keks-overlay.git

@@ -1,12 +1,17 @@

 AUX 2.2.22-envvars-std.in 1071 SHA256 1721b424f2335640e49d71e671a4be15424d29fe90f55fe4f52bd241a998d3ee SHA512 c18fd461f02ab79fc456a1ad99bf91c8891ecdabd90f41437ebf87e20b3d28d2006a10d6726164c2f0333e7aee350bd125838abaff3a188d8ab2f5f34d3e5466 WHIRLPOOL 59cbee68fc8012df01229b8d5e38045eb974bab3f08ebf5b01097dabb5275bb83e28cd09a058ce71949ca4a2439811cff457d4c7df88d7b3fc5318c6b7ef0075

 AUX apache-2.2.14-staticdhparameters.diff 11745 SHA256 1fecd496f7df6438cf44b331a0b15d6ceaa0522fcb20d7246772f10f7c3c41df SHA512 5c7fa11b29efd430ddc7144ed8d656c82d9609c9da720cd5d217626505b2257c074bea1ef0f4f2c50b123be58d82fbefac3240b71c3b8c3b9b087c30b090bcf9 WHIRLPOOL ced66883bd7fc4ec868a5d6091cdc765424541c183e53283749d73d4f4b53d0c9221950df816625de9bd115f610931e91b1fac819530294fcb12a0a39b7f6f2c

 AUX apache-2.2.23-tls-compression-option.diff 4211 SHA256 6ccc0003f486734e660292ac2640d99af830443c09a2d5c9d6aaf371b636d9bd SHA512 915044023b10afca9a67ca90fa4d1175d4d3ef7274308df74c78b0972fd7ec54e3fdb3f4b03ecbfc543b64153b232a140cc8e095b2f74abfcfa0cb86e21fb612 WHIRLPOOL 028be436ac78adcb631b109a23ab7f4b5c2349a95202f8ed33a111b9b2048675892b160ac737875ebe7a73937f8868d665d016a61bdbaec301eacbbad0d1cc05

+AUX apache-2.4.3-dhparam.diff 12684 SHA256 5185da7eecf04f26cc496a25fabe420db065e59dd088eca51b8c08f0238d12ad SHA512 c49e4c6e607cf5bf11e59c929791d806b15ff30d11e8473e633f2ef406e5d926a2ced1910672e5263f8ea45de6f30eb37048065c1d9fbd11fb7c52603e93bd4b WHIRLPOOL 41e2ac7c8c0734e3132639db7222e488b8ffd18a6c2f2e76b401fdc0b71fc528f3d80eb3d95710084b9fa88e29ce916df215c79b47d80c3ae25188f4cea79e9c

 AUX apache-noip.diff 417 SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc SHA512 fa684688e707f5fb511b228b8fa9b0f996dbf615f2f9b6478ab478e801f14c65a7381137cdbda648d68f7818891085c744da3a8249843e73bdf5ef247a90d3fe WHIRLPOOL d2636a34b0d48139adef125e76ef477d84bf7cd9785f094fe57c1d81b45e7392622d232bee5f53896d8b48eb9b3241cd48cbb585ea70d97a872c5cd3f6bfe420

+AUX apache-npn 9799 SHA256 6e41b59680832b074246dd24a41aec56f9bb35ab4f34674cd20e32f1289c21ab SHA512 60d9c6f750562f087b607edf7939195f31b7e0101b9c8d1c883e3b01da192d354fc291d45832757ab50c029f99ac4ad06fa9b7ce4e5928367d1f89278fa79fa3 WHIRLPOOL 162dba8354efeccbb100a86cb61e47c0a96be11a057cfffccc194abd31721b99f4ef3e5fc9b4a7e82a7495d1369af1be3f7b3d4339ec33af24858a0049474331

 AUX httpd-2.2.16-ecc.diff 8236 SHA256 e7fe97852875de06372d8413248fa20419946e2ab7de5198c93bffa6b5a68461 SHA512 8b54c30f9edc76bd8969ee894038f267d722d1ab8c7332a84fe21704bde0451e1a27503252fa87bd0f749dac3281eb266cda36aa7faec1a36ee6e67a8f9ae6c7 WHIRLPOOL 2d8ad3cd12b27937dcafef31df8c9fa048fb4e1ed06109e745fbe12dc869ceaa21fa2e62aa9bcb729d7fb426c1ee0a82171b5038cac56f8b8ebbc3cd3569daa9

 DIST gentoo-apache-2.2.22-20120213.tar.bz2 64507 SHA256 737730dabf1e1ccfe9d409067dc3c4d37d16f7fa1e792f5bf39268d904ce1c31 SHA512 f364bdbee967b3bc797d2053b9eb347af963f99275441093930d0057465e1a12567106f5c5ac21a45a4bbd4b353ce67553038d6146f469a7bf980a9148471170 WHIRLPOOL f5a3ab44fc14ddf67ccf0785006b1d9f5c49b915114f9d7e97858fba447a5ee872c741e73c17e121b61cc0aa678b42dc154616cd64054461c552d3a8c29f4f17

