Date:      Tue, 31 Jan 2012 19:15:43 -0800
From:      Jason Helfman <jgh@FreeBSD.org>
To:        "Philip M. Gollucci" <pgollucci@taximagic.com>
Cc:        FreeBSD-gnats-submit@freebsd.org, apache@freebsd.org
Subject:   Re: www/apache22: update to 2.2.22 (addresses multiple CVE reports)
Message-ID:  <CAMuy=%2Bgy9Z7Ec=-6xQ5roqa9mAELahDRv1mG1ph2bfhy47CRtA@mail.gmail.com>
In-Reply-To: <4F28A12D.2080504@p6m7g8.com>
References:  <201202010011.q110Btm0002906@freefall.freebsd.org> <4F28A12D.2080504@p6m7g8.com>

On Tue, Jan 31, 2012 at 6:19 PM, Philip M. Gollucci <pgollucci@taximagic.com> wrote:

> Do not change this file.  You're reverting a local change we've pulled
> from trunk svn for security.
>
> Please commit the rest of the patch with my review / hat.
>
>
>
>  ===================================================================
>> RCS file: /home/pcvs/ports/www/apache22/**files/patch-docs__conf__extra_*
>> *_httpd-ssl.conf.in <http://patch-docs__conf__extra__httpd-ssl.conf.in>,v
>> retrieving revision 1.3
>> diff -u -r1.3 patch-docs__conf__extra__**httpd-ssl.conf.in<http://patch-docs__conf__extra__httpd-ssl.conf.in>;
>> --- files/patch-docs__conf__extra_**_httpd-ssl.conf.in<http://patch-docs__conf__extra__httpd-ssl.conf.in>;   23 Jan 2012 23:24:38 -0000      1.3
>> +++ files/patch-docs__conf__extra_**_httpd-ssl.conf.in<http://patch-docs__conf__extra__httpd-ssl.conf.in>;   1 Feb 2012 00:05:53 -0000
>> @@ -1,58 +1,22 @@
>> ---- ./docs/conf/extra/httpd-ssl.**conf.in.orig   2008-02-04
>> 23:00:07.000000000 +0000
>> -+++ ./docs/conf/extra/httpd-ssl.**conf.in <http://httpd-ssl.conf.in>;
>>      2012-01-23 23:20:06.446390870 +0000
>> -@@ -77,17 +77,35 @@
>> +--- ./docs/conf/extra/httpd-ssl.**conf.in.orig   2012-01-31 15:16:43.000000000
>> -0800
>> ++++ ./docs/conf/extra/httpd-ssl.**conf.in <http://httpd-ssl.conf.in>;
>>      2012-01-31 15:17:47.000000000 -0800
>> +@@ -77,8 +77,8 @@
>>   DocumentRoot "@exp_htdocsdir@"
>>   ServerName www.example.com:@@SSLPort@@
>>   ServerAdmin you@example.com
>>  -ErrorLog "@exp_logfiledir@/error_log"
>>  -TransferLog "@exp_logfiledir@/access_log"
>> -+ErrorLog "@exp_logfiledir@/httpd-error.**log"
>> -+TransferLog "@exp_logfiledir@/httpd-**access.log"
>> ++ErrorLog "@exp_logfiledir@/httpd-error_**log"
>> ++TransferLog "@exp_logfiledir@/httpd-**access_log"
>>
>>   #   SSL Engine Switch:
>>   #   Enable/Disable SSL for this virtual host.
>> - SSLEngine on
>> -
>> -+#   SSL Protocol support:
>> -+#   List the protocol versions which clients are allowed to
>> -+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
>> -+SSLProtocol all -SSLv2
>> -+
>> - #   SSL Cipher Suite:
>> - #   List the ciphers that the client is permitted to negotiate.
>> - #   See the mod_ssl documentation for a complete list.
>> --SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+**
>> HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:**+eNULL
>> -+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>> -+
>> -+#   Speed-optimized SSL Cipher configuration:
>> -+#   If speed is your main concern (on busy HTTPS servers e.g.),
>> -+#   you might want to force clients to specific, performance
>> -+#   optimized ciphers. In this case, prepend those ciphers
>> -+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
>> -+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
>> -+#   (as in the example below), most connections will no longer
>> -+#   have perfect forward secrecy - if the server's key is
>> -+#   compromised, captures of past or future traffic must be
>> -+#   considered compromised, too.
>> -+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:**MEDIUM:!aNULL:!MD5
>> -+#SSLHonorCipherOrder on
>> -
>> - #   Server Certificate:
>> - #   Point SSLCertificateFile at a PEM encoded certificate.  If
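Review bot: the regenerated hunk (`+@@ -77,8 +77,8 @@`) keeps only the ErrorLog/TransferLog rename and drops the `SSLProtocol all -SSLv2` and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` lines that the previous revision of this patch added in place of the stock `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL`. That is only safe if the 2.2.22 tarball's docs/conf/extra/httpd-ssl.conf.in already carries those two directives; otherwise the shipped config reverts to accepting SSLv2 handshakes and export-grade, LOW and null-encryption (eNULL) suites. Before committing, grep the extracted source for `SSLProtocol` and the new `SSLCipherSuite` value, and record in the commit log that the local hunk was dropped because upstream now contains it (or keep the hunk if it does not).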
>> -@@ -218,14 +236,14 @@
>> - #   Similarly, one has to force some clients to use HTTP/1.0 to
>> workaround
>> - #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0"
>> and
>> - #   "force-response-1.0" for this.
>> --BrowserMatch ".*MSIE.*" \
>> -+BrowserMatch "MSIE [2-5]" \
>> -          nokeepalive ssl-unclean-shutdown \
>> -          downgrade-1.0 force-response-1.0
>> -
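Review bot: removing the `-@@ -218,14 +236,14 @@` hunk reverts `BrowserMatch "MSIE [2-5]"` back to `BrowserMatch ".*MSIE.*"`, so every MSIE user agent, not just IE 2 through 5, again gets nokeepalive, ssl-unclean-shutdown, downgrade-1.0 and force-response-1.0 applied. Confirm the narrowed regex is present in the 2.2.22 source before dropping it from the port patch; if it is not, keep this hunk, since the blanket match needlessly disables keepalive and HTTP/1.1 for current browsers on the SSL vhost.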
>> +@@ -243,7 +243,7 @@
>>   #   Per-Server Logging:
>>   #   The home of a custom SSL log file. Use this when you want a
>>   #   compact non-error SSL logfile on a virtual host basis.
>>  -CustomLog "@exp_logfiledir@/ssl_request_**log" \
>> -+CustomLog "@exp_logfiledir@/httpd-ssl_**request.log" \
>> ++CustomLog "@exp_logfiledir@/httpd-ssl_**request_log" \
>>             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>
>>   </VirtualHost>
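Review bot: the new CustomLog line renames the SSL request log from `httpd-ssl_request.log` to `httpd-ssl_request_log`, matching the `httpd-error_log`/`httpd-access_log` names in the first hunk but not the dot-suffixed `.log` names the previous revision of this patch used. Log rotation and monitoring configured against the old paths under @exp_logfiledir@ will silently stop seeing these files; either keep the existing `.log` convention or call the rename out explicitly (commit log, pkg-message) and check any newsyslog.conf entries that reference them.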
>> _______________________________________________
>> freebsd-apache@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-apache
>> To unsubscribe, send any mail to "freebsd-apache-unsubscribe@freebsd.org"
>>
>>
>
> --
> ------------------------------------------------------------------------
> 1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
> Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
> Member,                           Apache Software Foundation
> Committer,                        FreeBSD Foundation
> Consultant,                       P6M7G8 Inc.
> Director Operations,              Ridecharge Inc.
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>
>
I will be glad to do that; however, it didn't patch cleanly. The additions
were in the downloaded source, unless I am mistaken.
Can you please verify?
-jgh


