This page collects goals for lenny for the apache2/apr/apr-util/ssl-cert packages and ideas how to implement them. Feel free to comment, but please mark comments as such.
SNI (delayed until lenny+1)
Support for SNI in openssl was added in 0.9.8g-7, already in lenny.
- Perfect solution would be if upstream made a 2.2.x release that includes SNI in time for lenny.
- Since this doesn't look certain, we should decide whether to backport the patch from trunk. If yes, we should do it soon, to get reasonable testing.
- Maybe asking upstream about known open issues would be a good idea.
At least the logging and configuration issues listed in this mail are still open.
thom on IRC: i don't think the outstanding questions will get cleared up and i don't think it'll have enough testing to get shoved in right before a release
SF: We will not backport the patch.
- We need a ssl virtual host example configuration.
- Do we want the default and the ssl virtual hosts to include a common configuration file, or should they be separate files?
Must include the MSIE SSL workaround. 421802
- Do we want ssl-cert integration? If yes, how? If no, README.Debian should document how to create certificates.
SF: I would like to get rid of NameVirtualHost * in favour of NameVirtualHost *:80 and NameVirtualHost *:443 (the latter only if we include SNI).
See this thread
Uploaded in 2.2.9-3
Mysql support for mod_dbd (done)
Uploaded in 2.2.8-5
Support for /srv (done)
Current suexec supports scripts only in /var/www (and in ~*/public_html).
- Layout under /srv is not defined. Could be /srv/www or /srv/hostname/www or something else. Therefore just including a second suexec with /srv or /srv/www instead of /var/www is not optimal.
- Configurable version would be nice.
- Configuration is read on every suexec request. Maybe use symlinks instead of configuration file for performance
- Would be nice if document root and userdir could be disabled separately.
- The original version should still be included.
Allow to disable (done)
Suexec can create local security issues. It would be nice if suexec could be disabled. Either by debconf query or by moving it into a separate package. Maybe two separate packages for original and configurable versions.
- A rewrite fixing all wishlist bug reports is mostly done. Uploaded in 2.2.8-5. Still lacks documentation.
- There is also a wishlist bug about the init script. Would be nice to include that, too.
- At least, it should be possible to have several apache instances running without having to edit any non-conffiles.
Debian wide hardening support seems unlikely for lenny (d-d-a mail). SF: I would be in favour of enabling the things manually for apr*/apache2.
We should decide and implement soon, to get better testing.
- TK: yes, important network-facing applications seem like the right place to start to introduce Hardening features before they are rolled out archive-wide. Good plan.
apr and apr-util is done (except on arm/armel which does not work because of a gcc bug).
apache2 should be next. Probably we should not enable -fpie, because of problems on some architectures. Also, I am not sure if lenny's gdb supports pie.
- remove 2.0 to 2.2 upgrade logic
- remove apache2-mpm-perchild transitional package (done)
- include apache2-mpm-itk into apache2 source package??? Would allow faster testing migration and easier stable-point-releases.
- TK: this mpm is labeled as "highly experimental" and is not produced by the ASF: I'm not so sure that pulling it into the source package is a good idea.
- SF: It lives in its own subdirectory and should not affect the other mpms (this needs to be ensured, of course). Currently, even if everything goes fine, apache2 will take at least two weeks to migrate to testing. And if an architecture lags behind, it takes much longer. Maybe the apache2-mpm-itk source package could be made priority optional (instead of extra).