 DIST gentoo-apache-2.2.23-20121012.tar.bz2 64135 SHA256 711a88f26c58b10b082f7ff411366cd768f9450101da050438a2f77abeab7333 SHA512 92a49f954b82d4427862f41977625a60641731cc25ab3efdd666be8db839038e7b1c2ef2f878d5efed243eaa63237e88ee4993cd25cca1dfbb0f56a6b2093d57 WHIRLPOOL 221d9c0cf999430afc11a8e48ae67019c7f31daca827a5db7615aca24859788743e5da00e4c99b7b7b375e58fafd6c148339e5671be939dbc30735031e12c49f

+DIST gentoo-apache-2.4.3-20121012.tar.bz2 24541 SHA256 aeed23c716f05d7430a6d905fb75c192418c9ba90feb96fcc474138c4addfd69 SHA512 fe37c91328bf090aacd4012030845b2e4461a116b9b60d95108c4a4749729bef5ac526d4bd3570406f3d7afe41b0f634c2e9a167ee416a56f5f82f46eb27cc26 WHIRLPOOL 421efb4a7940b52cbc2e054c5ef2f79ff19c13a3140941ec659da3ff61a70491485c1c375db29b1fa6c4dc45761df1f0fc63bd3d867c8937d33f5b6c948bade0

 DIST httpd-2.2.22.tar.bz2 5378934 SHA256 dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231 SHA512 b6901453aaef3cac31cf763f7748e06a2492e1f72e4158627f38e45423a9bcd9bea1f74ba1a1ec9a5c7fc554eb062ea61b944e2001f19825def2e530ce8a42bc WHIRLPOOL 32a03d638f82d791effdce888a02e66189d6fe87c2179ab9f3de034fbf5c8311d24835f28e9a18addb847aa6859ed817bf2e11833e315285474eefcea6f56891

 DIST httpd-2.2.23.tar.bz2 5485205 SHA256 14fe79bd6edd957c02cb41f4175e132c08e6ff74a7d08dc1858dd8224e351c34 SHA512 69b3bc942b2a91cdb57356a5c57078794db2d8404a23080a2621cdf33ae2d9bdbbacd0f6e95fd6e71fbfa87e94942be0a014c3e8709148f991e391d03aa6dee2 WHIRLPOOL 8d00184aff654b2d7f1c5ebd471f19ffcb57107ea37179fa05c424424d7b70ff0c9abf3be68ed9f0d091b3c057f1ba24cb989937e35087c3199f82e3dddbbd4f

+DIST httpd-2.4.3.tar.bz2 4559279 SHA256 d82102b9c111f1892fb20a2bccf4370de579c6521b2f172ed0b36f2759fb249e SHA512 d4501ae69aacb75d960bc8cb61c9e1ff52e6e42a37c37ca84c839262e183ca2f305794da28266aa2119d211ba0f4531705f66330079ab594c05e92ae8196d1ab WHIRLPOOL 4ffb7dc8057200f676557a70591d6938e92a8990d88dc88237d278f185290d260312dd8cfdd08994ffd7b7280502b3debea0f3e02acc718dd9db613222b6d2ae

 EBUILD apache-2.2.22-r1.ebuild 3206 SHA256 4c72b2164c32c34e85c6a8e99c68464e5505eeb79bf94eed7ad1d62ba2045c0e SHA512 bafab5ef6f8d8675614473c01ae71655b1cd94b75658353e8351df1cb8b9667b2164d501f98b4492810a2ec2d3415db6c5df416bc51aed4fc4ec6fc4a155288b WHIRLPOOL d6f4c9b06b3cfcad613084bb7902c7ba942848a8233b50ff48474e7407c3e1d4523f44a0ca9f0790510122719609ec767afbaf3fdd60b6dd7918fe409e9b08a2

 EBUILD apache-2.2.22.ebuild 3001 SHA256 cf930cea2f7e8a8bd2f7cabe7de9ecf56efb33d10bd3fe2d70acaa6e86cebb0c SHA512 1de2c503698334b00c3b44cad9680d8699e7ad21c80a746af4154d03433da4bcc072cf572d2ce9dbf478f6c97423ee2650521d877f2c62a27ec0189d5c66c045 WHIRLPOOL aadae0ae48a37cdd5ed3995c92fa5bf925fd2c12792cdcce08305191c09703a80bd7bc264c61165e8c26687bde97ad543722d04e090620cd7fe473c76688e233

 EBUILD apache-2.2.23.ebuild 3181 SHA256 b6502801683bcd8708e247fd11e8d7a639a7412f77d3a631827705f20e43c878 SHA512 860dce68ab969c4bacdedc3fec4d48937d7a331921e86fe02d6b1481a59cd8997d336b9c9bbc6cf9a69dd3719acc411abae1809e7770b42d31adb1cefd5dc560 WHIRLPOOL e2e128e74236c6a306d511cdc8d1e9799e9818fc842a1884eb48a8ef8683669ba321ca228ec780015e1c88044cff2904652c4a1c93a2f3af84e3552c8e7d3363

+EBUILD apache-2.4.3.ebuild 7203 SHA256 082ee4bc36fe78621a32ad8ae3f3117943b5572e1456618d1b547cf344c4d687 SHA512 56786dc2e5f835e1894760ad85bfba6ffd531b50e7e9f782240ac2deb7464a2aa222cd04495ab7bd81f0e30c91972f417857c9fd4ee53587ebc91ba6a542c41e WHIRLPOOL 4e8e22861a21d8defd9c8eb57fc5548ba38a911db640fc63b6a15fdcfcf86c8fbf50b09f78321ea784bf81340718242d5a7fa6c6ed1c4e0c31a4e79affc64d24

