Bug 579311
Summary: | Support safe SSL renegotiation (RFC 5746) and related options (in Apache 2.2.15)
---|---
Product: | [Fedora] Fedora
Component: | httpd
Version: | 12
Status: | CLOSED ERRATA
Severity: | medium
Priority: | low
Hardware: | All
OS: | Linux
Reporter: | Matt McCutchen <matt>
Assignee: | Joe Orton <jorton>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | jorton, mvadkert, pahan, redhat-bugzilla, thoger
Keywords: | Reopened
Fixed In Version: | httpd-2.2.15-1.fc12.2
Doc Type: | Bug Fix
Last Closed: | 2010-05-31 18:25:21 UTC
Bug Depends On: | 588181
Bug Blocks: | 580997

Description
Matt McCutchen
2010-04-04 03:33:36 UTC

httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11

(In reply to comment #0)
> Support has been added in Apache 2.2.15. Please update or patch Apache in
> Fedora.

That is incorrect. httpd 2.2.15 does not add support for RFC 5746, you need updated openssl for that. mod_ssl in 2.2.15 does two things:
- refuses client-initiated renegotiation (does not require new openssl)
- adds SSLInsecureRenegotiation directive (this requires new openssl at build time to actually work, though looking at the build logs, old openssl was used on F11, 1.0.0-beta4 on F12 should be missing some bits too)

To reply to a question from bodhi:
- first upstream openssl release with RFC 5746 support is 0.9.8m
  http://marc.info/?l=openssl-dev&m=126712103527093&w=2
  there are already updated 0.9.8n packages in F11 testing
- for F12+ / openssl-1.0.0, 1.0.0-beta5 should have all httpd needs, so for F12, it needs openssl 1.0.0-1 or newer

(In reply to comment #5)
> - for F12+ / openssl-1.0.0, 1.0.0-beta5 should have all httpd needs, so for
> F12,
> it needs openssl 1.0.0-1 or newer

Unfortunately, openssl-1.0.0-1.fc12 is considered broken due to a multilib conflict (bug 579004), though that might not actually interfere with building against it.

Though httpd build against it will have to wait for it to enter stable / testing. There are two options:
- leave httpd 2.2.15 built against old openssl for now, SSLInsecureRenegotiation won't work (but based on comment #0, you don't really care)
- wait for openssl updates

In either case, openssl update is needed to actually get RFC support.

Understood. I would be inclined to wait for the openssl update.
I don't see much point in marking this bug fixed while leaving SSLInsecureRenegotiation broken; instead, I'll broaden this bug.

Buildroot override requested: https://fedorahosted.org/rel-eng/ticket/3584

httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

httpd-2.2.15-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

This is not fixed in F12 until an installable httpd update is pushed, which requires that an installable openssl update be pushed (bug 588181).
(I should have reopened this a long time ago.)

httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
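
The version thresholds discussed in this thread, as an added example that is not part of the bug report or of any Fedora tooling: it classifies an httpd/OpenSSL pairing using the statements above (0.9.8m on the 0.9.8 branch, 1.0.0-beta5 on the 1.0.0 branch, mod_ssl changes in 2.2.15). The function names are hypothetical, only upstream version strings are compared, distribution backports are not modelled, and the build-time and run-time OpenSSL are assumed to be the same version.

```python
import re

# Upstream version strings only, e.g. "0.9.8m", "1.0.0-beta4", "1.0.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)(\d+))?")


def parse_openssl_version(text):
    """Return a sortable key for an upstream OpenSSL version string.

    Also accepts the full `openssl version` line
    ("OpenSSL 0.9.8n 24 Mar 2010").
    """
    text = text.strip()
    if text.lower().startswith("openssl "):
        text = text.split()[1]
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters, pre, pre_n = m.groups()
    # A beta/pre build sorts before the final release with the same number.
    stage = (0, int(pre_n)) if pre else (1, 0)
    return (int(major), int(minor), int(fix)), letters, stage


def has_rfc5746(openssl_version):
    """True if the version meets the thresholds quoted in the thread."""
    key = parse_openssl_version(openssl_version)
    release = key[0]
    if release == (0, 9, 8):
        return key >= parse_openssl_version("0.9.8m")
    if release == (1, 0, 0):
        return key >= parse_openssl_version("1.0.0-beta5")
    return release > (1, 0, 0)


def renegotiation_status(httpd_version, openssl_version):
    """Summarise what the thread says a given pairing provides."""
    httpd = tuple(int(part) for part in httpd_version.split("."))
    new_mod_ssl = httpd >= (2, 2, 15)
    new_openssl = has_rfc5746(openssl_version)
    return {
        # Needs only the 2.2.15 mod_ssl, not a new OpenSSL.
        "refuses_client_initiated_renegotiation": new_mod_ssl,
        # The directive exists in 2.2.15 but needs new OpenSSL to work.
        "SSLInsecureRenegotiation_works": new_mod_ssl and new_openssl,
        # RFC 5746 itself comes from OpenSSL, not from httpd.
        "rfc5746_support": new_openssl,
    }
```
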