From owner-freebsd-apache@FreeBSD.ORG Wed Feb 1 02:47:01 2012
Delivered-To: apache@freebsd.org
Message-ID: <4F28A12D.2080504@p6m7g8.com>
Date: Tue, 31 Jan 2012 21:19:25 -0500
From: "Philip M. Gollucci"
Organization: P6M7G8 Inc.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Jason Helfman
References: <201202010011.q110Btm0002906@freefall.freebsd.org>
In-Reply-To: <201202010011.q110Btm0002906@freefall.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject: Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
X-BeenThere: freebsd-apache@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Support of apache-related ports
X-List-Received-Date: Wed, 01 Feb 2012 02:47:01 -0000

Do not change this file. You're reverting a local change we've pulled from trunk svn for security. Please commit the rest of the patch with my review / hat.

> ===================================================================
> RCS file: /home/pcvs/ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in,v
> retrieving revision 1.3
> diff -u -r1.3 patch-docs__conf__extra__httpd-ssl.conf.in
> --- files/patch-docs__conf__extra__httpd-ssl.conf.in 23 Jan 2012 23:24:38 -0000 1.3
> +++ files/patch-docs__conf__extra__httpd-ssl.conf.in 1 Feb 2012 00:05:53 -0000
> @@ -1,58 +1,22 @@ > ---- ./docs/conf/extra/httpd-ssl.conf.in.orig 2008-02-04 23:00:07.000000000 +0000 > -+++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-23 23:20:06.446390870 +0000 > -@@ -77,17 +77,35 @@ > +--- ./docs/conf/extra/httpd-ssl.conf.in.orig 2012-01-31 15:16:43.000000000 -0800 > ++++ ./docs/conf/extra/httpd-ssl.conf.in 2012-01-31 15:17:47.000000000 -0800 > +@@ -77,8 +77,8 @@ > DocumentRoot "@exp_htdocsdir@" > ServerName www.example.com:@@SSLPort@@ > ServerAdmin you@example.com > -ErrorLog "@exp_logfiledir@/error_log" > -TransferLog "@exp_logfiledir@/access_log" > -+ErrorLog "@exp_logfiledir@/httpd-error.log" > -+TransferLog "@exp_logfiledir@/httpd-access.log" > ++ErrorLog "@exp_logfiledir@/httpd-error_log" > ++TransferLog "@exp_logfiledir@/httpd-access_log" > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > - SSLEngine on > - > -+# SSL Protocol support: > -+# List the protocol versions which clients are allowed to > -+# connect with. Disable SSLv2 by default (cf. RFC 6176). > -+SSLProtocol all -SSLv2 > -+ > - # SSL Cipher Suite: > - # List the ciphers that the client is permitted to negotiate. > - # See the mod_ssl documentation for a complete list. > --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 > -+ > -+# Speed-optimized SSL Cipher configuration: > -+# If speed is your main concern (on busy HTTPS servers e.g.), > -+# you might want to force clients to specific, performance > -+# optimized ciphers. In this case, prepend those ciphers > -+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. > -+# Caveat: by giving precedence to RC4-SHA and AES128-SHA > -+# (as in the example below), most connections will no longer > -+# have perfect forward secrecy - if the server's key is > -+# compromised, captures of past or future traffic must be > -+# considered compromised, too. 
> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 > -+#SSLHonorCipherOrder on > - > - # Server Certificate: > - # Point SSLCertificateFile at a PEM encoded certificate. If > -@@ -218,14 +236,14 @@ > - # Similarly, one has to force some clients to use HTTP/1.0 to workaround > - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and > - # "force-response-1.0" for this. > --BrowserMatch ".*MSIE.*" \ > -+BrowserMatch "MSIE [2-5]" \ > - nokeepalive ssl-unclean-shutdown \ > - downgrade-1.0 force-response-1.0 > - > +@@ -243,7 +243,7 @@ > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > -CustomLog "@exp_logfiledir@/ssl_request_log" \ > -+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \ > ++CustomLog "@exp_logfiledir@/httpd-ssl_request_log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Director Operations, Ridecharge Inc.
Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
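Review bot: the `@@ -1,58 +1,22 @@` hunk removes the three hardening pieces the ports patch currently carries (the `SSLProtocol all -SSLv2` block, the `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` replacement for the upstream `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` default, and the narrowed `BrowserMatch "MSIE [2-5]"`) while keeping only the log-file renames; unless the 2.2.22 `httpd-ssl.conf.in` already contains those settings, the installed sample config falls back to a default that still permits SSLv2, export-grade and eNULL ciphers. Diff the new upstream file against the 2.2.22 distfile before dropping those lines, and since the `.log` to `_log` rename of `httpd-error`, `httpd-access` and `httpd-ssl_request` is unrelated to the security change, carry it as a separate edit so the two can be reviewed independently.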