@@ -0,0 +1,214 @@

+# Copyright 1999-2012 Gentoo Foundation

+# Distributed under the terms of the GNU General Public License v2

+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.4.3.ebuild,v 1.2 2012/10/13 03:13:09 mr_bones_ Exp $

+

+EAPI="2"

+

+# latest gentoo apache files

+GENTOO_PATCHSTAMP="20121012"

+GENTOO_DEVELOPER="patrick"

+#GENTOO_PATCHNAME="gentoo-apache-2.4.1"

+

+# IUSE/USE_EXPAND magic

+IUSE_MPMS_FORK="itk peruser prefork"

+IUSE_MPMS_THREAD="event worker"

+

+# << obsolete modules:

+# authn_default authz_default mem_cache

+# mem_cache is replaced by cache_disk

+# ?? buggy modules

+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found

+# >> added modules for reason:

+# compat: compatibility with 2.2 access control

+# authz_host: new module for access control

+# authn_core: functionality provided by authn_alias in previous versions

+# authz_core: new module, provides core authorization capabilities

+# cache_disk: replacement for mem_cache

+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3

+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3

+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3

+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3

+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).

+# socache_shmcb: shared object cache provider. Default config with ssl needs it

+# unixd: fixes startup error: Invalid command 'User'

+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest authn_alias authn_anon

+authn_core authn_dbd authn_dbm authn_file authz_core authz_dbm

+authz_groupfile authz_host authz_owner authz_user autoindex cache cache_disk cern_meta

+charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir dumpio

+env expires ext_filter file_cache filter headers ident imagemap include info

+lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat

+log_config log_forensic logio mime mime_magic negotiation proxy

+proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite

+reqtimeout setenvif slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack

+unixd version vhost_alias"

+# The following are also in the source as of this version, but are not available

+# for user selection:

+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export

+# optional_fn_import optional_hook_export optional_hook_import

+

+# inter-module dependencies

+# TODO: this may still be incomplete

+MODULE_DEPENDS="

+	dav_fs:dav

+	dav_lock:dav

+	deflate:filter

+	cache_disk:cache

+	ext_filter:filter

+	file_cache:cache

+	lbmethod_byrequests:proxy_balancer

+	lbmethod_byrequests:slotmem_shm

+	lbmethod_bytraffic:proxy_balancer

+	lbmethod_bybusyness:proxy_balancer

+	lbmethod_heartbeat:proxy_balancer

+	log_forensic:log_config

+	logio:log_config

+	cache_disk:cache

+	mime_magic:mime

+	proxy_ajp:proxy

+	proxy_balancer:proxy

+	proxy_connect:proxy

+	proxy_ftp:proxy

+	proxy_http:proxy

+	proxy_scgi:proxy

+	substitute:filter

+"

+

+# module<->define mappings

+MODULE_DEFINES="

+	auth_digest:AUTH_DIGEST

+	authnz_ldap:AUTHNZ_LDAP

+	cache:CACHE

+	cache_disk:CACHE

+	dav:DAV

+	dav_fs:DAV

+	dav_lock:DAV

+	file_cache:CACHE

+	info:INFO

+	ldap:LDAP

+	proxy:PROXY

+	proxy_ajp:PROXY

+	proxy_balancer:PROXY

+	proxy_connect:PROXY

+	proxy_ftp:PROXY

+	proxy_http:PROXY

+	socache_shmcb:SSL

+	ssl:SSL

+	status:STATUS

+	suexec:SUEXEC

+	userdir:USERDIR

+"

+

+# critical modules for the default config

+MODULE_CRITICAL="

+	authn_core

+	authz_core

+	authz_host

+	dir

+	mime

+	unixd

+"

+# dependend criticals

+use ssl && MODULE_CRITICAL+=" socache_shmcb"

+use doc && MODULE_CRITICAL+=" alias negotiation setenvif"

+

+inherit eutils apache-2

+

+DESCRIPTION="The Apache Web Server."

+HOMEPAGE="http://httpd.apache.org/"

+

+# some helper scripts are Apache-1.1, thus both are here

+LICENSE="Apache-2.0 Apache-1.1"

+SLOT="2"

+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"

+IUSE=""

+

+DEPEND="${DEPEND}

+	>=dev-libs/openssl-0.9.8m

+	apache2_modules_deflate? ( sys-libs/zlib )"

+

+# dependency on >=dev-libs/apr-1.4.5 for bug #368651

+RDEPEND="${RDEPEND}

+	>=dev-libs/apr-1.4.5

+	>=dev-libs/openssl-0.9.8m

+	apache2_modules_mime? ( app-misc/mime-types )"

+

+# init script fixup - should be rolled into next tarball #389965

+src_prepare() {

+	epatch "${FILESDIR}"/apache-npn

+	epatch "${FILESDIR}"/apache-2.4.3-dhparam.diff

+	# the following patch can be removed once it is included in

+	# GENTOO_PATCHNAME="gentoo-apache-2.4.1" ...

+	if [ -f "${FILESDIR}/${GENTOO_PATCHNAME}-${GENTOO_DEVELOPER}-${GENTOO_PATCHSTAMP}-${PVR}.patch" ]; then

+		cd "${GENTOO_PATCHDIR}" || die "Failed to cd to ${GENTOO_PATCHDIR}"

+		epatch "${FILESDIR}/${GENTOO_PATCHNAME}-${GENTOO_DEVELOPER}-${GENTOO_PATCHSTAMP}-${PVR}.patch" \

+			|| die "epatch failed"

+		cd "${S}" || die "Failed to cd to ${S}"

+	fi

+	apache-2_src_prepare

+	sed -i -e 's/! test -f/test -f/' "${GENTOO_PATCHDIR}"/init/apache2.initd || die "Failed to fix init script"

+}

+

+src_install() {

+	apache-2_src_install

+	for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do

+		rm "${D}"/$i || die "Failed to prune apache-tools bits"

+	done

+	for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do

+		rm "${D}"/$i || die "Failed to prune apache-tools bits"

+	done

+	for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do

+		rm "${D}"/$i || die "Failed to prune apache-tools bits"

+	done

+	for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do

+		rm "${D}/"$i || die "Failed to prune apache-tools bits"

+	done

+

+	# well, actually installing things makes them more installed, I guess?

+	cp "${S}"/support/apxs "${D}"/usr/sbin/apxs || die "Failed to install apxs"

+	chmod 0755 "${D}"/usr/sbin/apxs

+

+	# create dir defined in 40_mod_ssl.conf

+	if use ssl; then

+		dodir /var/run/apache_ssl_mutex || die "Failed to mkdir ssl_mutex"

+	fi

+}

+

+pkg_postinst()

+{

+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"

+	# warnings that default config might not work out of the box

+	for mod in $MODULE_CRITICAL; do

+		if ! use "apache2_modules_${mod}"; then

+			echo

+			ewarn "Warning: Critical module not installed!"

+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"

+			ewarn "are highly recomended but might not be in the base profile yet."

+			ewarn "Default config for ssl needs module 'socache_shmcb'."

+			ewarn "Enabling the following flags is highly recommended:"

+			for cmod in $MODULE_CRITICAL; do

+				use "apache2_modules_${cmod}" || \

+					ewarn "+ apache2_modules_${cmod}"

+			done

+			echo

+			break

+		fi

+	done

+	# warning for proxy_balancer and missing load balancing scheduler

+	if use apache2_modules_proxy_balancer; then

+		local lbset=

+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do

+			if use "apache2_modules_${mod}"; then

+				lbset=1 && break

+			fi

+		done

+		if [ ! $lbset ]; then

+			echo

+			ewarn "Info: Missing load balancing scheduler algorithm module"

+			ewarn "(They were split off from proxy_balancer in 2.3)"

+			ewarn "In order to get the ability of load balancing, at least"

+			ewarn "one of these modules has to be present:"

+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"

+			echo

+		fi

+	fi

+}

@@ -0,0 +1,331 @@

+diff -Naur httpd-2.4.3/modules/ssl/mod_ssl.c httpd-2.4.3-dh/modules/ssl/mod_ssl.c

+--- httpd-2.4.3/modules/ssl/mod_ssl.c	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-dh/modules/ssl/mod_ssl.c	2012-10-23 16:10:39.905810300 +0200

+@@ -88,6 +88,9 @@

+     SSL_CMD_SRV(CertificateKeyFile, TAKE1,

+                 "SSL Server Private Key file "

+                 "('/path/to/file' - PEM or DER encoded)")

++    SSL_CMD_SRV(DHParametersFile, TAKE1,

++                "SSL Server Diffie-Hellman parameters file "

++                "(`/path/to/file' - PEM or DER encoded)")

+     SSL_CMD_SRV(CertificateChainFile, TAKE1,

+                 "SSL Server CA Certificate Chain file "

+                 "('/path/to/file' - PEM encoded)")

+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_config.c httpd-2.4.3-dh/modules/ssl/ssl_engine_config.c

+--- httpd-2.4.3/modules/ssl/ssl_engine_config.c	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-dh/modules/ssl/ssl_engine_config.c	2012-10-23 16:10:39.907810276 +0200

+@@ -67,6 +67,7 @@

+     mc->tVHostKeys             = apr_hash_make(pool);

+     mc->tPrivateKey            = apr_hash_make(pool);

+     mc->tPublicCert            = apr_hash_make(pool);

++    mc->tDHParams              = apr_hash_make(pool);

+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)

+     mc->szCryptoDevice         = NULL;

+ #endif

+@@ -182,6 +183,9 @@

+ 

+     /* mctx->pks->... certs/keys are set during module init */

+ 

++    mctx->pks->dhparams_file = NULL;

++    mctx->pks->dhparams     = NULL;

++

+ #ifdef HAVE_TLS_SESSION_TICKETS

+     mctx->ticket_key = apr_pcalloc(p, sizeof(*mctx->ticket_key));

+ #endif

+@@ -302,6 +306,7 @@

+ 

+     cfgMergeString(pks->ca_name_path);

+     cfgMergeString(pks->ca_name_file);

