* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
commit: 0e37a586f336fa92d10c4113b9e3ebd5012f6a00
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 3 08:31:25 2023 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Sep 3 08:31:25 2023 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=0e37a586
Add rustls-ffi patch
Bug: https://bugs.gentoo.org/906523
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/06_rustls_ffi.patch | 51 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/2.4/patches/06_rustls_ffi.patch b/2.4/patches/06_rustls_ffi.patch
new file mode 100644
index 0000000..81869f7
--- /dev/null
+++ b/2.4/patches/06_rustls_ffi.patch
@@ -0,0 +1,51 @@
+https://github.com/apache/httpd/commit/0495a95f511c0bc7f34dc1b706d6d8276865743b
+https://bugs.gentoo.org/906523
+
+From 0495a95f511c0bc7f34dc1b706d6d8276865743b Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Tue, 2 May 2023 09:21:07 +0000
+Subject: [PATCH] Backport of r1909558 from trunk:
+
+ *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
+ Checking in configure for proper version installed. Code
+ fixes for changed clienthello member name.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1909561 13f79535-47bb-0310-9956-ffa450edef68
+--- /dev/null
++++ b/changes-entries/tls-rustls-update.txt
+@@ -0,0 +1,4 @@
++ *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
++ Checking in configure for proper version installed. Code
++ fixes for changed clienthello member name.
++ [Stefan Eissing]
+\ No newline at end of file
+--- a/modules/tls/config2.m4
++++ b/modules/tls/config2.m4
+@@ -109,9 +109,10 @@ AC_DEFUN([APACHE_CHECK_RUSTLS],[
+ fi
+ fi
+
+- AC_MSG_CHECKING([for rustls version >= 0.8.2])
++ AC_MSG_CHECKING([for rustls version >= 0.9.2])
+ AC_TRY_COMPILE([#include <rustls.h>],[
+ rustls_version();
++rustls_acceptor_new();
+ ],
+ [AC_MSG_RESULT(OK)
+ ac_cv_rustls=yes],
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -507,8 +507,8 @@ static const rustls_certified_key *extract_client_hello_values(
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "extract client hello values");
+ if (!cc) goto cleanup;
+ cc->client_hello_seen = 1;
+- if (hello->sni_name.len > 0) {
+- cc->sni_hostname = apr_pstrndup(c->pool, hello->sni_name.data, hello->sni_name.len);
++ if (hello->server_name.len > 0) {
++ cc->sni_hostname = apr_pstrndup(c->pool, hello->server_name.data, hello->server_name.len);
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "sni detected: %s", cc->sni_hostname);
+ }
+ else {
+
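Review bot: The Gentoo header lines at the top of the hunk name the upstream commit and the Gentoo bug but not the httpd release that will carry r1909561, which is the fact a maintainer needs in order to know when the patch can be dropped again. I would add a third header line such as `Fixed in: <httpd release placeholder>` (or "not yet released" if that is the current state) above the upstream commit message. The rest of the hunk is the unmodified upstream backport and is not re-reviewed here.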
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
commit: 4dc522359ec9731c76f5de74c4b3904c9592fd5a
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 3 08:30:15 2023 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Sep 3 08:30:15 2023 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=4dc52235
Add libtool patch
Bug: https://bugs.gentoo.org/858836
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/05_libtool.patch | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/2.4/patches/05_libtool.patch b/2.4/patches/05_libtool.patch
new file mode 100644
index 0000000..a0d55d8
--- /dev/null
+++ b/2.4/patches/05_libtool.patch
@@ -0,0 +1,21 @@
+Bug: https://bugs.gentoo.org/858836
+
+From: orbea <orbea@riseup.net>
+Date: Tue, 19 Jul 2022 07:46:36 -0700
+Subject: [PATCH] build: Fix the build with slibtool
+
+Adding LT_INIT to configure.in generates the libtool script in the build
+directory which is required by rlibtool to determine if the build is
+shared or static.
+
+--- a/configure.in
++++ b/configure.in
+@@ -398,7 +398,7 @@ AC_PATH_PROG(RSYNC, rsync)
+ AC_PATH_PROG(SVN, svn)
+ AC_PROG_AWK
+ AC_PROG_LN_S
+-AC_CHECK_TOOL(RANLIB, ranlib, true)
++LT_INIT
+ dnl AC_PATH_PROG(PERL_PATH, perl)
+ AC_CHECK_PROGS(LYNX_PATH,[lynx links elinks], [lynx])
+
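Review bot: The patch swaps `AC_CHECK_TOOL(RANLIB, ranlib, true)` for `LT_INIT` but neither the hunk nor its description says where `RANLIB` is defined afterwards; the build's `$RANLIB` substitution now depends on LT_INIT probing for ranlib itself, which should be confirmed for the libtool version in use rather than assumed. The header at the top of the hunk also carries only the Gentoo bug and no upstream reference, unlike the sibling patches in this directory. I would add `Upstream: <bug or PR URL placeholder>` to the header and extend the description with `LT_INIT performs its own ranlib probe, so the removed AC_CHECK_TOOL is redundant rather than lost.` once that has been verified.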
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
commit: 2a33ab54bf77360d792c2ec853e2c03b2dbe0e3d
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 3 08:29:03 2023 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Sep 3 08:29:03 2023 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=2a33ab54
Add no-which patch
Bug: https://bugs.gentoo.org/844868
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/04_no_which.patch | 54 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
diff --git a/2.4/patches/04_no_which.patch b/2.4/patches/04_no_which.patch
new file mode 100644
index 0000000..65764df
--- /dev/null
+++ b/2.4/patches/04_no_which.patch
@@ -0,0 +1,54 @@
+https://bugs.gentoo.org/844868
+https://bz.apache.org/bugzilla/show_bug.cgi?id=66130
+--- a/build/aix/buildaix.ksh
++++ b/build/aix/buildaix.ksh
+@@ -26,14 +26,14 @@ export CFLAGS='-O2 -qlanglvl=extc99'
+ lslpp -L bos.adt.insttools >/dev/null
+ [[ $? -ne 0 ]] && echo "must have bos.adt.insttools installed" && exit -1
+
+-apr_config=`which apr-1-config`
+-apu_config=`which apu-1-config`
++apr_config=`command -v apr-1-config 2>/dev/null`
++apu_config=`command -v apu-1-config 2>/dev/null`
+
+ if [[ -z ${apr_config} && -z ${apu_config} ]]
+ then
+ export PATH=/opt/bin:${PATH}
+- apr_config=`which apr-1-config`
+- apu_config=`which apu-1-config`
++ apr_config=`command -v apr-1-config 2>/dev/null`
++ apu_config=`command -v apu-1-config 2>/dev/null`
+ fi
+
+ while test $# -gt 0
+--- a/build/pkg/buildpkg.sh
++++ b/build/pkg/buildpkg.sh
+@@ -24,8 +24,8 @@ PREFIX=/usr/local/apache2
+ TEMPDIR=/var/tmp/$USER/httpd-root
+ rm -rf $TEMPDIR
+
+-apr_config=`which apr-1-config`
+-apu_config=`which apu-1-config`
++apr_config=`command -v apr-1-config 2>/dev/null`
++apu_config=`command -v apu-1-config 2>/dev/null`
+
+ while test $# -gt 0
+ do
+--- a/configure.in
++++ b/configure.in
+@@ -216,13 +216,13 @@ AC_ARG_WITH(pcre,
+ APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library))
+ if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then
+ with_pcre="$PATH"
+-else if which $with_pcre 2>/dev/null; then :; else
++else if command -v $with_pcre 2>/dev/null; then :; else
+ with_pcre="$with_pcre/bin:$with_pcre"
+ fi
+ fi
+
+ AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config],
+- [`which $with_pcre 2>/dev/null`], $with_pcre)
++ [`command -v $with_pcre 2>/dev/null`], $with_pcre)
+
+ if test "x$PCRE_CONFIG" != "x"; then
+ if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else
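Review bot: `command -v` is not a strict drop-in for `which` in the configure.in part of the hunk: it may answer with a shell function, alias or builtin name instead of a filesystem path, and that answer is passed straight to AC_CHECK_TARGET_TOOLS as a path candidate in `[`command -v $with_pcre 2>/dev/null`]`. For `apr-1-config`, `apu-1-config` and a user-supplied `--with-pcre` value this is unlikely to matter in practice, but the header at the top of the hunk should record the assumption; I would add `Note: command -v can return a non-path for functions/aliases; the callers treat the result as a PATH entry exactly as they did with which.` The unquoted `$with_pcre` and the backtick substitutions are carried over unchanged from the original lines and are not new in this change.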
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
commit: 25a1eaafc964ef2e29cc663292a0bcddab7f43e5
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 11 05:48:11 2023 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Wed Oct 11 05:54:04 2023 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=25a1eaaf
Drop 2.4 libtool patch
Bug: https://bugs.gentoo.org/860081
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/05_libtool.patch | 21 ---------------------
1 file changed, 21 deletions(-)
diff --git a/2.4/patches/05_libtool.patch b/2.4/patches/05_libtool.patch
deleted file mode 100644
index a0d55d8..0000000
--- a/2.4/patches/05_libtool.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Bug: https://bugs.gentoo.org/858836
-
-From: orbea <orbea@riseup.net>
-Date: Tue, 19 Jul 2022 07:46:36 -0700
-Subject: [PATCH] build: Fix the build with slibtool
-
-Adding LT_INIT to configure.in generates the libtool script in the build
-directory which is required by rlibtool to determine if the build is
-shared or static.
-
---- a/configure.in
-+++ b/configure.in
-@@ -398,7 +398,7 @@ AC_PATH_PROG(RSYNC, rsync)
- AC_PATH_PROG(SVN, svn)
- AC_PROG_AWK
- AC_PROG_LN_S
--AC_CHECK_TOOL(RANLIB, ranlib, true)
-+LT_INIT
- dnl AC_PATH_PROG(PERL_PATH, perl)
- AC_CHECK_PROGS(LYNX_PATH,[lynx links elinks], [lynx])
-
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
commit: 39aa4f5d435a7c0888a494b7f86772bb94b86418
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 19 12:10:17 2023 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Thu Oct 19 12:10:17 2023 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=39aa4f5d
Remove rustls-ffi patch
This patch was taken from upstream and has been released in apache
2.0.48.
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/06_rustls_ffi.patch | 51 -----------------------------------------
1 file changed, 51 deletions(-)
diff --git a/2.4/patches/06_rustls_ffi.patch b/2.4/patches/06_rustls_ffi.patch
deleted file mode 100644
index 81869f7..0000000
--- a/2.4/patches/06_rustls_ffi.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-https://github.com/apache/httpd/commit/0495a95f511c0bc7f34dc1b706d6d8276865743b
-https://bugs.gentoo.org/906523
-
-From 0495a95f511c0bc7f34dc1b706d6d8276865743b Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <icing@apache.org>
-Date: Tue, 2 May 2023 09:21:07 +0000
-Subject: [PATCH] Backport of r1909558 from trunk:
-
- *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
- Checking in configure for proper version installed. Code
- fixes for changed clienthello member name.
-
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1909561 13f79535-47bb-0310-9956-ffa450edef68
---- /dev/null
-+++ b/changes-entries/tls-rustls-update.txt
-@@ -0,0 +1,4 @@
-+ *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
-+ Checking in configure for proper version installed. Code
-+ fixes for changed clienthello member name.
-+ [Stefan Eissing]
-\ No newline at end of file
---- a/modules/tls/config2.m4
-+++ b/modules/tls/config2.m4
-@@ -109,9 +109,10 @@ AC_DEFUN([APACHE_CHECK_RUSTLS],[
- fi
- fi
-
-- AC_MSG_CHECKING([for rustls version >= 0.8.2])
-+ AC_MSG_CHECKING([for rustls version >= 0.9.2])
- AC_TRY_COMPILE([#include <rustls.h>],[
- rustls_version();
-+rustls_acceptor_new();
- ],
- [AC_MSG_RESULT(OK)
- ac_cv_rustls=yes],
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -507,8 +507,8 @@ static const rustls_certified_key *extract_client_hello_values(
- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "extract client hello values");
- if (!cc) goto cleanup;
- cc->client_hello_seen = 1;
-- if (hello->sni_name.len > 0) {
-- cc->sni_hostname = apr_pstrndup(c->pool, hello->sni_name.data, hello->sni_name.len);
-+ if (hello->server_name.len > 0) {
-+ cc->sni_hostname = apr_pstrndup(c->pool, hello->server_name.data, hello->server_name.len);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "sni detected: %s", cc->sni_hostname);
- }
- else {
-
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
commit: 1a564c20ea1b5b1934d3e83d59a8fed07706b40b
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat May 11 07:06:06 2024 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat May 11 07:11:14 2024 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=1a564c20
Add patches originally added in the ebuild
Both these patches are already fixed upstream and should be included
in 2.5.60 when it is released.
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/05-rustls-0.13.0.patch | 544 +++++++++++++++++++++++++++++++++++++
2.4/patches/06-dh-regression.patch | 81 ++++++
2 files changed, 625 insertions(+)
diff --git a/2.4/patches/05-rustls-0.13.0.patch b/2.4/patches/05-rustls-0.13.0.patch
new file mode 100644
index 0000000..f8cfc6b
--- /dev/null
+++ b/2.4/patches/05-rustls-0.13.0.patch
@@ -0,0 +1,544 @@
+From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:05:19 -0400
+Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
+
+The rustls version included in the rustls-ffi version output does not
+always contain three components. E.g. rustls-ffi 0.12.2 uses the version
+string:
+
+ rustls-ffi/0.12.2/rustls/0.22
+
+Notably there is no `.0` after the `0.22` for the Rustls version, and
+this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
+---
+ test/modules/tls/test_08_vars.py | 2 +-
+ test/modules/tls/test_14_proxy_ssl.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
+index ad764a7985a..0e3ee74d2df 100644
+--- a/test/modules/tls/test_08_vars.py
++++ b/test/modules/tls/test_08_vars.py
+@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
+
+ @pytest.mark.parametrize("name, pattern", [
+ ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+ ])
+ def test_tls_08_vars_match(self, env, name: str, pattern: str):
+ r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
+diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
+index 2f46c64f710..87e04c28afa 100644
+--- a/test/modules/tls/test_14_proxy_ssl.py
++++ b/test/modules/tls/test_14_proxy_ssl.py
+@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
+
+ @pytest.mark.parametrize("name, pattern", [
+ ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+ ])
+ def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
+ if not HttpdTestEnv.has_shared_module("tls"):
+From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:19:50 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
+
+See upstream release notes[0] for more information.
+
+Also note that the, ahem, clunkyness of the verifier API is reduced in
+the 0.12 release and this is a transition state.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
+---
+ .github/workflows/linux.yml | 2 +-
+ modules/tls/tls_cert.c | 26 ++++++++++++++++++--------
+ modules/tls/tls_cert.h | 6 +++---
+ modules/tls/tls_core.c | 4 ++--
+ 4 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 8c45faf5651..1ac41c6b2d6 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+ APR_VERSION=1.7.4
+ APU_VERSION=1.6.3
+ APU_CONFIG="--with-crypto"
+- RUSTLS_VERSION="v0.10.0"
++ RUSTLS_VERSION="v0.11.0"
+ NO_TEST_FRAMEWORK=1
+ TEST_INSTALL=1
+ TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 624535aa444..17a35fc498d 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
+
+ typedef struct {
+ const char *id;
+- const rustls_client_cert_verifier *client_verifier;
+- const rustls_client_cert_verifier_optional *client_verifier_opt;
++ const rustls_allow_any_authenticated_client_verifier *client_verifier;
++ const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+ tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+ (void)ctx; (void)key; (void)klen;
+ if (entry->client_verifier) {
+- rustls_client_cert_verifier_free(entry->client_verifier);
++ rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
+ entry->client_verifier = NULL;
+ }
+ if (entry->client_verifier_opt) {
+- rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
++ rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
+ entry->client_verifier_opt = NULL;
+ }
+ return 1;
+@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+ apr_status_t tls_cert_client_verifiers_get(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_client_cert_verifier **pverifier)
++ const rustls_allow_any_authenticated_client_verifier **pverifier)
+ {
+ apr_status_t rv = APR_SUCCESS;
+ tls_cert_verifiers_entry_t *entry;
++ struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
+
+ entry = verifiers_get_or_make_entry(verifiers, store_file);
+ if (!entry->client_verifier) {
+ rustls_root_cert_store *store;
+ rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+ if (APR_SUCCESS != rv) goto cleanup;
+- entry->client_verifier = rustls_client_cert_verifier_new(store);
++ verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
++ entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
+ }
+
+ cleanup:
++ if (verifier_builder != NULL) {
++ rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++ }
+ if (APR_SUCCESS == rv) {
+ *pverifier = entry->client_verifier;
+ }
+@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_client_cert_verifier_optional **pverifier)
++ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
+ {
+ apr_status_t rv = APR_SUCCESS;
+ tls_cert_verifiers_entry_t *entry;
++ struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+
+ entry = verifiers_get_or_make_entry(verifiers, store_file);
+ if (!entry->client_verifier_opt) {
+ rustls_root_cert_store *store;
+ rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+ if (APR_SUCCESS != rv) goto cleanup;
+- entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
++ verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
++ entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+ }
+
+ cleanup:
++ if (verifier_builder != NULL) {
++ rustls_client_cert_verifier_optional_builder_free(verifier_builder);
++ }
+ if (APR_SUCCESS == rv) {
+ *pverifier = entry->client_verifier_opt;
+ }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 6ab3f48ae13..4ac3865dd86 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_client_cert_verifier **pverifier);
++ const rustls_allow_any_authenticated_client_verifier **pverifier);
+
+ /**
+ * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_client_cert_verifier_optional **pverifier);
++ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
+
+-#endif /* tls_cert_h */
+\ No newline at end of file
++#endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index 25479392f1a..df29077826d 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+ if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+ ap_assert(sc->client_ca); /* checked in server_setup */
+ if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+- const rustls_client_cert_verifier *verifier;
++ const rustls_allow_any_authenticated_client_verifier *verifier;
+ rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+ if (APR_SUCCESS != rv) goto cleanup;
+ rustls_server_config_builder_set_client_verifier(builder, verifier);
+ }
+ else {
+- const rustls_client_cert_verifier_optional *verifier;
++ const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
+ rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+ if (APR_SUCCESS != rv) goto cleanup;
+ rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:37:25 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
+
+See upstream release notes for more information:
+
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
+---
+ .github/workflows/linux.yml | 2 +-
+ modules/tls/tls_cert.c | 99 ++++++++++++++++++++-----------------
+ modules/tls/tls_cert.h | 8 +--
+ modules/tls/tls_core.c | 16 ++++--
+ 4 files changed, 70 insertions(+), 55 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 1ac41c6b2d6..3700bc4546a 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+ APR_VERSION=1.7.4
+ APU_VERSION=1.6.3
+ APU_CONFIG="--with-crypto"
+- RUSTLS_VERSION="v0.11.0"
++ RUSTLS_VERSION="v0.12.2"
+ NO_TEST_FRAMEWORK=1
+ TEST_INSTALL=1
+ TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 17a35fc498d..ffb941cae40 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+ }
+
+ apr_status_t tls_cert_load_root_store(
+- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
++ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
+ {
+ const char *fpath;
+ tls_data_t pem;
+- rustls_root_cert_store *store = NULL;
++ rustls_root_cert_store_builder *store_builder = NULL;
++ const rustls_root_cert_store *store = NULL;
+ rustls_result rr = RUSTLS_RESULT_OK;
+ apr_pool_t *ptemp = NULL;
+ apr_status_t rv;
+@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
+ rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
+ if (APR_SUCCESS != rv) goto cleanup;
+
+- store = rustls_root_cert_store_new();
+- rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
++ store_builder = rustls_root_cert_store_builder_new();
++ rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
++ if (RUSTLS_RESULT_OK != rr) goto cleanup;
++
++ rr = rustls_root_cert_store_builder_build(store_builder, &store);
+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
+
+ cleanup:
++ if (store_builder != NULL) {
++ rustls_root_cert_store_builder_free(store_builder);
++ }
+ if (RUSTLS_RESULT_OK != rr) {
+ const char *err_descr;
+ rv = tls_util_rustls_error(p, rr, &err_descr);
+@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
+
+ typedef struct {
+ const char *id;
+- rustls_root_cert_store *store;
++ const rustls_root_cert_store *store;
+ } tls_cert_root_stores_entry_t;
+
+ static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
+ apr_status_t tls_cert_root_stores_get(
+ tls_cert_root_stores_t *stores,
+ const char *store_file,
+- rustls_root_cert_store **pstore)
++ const rustls_root_cert_store **pstore)
+ {
+ apr_status_t rv = APR_SUCCESS;
+ tls_cert_root_stores_entry_t *entry;
+
+ entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
+ if (!entry) {
+- rustls_root_cert_store *store;
++ const rustls_root_cert_store *store;
+ rv = tls_cert_load_root_store(stores->pool, store_file, &store);
+ if (APR_SUCCESS != rv) goto cleanup;
+ entry = apr_pcalloc(stores->pool, sizeof(*entry));
+@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
+
+ typedef struct {
+ const char *id;
+- const rustls_allow_any_authenticated_client_verifier *client_verifier;
+- const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
++ rustls_client_cert_verifier *client_verifier;
++ rustls_client_cert_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+ tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+ (void)ctx; (void)key; (void)klen;
+ if (entry->client_verifier) {
+- rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
++ rustls_client_cert_verifier_free(entry->client_verifier);
+ entry->client_verifier = NULL;
+ }
+ if (entry->client_verifier_opt) {
+- rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
++ rustls_client_cert_verifier_free(entry->client_verifier_opt);
+ entry->client_verifier_opt = NULL;
+ }
+ return 1;
+@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+ return entry;
+ }
+
+-apr_status_t tls_cert_client_verifiers_get(
+- tls_cert_verifiers_t *verifiers,
+- const char *store_file,
+- const rustls_allow_any_authenticated_client_verifier **pverifier)
++static apr_status_t tls_cert_client_verifiers_get_internal(
++ tls_cert_verifiers_t *verifiers,
++ const char *store_file,
++ const rustls_client_cert_verifier **pverifier,
++ bool allow_unauthenticated)
+ {
+ apr_status_t rv = APR_SUCCESS;
+ tls_cert_verifiers_entry_t *entry;
+- struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
++ rustls_result rr = RUSTLS_RESULT_OK;
++ struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
+
+ entry = verifiers_get_or_make_entry(verifiers, store_file);
+ if (!entry->client_verifier) {
+- rustls_root_cert_store *store;
++ const rustls_root_cert_store *store;
+ rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+ if (APR_SUCCESS != rv) goto cleanup;
+- verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
+- entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
++ verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
++
++ if (allow_unauthenticated) {
++ rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
++ if (rr != RUSTLS_RESULT_OK) {
++ goto cleanup;
++ }
++ }
++
++ rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
++ if (rr != RUSTLS_RESULT_OK) {
++ goto cleanup;
++ }
+ }
+
+ cleanup:
+ if (verifier_builder != NULL) {
+- rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++ rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
++ }
++ if (rr != RUSTLS_RESULT_OK) {
++ rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+ }
+ if (APR_SUCCESS == rv) {
+ *pverifier = entry->client_verifier;
+@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
+ return rv;
+ }
+
+-apr_status_t tls_cert_client_verifiers_get_optional(
++
++apr_status_t tls_cert_client_verifiers_get(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
++ const rustls_client_cert_verifier **pverifier)
+ {
+- apr_status_t rv = APR_SUCCESS;
+- tls_cert_verifiers_entry_t *entry;
+- struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+-
+- entry = verifiers_get_or_make_entry(verifiers, store_file);
+- if (!entry->client_verifier_opt) {
+- rustls_root_cert_store *store;
+- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+- if (APR_SUCCESS != rv) goto cleanup;
+- verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
+- entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+- }
++ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
++}
+
+-cleanup:
+- if (verifier_builder != NULL) {
+- rustls_client_cert_verifier_optional_builder_free(verifier_builder);
+- }
+- if (APR_SUCCESS == rv) {
+- *pverifier = entry->client_verifier_opt;
+- }
+- else {
+- *pverifier = NULL;
+- }
+- return rv;
++apr_status_t tls_cert_client_verifiers_get_optional(
++ tls_cert_verifiers_t *verifiers,
++ const char *store_file,
++ const rustls_client_cert_verifier **pverifier)
++{
++ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
+ }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 4ac3865dd86..3326f0eb3e7 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+ * @param pstore the loaded root store on success
+ */
+ apr_status_t tls_cert_load_root_store(
+- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
++ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
+
+ typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
+ struct tls_cert_root_stores_t {
+@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
+ apr_status_t tls_cert_root_stores_get(
+ tls_cert_root_stores_t *stores,
+ const char *store_file,
+- rustls_root_cert_store **pstore);
++ const rustls_root_cert_store **pstore);
+
+ typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
+ struct tls_cert_verifiers_t {
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_allow_any_authenticated_client_verifier **pverifier);
++ const rustls_client_cert_verifier **pverifier);
+
+ /**
+ * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+ tls_cert_verifiers_t *verifiers,
+ const char *store_file,
+- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
++ const rustls_client_cert_verifier **pverifier);
+
+ #endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index df29077826d..1cef254f103 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+ tls_conf_proxy_t *pc;
+ const apr_array_header_t *ciphersuites = NULL;
+ apr_array_header_t *tls_versions = NULL;
++ rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
++ struct rustls_server_cert_verifier *verifier = NULL;
+ rustls_client_config_builder *builder = NULL;
+- rustls_root_cert_store *ca_store = NULL;
++ const rustls_root_cert_store *ca_store = NULL;
+ const char *hostname = NULL, *alpn_note = NULL;
+ rustls_result rr = RUSTLS_RESULT_OK;
+ apr_status_t rv = APR_SUCCESS;
+@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+ if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
+ rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
+ if (APR_SUCCESS != rv) goto cleanup;
+- rustls_client_config_builder_use_roots(builder, ca_store);
++ verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
++ rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
++ if (RUSTLS_RESULT_OK != rr) goto cleanup;
++ rustls_client_config_builder_set_server_verifier(builder, verifier);
+ }
+
+ #if TLS_MACHINE_CERTS
+@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+ rustls_connection_set_userdata(cc->rustls_connection, c);
+
+ cleanup:
++ if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
+ if (builder != NULL) rustls_client_config_builder_free(builder);
+ if (RUSTLS_RESULT_OK != rr) {
+ const char *err_descr = NULL;
+@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+ if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+ ap_assert(sc->client_ca); /* checked in server_setup */
+ if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+- const rustls_allow_any_authenticated_client_verifier *verifier;
++ const rustls_client_cert_verifier *verifier;
+ rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+ if (APR_SUCCESS != rv) goto cleanup;
+ rustls_server_config_builder_set_client_verifier(builder, verifier);
+ }
+ else {
+- const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
++ const rustls_client_cert_verifier *verifier;
+ rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+ if (APR_SUCCESS != rv) goto cleanup;
+- rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
++ rustls_server_config_builder_set_client_verifier(builder, verifier);
+ }
+ }
+
+From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 13:49:49 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
+
+The breaking API changes in this release don't affect `mod_tls`, making
+this an in-place update.
+
+See the upstream release notes[0] for more information.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
+---
+ .github/workflows/linux.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 3700bc4546a..54dcd7b0b32 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+ APR_VERSION=1.7.4
+ APU_VERSION=1.6.3
+ APU_CONFIG="--with-crypto"
+- RUSTLS_VERSION="v0.12.2"
++ RUSTLS_VERSION="v0.13.0"
+ NO_TEST_FRAMEWORK=1
+ TEST_INSTALL=1
+ TEST_MOD_TLS=1
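Review bot: In the nested tls_cert.c hunk, `tls_cert_client_verifiers_get_internal` keys its cache only on `entry->client_verifier`, so whichever of `tls_cert_client_verifiers_get` (allow_unauthenticated=false) or `tls_cert_client_verifiers_get_optional` (allow_unauthenticated=true) first asks for a given `store_file` fixes the policy every later caller receives, and `entry->client_verifier_opt` is left unused apart from its release in `verifiers_entry_cleanup`. Two virtual hosts sharing a CA file but differing in whether a client certificate is required would therefore get the same verifier, and when the optional lookup ran first the "required" host ends up admitting clients that present no certificate. The fix is to select the cache slot from `allow_unauthenticated`, as below; the `else` branch of the function that sits between the two nested hunks is not shown. Separately, in the tls_core.c hunk for `init_outgoing_connection`, the `verifier` produced by `rustls_web_pki_server_cert_verifier_builder_build` is never released under `cleanup:`; if the 0.12 `rustls_client_config_builder_set_server_verifier` clones the verifier rather than taking ownership, that is a leak per outgoing connection — confirm against the rustls-ffi header.
```c
    /* … unchanged: signature and other locals of tls_cert_client_verifiers_get_internal … */
    rustls_client_cert_verifier **pcached;

    entry = verifiers_get_or_make_entry(verifiers, store_file);
    /* A required and an optional verifier for the same store differ in policy,
     * so each gets its own cache slot. */
    pcached = allow_unauthenticated ? &entry->client_verifier_opt : &entry->client_verifier;
    if (!*pcached) {
        /* … unchanged: root store lookup, builder_new, allow_unauthenticated call … */
        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, pcached);
        if (rr != RUSTLS_RESULT_OK) {
            goto cleanup;
        }
    }

cleanup:
    /* … unchanged: builder free and rr-to-rv mapping … */
    if (APR_SUCCESS == rv) {
        *pverifier = *pcached;
    }
```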
diff --git a/2.4/patches/06-dh-regression.patch b/2.4/patches/06-dh-regression.patch
new file mode 100644
index 0000000..63cb606
--- /dev/null
+++ b/2.4/patches/06-dh-regression.patch
@@ -0,0 +1,81 @@
+From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 8 Apr 2024 13:18:28 +0000
+Subject: [PATCH] * Ensure that we set the default DH parameters for the key
+
+Replace else with an if as the if branch no longer ensures that
+custome DH parameters have been loaded.
+This fixes a regression that causes the default DH parameters for a key
+no longer set and thus effectively disabling DH ciphers when no explicit
+DH parameters are set.
+
+PR: 68863
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/pr68863.txt | 3 +++
+ modules/ssl/ssl_engine_init.c | 11 ++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 changes-entries/pr68863.txt
+
+diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
+new file mode 100644
+index 00000000000..d45ffc708cc
+--- /dev/null
++++ b/changes-entries/pr68863.txt
+@@ -0,0 +1,3 @@
++ *) mod_ssl: Fix a regression that causes the default DH parameters for a key
++ no longer set and thus effectively disabling DH ciphers when no explicit
++ DH parameters are set. PR 68863 [Ruediger Pluem]
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 64e4aaf1dcd..f657026d137 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+ int i;
+ EVP_PKEY *pkey;
++ int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+ EC_GROUP *ecgroup = NULL;
+ int curve_nid = 0;
+@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ */
+ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+ if (certfile && !modssl_is_engine_id(certfile)) {
+- int done = 0, num_bits = 0;
++ int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh = modssl_dh_from_file(certfile);
+ if (dh) {
+ num_bits = DH_bits(dh);
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+ DH_free(dh);
+- done = 1;
++ custom_dh_done = 1;
+ }
+ #else
+ pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ EVP_PKEY_free(pkey);
+ }
+ else {
+- done = 1;
++ custom_dh_done = 1;
+ }
+ }
+ #endif
+- if (done) {
++ if (custom_dh_done) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+ "Custom DH parameters (%d bits) for %s loaded from %s",
+ num_bits, vhost_id, certfile);
+ }
+ }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+- else {
++ if (!custom_dh_done) {
+ /* If no parameter is manually configured, enable auto
+ * selection. */
+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
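Review bot: The fallback branch `if (!custom_dh_done)` that enables `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1)` is silent, whereas the custom-parameter path logs APLOGNO(02540) at APLOG_DEBUG; the regression this patch fixes was precisely a state (DH ciphers effectively disabled) that left no trace in the error log. Adding a debug-level message in that branch, e.g. `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(<new number>) "No custom DH parameters for %s, enabling automatic DH selection", vhost_id);` with a freshly allocated APLOGNO, would let operators confirm from the log which DH source is active for each vhost. ssl_init_server_certs continues outside the hunk and the `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` block is cut off at the end, so it cannot be confirmed from here whether such a log line already exists below.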
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2024-07-01 19:47 Hans de Graaff
From: Hans de Graaff @ 2024-07-01 19:47 UTC (permalink / raw
To: gentoo-commits
commit: ce494eb59b4868bd110942041e3c0a6cfb558ed6
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 1 18:24:54 2024 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Mon Jul 1 19:47:09 2024 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=ce494eb5
Update patches for 2.4.60
Remove patches that are already included in the 2.5.60 release.
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/05-rustls-0.13.0.patch | 544 -------------------------------------
2.4/patches/06-dh-regression.patch | 81 ------
2 files changed, 625 deletions(-)
diff --git a/2.4/patches/05-rustls-0.13.0.patch b/2.4/patches/05-rustls-0.13.0.patch
deleted file mode 100644
index f8cfc6b..0000000
--- a/2.4/patches/05-rustls-0.13.0.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:05:19 -0400
-Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
-
-The rustls version included in the rustls-ffi version output does not
-always contain three components. E.g. rustls-ffi 0.12.2 uses the version
-string:
-
- rustls-ffi/0.12.2/rustls/0.22
-
-Notably there is no `.0` after the `0.22` for the Rustls version, and
-this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
----
- test/modules/tls/test_08_vars.py | 2 +-
- test/modules/tls/test_14_proxy_ssl.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
-index ad764a7985a..0e3ee74d2df 100644
---- a/test/modules/tls/test_08_vars.py
-+++ b/test/modules/tls/test_08_vars.py
-@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
-
- @pytest.mark.parametrize("name, pattern", [
- ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
- ])
- def test_tls_08_vars_match(self, env, name: str, pattern: str):
- r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
-diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
-index 2f46c64f710..87e04c28afa 100644
---- a/test/modules/tls/test_14_proxy_ssl.py
-+++ b/test/modules/tls/test_14_proxy_ssl.py
-@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
-
- @pytest.mark.parametrize("name, pattern", [
- ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
-- ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
-+ ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
- ])
- def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
- if not HttpdTestEnv.has_shared_module("tls"):
-From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:19:50 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
-
-See upstream release notes[0] for more information.
-
-Also note that the, ahem, clunkyness of the verifier API is reduced in
-the 0.12 release and this is a transition state.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
----
- .github/workflows/linux.yml | 2 +-
- modules/tls/tls_cert.c | 26 ++++++++++++++++++--------
- modules/tls/tls_cert.h | 6 +++---
- modules/tls/tls_core.c | 4 ++--
- 4 files changed, 24 insertions(+), 14 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 8c45faf5651..1ac41c6b2d6 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
- APR_VERSION=1.7.4
- APU_VERSION=1.6.3
- APU_CONFIG="--with-crypto"
-- RUSTLS_VERSION="v0.10.0"
-+ RUSTLS_VERSION="v0.11.0"
- NO_TEST_FRAMEWORK=1
- TEST_INSTALL=1
- TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 624535aa444..17a35fc498d 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
-
- typedef struct {
- const char *id;
-- const rustls_client_cert_verifier *client_verifier;
-- const rustls_client_cert_verifier_optional *client_verifier_opt;
-+ const rustls_allow_any_authenticated_client_verifier *client_verifier;
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
-
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
- tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
- (void)ctx; (void)key; (void)klen;
- if (entry->client_verifier) {
-- rustls_client_cert_verifier_free(entry->client_verifier);
-+ rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
- entry->client_verifier = NULL;
- }
- if (entry->client_verifier_opt) {
-- rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
-+ rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
- entry->client_verifier_opt = NULL;
- }
- return 1;
-@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
- apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier **pverifier)
-+ const rustls_allow_any_authenticated_client_verifier **pverifier)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-+ struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier) {
- rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
-- entry->client_verifier = rustls_client_cert_verifier_new(store);
-+ verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
-+ entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
- }
-
- cleanup:
-+ if (verifier_builder != NULL) {
-+ rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+ }
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier;
- }
-@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier_optional **pverifier)
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-+ struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier_opt) {
- rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
-- entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
-+ verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
-+ entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
- }
-
- cleanup:
-+ if (verifier_builder != NULL) {
-+ rustls_client_cert_verifier_optional_builder_free(verifier_builder);
-+ }
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier_opt;
- }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 6ab3f48ae13..4ac3865dd86 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier **pverifier);
-+ const rustls_allow_any_authenticated_client_verifier **pverifier);
-
- /**
- * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_client_cert_verifier_optional **pverifier);
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
-
--#endif /* tls_cert_h */
-\ No newline at end of file
-+#endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index 25479392f1a..df29077826d 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
- if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
- ap_assert(sc->client_ca); /* checked in server_setup */
- if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
-- const rustls_client_cert_verifier *verifier;
-+ const rustls_allow_any_authenticated_client_verifier *verifier;
- rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier(builder, verifier);
- }
- else {
-- const rustls_client_cert_verifier_optional *verifier;
-+ const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
- rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 15:37:25 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
-
-See upstream release notes for more information:
-
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
-https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
----
- .github/workflows/linux.yml | 2 +-
- modules/tls/tls_cert.c | 99 ++++++++++++++++++++-----------------
- modules/tls/tls_cert.h | 8 +--
- modules/tls/tls_core.c | 16 ++++--
- 4 files changed, 70 insertions(+), 55 deletions(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 1ac41c6b2d6..3700bc4546a 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
- APR_VERSION=1.7.4
- APU_VERSION=1.6.3
- APU_CONFIG="--with-crypto"
-- RUSTLS_VERSION="v0.11.0"
-+ RUSTLS_VERSION="v0.12.2"
- NO_TEST_FRAMEWORK=1
- TEST_INSTALL=1
- TEST_MOD_TLS=1
-diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
-index 17a35fc498d..ffb941cae40 100644
---- a/modules/tls/tls_cert.c
-+++ b/modules/tls/tls_cert.c
-@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
- }
-
- apr_status_t tls_cert_load_root_store(
-- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
-+ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
- {
- const char *fpath;
- tls_data_t pem;
-- rustls_root_cert_store *store = NULL;
-+ rustls_root_cert_store_builder *store_builder = NULL;
-+ const rustls_root_cert_store *store = NULL;
- rustls_result rr = RUSTLS_RESULT_OK;
- apr_pool_t *ptemp = NULL;
- apr_status_t rv;
-@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
- rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
- if (APR_SUCCESS != rv) goto cleanup;
-
-- store = rustls_root_cert_store_new();
-- rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
-+ store_builder = rustls_root_cert_store_builder_new();
-+ rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
-+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+
-+ rr = rustls_root_cert_store_builder_build(store_builder, &store);
- if (RUSTLS_RESULT_OK != rr) goto cleanup;
-
- cleanup:
-+ if (store_builder != NULL) {
-+ rustls_root_cert_store_builder_free(store_builder);
-+ }
- if (RUSTLS_RESULT_OK != rr) {
- const char *err_descr;
- rv = tls_util_rustls_error(p, rr, &err_descr);
-@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
-
- typedef struct {
- const char *id;
-- rustls_root_cert_store *store;
-+ const rustls_root_cert_store *store;
- } tls_cert_root_stores_entry_t;
-
- static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
- apr_status_t tls_cert_root_stores_get(
- tls_cert_root_stores_t *stores,
- const char *store_file,
-- rustls_root_cert_store **pstore)
-+ const rustls_root_cert_store **pstore)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_root_stores_entry_t *entry;
-
- entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
- if (!entry) {
-- rustls_root_cert_store *store;
-+ const rustls_root_cert_store *store;
- rv = tls_cert_load_root_store(stores->pool, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
- entry = apr_pcalloc(stores->pool, sizeof(*entry));
-@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
-
- typedef struct {
- const char *id;
-- const rustls_allow_any_authenticated_client_verifier *client_verifier;
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
-+ rustls_client_cert_verifier *client_verifier;
-+ rustls_client_cert_verifier *client_verifier_opt;
- } tls_cert_verifiers_entry_t;
-
- static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
-@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
- tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
- (void)ctx; (void)key; (void)klen;
- if (entry->client_verifier) {
-- rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
-+ rustls_client_cert_verifier_free(entry->client_verifier);
- entry->client_verifier = NULL;
- }
- if (entry->client_verifier_opt) {
-- rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
-+ rustls_client_cert_verifier_free(entry->client_verifier_opt);
- entry->client_verifier_opt = NULL;
- }
- return 1;
-@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
- return entry;
- }
-
--apr_status_t tls_cert_client_verifiers_get(
-- tls_cert_verifiers_t *verifiers,
-- const char *store_file,
-- const rustls_allow_any_authenticated_client_verifier **pverifier)
-+static apr_status_t tls_cert_client_verifiers_get_internal(
-+ tls_cert_verifiers_t *verifiers,
-+ const char *store_file,
-+ const rustls_client_cert_verifier **pverifier,
-+ bool allow_unauthenticated)
- {
- apr_status_t rv = APR_SUCCESS;
- tls_cert_verifiers_entry_t *entry;
-- struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
-+ rustls_result rr = RUSTLS_RESULT_OK;
-+ struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
-
- entry = verifiers_get_or_make_entry(verifiers, store_file);
- if (!entry->client_verifier) {
-- rustls_root_cert_store *store;
-+ const rustls_root_cert_store *store;
- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
- if (APR_SUCCESS != rv) goto cleanup;
-- verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
-- entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
-+ verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
-+
-+ if (allow_unauthenticated) {
-+ rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
-+ if (rr != RUSTLS_RESULT_OK) {
-+ goto cleanup;
-+ }
-+ }
-+
-+ rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
-+ if (rr != RUSTLS_RESULT_OK) {
-+ goto cleanup;
-+ }
- }
-
- cleanup:
- if (verifier_builder != NULL) {
-- rustls_allow_any_authenticated_client_builder_free(verifier_builder);
-+ rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
-+ }
-+ if (rr != RUSTLS_RESULT_OK) {
-+ rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
- }
- if (APR_SUCCESS == rv) {
- *pverifier = entry->client_verifier;
-@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
- return rv;
- }
-
--apr_status_t tls_cert_client_verifiers_get_optional(
-+
-+apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
-+ const rustls_client_cert_verifier **pverifier)
- {
-- apr_status_t rv = APR_SUCCESS;
-- tls_cert_verifiers_entry_t *entry;
-- struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
--
-- entry = verifiers_get_or_make_entry(verifiers, store_file);
-- if (!entry->client_verifier_opt) {
-- rustls_root_cert_store *store;
-- rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
-- if (APR_SUCCESS != rv) goto cleanup;
-- verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
-- entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
-- }
-+ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
-+}
-
--cleanup:
-- if (verifier_builder != NULL) {
-- rustls_client_cert_verifier_optional_builder_free(verifier_builder);
-- }
-- if (APR_SUCCESS == rv) {
-- *pverifier = entry->client_verifier_opt;
-- }
-- else {
-- *pverifier = NULL;
-- }
-- return rv;
-+apr_status_t tls_cert_client_verifiers_get_optional(
-+ tls_cert_verifiers_t *verifiers,
-+ const char *store_file,
-+ const rustls_client_cert_verifier **pverifier)
-+{
-+ return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
- }
-diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
-index 4ac3865dd86..3326f0eb3e7 100644
---- a/modules/tls/tls_cert.h
-+++ b/modules/tls/tls_cert.h
-@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
- * @param pstore the loaded root store on success
- */
- apr_status_t tls_cert_load_root_store(
-- apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
-+ apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
-
- typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
- struct tls_cert_root_stores_t {
-@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
- apr_status_t tls_cert_root_stores_get(
- tls_cert_root_stores_t *stores,
- const char *store_file,
-- rustls_root_cert_store **pstore);
-+ const rustls_root_cert_store **pstore);
-
- typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
- struct tls_cert_verifiers_t {
-@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
- apr_status_t tls_cert_client_verifiers_get(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_allow_any_authenticated_client_verifier **pverifier);
-+ const rustls_client_cert_verifier **pverifier);
-
- /**
- * Get the optional client certificate verifier for the
-@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
- apr_status_t tls_cert_client_verifiers_get_optional(
- tls_cert_verifiers_t *verifiers,
- const char *store_file,
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
-+ const rustls_client_cert_verifier **pverifier);
-
- #endif /* tls_cert_h */
-diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
-index df29077826d..1cef254f103 100644
---- a/modules/tls/tls_core.c
-+++ b/modules/tls/tls_core.c
-@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
- tls_conf_proxy_t *pc;
- const apr_array_header_t *ciphersuites = NULL;
- apr_array_header_t *tls_versions = NULL;
-+ rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
-+ struct rustls_server_cert_verifier *verifier = NULL;
- rustls_client_config_builder *builder = NULL;
-- rustls_root_cert_store *ca_store = NULL;
-+ const rustls_root_cert_store *ca_store = NULL;
- const char *hostname = NULL, *alpn_note = NULL;
- rustls_result rr = RUSTLS_RESULT_OK;
- apr_status_t rv = APR_SUCCESS;
-@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
- if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
- rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
- if (APR_SUCCESS != rv) goto cleanup;
-- rustls_client_config_builder_use_roots(builder, ca_store);
-+ verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
-+ rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
-+ if (RUSTLS_RESULT_OK != rr) goto cleanup;
-+ rustls_client_config_builder_set_server_verifier(builder, verifier);
- }
-
- #if TLS_MACHINE_CERTS
-@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
- rustls_connection_set_userdata(cc->rustls_connection, c);
-
- cleanup:
-+ if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
- if (builder != NULL) rustls_client_config_builder_free(builder);
- if (RUSTLS_RESULT_OK != rr) {
- const char *err_descr = NULL;
-@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
- if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
- ap_assert(sc->client_ca); /* checked in server_setup */
- if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
-- const rustls_allow_any_authenticated_client_verifier *verifier;
-+ const rustls_client_cert_verifier *verifier;
- rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
- rustls_server_config_builder_set_client_verifier(builder, verifier);
- }
- else {
-- const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
-+ const rustls_client_cert_verifier *verifier;
- rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
- if (APR_SUCCESS != rv) goto cleanup;
-- rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
-+ rustls_server_config_builder_set_client_verifier(builder, verifier);
- }
- }
-
-From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
-From: Daniel McCarney <daniel@binaryparadox.net>
-Date: Sun, 21 Apr 2024 13:49:49 -0400
-Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
-
-The breaking API changes in this release don't affect `mod_tls`, making
-this an in-place update.
-
-See the upstream release notes[0] for more information.
-
-[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
----
- .github/workflows/linux.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
-index 3700bc4546a..54dcd7b0b32 100644
---- a/.github/workflows/linux.yml
-+++ b/.github/workflows/linux.yml
-@@ -241,7 +241,7 @@ jobs:
- APR_VERSION=1.7.4
- APU_VERSION=1.6.3
- APU_CONFIG="--with-crypto"
-- RUSTLS_VERSION="v0.12.2"
-+ RUSTLS_VERSION="v0.13.0"
- NO_TEST_FRAMEWORK=1
- TEST_INSTALL=1
- TEST_MOD_TLS=1
diff --git a/2.4/patches/06-dh-regression.patch b/2.4/patches/06-dh-regression.patch
deleted file mode 100644
index 63cb606..0000000
--- a/2.4/patches/06-dh-regression.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
-From: Ruediger Pluem <rpluem@apache.org>
-Date: Mon, 8 Apr 2024 13:18:28 +0000
-Subject: [PATCH] * Ensure that we set the default DH parameters for the key
-
-Replace else with an if as the if branch no longer ensures that
-custome DH parameters have been loaded.
-This fixes a regression that causes the default DH parameters for a key
-no longer set and thus effectively disabling DH ciphers when no explicit
-DH parameters are set.
-
-PR: 68863
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
----
- changes-entries/pr68863.txt | 3 +++
- modules/ssl/ssl_engine_init.c | 11 ++++++-----
- 2 files changed, 9 insertions(+), 5 deletions(-)
- create mode 100644 changes-entries/pr68863.txt
-
-diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
-new file mode 100644
-index 00000000000..d45ffc708cc
---- /dev/null
-+++ b/changes-entries/pr68863.txt
-@@ -0,0 +1,3 @@
-+ *) mod_ssl: Fix a regression that causes the default DH parameters for a key
-+ no longer set and thus effectively disabling DH ciphers when no explicit
-+ DH parameters are set. PR 68863 [Ruediger Pluem]
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 64e4aaf1dcd..f657026d137 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
- int i;
- EVP_PKEY *pkey;
-+ int custom_dh_done = 0;
- #ifdef HAVE_ECC
- EC_GROUP *ecgroup = NULL;
- int curve_nid = 0;
-@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- */
- certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
- if (certfile && !modssl_is_engine_id(certfile)) {
-- int done = 0, num_bits = 0;
-+ int num_bits = 0;
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- DH *dh = modssl_dh_from_file(certfile);
- if (dh) {
- num_bits = DH_bits(dh);
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
- DH_free(dh);
-- done = 1;
-+ custom_dh_done = 1;
- }
- #else
- pkey = modssl_dh_pkey_from_file(certfile);
-@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- EVP_PKEY_free(pkey);
- }
- else {
-- done = 1;
-+ custom_dh_done = 1;
- }
- }
- #endif
-- if (done) {
-+ if (custom_dh_done) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
- "Custom DH parameters (%d bits) for %s loaded from %s",
- num_bits, vhost_id, certfile);
- }
- }
- #if !MODSSL_USE_OPENSSL_PRE_1_1_API
-- else {
-+ if (!custom_dh_done) {
- /* If no parameter is manually configured, enable auto
- * selection. */
- SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2025-05-25 9:27 Hans de Graaff
From: Hans de Graaff @ 2025-05-25 9:27 UTC (permalink / raw
To: gentoo-commits
commit: 9bffce54dbffbeb9bc67d61d84cfad4e7981b4dc
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat May 24 09:27:30 2025 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun May 25 09:21:15 2025 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=9bffce54
Patch apxs for correct configuration filename
Bug: https://bugs.gentoo.org/112863
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/05_apxs_conf_name.patch | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/2.4/patches/05_apxs_conf_name.patch b/2.4/patches/05_apxs_conf_name.patch
new file mode 100644
index 0000000..60fe3b0
--- /dev/null
+++ b/2.4/patches/05_apxs_conf_name.patch
@@ -0,0 +1,11 @@
+--- a/support/apxs.in 2020-03-20 14:00:44.000000000 +0100
++++ b/support/apxs.in 2025-05-24 11:20:25.632979926 +0200
+@@ -45,7 +45,7 @@
+ my $exec_prefix = get_vars("exec_prefix");
+ my $datadir = get_vars("datadir");
+ my $localstatedir = get_vars("localstatedir");
+-my $CFG_TARGET = get_vars("progname");
++my $CFG_TARGET = "httpd"; # get_vars("progname");
+ my $CFG_SYSCONFDIR = get_vars("sysconfdir");
+ my $CFG_CFLAGS = join ' ', map { get_vars($_) }
+ qw(SHLTCFLAGS CFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS);
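Review bot: Hard-coding `my $CFG_TARGET = "httpd";` replaces the value of `get_vars("progname")` for every use of `$CFG_TARGET` in apxs, not only for the configuration-file name this change is after; if the variable is also consulted for the binary name (not visible in this hunk), the override changes that as well. Introducing a dedicated variable for the config file, e.g. `my $CFG_CONFFILE = "httpd.conf";`, and substituting it only where the `.conf` path is built would leave `$CFG_TARGET` untouched. The trailing `# get_vars("progname");` is commented-out code; a short comment stating why the name is pinned (with the bug reference) would serve a future maintainer better. The apxs.in code that consumes `$CFG_TARGET` lies outside the hunk.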
* [gentoo-commits] proj/apache:master commit in: 2.4/patches/
@ 2025-07-11 6:47 Hans de Graaff
From: Hans de Graaff @ 2025-07-11 6:47 UTC (permalink / raw
To: gentoo-commits
commit: d025c67c8e7800b48c0bd6af05677d14e0968887
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 7 08:13:00 2025 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat Jun 7 08:13:00 2025 +0000
URL: https://gitweb.gentoo.org/proj/apache.git/commit/?id=d025c67c
Fix apxs patch to properly report target and conf file
The previous patch overwrote the TARGET since this determines the name
of the configuration file, but TARGET is also used to determine the
binary name. This causes dev-lang/php's configure script to fail.
Create a separate variable for the configuration name instead and use
it with a hard-coded name.
Bug: https://bugs.gentoo.org/957142
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
2.4/patches/05_apxs_conf_name.patch | 54 ++++++++++++++++++++++++++++++++-----
1 file changed, 48 insertions(+), 6 deletions(-)
diff --git a/2.4/patches/05_apxs_conf_name.patch b/2.4/patches/05_apxs_conf_name.patch
index 60fe3b0..24096e4 100644
--- a/2.4/patches/05_apxs_conf_name.patch
+++ b/2.4/patches/05_apxs_conf_name.patch
@@ -1,11 +1,53 @@
--- a/support/apxs.in 2020-03-20 14:00:44.000000000 +0100
-+++ b/support/apxs.in 2025-05-24 11:20:25.632979926 +0200
-@@ -45,7 +45,7 @@
- my $exec_prefix = get_vars("exec_prefix");
- my $datadir = get_vars("datadir");
++++ b/support/apxs.in 2025-06-07 10:06:41.194351543 +0200
+@@ -47,6 +47,7 @@
my $localstatedir = get_vars("localstatedir");
--my $CFG_TARGET = get_vars("progname");
-+my $CFG_TARGET = "httpd"; # get_vars("progname");
+ my $CFG_TARGET = get_vars("progname");
my $CFG_SYSCONFDIR = get_vars("sysconfdir");
++my $CFG_CONFFILE = "httpd.conf";
my $CFG_CFLAGS = join ' ', map { get_vars($_) }
qw(SHLTCFLAGS CFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS);
+ my $CFG_LDFLAGS = join ' ', map { get_vars($_) }
+@@ -560,17 +561,17 @@
+
+ # activate module via LoadModule/AddModule directive
+ if ($opt_a or $opt_A) {
+- if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") {
+- error("Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found");
++ if (not -f "$CFG_SYSCONFDIR/$CFG_CONFFILE") {
++ error("Config file $CFG_SYSCONFDIR/$CFG_CONFFILE not found");
+ exit(1);
+ }
+
+- open(FP, "<$CFG_SYSCONFDIR/$CFG_TARGET.conf") || die;
++ open(FP, "<$CFG_SYSCONFDIR/$CFG_CONFFILE") || die;
+ my $content = join('', <FP>);
+ close(FP);
+
+ if ($content !~ m|\n#?\s*LoadModule\s+|) {
+- error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_TARGET.conf file.");
++ error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_CONFFILE file.");
+ error("At least one `LoadModule' directive already has to exist.");
+ exit(1);
+ }
+@@ -649,15 +650,15 @@
+ $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s;
+ }
+ $lmd =~ m|LoadModule\s+(.+?)_module.*|;
+- notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]");
++ notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_CONFFILE]");
+ }
+ if (@lmd) {
+- if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) {
++ if (open(FP, ">$CFG_SYSCONFDIR/$CFG_CONFFILE.new")) {
+ print FP $content;
+ close(FP);
+- system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .
+- "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
+- "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");
++ system("cp $CFG_SYSCONFDIR/$CFG_CONFFILE $CFG_SYSCONFDIR/$CFG_CONFFILE.bak && " .
++ "cp $CFG_SYSCONFDIR/$CFG_CONFFILE.new $CFG_SYSCONFDIR/$CFG_CONFFILE && " .
++ "rm $CFG_SYSCONFDIR/$CFG_CONFFILE.new");
+ } else {
+ notice("unable to open configuration file");
+ }
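Review bot: The renamed `system("cp … && cp … && rm …")` near the end of the hunk still passes `$CFG_SYSCONFDIR` and the new `$CFG_CONFFILE` to `/bin/sh` unquoted and never checks the exit status, so a sysconfdir containing whitespace or shell metacharacters breaks or alters the command, and a failed copy leaves the `.new` file behind while the earlier `notice()` already reported success. Both values are fixed at build time, so the exposure is small, but the backup-and-swap can be done without a shell using Perl's built-in `rename`, preserving the live file's mode and reporting failure, as sketched below. The new `my $CFG_CONFFILE = "httpd.conf";` in the first inner hunk also deserves a why-comment, e.g. `# Gentoo: config file name is fixed; TARGET keeps the progname (bug 957142)`. The enclosing `if (@lmd)` block and its subroutine continue past the end of the hunk.
```perl
if (open(FP, ">$CFG_SYSCONFDIR/$CFG_CONFFILE.new")) {
    print FP $content;
    close(FP);
    my $conf = "$CFG_SYSCONFDIR/$CFG_CONFFILE";
    my $mode = (stat($conf))[2] & 07777;   # keep the live file's permissions on the new copy
    if (!rename($conf, "$conf.bak") || !chmod($mode, "$conf.new") || !rename("$conf.new", $conf)) {
        error("unable to install $conf: $!");
        exit(1);
    }
# … unchanged: else branch reporting the open failure …
```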