
apache 2.4

Hanno Böck authored on 07/02/2013 10:40:08
Showing 4 changed files
... ...
@@ -1,12 +1,17 @@
1 1
 AUX 2.2.22-envvars-std.in 1071 SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee SHA512 c18fd461f02ab79fc456a1ad99bf91c8891ecdabd90f41437ebf87e20b3d28d2006a10d6726164c2f0333e7aee350bd125838abaff3a188d8ab2f5f34d3e5466 WHIRLPOOL 59cbee68fc8012df01229b8d5e38045eb974bab3f08ebf5b01097dabb5275bb83e28cd09a058ce71949ca4a2439811cff457d4c7df88d7b3fc5318c6b7ef0075
2 2
 AUX apache-2.2.14-staticdhparameters.diff 11745 SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df SHA512 5c7fa11b29efd430ddc7144ed8d656c82d9609c9da720cd5d217626505b2257c074bea1ef0f4f2c50b123be58d82fbefac3240b71c3b8c3b9b087c30b090bcf9 WHIRLPOOL ced66883bd7fc4ec868a5d6091cdc765424541c183e53283749d73d4f4b53d0c9221950df816625de9bd115f610931e91b1fac819530294fcb12a0a39b7f6f2c
3 3
 AUX apache-2.2.23-tls-compression-option.diff 4211 SHA256 6ccc0003f486734e660292ac2640d99af830443c09a2d5c9d6aaf371b636d9bd SHA512 915044023b10afca9a67ca90fa4d1175d4d3ef7274308df74c78b0972fd7ec54e3fdb3f4b03ecbfc543b64153b232a140cc8e095b2f74abfcfa0cb86e21fb612 WHIRLPOOL 028be436ac78adcb631b109a23ab7f4b5c2349a95202f8ed33a111b9b2048675892b160ac737875ebe7a73937f8868d665d016a61bdbaec301eacbbad0d1cc05
4
+AUX apache-2.4.3-dhparam.diff 12684 SHA256 5185da7eecf04f26cc496a25fabe420db065e59dd088eca51b8c08f0238d12ad SHA512 c49e4c6e607cf5bf11e59c929791d806b15ff30d11e8473e633f2ef406e5d926a2ced1910672e5263f8ea45de6f30eb37048065c1d9fbd11fb7c52603e93bd4b WHIRLPOOL 41e2ac7c8c0734e3132639db7222e488b8ffd18a6c2f2e76b401fdc0b71fc528f3d80eb3d95710084b9fa88e29ce916df215c79b47d80c3ae25188f4cea79e9c
4 5
 AUX apache-noip.diff 417 SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc SHA512 fa684688e707f5fb511b228b8fa9b0f996dbf615f2f9b6478ab478e801f14c65a7381137cdbda648d68f7818891085c744da3a8249843e73bdf5ef247a90d3fe WHIRLPOOL d2636a34b0d48139adef125e76ef477d84bf7cd9785f094fe57c1d81b45e7392622d232bee5f53896d8b48eb9b3241cd48cbb585ea70d97a872c5cd3f6bfe420
6
+AUX apache-npn 9799 SHA256 6e41b59680832b074246dd24a41aec56f9bb35ab4f34674cd20e32f1289c21ab SHA512 60d9c6f750562f087b607edf7939195f31b7e0101b9c8d1c883e3b01da192d354fc291d45832757ab50c029f99ac4ad06fa9b7ce4e5928367d1f89278fa79fa3 WHIRLPOOL 162dba8354efeccbb100a86cb61e47c0a96be11a057cfffccc194abd31721b99f4ef3e5fc9b4a7e82a7495d1369af1be3f7b3d4339ec33af24858a0049474331
5 7
 AUX httpd-2.2.16-ecc.diff 8236 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461 SHA512 8b54c30f9edc76bd8969ee894038f267d722d1ab8c7332a84fe21704bde0451e1a27503252fa87bd0f749dac3281eb266cda36aa7faec1a36ee6e67a8f9ae6c7 WHIRLPOOL 2d8ad3cd12b27937dcafef31df8c9fa048fb4e1ed06109e745fbe12dc869ceaa21fa2e62aa9bcb729d7fb426c1ee0a82171b5038cac56f8b8ebbc3cd3569daa9
6 8
 DIST gentoo-apache-2.2.22-20120213.tar.bz2 64507 SHA256 737730dabf1e1ccfe9d409067dc3c4d37d16f7fa1e792f5bf39268d904ce1c31 SHA512 f364bdbee967b3bc797d2053b9eb347af963f99275441093930d0057465e1a12567106f5c5ac21a45a4bbd4b353ce67553038d6146f469a7bf980a9148471170 WHIRLPOOL f5a3ab44fc14ddf67ccf0785006b1d9f5c49b915114f9d7e97858fba447a5ee872c741e73c17e121b61cc0aa678b42dc154616cd64054461c552d3a8c29f4f17
7 9
 DIST gentoo-apache-2.2.23-20121012.tar.bz2 64135 SHA256 711a88f26c58b10b082f7ff411366cd768f9450101da050438a2f77abeab7333 SHA512 92a49f954b82d4427862f41977625a60641731cc25ab3efdd666be8db839038e7b1c2ef2f878d5efed243eaa63237e88ee4993cd25cca1dfbb0f56a6b2093d57 WHIRLPOOL 221d9c0cf999430afc11a8e48ae67019c7f31daca827a5db7615aca24859788743e5da00e4c99b7b7b375e58fafd6c148339e5671be939dbc30735031e12c49f
10
+DIST gentoo-apache-2.4.3-20121012.tar.bz2 24541 SHA256 aeed23c716f05d7430a6d905fb75c192418c9ba90feb96fcc474138c4addfd69 SHA512 fe37c91328bf090aacd4012030845b2e4461a116b9b60d95108c4a4749729bef5ac526d4bd3570406f3d7afe41b0f634c2e9a167ee416a56f5f82f46eb27cc26 WHIRLPOOL 421efb4a7940b52cbc2e054c5ef2f79ff19c13a3140941ec659da3ff61a70491485c1c375db29b1fa6c4dc45761df1f0fc63bd3d867c8937d33f5b6c948bade0
8 11
 DIST httpd-2.2.22.tar.bz2 5378934 SHA256 dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231 SHA512 b6901453aaef3cac31cf763f7748e06a2492e1f72e4158627f38e45423a9bcd9bea1f74ba1a1ec9a5c7fc554eb062ea61b944e2001f19825def2e530ce8a42bc WHIRLPOOL 32a03d638f82d791effdce888a02e66189d6fe87c2179ab9f3de034fbf5c8311d24835f28e9a18addb847aa6859ed817bf2e11833e315285474eefcea6f56891
9 12
 DIST httpd-2.2.23.tar.bz2 5485205 SHA256 14fe79bd6edd957c02cb41f4175e132c08e6ff74a7d08dc1858dd8224e351c34 SHA512 69b3bc942b2a91cdb57356a5c57078794db2d8404a23080a2621cdf33ae2d9bdbbacd0f6e95fd6e71fbfa87e94942be0a014c3e8709148f991e391d03aa6dee2 WHIRLPOOL 8d00184aff654b2d7f1c5ebd471f19ffcb57107ea37179fa05c424424d7b70ff0c9abf3be68ed9f0d091b3c057f1ba24cb989937e35087c3199f82e3dddbbd4f
13
+DIST httpd-2.4.3.tar.bz2 4559279 SHA256 d82102b9c111f1892fb20a2bccf4370de579c6521b2f172ed0b36f2759fb249e SHA512 d4501ae69aacb75d960bc8cb61c9e1ff52e6e42a37c37ca84c839262e183ca2f305794da28266aa2119d211ba0f4531705f66330079ab594c05e92ae8196d1ab WHIRLPOOL 4ffb7dc8057200f676557a70591d6938e92a8990d88dc88237d278f185290d260312dd8cfdd08994ffd7b7280502b3debea0f3e02acc718dd9db613222b6d2ae
10 14
 EBUILD apache-2.2.22-r1.ebuild 3206 SHA256 4c72b2164c32c34e85c6a8e99c68464e5505eeb79bf94eed7ad1d62ba2045c0e SHA512 bafab5ef6f8d8675614473c01ae71655b1cd94b75658353e8351df1cb8b9667b2164d501f98b4492810a2ec2d3415db6c5df416bc51aed4fc4ec6fc4a155288b WHIRLPOOL d6f4c9b06b3cfcad613084bb7902c7ba942848a8233b50ff48474e7407c3e1d4523f44a0ca9f0790510122719609ec767afbaf3fdd60b6dd7918fe409e9b08a2
11 15
 EBUILD apache-2.2.22.ebuild 3001 SHA256 cf930cea2f7e8a8bd2f7cabe7de9ecf56efb33d10bd3fe2d70acaa6e86cebb0c SHA512 1de2c503698334b00c3b44cad9680d8699e7ad21c80a746af4154d03433da4bcc072cf572d2ce9dbf478f6c97423ee2650521d877f2c62a27ec0189d5c66c045 WHIRLPOOL aadae0ae48a37cdd5ed3995c92fa5bf925fd2c12792cdcce08305191c09703a80bd7bc264c61165e8c26687bde97ad543722d04e090620cd7fe473c76688e233
12 16
 EBUILD apache-2.2.23.ebuild 3181 SHA256 b6502801683bcd8708e247fd11e8d7a639a7412f77d3a631827705f20e43c878 SHA512 860dce68ab969c4bacdedc3fec4d48937d7a331921e86fe02d6b1481a59cd8997d336b9c9bbc6cf9a69dd3719acc411abae1809e7770b42d31adb1cefd5dc560 WHIRLPOOL e2e128e74236c6a306d511cdc8d1e9799e9818fc842a1884eb48a8ef8683669ba321ca228ec780015e1c88044cff2904652c4a1c93a2f3af84e3552c8e7d3363
17
+EBUILD apache-2.4.3.ebuild 7203 SHA256 082ee4bc36fe78621a32ad8ae3f3117943b5572e1456618d1b547cf344c4d687 SHA512 56786dc2e5f835e1894760ad85bfba6ffd531b50e7e9f782240ac2deb7464a2aa222cd04495ab7bd81f0e30c91972f417857c9fd4ee53587ebc91ba6a542c41e WHIRLPOOL 4e8e22861a21d8defd9c8eb57fc5548ba38a911db640fc63b6a15fdcfcf86c8fbf50b09f78321ea784bf81340718242d5a7fa6c6ed1c4e0c31a4e79affc64d24
13 18
new file mode 100644
... ...
@@ -0,0 +1,214 @@
1
+# Copyright 1999-2012 Gentoo Foundation
2
+# Distributed under the terms of the GNU General Public License v2
3
+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.4.3.ebuild,v 1.2 2012/10/13 03:13:09 mr_bones_ Exp $
4
+
5
+EAPI="2"
6
+
7
+# latest gentoo apache files
8
+GENTOO_PATCHSTAMP="20121012"
9
+GENTOO_DEVELOPER="patrick"
10
+#GENTOO_PATCHNAME="gentoo-apache-2.4.1"
11
+
12
+# IUSE/USE_EXPAND magic
13
+IUSE_MPMS_FORK="itk peruser prefork"
14
+IUSE_MPMS_THREAD="event worker"
15
+
16
+# << obsolete modules:
17
+# authn_default authz_default mem_cache
18
+# mem_cache is replaced by cache_disk
19
+# ?? buggy modules
20
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
21
+# >> added modules for reason:
22
+# compat: compatibility with 2.2 access control
23
+# authz_host: new module for access control
24
+# authn_core: functionality provided by authn_alias in previous versions
25
+# authz_core: new module, provides core authorization capabilities
26
+# cache_disk: replacement for mem_cache
27
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
28
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
29
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
30
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
31
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
32
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
33
+# unixd: fixes startup error: Invalid command 'User'
34
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest authn_alias authn_anon
35
+authn_core authn_dbd authn_dbm authn_file authz_core authz_dbm
36
+authz_groupfile authz_host authz_owner authz_user autoindex cache cache_disk cern_meta
37
+charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir dumpio
38
+env expires ext_filter file_cache filter headers ident imagemap include info
39
+lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat
40
+log_config log_forensic logio mime mime_magic negotiation proxy
41
+proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite
42
+reqtimeout setenvif slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
43
+unixd version vhost_alias"
44
+# The following are also in the source as of this version, but are not available
45
+# for user selection:
46
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
47
+# optional_fn_import optional_hook_export optional_hook_import
48
+
49
+# inter-module dependencies
50
+# TODO: this may still be incomplete
51
+MODULE_DEPENDS="
52
+	dav_fs:dav
53
+	dav_lock:dav
54
+	deflate:filter
55
+	cache_disk:cache
56
+	ext_filter:filter
57
+	file_cache:cache
58
+	lbmethod_byrequests:proxy_balancer
59
+	lbmethod_byrequests:slotmem_shm
60
+	lbmethod_bytraffic:proxy_balancer
61
+	lbmethod_bybusyness:proxy_balancer
62
+	lbmethod_heartbeat:proxy_balancer
63
+	log_forensic:log_config
64
+	logio:log_config
65
+	cache_disk:cache
66
+	mime_magic:mime
67
+	proxy_ajp:proxy
68
+	proxy_balancer:proxy
69
+	proxy_connect:proxy
70
+	proxy_ftp:proxy
71
+	proxy_http:proxy
72
+	proxy_scgi:proxy
73
+	substitute:filter
74
+"
75
+
76
+# module<->define mappings
77
+MODULE_DEFINES="
78
+	auth_digest:AUTH_DIGEST
79
+	authnz_ldap:AUTHNZ_LDAP
80
+	cache:CACHE
81
+	cache_disk:CACHE
82
+	dav:DAV
83
+	dav_fs:DAV
84
+	dav_lock:DAV
85
+	file_cache:CACHE
86
+	info:INFO
87
+	ldap:LDAP
88
+	proxy:PROXY
89
+	proxy_ajp:PROXY
90
+	proxy_balancer:PROXY
91
+	proxy_connect:PROXY
92
+	proxy_ftp:PROXY
93
+	proxy_http:PROXY
94
+	socache_shmcb:SSL
95
+	ssl:SSL
96
+	status:STATUS
97
+	suexec:SUEXEC
98
+	userdir:USERDIR
99
+"
100
+
101
+# critical modules for the default config
102
+MODULE_CRITICAL="
103
+	authn_core
104
+	authz_core
105
+	authz_host
106
+	dir
107
+	mime
108
+	unixd
109
+"
110
+# dependend criticals
111
+use ssl && MODULE_CRITICAL+=" socache_shmcb"
112
+use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
113
+
114
+inherit eutils apache-2
115
+
116
+DESCRIPTION="The Apache Web Server."
117
+HOMEPAGE="http://httpd.apache.org/"
118
+
119
+# some helper scripts are Apache-1.1, thus both are here
120
+LICENSE="Apache-2.0 Apache-1.1"
121
+SLOT="2"
122
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
123
+IUSE=""
124
+
125
+DEPEND="${DEPEND}
126
+	>=dev-libs/openssl-0.9.8m
127
+	apache2_modules_deflate? ( sys-libs/zlib )"
128
+
129
+# dependency on >=dev-libs/apr-1.4.5 for bug #368651
130
+RDEPEND="${RDEPEND}
131
+	>=dev-libs/apr-1.4.5
132
+	>=dev-libs/openssl-0.9.8m
133
+	apache2_modules_mime? ( app-misc/mime-types )"
134
+
135
+# init script fixup - should be rolled into next tarball #389965
136
+src_prepare() {
137
+	epatch "${FILESDIR}"/apache-npn
138
+	epatch "${FILESDIR}"/apache-2.4.3-dhparam.diff
139
+	# the following patch can be removed once it is included in
140
+	# GENTOO_PATCHNAME="gentoo-apache-2.4.1" ...
141
+	if [ -f "${FILESDIR}/${GENTOO_PATCHNAME}-${GENTOO_DEVELOPER}-${GENTOO_PATCHSTAMP}-${PVR}.patch" ]; then
142
+		cd "${GENTOO_PATCHDIR}" || die "Failed to cd to ${GENTOO_PATCHDIR}"
143
+		epatch "${FILESDIR}/${GENTOO_PATCHNAME}-${GENTOO_DEVELOPER}-${GENTOO_PATCHSTAMP}-${PVR}.patch" \
144
+			|| die "epatch failed"
145
+		cd "${S}" || die "Failed to cd to ${S}"
146
+	fi
147
+	apache-2_src_prepare
148
+	sed -i -e 's/! test -f/test -f/' "${GENTOO_PATCHDIR}"/init/apache2.initd || die "Failed to fix init script"
149
+}
150
+
151
+src_install() {
152
+	apache-2_src_install
153
+	for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
154
+		rm "${D}"/$i || die "Failed to prune apache-tools bits"
155
+	done
156
+	for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
157
+		rm "${D}"/$i || die "Failed to prune apache-tools bits"
158
+	done
159
+	for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
160
+		rm "${D}"/$i || die "Failed to prune apache-tools bits"
161
+	done
162
+	for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
163
+		rm "${D}/"$i || die "Failed to prune apache-tools bits"
164
+	done
165
+
166
+	# well, actually installing things makes them more installed, I guess?
167
+	cp "${S}"/support/apxs "${D}"/usr/sbin/apxs || die "Failed to install apxs"
168
+	chmod 0755 "${D}"/usr/sbin/apxs
169
+
170
+	# create dir defined in 40_mod_ssl.conf
171
+	if use ssl; then
172
+		dodir /var/run/apache_ssl_mutex || die "Failed to mkdir ssl_mutex"
173
+	fi
174
+}
175
+
176
+pkg_postinst()
177
+{
178
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
179
+	# warnings that default config might not work out of the box
180
+	for mod in $MODULE_CRITICAL; do
181
+		if ! use "apache2_modules_${mod}"; then
182
+			echo
183
+			ewarn "Warning: Critical module not installed!"
184
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
185
+			ewarn "are highly recomended but might not be in the base profile yet."
186
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
187
+			ewarn "Enabling the following flags is highly recommended:"
188
+			for cmod in $MODULE_CRITICAL; do
189
+				use "apache2_modules_${cmod}" || \
190
+					ewarn "+ apache2_modules_${cmod}"
191
+			done
192
+			echo
193
+			break
194
+		fi
195
+	done
196
+	# warning for proxy_balancer and missing load balancing scheduler
197
+	if use apache2_modules_proxy_balancer; then
198
+		local lbset=
199
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
200
+			if use "apache2_modules_${mod}"; then
201
+				lbset=1 && break
202
+			fi
203
+		done
204
+		if [ ! $lbset ]; then
205
+			echo
206
+			ewarn "Info: Missing load balancing scheduler algorithm module"
207
+			ewarn "(They were split off from proxy_balancer in 2.3)"
208
+			ewarn "In order to get the ability of load balancing, at least"
209
+			ewarn "one of these modules has to be present:"
210
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
211
+			echo
212
+		fi
213
+	fi
214
+}
0 215
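Review bot: The lines `use ssl && MODULE_CRITICAL+=" socache_shmcb"` and `use doc && MODULE_CRITICAL+=" alias negotiation setenvif"` (ebuild lines 111–112) call `use` in global scope, which ebuilds must not do because USE flags are not reliably available when the file is sourced for metadata. The conditional additions should be made inside a phase function instead, for example at the top of `pkg_postinst` with `local critical="${MODULE_CRITICAL}"; use ssl && critical+=" socache_shmcb"`; that is the only reader visible in this file, though the inherited eclass may read the variable too. Separately, `GENTOO_PATCHNAME` exists only as a comment, so the `${GENTOO_PATCHNAME}-…` path tested in `src_prepare` depends on whatever the eclass defaults it to, which is not visible here. `chmod 0755 "${D}"/usr/sbin/apxs` is the one install step without `|| die`, and `cache_disk:cache` is listed twice in `MODULE_DEPENDS`.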
new file mode 100644
... ...
@@ -0,0 +1,331 @@
1
+diff -Naur httpd-2.4.3/modules/ssl/mod_ssl.c httpd-2.4.3-dh/modules/ssl/mod_ssl.c
2
+--- httpd-2.4.3/modules/ssl/mod_ssl.c	2012-08-05 15:48:40.000000000 +0200
3
+@@ -88,6 +88,9 @@
4
+     SSL_CMD_SRV(CertificateKeyFile, TAKE1,
5
+                 "SSL Server Private Key file "
6
+                 "('/path/to/file' - PEM or DER encoded)")
7
++    SSL_CMD_SRV(DHParametersFile, TAKE1,
8
++                "SSL Server Diffie-Hellman parameters file "
9
++                "(`/path/to/file' - PEM or DER encoded)")
10
+     SSL_CMD_SRV(CertificateChainFile, TAKE1,
11
+                 "SSL Server CA Certificate Chain file "
12
+                 "('/path/to/file' - PEM encoded)")
13
+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_config.c httpd-2.4.3-dh/modules/ssl/ssl_engine_config.c
14
+--- httpd-2.4.3/modules/ssl/ssl_engine_config.c	2012-08-05 15:48:40.000000000 +0200
15
+@@ -67,6 +67,7 @@
16
+     mc->tVHostKeys             = apr_hash_make(pool);
17
+     mc->tPrivateKey            = apr_hash_make(pool);
18
+     mc->tPublicCert            = apr_hash_make(pool);
19
++    mc->tDHParams              = apr_hash_make(pool);
20
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
21
+     mc->szCryptoDevice         = NULL;
22
+ #endif
23
+@@ -182,6 +183,9 @@
24
+ 
25
+     /* mctx->pks->... certs/keys are set during module init */
26
+ 
27
++    mctx->pks->dhparams_file = NULL;
28
++    mctx->pks->dhparams     = NULL;
29
++
30
+ #ifdef HAVE_TLS_SESSION_TICKETS
31
+     mctx->ticket_key = apr_pcalloc(p, sizeof(*mctx->ticket_key));
32
+ #endif
33
+@@ -302,6 +306,7 @@
34
+ 
35
+     cfgMergeString(pks->ca_name_path);
36
+     cfgMergeString(pks->ca_name_file);
37
++    cfgMergeString(pks->dhparams_file);
38
+ 
39
+ #ifdef HAVE_TLS_SESSION_TICKETS
40
+     cfgMergeString(ticket_key->file_path);
41
+@@ -783,6 +788,22 @@
42
+ 
43
+     return NULL;
44
+ }
45
++
46
++const char *ssl_cmd_SSLDHParametersFile(cmd_parms *cmd,
47
++                                        void *dcfg,
48
++					const char *arg)
49
++{
50
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
51
++    const char *err;
52
++
53
++    if ((err = ssl_cmd_check_file(cmd, &arg))) {
54
++        return err;
55
++    }
56
++
57
++    sc->server->pks->dhparams_file = arg;
58
++
59
++    return NULL;
60
++}
61
+ 
62
+ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
63
+                                           void *dcfg,
64
+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_init.c httpd-2.4.3-dh/modules/ssl/ssl_engine_init.c
65
+--- httpd-2.4.3/modules/ssl/ssl_engine_init.c	2012-08-05 15:48:40.000000000 +0200
66
+@@ -962,6 +962,42 @@
67
+     }
68
+ }
69
+ 
70
++static int ssl_server_import_dhparams(server_rec *s,
71
++                                      modssl_ctx_t *mctx,
72
++                                      const char *id)
73
++{
74
++    SSLModConfigRec *mc = myModConfig(s);
75
++    ssl_asn1_t *asn1;
76
++    MODSSL_D2I_DHparams_CONST unsigned char *ptr;
77
++    DH *dhparams = NULL;
78
++
79
++    if (!(asn1 = ssl_asn1_table_get(mc->tDHParams, id))) {
80
++        return FALSE;
81
++    }
82
++
83
++    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
84
++                 "Configuring server Diffie-Hellman parameters");
85
++
86
++    ptr = asn1->cpData;
87
++    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {
88
++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
89
++                "Unable to import server Diffie-Hellman parameters");
90
++        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
91
++        ssl_die(s);
92
++    }
93
++
94
++    if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams) <= 0) {
95
++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
96
++                "Unable to configure server Diffie-Hellman parameters");
97
++        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
98
++        ssl_die(s);
99
++    }
100
++
101
++    mctx->pks->dhparams = dhparams;
102
++
103
++    return TRUE;
104
++}
105
++
106
+ static int ssl_server_import_cert(server_rec *s,
107
+                                   modssl_ctx_t *mctx,
108
+                                   const char *id,
109
+@@ -1169,7 +1205,7 @@
110
+                                   apr_pool_t *ptemp,
111
+                                   modssl_ctx_t *mctx)
112
+ {
113
+-    const char *rsa_id, *dsa_id;
114
++    const char *rsa_id, *dsa_id, *dh_id;
115
+ #ifndef OPENSSL_NO_EC
116
+     const char *ecc_id;
117
+ #endif
118
+@@ -1182,12 +1218,14 @@
119
+ 
120
+     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
121
+     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
122
++    dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);
123
+ #ifndef OPENSSL_NO_EC
124
+     ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
125
+ #endif
126
+ 
127
+     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
128
+     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
129
++    (void)ssl_server_import_dhparams(s, mctx, dh_id);
130
+ #ifndef OPENSSL_NO_EC
131
+     have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
132
+ #endif
133
+@@ -1723,6 +1761,7 @@
134
+         MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
135
+                              mctx->pks->keys[i]);
136
+     }
137
++    MODSSL_CFG_ITEM_FREE(DH_free, mctx->pks->dhparams);
138
+ }
139
+ 
140
+ apr_status_t ssl_init_ModuleKill(void *data)
141
+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_pphrase.c httpd-2.4.3-dh/modules/ssl/ssl_engine_pphrase.c
142
+--- httpd-2.4.3/modules/ssl/ssl_engine_pphrase.c	2012-08-04 23:22:38.000000000 +0200
143
+@@ -147,6 +147,7 @@
144
+     unsigned char *ucp;
145
+     long int length;
146
+     X509 *pX509Cert;
147
++    DH *pDHParams;
148
+     BOOL bReadable;
149
+     apr_array_header_t *aPassPhrase;
150
+     int nPassPhrase;
151
+@@ -162,6 +163,7 @@
152
+     char *an;
153
+     apr_time_t pkey_mtime = 0;
154
+     apr_status_t rv;
155
++    const char *dhid;
156
+     /*
157
+      * Start with a fresh pass phrase array
158
+      */
159
+@@ -225,14 +227,14 @@
160
+                     ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
161
+                                  "Init: Can't open server certificate file %s",
162
+                                  szPath);
163
+-                    ssl_die(s);
164
++                    ssl_die(pServ);
165
+                 }
166
+                 if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
167
+                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
168
+                                  "Init: Unable to read server certificate from"
169
+                                  " file %s", szPath);
170
+                     ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
171
+-                    ssl_die(s);
172
++                    ssl_die(pServ);
173
+                 }
174
+                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
175
+                              "Init: Read server certificate from '%s'",
176
+@@ -550,6 +552,43 @@
177
+              */
178
+             EVP_PKEY_free(pPrivateKey);
179
+         }
180
++	/*
181
++         * Read in Diffie-Hellman parameters file if such a file is
182
++         * specified.
183
++         */
184
++        if (sc->server->pks->dhparams_file) {
185
++            apr_cpystrn(szPath, sc->server->pks->dhparams_file, sizeof(szPath));
186
++            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
187
++                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
188
++                             "Init: Can't open server Diffie-Hellman parameters file %s",
189
++                             szPath);
190
++                ssl_die(s);
191
++            }
192
++            if ((pDHParams = SSL_read_DHparams(szPath, NULL, NULL)) == NULL) {
193
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
194
++                        "Init: Unable to read server Diffie-Hellman parameters from file %s", szPath);
195
++                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
196
++                ssl_die(s);
197
++            }
198
++
199
++	    /*
200
++             * Insert the DH params into global module configuration
201
++             * to let it survive the processing between the 1st Apache
202
++             * API init round (where we operate here) and the 2nd
203
++             * Apache init round (where it will be actually used to
204
++             * configure mod_ssl's per-server configuration
205
++             * structures).
206
++             */
207
++            dhid = asn1_table_vhost_key(mc, p, cpVHostID, "DH");
208
++            length = i2d_DHparams(pDHParams, NULL);
209
++            ucp = ssl_asn1_table_set(mc->tDHParams, dhid, length);
210
++            (void)i2d_DHparams(pDHParams, &ucp); /* 2nd arg increments */
211
++
212
++            /*
213
++             * Free the DH structure
214
++             */
215
++            DH_free(pDHParams);
216
++        }
217
+     }
218
+ 
219
+     /*
220
+diff -Naur httpd-2.4.3/modules/ssl/ssl_private.h httpd-2.4.3-dh/modules/ssl/ssl_private.h
221
+--- httpd-2.4.3/modules/ssl/ssl_private.h	2012-08-05 15:48:40.000000000 +0200
222
+@@ -121,10 +121,12 @@
223
+ #define MODSSL_D2I_ASN1_type_bytes_CONST const
224
+ #define MODSSL_D2I_PrivateKey_CONST const
225
+ #define MODSSL_D2I_X509_CONST const
226
++#define MODSSL_D2I_DHparams_CONST const
227
+ #else
228
+ #define MODSSL_D2I_ASN1_type_bytes_CONST
229
+ #define MODSSL_D2I_PrivateKey_CONST
230
+ #define MODSSL_D2I_X509_CONST
231
++#define MODSSL_D2I_DHparams_CONST
232
+ #endif
233
+ 
234
+ #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
235
+@@ -535,6 +537,7 @@
236
+      * example the string "vhost.example.com:443:RSA". */
237
+     apr_hash_t     *tPublicCert;
238
+     apr_hash_t     *tPrivateKey;
239
++    apr_hash_t     *tDHParams;
240
+ 
241
+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
242
+     const char     *szCryptoDevice;
243
+@@ -561,11 +564,13 @@
244
+      * unordered lists. */
245
+     const char  *cert_files[SSL_AIDX_MAX];
246
+     const char  *key_files[SSL_AIDX_MAX];
247
++    const char  *dhparams_file;
248
+     /* Loaded certs and keys; these arrays ARE indexed by the
249
+      * algorithm type, i.e.  keys[SSL_AIDX_RSA] maps to the RSA
250
+      * private key. */
251
+     X509        *certs[SSL_AIDX_MAX];
252
+     EVP_PKEY    *keys[SSL_AIDX_MAX];
253
++    DH          *dhparams;
254
+ 
255
+     /** Certificates which specify the set of CA names which should be
256
+      * sent in the CertificateRequest message: */
257
+@@ -723,6 +728,7 @@
258
+ const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
259
+ const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
260
+ const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
261
++const char  *ssl_cmd_SSLDHParametersFile(cmd_parms *, void *, const char *);
262
+ const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
263
+ const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
264
+ const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
265
+diff -Naur httpd-2.4.3/modules/ssl/ssl_util_ssl.c httpd-2.4.3-dh/modules/ssl/ssl_util_ssl.c
266
+--- httpd-2.4.3/modules/ssl/ssl_util_ssl.c	2012-02-28 13:07:31.000000000 +0100
267
+@@ -156,6 +156,47 @@
268
+     return rc;
269
+ }
270
+ 
271
++DH *SSL_read_DHparams(char* filename, DH **DHparams, void *cb)
272
++{
273
++    DH  *rc;
274
++    BIO *bioS;
275
++    BIO *bioF;
276
++
277
++    /* 1. try PEM (= DER+Base64+headers) */
278
++    if ((bioS=BIO_new_file(filename, "r")) == NULL)
279
++        return NULL;
280
++    rc = PEM_read_bio_DHparams(bioS, DHparams, cb, NULL);
281
++    BIO_free(bioS);
282
++
283
++    if (rc == NULL) {
284
++        /* 2. try DER+Base64 */
285
++        if ((bioS=BIO_new_file(filename, "r")) == NULL)
286
++            return NULL;
287
++
288
++        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
289
++            BIO_free(bioS);
290
++            return NULL;
291
++        }
292
++        bioS = BIO_push(bioF, bioS);
293
++        rc = d2i_DHparams_bio(bioS, NULL);
294
++        BIO_free_all(bioS);
295
++
296
++        if (rc == NULL) {
297
++            /* 3. try plain DER */
298
++            if ((bioS=BIO_new_file(filename, "r")) == NULL)
299
++                return NULL;
300
++            rc = d2i_DHparams_bio(bioS, NULL);
301
++            BIO_free(bioS);
302
++        }
303
++    }
304
++    if (rc != NULL && DHparams != NULL) {
305
++        if (*DHparams != NULL)
306
++            DH_free(*DHparams);
307
++        *DHparams = rc;
308
++    }
309
++    return rc;
310
++}
311
++
312
+ /*  _________________________________________________________________
313
+ **
314
+ **  Smart shutdown
315
+diff -Naur httpd-2.4.3/modules/ssl/ssl_util_ssl.h httpd-2.4.3-dh/modules/ssl/ssl_util_ssl.h
316
+--- httpd-2.4.3/modules/ssl/ssl_util_ssl.h	2012-01-08 11:12:18.000000000 +0100
317
+@@ -62,6 +62,7 @@
318
+ void        SSL_set_app_data2(SSL *, void *);
319
+ X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);
320
+ EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
321
++DH         *SSL_read_DHparams(char* filename, DH **DHparams, void *cb);
322
+ int         SSL_smart_shutdown(SSL *ssl);
323
+ BOOL        SSL_X509_isSGC(X509 *);
324
+ BOOL        SSL_X509_getBC(X509 *, int *, int *);
0 325
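Review bot: `ssl_server_import_dhparams()` (ssl_engine_init.c hunk) passes whatever `d2i_DHparams()` decoded straight to `SSL_CTX_set_tmp_dh()`, and `SSL_read_DHparams()` does no checking either, so a file with a short or non-prime modulus is accepted silently and then used for the DHE handshakes of that server context. I would run `DH_check()` and enforce a minimum modulus size before installing the group, failing startup with a log message as the other import errors do. The excerpt tests only the prime-related flags because older OpenSSL releases can report a generator warning for some standard groups. In the ssl_engine_pphrase.c hunk, `length = i2d_DHparams(pDHParams, NULL)` is used unchecked as the size for `ssl_asn1_table_set()`; a negative return should be treated as an error before the table entry is allocated. In the excerpt, `MODSSL_DH_MIN_BITS` is a placeholder for a project-chosen minimum, and `dh_codes` belongs with the function's other locals.

```c
    /* … unchanged: table lookup and d2i_DHparams() import … */
    int dh_codes = 0;   /* declare with the other locals at the top */

    /* Refuse groups whose modulus is not a safe prime or is too short. */
    if (!DH_check(dhparams, &dh_codes)
        || (dh_codes & (DH_CHECK_P_NOT_PRIME | DH_CHECK_P_NOT_SAFE_PRIME))
        || DH_size(dhparams) * 8 < MODSSL_DH_MIN_BITS /* placeholder */) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Server Diffie-Hellman parameters failed validation");
        ssl_die(s);
    }
    /* … unchanged: SSL_CTX_set_tmp_dh() and mctx->pks->dhparams assignment … */
```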
new file mode 100644
... ...
@@ -0,0 +1,242 @@
1
+diff -Naur httpd-2.4.3/modules/ssl/mod_ssl.c httpd-2.4.3-1/modules/ssl/mod_ssl.c
2
+--- httpd-2.4.3/modules/ssl/mod_ssl.c	2012-08-05 15:48:40.000000000 +0200
3
+@@ -263,6 +263,18 @@
4
+     AP_END_CMD
5
+ };
6
+ 
7
++/* Implement 'modssl_run_npn_advertise_protos_hook'. */
8
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
9
++    modssl, AP, int, npn_advertise_protos_hook,
10
++    (conn_rec *connection, apr_array_header_t *protos),
11
++    (connection, protos), OK, DECLINED);
12
++
13
++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
14
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
15
++    modssl, AP, int, npn_proto_negotiated_hook,
16
++    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
17
++    (connection, proto_name, proto_name_len), OK, DECLINED);
18
++
19
+ /*
20
+  *  the various processing hooks
21
+  */
22
+diff -Naur httpd-2.4.3/modules/ssl/mod_ssl.h httpd-2.4.3-1/modules/ssl/mod_ssl.h
23
+--- httpd-2.4.3/modules/ssl/mod_ssl.h	2011-09-23 15:38:09.000000000 +0200
24
+@@ -63,5 +63,26 @@
25
+ 
26
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
27
+ 
28
++/** The npn_advertise_protos optional hook allows other modules to add entries
29
++ * to the list of protocol names advertised by the server during the Next
30
++ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
31
++ * given the connection and an APR array; it should push one or more char*'s
32
++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
33
++ * the array and return OK, or do nothing and return DECLINED. */
34
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
35
++                          (conn_rec *connection, apr_array_header_t *protos));
36
++
37
++/** The npn_proto_negotiated optional hook allows other modules to discover the
38
++ * name of the protocol that was chosen during the Next Protocol Negotiation
39
++ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
40
++ * (in which case modules should probably assume HTTP), or it may be a protocol
41
++ * that was never even advertised by the server.  The hook callee is given the
42
++ * connection, a non-null-terminated string containing the protocol name, and
43
++ * the length of the string; it should do something appropriate (i.e. insert or
44
++ * remove filters) and return OK, or do nothing and return DECLINED. */
45
++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
46
++                          (conn_rec *connection, const char *proto_name,
47
++                           apr_size_t proto_name_len));
48
++
49
+ #endif /* __MOD_SSL_H__ */
50
+ /** @} */
51
+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_init.c httpd-2.4.3-1/modules/ssl/ssl_engine_init.c
52
+--- httpd-2.4.3/modules/ssl/ssl_engine_init.c	2012-08-05 15:48:40.000000000 +0200
53
+@@ -693,6 +693,11 @@
54
+ #endif
55
+ 
56
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
57
++
58
++#ifdef HAVE_TLS_NPN
59
++    SSL_CTX_set_next_protos_advertised_cb(
60
++        ctx, ssl_callback_AdvertiseNextProtos, NULL);
61
++#endif
62
+ }
63
+ 
64
+ static void ssl_init_ctx_verify(server_rec *s,
65
+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_io.c httpd-2.4.3-1/modules/ssl/ssl_engine_io.c
66
+--- httpd-2.4.3/modules/ssl/ssl_engine_io.c	2012-05-05 10:44:19.000000000 +0200
67
+@@ -28,6 +28,7 @@
68
+                                   core keeps dumping.''
69
+                                             -- Unknown    */
70
+ #include "ssl_private.h"
71
++#include "mod_ssl.h"
72
+ #include "apr_date.h"
73
+ 
74
+ /*  _________________________________________________________________
75
+@@ -297,6 +298,7 @@
76
+     apr_pool_t *pool;
77
+     char buffer[AP_IOBUFSIZE];
78
+     ssl_filter_ctx_t *filter_ctx;
79
++    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
80
+ } bio_filter_in_ctx_t;
81
+ 
82
+ /*
83
+@@ -1374,6 +1376,26 @@
84
+         APR_BRIGADE_INSERT_TAIL(bb, bucket);
85
+     }
86
+ 
87
++#ifdef HAVE_TLS_NPN
88
++    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
89
++     * our version of OpenSSL supports it).  If we haven't already, find out
90
++     * which protocol was decided upon and inform other modules by calling
91
++     * npn_proto_negotiated_hook. */
92
++    if (!inctx->npn_finished) {
93
++        const unsigned char *next_proto = NULL;
94
++        unsigned next_proto_len = 0;
95
++
96
++        SSL_get0_next_proto_negotiated(
97
++            inctx->ssl, &next_proto, &next_proto_len);
98
++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
99
++                      APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
100
++                      next_proto_len, (const char*)next_proto);
101
++        modssl_run_npn_proto_negotiated_hook(
102
++            f->c, (const char*)next_proto, next_proto_len);
103
++        inctx->npn_finished = 1;
104
++    }
105
++#endif
106
++
107
+     return APR_SUCCESS;
108
+ }
109
+ 
110
+@@ -1855,6 +1877,7 @@
111
+     inctx->block = APR_BLOCK_READ;
112
+     inctx->pool = c->pool;
113
+     inctx->filter_ctx = filter_ctx;
114
++    inctx->npn_finished = 0;
115
+ }
116
+ 
117
+ /* The request_rec pointer is passed in here only to ensure that the
118
+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_kernel.c httpd-2.4.3-1/modules/ssl/ssl_engine_kernel.c
119
+--- httpd-2.4.3/modules/ssl/ssl_engine_kernel.c	2012-05-05 10:44:19.000000000 +0200
120
+@@ -29,6 +29,7 @@
121
+                                   time I was too famous.''
122
+                                             -- Unknown                */
123
+ #include "ssl_private.h"
124
++#include "mod_ssl.h"
125
+ #include "util_md5.h"
126
+ 
127
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
128
+@@ -2143,3 +2144,86 @@
129
+     return -1;
130
+ }
131
+ #endif
132
++
133
++#ifdef HAVE_TLS_NPN
134
++/*
135
++ * This callback function is executed when SSL needs to decide what protocols
136
++ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
137
++ * string in wire format -- a sequence of length-prefixed strings -- indicating
138
++ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
139
++ * in OpenSSL for reference.
140
++ */
141
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
142
++                                     unsigned int *size_out, void *arg)
143
++{
144
++    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
145
++    apr_array_header_t *protos;
146
++    int num_protos;
147
++    unsigned int size;
148
++    int i;
149
++    unsigned char *data;
150
++    unsigned char *start;
151
++
152
++    *data_out = NULL;
153
++    *size_out = 0;
154
++
155
++    /* If the connection object is not available, then there's nothing for us
156
++     * to do. */
157
++    if (c == NULL) {
158
++        return SSL_TLSEXT_ERR_OK;
159
++    }
160
++
161
++    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
162
++     * add alternate protocol names to advertise. */
163
++    protos = apr_array_make(c->pool, 0, sizeof(char*));
164
++    modssl_run_npn_advertise_protos_hook(c, protos);
165
++    num_protos = protos->nelts;
166
++
167
++    /* We now have a list of null-terminated strings; we need to concatenate
168
++     * them together into a single string, where each protocol name is prefixed
169
++     * by its length.  First, calculate how long that string will be. */
170
++    size = 0;
171
++    for (i = 0; i < num_protos; ++i) {
172
++        const char *string = APR_ARRAY_IDX(protos, i, const char*);
173
++        unsigned int length = strlen(string);
174
++        /* If the protocol name is too long (the length must fit in one byte),
175
++         * then log an error and skip it. */
176
++        if (length > 255) {
177
++            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
178
++                          "SSL NPN protocol name too long (length=%u): %s",
179
++                          length, string);
180
++            continue;
181
++        }
182
++        /* Leave room for the length prefix (one byte) plus the protocol name
183
++         * itself. */
184
++        size += 1 + length;
185
++    }
186
++
187
++    /* If there is nothing to advertise (either because no modules added
188
++     * anything to the protos array, or because all strings added to the array
189
++     * were skipped), then we're done. */
190
++    if (size == 0) {
191
++        return SSL_TLSEXT_ERR_OK;
192
++    }
193
++
194
++    /* Now we can build the string.  Copy each protocol name string into the
195
++     * larger string, prefixed by its length. */
196
++    data = apr_palloc(c->pool, size * sizeof(unsigned char));
197
++    start = data;
198
++    for (i = 0; i < num_protos; ++i) {
199
++        const char *string = APR_ARRAY_IDX(protos, i, const char*);
200
++        apr_size_t length = strlen(string);
201
++        if (length > 255)
202
++            continue;
203
++        *start = (unsigned char)length;
204
++        ++start;
205
++        memcpy(start, string, length * sizeof(unsigned char));
206
++        start += length;
207
++    }
208
++
209
++    /* Success. */
210
++    *data_out = data;
211
++    *size_out = size;
212
++    return SSL_TLSEXT_ERR_OK;
213
++}
214
++#endif
215
+diff -Naur httpd-2.4.3/modules/ssl/ssl_private.h httpd-2.4.3-1/modules/ssl/ssl_private.h
216
+--- httpd-2.4.3/modules/ssl/ssl_private.h	2012-08-05 15:48:40.000000000 +0200
217
+@@ -139,6 +139,11 @@
218
+ #define HAVE_FIPS
219
+ #endif
220
+ 
221
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
222
++    && !defined(OPENSSL_NO_TLSEXT)
223
++#define HAVE_TLS_NPN
224
++#endif
225
++
226
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
227
+ #define MODSSL_SSL_CIPHER_CONST const
228
+ #define MODSSL_SSL_METHOD_CONST const
229
+@@ -820,6 +825,7 @@
230
+ int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
231
+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
232
+ #endif
233
++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
234
+ 
235
+ /**  Session Cache Support  */
236
+ void         ssl_scache_init(server_rec *, apr_pool_t *);