++    cfgMergeString(pks->dhparams_file);

+ 

+ #ifdef HAVE_TLS_SESSION_TICKETS

+     cfgMergeString(ticket_key->file_path);

+@@ -783,6 +788,22 @@

+ 

+     return NULL;

+ }

++

++const char *ssl_cmd_SSLDHParametersFile(cmd_parms *cmd,

++                                        void *dcfg,

++					const char *arg)

++{

++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

++    const char *err;

++

++    if ((err = ssl_cmd_check_file(cmd, &arg))) {

++        return err;

++    }

++

++    sc->server->pks->dhparams_file = arg;

++

++    return NULL;

++}

+ 

+ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,

+                                           void *dcfg,

+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_init.c httpd-2.4.3-dh/modules/ssl/ssl_engine_init.c

+--- httpd-2.4.3/modules/ssl/ssl_engine_init.c	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-dh/modules/ssl/ssl_engine_init.c	2012-10-23 16:11:28.481213388 +0200

+@@ -962,6 +962,42 @@

+     }

+ }

+ 

++static int ssl_server_import_dhparams(server_rec *s,

++                                      modssl_ctx_t *mctx,

++                                      const char *id)

++{

++    SSLModConfigRec *mc = myModConfig(s);

++    ssl_asn1_t *asn1;

++    MODSSL_D2I_DHparams_CONST unsigned char *ptr;

++    DH *dhparams = NULL;

++

++    if (!(asn1 = ssl_asn1_table_get(mc->tDHParams, id))) {

++        return FALSE;

++    }

++

++    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

++                 "Configuring server Diffie-Hellman parameters");

++

++    ptr = asn1->cpData;

++    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {

++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

++                "Unable to import server Diffie-Hellman parameters");

++        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);

++        ssl_die(s);

++    }

++

++    if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams) <= 0) {

++        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

++                "Unable to configure server Diffie-Hellman parameters");

++        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);

++        ssl_die(s);

++    }

++

++    mctx->pks->dhparams = dhparams;

++

++    return TRUE;

++}

++

+ static int ssl_server_import_cert(server_rec *s,

+                                   modssl_ctx_t *mctx,

+                                   const char *id,

+@@ -1169,7 +1205,7 @@

+                                   apr_pool_t *ptemp,

+                                   modssl_ctx_t *mctx)

+ {

+-    const char *rsa_id, *dsa_id;

++    const char *rsa_id, *dsa_id, *dh_id;

+ #ifndef OPENSSL_NO_EC

+     const char *ecc_id;

+ #endif

+@@ -1182,12 +1218,14 @@

+ 

+     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);

+     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);

++    dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);

+ #ifndef OPENSSL_NO_EC

+     ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);

+ #endif

+ 

+     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);

+     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);

++    (void)ssl_server_import_dhparams(s, mctx, dh_id);

+ #ifndef OPENSSL_NO_EC

+     have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);

+ #endif

+@@ -1723,6 +1761,7 @@

+         MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,

+                              mctx->pks->keys[i]);

+     }

++    MODSSL_CFG_ITEM_FREE(DH_free, mctx->pks->dhparams);

+ }

+ 

+ apr_status_t ssl_init_ModuleKill(void *data)

+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_pphrase.c httpd-2.4.3-dh/modules/ssl/ssl_engine_pphrase.c

+--- httpd-2.4.3/modules/ssl/ssl_engine_pphrase.c	2012-08-04 23:22:38.000000000 +0200

++++ httpd-2.4.3-dh/modules/ssl/ssl_engine_pphrase.c	2012-10-23 16:16:39.306422234 +0200

+@@ -147,6 +147,7 @@

+     unsigned char *ucp;

+     long int length;

+     X509 *pX509Cert;

++    DH *pDHParams;

+     BOOL bReadable;

+     apr_array_header_t *aPassPhrase;

+     int nPassPhrase;

+@@ -162,6 +163,7 @@

+     char *an;

+     apr_time_t pkey_mtime = 0;

+     apr_status_t rv;

++    const char *dhid;

+     /*

+      * Start with a fresh pass phrase array

+      */

+@@ -225,14 +227,14 @@

+                     ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)

+                                  "Init: Can't open server certificate file %s",

+                                  szPath);

+-                    ssl_die(s);

++                    ssl_die(pServ);

+                 }

+                 if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {

+                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)

+                                  "Init: Unable to read server certificate from"

+                                  " file %s", szPath);

+                     ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);

+-                    ssl_die(s);

++                    ssl_die(pServ);

+                 }

+                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)

+                              "Init: Read server certificate from '%s'",

+@@ -550,6 +552,43 @@

+              */

+             EVP_PKEY_free(pPrivateKey);

+         }

++	/*

++         * Read in Diffie-Hellman parameters file if such a file is

++         * specified.

++         */

++        if (sc->server->pks->dhparams_file) {

++            apr_cpystrn(szPath, sc->server->pks->dhparams_file, sizeof(szPath));

++            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {

++                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,

++                             "Init: Can't open server Diffie-Hellman parameters file %s",

++                             szPath);

++                ssl_die(s);

++            }

++            if ((pDHParams = SSL_read_DHparams(szPath, NULL, NULL)) == NULL) {

++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

++                        "Init: Unable to read server Diffie-Hellman parameters from file %s", szPath);

++                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);

++                ssl_die(s);

++            }

++

++	    /*

++             * Insert the DH params into global module configuration

++             * to let it survive the processing between the 1st Apache

++             * API init round (where we operate here) and the 2nd

++             * Apache init round (where it will be actually used to

++             * configure mod_ssl's per-server configuration

++             * structures).

