Bug 604744 - www-servers/apache: broken SSL config for MSIE
Summary: www-servers/apache: broken SSL config for MSIE
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Lars Wendler (Polynomial-C) (RETIRED)
Reported: 2017-01-05 13:09 UTC by Ortwin Glueck
Modified: 2018-07-16 08:08 UTC
Description Ortwin Glueck 2017-01-05 13:09:42 UTC
The Gentoo configuration for the default SSL vhost is shipped with the patch in gentoo-apache-2.4.18-r1-20160303.tar.bz2. The file conf/vhosts.d/00_default_ssl_vhost.conf contains the following directive:

<IfModule setenvif_module>
   BrowserMatch ".*MSIE.*" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
</IfModule>

This will match too many IE versions (and possibly other browsers) which do not require those workarounds and it is even harmful. Please note that upstream actually ships a different version of this directive, see https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in :

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

See also this blog entry for more details:
https://blogs.msdn.microsoft.com/ieinternals/2011/03/26/https-and-keep-alive-connections/

Gentoo should ship a default that works with non-stoneage browsers too :-)
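
Added example (not part of the original report and not Gentoo's or Apache's code): a small Python check that parses the two BrowserMatch directives quoted in the description and shows which clients each pattern flags for the keep-alive and HTTP/1.0 workarounds. The User-Agent strings are constructed samples, and Python's `re` stands in for Apache's regex engine, an assumption that holds for these simple patterns.

```python
import re
import shlex

# Directives as quoted in the report (Gentoo default vs. upstream).
GENTOO_CONF = r'''<IfModule setenvif_module>
   BrowserMatch ".*MSIE.*" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
</IfModule>
'''
UPSTREAM_CONF = r'''BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
'''

# Constructed User-Agent strings in typical formats (not from the report).
SAMPLE_UAS = {
    "IE 4.01": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "IE 6.0": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "IE 10.0": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
}

def browsermatch_rules(conf_text):
    """Return (compiled_regex, [env vars]) for each BrowserMatch directive."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # fold backslash continuations
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 3 and tokens[0].lower() in ("browsermatch", "browsermatchnocase"):
            flags = re.I if tokens[0].lower().endswith("nocase") else 0
            rules.append((re.compile(tokens[1], flags), tokens[2:]))
    return rules

def affected(conf_text, uas=SAMPLE_UAS):
    """Map each sample browser to the env vars the config would set for it."""
    rules = browsermatch_rules(conf_text)  # patterns are unanchored: use search()
    return {name: [v for rx, names in rules if rx.search(ua) for v in names]
            for name, ua in uas.items()}

if __name__ == "__main__":
    for label, conf in (("gentoo", GENTOO_CONF), ("upstream", UPSTREAM_CONF)):
        for name, envs in affected(conf).items():
            print(f"{label:8} {name:8} -> {' '.join(envs) or '(no workaround)'}")
```

Run against a real vhost file by passing its contents to `affected()`; any modern client that comes back with `nokeepalive` or `downgrade-1.0` is being penalised by an overly broad pattern.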
Comment 1 Michael Orlitzky gentoo-dev 2018-07-16 01:46:18 UTC
I'm pretty sure we can delete that line now. Even Windows 98 can run IE6.
Comment 2 Larry the Git Cow gentoo-dev 2018-07-16 08:05:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/apache.git/commit/?id=2e25601450315b6343daec1c7b928dabbd4c374d

commit 2e25601450315b6343daec1c7b928dabbd4c374d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-07-16 08:03:43 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-07-16 08:03:43 +0000

    Don't perform SSL exceptions for MSIE anymore.
    
    Bug: https://bugs.gentoo.org/604744

 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 5 -----
 1 file changed, 5 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2018-07-16 08:08:28 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8c74bd1ef305496ced3f231fb93c9e1de05575f

commit d8c74bd1ef305496ced3f231fb93c9e1de05575f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-07-16 08:08:20 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-07-16 08:08:20 +0000

    www-servers/apache: New tarball without MSIE SSL exception.
    
    Closes: https://bugs.gentoo.org/604744
    Package-Manager: Portage-2.3.42, Repoman-2.3.9

 www-servers/apache/Manifest             | 1 +
 www-servers/apache/apache-2.4.34.ebuild | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)