Debian Bug report logs - #267477
ssl: some easy way to set up an ssl server (as apache-ssl package in apache 1)
Reported by: txemi <txemi2@euskalnet.net>
Date: Sun, 22 Aug 2004 21:03:01 UTC
Severity: important
Found in versions 2.0.50-9, 2.0.52-1, 2.0.52-3
Fixed in version apache2/2.2.9-3
Done: Stefan Fritsch <sf@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#267477; Package apache2.
(full text, mbox, link).
Acknowledgement sent to txemi <txemi2@euskalnet.net>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: apache2
Version: 2.0.50-9
Severity: wishlist
With apache 1 setting up an ssl apache server in debian was as easy as:
apt-get install apache-ssl
This way allowed non apache experts to set up an ssl server without
needing to know apache configuration options and avoiding making configuration
mistakes.
I cannot find some similar thing in apache2 packages, and it seems it is
not enough using a2enmod to load ssl, as I need some configuration
options in /etc/apache2/apache2.conf. Some of them are placed in
/etc/apache2/mods-available/ssl.conf but as I said, it does not seem
to be enough loading ssl module with a2enmod to get a working ssl
server. I prefer not messing with /etc/apache2/apache2.conf because I am
sure package maintainer knows much more than me and I could break
something.
I have seen some people use virtual hosts to have an ssl apache server
listening on other port. Could it be as easy as adding a new file to
/etc/apache2/sites-available/ to get apache server listening ssl on port
443? This file could be linked from /etc/apache2/sites-enabled/ by
administrators like me to get it to work with no risk to break anything.
This would be even cleaner than solution adopted in apache 1 packages
because only one apache service in /etc/init.d would be used.
thanks,
txemi.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.0.50-9 Traditional model for Apache2
-- no debconf information
Acknowledgement sent to "Sam Snow" <sam.snow@christianheritageschool.org>:
Extra info received and forwarded to list.
Message #10 received at 267477@bugs.debian.org (full text, mbox, reply):
Here is a rough outline of how to get Apache2 SSL working. I agree that
the package could be more SSL friendly out of the box. I came here to file
a bug myself ;-).
Steps:
1. Have Apache working without SSL!
2. Generate your SSLCertificateFile and SSLCertificateKeyFile files. I
used the newcert-ca.sh script at http://www.openssl.org/contrib/ . If you
go this route be sure to read the script before you start running it so
that you understand what you are doing. You will run it one time to create
a CA and a second time calling that CA to create the files for your
server.
3. Copy the .key and .cert over to the /etc/apache2/ssl/ directory so that
they are easy to get to.
4. Copy your sites-available/default file and call it default-ssl.
***Including this file already set up is something that the APACHE2 .deb
could be doing at install time.***
5. Edit your new default-ssl as follows. The first two lines you will just
edit what is there. The stuff inside the # SSL STUFF + bars will be
inserted after the <VirtualHost *:443> line:
NameVirtualHost *:443
<VirtualHost *:443>
# SSL STUFF (START) ++++++++++++++++++++++++++++++++++++++++++++++++++++
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server_cert_name_httpsd.cert
SSLCertificateKeyFile /etc/apache2/ssl/server_key_name_httpsd.key
# see http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html for the meaning of below.
# The following enables only the seven strongest ciphers.
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
# SSL STUFF (END) +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6. Run "a2enmod" and make sure that ssl is enabled.
7. Make sure the ports.conf line contains both a "Listen 80" and a "Listen
443" line.
8. Test your setup by running "apache2 -D SSL -S". The results should look
something like these below:
littleguy:/etc/apache2/sites-enabled# apache2 -D SSL -S
apache2: Could not determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server 127.0.0.1 (/etc/apache2/sites-enabled/default-ssl:2)
port 443 namevhost 127.0.0.1
(/etc/apache2/sites-enabled/default-ssl:2)
*:80 is a NameVirtualHost
default server 127.0.0.1 (/etc/apache2/sites-enabled/default:2)
port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/default:2)
Syntax OK
9. "/etc/init.d/apache2 restart" and then go test your SSL (and nonSSL)
pages.
Debian Apache Maintainers -- Could y'all include at least a sample
default-ssl file and some terse documentation in the README?
Thanks,
Sam
Acknowledgement sent to admin@cs.montana.edu:
Extra info received and forwarded to list.
Message #15 received at 267477@bugs.debian.org (full text, mbox, reply):
I just installed apache2, and then spent 2 hours trying to get https
support working.
There is no documentation on getting https support in apache.
Following the directions mentioned made it trivial.
This should definitely be documented.
This should definitely be included as a help documentation.
eg:
in /usr/share/doc/apache2/enable-https.txt.gz or similar.
This will raise a lot of questions when people upgrade wholesale to
apache2 and try and get https working.
This is a trivial fix, and prevents a lot of needless questions.
--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
Acknowledgement sent to The Anarcat <anarcat@anarcat.ath.cx>:
Extra info received and forwarded to list.
Message #20 received at 267477@bugs.debian.org (full text, mbox, reply):
Package: apache2
Version: 2.0.52-1
Followup-For: Bug #267477
Excellent solution presented here... There is only one thing missing:
# a2ensite default-ssl
otherwise the new "site" doesn't load. Also, packagers or admins might
want to factor out common code in the 2 default site setups.
thank you very much, Sam!
A.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.24
Locale: LANG=fr_CA, LC_CTYPE=fr_CA (charmap=ISO-8859-1) (ignored: LC_ALL set to fr_CA.ISO8859-1)
Versions of packages apache2 depends on:
pn apache2-mpm-worker | apache2- Not found.
Acknowledgement sent to Olaf van der Spek <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #25 received at 267477@bugs.debian.org (full text, mbox, reply):
Hi,
Instead of just an easy way to enable SSL/TLS, I'd like to see it
enabled by default. :)
Anyway:
Step 3 and 4 can be replaced by running /usr/sbin/apache2-ssl-certificate
In step 5 you can use
SSLCertificateFile /etc/apache2/ssl/apache.pem
and SSLCertificateKeyFile isn't needed.
--
Olaf van der Spek
http://xccu.sf.net/
Acknowledgement sent to "Sam Snow" <sam.snow@christianheritageschool.org>:
Extra info received and forwarded to list.
Message #30 received at 267477@bugs.debian.org (full text, mbox, reply):
Regarding the comment saying that the SSLCertificateKeyFile Directive was
not needed, this advice should be taken with a grain of salt. Quoting from
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcertificatekeyfile
(emphasis added):
"This directive points to the PEM-encoded Private Key file for the server.
If the Private Key is not combined with the Certificate in the
SSLCertificateFile, use this additional directive to point to the file
with the stand-alone Private Key. ******When SSLCertificateFile is used
and the file contains both the Certificate and the Private Key this
directive need not be used. But we strongly discourage this practice.
Instead we recommend you to separate the Certificate and the Private
Key.****** If the contained Private Key is encrypted, the Pass Phrase
dialog is forced at startup time. This directive can be used up to two
times (referencing different filenames) when both a RSA and a DSA based
private key is used in parallel."
So, it can go either way depending on how you have things set up. I chose
to go with the apache suggested setup. The apache-ssl (apache v1)
httpd.conf includes the following text (which pretty much walks you
through whether to use this Key directive or not):
"
# Point SSLCertificateFile at a PEM encoded certificate.
# If the certificate is encrypted, then you will be prompted for a pass phrase.
# Note that a kill -1 will prompt again.
# A test certificate can be generated with "make certificate".
SSLCertificateFile /etc/apache-ssl/apache.pem
#SSLCertificateFile /u/ben/apache/apache_1.2.6-ssl/SSLconf/conf/t1.pem
# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "<default>/private/<keyfile>".
#SSLCertificateKeyFile /some/place/with/your.key
"
Sam
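
Added example, not part of the original thread: the mod_ssl documentation quoted above recommends keeping the private key out of the certificate file. This shell script splits a combined PEM such as /etc/apache2/ssl/apache.pem into separate certificate and key files and creates the key owner-only. The function names and the sample PEM (placeholder bodies, not real key material) are constructed for illustration.

```shell
#!/bin/sh
# split_pem COMBINED CERT_OUT KEY_OUT
# Copies the CERTIFICATE block(s) to CERT_OUT and the PRIVATE KEY block to
# KEY_OUT. The key file ends up readable by its owner only (0600).
split_pem() {
    combined=$1; cert_out=$2; key_out=$3
    [ -r "$combined" ] || { echo "cannot read $combined" >&2; return 2; }

    # The certificate is public, default permissions are fine.
    awk '/^-----BEGIN CERTIFICATE-----$/ { on = 1 }
         on { print }
         /^-----END CERTIFICATE-----$/   { on = 0 }' "$combined" > "$cert_out"

    # Create the key file under a restrictive umask so it is never
    # world-readable, not even briefly.
    (
        umask 077
        awk '/^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$/ { on = 1 }
             on { print }
             /^-----END ([A-Z]+ )?PRIVATE KEY-----$/   { on = 0 }' \
            "$combined" > "$key_out"
    )
    chmod 600 "$key_out"   # covers a pre-existing file with wider permissions

    if [ ! -s "$cert_out" ] || [ ! -s "$key_out" ]; then
        echo "$combined does not hold both a certificate and a key" >&2
        rm -f "$cert_out" "$key_out"
        return 1
    fi
}

# key_is_private FILE: succeeds only if group and others have no access.
key_is_private() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# ssl_directives CERT KEY: the two mod_ssl lines for the virtual host.
ssl_directives() {
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

# write_sample_pem FILE: constructed stand-in for a combined apache.pem.
# The bodies are placeholders, not real key material.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIta2V5LW5vdC1yZWFs
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItY2VydC1ub3QtcmVhbA==
-----END CERTIFICATE-----
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_pem "$dir/apache.pem"
    split_pem "$dir/apache.pem" "$dir/apache.crt" "$dir/apache.key" &&
        ssl_directives /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key
    rm -rf "$dir"
}
demo
```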
Acknowledgement sent to Thom May <thom@debian.org>:
Extra info received and forwarded to list.
Message #35 received at 267477@bugs.debian.org (full text, mbox, reply):
* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
> Hi,
>
> Instead of just an easy way to enable SSL/TLS, I'd like to see it
> enabled by default. :)
>
> Anyway:
> Step 3 and 4 can be replaced by running /usr/sbin/apache2-ssl-certificate
>
> In step 5 you can use
> SSLCertificateFile /etc/apache2/ssl/apache.pem
> and SSLCertificateKeyFile isn't needed.
Tried that, far more pain than we need.
-Thom
Acknowledgement sent to Olaf van der Spek <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #40 received at 267477@bugs.debian.org (full text, mbox, reply):
Thom May wrote:
> * Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
>
>>Hi,
>>
>>Instead of just an easy way to enable SSL/TLS, I'd like to see it
>>enabled by default. :)
>>
>>Anyway:
>>Step 3 and 4 can be replaced by running /usr/sbin/apache2-ssl-certificate
>>
>>In step 5 you can use
>>SSLCertificateFile /etc/apache2/ssl/apache.pem
>>and SSLCertificateKeyFile isn't needed.
>
> Tried that, far more pain than we need.
What exactly was tried and what pain was caused?
Acknowledgement sent to Thom May <thom@debian.org>:
Extra info received and forwarded to list.
Message #45 received at 267477@bugs.debian.org (full text, mbox, reply):
* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
> Thom May wrote:
> >* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
> >
> >>Hi,
> >>
> >>Instead of just an easy way to enable SSL/TLS, I'd like to see it
> >>enabled by default. :)
> >>
> >>Anyway:
> >>Step 3 and 4 can be replaced by running /usr/sbin/apache2-ssl-certificate
> >>
> >>In step 5 you can use
> >>SSLCertificateFile /etc/apache2/ssl/apache.pem
> >>and SSLCertificateKeyFile isn't needed.
> >
> >Tried that, far more pain than we need.
>
> What exactly was tried and what pain was caused?
>
Generating an ssl cert during install, and setting up apache to use it.
See the many archived bugs from the time.
If we can sensibly use debconf to ask the questions, then i may reinstate
something like this post sarge.
-Thom
Acknowledgement sent to "Olaf van der Spek" <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #50 received at 267477@bugs.debian.org (full text, mbox, reply):
>* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
>> Thom May wrote:
>> >* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
>> >
>> >>Hi,
>> >>
>> >>Instead of just an easy way to enable SSL/TLS, I'd like to see it
>> >>enabled by default. :)
>> >>
>> >>Anyway:
>> >>Step 3 and 4 can be replaced by running
>> >>/usr/sbin/apache2-ssl-certificate
>> >>
>> >>In step 5 you can use
>> >>SSLCertificateFile /etc/apache2/ssl/apache.pem
>> >>and SSLCertificateKeyFile isn't needed.
>> >
>> >Tried that, far more pain than we need.
>>
>> What exactly was tried and what pain was caused?
>>
> Generating an ssl cert during install, and setting up apache to use it.
> See the many archived bugs from the time.
> If we can sensibly use debconf to ask the questions, then i may reinstate
> something like this post sarge.
I'll try.
But would it be possible (pre Sarge) to provide a
/etc/apache2/sites-available/ssl
so that apache2-ssl-certificate && a2enmod ssl && a2ensite ssl &&
invoke-rc.d apache reload
activates SSL?
> -Thom
>
Acknowledgement sent to Thom May <thom@debian.org>:
Extra info received and forwarded to list.
Message #55 received at 267477@bugs.debian.org (full text, mbox, reply):
* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
> >Generating an ssl cert during install, and setting up apache to use it.
> >See the many archived bugs from the time.
> >If we can sensibly use debconf to ask the questions, then i may reinstate
> >something like this post sarge.
>
> I'll try.
> But would it be possible (pre Sarge) to provide a
> /etc/apache2/sites-available/ssl
> so that apache2-ssl-certificate && a2enmod ssl && a2ensite ssl &&
> invoke-rc.d apache reload
> activates SSL?
>
NO.
We have to be interactive to use apache2-ssl-certificate, and that BREAKS
the buildds.
-T
Acknowledgement sent to "Olaf van der Spek" <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #60 received at 267477@bugs.debian.org (full text, mbox, reply):
>* Olaf van der Spek (OvdSpek@LIACS.NL) wrote :
>> >Generating an ssl cert during install, and setting up apache to use it.
>> >See the many archived bugs from the time.
>> >If we can sensibly use debconf to ask the questions, then i may
>> >reinstate
>> >something like this post sarge.
>>
>> I'll try.
>> But would it be possible (pre Sarge) to provide a
>> /etc/apache2/sites-available/ssl
>> so that apache2-ssl-certificate && a2enmod ssl && a2ensite ssl &&
>> invoke-rc.d apache reload
>> activates SSL?
>>
> NO.
> We have to be interactive to use apache2-ssl-certificate, and that BREAKS
> the buildds.
My idea was to let the user execute that if he wants to activate SSL.
Does only adding /etc/apache2/sites-available/ssl break anything?
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list.
Message #65 received at 267477@bugs.debian.org (full text, mbox, reply):
* Olaf van der Spek:
> Instead of just an easy way to enable SSL/TLS, I'd like to see it
> enabled by default. :)
This would be a questionable change because it unnecessarily exposes
more program code to potential attacks.
Acknowledgement sent to Olaf van der Spek <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #70 received at 267477@bugs.debian.org (full text, mbox, reply):
Florian Weimer wrote:
> * Olaf van der Spek:
>>Instead of just an easy way to enable SSL/TLS, I'd like to see it
>>enabled by default. :)
>
> This would be a questionable change because it unnecessarily exposes
> more program code to potential attacks.
That's true, I guess being able to enable it with a single command would
suffice.
Acknowledgement sent to txemi <txemi2@euskalnet.net>:
Extra info received and forwarded to list.
Message #75 received at 267477@bugs.debian.org (full text, mbox, reply):
Package: apache2
Version: 2.0.52-3
Followup-For: Bug #267477
Well, with all the above information and my own experience I will put
here the minimum number of steps to get it to work.
0) have apache working without SSL (easy: apt-get install apache2)
1) exec "a2enmod ssl"
2) add "Listen 443" to /etc/apache2/ports.conf
3) exec "apache2-ssl-certificate"
4) exec "cp /etc/apache2/sites-available/default /etc/apache2/sites-available/myown-ssl"
5) edit /etc/apache2/sites-available/myown-ssl
change <VirtualHost *> to <VirtualHost *:443>
add this just before </VirtualHost>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
6) exec "a2ensite myown-ssl"
7) exec "/etc/init.d/apache2 restart"
There are other ways, but I think this is the minimal set of steps if you
want to get it quickly to work. Then you should tune it for yourself.
I think this info should appear in /usr/share/doc/apache2
txemi.
 __________________________________
< hello, I am a horrible signature >
 ----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
txemi <txemi2@euskalnet.net>
web: http://txemi.webhop.org
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.0.52-3 Traditional model for Apache2
-- no debconf information
Acknowledgement sent to txemi <txemi2@euskalnet.net>:
Extra info received and forwarded to list.
Message #80 received at 267477@bugs.debian.org (full text, mbox, reply):
Sorry, in previous message I forgot a detail in point 5. I rewrite the
complete list:
0) have apache working without SSL (easy: apt-get install apache2)
1) exec "a2enmod ssl"
2) add "Listen 443" to /etc/apache2/ports.conf
3) exec "apache2-ssl-certificate"
4) exec "cp /etc/apache2/sites-available/default /etc/apache2/sites-available/myown-ssl"
5) edit /etc/apache2/sites-available/myown-ssl
change NameVirtualHost * to NameVirtualHost *:443
change <VirtualHost *> to <VirtualHost *:443>
add this just before </VirtualHost>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
6) exec "a2ensite myown-ssl"
7) exec "/etc/init.d/apache2 restart"
--
 __________________________________
< hello, I am a horrible signature >
 ----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
email: txemi2@euskalnet.net
web: http://txemi.webhop.org
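
Added example, not part of the original message or of the Debian package: a shell pre-flight check for the steps listed above, reporting which one is still missing before Apache is restarted. The function names, the SYSROOT argument and the sample tree are assumptions of this example; mods-enabled/ssl.load is the link that "a2enmod ssl" creates.

```shell
#!/bin/sh
# check_ssl_setup [SYSROOT]
# SYSROOT is an assumption of this example so the check can run against a
# copy of /etc; empty means the live system. Prints one line per problem
# and returns non-zero if any was found.
check_ssl_setup() {
    root=${1:-}
    conf=$root/etc/apache2
    problems=0

    # Step 1: "a2enmod ssl" links mods-enabled/ssl.load. Without the module
    # Apache rejects SSLEngine as an invalid command.
    [ -e "$conf/mods-enabled/ssl.load" ] ||
        report "mod_ssl is not enabled (a2enmod ssl)"

    # Step 2: a "Listen 443" in ports.conf or in an enabled site.
    grep -Eqs '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443[[:space:]]*$' \
        "$conf/ports.conf" "$conf"/sites-enabled/* ||
        report "nothing listens on port 443"

    # Steps 4-6: an enabled site with a :443 vhost and "SSLEngine on".
    ssl_site=
    for f in "$conf"/sites-enabled/*; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]][^>]*:443>' "$f" &&
           grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f"; then
            ssl_site=$f
            break
        fi
    done

    if [ -z "$ssl_site" ]; then
        report "no enabled site has a :443 VirtualHost with SSLEngine on (a2ensite)"
    else
        # Step 3: every certificate or key file that site names must be
        # readable. (Paths containing spaces are not handled.)
        for p in $(awk 'tolower($1) ~ /^sslcertificate(key)?file$/ { print $2 }' "$ssl_site"); do
            [ -r "$root$p" ] || report "$p is missing or unreadable"
        done
    fi
    [ "$problems" -eq 0 ]
}

report() {
    echo "PROBLEM: $*"
    problems=$((problems + 1))
}

# make_sample_root DIR: constructed copy of the layout the steps produce,
# with step 1 (a2enmod ssl) deliberately left out.
make_sample_root() {
    c=$1/etc/apache2
    mkdir -p "$c/mods-enabled" "$c/sites-available" "$c/sites-enabled" "$c/ssl"
    printf 'Listen 80\nListen 443\n' > "$c/ports.conf"
    : > "$c/ssl/apache.pem"   # empty placeholder, only readability is checked
    cat > "$c/sites-available/myown-ssl" <<'EOF'
NameVirtualHost *:443
<VirtualHost *:443>
    DocumentRoot /var/www/
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
EOF
    ln -s ../sites-available/myown-ssl "$c/sites-enabled/myown-ssl"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_root "$d"
    check_ssl_setup "$d" || echo "-> $problems problem(s) before a2enmod ssl"
    : > "$d/etc/apache2/mods-enabled/ssl.load"   # stands in for a2enmod ssl
    check_ssl_setup "$d" && echo "-> configuration looks complete"
    rm -rf "$d"
}
demo
```

On a live system, call check_ssl_setup with no argument before restarting Apache.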
Acknowledgement sent to Olaf van der Spek <Olaf@XCC.TMFWeb.NL>:
Extra info received and forwarded to list.
Message #85 received at 267477@bugs.debian.org (full text, mbox, reply):
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
Those two lines aren't necessary.
The first is the default and the second is in ssl.conf already.
> I think this info should appear in /usr/share/doc/apache2
I think /etc/apache2/sites-available/ssl should be provided, eliminating
step 4 and 5.
> 7) exec "/etc/init.d/apache2 restart"
Isn't invoke-rc.d apache2 restart the recommended way?
Acknowledgement sent to Charles Fry <debian@frogcircus.org>:
Extra info received and forwarded to list.
Message #90 received at 267477@bugs.debian.org (full text, mbox, reply):
Package: apache2-common
Version: 2.0.52-3
Followup-For: Bug #267477
The following /etc/apache2/sites-available/ssl is sufficient to get an
HTTPS server running:
# add "Listen 443" to ports.conf
<VirtualHost *:443>
SSLEngine on
# generate with apache2-ssl-certificate
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
As recommended in a separate bug report (sorry, no number yet), there is
no reason (as far as I can tell) that the SSLCertificateFile line
couldn't simply be placed in mods-available/ssl.conf.
Charles
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (90, 'testing'), (80, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages apache2-common depends on:
ii debconf 1.4.30.11 Debian configuration management sy
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii libapr0 2.0.52-3 The Apache Portable Runtime
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-17 Berkeley v4.2 Database Libraries [
ii libexpat1 1.95.8-1 XML parsing C library - runtime li
ii libldap2 2.1.30-3 OpenLDAP libraries
ii libmagic1 4.12-1 File type determination library us
ii libssl0.9.7 0.9.7e-2 SSL shared libraries
ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-10 The NET-3 networking toolkit
ii openssl 0.9.7e-2 Secure Socket Layer (SSL) binary a
ii ssl-cert 1.0-11 Simple debconf wrapper for openssl
ii zlib1g 1:1.2.2-3 compression library - runtime
-- no debconf information
Acknowledgement sent to Omen Wild <dbug2.flibble@mandarb.com>:
Extra info received and forwarded to list.
Message #95 received at 267477@bugs.debian.org (full text, mbox, reply):
I have yet another way to easily set up a SSL server. It is based
heavily on the method by txemi, but I didn't want to duplicate my
default configuration. I wanted my SSL server to be identical to my
normal site, so I pulled the guts of sites-available/default into its
own file, sites-available/common, add 'Include sites-available/common'
and then copy the file to sites-available/ssl. Finally add the SSL
specific parts to the top of ssl.
So, my sites-available/default looks like:
----- Begin sites-available/default -----
NameVirtualHost *:80
<VirtualHost *:80>
Include sites-available/common
</VirtualHost>
----- End sites-available/default -----
sites-available/ssl looks like:
----- Begin sites-available/ssl -----
<IfModule mod_ssl.c>
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Include sites-available/common
</VirtualHost>
</IfModule>
----- End sites-available/ssl -----
This way I don't have to maintain two mostly identical files, and I can
still make SSL/non-SSL specific changes.
Omen
--
T-Shirt saying: Don't let school interfere with your education.
Acknowledgement sent to Olaf van der Spek <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #100 received at 267477@bugs.debian.org (full text, mbox, reply):
> As recommended in a separate bug report (sorry, no number yet), there
> is no reason (as far as I can tell) that the SSLCertificateFile line
> couldn't simply be placed in mods-available/ssl.conf.
When you use multiple SSL/TLS vhosts that'd cause trouble.
--
Olaf van der Spek
http://xccu.sf.net/
Acknowledgement sent to Eduard Bloch <blade@debian.org>:
Extra info received and forwarded to list.
Message #105 received at 267477@bugs.debian.org (full text, mbox, reply):
severity 267477 important
thanks
Come on people, is that really THAT COMPLICATED to add a simple guide to
new admins to enable such base functionality like SSL? Is this Debian or
LFS or why T.F. is a such basic thing so complicated? Even Gentoo guys
managed to solve it in a sane manner, you get correct docs and most
things are already preconfigured. For Debian, there is NOTHING in
README.Debian (or is hidden in some obscure other file that is not easy
to find). Fsck that.
Even howtos like http://www.ianmiller.net/article.php?id=13 do not work
out of the box [1].
Look at Exim4 maintainers. Understandable guides to enable things like
TLS. Simple. Userfriendly. Tested for fresh installations, no falls and
traps. The stuff for SSL setup in Apache2 packages makes me really
pissed.
[1] Reason:
Starting web server: Apache2Syntax error on line 3 of /etc/apache2/sites-enabled/ssl:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration
<following the usual logic> I guess there is some module I need to add
and I remember something about a debconf setup... or so... but where was
it again?! I cannot find it! No hint! No README.Debian.modules or such
thing. That sucks! Should I need to install some doc package? Let me
see... Oh, no hints in apache2-doc, just the pure upstream
documentation, and some examples/*. Does it tell me more about the SSL
setup? NO! Looks like a copy of the default file from the howto above,
something I did before, and that does not work.
And such user-unfriendly crap is to be released as "stable" for the next
three years now? That's one of the moments when I feel ashamed of being
a DD.
Eduard.
PS: And no, I do not smoke at all. My current mood is not influenced by
any kind of drug (except for some caffeine). If you do not believe me,
take an average admin (without much/any apache2 config know-how) and
watch him setting up SSL.
--
When the alarm clock rattles early in the morning, the most beautiful day is ruined.
Severity set to `important'.
Request was from Eduard Bloch <blade@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Acknowledgement sent to Daniel Stone <daniel@fooishbar.org>:
Extra info received and forwarded to list.
Message #112 received at 267477@bugs.debian.org (full text, mbox, reply):
On Mon, Mar 07, 2005 at 11:14:04AM +0100, Eduard Bloch wrote:
> Come on people, is that really THAT COMPLICATED to add a simple guide to
> new admins to enable such base functionality like SSL? Is this Debian or
> LFS or why T.F. is a such basic thing so complicated? Even Gentoo guys
> managed to solve it in a sane manner, you get correct docs and most
> things are already preconfigured. For Debian, there is NOTHING in
> README.Debian (or is hidden in some obscure other file that is not easy
> to find). Fsck that.
> Even howtos like http://www.ianmiller.net/article.php?id=13 do not work
> out of the box [1].
>
> Look at Exim4 maintainers. Understandable guides to enable things like
> TLS. Simple. Userfriendly. Tested for fresh installations, no falls and
> traps. The stuff for SSL setup in Apache2 packages makes me really
> pissed.
Eduard,
While I admire your commitment, the abuse leaves a little to be desired,
and is possibly the worst way to motivate anyone to do anything.
I hope your next comment on this bug is a patch.
Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list.
Message #117 received at 267477@bugs.debian.org (full text, mbox, reply):
#include <hallo.h>
* Daniel Stone [Mon, Mar 07 2005, 09:30:50PM]:
> > Even howtos like http://www.ianmiller.net/article.php?id=13 do not work
> > out of the box [1].
> >
> > Look at Exim4 maintainers. Understandable guides to enable things like
> > TLS. Simple. Userfriendly. Tested for fresh installations, no falls and
> > traps. The stuff for SSL setup in Apache2 packages makes me really
> > pissed.
>
> Eduard,
> While I admire your commitment, the abuse leaves a little to be desired,
> and is possibly the worst way to motivate anyone to do anything.
>
> I hope your next comment on this bug is a patch.
More or less. I suggest putting the contents of:
http://wiki.debian.net/?SubversionApache2SSLHowto
into README.SSL.setup and adding it to the main apache2 package
documentation. When I have more spare time (AFAICS next week), I will
look at how to bring the pieces together to make it more automated.
Regards,
Eduard.
--
<Ganneff> hrmmmmm. woe betide anyone who quotes that out of context
Acknowledgement sent to Olaf van der Spek <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list.
Message #122 received at 267477@bugs.debian.org:
--
Olaf van der Spek
http://xccu.sf.net/
[Apache 2 ssl.txt (text/plain, inline)]
mkdir --mode=750 --parents /var/log/apache2/ssl && apache2-ssl-certificate && a2enmod ssl && a2ensite ssl && invoke-rc.d apache2 reload
/etc/apache2/sites-available/ssl:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName localhost
ServerAlias www.localhost
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
DocumentRoot /var/www/
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
CustomLog /var/log/apache2/ssl/access.log combined
ErrorLog /var/log/apache2/ssl/error.log
LogLevel warn
</VirtualHost>
Acknowledgement sent to Dan Woodard <dan@www2.siri.org>:
Extra info received and forwarded to list.
Message #127 received at 267477@bugs.debian.org:
If I could make a couple of suggestions for the ordinary user,
1. the "IfDefine" and "\IfDefine" tags in the example ssl.conf keep the
SSL virtual host from starting with "apache2ctl start" if SSL isn't
defined. SSL is defined in some cases by the init script but not by
apache2ctl unless a specific command line option is given.
This took a long time for me to figure out. My suggestion would be:
1) apache2ctl and the apache2 init script should by default start the
server in the same configuration, as the init script itself suggests.
2) Please consider dropping the "IfDefine SSL" tag from the example
ssl.conf; those who know how to use command-line options can easily add it
if they need to. Virtual hosts can already be added or disabled by
linking them into sites-enabled. The first-time user should be able to do
basic configuration and run the server without command-line options.
2. The example ssl.conf file contains a "Listen 443" directive before the
virtualhost section, but some of the how-to files suggest adding this
directive to the ports.conf file. If it is present in both places,
apache2ctl configtest gives "OK" but the server fails to fully start.
My suggestion would be to keep the "Listen 443" directives in the
ports.conf file, since that is apparently what the file is for, and have
apache2ctl warn if more than one "Listen 443" directive is present or if
there is a virtual host on 443 but no listen statement. An alternative
would be to simply listen on all ports that have virtual hosts.
Finally, here is my current ssl.conf file: I think it would be helpful to
give a very short but workable example in the hosts-available directory so the
user can get it going.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
#edit the following four lines for your site
<VirtualHost ssl.myhost.org:443>
DocumentRoot "/var/www"
ServerName ssl.myhost.org:443
ServerAdmin me@myhost.org
ErrorLog /var/log/apache2/ssl.error_log
TransferLog /var/log/apache2/ssl.access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#change the following two files to the files in /etc/apache2/ssl
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/1a2d4a6c.0
</VirtualHost>
Finally, a README.ssl file in the /etc/apache2 directory could give the
following steps:
1) create a self-signed certificate and key file in /etc/apache2/ssl
2) add "Listen 443" to "ports.conf"
3) edit the /etc/hosts/available/ssl.conf file (noting that one can
either use the same hostname for https or a different virtual hostname).
4) enable the ssl virtual host by linking it to /etc/apache2/hosts-enabled
5) restart apache2 with apache2ctl configtest; apache2ctl restart
This is great software; I just want to save time for the many people who
use Debian.
Respectfully,
Dan Woodard
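A check of the kind suggested in message #127, as an added example (not part of the thread or of the apache2 package): it scans configuration text for a port bound by more than one Listen, for a VirtualHost on a port nothing listens on, and for virtual hosts switched off by a false IfDefine. The file contents in SAMPLE and the finding names are constructed for illustration.

```python
import re
from collections import defaultdict

LISTEN = re.compile(r"^\s*Listen\s+(\S+)", re.I)
VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
IFDEF_OPEN = re.compile(r"^\s*<IfDefine\s+(!?)([^>\s]+)\s*>", re.I)
IFDEF_CLOSE = re.compile(r"^\s*</IfDefine\s*>", re.I)
WILDCARD = {"", "0.0.0.0", "[::]"}  # Listen addresses that bind every interface


def split_addr(value):
    """Split '443', '*:443', 'host:443' or '[::1]:443' into (address, port)."""
    addr, _, port = value.rpartition(":")
    if port.isdigit():
        return addr, int(port)
    return value, None  # e.g. a bare '*' or a host name without a port


def scan(files, defines=frozenset()):
    """Collect the Listen and <VirtualHost> directives active for the given
    -D defines, plus the vhosts skipped because an <IfDefine> is false."""
    listens, vhosts, skipped = [], [], []
    for name, text in files.items():
        stack = []  # one bool per open <IfDefine>: is that block active?
        for lineno, line in enumerate(text.splitlines(), 1):
            where = f"{name}:{lineno}"
            m = IFDEF_OPEN.match(line)
            if m:
                stack.append((m.group(2) in defines) != (m.group(1) == "!"))
            elif IFDEF_CLOSE.match(line):
                if stack:
                    stack.pop()
            elif (m := VHOST.match(line)):
                bucket = vhosts if all(stack) else skipped
                for target in m.group(1).split():
                    bucket.append((*split_addr(target), where))
            elif all(stack) and (m := LISTEN.match(line)):
                listens.append((*split_addr(m.group(1)), where))
    return listens, vhosts, skipped


def lint(files, defines=frozenset()):
    """Return (finding, port, location) tuples for the three conditions."""
    listens, vhosts, skipped = scan(files, defines)
    by_port = defaultdict(list)
    for addr, port, where in listens:
        if port is not None:
            by_port[port].append((addr, where))
    findings = []
    for port, entries in sorted(by_port.items()):
        for i, (a1, w1) in enumerate(entries):
            for a2, w2 in entries[i + 1:]:
                # Same address, or one side binds all addresses: second bind fails.
                if a1 == a2 or a1 in WILDCARD or a2 in WILDCARD:
                    findings.append(("DUPLICATE_LISTEN", port, f"{w1} and {w2}"))
    for _, port, where in vhosts:
        if port is not None and port not in by_port:
            findings.append(("VHOST_WITHOUT_LISTEN", port, where))
    for _, port, where in skipped:
        findings.append(("VHOST_SKIPPED_BY_IFDEFINE", port, where))
    return findings


# Constructed sample modelled on the report: "Listen 443" sits both in
# ports.conf and in an ssl.conf that is wrapped in <IfDefine SSL>.
SAMPLE = {
    "ports.conf": "Listen 80\nListen 443\n",
    "sites-enabled/ssl.conf": """\
<IfDefine SSL>
Listen 443
<VirtualHost ssl.myhost.org:443>
    ServerName ssl.myhost.org:443
    SSLEngine on
</VirtualHost>
</IfDefine>
""",
}

if __name__ == "__main__":
    for defines in (frozenset(), frozenset({"SSL"})):
        print("defines:", sorted(defines))
        for finding in lint(SAMPLE, defines):
            print("   ", finding)
```

Run with and without the SSL define, the same files give two different results, which is the init-script versus apache2ctl difference described in the message.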
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list.
Message #132 received at 267477@bugs.debian.org:
Hi,
I have created yet another default SSL configuration for this bug.
With this one it is possible to enable the default SSL site just with
"a2enmod ssl" (plus creation of a certificate). It does this by
including a default.common file twice into the
sites-available/default file, once inside a *:80 and once inside a
*:443 virtualhost and using <IfModule mod_ssl.c> in the appropriate
places.
Notes:
- Since ports.conf is not a conffile, upgraders need to change this by
hand.
- Since the virtualhost in sites-available/default is now *:80, a hint
is added to ports.conf that the virtualhost directives have to be
changed as well when changing ports.
- A reasonable SSL default configuration should only allow safe
ciphers, therefore I have changed mods-available/ssl.conf. People
needing cipher upgrades via SGC will know how to change it back.
Cheers,
Stefan
[apache2.267477.patch (text/x-diff, attachment)]
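The SSLCipherSuite string posted in message #127, evaluated against a small model of OpenSSL's cipher-string operators, as an added example (not code from the thread or the package): a leading "+" only moves suites to the end of the preference list, so the SSLv2, LOW and EXP suites pulled in by ALL stay enabled. The suite table and the STRICTER string are constructed and simplified; ALL excluding eNULL follows the current ciphers(1) manual.

```python
import re

# Constructed, simplified sample of suites; each maps to the OpenSSL keywords
# (aliases) that select it. A real build's table is much larger.
SUITES = {
    "DHE-RSA-AES256-SHA":  {"SSLv3", "HIGH", "RSA", "AES"},
    "AES128-SHA":          {"SSLv3", "HIGH", "RSA", "AES"},
    "ADH-AES256-SHA":      {"SSLv3", "HIGH", "ADH", "aNULL", "AES"},
    "RC4-SHA":             {"SSLv3", "MEDIUM", "RSA", "RC4"},
    "DES-CBC-SHA":         {"SSLv3", "LOW", "RSA", "DES"},
    "EXP-RC4-MD5":         {"SSLv3", "EXP", "EXPORT", "EXPORT40", "RSA", "RC4"},
    "EXP1024-DES-CBC-SHA": {"SSLv3", "EXP", "EXPORT", "EXPORT56", "RSA", "DES"},
    "DES-CBC3-MD5":        {"SSLv2", "HIGH", "RSA", "3DES"},
    "RC2-CBC-MD5":         {"SSLv2", "MEDIUM", "RSA", "RC2"},
    "NULL-SHA":            {"SSLv3", "eNULL", "NULL", "RSA"},
}
WEAK = {"SSLv2", "EXP", "LOW", "eNULL", "aNULL"}

# The string from the ssl.conf posted in the thread.
POSTED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Constructed for comparison; not taken from the thread or the package.
STRICTER = "HIGH:MEDIUM:!ADH:!SSLv2"


def selectors(name, tags):
    """Keywords that select a suite: its tags, its own name, and ALL unless
    it is an eNULL suite (ALL leaves those out)."""
    return tags | {name} | (set() if "eNULL" in tags else {"ALL"})


def evaluate(cipher_string, suites=SUITES):
    """Return the ordered list of enabled suites for a cipher string."""
    enabled, killed = [], set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue  # @STRENGTH-style sorting is outside this model
        op = token[0] if token[0] in "!-+" else ""
        wanted = set(token[len(op):].split("+"))  # inner "+" is a logical AND
        matching = [n for n, t in suites.items() if wanted <= selectors(n, t)]
        if op == "!":    # delete permanently: later tokens cannot re-add
            killed.update(matching)
            enabled = [n for n in enabled if n not in matching]
        elif op == "-":  # delete, but a later token may add again
            enabled = [n for n in enabled if n not in matching]
        elif op == "+":  # move already-enabled matches to the end; adds nothing
            moved = [n for n in enabled if n in matching]
            enabled = [n for n in enabled if n not in matching] + moved
        else:            # append matches that are neither present nor killed
            enabled += [n for n in matching
                        if n not in enabled and n not in killed]
    return enabled


def weak_enabled(cipher_string, suites=SUITES):
    """Map each enabled weak suite to the weak keywords it carries."""
    return {n: sorted(suites[n] & WEAK)
            for n in evaluate(cipher_string, suites) if suites[n] & WEAK}


if __name__ == "__main__":
    for label, string in (("posted", POSTED), ("stricter", STRICTER)):
        print(label, "->", evaluate(string))
        print("   weak suites still enabled:", weak_enabled(string))
```

On a real host, `openssl ciphers -v` followed by the quoted string lists what the installed OpenSSL actually enables for it.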
Acknowledgement sent to Olivier Berger <olivier.berger@int-evry.fr>:
Extra info received and forwarded to list.
Message #137 received at 267477@bugs.debian.org:
Hi.
I've been struggling also with SSL configuration for HTTPS in apache
2.2...
Maybe it would be great to have some default conf propose
(commented-out) the optional setting of the option of mod-ssl :
SSLOptions StdEnvVars
for CGI programs (like Sympa's WWSympa), which won't work the right way
without it (relying on SSL_PROTOCOL variable which may not be set by
default, without this option).
Hope this helps.
Best regards,
--
Olivier BERGER <olivier.berger@int-evry.fr>
Ingénieur Recherche - Dept INF
INT Evry (http://www.int-evry.fr)
OpenPGP-Id: 1024D/6B829EEC
Blocking bugs of 421802 added: 267477
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org.
(Sat, 21 Jul 2007 22:51:11 GMT) (full text, mbox, link).
Acknowledgement sent to Maybach Admin <maybachadmin@maybach.freewayprojects.com>:
Extra info received and forwarded to list.
Message #144 received at 267477@bugs.debian.org:
I agree that it should be easier to get Apache2 working over SSL.
These are what I would suggest to be the steps needed to enable Apache2
over SSL.
Create the certificate...
# apache2-ssl-certificate
Enable the SSL mod...
# a2enmod ssl
Enable the default SSL site
# a2ensite default-ssl
These steps should be in the default Apache2 README Debian file. I feel
that these are reasonable steps for an admin to carry out. Obviously
the certificate could be changed at a later date.
Now to get Apache2 to use SSL on the current Etch we have to create a
couple of files and directories - I've pasted my twiki style notes for
getting SSL to work on Apache2 at the end of this email.
Note - my method adds a new site to the default site which listens on
443 - I would propose that a better way would be to create a site called
default-ssl and this site is enabled by the a2ensite command. Also, my
method has GB for the locale - obviously this should be changed by the
install script to the user's locale.
These are my notes for getting SSL to work with the current version of
Apache2 on Etch...
-------------------------8<-------------------------------
---+++ Setting up Apache2 to use ssl
The following instructions were used to run ssl on a standard Etch install.
Etch does not have the directory /etc/apache2/ssl
This needs to be created with ownership and permissions of
drwxr-xr-x root root
Etch also needs the script /usr/sbin/apache2-ssl-certificate created
with ownership root:root and permissions of 766.
The contents of this file should be
<verbatim>
#!/bin/sh -e
if [ "$1" != "--force" -a -f /etc/apache2/ssl/apache.pem ]; then
echo "/etc/apache2/ssl/apache.pem exists! Use \"$0 --force.\""
exit 0
fi
if [ "$1" = "--force" ]; then
shift
fi
echo
echo creating selfsigned certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo enter your ServerName at the Common Name prompt
echo
echo If you want your certificate to expire after x days call this programm
echo with "-days x"
# use special .cnf, because with normal one no valid selfsigned
# certificate is created
export RANDFILE=/dev/random
openssl req "$@" -config /usr/share/apache2/ssleay.cnf \
-new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
-keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
ln -sf /etc/apache2/ssl/apache.pem \
/etc/apache2/ssl/`/usr/bin/openssl \
x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0
</verbatim>
Etch also needs to have the file /usr/share/apache2/ssleay.cnf which
should have ownership of root:root and permissions of 644
The contents of this file should be
<verbatim>
#
# SSLeay example configuration file.
#
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company; recommended)
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
</verbatim>
The rest of the instructions are:
run
<verbatim>
# apache2-ssl-certificate
</verbatim>
and respond to the prompts to create the certificate.
run
<verbatim>
# a2enmod ssl
</verbatim>
to enable the ssl mod
then run
<verbatim>
# /etc/init.d/apache2 force-reload
</verbatim>
as asked.
Edit /etc/apache2/ports.conf and add a new line
Listen 443
Make sure a new line character has been added after this line. This may
not be needed but better to be safe.
Then modified /etc/apache2/sites-available/default to basically add the
ssl site to the default setup.
The original block is copied and the port numbers added but it is
important to add the lines
<verbatim>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</verbatim>
to the second section.
This configuration basically means that the original site will be served
up over ssl (i.e. https)
This is the new /etc/apache2/sites-available/default file:
<verbatim>
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
# Added to enable ssl.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
</verbatim>
Then restarted the Apache server with
<verbatim>
# apache2ctl graceful
</verbatim>
The default page was then available at
http://server.example.com
and
https://server.example.com
-------------------------8<-------------------------------
Hope my notes help towards a satisfactory resolution of this bug.
Kev
Blocking bugs of 446765 added: 267477
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org.
(Thu, 25 Oct 2007 20:57:04 GMT) (full text, mbox, link).
Acknowledgement sent to "Adam Sommer" <asommer70@gmail.com>:
Extra info received and forwarded to list.
Message #151 received at 267477@bugs.debian.org:
Hello,
Attached is a debdiff for apache2_2.2.6 that uses the snakeoil certificate
and key generated by the ssl-cert package. I tested this in a sid chroot
environment and it worked fine. There are definitely multiple ways of
accomplishing this, so if adjustments are needed please let me know.
Also, I'm not 100% sure how this fits in with Debian's policies since this
patch will configure Apache to listen on another port, so any pointers to
more docs on the subject are greatly appreciated as well.
--
Party On,
Adam
[apache2_2.2.6-4.debdiff (application/octet-stream, attachment)]
Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
Extra info received and forwarded to list.
Message #156 received at 267477@bugs.debian.org:
On Wednesday 09 January 2008, Adam Sommer wrote:
> Attached is a debdiff for apache2_2.2.6 that uses the snakeoil
> certificate and key generated by the ssl-cert package. I tested
> this in a sid chroot environment and it worked fine. There are
> definitely multiple ways of accomplishing this, so if adjustments
> are needed please let me know.
For a reasonable default configuration, most directives in the *:80
virtualhost would have to be copied into the ssl virtual host.
But I am also not comfortable using *:443 for ssl, because * is for
NameVirtualHosts and ssl does not support name-based virtualhosts
(yet). _default_:443 would be more appropriate.
On the other hand, support for SSL Server Name Indication will
hopefully come in one of the next apache 2.2 releases. I think I will
just wait with a ssl default configuration until apache supports SNI.
Cheers,
Stefan
Acknowledgement sent to "Adam Sommer" <asommer70@gmail.com>:
Extra info received and forwarded to list.
Message #161 received at 267477@bugs.debian.org:
Hello,
> On the other hand, support for SSL Server Name Indication will
> hopefully come in one of the next apache 2.2 releases. I think I will
> just wait with a ssl default configuration until apache supports SNI.
>
>
Sounds reasonable to me. I appreciate your reply.
--
Party On,
Adam
Tags added: pending
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org.
(Sat, 28 Jun 2008 13:33:04 GMT) (full text, mbox, link).
Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to txemi <txemi2@euskalnet.net>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #168 received at 267477-close@bugs.debian.org (full text, mbox, reply):
Source: apache2
Source-Version: 2.2.9-3
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-dbg_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-dbg_2.2.9-3_i386.deb
apache2-doc_2.2.9-3_all.deb
to pool/main/a/apache2/apache2-doc_2.2.9-3_all.deb
apache2-mpm-event_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.9-3_i386.deb
apache2-mpm-prefork_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.9-3_i386.deb
apache2-mpm-worker_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.9-3_i386.deb
apache2-prefork-dev_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.9-3_i386.deb
apache2-src_2.2.9-3_all.deb
to pool/main/a/apache2/apache2-src_2.2.9-3_all.deb
apache2-suexec-custom_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-suexec-custom_2.2.9-3_i386.deb
apache2-suexec_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-suexec_2.2.9-3_i386.deb
apache2-threaded-dev_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.9-3_i386.deb
apache2-utils_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.9-3_i386.deb
apache2.2-common_2.2.9-3_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.9-3_i386.deb
apache2_2.2.9-3.diff.gz
to pool/main/a/apache2/apache2_2.2.9-3.diff.gz
apache2_2.2.9-3.dsc
to pool/main/a/apache2/apache2_2.2.9-3.dsc
apache2_2.2.9-3_all.deb
to pool/main/a/apache2/apache2_2.2.9-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 267477@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 02 Jul 2008 10:15:57 +0200
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-src - Apache source code
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-common - Apache HTTP Server common files
Closes: 260063 267477 293469 293519 293524 314606 395823 398520 421802 446765 450831 457708 473982 486286 488821
Changes:
apache2 (2.2.9-3) unstable; urgency=low
.
[ Stefan Fritsch ]
* Move NameVirtualHost directive to ports.conf and switch from "*" to
"*:80". (Closes: #314606, #486286)
* Comment out the CacheEnable line in disk_cache.conf. It would have caused
problems with Etch to Lenny upgrades.
* Change the minimum user id for suexec back to 100, the new value of 1000
was too disruptive for existing configurations. (Closes: #488821)
* Add a default SSL virtual host. (Closes: #267477)
- Use snakeoil certificate by default (if ssl-cert is installed).
(Closes: #293524, #446765)
- Document this in README.Debian.
(Closes: #293469, #293519, #398520, #395823)
- Add MSIE workarounds. (Closes: #421802)
- Add ssl-cert to Recommends.
* Add a new config file /etc/apache2/conf.d/security with some vaguely
security related directives. (Closes: #260063)
* Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the
home directories.
* Disable SSLv2 by default. It is insecure. Also only enable ciphers with
key lengths of at least 128 bit.
* Make the init script complain about a missing $APACHE_PID_FILE during
"start", too, and not only during "stop" or "restart". This makes it more
obvious that /etc/apache2/envvars has to be updated. (Closes: #473982)
* Add hint about the "..., using 127.0.0.1 for ServerName" warning to
README.Debian. (Closes: #457708)
* Add hint about the "could not create rewrite_log_lock" error message to
README.Debian. (Closes: #450831)
* Remove empty dir from apache2-doc to fix Lintian warning.
* Always pass -g to gcc instead of relying on dpkg-buildpackage to set
CFLAGS. We always want the debug info for the apache2-dbg package.
.
[ Ryan Niebur ]
* Upgraded to policy 3.8.0
- added support for noopt in DEB_BUILD_OPTIONS
- added a README.source
- added support for parallel in DEB_BUILD_OPTIONS
* Dropped XS- from the Vcs fields in control
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 31 Jul 2008 07:36:56 GMT) (full text, mbox, link).
Last modified:
Thu Jan 11 09:57:05 2018;