| field | value | |
|---|---|---|
| author | jlam <jlam> | 2000-09-12 14:05:16 +0000 |
| committer | jlam <jlam> | 2000-09-12 14:05:16 +0000 |
| commit | 0a3caac7a470437ca31ba1fb74350bc2d6dc5a52 (patch) | |
| tree | 4ad8fc65a0eb63de789f33e27b16ac5514d3aea3 /www/ap-ssl/patches | |
| parent | 186587cbbe3cd8ea03d5df895fd244380fd7e1b6 (diff) | |
| download | pkgsrc-0a3caac7a470437ca31ba1fb74350bc2d6dc5a52.tar.gz | |
Update ap-ssl to 2.6.6. Important fixes for memory leaks and segfaults.
Also make me the maintainer. Relevant changes from version 2.6.3:
-) Install ${sbindir}/mkcert.sh to ease generation of SSL certificates.
*) Fixed server restarts: Under non-DSO run-time situation, the
OpenSSL library was shutdown (and never re-initialized) and this
way caused segfaults on server restarts. This affected only
installations where mod_ssl+OpenSSL were built as a static module
instead of a DSO. This nasty bug was unfortunately introduced in
2.6.5 as a side-effect of an (otherwise correct) memory leak bugfix.
*) Various typo fixes in user manual.
*) Removed more memory leaks by freeing even more stuff
from the OpenSSL toolkit on module shutdown.
*) Added missing TLSv1, EXP40 and EXP56 keywords to
ssl_reference's documentation of SSLCipherSuite.
*) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.)
to the FAQ entry about MSIE errors.
*) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid
MSIE5.x problems in advance.
*) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments
which is especially important for the Win32 environment.
*) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all"
*) Removed a left-over ssl_scache_expire() call in ssl_scache_init()
which made the life of vendors complicated.
*) Allow more fine-tuned overriding of ap_server_root_relative calls
by providing the context of the call.
*) Added Equifax Secure CA certificates to ca-bundle.crt.
*) Let the pass phrase dialog force the prompt to occur only once
(no verification step), because mod_ssl uses the dialog only for
pass phrases which are required for reading private keys. This as a
side-effect should fix a problem under Win32 where a second prompt
occurred for unknown reasons.
*) Added more compatibility to Stronghold v2's SSL_SessionCache.
*) Added two more EAPI hooks under SSL_VENDOR: one for overriding
ap_server_root_relative calls and one for hooking into the server
configuration step.
*) Fixed SSL display for mod_status in `short report' situation.
*) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL.
Diffstat (limited to 'www/ap-ssl/patches')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | www/ap-ssl/patches/patch-aa | 4 |
| -rw-r--r-- | www/ap-ssl/patches/patch-ab | 450 |

2 files changed, 452 insertions, 2 deletions
diff --git a/www/ap-ssl/patches/patch-aa b/www/ap-ssl/patches/patch-aa index c4c3c375cf4..6c209cbcfe4 100644 --- a/www/ap-ssl/patches/patch-aa +++ b/www/ap-ssl/patches/patch-aa @@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.4 2000/06/02 23:34:31 jdolecek Exp $ +$NetBSD: patch-aa,v 1.5 2000/09/12 14:05:16 jlam Exp $ --- pkg.sslmod/libssl.module.orig Sat Jun 3 01:26:46 2000 +++ pkg.sslmod/libssl.module Sat Jun 3 01:26:58 2000 -@@ -418,7 +418,7 @@ ConfigStart +@@ -418,7 +418,7 @@ exit 1 fi fi diff --git a/www/ap-ssl/patches/patch-ab b/www/ap-ssl/patches/patch-ab new file mode 100644 index 00000000000..04811d675d2 --- /dev/null +++ b/www/ap-ssl/patches/patch-ab 
@@ -0,0 +1,450 @@ +$NetBSD: patch-ab,v 1.1 2000/09/12 14:05:16 jlam Exp $ + +--- pkg.sslsup/mkcert.sh.in.orig Sun Apr 16 05:21:24 2000 ++++ pkg.sslsup/mkcert.sh.in +@@ -5,35 +5,53 @@ + ## + + # parameters +-make="$1" +-mflags="$2" +-openssl="$3" +-support="$4" +-type="$5" +-algo="$6" +-crt="$7" +-key="$8" +-view="$9" +- +-# we can operate only inside the Apache 1.3 source +-# tree and only when mod_ssl+OpenSSL is actually configured. +-if [ ! -f "../README.configure" ]; then +- echo "mkcert.sh:Error: Cannot operate outside the Apache 1.3 source tree." 1>&2 +- echo "mkcert.sh:Hint: You have to stay inside apache_1.3.x/src." 1>&2 +- exit 1 +-fi +-if [ ".$openssl" = . ]; then +- echo "mkcert.sh:Error: mod_ssl/OpenSSL has to be configured before using this utility." 1>&2 +- echo "mkcert.sh:Hint: Configure mod_ssl with --enable-module=ssl in APACI, first." 1>&2 +- exit 1 ++parameters=`getopt a:c:t:k:v $*` ++if [ $# = 0 ]; then ++ cat << EOF ++Usage: ++ mkcert.sh [-t type] [-a algo] [-c crtfile ] [-k keyfile] [-v] ++ ++Options: ++ -t type Type of certificates to generate. Valid types are: ++ dummy self-signed Snake Oil cert ++ test test cert signed by Snake Oil CA ++ custom custom cert signed by own CA ++ existing existing cert ++ ++ -a algo Signature algorithm for generated certificate. Valid ++ algorithms are RSA or DSA. ++ ++ -c crtfile Path to an existing certificate ++ ++ -k keyfile Path to an existing key file ++ ++ -v Display the certificate and key, then exit. ++ ++EOF ++ exit 2 + fi + ++set -- $parameters ++for param; do ++ case $param in ++ -a) algo=$2 ;; ++ -c) crt=$2 ;; ++ -t) type=$2 ;; ++ -k) key=$2 ;; ++ -v) view=1 ;; ++ --) break ;; ++ esac ++ shift ++done ++ ++openssl="openssl" ++confdir=@PREFIX@/etc/httpd ++ + # configuration +-# WE ARE CALLED FROM THE PARENT DIR! 
+-sslcrtdir="../conf/ssl.crt" +-sslcsrdir="../conf/ssl.csr" +-sslkeydir="../conf/ssl.key" +-sslprmdir="../conf/ssl.prm" ++sslcrtdir="$confdir/ssl.crt" ++sslcsrdir="$confdir/ssl.csr" ++sslkeydir="$confdir/ssl.key" ++sslprmdir="$confdir/ssl.prm" + + # some optional terminal sequences + case $TERM in +@@ -93,11 +111,11 @@ + fi + + # find some random files +-# (do not use /dev/random here, because this device +-# doesn't work as expected on all platforms) +-randfiles='' ++# We will always generate a /tmp/randfile using /dev/urandom ++# before passing $randfile to openssl. ++randfiles='/tmp/randfile' + for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \ +- /kernel /kernel/genunix /vmunix /vmlinuz /mach \ ++ /kernel /kernel/genunix /vmunix /vmlinuz /mach /netbsd \ + /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do + if [ -r $file ]; then + if [ ".$randfiles" = . ]; then +@@ -112,7 +130,7 @@ + if [ -f $HOME/.rnd ]; then + RANDFILE="$HOME/.rnd" + else +- RANDFILE=".mkcert.rnd" ++ RANDFILE="/tmp/.mkcert.rnd" + (ps; date) >$RANDFILE + fi + export RANDFILE +@@ -156,12 +174,12 @@ + fi + echo "${T_MD}RESULT: Server Certification Files${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" + echo " The PEM-encoded $algo private key file which you configure" + echo " with the 'SSLCertificateKeyFile' directive (automatically done" + echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" + echo " The PEM-encoded X.509 certificate file which you configure" + echo " with the 'SSLCertificateFile' directive (automatically done" + echo " when you install via APACI)." 
+@@ -211,6 +229,7 @@ + echo "______________________________________________________________________" + echo "" + echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}" ++ (umask 077; head -500 /dev/urandom > randfile) + if [ ".$algo" = .RSA ]; then + if [ ".$randfiles" != . ]; then + $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 +@@ -238,10 +257,11 @@ + exit 1 + fi + fi ++ rm -f randfile + echo "______________________________________________________________________" + echo "" + echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}" +- cat >.mkcert.cfg <<EOT ++ cat >/tmp/.mkcert.cfg <<EOT + [ req ] + default_bits = 1024 + distinguished_name = req_DN +@@ -265,7 +285,7 @@ + emailAddress_max = 40 + emailAddress_default = www@snakeoil.dom + EOT +- $openssl req -config .mkcert.cfg \ ++ $openssl req -config /tmp/.mkcert.cfg \ + -new \ + -key $sslkeydir/server.key \ + -out $sslcsrdir/server.csr +@@ -273,7 +293,7 @@ + echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2 + exit 1 + fi +- rm -f .mkcert.cfg ++ rm -f /tmp/.mkcert.cfg + prompt="8. Certificate Validity (days) [365]:" + echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" + read days +@@ -287,8 +307,8 @@ + read certversion + extfile="" + if [ ".$certversion" = .3 -o ".$certversion" = . ]; then +- extfile="-extfile .mkcert.cfg" +- cat >.mkcert.cfg <<EOT ++ extfile="-extfile /tmp/.mkcert.cfg" ++ cat >/tmp/.mkcert.cfg <<EOT + extensions = x509v3 + [ x509v3 ] + subjectAltName = email:copy +@@ -296,13 +316,13 @@ + nsCertType = server + EOT + fi +- if [ ! -f .mkcert.serial ]; then +- echo '01' >.mkcert.serial ++ if [ ! 
-f /tmp/.mkcert.serial ]; then ++ echo '01' >/tmp/.mkcert.serial + fi + if [ ".$algo" = .RSA ]; then + $openssl x509 $extfile \ + -days $days \ +- -CAserial .mkcert.serial \ ++ -CAserial /tmp/.mkcert.serial \ + -CA $sslcrtdir/snakeoil-ca-rsa.crt \ + -CAkey $sslkeydir/snakeoil-ca-rsa.key \ + -in $sslcsrdir/server.csr -req \ +@@ -310,7 +330,7 @@ + else + $openssl x509 $extfile \ + -days $days \ +- -CAserial .mkcert.serial \ ++ -CAserial /tmp/.mkcert.serial \ + -CA $sslcrtdir/snakeoil-ca-dsa.crt \ + -CAkey $sslkeydir/snakeoil-ca-dsa.key \ + -in $sslcsrdir/server.csr -req \ +@@ -320,7 +340,7 @@ + echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2 + exit 1 + fi +- rm -f .mkcert.cfg ++ rm -f /tmp/.mkcert.cfg + echo "Verify: matching certificate & key modulus" + modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'` + if [ ".$algo" = .RSA ]; then +@@ -387,22 +407,22 @@ + echo "" + echo "${T_MD}RESULT: Server Certification Files${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" + echo " The PEM-encoded $algo private key file which you configure" + echo " with the 'SSLCertificateKeyFile' directive (automatically done" + echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" + echo " The PEM-encoded X.509 certificate file which you configure" + echo " with the 'SSLCertificateFile' directive (automatically done" + echo " when you install via APACI)." 
+ echo "" +- echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}" + echo " The PEM-encoded X.509 certificate signing request file which" + echo " you can send to an official Certificate Authority (CA) in order" + echo " to request a real server certificate (signed by this CA instead" + echo " of our demonstration-only Snake Oil CA) which later can replace" +- echo " the conf/ssl.crt/server.crt file." ++ echo " the $confdir/ssl.crt/server.crt file." + echo "" + echo "WARNING: Do not use this for real-life/production systems" + echo "" +@@ -448,6 +468,7 @@ + echo "______________________________________________________________________" + echo "" + echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}" ++ (umask 077; head -500 /dev/urandom > randfile) + if [ ".$algo" = .RSA ]; then + if [ ".$randfiles" != . ]; then + $openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024 +@@ -475,10 +496,11 @@ + exit 1 + fi + fi ++ rm -f randfile + echo "______________________________________________________________________" + echo "" + echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}" +- cat >.mkcert.cfg <<EOT ++ cat >/tmp/.mkcert.cfg <<EOT + [ req ] + default_bits = 1024 + distinguished_name = req_DN +@@ -502,7 +524,7 @@ + emailAddress_max = 40 + emailAddress_default = ca@snakeoil.dom + EOT +- $openssl req -config .mkcert.cfg \ ++ $openssl req -config /tmp/.mkcert.cfg \ + -new \ + -key $sslkeydir/ca.key \ + -out $sslcsrdir/ca.csr +@@ -510,7 +532,7 @@ + echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2 + exit 1 + fi +- rm -f .mkcert.cfg ++ rm -f /tmp/.mkcert.cfg + prompt="8. Certificate Validity (days) [365]:" + echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" + read days +@@ -524,8 +546,8 @@ + read certversion + extfile="" + if [ ".$certversion" = .3 -o ".$certversion" = . 
]; then +- extfile="-extfile .mkcert.cfg" +- cat >.mkcert.cfg <<EOT ++ extfile="-extfile /tmp/.mkcert.cfg" ++ cat >/tmp/.mkcert.cfg <<EOT + extensions = x509v3 + [ x509v3 ] + subjectAltName = email:copy +@@ -543,7 +565,7 @@ + echo "mkcert.sh:Error: Failed to generate self-signed CA certificate" 1>&2 + exit 1 + fi +- rm -f .mkcert.cfg ++ rm -f /tmp/.mkcert.cfg + echo "Verify: matching certificate & key modulus" + modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'` + if [ ".$algo" = .RSA ]; then +@@ -564,6 +586,7 @@ + echo "______________________________________________________________________" + echo "" + echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}" ++ (umask 077; head -500 /dev/urandom > randfile) + if [ ".$algo" = .RSA ]; then + if [ ".$randfiles" != . ]; then + $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 +@@ -588,10 +611,11 @@ + exit 1 + fi + fi ++ rm -f randfile + echo "______________________________________________________________________" + echo "" + echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}" +- cat >.mkcert.cfg <<EOT ++ cat >/tmp/.mkcert.cfg <<EOT + [ req ] + default_bits = 1024 + distinguished_name = req_DN +@@ -615,7 +639,7 @@ + emailAddress_max = 40 + emailAddress_default = www@snakeoil.dom + EOT +- $openssl req -config .mkcert.cfg \ ++ $openssl req -config /tmp/.mkcert.cfg \ + -new \ + -key $sslkeydir/server.key \ + -out $sslcsrdir/server.csr +@@ -623,7 +647,7 @@ + echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2 + exit 1 + fi +- rm -f .mkcert.cfg ++ rm -f /tmp/.mkcert.cfg + prompt="8. Certificate Validity (days) [365]:" + echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" + read days +@@ -637,8 +661,8 @@ + read certversion + extfile="" + if [ ".$certversion" = .3 -o ".$certversion" = . 
]; then +- extfile="-extfile .mkcert.cfg" +- cat >.mkcert.cfg <<EOT ++ extfile="-extfile /tmp/.mkcert.cfg" ++ cat >/tmp/.mkcert.cfg <<EOT + extensions = x509v3 + [ x509v3 ] + subjectAltName = email:copy +@@ -646,12 +670,12 @@ + nsCertType = server + EOT + fi +- if [ ! -f .mkcert.serial ]; then +- echo '01' >.mkcert.serial ++ if [ ! -f /tmp/.mkcert.serial ]; then ++ echo '01' >/tmp/.mkcert.serial + fi + $openssl x509 $extfile \ + -days $days \ +- -CAserial .mkcert.serial \ ++ -CAserial /tmp/.mkcert.serial \ + -CA $sslcrtdir/ca.crt \ + -CAkey $sslkeydir/ca.key \ + -in $sslcsrdir/server.csr -req \ +@@ -660,7 +684,7 @@ + echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2 + exit 1 + fi +- rm -f .mkcert.cfg ++ rm -f /tmp/.mkcert.cfg + echo "Verify: matching certificate & key modulus" + modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'` + if [ ".$algo" = .RSA ]; then +@@ -764,31 +788,31 @@ + echo "" + echo "${T_MD}RESULT: CA and Server Certification Files${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.key/ca.key${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.key/ca.key${T_ME}" + echo " The PEM-encoded $algo private key file of the CA which you can" + echo " use to sign other servers or clients. ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.crt/ca.crt${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.crt/ca.crt${T_ME}" + echo " The PEM-encoded X.509 certificate file of the CA which you use to" + echo " sign other servers or clients. When you sign clients with it (for" + echo " SSL client authentication) you can configure this file with the" + echo " 'SSLCACertificateFile' directive." + echo "" +- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" + echo " The PEM-encoded $algo private key file of the server which you configure" + echo " with the 'SSLCertificateKeyFile' directive (automatically done" + echo " when you install via APACI). 
${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" + echo " The PEM-encoded X.509 certificate file of the server which you configure" + echo " with the 'SSLCertificateFile' directive (automatically done" + echo " when you install via APACI)." + echo "" +- echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}" + echo " The PEM-encoded X.509 certificate signing request of the server file which" + echo " you can send to an official Certificate Authority (CA) in order" + echo " to request a real server certificate (signed by this CA instead" +- echo " of our own CA) which later can replace the conf/ssl.crt/server.crt" ++ echo " of our own CA) which later can replace the $confdir/ssl.crt/server.crt" + echo " file." + echo "" + echo "Congratulations that you establish your server with real certificates." +@@ -808,14 +832,26 @@ + echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2 + exit 1 + fi ++ if [ $crt -ef $sslcrtdir/server.crt ]; then ++ mv -f $crt $crt.backup ++ crt="$crt.backup" ++ fi + if [ ".$key" != . ]; then + if [ ! 
-f "$key" ]; then + echo "mkcert.sh: Cannot find private key file: $key" 1>&2 + exit 1 + fi ++ if [ $key -ef $sslkeydir/server.key ]; then ++ mv -f $key $key.backup ++ key="$key.backup" ++ fi + cp $crt $sslcrtdir/server.crt + (umask 077; cp $key $sslkeydir/server.key) + else ++ if [ $crt -ef $sslcrtdir/server.crt ]; then ++ mv -f $crt $crt.backup ++ crt="$crt.backup" ++ fi + key=$crt + umask 077 + touch $sslkeydir/server.key +@@ -836,12 +872,12 @@ + fi + echo "${T_MD}RESULT: Server Certification Files${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" + echo " The PEM-encoded $algo private key file which you configure" + echo " with the 'SSLCertificateKeyFile' directive (automatically done" + echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" + echo "" +- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" ++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" + echo " The PEM-encoded X.509 certificate file which you configure" + echo " with the 'SSLCertificateFile' directive (automatically done" + echo " when you install via APACI)." |
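Review bot: the getopt result is never checked in the `@@ -5,35 +5,53 @@` hunk of patch-ab: `parameters=\`getopt a:c:t:k:v $*\`` runs, but only `$# = 0` triggers the usage text, so an unknown option or a missing option argument makes getopt print its own error and the script carries on with `type`, `algo`, `crt` and `key` empty, failing much later and far from the cause. Test the exit status right after the assignment (`if [ $? -ne 0 ]; then ... exit 2; fi`) and require `-t`, since nothing in this hunk gives `type` a default. The unquoted `$*` and the re-splitting `set -- $parameters` also break on any `-c`/`-k` path containing whitespace, which is exactly the kind of argument the commit message says is now allowed elsewhere.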
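Review bot: `randfiles='/tmp/randfile'` in the `@@ -93,11 +111,11 @@` hunk does not match what the STEP 1/STEP 4 hunks actually create: they run `(umask 077; head -500 /dev/urandom > randfile)` and later `rm -f randfile`, i.e. a file named `randfile` in the caller's working directory, while the new comment above the assignment promises a `/tmp/randfile`. As written, `openssl genrsa -rand $randfiles ...` is handed a path that never exists, so the intended /dev/urandom seeding never reaches openssl and the seed comes only from the system files further down the list. Pick one name for both places, preferably a private per-run path created with mktemp(1) rather than a fixed, predictable name in the shared `/tmp`, and key the `rm -f` to the same variable.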
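Review bot: `head -500 /dev/urandom > randfile` in the `@@ -211,6 +229,7 @@` hunk (repeated in the `@@ -448,6 +468,7 @@` and `@@ -564,6 +586,7 @@` hunks) counts lines, not bytes: on a stream of random bytes that is however much data it takes to see 500 newline characters, on average well over 100 KB per key, and the amount varies from run to run. `dd if=/dev/urandom of=$seedfile bs=1k count=64 2>/dev/null` gives a fixed, documented amount and is just as portable. The subshell also writes relative to whatever directory the administrator happened to run from; give the file an absolute path in the same variable that `-rand` later reads.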
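Review bot: `RANDFILE="/tmp/.mkcert.rnd"` with the existing `(ps; date) >$RANDFILE` in the `@@ -112,7 +130,7 @@` hunk writes to a fixed, predictable name in a world-writable directory, with no umask applied (unlike the `umask 077` subshell this patch uses for `randfile`) and with `>` following whatever already sits at that path. Since mkcert.sh runs with enough privilege to write into `$confdir`, that is the classic /tmp symlink hazard; the original `.mkcert.rnd` was at least relative to the source tree. Create this file with mktemp(1), or keep it under `$confdir` with 0600 permissions, and export that path as RANDFILE.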
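Review bot: `cat >/tmp/.mkcert.cfg <<EOT` in the `@@ -238,10 +257,11 @@` hunk (and the same rewrite in every later STEP 2/STEP 5 and `-extfile` hunk) moves the OpenSSL request configuration to a shared, predictable path, and the following `$openssl req -config /tmp/.mkcert.cfg` trusts whatever is there. A file or symlink already present at that name, left by another local user or by an earlier aborted run (the `rm -f /tmp/.mkcert.cfg` sits after the `exit 1` in the error branch, so a failed run leaves the file behind), would drive the CSR's distinguished name and extensions without any indication. Suggest one `mktemp -d` directory per run, writing the cfg, extfile and seed file into it, with a `trap 'rm -rf "$tmpdir"' 0` so cleanup happens on failure too.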
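Review bot: moving the CA serial counter to `/tmp/.mkcert.serial` in the `@@ -296,13 +316,13 @@` hunk (and the matching `@@ -646,12 +670,12 @@` hunk for the custom CA) makes issuer state volatile and shared: `/tmp` is routinely cleared, after which `if [ ! -f /tmp/.mkcert.serial ]; then echo '01' >/tmp/.mkcert.serial` restarts at 01 and the same CA issues a second certificate carrying an already-used serial number, and any local user can pre-create or edit the file. The serial belongs next to the CA key it is paired with; `$sslprmdir` or `$sslkeydir`, both defined in this patch, are natural homes, and the `-CAserial` arguments should point there.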
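Review bot: the `if [ $crt -ef $sslcrtdir/server.crt ]` block inside the `else` branch of the `@@ -808,14 +832,26 @@` hunk is dead code: the identical check already ran unconditionally just above, before `if [ ".$key" != . ]`, so by the time the `else` branch executes `$crt` already names the `.backup` copy and `-ef` can no longer match. Drop the duplicate. Two smaller points: `-ef` is a shell extension rather than POSIX test(1), worth a comment if the installed `${sbindir}/mkcert.sh` is expected to run under other /bin/sh implementations, and `$crt`/`$key` are unquoted throughout this hunk, so a path containing a space splits before `mv` and `cp` ever see it.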