++             */

++            dhid = asn1_table_vhost_key(mc, p, cpVHostID, "DH");

++            length = i2d_DHparams(pDHParams, NULL);

++            ucp = ssl_asn1_table_set(mc->tDHParams, dhid, length);

++            (void)i2d_DHparams(pDHParams, &ucp); /* 2nd arg increments */

++

++            /*

++             * Free the DH structure

++             */

++            DH_free(pDHParams);

++        }

+     }

+ 

+     /*

+diff -Naur httpd-2.4.3/modules/ssl/ssl_private.h httpd-2.4.3-dh/modules/ssl/ssl_private.h

+--- httpd-2.4.3/modules/ssl/ssl_private.h	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-dh/modules/ssl/ssl_private.h	2012-10-23 16:10:39.911810230 +0200

+@@ -121,10 +121,12 @@

+ #define MODSSL_D2I_ASN1_type_bytes_CONST const

+ #define MODSSL_D2I_PrivateKey_CONST const

+ #define MODSSL_D2I_X509_CONST const

++#define MODSSL_D2I_DHparams_CONST const

+ #else

+ #define MODSSL_D2I_ASN1_type_bytes_CONST

+ #define MODSSL_D2I_PrivateKey_CONST

+ #define MODSSL_D2I_X509_CONST

++#define MODSSL_D2I_DHparams_CONST

+ #endif

+ 

+ #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \

+@@ -535,6 +537,7 @@

+      * example the string "vhost.example.com:443:RSA". */

+     apr_hash_t     *tPublicCert;

+     apr_hash_t     *tPrivateKey;

++    apr_hash_t     *tDHParams;

+ 

+ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)

+     const char     *szCryptoDevice;

+@@ -561,11 +564,13 @@

+      * unordered lists. */

+     const char  *cert_files[SSL_AIDX_MAX];

+     const char  *key_files[SSL_AIDX_MAX];

++    const char  *dhparams_file;

+     /* Loaded certs and keys; these arrays ARE indexed by the

+      * algorithm type, i.e.  keys[SSL_AIDX_RSA] maps to the RSA

+      * private key. */

+     X509        *certs[SSL_AIDX_MAX];

+     EVP_PKEY    *keys[SSL_AIDX_MAX];

++    DH          *dhparams;

+ 

+     /** Certificates which specify the set of CA names which should be

+      * sent in the CertificateRequest message: */

+@@ -723,6 +728,7 @@

+ const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);

+ const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);

+ const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);

++const char  *ssl_cmd_SSLDHParametersFile(cmd_parms *, void *, const char *);

+ const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);

+ const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);

+ const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);

+diff -Naur httpd-2.4.3/modules/ssl/ssl_util_ssl.c httpd-2.4.3-dh/modules/ssl/ssl_util_ssl.c

+--- httpd-2.4.3/modules/ssl/ssl_util_ssl.c	2012-02-28 13:07:31.000000000 +0100

++++ httpd-2.4.3-dh/modules/ssl/ssl_util_ssl.c	2012-10-23 16:10:39.911810230 +0200

+@@ -156,6 +156,47 @@

+     return rc;

+ }

+ 

++DH *SSL_read_DHparams(char* filename, DH **DHparams, void *cb)

++{

++    DH  *rc;

++    BIO *bioS;

++    BIO *bioF;

++

++    /* 1. try PEM (= DER+Base64+headers) */

++    if ((bioS=BIO_new_file(filename, "r")) == NULL)

++        return NULL;

++    rc = PEM_read_bio_DHparams(bioS, DHparams, cb, NULL);

++    BIO_free(bioS);

++

++    if (rc == NULL) {

++        /* 2. try DER+Base64 */

++        if ((bioS=BIO_new_file(filename, "r")) == NULL)

++            return NULL;

++

++        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {

++            BIO_free(bioS);

++            return NULL;

++        }

++        bioS = BIO_push(bioF, bioS);

++        rc = d2i_DHparams_bio(bioS, NULL);

++        BIO_free_all(bioS);

++

++        if (rc == NULL) {

++            /* 3. try plain DER */

++            if ((bioS=BIO_new_file(filename, "r")) == NULL)

++                return NULL;

++            rc = d2i_DHparams_bio(bioS, NULL);

++            BIO_free(bioS);

++        }

++    }

++    if (rc != NULL && DHparams != NULL) {

++        if (*DHparams != NULL)

++            DH_free(*DHparams);

++        *DHparams = rc;

++    }

++    return rc;

++}

++

+ /*  _________________________________________________________________

+ **

+ **  Smart shutdown

+diff -Naur httpd-2.4.3/modules/ssl/ssl_util_ssl.h httpd-2.4.3-dh/modules/ssl/ssl_util_ssl.h

+--- httpd-2.4.3/modules/ssl/ssl_util_ssl.h	2012-01-08 11:12:18.000000000 +0100

++++ httpd-2.4.3-dh/modules/ssl/ssl_util_ssl.h	2012-10-23 16:10:39.912810219 +0200

