Differences between revisions 5 and 6
Revision 5 as of 2008-03-18 15:29:12
Size: 3969
Comment:
Revision 6 as of 2008-03-19 21:24:53
Size: 4147
Editor: ?StefanFritsch
Comment:
Deletions are marked like this. Additions are marked like this.
Line 10: Line 10:
Support for SNI in openssl was added in 0.9.8g-7, currently in unstable. Support for SNI in openssl was added in 0.9.8g-7, already in lenny.
Line 15: Line 15:
 * At least the logging and configuration issues listed in this [http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/<47B4B319.7040304%40apache.org> mail] are still open.

This page collects goals for lenny for the apache2/apr/apr-util/ssl-cert packages and ideas how to implement them. Feel free to comment, but please mark comments as such.

SSL

SNI

[http://weblogs.mozillazine.org/gerv/archives/2007/08/virtual_hosting_ssl_and_sni.html TLS Server Name Indication] support is in upstream trunk but not in 2.2.x. See [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461917 #461917] [http://issues.apache.org/bugzilla/show_bug.cgi?id=34607 PR34607]

Support for SNI in openssl was added in 0.9.8g-7, already in lenny.

  • Perfect solution would be if upstream made a 2.2.x release that includes SNI in time for lenny.
  • Since this doesn't look certain, we should decide whether to backport the patch from trunk. If yes, we should do it soon, to get reasonable testing.
  • Maybe asking upstream about known open issues would be a good idea.
  • At least the logging and configuration issues listed in this [http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/<47B4B319.7040304%40apache.org> mail] are still open.

Configuration

  • We need a ssl virtual host example configuration.
  • Do we want ssl-cert integration? If yes, how? If no, README.Debian should document how to create certificates.
  • SF: I would like to get rid of NameVirtualHost * in favour of NameVirtualHost *:80 and NameVirtualHost *:443 (the latter only if we include SNI).

Mysql support for mod_dbd

Either mysql [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=450535 #450535] or php-mysql [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469081 #469081] needs to change first. The latter seems more realistic.

Once this is done, changing apr-util is simple.

Suexec

Support for /srv

Current suexec supports scripts only in /var/www (and in ~*/public_html).

  • Layout under /srv is not defined. Could be /srv/www or /srv/hostname/www or something else. Therefore just including a second suexec with /srv or /srv/www instead of /var/www is not optimal.
  • Configurable version would be nice.
    • Configuration is read on every suexec request. Maybe use symlinks instead of configuration file for performance
    • Would be nice if document root and userdir could be disabled separately.
  • The original version should still be included.

Allow to disable

Suexec can create local security issues. It would be nice if suexec could be disabled. Either by debconf query or by moving it into a separate package. Maybe two separate packages for original and configurable versions.

a2scripts

[http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=apache2&users=sf@sfritsch.de&include=tags:a2scripts bug reports]

  • A rewrite fixing all wishlist bug reports is mostly done. Needs testing/uploading.
  • There is also a wishlist bug about the init script. Would be nice to include that, too.
  • At least, it should be possible to have several apache instances running without having to edit any non-conffiles.

Hardening

Debian wide hardening support seems unlikely for lenny ([http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html d-d-a mail]). SF: I would be in favour of enabling the things manually for apr*/apache2.

We should decide and implement soon, to get better testing.

  • TK: yes, important network-facing applications seem like the right place to start to introduce Hardening features before they are rolled out archive-wide. Good plan.

Cleanup

  • remove 2.0 to 2.2 upgrade logic
  • remove apache2-mpm-perchild transitional package
  • include apache2-mpm-itk into apache2 source package??? Would allow faster testing migration and easier stable-point-releases.
    • TK: this mpm is labeled as "highly experimental" and is not produced by the ASF: I'm not so sure that pulling it into the source package is a good idea.