Hello community,
here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2018-11-06 15:34:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
and /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2"
Tue Nov 6 15:34:28 2018 rev:151 rq:645904 version:2.4.37
Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2018-10-29 14:56:51.245716852 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2018-11-06 15:34:39.335678254 +0100
@@ -1,0 +2,7 @@
+Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte
+
+- the "event" MPM is fully supported since 2.4
+- configure an OCSP stapling cache by default (still requires enabling
+ SSLUseStapling in vhost)
+
+-------------------------------------------------------------------
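Review bot: The second changelog entry says stapling "still requires enabling SSLUseStapling in vhost", but this same commit adds "SSLUseStapling on" to apache2-vhost-ssl.template, so vhosts created from the template will have stapling switched on. Suggest an extra line such as "- enable SSLUseStapling in the SSL vhost template" so the entry matches what ships. The first entry would also be clearer if it said that the "experimental" wording was dropped from the event subpackage description, since that is the change made in apache2.spec.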
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.wXf5Po/_old 2018-11-06 15:34:41.395675133 +0100
+++ /var/tmp/diff_new_pack.wXf5Po/_new 2018-11-06 15:34:41.399675127 +0100
@@ -264,8 +264,7 @@
process dies it will not affect other servers.
%description event
-The event MPM (multi-Processing Module) is experimental, so it may or
-may not work as expected.
+"event" MPM (multi-Processing Module)
It uses a separate thread to handle Keep Alive requests and accepting
connections. Keep Alive requests have traditionally required httpd to
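Review bot: The replacement line in %description event, '"event" MPM (multi-Processing Module)', is a fragment with no verb, and the following "It uses a separate thread ..." no longer has a sentence to refer back to. Suggest a full sentence, for example "The event MPM (Multi-Processing Module) uses a separate thread to handle Keep Alive requests and accepting connections.", and capitalising "Multi" while the line is being touched.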
++++++ apache2-ssl-global.conf ++++++
--- /var/tmp/diff_new_pack.wXf5Po/_old 2018-11-06 15:34:41.723674636 +0100
+++ /var/tmp/diff_new_pack.wXf5Po/_new 2018-11-06 15:34:41.723674636 +0100
@@ -46,12 +46,27 @@
#SSLSessionCache dbm:/var/lib/apache2/ssl_scache
#</IfModule>
- <IfModule mod_socache_shmcb.c>
+ <IfModule mod_socache_shmcb.c>
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
- </IfModule>
+ </IfModule>
SSLSessionCacheTimeout 300
+ # Configures the cache used to store OCSP responses which get included in
+ # the TLS handshake if SSLUseStapling is enabled. Configuration of a cache
+ # is mandatory for OCSP stapling. With the exception of none and nonenotnull,
+ # the same storage types are supported as with SSLSessionCache.
+ #<IfModule mod_socache_dbm.c>
+ #SSLStaplingCache dbm:/var/lib/apache2/ssl_stapling
+ #</IfModule>
+
+ <IfModule mod_socache_shmcb.c>
+ SSLStaplingCache shmcb:/var/lib/apache2/ssl_stapling(64000)
+ </IfModule>
+
+ SSLStaplingStandardCacheTimeout 86400
+ SSLStaplingErrorCacheTimeout 300
+ SSLStaplingReturnResponderErrors Off
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
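Review bot: SSLStaplingCache is set only inside "<IfModule mod_socache_shmcb.c>" (the dbm alternative is commented out), yet the new comment states that a cache is mandatory for OCSP stapling. Where mod_socache_shmcb is not loaded, no stapling cache is defined while the vhost template in this commit sets "SSLUseStapling on"; the comment should name the module that has to be loaded, or the template default should be reconsidered. The three directives SSLStaplingStandardCacheTimeout 86400, SSLStaplingErrorCacheTimeout 300 and SSLStaplingReturnResponderErrors Off are added without any comment explaining the chosen values, unlike the rest of this file. The -/+ pairs on the SSLSessionCache "<IfModule>" lines show identical text on both sides and look like whitespace-only changes; they would be easier to review as a separate change.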
@@ -72,13 +87,13 @@
# SSL protocols
# Allow TLS version 1.2 only, which is a recommended default these days
- # by international information security standards.
+ # by international information security standards.
SSLProtocol TLSv1.2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# SSLHonorCipherOrder
# If SSLHonorCipherOrder is disabled, then the client's preferences
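Review bot: Both -/+ pairs in this hunk (the "by international information security standards." comment and the SSLCipherSuite line) show identical text on the removed and added side, so they appear to be whitespace-only changes mixed into a functional commit. For a line as long and as security-relevant as SSLCipherSuite, a reviewer cannot confirm by eye that no cipher was added or dropped. Suggest moving the whitespace cleanup to its own change, or stating in apache2.changes that the cipher list is unchanged.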
++++++ apache2-vhost-ssl.template ++++++
--- /var/tmp/diff_new_pack.wXf5Po/_old 2018-11-06 15:34:41.739674612 +0100
+++ /var/tmp/diff_new_pack.wXf5Po/_new 2018-11-06 15:34:41.743674606 +0100
@@ -35,6 +35,10 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ # OCSP Stapling:
+ # Enable/Disable OCSP for this virtual host.
+ SSLUseStapling on
+
# You can use per vhost certificates if SNI is supported.
SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key
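Review bot: The added comment reads "Enable/Disable OCSP for this virtual host", but the directive below it, SSLUseStapling, controls OCSP stapling rather than OCSP as such; suggest "Enable/Disable OCSP stapling for this virtual host". Since the template now ships with the setting on, the comment should also point out that it relies on the SSLStaplingCache defined in apache2-ssl-global.conf.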