From 6ebb5a2203de9f5cf7c3d9f9a1e7bf026cfa8dc2 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 10 Oct 2017 13:31:46 +0200
Subject: Backport patch for fixing ticket key usage
Signed-off-by: Patrick Uiterwijk
---
httpd-2.4.27-fixticketkeys.patch | 65 ++++++++++++++++++++++++++++++++++++++++
httpd.spec | 10 ++++++-
2 files changed, 74 insertions(+), 1 deletion(-)
create mode 100644 httpd-2.4.27-fixticketkeys.patch
diff --git a/httpd-2.4.27-fixticketkeys.patch b/httpd-2.4.27-fixticketkeys.patch
new file mode 100644
index 0000000..3769da9
--- /dev/null
+++ b/httpd-2.4.27-fixticketkeys.patch
@@ -0,0 +1,65 @@
+From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Tue, 22 Mar 2016 13:09:17 +0000
+Subject: [PATCH] mod_ssl: return non ambigous value in
+ ssl_callback_SessionTicket() for encryption mode (we used to return 0,
+ OpenSSL documents returning 1 instead).
+
+Practically this does not change anything since OpenSSL will only check for
+>= 0 return value (non error) for encryption mode (the other possible return
+values are only relevant for decryption mode).
+
+However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
+states:
+"
+The return value of the cb function is used by OpenSSL to determine what
+further processing will occur. The following return values have meaning:
+
+2
+ This indicates that the ctx and hctx have been set and the session can
+ continue on those parameters. Additionally it indicates that the session
+ ticket is in a renewal period and should be replaced. The OpenSSL library
+ will call cb again with an enc argument of 1 to set the new ticket (see
+ RFC5077 3.3 paragraph 2).
+
+1
+ This indicates that the ctx and hctx have been set and the session can
+ continue on those parameters.
+
+0
+ This indicates that it was not possible to set/retrieve a session ticket
+ and the SSL/TLS session will continue by by negotiating a set of
+ cryptographic parameters or using the alternate SSL/TLS resumption
+ mechanism, session ids.
+ If called with enc equal to 0 the library will call the cb again to get a
+ new set of parameters.
+
+less than 0
+ This indicates an error.
+"
+
+So 0 is not appropriate in our code, 1 is what we really want (and it won't
+break if OpenSSL later changes its checks on the callback return value).
+
+Reported by: oknet on github, pull request #18.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_kernel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 91da94c4f58..91d5e926d66 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
+ "TLS session ticket key for %s successfully set, "
+ "creating new session ticket", sc->vhost_id);
+
+- return 0;
++ return 1;
+ }
+ else if (mode == 0) {
+ /*
diff --git a/httpd.spec b/httpd.spec
index d780615..3c25596 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@ Summary: Apache HTTP Server
Name: httpd
Version: 2.4.28
-Release: 1%{?dist}
+Release: 2%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -76,6 +76,9 @@ Patch58: httpd-2.4.25-r1738878.patch
Patch60: httpd-2.4.27-r1808230.patch
# Security fixes
+# https://github.com/apache/httpd/commit/4171fbfcb249e63f934471054d7a0752272fb8ee
+Patch61: httpd-2.4.27-fixticketkeys.patch
+
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -221,6 +224,8 @@ interface for storing and accessing per-user session data.
%patch58 -p1 -b .r1738878
%patch60 -p1 -b .r1808230
+%patch61 -p1 -b .ticketkeys
+
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -687,6 +692,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Tue Oct 10 2017 Patrick Uiterwijk - 2.4.28-2
+- Backport patch for fixing ticket key usage
+
* Fri Oct 06 2017 Luboš Uhliarik - 2.4.28-1
- new version 2.4.28
-- cgit
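Review bot: The backported hunk changes `return 0;` to `return 1;` only in the encrypt-mode branch of `ssl_callback_SessionTicket()`; the decrypt branch (`else if (mode == 0)`) starts on the hunk's last line and lies outside it, so it is worth confirming on the 2.4.28 tree that the successful-decrypt path also returns 1 rather than 0, since by the OpenSSL text quoted in the patch a 0 there makes the library drop the ticket and fall back to session-ID resumption. The embedded upstream message says the change is practically a no-op for the OpenSSL it was written against (only `>= 0` is checked), so the reason this is worth a release bump is presumably that a newer OpenSSL treats 0 from the encrypt callback as "no ticket issued"; that motivation is not recorded anywhere in the spec comment or changelog and a one-line note would help the next maintainer decide whether the patch can be dropped on rebase. The hunk header `@@ -2303,7 +2303,7 @@` is trunk's 2016 line numbering, so on 2.4.28 the patch will apply with an offset; `-p1` tolerates that, but the build log should be checked for fuzz so the one-line change lands in the right branch. The enclosing function begins and continues outside the hunk.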
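Review bot: In `@@ -76,6 +76,9 @@` Patch61 is declared directly under the `# Security fixes` marker, but the patch it names is a behavioural fix to a callback return value whose own commit message says it changes nothing in practice for the OpenSSL it was written against, so listing it there misclassifies it for anyone auditing the spec for CVE backports. I'd place the two added lines above the `# Security fixes` comment and give them a purpose comment alongside the URL, e.g. `# mod_ssl: return 1 (not 0) from the session ticket key callback in encrypt mode (upstream r1736186)`. The same hunk and the `%patch61 -p1 -b .ticketkeys` line in `@@ -221,6 +224,8 @@` also depart from the file's naming convention: neighbouring backports are named and backed up by upstream revision (`httpd-2.4.25-r1738878.patch`, `-b .r1738878`), and the embedded git-svn-id gives this one's revision as 1736186, so `httpd-2.4.27-r1736186.patch` with `-b .r1736186` would match.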