+@@ -62,6 +62,7 @@

+ void        SSL_set_app_data2(SSL *, void *);

+ X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);

+ EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);

++DH         *SSL_read_DHparams(char* filename, DH **DHparams, void *cb);

+ int         SSL_smart_shutdown(SSL *ssl);

+ BOOL        SSL_X509_isSGC(X509 *);

+ BOOL        SSL_X509_getBC(X509 *, int *, int *);

@@ -0,0 +1,242 @@

+diff -Naur httpd-2.4.3/modules/ssl/mod_ssl.c httpd-2.4.3-1/modules/ssl/mod_ssl.c

+--- httpd-2.4.3/modules/ssl/mod_ssl.c	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-1/modules/ssl/mod_ssl.c	2012-10-23 15:53:15.014424913 +0200

+@@ -263,6 +263,18 @@

+     AP_END_CMD

+ };

+ 

++/* Implement 'modssl_run_npn_advertise_protos_hook'. */

++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(

++    modssl, AP, int, npn_advertise_protos_hook,

++    (conn_rec *connection, apr_array_header_t *protos),

++    (connection, protos), OK, DECLINED);

++

++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */

++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(

++    modssl, AP, int, npn_proto_negotiated_hook,

++    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),

++    (connection, proto_name, proto_name_len), OK, DECLINED);

++

+ /*

+  *  the various processing hooks

+  */

+diff -Naur httpd-2.4.3/modules/ssl/mod_ssl.h httpd-2.4.3-1/modules/ssl/mod_ssl.h

+--- httpd-2.4.3/modules/ssl/mod_ssl.h	2011-09-23 15:38:09.000000000 +0200

++++ httpd-2.4.3-1/modules/ssl/mod_ssl.h	2012-10-23 15:53:15.014424913 +0200

+@@ -63,5 +63,26 @@

+ 

+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));

+ 

++/** The npn_advertise_protos optional hook allows other modules to add entries

++ * to the list of protocol names advertised by the server during the Next

++ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is

++ * given the connection and an APR array; it should push one or more char*'s

++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto

++ * the array and return OK, or do nothing and return DECLINED. */

++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,

++                          (conn_rec *connection, apr_array_header_t *protos));

++

++/** The npn_proto_negotiated optional hook allows other modules to discover the

++ * name of the protocol that was chosen during the Next Protocol Negotiation

++ * (NPN) portion of the SSL handshake.  Note that this may be the empty string

++ * (in which case modules should probably assume HTTP), or it may be a protocol

++ * that was never even advertised by the server.  The hook callee is given the

++ * connection, a non-null-terminated string containing the protocol name, and

++ * the length of the string; it should do something appropriate (i.e. insert or

++ * remove filters) and return OK, or do nothing and return DECLINED. */

++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,

++                          (conn_rec *connection, const char *proto_name,

++                           apr_size_t proto_name_len));

++

+ #endif /* __MOD_SSL_H__ */

+ /** @} */

+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_init.c httpd-2.4.3-1/modules/ssl/ssl_engine_init.c

+--- httpd-2.4.3/modules/ssl/ssl_engine_init.c	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-1/modules/ssl/ssl_engine_init.c	2012-10-23 15:53:15.030424726 +0200

+@@ -693,6 +693,11 @@

+ #endif

+ 

+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);

++

++#ifdef HAVE_TLS_NPN

++    SSL_CTX_set_next_protos_advertised_cb(

++        ctx, ssl_callback_AdvertiseNextProtos, NULL);

++#endif

+ }

+ 

+ static void ssl_init_ctx_verify(server_rec *s,

+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_io.c httpd-2.4.3-1/modules/ssl/ssl_engine_io.c

+--- httpd-2.4.3/modules/ssl/ssl_engine_io.c	2012-05-05 10:44:19.000000000 +0200

++++ httpd-2.4.3-1/modules/ssl/ssl_engine_io.c	2012-10-23 15:53:15.030424726 +0200

+@@ -28,6 +28,7 @@

+                                   core keeps dumping.''

+                                             -- Unknown    */

+ #include "ssl_private.h"

++#include "mod_ssl.h"

+ #include "apr_date.h"

+ 

+ /*  _________________________________________________________________

+@@ -297,6 +298,7 @@

+     apr_pool_t *pool;

+     char buffer[AP_IOBUFSIZE];

+     ssl_filter_ctx_t *filter_ctx;

++    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */

+ } bio_filter_in_ctx_t;

+ 

+ /*

+@@ -1374,6 +1376,26 @@

+         APR_BRIGADE_INSERT_TAIL(bb, bucket);

+     }

+ 

++#ifdef HAVE_TLS_NPN

++    /* By this point, Next Protocol Negotiation (NPN) should be completed (if

++     * our version of OpenSSL supports it).  If we haven't already, find out

++     * which protocol was decided upon and inform other modules by calling

++     * npn_proto_negotiated_hook. */

++    if (!inctx->npn_finished) {

++        const unsigned char *next_proto = NULL;

++        unsigned next_proto_len = 0;

++

++        SSL_get0_next_proto_negotiated(

++            inctx->ssl, &next_proto, &next_proto_len);

