[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: An initial attempt to help with SSL-related bugs

Hi Steve,

On Tuesday 15 April 2008, Steve Kemp wrote:
> #267477  ssl: some easy way to set up an ssl server
>          (as apache-ssl package in apache 1)
>    - Suggestion:
>      1. Update the sites-available/default to include SSL options.

Yes, but how? Put all common options into an include file and include 
it in each of the two virtual hosts (like Message #132 in the bug)? 
Maybe using two files sites-available/default and 
sites-available/default-ssl would be better even.

And what virtualhost setup to use? The most correct one would be 
NameVirtualHost *:80
<VirtualHost *:80>
<VirtualHost _default_:443>

because the ssl virtual host is IP/port based, not name based. OTOH 
this could create headaches on upgrade.

BTW, the NameVirtualHost statement should go into ports.conf (there is 
another bug about this, too).

>      2. Update "a2enmod" so that if "a2enmod ssl" is executed then
>         a new certificate is generated via openssl | ssl-cert if
>         the referenced one isn't already present.

I would prefer a separate script. But "a2enmod ssl" could print a 
pointer to that script.

> #290458  mod_ssl preventing apache2 from starting (segfault)
>    - Suggestion:  Close.  Very old.  Not confirmed.


> #350733 apache2: SSI generate seg fault on apache 2.0.55-4
>    - Suggestion: Close.  Very old.  Not confirmed.


> #301155 ssl.conf won't run
>    - [Refers to an example file we no longer ship.  Close bug if
>       we can handle #267477]
> #395936: Apache2 SSL service stopped working since upgrade to
> 2.2.3-2
>    - Close.  Warning was added per bug log.

these two are the same and are an issue only when upgrading from 2.0. 
Can be closed for sid/lenny.

> #398520 missing /usr/sbin/apache2-ssl-certificate
>    - Reinstate script, as a wrapper around openssl, or the new
>      ssl-cert package.
>      Question:  Why was this removed?  Can we not re-add it?

Don't know, I wasn't around then. One should look at it if it does 
something differently than ssl-cert.

> #421802 apache2: ssl.conf dropped IE workarounds
>    - Reinstate options in the default file we ship as per
>       #2567477 - then close this bug.


> #260063 apache2: suggestion to add new file - conf.d/security.conf
>    - I would add this file with the suggested comments.  I'd also
> suggest adding comments here about things such as:
>        1. ServerTokens Minimal
>        2. ServerSignature Off

I am undecided about this. If yes, traceenable would be another 

>      (If this were done  #341022 could be closed.)

Denying "/" by default would definitely need a NEWS entry, because it 
would break quite a few setups.

>   I think those are the ones that jumped out at me on an initial
>  pass over the bugs of package 'apache2', I'm sure there are
> probably more relevant ones in the other Apache packages; so I'll
> look at those shortly, if this mail results in a positive response.
>   I guess my questions now are:
>     1.  Are these suggested solutions reasonable?


>     2.  If so should I submit patches to the list / the relevant
>        bugs / do something else?

I think mailing patches to the bugs would be best for a start.

Thanks for your help.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: