From: Ryan Steinmetz Date: Thu, 21 May 2015 02:13:08 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r386904 - in head/www/apache22: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2015 02:13:08 -0000 Author: zi Date: Thu May 21 02:13:07 2015 New Revision: 386904 URL: https://svnweb.freebsd.org/changeset/ports/386904 Log: - Generate new DH params during build to mitigate Logjam attack - Fix deprecated USE_AUTOTOOLS - Bump PORTREVISION With hat: ports-secteam Obtained from: Winni Neessen Added: head/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c (contents, props changed) Modified: head/www/apache22/Makefile Modified: head/www/apache22/Makefile ============================================================================== --- head/www/apache22/Makefile Thu May 21 00:58:26 2015 (r386903) +++ head/www/apache22/Makefile Thu May 21 02:13:07 2015 (r386904) @@ -2,7 +2,7 @@ PORTNAME= apache22 PORTVERSION= 2.2.29 -PORTREVISION?= 2 +PORTREVISION?= 3 CATEGORIES= www ipv6 MASTER_SITES= APACHE_HTTPD DISTNAME= httpd-${PORTVERSION} @@ -20,9 +20,9 @@ CONFLICTS_INSTALL= caudium14-1.* \ apache-*-2.4.* apache24-*-2.4.* USE_APACHE= common22 -USES= tar:bzip2 iconv perl5 libtool cpe +USES= tar:bzip2 iconv perl5 libtool cpe autoreconf USE_PERL5= run -USE_AUTOTOOLS= autoconf +GNU_CONFIGURE= yes USE_RC_SUBR= apache22 htcacheclean CPE_VENDOR= apache 
@@ -173,6 +173,12 @@ post-configure: @${REINPLACE_CMD} -e "s,%%WWWOWN%%,${WWWOWN}," -e "s,%%WWWGRP%%,${WWWGRP}," ${WRKSRC}/docs/conf/httpd.conf @${REINPLACE_CMD} -e "s,%%PREFIX%%,${PREFIX}," ${WRKSRC}/support/envvars-std +pre-build: +.if ${PORT_OPTIONS:MSSL} + @${ECHO_MSG} "===> Generating unique DH group to mitigate Logjam attack (this will take a while)" + (cd ${WRKSRC}/modules/ssl && ${SETENV} HOME=${WRKDIR} ${PERL} ssl_engine_dh.c) +.endif + post-install: @${MKDIR} ${ETC_SUBDIRS:S|^|${STAGEDIR}${ETCDIR}/|} ${INSTALL_DATA} ${FILESDIR}/no-accf.conf ${STAGEDIR}${ETCDIR}/Includes/ Added: head/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c Thu May 21 02:13:07 2015 (r386904) 
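Review bot: The "unique DH group" promised by the new pre-build message holds only for source builds: the parameters are generated once, at build time, and compiled into the binary, so every host that installs the same binary package (the normal pkg path) shares one group, which a Logjam-style precomputation could target just as it did the stock group, only at a higher cost for 3072 bits. That caveat belongs next to the step, e.g. `# NOTE: the DH group is fixed per build; binary packages share it, build from source for a per-host group`. The step also relies entirely on the embedded script's own error handling, and as far as I can see a failed openssl call inside it only shows up later as a compile error in ssl_engine_dh.c rather than at this target, so a failure message pointing at this step would save users a confusing build log. `pre-build:` is a new target here; if the rest of the Makefile (outside the hunk) already defines one, the two definitions will collide.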
@@ -0,0 +1,73 @@ +--- modules/ssl/ssl_engine_dh.c.orig 2006-07-12 03:38:44 UTC ++++ modules/ssl/ssl_engine_dh.c +@@ -102,12 +102,12 @@ DH *ssl_dh_GetTmpParam(int nKeyLen) + { + DH *dh; + +- if (nKeyLen == 512) +- dh = get_dh512(); +- else if (nKeyLen == 1024) +- dh = get_dh1024(); ++ if (nKeyLen == 2048) ++ dh = get_dh2048(); ++ else if (nKeyLen == 3072) ++ dh = get_dh3072(); + else +- dh = get_dh1024(); ++ dh = get_dh3072(); + return dh; + } + +@@ -151,7 +151,7 @@ print FP $source; + close(FP); + + # generate the DH parameters +-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n"; ++print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n"; + my $rand = ''; + foreach $file (qw(/var/log/messages /var/adm/messages + /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) { +@@ -161,15 +161,15 @@ foreach $file (qw(/var/log/messages /var + } + } + $rand = "-rand $rand" if ($rand ne ''); +-system("openssl gendh $rand -out dh512.pem 512"); +-system("openssl gendh $rand -out dh1024.pem 1024"); ++system("openssl gendh $rand -out dh2048.pem 2048"); ++system("openssl gendh $rand -out dh3072.pem 3072"); + + # generate DH param info + my $dhinfo = ''; +-open(FP, "openssl dh -noout -text -in dh512.pem |") || die; ++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die; + $dhinfo .= $_ while (); + close(FP); +-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; ++open(FP, "openssl dh -noout -text -in dh3072.pem |") || die; + $dhinfo .= $_ while (); + close(FP); + $dhinfo =~ s|^|** |mg; +@@ -177,10 +177,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n"; + + # generate C source from DH params + my $dhsource = ''; +-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die; ++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die; + $dhsource .= $_ while (); + close(FP); +-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die; ++open(FP, "openssl dh -noout -C -in dh3072.pem | indent | 
expand |") || die; + $dhsource .= $_ while (); + close(FP); + $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void) +@@ -203,8 +203,8 @@ print FP $source; + close(FP); + + # cleanup +-unlink("dh512.pem"); +-unlink("dh1024.pem"); ++unlink("dh2048.pem"); ++unlink("dh3072.pem"); + + =pod + */
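Review bot: The rewritten dispatch in ssl_dh_GetTmpParam keeps a 2048-bit branch that, as far as I can tell, nothing reaches: Apache 2.2's temporary-key setup (ssl_engine_init.c, outside this patch) asks for 512- and 1024-bit groups, both of which now fall through to the `else` and get the 3072-bit group, so the `else if (nKeyLen == 3072)` arm is redundant with the `else` and the 2048-bit parameters are generated but never handed out. If the intent is that every handshake uses 3072 bits, `return (nKeyLen == 2048) ? get_dh2048() : get_dh3072();` with a comment saying so would make that explicit. Note too that some older clients (Java 7 JSSE, for instance) abort the handshake on DH primes longer than 1024 bits, which deserves a mention in the port's pkg-message or UPDATING. In the generator script the `system("openssl gendh ...")` calls are still unchecked, and the following `open(FP, "openssl dh ... |") || die` only dies if the pipe cannot be opened, not if openssl rejects the .pem, so a missing or failing `gendh` (a legacy subcommand; `dhparam` is the current one) surfaces only as a later compile error. `system(...) == 0 or die "openssl gendh failed: $?";` on both lines would fail fast at the point of the problem.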