++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,

++                      APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",

++                      next_proto_len, (const char*)next_proto);

++        modssl_run_npn_proto_negotiated_hook(

++            f->c, (const char*)next_proto, next_proto_len);

++        inctx->npn_finished = 1;

++    }

++#endif

++

+     return APR_SUCCESS;

+ }

+ 

+@@ -1855,6 +1877,7 @@

+     inctx->block = APR_BLOCK_READ;

+     inctx->pool = c->pool;

+     inctx->filter_ctx = filter_ctx;

++    inctx->npn_finished = 0;

+ }

+ 

+ /* The request_rec pointer is passed in here only to ensure that the

+diff -Naur httpd-2.4.3/modules/ssl/ssl_engine_kernel.c httpd-2.4.3-1/modules/ssl/ssl_engine_kernel.c

+--- httpd-2.4.3/modules/ssl/ssl_engine_kernel.c	2012-05-05 10:44:19.000000000 +0200

++++ httpd-2.4.3-1/modules/ssl/ssl_engine_kernel.c	2012-10-23 15:53:15.031424714 +0200

+@@ -29,6 +29,7 @@

+                                   time I was too famous.''

+                                             -- Unknown                */

+ #include "ssl_private.h"

++#include "mod_ssl.h"

+ #include "util_md5.h"

+ 

+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

+@@ -2143,3 +2144,86 @@

+     return -1;

+ }

+ #endif

++

++#ifdef HAVE_TLS_NPN

++/*

++ * This callback function is executed when SSL needs to decide what protocols

++ * to advertise during Next Protocol Negotiation (NPN).  It must produce a

++ * string in wire format -- a sequence of length-prefixed strings -- indicating

++ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb

++ * in OpenSSL for reference.

++ */

++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,

++                                     unsigned int *size_out, void *arg)

++{

++    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);

++    apr_array_header_t *protos;

++    int num_protos;

++    unsigned int size;

++    int i;

++    unsigned char *data;

++    unsigned char *start;

++

++    *data_out = NULL;

++    *size_out = 0;

++

++    /* If the connection object is not available, then there's nothing for us

++     * to do. */

++    if (c == NULL) {

++        return SSL_TLSEXT_ERR_OK;

++    }

++

++    /* Invoke our npn_advertise_protos hook, giving other modules a chance to

++     * add alternate protocol names to advertise. */

++    protos = apr_array_make(c->pool, 0, sizeof(char*));

++    modssl_run_npn_advertise_protos_hook(c, protos);

++    num_protos = protos->nelts;

++

++    /* We now have a list of null-terminated strings; we need to concatenate

++     * them together into a single string, where each protocol name is prefixed

++     * by its length.  First, calculate how long that string will be. */

++    size = 0;

++    for (i = 0; i < num_protos; ++i) {

++        const char *string = APR_ARRAY_IDX(protos, i, const char*);

++        unsigned int length = strlen(string);

++        /* If the protocol name is too long (the length must fit in one byte),

++         * then log an error and skip it. */

++        if (length > 255) {

++            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)

++                          "SSL NPN protocol name too long (length=%u): %s",

++                          length, string);

++            continue;

++        }

++        /* Leave room for the length prefix (one byte) plus the protocol name

++         * itself. */

++        size += 1 + length;

++    }

++

++    /* If there is nothing to advertise (either because no modules added

++     * anything to the protos array, or because all strings added to the array

++     * were skipped), then we're done. */

++    if (size == 0) {

++        return SSL_TLSEXT_ERR_OK;

++    }

++

++    /* Now we can build the string.  Copy each protocol name string into the

++     * larger string, prefixed by its length. */

++    data = apr_palloc(c->pool, size * sizeof(unsigned char));

++    start = data;

++    for (i = 0; i < num_protos; ++i) {

++        const char *string = APR_ARRAY_IDX(protos, i, const char*);

++        apr_size_t length = strlen(string);

++        if (length > 255)

++            continue;

++        *start = (unsigned char)length;

++        ++start;

++        memcpy(start, string, length * sizeof(unsigned char));

++        start += length;

++    }

++

++    /* Success. */

++    *data_out = data;

++    *size_out = size;

++    return SSL_TLSEXT_ERR_OK;

++}

++#endif

+diff -Naur httpd-2.4.3/modules/ssl/ssl_private.h httpd-2.4.3-1/modules/ssl/ssl_private.h

+--- httpd-2.4.3/modules/ssl/ssl_private.h	2012-08-05 15:48:40.000000000 +0200

++++ httpd-2.4.3-1/modules/ssl/ssl_private.h	2012-10-23 15:53:15.031424714 +0200

+@@ -139,6 +139,11 @@

+ #define HAVE_FIPS

+ #endif

+ 

++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \

++    && !defined(OPENSSL_NO_TLSEXT)

++#define HAVE_TLS_NPN

++#endif

++

+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000)

+ #define MODSSL_SSL_CIPHER_CONST const

+ #define MODSSL_SSL_METHOD_CONST const

+@@ -820,6 +825,7 @@

+ int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,

+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);

+ #endif

++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);

+ 

+ /**  Session Cache Support  */

+ void         ssl_scache_init(server_rec *, apr_pool_t *);