Re: [users@httpd] CVE-2033-44487

2023-10-20 Thread Frank Gingras
Yes, you need to upgrade to 2.4.58, and make sure your system has nghttp2
.57 installed.

On Thu, Oct 19, 2023 at 7:31 PM Brian Southern wrote:

> Has anyone been able to definitively determine if Apache HTTP 2.4.53 is
> vulnerable to CVE-2023-44487?  I've found forums where users and apparent
> sysadmins indicate it may be, however the only reference to this CVE I've
> been able to locate on Apache.org is as a comment made within another CVE
> vulnerability fix report.
>
> thank you.
>


Re: [users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Rainer Canavan
On Fri, Oct 20, 2023 at 5:31 PM Marc  wrote:

[...]
> >ServerAlias test.*.*
[...]
> >
> > A trivial and safe way if you need a solution asap might involve declaring
> > a  for each host.
>
> I would like to have single access/error log for all these serveralias matches.

That's no problem, multiple vhosts can write into the same access/error logs.

> > I’ve not seen globbing/wildcarding like this, and also makes me curious is
> > it possible to get a public key signed by a CA with this globbing pattern?
>
> yes I am getting the certs like this. I just want to prevent creating the vhosts

I think what he meant is whether CAs issue wildcard certificates like
test.*.*. They don't, and that wouldn't work anyway, since only one *
is allowed, only at the beginning, and only representing a single
level of host names.

Concerning your problem, I think you're stuck with creating multiple
vhosts if you want to use httpd with multiple separate certificates.
If you can get a single certificate with all your hostnames as SAN
entries, that would work as well.

As an alternative, you could use OpenResty as an SSL offloader, and
load your certificates on demand using some lua code in
ssl_certificate_by_lua_block
(https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
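
The per-host vhost approach from the reply above, written with mod_macro so each host costs one line and all of them share one access/error log. This is an added example, not configuration posted in the thread; the hostnames and certificate paths follow the original question, while the key paths, log paths, log format and macro name are assumptions. It requires mod_ssl and mod_macro to be loaded.

```apache
# Added example (constructed): one vhost per certificate, generated from a macro.
# Key paths, log paths and the macro name TestVHost are assumptions.

<Macro TestVHost $domain>
    <VirtualHost *:443>
        # Exact name only: certificate selection is done per vhost via SNI,
        # so no ServerAlias wildcard is needed here.
        ServerName test.$domain

        SSLEngine on
        SSLCertificateFile    "/etc/pki/tls/certs/$domain.crt"
        SSLCertificateKeyFile "/etc/pki/tls/private/$domain.key"

        # Same files in every generated vhost; %v records which vhost served
        # the request so entries stay distinguishable in the shared log.
        ErrorLog  "logs/test_error_log"
        CustomLog "logs/test_access_log" "%v %h %l %u %t \"%r\" %>s %b"
    </VirtualHost>
</Macro>

# One line per host/certificate pair.
Use TestVHost example.com
Use TestVHost example.net

# Drop the macro definition once the vhosts are generated.
UndefMacro TestVHost
```

Running `apachectl -S` after a reload lists the generated vhosts, which is a quick way to confirm each name landed in its own vhost.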



[users@httpd] Unable to build Apache httpd

2023-10-20 Thread Daga, Navin (Navin)
I'm trying to build Apache httpd RPM from the source tarball as mentioned in 
https://httpd.apache.org/docs/2.4/install.html

However, it always fails with the error "libtool:   error: require no space 
between '-L' and '-R'"

Complete Error :
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc   -o 
htpasswd  htpasswd.lo passwd_common.lo   -L -R -laprutil-1 -ldb-5.3 -lexpat
/usr/lib64/libapr-1.la -lpthread -lcrypt
libtool:   error: require no space between '-L' and '-R'
make[2]: *** [Makefile:48: htpasswd] Error 1
make[2]: Leaving directory '/httpd-2.4.58/support'
make[1]: *** [/httpd-2.4.58/build/rules.mk:75: all-recursive] Error 1
make[1]: Leaving directory '/httpd-2.4.58/support'
make: *** [/httpd-2.4.58/build/rules.mk:75: all-recursive] Error 1

Tried building an older version and got the same error, and did not find anything
when searching for similar errors.

Any help on what this could be?

Thanks


RE: [users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Marc





F1 Outsourcing Development Sp. z o.o.
Poland 

t:  +48 (0)12 4207 835
e:  m...@f1-outsourcing.eu

> -----Original Message-----
> From: Will Fatherley 
> Sent: Friday, 20 October 2023 16:04
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] dynamic ssl cert/key selection
> 
> 
> Is there a way to choose what ssl certs/keys to load when you have
> something like
>
>  ServerAlias test.*.*
>
> So when host test.example.com is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
>
>
> So when host test.example.net is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"
>
> 
> A trivial and safe way if you need a solution asap might involve declaring
> a  for each host.

I would like to have single access/error log for all these serveralias matches.

> I’ve not seen globbing/wildcarding like this, and also makes me curious is
> it possible to get a public key signed by a CA with this globbing pattern?

yes I am getting the certs like this. I just want to prevent creating the vhosts





Re: [users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Will Fatherley
> Is there a way to choose what ssl certs/keys to load when you have
> something like
>
>  ServerAlias test.*.*
>
> So when host test.example.com is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
>
>
> So when host test.example.net is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"


A trivial and safe way if you need a solution asap might involve declaring
a  for each host.

I’ve not seen globbing/wildcarding like this, and also makes me curious is
it possible to get a public key signed by a CA with this globbing pattern?
If it’s not, there’s probably a good reason, and it might therefore be a
reason to avoid designing it into your configurations.

A helpful hint for you is to look at the “context” entry for each directive
you want to use in the man pages. SSLCertificateFile, as seen in the
mod_ssl man page, has “server config” and “virtual host” contexts listed.
This indicates that it can’t be used in an  directive. That doesn’t
mean it’s not possible to have some idiomatic and/or elegant solution that
involves the globbing pattern.


[users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Marc
Is there a way to choose what ssl certs/keys to load when you have something like

 ServerAlias test.*.*

So when host test.example.com is serviced, that it will get 

SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"


So when host test.example.net is serviced, that it will get 

SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"