* [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
Change in V2:
apache2-2.4.7: added support for TLS Next Protocol Negotiation
The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
apache2-2.4.6 and conflicted with apache2-2.4.7; the 4/4 patch fixed the
conflict with 2.4.7.
//Hongxu
The following changes since commit 8089aa451827cb791c7d795b9899dc152d1ceb66:
vlc: Fix build with flac-1.3.0 (2014-02-24 10:10:25 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib hongxu/upgrade-apache2
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/upgrade-apache2
Hongxu Jia (1):
apache2-2.4.7: added support for TLS Next Protocol Negotiation
Paul Eggleton (3):
apache2: update to 2.4.7
modphp: upgrade to 5.5.8
phpmyadmin: update to 4.1.4
...he2-native_2.4.6.bb => apache2-native_2.4.7.bb} | 6 +-
.../apache-configure_perlbin.patch | 0
.../apache-ssl-ltmain-rpath.patch | 0
.../fix-libtool-name.patch | 0
.../httpd-2.4.1-corelimit.patch | 0
.../httpd-2.4.1-selinux.patch | 0
.../httpd-2.4.4-export.patch | 0
.../npn-patch-2.4.7.patch} | 111 +++++++++++++--------
.../replace-lynx-to-curl-in-apachectl-script.patch | 0
.../server-makefile.patch | 0
.../apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} | 8 +-
meta-webserver/recipes-php/modphp/modphp_5.5.2.bb | 7 --
meta-webserver/recipes-php/modphp/modphp_5.5.8.bb | 7 ++
.../{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} | 4 +-
14 files changed, 86 insertions(+), 57 deletions(-)
rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.6.bb => apache2-native_2.4.7.bb} (84%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-configure_perlbin.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-ssl-ltmain-rpath.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/fix-libtool-name.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-corelimit.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-selinux.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.4-export.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6/httpd-2.4.4-r1332643.patch => apache2/npn-patch-2.4.7.patch} (80%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/replace-lynx-to-curl-in-apachectl-script.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/server-makefile.patch (100%)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} (95%)
delete mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.2.bb
create mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.8.bb
rename meta-webserver/recipes-php/phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} (87%)
--
1.8.1.2
* [PATCH 1/4][meta-webserver] apache2: update to 2.4.7
From: Hongxu Jia @ 2014-02-27 3:22 UTC
To: openembedded-devel; +Cc: paul.eggleton
From: Paul Eggleton <paul.eggleton@linux.intel.com>
* LIC_FILES_CHKSUM changed because of the introduction of an extra blank line in the LICENSE file (!)
* Drop httpd-2.4.4-r1332643.patch - it no longer applies and was dropped in Fedora on the 2.4.7 upgrade.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> --- .../apache2-2.4.6/httpd-2.4.4-r1332643.patch | 260 --------------------- ...he2-native_2.4.6.bb => apache2-native_2.4.7.bb} | 6 +- .../apache-configure_perlbin.patch | 0 .../apache-ssl-ltmain-rpath.patch | 0 .../fix-libtool-name.patch | 0 .../httpd-2.4.1-corelimit.patch | 0 .../httpd-2.4.1-selinux.patch | 0 .../httpd-2.4.4-export.patch | 0 .../replace-lynx-to-curl-in-apachectl-script.patch | 0 .../server-makefile.patch | 0 .../apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} | 7 +- 11 files changed, 6 insertions(+), 267 deletions(-) delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.6.bb => apache2-native_2.4.7.bb} (84%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-configure_perlbin.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/apache-ssl-ltmain-rpath.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/fix-libtool-name.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-corelimit.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.1-selinux.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/httpd-2.4.4-export.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/replace-lynx-to-curl-in-apachectl-script.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2-2.4.6 => apache2}/server-makefile.patch (100%) rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.6.bb => apache2_2.4.7.bb} (95%) diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch b/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch deleted file mode 100644 index ba28231..0000000 
--- a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-r1332643.patch +++ /dev/null 
@@ -1,260 +0,0 @@ -Add support for TLS Next Protocol Negotiation: - -* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new - hooks for next protocol advertisement/discovery. - -* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable - NPN advertisement callback in handshake. - -* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke - next-protocol discovery hook. - -* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): - New callback. - -* modules/ssl/ssl_private.h: Add prototype. - -Submitted by: Matthew Steele <mdsteele google.com> - with slight tweaks by jorton - -https://bugzilla.redhat.com//show_bug.cgi?id=809599 - -http://svn.apache.org/viewvc?view=revision&revision=1332643 - -Upstream-Status: Backport - ---- httpd-2.4.4/modules/ssl/ssl_private.h -+++ httpd-2.4.4/modules/ssl/ssl_private.h -@@ -139,6 +139,11 @@ - #define HAVE_FIPS - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ -+ && !defined(OPENSSL_NO_TLSEXT) -+#define HAVE_TLS_NPN -+#endif -+ - #if (OPENSSL_VERSION_NUMBER >= 0x10000000) - #define MODSSL_SSL_CIPHER_CONST const - #define MODSSL_SSL_METHOD_CONST const -@@ -840,6 +845,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); - int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, - EVP_CIPHER_CTX *, HMAC_CTX *, int); - #endif -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); - - /** Session Cache Support */ - void ssl_scache_init(server_rec *, apr_pool_t *); ---- httpd-2.4.4/modules/ssl/mod_ssl.c -+++ httpd-2.4.4/modules/ssl/mod_ssl.c -@@ -272,6 +272,18 @@ static const command_rec ssl_config_cmds[] = { - AP_END_CMD - }; - -+/* Implement 'modssl_run_npn_advertise_protos_hook'. 
*/ -+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( -+ modssl, AP, int, npn_advertise_protos_hook, -+ (conn_rec *connection, apr_array_header_t *protos), -+ (connection, protos), OK, DECLINED); -+ -+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ -+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( -+ modssl, AP, int, npn_proto_negotiated_hook, -+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), -+ (connection, proto_name, proto_name_len), OK, DECLINED); -+ - /* - * the various processing hooks - */ ---- httpd-2.4.4/modules/ssl/mod_ssl.h -+++ httpd-2.4.4/modules/ssl/mod_ssl.h -@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); - - APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); - -+/** The npn_advertise_protos optional hook allows other modules to add entries -+ * to the list of protocol names advertised by the server during the Next -+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is -+ * given the connection and an APR array; it should push one or more char*'s -+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto -+ * the array and return OK, or do nothing and return DECLINED. */ -+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, -+ (conn_rec *connection, apr_array_header_t *protos)); -+ -+/** The npn_proto_negotiated optional hook allows other modules to discover the -+ * name of the protocol that was chosen during the Next Protocol Negotiation -+ * (NPN) portion of the SSL handshake. Note that this may be the empty string -+ * (in which case modules should probably assume HTTP), or it may be a protocol -+ * that was never even advertised by the server. The hook callee is given the -+ * connection, a non-null-terminated string containing the protocol name, and -+ * the length of the string; it should do something appropriate (i.e. insert or -+ * remove filters) and return OK, or do nothing and return DECLINED. 
*/ -+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, -+ (conn_rec *connection, const char *proto_name, -+ apr_size_t proto_name_len)); -+ - #endif /* __MOD_SSL_H__ */ - /** @} */ ---- httpd-2.4.4/modules/ssl/ssl_engine_init.c -+++ httpd-2.4.4/modules/ssl/ssl_engine_init.c -@@ -725,6 +725,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, - #endif - - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); -+ -+#ifdef HAVE_TLS_NPN -+ SSL_CTX_set_next_protos_advertised_cb( -+ ctx, ssl_callback_AdvertiseNextProtos, NULL); -+#endif - } - - static void ssl_init_ctx_verify(server_rec *s, ---- httpd-2.4.4/modules/ssl/ssl_engine_io.c -+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c -@@ -28,6 +28,7 @@ - core keeps dumping.'' - -- Unknown */ - #include "ssl_private.h" -+#include "mod_ssl.h" - #include "apr_date.h" - - /* _________________________________________________________________ -@@ -297,6 +298,7 @@ typedef struct { - apr_pool_t *pool; - char buffer[AP_IOBUFSIZE]; - ssl_filter_ctx_t *filter_ctx; -+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ - } bio_filter_in_ctx_t; - - /* -@@ -1385,6 +1387,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, - APR_BRIGADE_INSERT_TAIL(bb, bucket); - } - -+#ifdef HAVE_TLS_NPN -+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if -+ * our version of OpenSSL supports it). If we haven't already, find out -+ * which protocol was decided upon and inform other modules by calling -+ * npn_proto_negotiated_hook. 
*/ -+ if (!inctx->npn_finished) { -+ const unsigned char *next_proto = NULL; -+ unsigned next_proto_len = 0; -+ -+ SSL_get0_next_proto_negotiated( -+ inctx->ssl, &next_proto, &next_proto_len); -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, -+ "SSL NPN negotiated protocol: '%s'", -+ apr_pstrmemdup(f->c->pool, (const char*)next_proto, -+ next_proto_len)); -+ modssl_run_npn_proto_negotiated_hook( -+ f->c, (const char*)next_proto, next_proto_len); -+ inctx->npn_finished = 1; -+ } -+#endif -+ - return APR_SUCCESS; - } - -@@ -1866,6 +1889,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, - inctx->block = APR_BLOCK_READ; - inctx->pool = c->pool; - inctx->filter_ctx = filter_ctx; -+ inctx->npn_finished = 0; - } - - /* The request_rec pointer is passed in here only to ensure that the ---- httpd-2.4.4/modules/ssl/ssl_engine_kernel.c -+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c -@@ -29,6 +29,7 @@ - time I was too famous.'' - -- Unknown */ - #include "ssl_private.h" -+#include "mod_ssl.h" - #include "util_md5.h" - - static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); -@@ -2186,3 +2187,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) - } - - #endif /* OPENSSL_NO_SRP */ -+ -+#ifdef HAVE_TLS_NPN -+/* -+ * This callback function is executed when SSL needs to decide what protocols -+ * to advertise during Next Protocol Negotiation (NPN). It must produce a -+ * string in wire format -- a sequence of length-prefixed strings -- indicating -+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb -+ * in OpenSSL for reference. 
-+ */ -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, -+ unsigned int *size_out, void *arg) -+{ -+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); -+ apr_array_header_t *protos; -+ int num_protos; -+ unsigned int size; -+ int i; -+ unsigned char *data; -+ unsigned char *start; -+ -+ *data_out = NULL; -+ *size_out = 0; -+ -+ /* If the connection object is not available, then there's nothing for us -+ * to do. */ -+ if (c == NULL) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to -+ * add alternate protocol names to advertise. */ -+ protos = apr_array_make(c->pool, 0, sizeof(char*)); -+ modssl_run_npn_advertise_protos_hook(c, protos); -+ num_protos = protos->nelts; -+ -+ /* We now have a list of null-terminated strings; we need to concatenate -+ * them together into a single string, where each protocol name is prefixed -+ * by its length. First, calculate how long that string will be. */ -+ size = 0; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ unsigned int length = strlen(string); -+ /* If the protocol name is too long (the length must fit in one byte), -+ * then log an error and skip it. */ -+ if (length > 255) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, -+ "SSL NPN protocol name too long (length=%u): %s", -+ length, string); -+ continue; -+ } -+ /* Leave room for the length prefix (one byte) plus the protocol name -+ * itself. */ -+ size += 1 + length; -+ } -+ -+ /* If there is nothing to advertise (either because no modules added -+ * anything to the protos array, or because all strings added to the array -+ * were skipped), then we're done. */ -+ if (size == 0) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Now we can build the string. Copy each protocol name string into the -+ * larger string, prefixed by its length. 
*/ -+ data = apr_palloc(c->pool, size * sizeof(unsigned char)); -+ start = data; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ apr_size_t length = strlen(string); -+ *start = (unsigned char)length; -+ ++start; -+ memcpy(start, string, length * sizeof(unsigned char)); -+ start += length; -+ } -+ -+ /* Success. */ -+ *data_out = data; -+ *size_out = size; -+ return SSL_TLSEXT_ERR_OK; -+} -+#endif diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb similarity index 84% rename from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb rename to meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb index 6efd469..bd935eb 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.6.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.7.bb @@ -12,9 +12,9 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2" S = "${WORKDIR}/httpd-${PV}" -LIC_FILES_CHKSUM = "file://LICENSE;md5=eff226ae95d0516d6210ed77dfdf2dcc" -SRC_URI[md5sum] = "ea5e361ca37b8d7853404419dd502efe" -SRC_URI[sha256sum] = "dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea" +LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" +SRC_URI[md5sum] = "170d7fb6fe5f28b87d1878020a9ab94e" +SRC_URI[sha256sum] = "64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b" do_configure () { ./configure --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-configure_perlbin.patch rename to meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-ssl-ltmain-rpath.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/apache-ssl-ltmain-rpath.patch rename to meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/fix-libtool-name.patch b/meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/fix-libtool-name.patch rename to meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-corelimit.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-corelimit.patch rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-selinux.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.1-selinux.patch rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-export.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/httpd-2.4.4-export.patch rename to meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/replace-lynx-to-curl-in-apachectl-script.patch rename to meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2-2.4.6/server-makefile.patch b/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch similarity index 100% rename from meta-webserver/recipes-httpd/apache2/apache2-2.4.6/server-makefile.patch rename to meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb similarity index 95% rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb index cc88fac..f23776f 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.6.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb @@ -11,7 +11,6 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ file://httpd-2.4.1-corelimit.patch \ file://httpd-2.4.4-export.patch \ file://httpd-2.4.1-selinux.patch \ - file://httpd-2.4.4-r1332643.patch \ file://apache-configure_perlbin.patch \ file://replace-lynx-to-curl-in-apachectl-script.patch \ file://apache-ssl-ltmain-rpath.patch \ 
@@ -19,9 +18,9 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ file://init \ file://apache2-volatile.conf" -LIC_FILES_CHKSUM = "file://LICENSE;md5=eff226ae95d0516d6210ed77dfdf2dcc" -SRC_URI[md5sum] = "ea5e361ca37b8d7853404419dd502efe" -SRC_URI[sha256sum] = "dc9f3625ebc08bea55eeb0d16e71fba656f252e6cd0aa244ee7806dc3b022fea" +LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" +SRC_URI[md5sum] = "170d7fb6fe5f28b87d1878020a9ab94e" +SRC_URI[sha256sum] = "64368d8301836815ae237f2b62d909711c896c1bd34573771e0ee5ad808ce71b" S = "${WORKDIR}/httpd-${PV}" -- 1.8.1.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
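Review bot: The checksum hunks in apache2-native_2.4.7.bb and apache2_2.4.7.bb replace SRC_URI[md5sum] and SRC_URI[sha256sum] while SRC_URI still fetches httpd-${PV}.tar.bz2 from http://www.apache.org/dist/httpd/ over plain HTTP, so the new sha256sum is the only thing pinning what gets built. The commit message explains the LIC_FILES_CHKSUM change but not where the new tarball digests came from. Please state in the message that they were checked against the digests or signature published with the 2.4.7 release, and consider noting that the same two values are duplicated in both recipes so they are updated together on the next bump.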
* [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia 2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia @ 2014-02-27 3:22 ` Hongxu Jia 2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia ` (2 subsequent siblings) 4 siblings, 0 replies; 10+ messages in thread From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw) To: openembedded-devel; +Cc: paul.eggleton From: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> --- meta-webserver/recipes-php/modphp/modphp_5.5.2.bb | 7 ------- meta-webserver/recipes-php/modphp/modphp_5.5.8.bb | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.2.bb create mode 100644 meta-webserver/recipes-php/modphp/modphp_5.5.8.bb diff --git a/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb b/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb deleted file mode 100644 index 3c23242..0000000 --- a/meta-webserver/recipes-php/modphp/modphp_5.5.2.bb +++ /dev/null @@ -1,7 +0,0 @@ -include modphp5.inc - -EXTRA_OECONF += "--disable-opcache" - -SRC_URI[md5sum] = "caf7f4d86514a568fb3c8021b096a9f0" -SRC_URI[sha256sum] = "e72aaf1fa96eac0bff127bfc74c174d1de50cd3f66d7e0e1ee919674ab463bb7" - diff --git a/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb b/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb new file mode 100644 index 0000000..04925fb --- /dev/null +++ b/meta-webserver/recipes-php/modphp/modphp_5.5.8.bb @@ -0,0 +1,7 @@ +include modphp5.inc + +EXTRA_OECONF += "--disable-opcache" + +SRC_URI[md5sum] = "42fe814a3cbbf34b21a2c39f66ee0001" +SRC_URI[sha256sum] = "6d5f45659d13383fc8429f185cc9da0b30c7bb72dcae9baf568f0511eb7f8b68" + -- 1.8.1.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
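Review bot: In the new modphp_5.5.8.bb, EXTRA_OECONF += "--disable-opcache" is carried over from the deleted 5.5.2 recipe with no comment, and the commit message has no body, so nothing records why opcache stays disabled or whether that was re-evaluated for 5.5.8. Add a one-line comment above the option giving the reason. The recipe also sets no LIC_FILES_CHKSUM of its own and only includes modphp5.inc, so it relies on the value declared there still matching the 5.5.8 sources; a sentence in the message confirming that was checked would help.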
* [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia 2014-02-27 3:22 ` [PATCH 1/4][meta-webserver] apache2: update to 2.4.7 Hongxu Jia 2014-02-27 3:22 ` [PATCH 2/4][meta-webserver] modphp: upgrade to 5.5.8 Hongxu Jia @ 2014-02-27 3:22 ` Hongxu Jia 2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia 2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton 4 siblings, 0 replies; 10+ messages in thread From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw) To: openembedded-devel; +Cc: paul.eggleton From: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> --- .../phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-webserver/recipes-php/phpmyadmin/{phpmyadmin_4.0.5.bb => phpmyadmin_4.1.4.bb} (87%) diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb similarity index 87% rename from meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb rename to meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb index f97dc91..c2bc8bb 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.0.5.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.1.4.bb 
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \ SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \ file://apache.conf" -SRC_URI[md5sum] = "5cc493908d09df1760c7cdcd1622ebf7" -SRC_URI[sha256sum] = "f4df1190441ce5e094183cfadf8aec4af3a4f131339599e6380a1c6ac0a11fe4" +SRC_URI[md5sum] = "9802ba0a7ee6afd8941dc8d0af589913" +SRC_URI[sha256sum] = "4bd23cda85b3ac4e44a1e472a461638230020af78bd03d7178f60d55b8bb1331" S = "${WORKDIR}/phpMyAdmin-${PV}-all-languages" -- 1.8.1.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation 2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia ` (2 preceding siblings ...) 2014-02-27 3:22 ` [PATCH 3/4][meta-webserver] phpmyadmin: update to 4.1.4 Hongxu Jia @ 2014-02-27 3:22 ` Hongxu Jia 2014-02-27 19:08 ` Randy MacLeod 2014-02-27 9:47 ` [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Paul Eggleton 4 siblings, 1 reply; 10+ messages in thread From: Hongxu Jia @ 2014-02-27 3:22 UTC (permalink / raw) To: openembedded-devel; +Cc: paul.eggleton The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the confliction with 2.4.7. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++ .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 + 2 files changed, 290 insertions(+) create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch new file mode 100644 index 0000000..a4f1855 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch 
@@ -0,0 +1,289 @@ +Add support for TLS Next Protocol Negotiation: + +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new + hooks for next protocol advertisement/discovery. + +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable + NPN advertisement callback in handshake. + +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke + next-protocol discovery hook. + +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): + New callback. + +* modules/ssl/ssl_private.h: Add prototype. + +Submitted by: Matthew Steele <mdsteele google.com> + with slight tweaks by jorton + +http://svn.apache.org/viewvc?view=revision&revision=1332643 +https://bugzilla.redhat.com//show_bug.cgi?id=809599 +Upstream-Status: Backport +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + CHANGES | 2 + + modules/ssl/mod_ssl.c | 12 ++++++ + modules/ssl/mod_ssl.h | 21 +++++++++++ + modules/ssl/ssl_engine_init.c | 5 +++ + modules/ssl/ssl_engine_io.c | 24 ++++++++++++ + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++ + modules/ssl/ssl_private.h | 6 +++ + 7 files changed, 152 insertions(+) + +diff --git a/CHANGES b/CHANGES +--- a/CHANGES ++++ b/CHANGES +@@ -1,6 +1,8 @@ + -*- coding: utf-8 -*- + + Changes with Apache 2.4.7 ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. ++ [Matthew Steele <mdsteele google.com>] + + *) APR 1.5.0 or later is now required for the event MPM. + +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = { + AP_END_CMD + }; + ++/* Implement 'modssl_run_npn_advertise_protos_hook'. */ ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( ++ modssl, AP, int, npn_advertise_protos_hook, ++ (conn_rec *connection, apr_array_header_t *protos), ++ (connection, protos), OK, DECLINED); ++ ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. 
*/ ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( ++ modssl, AP, int, npn_proto_negotiated_hook, ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), ++ (connection, proto_name, proto_name_len), OK, DECLINED); ++ + /* + * the various processing hooks + */ +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h +--- a/modules/ssl/mod_ssl.h ++++ b/modules/ssl/mod_ssl.h +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); + + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + ++/** The npn_advertise_protos optional hook allows other modules to add entries ++ * to the list of protocol names advertised by the server during the Next ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is ++ * given the connection and an APR array; it should push one or more char*'s ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto ++ * the array and return OK, or do nothing and return DECLINED. */ ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, ++ (conn_rec *connection, apr_array_header_t *protos)); ++ ++/** The npn_proto_negotiated optional hook allows other modules to discover the ++ * name of the protocol that was chosen during the Next Protocol Negotiation ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string ++ * (in which case modules should probably assume HTTP), or it may be a protocol ++ * that was never even advertised by the server. The hook callee is given the ++ * connection, a non-null-terminated string containing the protocol name, and ++ * the length of the string; it should do something appropriate (i.e. insert or ++ * remove filters) and return OK, or do nothing and return DECLINED. 
*/ ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, ++ (conn_rec *connection, const char *proto_name, ++ apr_size_t proto_name_len)); ++ + #endif /* __MOD_SSL_H__ */ + /** @} */ +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); ++ ++#ifdef HAVE_TLS_NPN ++ SSL_CTX_set_next_protos_advertised_cb( ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); ++#endif + } + + static void ssl_init_ctx_verify(server_rec *s, +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -28,6 +28,7 @@ + core keeps dumping.'' + -- Unknown */ + #include "ssl_private.h" ++#include "mod_ssl.h" + #include "apr_date.h" + + /* _________________________________________________________________ +@@ -297,6 +298,7 @@ typedef struct { + apr_pool_t *pool; + char buffer[AP_IOBUFSIZE]; + ssl_filter_ctx_t *filter_ctx; ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ + } bio_filter_in_ctx_t; + + /* +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, + APR_BRIGADE_INSERT_TAIL(bb, bucket); + } + ++#ifdef HAVE_TLS_NPN ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if ++ * our version of OpenSSL supports it). If we haven't already, find out ++ * which protocol was decided upon and inform other modules by calling ++ * npn_proto_negotiated_hook. 
*/ ++ if (!inctx->npn_finished) { ++ const unsigned char *next_proto = NULL; ++ unsigned next_proto_len = 0; ++ ++ SSL_get0_next_proto_negotiated( ++ inctx->ssl, &next_proto, &next_proto_len); ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, ++ "SSL NPN negotiated protocol: '%s'", ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto, ++ next_proto_len)); ++ modssl_run_npn_proto_negotiated_hook( ++ f->c, (const char*)next_proto, next_proto_len); ++ inctx->npn_finished = 1; ++ } ++#endif ++ + return APR_SUCCESS; + } + +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, + inctx->block = APR_BLOCK_READ; + inctx->pool = c->pool; + inctx->filter_ctx = filter_ctx; ++ inctx->npn_finished = 0; + } + + /* The request_rec pointer is passed in here only to ensure that the +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -29,6 +29,7 @@ + time I was too famous.'' + -- Unknown */ + #include "ssl_private.h" ++#include "mod_ssl.h" + #include "util_md5.h" + + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) + } + + #endif /* HAVE_SRP */ ++ ++#ifdef HAVE_TLS_NPN ++/* ++ * This callback function is executed when SSL needs to decide what protocols ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a ++ * string in wire format -- a sequence of length-prefixed strings -- indicating ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb ++ * in OpenSSL for reference. 
++ */ ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, ++ unsigned int *size_out, void *arg) ++{ ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); ++ apr_array_header_t *protos; ++ int num_protos; ++ unsigned int size; ++ int i; ++ unsigned char *data; ++ unsigned char *start; ++ ++ *data_out = NULL; ++ *size_out = 0; ++ ++ /* If the connection object is not available, then there's nothing for us ++ * to do. */ ++ if (c == NULL) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to ++ * add alternate protocol names to advertise. */ ++ protos = apr_array_make(c->pool, 0, sizeof(char*)); ++ modssl_run_npn_advertise_protos_hook(c, protos); ++ num_protos = protos->nelts; ++ ++ /* We now have a list of null-terminated strings; we need to concatenate ++ * them together into a single string, where each protocol name is prefixed ++ * by its length. First, calculate how long that string will be. */ ++ size = 0; ++ for (i = 0; i < num_protos; ++i) { ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); ++ unsigned int length = strlen(string); ++ /* If the protocol name is too long (the length must fit in one byte), ++ * then log an error and skip it. */ ++ if (length > 255) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, ++ "SSL NPN protocol name too long (length=%u): %s", ++ length, string); ++ continue; ++ } ++ /* Leave room for the length prefix (one byte) plus the protocol name ++ * itself. */ ++ size += 1 + length; ++ } ++ ++ /* If there is nothing to advertise (either because no modules added ++ * anything to the protos array, or because all strings added to the array ++ * were skipped), then we're done. */ ++ if (size == 0) { ++ return SSL_TLSEXT_ERR_OK; ++ } ++ ++ /* Now we can build the string. Copy each protocol name string into the ++ * larger string, prefixed by its length. 
*/ ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); ++ start = data; ++ for (i = 0; i < num_protos; ++i) { ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); ++ apr_size_t length = strlen(string); ++ *start = (unsigned char)length; ++ ++start; ++ memcpy(start, string, length * sizeof(unsigned char)); ++ start += length; ++ } ++ ++ /* Success. */ ++ *data_out = data; ++ *size_out = size; ++ return SSL_TLSEXT_ERR_OK; ++} ++#endif /* HAVE_TLS_NPN */ +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -123,6 +123,11 @@ + #define MODSSL_SSL_METHOD_CONST + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ ++ && !defined(OPENSSL_NO_TLSEXT) ++#define HAVE_TLS_NPN ++#endif ++ + #if defined(OPENSSL_FIPS) + #define HAVE_FIPS + #endif +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, + EVP_CIPHER_CTX *, HMAC_CTX *, int); + #endif ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); + + /** Session Cache Support */ + void ssl_scache_init(server_rec *, apr_pool_t *); +-- +1.8.1.2 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb index f23776f..3c038a9 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ file://replace-lynx-to-curl-in-apachectl-script.patch \ file://apache-ssl-ltmain-rpath.patch \ file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ + file://npn-patch-2.4.7.patch \ file://init \ file://apache2-volatile.conf" -- 1.8.1.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
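Review bot: in ssl_callback_AdvertiseNextProtos (modules/ssl/ssl_engine_kernel.c) the second loop, the one that copies into `data`, does not repeat the `length > 255` skip from the sizing loop. A name that was logged and left out of `size` is still copied, so `memcpy` writes past the `size`-byte `apr_palloc` buffer, and `(unsigned char)length` truncates its prefix byte. Repeat `if (length > 255) continue;` in the copy loop, or filter the names once into a validated array and build the wire string from that. A zero-length name passes both loops and produces a bare 0 prefix byte; consider skipping it under the same check.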
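Review bot: in the ssl_io_filter_input hunk (modules/ssl/ssl_engine_io.c), `next_proto` is initialised to NULL and handed to `modssl_run_npn_proto_negotiated_hook` with no check that `SSL_get0_next_proto_negotiated` filled it in, so a callee can receive a NULL pointer with length 0, while the mod_ssl.h comment only describes "the empty string". Either document that `proto_name` may be NULL when `proto_name_len` is 0, or substitute "" before running the hook. That comment also says the name is not null-terminated and may be one the server never advertised, so it is worth stating there that callees must compare it by length against the names they registered before inserting or removing filters.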
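Review bot: in the second modules/ssl/ssl_private.h hunk, the `ssl_callback_AdvertiseNextProtos` prototype is added after the `#endif` with no `HAVE_TLS_NPN` guard of its own, while the definition in ssl_engine_kernel.c and the registration in ssl_engine_init.c are both inside `#ifdef HAVE_TLS_NPN`. Wrapping the prototype in the same guard keeps the declaration from outliving the definition on builds without NPN. The line is also much longer than the prototypes around it and could be wrapped the way `ssl_callback_SessionTicket` is.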
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
@ 2014-02-27 19:08 ` Randy MacLeod
2014-02-28 10:21 ` Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Randy MacLeod @ 2014-02-27 19:08 UTC (permalink / raw)
To: Hongxu Jia, openembedded-devel; +Cc: paul.eggleton
On 14-02-26 10:22 PM, Hongxu Jia wrote:
> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
> confliction with 2.4.7.

Hongxu,

Thanks, that's a good step. Even better would be to add the
apache module that supports SPDY and confirm that it works
with your desktop (google-chrome) browser.

See:
http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
and
https://code.google.com/p/mod-spdy/wiki/GettingStarted

It doesn't seem to be a huge task but let us know what you find out.

../Randy

>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
> 2 files changed, 290 insertions(+)
> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>
> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch > new file mode 100644 > index 0000000..a4f1855 > --- /dev/null > +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
> @@ -0,0 +1,289 @@ > +Add support for TLS Next Protocol Negotiation: > + > +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new > + hooks for next protocol advertisement/discovery. > + > +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable > + NPN advertisement callback in handshake. > + > +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke > + next-protocol discovery hook. > + > +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): > + New callback. > + > +* modules/ssl/ssl_private.h: Add prototype. > + > +Submitted by: Matthew Steele <mdsteele google.com> > + with slight tweaks by jorton > + > +http://svn.apache.org/viewvc?view=revision&revision=1332643 > +https://bugzilla.redhat.com//show_bug.cgi?id=809599 > +Upstream-Status: Backport > +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > +--- > + CHANGES | 2 + > + modules/ssl/mod_ssl.c | 12 ++++++ > + modules/ssl/mod_ssl.h | 21 +++++++++++ > + modules/ssl/ssl_engine_init.c | 5 +++ > + modules/ssl/ssl_engine_io.c | 24 ++++++++++++ > + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++ > + modules/ssl/ssl_private.h | 6 +++ > + 7 files changed, 152 insertions(+) > + > +diff --git a/CHANGES b/CHANGES > +--- a/CHANGES > ++++ b/CHANGES > +@@ -1,6 +1,8 @@ > + -*- coding: utf-8 -*- > + > + Changes with Apache 2.4.7 > ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. > ++ [Matthew Steele <mdsteele google.com>] > + > + *) APR 1.5.0 or later is now required for the event MPM. > + > +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c > +--- a/modules/ssl/mod_ssl.c > ++++ b/modules/ssl/mod_ssl.c > +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = { > + AP_END_CMD > + }; > + > ++/* Implement 'modssl_run_npn_advertise_protos_hook'. 
*/ > ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( > ++ modssl, AP, int, npn_advertise_protos_hook, > ++ (conn_rec *connection, apr_array_header_t *protos), > ++ (connection, protos), OK, DECLINED); > ++ > ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ > ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( > ++ modssl, AP, int, npn_proto_negotiated_hook, > ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), > ++ (connection, proto_name, proto_name_len), OK, DECLINED); > ++ > + /* > + * the various processing hooks > + */ > +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h > +--- a/modules/ssl/mod_ssl.h > ++++ b/modules/ssl/mod_ssl.h > +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); > + > + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); > + > ++/** The npn_advertise_protos optional hook allows other modules to add entries > ++ * to the list of protocol names advertised by the server during the Next > ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is > ++ * given the connection and an APR array; it should push one or more char*'s > ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto > ++ * the array and return OK, or do nothing and return DECLINED. */ > ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, > ++ (conn_rec *connection, apr_array_header_t *protos)); > ++ > ++/** The npn_proto_negotiated optional hook allows other modules to discover the > ++ * name of the protocol that was chosen during the Next Protocol Negotiation > ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string > ++ * (in which case modules should probably assume HTTP), or it may be a protocol > ++ * that was never even advertised by the server. 
The hook callee is given the > ++ * connection, a non-null-terminated string containing the protocol name, and > ++ * the length of the string; it should do something appropriate (i.e. insert or > ++ * remove filters) and return OK, or do nothing and return DECLINED. */ > ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, > ++ (conn_rec *connection, const char *proto_name, > ++ apr_size_t proto_name_len)); > ++ > + #endif /* __MOD_SSL_H__ */ > + /** @} */ > +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c > +--- a/modules/ssl/ssl_engine_init.c > ++++ b/modules/ssl/ssl_engine_init.c > +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, > + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); > + > + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); > ++ > ++#ifdef HAVE_TLS_NPN > ++ SSL_CTX_set_next_protos_advertised_cb( > ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); > ++#endif > + } > + > + static void ssl_init_ctx_verify(server_rec *s, > +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c > +--- a/modules/ssl/ssl_engine_io.c > ++++ b/modules/ssl/ssl_engine_io.c > +@@ -28,6 +28,7 @@ > + core keeps dumping.'' > + -- Unknown */ > + #include "ssl_private.h" > ++#include "mod_ssl.h" > + #include "apr_date.h" > + > + /* _________________________________________________________________ > +@@ -297,6 +298,7 @@ typedef struct { > + apr_pool_t *pool; > + char buffer[AP_IOBUFSIZE]; > + ssl_filter_ctx_t *filter_ctx; > ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ > + } bio_filter_in_ctx_t; > + > + /* > +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, > + APR_BRIGADE_INSERT_TAIL(bb, bucket); > + } > + > ++#ifdef HAVE_TLS_NPN > ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if > ++ * our version of OpenSSL supports it). 
If we haven't already, find out > ++ * which protocol was decided upon and inform other modules by calling > ++ * npn_proto_negotiated_hook. */ > ++ if (!inctx->npn_finished) { > ++ const unsigned char *next_proto = NULL; > ++ unsigned next_proto_len = 0; > ++ > ++ SSL_get0_next_proto_negotiated( > ++ inctx->ssl, &next_proto, &next_proto_len); > ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, > ++ "SSL NPN negotiated protocol: '%s'", > ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto, > ++ next_proto_len)); > ++ modssl_run_npn_proto_negotiated_hook( > ++ f->c, (const char*)next_proto, next_proto_len); > ++ inctx->npn_finished = 1; > ++ } > ++#endif > ++ > + return APR_SUCCESS; > + } > + > +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, > + inctx->block = APR_BLOCK_READ; > + inctx->pool = c->pool; > + inctx->filter_ctx = filter_ctx; > ++ inctx->npn_finished = 0; > + } > + > + /* The request_rec pointer is passed in here only to ensure that the > +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c > +--- a/modules/ssl/ssl_engine_kernel.c > ++++ b/modules/ssl/ssl_engine_kernel.c > +@@ -29,6 +29,7 @@ > + time I was too famous.'' > + -- Unknown */ > + #include "ssl_private.h" > ++#include "mod_ssl.h" > + #include "util_md5.h" > + > + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); > +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) > + } > + > + #endif /* HAVE_SRP */ > ++ > ++#ifdef HAVE_TLS_NPN > ++/* > ++ * This callback function is executed when SSL needs to decide what protocols > ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a > ++ * string in wire format -- a sequence of length-prefixed strings -- indicating > ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb > ++ * in OpenSSL for reference. 
> ++ */ > ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, > ++ unsigned int *size_out, void *arg) > ++{ > ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); > ++ apr_array_header_t *protos; > ++ int num_protos; > ++ unsigned int size; > ++ int i; > ++ unsigned char *data; > ++ unsigned char *start; > ++ > ++ *data_out = NULL; > ++ *size_out = 0; > ++ > ++ /* If the connection object is not available, then there's nothing for us > ++ * to do. */ > ++ if (c == NULL) { > ++ return SSL_TLSEXT_ERR_OK; > ++ } > ++ > ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to > ++ * add alternate protocol names to advertise. */ > ++ protos = apr_array_make(c->pool, 0, sizeof(char*)); > ++ modssl_run_npn_advertise_protos_hook(c, protos); > ++ num_protos = protos->nelts; > ++ > ++ /* We now have a list of null-terminated strings; we need to concatenate > ++ * them together into a single string, where each protocol name is prefixed > ++ * by its length. First, calculate how long that string will be. */ > ++ size = 0; > ++ for (i = 0; i < num_protos; ++i) { > ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); > ++ unsigned int length = strlen(string); > ++ /* If the protocol name is too long (the length must fit in one byte), > ++ * then log an error and skip it. */ > ++ if (length > 255) { > ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, > ++ "SSL NPN protocol name too long (length=%u): %s", > ++ length, string); > ++ continue; > ++ } > ++ /* Leave room for the length prefix (one byte) plus the protocol name > ++ * itself. */ > ++ size += 1 + length; > ++ } > ++ > ++ /* If there is nothing to advertise (either because no modules added > ++ * anything to the protos array, or because all strings added to the array > ++ * were skipped), then we're done. */ > ++ if (size == 0) { > ++ return SSL_TLSEXT_ERR_OK; > ++ } > ++ > ++ /* Now we can build the string. 
Copy each protocol name string into the > ++ * larger string, prefixed by its length. */ > ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); > ++ start = data; > ++ for (i = 0; i < num_protos; ++i) { > ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); > ++ apr_size_t length = strlen(string); > ++ *start = (unsigned char)length; > ++ ++start; > ++ memcpy(start, string, length * sizeof(unsigned char)); > ++ start += length; > ++ } > ++ > ++ /* Success. */ > ++ *data_out = data; > ++ *size_out = size; > ++ return SSL_TLSEXT_ERR_OK; > ++} > ++#endif /* HAVE_TLS_NPN */ > +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h > +--- a/modules/ssl/ssl_private.h > ++++ b/modules/ssl/ssl_private.h > +@@ -123,6 +123,11 @@ > + #define MODSSL_SSL_METHOD_CONST > + #endif > + > ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ > ++ && !defined(OPENSSL_NO_TLSEXT) > ++#define HAVE_TLS_NPN > ++#endif > ++ > + #if defined(OPENSSL_FIPS) > + #define HAVE_FIPS > + #endif > +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); > + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, > + EVP_CIPHER_CTX *, HMAC_CTX *, int); > + #endif > ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); > + > + /** Session Cache Support */ > + void ssl_scache_init(server_rec *, apr_pool_t *); > +-- > +1.8.1.2 > + > diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb > index f23776f..3c038a9 100644 > --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb > +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb 
> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ > file://replace-lynx-to-curl-in-apachectl-script.patch \ > file://apache-ssl-ltmain-rpath.patch \ > file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ > + file://npn-patch-2.4.7.patch \ > file://init \ > file://apache2-volatile.conf" > > -- # Randy MacLeod. SMTS, Linux, Wind River Direct: 613.963.1350 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-27 19:08 ` Randy MacLeod
@ 2014-02-28 10:21 ` Hongxu Jia
2014-02-28 17:17 ` Khem Raj
0 siblings, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2014-02-28 10:21 UTC (permalink / raw)
To: Randy MacLeod, openembedded-devel; +Cc: paul.eggleton
On 02/28/2014 03:08 AM, Randy MacLeod wrote:
> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
>> confliction with 2.4.7.
>
> Hongxu,
>
> Thanks, that's a good step. Even better would be to add the
> apache module that supports SPDY and confirm that it works
> with your desktop (google-chrome) browser.
>
> See:
> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>
>
> and
>
> https://code.google.com/p/mod-spdy/wiki/GettingStarted

Hi Randy,

I have tested, the ssl worked well with the new patch,
but the mod_spdy doesn't support 2.4.7 for now, and the
spdy test failed.
http://code.google.com/p/mod-spdy/issues/detail?id=63
http://code.google.com/p/mod-spdy/issues/detail?id=64
http://code.google.com/p/mod-spdy/issues/detail?id=65
...
root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
...

//Hongxu

>
> It doesn't seem to be a huge task but let us know what you find out.
>
> ../Randy
>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> .../apache2/apache2/npn-patch-2.4.7.patch | 289
>> +++++++++++++++++++++
>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>> 2 files changed, 290 insertions(+)
>> create mode 100644
>> meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>> >> diff --git >> a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch >> b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch >> new file mode 100644 >> index 0000000..a4f1855 >> --- /dev/null >> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch 
>> @@ -0,0 +1,289 @@ >> +Add support for TLS Next Protocol Negotiation: >> + >> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new >> + hooks for next protocol advertisement/discovery. >> + >> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable >> + NPN advertisement callback in handshake. >> + >> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke >> + next-protocol discovery hook. >> + >> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): >> + New callback. >> + >> +* modules/ssl/ssl_private.h: Add prototype. >> + >> +Submitted by: Matthew Steele <mdsteele google.com> >> + with slight tweaks by jorton >> + >> +http://svn.apache.org/viewvc?view=revision&revision=1332643 >> +https://bugzilla.redhat.com//show_bug.cgi?id=809599 >> +Upstream-Status: Backport >> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> >> +--- >> + CHANGES | 2 + >> + modules/ssl/mod_ssl.c | 12 ++++++ >> + modules/ssl/mod_ssl.h | 21 +++++++++++ >> + modules/ssl/ssl_engine_init.c | 5 +++ >> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++ >> + modules/ssl/ssl_engine_kernel.c | 82 >> +++++++++++++++++++++++++++++++++++++++++ >> + modules/ssl/ssl_private.h | 6 +++ >> + 7 files changed, 152 insertions(+) >> + >> +diff --git a/CHANGES b/CHANGES >> +--- a/CHANGES >> ++++ b/CHANGES >> +@@ -1,6 +1,8 @@ >> + -*- >> coding: utf-8 -*- >> + >> + Changes with Apache 2.4.7 >> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. >> ++ [Matthew Steele <mdsteele google.com>] >> + >> + *) APR 1.5.0 or later is now required for the event MPM. >> + >> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c >> +--- a/modules/ssl/mod_ssl.c >> ++++ b/modules/ssl/mod_ssl.c >> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = { >> + AP_END_CMD >> + }; >> + >> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. 
*/ >> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( >> ++ modssl, AP, int, npn_advertise_protos_hook, >> ++ (conn_rec *connection, apr_array_header_t *protos), >> ++ (connection, protos), OK, DECLINED); >> ++ >> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ >> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( >> ++ modssl, AP, int, npn_proto_negotiated_hook, >> ++ (conn_rec *connection, const char *proto_name, apr_size_t >> proto_name_len), >> ++ (connection, proto_name, proto_name_len), OK, DECLINED); >> ++ >> + /* >> + * the various processing hooks >> + */ >> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h >> +--- a/modules/ssl/mod_ssl.h >> ++++ b/modules/ssl/mod_ssl.h >> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, >> (conn_rec *)); >> + >> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); >> + >> ++/** The npn_advertise_protos optional hook allows other modules to >> add entries >> ++ * to the list of protocol names advertised by the server during >> the Next >> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The >> hook callee is >> ++ * given the connection and an APR array; it should push one or >> more char*'s >> ++ * pointing to null-terminated strings (such as "http/1.1" or >> "spdy/2") onto >> ++ * the array and return OK, or do nothing and return DECLINED. */ >> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, >> ++ (conn_rec *connection, apr_array_header_t >> *protos)); >> ++ >> ++/** The npn_proto_negotiated optional hook allows other modules to >> discover the >> ++ * name of the protocol that was chosen during the Next Protocol >> Negotiation >> ++ * (NPN) portion of the SSL handshake. Note that this may be the >> empty string >> ++ * (in which case modules should probably assume HTTP), or it may >> be a protocol >> ++ * that was never even advertised by the server. 
The hook callee >> is given the >> ++ * connection, a non-null-terminated string containing the protocol >> name, and >> ++ * the length of the string; it should do something appropriate >> (i.e. insert or >> ++ * remove filters) and return OK, or do nothing and return >> DECLINED. */ >> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, >> ++ (conn_rec *connection, const char >> *proto_name, >> ++ apr_size_t proto_name_len)); >> ++ >> + #endif /* __MOD_SSL_H__ */ >> + /** @} */ >> +diff --git a/modules/ssl/ssl_engine_init.c >> b/modules/ssl/ssl_engine_init.c >> +--- a/modules/ssl/ssl_engine_init.c >> ++++ b/modules/ssl/ssl_engine_init.c >> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, >> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); >> + >> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); >> ++ >> ++#ifdef HAVE_TLS_NPN >> ++ SSL_CTX_set_next_protos_advertised_cb( >> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); >> ++#endif >> + } >> + >> + static void ssl_init_ctx_verify(server_rec *s, >> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c >> +--- a/modules/ssl/ssl_engine_io.c >> ++++ b/modules/ssl/ssl_engine_io.c >> +@@ -28,6 +28,7 @@ >> + core keeps dumping.'' >> + -- Unknown */ >> + #include "ssl_private.h" >> ++#include "mod_ssl.h" >> + #include "apr_date.h" >> + >> + /* _________________________________________________________________ >> +@@ -297,6 +298,7 @@ typedef struct { >> + apr_pool_t *pool; >> + char buffer[AP_IOBUFSIZE]; >> + ssl_filter_ctx_t *filter_ctx; >> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ >> + } bio_filter_in_ctx_t; >> + >> + /* >> +@@ -1412,6 +1414,27 @@ static apr_status_t >> ssl_io_filter_input(ap_filter_t *f, >> + APR_BRIGADE_INSERT_TAIL(bb, bucket); >> + } >> + >> ++#ifdef HAVE_TLS_NPN >> ++ /* By this point, Next Protocol Negotiation (NPN) should be >> completed (if >> ++ * our version of OpenSSL supports it). 
If we haven't already, >> find out >> ++ * which protocol was decided upon and inform other modules by >> calling >> ++ * npn_proto_negotiated_hook. */ >> ++ if (!inctx->npn_finished) { >> ++ const unsigned char *next_proto = NULL; >> ++ unsigned next_proto_len = 0; >> ++ >> ++ SSL_get0_next_proto_negotiated( >> ++ inctx->ssl, &next_proto, &next_proto_len); >> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, >> ++ "SSL NPN negotiated protocol: '%s'", >> ++ apr_pstrmemdup(f->c->pool, (const >> char*)next_proto, >> ++ next_proto_len)); >> ++ modssl_run_npn_proto_negotiated_hook( >> ++ f->c, (const char*)next_proto, next_proto_len); >> ++ inctx->npn_finished = 1; >> ++ } >> ++#endif >> ++ >> + return APR_SUCCESS; >> + } >> + >> +@@ -1893,6 +1916,7 @@ static void >> ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, >> + inctx->block = APR_BLOCK_READ; >> + inctx->pool = c->pool; >> + inctx->filter_ctx = filter_ctx; >> ++ inctx->npn_finished = 0; >> + } >> + >> + /* The request_rec pointer is passed in here only to ensure that the >> +diff --git a/modules/ssl/ssl_engine_kernel.c >> b/modules/ssl/ssl_engine_kernel.c >> +--- a/modules/ssl/ssl_engine_kernel.c >> ++++ b/modules/ssl/ssl_engine_kernel.c >> +@@ -29,6 +29,7 @@ >> + time I was too famous.'' >> + -- >> Unknown */ >> + #include "ssl_private.h" >> ++#include "mod_ssl.h" >> + #include "util_md5.h" >> + >> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); >> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, >> int *ad, void *arg) >> + } >> + >> + #endif /* HAVE_SRP */ >> ++ >> ++#ifdef HAVE_TLS_NPN >> ++/* >> ++ * This callback function is executed when SSL needs to decide what >> protocols >> ++ * to advertise during Next Protocol Negotiation (NPN). It must >> produce a >> ++ * string in wire format -- a sequence of length-prefixed strings >> -- indicating >> ++ * the advertised protocols. 
Refer to >> SSL_CTX_set_next_protos_advertised_cb >> ++ * in OpenSSL for reference. >> ++ */ >> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char >> **data_out, >> ++ unsigned int *size_out, void >> *arg) >> ++{ >> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); >> ++ apr_array_header_t *protos; >> ++ int num_protos; >> ++ unsigned int size; >> ++ int i; >> ++ unsigned char *data; >> ++ unsigned char *start; >> ++ >> ++ *data_out = NULL; >> ++ *size_out = 0; >> ++ >> ++ /* If the connection object is not available, then there's >> nothing for us >> ++ * to do. */ >> ++ if (c == NULL) { >> ++ return SSL_TLSEXT_ERR_OK; >> ++ } >> ++ >> ++ /* Invoke our npn_advertise_protos hook, giving other modules a >> chance to >> ++ * add alternate protocol names to advertise. */ >> ++ protos = apr_array_make(c->pool, 0, sizeof(char*)); >> ++ modssl_run_npn_advertise_protos_hook(c, protos); >> ++ num_protos = protos->nelts; >> ++ >> ++ /* We now have a list of null-terminated strings; we need to >> concatenate >> ++ * them together into a single string, where each protocol name >> is prefixed >> ++ * by its length. First, calculate how long that string will >> be. */ >> ++ size = 0; >> ++ for (i = 0; i < num_protos; ++i) { >> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); >> ++ unsigned int length = strlen(string); >> ++ /* If the protocol name is too long (the length must fit in >> one byte), >> ++ * then log an error and skip it. */ >> ++ if (length > 255) { >> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, >> ++ "SSL NPN protocol name too long >> (length=%u): %s", >> ++ length, string); >> ++ continue; >> ++ } >> ++ /* Leave room for the length prefix (one byte) plus the >> protocol name >> ++ * itself. 
*/ >> ++ size += 1 + length; >> ++ } >> ++ >> ++ /* If there is nothing to advertise (either because no modules >> added >> ++ * anything to the protos array, or because all strings added >> to the array >> ++ * were skipped), then we're done. */ >> ++ if (size == 0) { >> ++ return SSL_TLSEXT_ERR_OK; >> ++ } >> ++ >> ++ /* Now we can build the string. Copy each protocol name string >> into the >> ++ * larger string, prefixed by its length. */ >> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); >> ++ start = data; >> ++ for (i = 0; i < num_protos; ++i) { >> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); >> ++ apr_size_t length = strlen(string); >> ++ *start = (unsigned char)length; >> ++ ++start; >> ++ memcpy(start, string, length * sizeof(unsigned char)); >> ++ start += length; >> ++ } >> ++ >> ++ /* Success. */ >> ++ *data_out = data; >> ++ *size_out = size; >> ++ return SSL_TLSEXT_ERR_OK; >> ++} >> ++#endif /* HAVE_TLS_NPN */ >> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h >> +--- a/modules/ssl/ssl_private.h >> ++++ b/modules/ssl/ssl_private.h >> +@@ -123,6 +123,11 @@ >> + #define MODSSL_SSL_METHOD_CONST >> + #endif >> + >> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && >> !defined(OPENSSL_NO_NEXTPROTONEG) \ >> ++ && !defined(OPENSSL_NO_TLSEXT) >> ++#define HAVE_TLS_NPN >> ++#endif >> ++ >> + #if defined(OPENSSL_FIPS) >> + #define HAVE_FIPS >> + #endif >> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int >> *, modssl_ctx_t *); >> + int ssl_callback_SessionTicket(SSL *, unsigned char *, >> unsigned char *, >> + EVP_CIPHER_CTX *, HMAC_CTX >> *, int); >> + #endif >> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char >> **data, unsigned int *len, void *arg); >> + >> + /** Session Cache Support */ >> + void ssl_scache_init(server_rec *, apr_pool_t *); >> +-- >> +1.8.1.2 >> + 
>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >> b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >> index f23776f..3c038a9 100644 >> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >> @@ -15,6 +15,7 @@ SRC_URI = >> "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ >> file://replace-lynx-to-curl-in-apachectl-script.patch \ >> file://apache-ssl-ltmain-rpath.patch \ >> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ >> + file://npn-patch-2.4.7.patch \ >> file://init \ >> file://apache2-volatile.conf" >> >> > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-28 10:21 ` Hongxu Jia
@ 2014-02-28 17:17 ` Khem Raj
2014-03-03 1:25 ` Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Khem Raj @ 2014-02-28 17:17 UTC (permalink / raw)
To: openembeded-devel; +Cc: Paul Eggleton
[-- Attachment #1: Type: text/plain, Size: 15997 bytes --]
On Feb 28, 2014, at 2:21 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> On 02/28/2014 03:08 AM, Randy MacLeod wrote:
>> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>>> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
>>> confliction with 2.4.7.
>>
>> Hongxu,
>>
>> Thanks, that's a good step. Even better would be to add the
>> apache module that supports SPDY and confirm that it works
>> with your desktop (google-chrome) browser.
>>
>> See:
>> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>>
>> and
>>
>> https://code.google.com/p/mod-spdy/wiki/GettingStarted
>
> Hi Randy,
>
> I have tested, the ssl worked well with the new patch,
> but the mod_spdy doesn't support 2.4.7 for now, and the
> spdy test failed.
> http://code.google.com/p/mod-spdy/issues/detail?id=63
> http://code.google.com/p/mod-spdy/issues/detail?id=64
> http://code.google.com/p/mod-spdy/issues/detail?id=65
> ...
> root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
> httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
> …
>

spdy does not work with apache 2.4 but there is a port, see
https://github.com/eousphoros/mod-spdy
Try to back port the needed.

> //Hongxu
>
>>
>> It doesn't seem to be a huge task but let us know what you find out.
>>
>> ../Randy
>> >>> >>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> >>> --- >>> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++ >>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 + >>> 2 files changed, 290 insertions(+) >>> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch >>> >>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch >>> new file mode 100644 >>> index 0000000..a4f1855 >>> --- /dev/null >>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch 
>>> @@ -0,0 +1,289 @@ >>> +Add support for TLS Next Protocol Negotiation: >>> + >>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new >>> + hooks for next protocol advertisement/discovery. >>> + >>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable >>> + NPN advertisement callback in handshake. >>> + >>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke >>> + next-protocol discovery hook. >>> + >>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): >>> + New callback. >>> + >>> +* modules/ssl/ssl_private.h: Add prototype. >>> + >>> +Submitted by: Matthew Steele <mdsteele google.com> >>> + with slight tweaks by jorton >>> + >>> +http://svn.apache.org/viewvc?view=revision&revision=1332643 >>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599 >>> +Upstream-Status: Backport >>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> >>> +--- >>> + CHANGES | 2 + >>> + modules/ssl/mod_ssl.c | 12 ++++++ >>> + modules/ssl/mod_ssl.h | 21 +++++++++++ >>> + modules/ssl/ssl_engine_init.c | 5 +++ >>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++ >>> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++ >>> + modules/ssl/ssl_private.h | 6 +++ >>> + 7 files changed, 152 insertions(+) >>> + >>> +diff --git a/CHANGES b/CHANGES >>> +--- a/CHANGES >>> ++++ b/CHANGES >>> +@@ -1,6 +1,8 @@ >>> + -*- coding: utf-8 -*- >>> + >>> + Changes with Apache 2.4.7 >>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. >>> ++ [Matthew Steele <mdsteele google.com>] >>> + >>> + *) APR 1.5.0 or later is now required for the event MPM. >>> + >>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c >>> +--- a/modules/ssl/mod_ssl.c >>> ++++ b/modules/ssl/mod_ssl.c >>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = { >>> + AP_END_CMD >>> + }; >>> + >>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. 
*/ >>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( >>> ++ modssl, AP, int, npn_advertise_protos_hook, >>> ++ (conn_rec *connection, apr_array_header_t *protos), >>> ++ (connection, protos), OK, DECLINED); >>> ++ >>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ >>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( >>> ++ modssl, AP, int, npn_proto_negotiated_hook, >>> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), >>> ++ (connection, proto_name, proto_name_len), OK, DECLINED); >>> ++ >>> + /* >>> + * the various processing hooks >>> + */ >>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h >>> +--- a/modules/ssl/mod_ssl.h >>> ++++ b/modules/ssl/mod_ssl.h >>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); >>> + >>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); >>> + >>> ++/** The npn_advertise_protos optional hook allows other modules to add entries >>> ++ * to the list of protocol names advertised by the server during the Next >>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is >>> ++ * given the connection and an APR array; it should push one or more char*'s >>> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto >>> ++ * the array and return OK, or do nothing and return DECLINED. */ >>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, >>> ++ (conn_rec *connection, apr_array_header_t *protos)); >>> ++ >>> ++/** The npn_proto_negotiated optional hook allows other modules to discover the >>> ++ * name of the protocol that was chosen during the Next Protocol Negotiation >>> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string >>> ++ * (in which case modules should probably assume HTTP), or it may be a protocol >>> ++ * that was never even advertised by the server. 
The hook callee is given the >>> ++ * connection, a non-null-terminated string containing the protocol name, and >>> ++ * the length of the string; it should do something appropriate (i.e. insert or >>> ++ * remove filters) and return OK, or do nothing and return DECLINED. */ >>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, >>> ++ (conn_rec *connection, const char *proto_name, >>> ++ apr_size_t proto_name_len)); >>> ++ >>> + #endif /* __MOD_SSL_H__ */ >>> + /** @} */ >>> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c >>> +--- a/modules/ssl/ssl_engine_init.c >>> ++++ b/modules/ssl/ssl_engine_init.c >>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, >>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); >>> + >>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); >>> ++ >>> ++#ifdef HAVE_TLS_NPN >>> ++ SSL_CTX_set_next_protos_advertised_cb( >>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); >>> ++#endif >>> + } >>> + >>> + static void ssl_init_ctx_verify(server_rec *s, >>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c >>> +--- a/modules/ssl/ssl_engine_io.c >>> ++++ b/modules/ssl/ssl_engine_io.c >>> +@@ -28,6 +28,7 @@ >>> + core keeps dumping.'' >>> + -- Unknown */ >>> + #include "ssl_private.h" >>> ++#include "mod_ssl.h" >>> + #include "apr_date.h" >>> + >>> + /* _________________________________________________________________ >>> +@@ -297,6 +298,7 @@ typedef struct { >>> + apr_pool_t *pool; >>> + char buffer[AP_IOBUFSIZE]; >>> + ssl_filter_ctx_t *filter_ctx; >>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ >>> + } bio_filter_in_ctx_t; >>> + >>> + /* >>> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, >>> + APR_BRIGADE_INSERT_TAIL(bb, bucket); >>> + } >>> + >>> ++#ifdef HAVE_TLS_NPN >>> ++ /* By this point, Next Protocol Negotiation (NPN) should be completed (if >>> ++ * our version of OpenSSL supports 
it). If we haven't already, find out >>> ++ * which protocol was decided upon and inform other modules by calling >>> ++ * npn_proto_negotiated_hook. */ >>> ++ if (!inctx->npn_finished) { >>> ++ const unsigned char *next_proto = NULL; >>> ++ unsigned next_proto_len = 0; >>> ++ >>> ++ SSL_get0_next_proto_negotiated( >>> ++ inctx->ssl, &next_proto, &next_proto_len); >>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, >>> ++ "SSL NPN negotiated protocol: '%s'", >>> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto, >>> ++ next_proto_len)); >>> ++ modssl_run_npn_proto_negotiated_hook( >>> ++ f->c, (const char*)next_proto, next_proto_len); >>> ++ inctx->npn_finished = 1; >>> ++ } >>> ++#endif >>> ++ >>> + return APR_SUCCESS; >>> + } >>> + >>> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, >>> + inctx->block = APR_BLOCK_READ; >>> + inctx->pool = c->pool; >>> + inctx->filter_ctx = filter_ctx; >>> ++ inctx->npn_finished = 0; >>> + } >>> + >>> + /* The request_rec pointer is passed in here only to ensure that the >>> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c >>> +--- a/modules/ssl/ssl_engine_kernel.c >>> ++++ b/modules/ssl/ssl_engine_kernel.c >>> +@@ -29,6 +29,7 @@ >>> + time I was too famous.'' >>> + -- Unknown */ >>> + #include "ssl_private.h" >>> ++#include "mod_ssl.h" >>> + #include "util_md5.h" >>> + >>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); >>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) >>> + } >>> + >>> + #endif /* HAVE_SRP */ >>> ++ >>> ++#ifdef HAVE_TLS_NPN >>> ++/* >>> ++ * This callback function is executed when SSL needs to decide what protocols >>> ++ * to advertise during Next Protocol Negotiation (NPN). It must produce a >>> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating >>> ++ * the advertised protocols. 
Refer to SSL_CTX_set_next_protos_advertised_cb >>> ++ * in OpenSSL for reference. >>> ++ */ >>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, >>> ++ unsigned int *size_out, void *arg) >>> ++{ >>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); >>> ++ apr_array_header_t *protos; >>> ++ int num_protos; >>> ++ unsigned int size; >>> ++ int i; >>> ++ unsigned char *data; >>> ++ unsigned char *start; >>> ++ >>> ++ *data_out = NULL; >>> ++ *size_out = 0; >>> ++ >>> ++ /* If the connection object is not available, then there's nothing for us >>> ++ * to do. */ >>> ++ if (c == NULL) { >>> ++ return SSL_TLSEXT_ERR_OK; >>> ++ } >>> ++ >>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to >>> ++ * add alternate protocol names to advertise. */ >>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*)); >>> ++ modssl_run_npn_advertise_protos_hook(c, protos); >>> ++ num_protos = protos->nelts; >>> ++ >>> ++ /* We now have a list of null-terminated strings; we need to concatenate >>> ++ * them together into a single string, where each protocol name is prefixed >>> ++ * by its length. First, calculate how long that string will be. */ >>> ++ size = 0; >>> ++ for (i = 0; i < num_protos; ++i) { >>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); >>> ++ unsigned int length = strlen(string); >>> ++ /* If the protocol name is too long (the length must fit in one byte), >>> ++ * then log an error and skip it. */ >>> ++ if (length > 255) { >>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, >>> ++ "SSL NPN protocol name too long (length=%u): %s", >>> ++ length, string); >>> ++ continue; >>> ++ } >>> ++ /* Leave room for the length prefix (one byte) plus the protocol name >>> ++ * itself. 
*/ >>> ++ size += 1 + length; >>> ++ } >>> ++ >>> ++ /* If there is nothing to advertise (either because no modules added >>> ++ * anything to the protos array, or because all strings added to the array >>> ++ * were skipped), then we're done. */ >>> ++ if (size == 0) { >>> ++ return SSL_TLSEXT_ERR_OK; >>> ++ } >>> ++ >>> ++ /* Now we can build the string. Copy each protocol name string into the >>> ++ * larger string, prefixed by its length. */ >>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); >>> ++ start = data; >>> ++ for (i = 0; i < num_protos; ++i) { >>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); >>> ++ apr_size_t length = strlen(string); >>> ++ *start = (unsigned char)length; >>> ++ ++start; >>> ++ memcpy(start, string, length * sizeof(unsigned char)); >>> ++ start += length; >>> ++ } >>> ++ >>> ++ /* Success. */ >>> ++ *data_out = data; >>> ++ *size_out = size; >>> ++ return SSL_TLSEXT_ERR_OK; >>> ++} >>> ++#endif /* HAVE_TLS_NPN */ >>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h >>> +--- a/modules/ssl/ssl_private.h >>> ++++ b/modules/ssl/ssl_private.h >>> +@@ -123,6 +123,11 @@ >>> + #define MODSSL_SSL_METHOD_CONST >>> + #endif >>> + >>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ >>> ++ && !defined(OPENSSL_NO_TLSEXT) >>> ++#define HAVE_TLS_NPN >>> ++#endif >>> ++ >>> + #if defined(OPENSSL_FIPS) >>> + #define HAVE_FIPS >>> + #endif >>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); >>> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, >>> + EVP_CIPHER_CTX *, HMAC_CTX *, int); >>> + #endif >>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); >>> + >>> + /** Session Cache Support */ >>> + void ssl_scache_init(server_rec *, apr_pool_t *); >>> +-- >>> +1.8.1.2 >>> + 
>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >>> index f23776f..3c038a9 100644 >>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >>> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ >>> file://replace-lynx-to-curl-in-apachectl-script.patch \ >>> file://apache-ssl-ltmain-rpath.patch \ >>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ >>> + file://npn-patch-2.4.7.patch \ >>> file://init \ >>> file://apache2-volatile.conf" >>> >>> >> >> > > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 211 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
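Review bot: in ssl_callback_AdvertiseNextProtos (modules/ssl/ssl_engine_kernel.c), the sizing loop skips any name with length > 255 via continue, but the copy loop has no matching check. If a hook pushes one over-long name alongside a valid one, size excludes the long name while the second loop still memcpy()s it into the apr_palloc(c->pool, size) buffer, writing past the end of data, and its prefix byte is the truncated (unsigned char)length. Repeat the length > 255 test in the copy loop, or filter the array once and iterate the filtered list in both passes. A zero-length name passes both loops and is emitted as an empty entry; consider skipping those in the same place.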
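Review bot: in the ssl_io_filter_input hunk (modules/ssl/ssl_engine_io.c), next_proto is initialised to NULL and modssl_run_npn_proto_negotiated_hook is run without checking whether SSL_get0_next_proto_negotiated set it, so hook callees can receive a NULL proto_name with proto_name_len 0, while the mod_ssl.h comment only tells them to expect "the empty string". Either document the NULL case in the hook description or pass "" when nothing was negotiated. The apr_pstrmemdup() into f->c->pool is also evaluated on every first read purely to feed an APLOG_DEBUG message; since the name is chosen by the client and, per the header comment, may be one the server never advertised, hook implementers should compare it against their own advertised list using proto_name_len rather than treating it as a C string.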
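Review bot: in the second modules/ssl/ssl_private.h hunk, the ssl_callback_AdvertiseNextProtos prototype is added after the preceding #endif and is therefore declared unconditionally, while its definition in ssl_engine_kernel.c and its registration in ssl_init_ctx_callbacks are both inside #ifdef HAVE_TLS_NPN. Wrapping the prototype in the same guard keeps the declaration and definition consistent on builds where OpenSSL is older than 0x10001000L or has OPENSSL_NO_NEXTPROTONEG set.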
* Re: [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation
2014-02-28 17:17 ` Khem Raj
@ 2014-03-03 1:25 ` Hongxu Jia
0 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2014-03-03 1:25 UTC (permalink / raw)
To: openembedded-devel; +Cc: Paul Eggleton

On 03/01/2014 01:17 AM, Khem Raj wrote:
> On Feb 28, 2014, at 2:21 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
>> On 02/28/2014 03:08 AM, Randy MacLeod wrote:
>>> On 14-02-26 10:22 PM, Hongxu Jia wrote:
>>>> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
>>>> apache2-2.4.6 and conflicted with apache2-2.4.7, this patch fixed the
>>>> confliction with 2.4.7.
>>> Hongxu,
>>>
>>> Thanks, that's a good step. Even better would be to add the
>>> apache module that supports SPDY and confirm that it works
>>> with your desktop (google-chrome) browser.
>>>
>>> See:
>>> http://lists.openembedded.org/pipermail/openembedded-devel/2014-January/093772.html
>>>
>>> and
>>>
>>> https://code.google.com/p/mod-spdy/wiki/GettingStarted
>> Hi Randy,
>>
>> I have tested, the ssl worked well with the new patch,
>> but the mod_spdy doesn't support 2.4.7 for now, and the
>> spdy test failed.
>> http://code.google.com/p/mod-spdy/issues/detail?id=63
>> http://code.google.com/p/mod-spdy/issues/detail?id=64
>> http://code.google.com/p/mod-spdy/issues/detail?id=65
>> ...
>> root@qemux86-64:/etc/apache2# /etc/init.d/apache2 restart
>> httpd: Syntax error on line 151 of /etc/apache2/httpd.conf: Cannot load lib64/apache2/modules/mod_spdy.so into server: /usr/lib64/apache2/modules/mod_spdy.so: undefined symbol: ap_log_cerror
>> ...
>>
> spdy does not work with apache 2.4 but there is port see
>
> https://github.com/eousphoros/mod-spdy
>
> Try to back port the needed.

Yes, I have tried, but there are plenty of errors:
...
jiahongxu:src$ make BUILDTYPE=Release
ACTION Regenerating Makefile
Updating projects from gyp files...
Traceback (most recent call last):
  File "./build/gyp_chromium", line 24, in <module>
    execfile(os.path.join(chrome_src, 'build', 'gyp_chromium'))
  File "third_party/chromium/src/build/gyp_chromium", line 173, in <module>
    sys.exit(gyp.main(args))
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/__init__.py", line 471, in main
    options.circular_check)
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/__init__.py", line 111, in Load
    depth, generator_input_info, check, circular_check)
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 2378, in Load
    depth, check)
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 358, in LoadTargetBuildFile
    includes, True, check)
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 231, in LoadOneBuildFile
    aux_data, variables, includes, check)
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 269, in LoadBuildFileIncludesIntoDict
    False, check),
  File "/home/jiahongxu/mod_spdy/mod-spdy/src/tools/gyp/pylib/gyp/input.py", line 208, in LoadOneBuildFile
    raise Exception("%s not found (cwd: %s)" % (build_file_path, os.getcwd()))
Exception: /root/mod_spdy/src/build/common.gypi not found (cwd: /home/jiahongxu/mod_spdy/mod-spdy/src) while reading includes of build/all.gyp while trying to load build/all.gyp
make: *** [Makefile] Error 1
...

//Hongxu
>
>> //Hongxu
>>
>>> It doesn't seem to be a huge task but let us know what you find out.
>>>
>>> ../Randy
>>>
>>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> ---
>>>> .../apache2/apache2/npn-patch-2.4.7.patch | 289 +++++++++++++++++++++
>>>> .../recipes-httpd/apache2/apache2_2.4.7.bb | 1 +
>>>> 2 files changed, 290 insertions(+)
>>>> create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
>>>> >>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch >>>> new file mode 100644 >>>> index 0000000..a4f1855 >>>> --- /dev/null >>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch 
>>>> @@ -0,0 +1,289 @@ >>>> +Add support for TLS Next Protocol Negotiation: >>>> + >>>> +* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new >>>> + hooks for next protocol advertisement/discovery. >>>> + >>>> +* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable >>>> + NPN advertisement callback in handshake. >>>> + >>>> +* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke >>>> + next-protocol discovery hook. >>>> + >>>> +* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): >>>> + New callback. >>>> + >>>> +* modules/ssl/ssl_private.h: Add prototype. >>>> + >>>> +Submitted by: Matthew Steele <mdsteele google.com> >>>> + with slight tweaks by jorton >>>> + >>>> +http://svn.apache.org/viewvc?view=revision&revision=1332643 >>>> +https://bugzilla.redhat.com//show_bug.cgi?id=809599 >>>> +Upstream-Status: Backport >>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> >>>> +--- >>>> + CHANGES | 2 + >>>> + modules/ssl/mod_ssl.c | 12 ++++++ >>>> + modules/ssl/mod_ssl.h | 21 +++++++++++ >>>> + modules/ssl/ssl_engine_init.c | 5 +++ >>>> + modules/ssl/ssl_engine_io.c | 24 ++++++++++++ >>>> + modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++ >>>> + modules/ssl/ssl_private.h | 6 +++ >>>> + 7 files changed, 152 insertions(+) >>>> + >>>> +diff --git a/CHANGES b/CHANGES >>>> +--- a/CHANGES >>>> ++++ b/CHANGES >>>> +@@ -1,6 +1,8 @@ >>>> + -*- coding: utf-8 -*- >>>> + >>>> + Changes with Apache 2.4.7 >>>> ++ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. >>>> ++ [Matthew Steele <mdsteele google.com>] >>>> + >>>> + *) APR 1.5.0 or later is now required for the event MPM. >>>> + >>>> +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c >>>> +--- a/modules/ssl/mod_ssl.c >>>> ++++ b/modules/ssl/mod_ssl.c >>>> +@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = { >>>> + AP_END_CMD >>>> + }; >>>> + >>>> ++/* Implement 'modssl_run_npn_advertise_protos_hook'. 
*/ >>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( >>>> ++ modssl, AP, int, npn_advertise_protos_hook, >>>> ++ (conn_rec *connection, apr_array_header_t *protos), >>>> ++ (connection, protos), OK, DECLINED); >>>> ++ >>>> ++/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ >>>> ++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( >>>> ++ modssl, AP, int, npn_proto_negotiated_hook, >>>> ++ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), >>>> ++ (connection, proto_name, proto_name_len), OK, DECLINED); >>>> ++ >>>> + /* >>>> + * the various processing hooks >>>> + */ >>>> +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h >>>> +--- a/modules/ssl/mod_ssl.h >>>> ++++ b/modules/ssl/mod_ssl.h >>>> +@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); >>>> + >>>> + APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); >>>> + >>>> ++/** The npn_advertise_protos optional hook allows other modules to add entries >>>> ++ * to the list of protocol names advertised by the server during the Next >>>> ++ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is >>>> ++ * given the connection and an APR array; it should push one or more char*'s >>>> ++ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto >>>> ++ * the array and return OK, or do nothing and return DECLINED. */ >>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, >>>> ++ (conn_rec *connection, apr_array_header_t *protos)); >>>> ++ >>>> ++/** The npn_proto_negotiated optional hook allows other modules to discover the >>>> ++ * name of the protocol that was chosen during the Next Protocol Negotiation >>>> ++ * (NPN) portion of the SSL handshake. Note that this may be the empty string >>>> ++ * (in which case modules should probably assume HTTP), or it may be a protocol >>>> ++ * that was never even advertised by the server. 
The hook callee is given the >>>> ++ * connection, a non-null-terminated string containing the protocol name, and >>>> ++ * the length of the string; it should do something appropriate (i.e. insert or >>>> ++ * remove filters) and return OK, or do nothing and return DECLINED. */ >>>> ++APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, >>>> ++ (conn_rec *connection, const char *proto_name, >>>> ++ apr_size_t proto_name_len)); >>>> ++ >>>> + #endif /* __MOD_SSL_H__ */ >>>> + /** @} */ >>>> +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c >>>> +--- a/modules/ssl/ssl_engine_init.c >>>> ++++ b/modules/ssl/ssl_engine_init.c >>>> +@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, >>>> + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); >>>> + >>>> + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); >>>> ++ >>>> ++#ifdef HAVE_TLS_NPN >>>> ++ SSL_CTX_set_next_protos_advertised_cb( >>>> ++ ctx, ssl_callback_AdvertiseNextProtos, NULL); >>>> ++#endif >>>> + } >>>> + >>>> + static void ssl_init_ctx_verify(server_rec *s, >>>> +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c >>>> +--- a/modules/ssl/ssl_engine_io.c >>>> ++++ b/modules/ssl/ssl_engine_io.c >>>> +@@ -28,6 +28,7 @@ >>>> + core keeps dumping.'' >>>> + -- Unknown */ >>>> + #include "ssl_private.h" >>>> ++#include "mod_ssl.h" >>>> + #include "apr_date.h" >>>> + >>>> + /* _________________________________________________________________ >>>> +@@ -297,6 +298,7 @@ typedef struct { >>>> + apr_pool_t *pool; >>>> + char buffer[AP_IOBUFSIZE]; >>>> + ssl_filter_ctx_t *filter_ctx; >>>> ++ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ >>>> + } bio_filter_in_ctx_t; >>>> + >>>> + /* >>>> +@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, >>>> + APR_BRIGADE_INSERT_TAIL(bb, bucket); >>>> + } >>>> + >>>> ++#ifdef HAVE_TLS_NPN >>>> ++ /* By this point, Next Protocol Negotiation (NPN) should be 
completed (if >>>> ++ * our version of OpenSSL supports it). If we haven't already, find out >>>> ++ * which protocol was decided upon and inform other modules by calling >>>> ++ * npn_proto_negotiated_hook. */ >>>> ++ if (!inctx->npn_finished) { >>>> ++ const unsigned char *next_proto = NULL; >>>> ++ unsigned next_proto_len = 0; >>>> ++ >>>> ++ SSL_get0_next_proto_negotiated( >>>> ++ inctx->ssl, &next_proto, &next_proto_len); >>>> ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, >>>> ++ "SSL NPN negotiated protocol: '%s'", >>>> ++ apr_pstrmemdup(f->c->pool, (const char*)next_proto, >>>> ++ next_proto_len)); >>>> ++ modssl_run_npn_proto_negotiated_hook( >>>> ++ f->c, (const char*)next_proto, next_proto_len); >>>> ++ inctx->npn_finished = 1; >>>> ++ } >>>> ++#endif >>>> ++ >>>> + return APR_SUCCESS; >>>> + } >>>> + >>>> +@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, >>>> + inctx->block = APR_BLOCK_READ; >>>> + inctx->pool = c->pool; >>>> + inctx->filter_ctx = filter_ctx; >>>> ++ inctx->npn_finished = 0; >>>> + } >>>> + >>>> + /* The request_rec pointer is passed in here only to ensure that the >>>> +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c >>>> +--- a/modules/ssl/ssl_engine_kernel.c >>>> ++++ b/modules/ssl/ssl_engine_kernel.c >>>> +@@ -29,6 +29,7 @@ >>>> + time I was too famous.'' >>>> + -- Unknown */ >>>> + #include "ssl_private.h" >>>> ++#include "mod_ssl.h" >>>> + #include "util_md5.h" >>>> + >>>> + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); >>>> +@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) >>>> + } >>>> + >>>> + #endif /* HAVE_SRP */ >>>> ++ >>>> ++#ifdef HAVE_TLS_NPN >>>> ++/* >>>> ++ * This callback function is executed when SSL needs to decide what protocols >>>> ++ * to advertise during Next Protocol Negotiation (NPN). 
It must produce a >>>> ++ * string in wire format -- a sequence of length-prefixed strings -- indicating >>>> ++ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb >>>> ++ * in OpenSSL for reference. >>>> ++ */ >>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, >>>> ++ unsigned int *size_out, void *arg) >>>> ++{ >>>> ++ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); >>>> ++ apr_array_header_t *protos; >>>> ++ int num_protos; >>>> ++ unsigned int size; >>>> ++ int i; >>>> ++ unsigned char *data; >>>> ++ unsigned char *start; >>>> ++ >>>> ++ *data_out = NULL; >>>> ++ *size_out = 0; >>>> ++ >>>> ++ /* If the connection object is not available, then there's nothing for us >>>> ++ * to do. */ >>>> ++ if (c == NULL) { >>>> ++ return SSL_TLSEXT_ERR_OK; >>>> ++ } >>>> ++ >>>> ++ /* Invoke our npn_advertise_protos hook, giving other modules a chance to >>>> ++ * add alternate protocol names to advertise. */ >>>> ++ protos = apr_array_make(c->pool, 0, sizeof(char*)); >>>> ++ modssl_run_npn_advertise_protos_hook(c, protos); >>>> ++ num_protos = protos->nelts; >>>> ++ >>>> ++ /* We now have a list of null-terminated strings; we need to concatenate >>>> ++ * them together into a single string, where each protocol name is prefixed >>>> ++ * by its length. First, calculate how long that string will be. */ >>>> ++ size = 0; >>>> ++ for (i = 0; i < num_protos; ++i) { >>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); >>>> ++ unsigned int length = strlen(string); >>>> ++ /* If the protocol name is too long (the length must fit in one byte), >>>> ++ * then log an error and skip it. */ >>>> ++ if (length > 255) { >>>> ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, >>>> ++ "SSL NPN protocol name too long (length=%u): %s", >>>> ++ length, string); >>>> ++ continue; >>>> ++ } >>>> ++ /* Leave room for the length prefix (one byte) plus the protocol name >>>> ++ * itself. 
*/ >>>> ++ size += 1 + length; >>>> ++ } >>>> ++ >>>> ++ /* If there is nothing to advertise (either because no modules added >>>> ++ * anything to the protos array, or because all strings added to the array >>>> ++ * were skipped), then we're done. */ >>>> ++ if (size == 0) { >>>> ++ return SSL_TLSEXT_ERR_OK; >>>> ++ } >>>> ++ >>>> ++ /* Now we can build the string. Copy each protocol name string into the >>>> ++ * larger string, prefixed by its length. */ >>>> ++ data = apr_palloc(c->pool, size * sizeof(unsigned char)); >>>> ++ start = data; >>>> ++ for (i = 0; i < num_protos; ++i) { >>>> ++ const char *string = APR_ARRAY_IDX(protos, i, const char*); >>>> ++ apr_size_t length = strlen(string); >>>> ++ *start = (unsigned char)length; >>>> ++ ++start; >>>> ++ memcpy(start, string, length * sizeof(unsigned char)); >>>> ++ start += length; >>>> ++ } >>>> ++ >>>> ++ /* Success. */ >>>> ++ *data_out = data; >>>> ++ *size_out = size; >>>> ++ return SSL_TLSEXT_ERR_OK; >>>> ++} >>>> ++#endif /* HAVE_TLS_NPN */ >>>> +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h >>>> +--- a/modules/ssl/ssl_private.h >>>> ++++ b/modules/ssl/ssl_private.h >>>> +@@ -123,6 +123,11 @@ >>>> + #define MODSSL_SSL_METHOD_CONST >>>> + #endif >>>> + >>>> ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ >>>> ++ && !defined(OPENSSL_NO_TLSEXT) >>>> ++#define HAVE_TLS_NPN >>>> ++#endif >>>> ++ >>>> + #if defined(OPENSSL_FIPS) >>>> + #define HAVE_FIPS >>>> + #endif >>>> +@@ -800,6 +805,7 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); >>>> + int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, >>>> + EVP_CIPHER_CTX *, HMAC_CTX *, int); >>>> + #endif >>>> ++int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); >>>> + >>>> + /** Session Cache Support */ >>>> + void ssl_scache_init(server_rec *, apr_pool_t *); >>>> +-- >>>> +1.8.1.2 >>>> + 
>>>> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >>>> index f23776f..3c038a9 100644 >>>> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >>>> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.7.bb >>>> @@ -15,6 +15,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ >>>> file://replace-lynx-to-curl-in-apachectl-script.patch \ >>>> file://apache-ssl-ltmain-rpath.patch \ >>>> file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ >>>> + file://npn-patch-2.4.7.patch \ >>>> file://init \ >>>> file://apache2-volatile.conf" >>>> >>>> >>> >> _______________________________________________ >> Openembedded-devel mailing list >> Openembedded-devel@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-devel > > > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades
2014-02-27 3:22 [PATCH V2 0/4][meta-webserver] Apache / PHP upgrades Hongxu Jia
` (3 preceding siblings ...)
2014-02-27 3:22 ` [PATCH 4/4][meta-webserver] apache2-2.4.7: added support for TLS Next Protocol Negotiation Hongxu Jia
@ 2014-02-27 9:47 ` Paul Eggleton
4 siblings, 0 replies; 10+ messages in thread
From: Paul Eggleton @ 2014-02-27 9:47 UTC (permalink / raw)
To: Hongxu Jia; +Cc: openembedded-devel

Hi Hongxu,

On Thursday 27 February 2014 11:22:06 Hongxu Jia wrote:
> Change in V2:
> apache2-2.4.7: added support for TLS Next Protocol Negotiation
>
> The previous npn support patch (httpd-2.4.4-r1332643.patch) worked on
> apache2-2.4.6 and conflicted with apache2-2.4.7, 4/4 patch fixed the
> confliction with 2.4.7.
> //Hongxu

Thanks for doing this. For the modphp and phpmyadmin upgrades, I actually have
5.5.9 and 4.1.8 build-tested here; once I've tested them at runtime I'll send
a v3 (should be today).

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre