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
-#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
-# Note: Inside SSLCACertificatePath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCACertificatePath /etc/httpd/conf/ssl.crt
-#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
-
-# Certificate Revocation Lists (CRL):
-# Set the CA revocation path where to find CA CRLs for client
-# authentication or alternatively one huge file containing all
-# of them (file must be PEM encoded)
-# Note: Inside SSLCARevocationPath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCARevocationPath /etc/httpd/conf/ssl.crl
-#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
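Review bot: The commented example `#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt` sits under the client-authentication heading, and the file name suggests a general-purpose CA bundle; if someone uncomments it and turns on client verification, a client certificate from any CA in that bundle would be accepted. I would add `# For client authentication, list only the CAs that issue your client` and `# certificates; a general-purpose CA bundle trusts far too many issuers.` above it. The hunk also removes the whole Certificate Revocation Lists section without a replacement, so the file no longer hints that revoked client certificates need a CRL; keeping a commented `#SSLCARevocationFile` example with a path under /etc/pki/tls would preserve that. The Client Authentication comment block continues past the end of this hunk.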
@@ -202,7 +183,7 @@ SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>