diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-default-port-worker.patch b/SOURCES/httpd-2.4.6-default-port-worker.patch
new file mode 100644
index 0000000..25315e2
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-default-port-worker.patch
@@ -0,0 +1,13 @@
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index e672e4a..8be833a 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -3557,6 +3557,8 @@ static proxy_schemes_t pschemes[] =
+     {"fcgi",     8000},
+     {"ajp",      AJP13_DEF_PORT},
+     {"scgi",     4000},
++    {"ws",       80},
++    {"wss",      443},
+     { NULL, 0xFFFF }     /* unknown port */
+ };
+ 
diff --git a/SOURCES/httpd-2.4.6-mpm-segfault.patch b/SOURCES/httpd-2.4.6-mpm-segfault.patch
index d42be44..55a6d08 100644
--- a/SOURCES/httpd-2.4.6-mpm-segfault.patch
+++ b/SOURCES/httpd-2.4.6-mpm-segfault.patch
@@ -8,3 +8,14 @@
  
      if (one_process) {
          /* not worth thinking about */
+
+--- a/server/mpm/worker/worker.c
++++ b/server/mpm/worker/worker.c
+@@ -1902,6 +1902,7 @@ static int worker_run(apr_pool_t *_pconf, apr_pool_t *plog, server_rec *s)
+ 
+     /* we've been told to restart */
+     apr_signal(SIGHUP, SIG_IGN);
++    apr_signal(AP_SIG_GRACEFUL, SIG_IGN);
+ 
+     if (one_process) {
+         /* not worth thinking about */
diff --git a/SOURCES/httpd-2.4.6-r1515372.patch b/SOURCES/httpd-2.4.6-r1515372.patch
new file mode 100644
index 0000000..dc782ac
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1515372.patch
@@ -0,0 +1,11 @@
+--- a/modules/ldap/util_ldap_cache.c 2013/08/19 11:41:29 1515371
++++ b/modules/ldap/util_ldap_cache.c 2013/08/19 11:45:19 1515372
+@@ -52,7 +52,7 @@
+ 
+     if (node) {
+         if (!(node->url = util_ald_strdup(cache, n->url))) {
+-            util_ald_free(cache, node->url);
++            util_ald_free(cache, node);
+             return NULL;
+         }
+         node->search_cache = n->search_cache;
diff --git a/SOURCES/httpd-2.4.6-r1555539.patch b/SOURCES/httpd-2.4.6-r1555539.patch
new file mode 100644
index 0000000..414d127
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1555539.patch
@@ -0,0 +1,265 @@
+diff --git a/docs/manual/expr.html.en b/docs/manual/expr.html.en
+index 5c3ae45..8bd941a 100644
+--- a/docs/manual/expr.html.en
++++ b/docs/manual/expr.html.en
+@@ -46,7 +46,7 @@
+ <li><img alt="" src="./images/down.gif" /> <a href="#other">Other</a></li>
+ <li><img alt="" src="./images/down.gif" /> <a href="#sslrequire">Comparison with SSLRequire</a></li>
+ <li><img alt="" src="./images/down.gif" /> <a href="#compatibility">Version History</a></li>
+-</ul><h3>See also</h3><ul class="seealso"><li><code class="directive"><a href="./mod/core.html#if">&lt;If&gt;</a></code></li><li><code class="directive"><a href="./mod/core.html#elseif">&lt;ElseIf&gt;</a></code></li><li><code class="directive"><a href="./mod/core.html#else">&lt;Else&gt;</a></code></li><li><code class="directive"><a href="./mod/mod_auth_basic.html#authbasicfake">AuthBasicFake</a></code></li><li><code class="directive"><a href="./mod/mod_auth_form.html#authformloginrequiredlocation">AuthFormLoginRequiredLocation</a></code></li><li><code class="directive"><a href="./mod/mod_auth_form.html#authformloginsuccesslocation">AuthFormLoginSuccessLocation</a></code></li><li><code class="directive"><a href="./mod/mod_auth_form.html#authformlogoutlocation">AuthFormLogoutLocation</a></code></li><li><code class="directive"><a href="./mod/mod_rewrite.html#rewritecond">RewriteCond</a></code></li><li><code class="directive"><a href="./mod/mod_setenvif.html#setenvifexpr">SetEnvIfExpr</a></code></li><li><code class="directive"><a href="./mod/mod_headers.html#header">Header</a></code></li><li><code class="directive"><a href="./mod/mod_headers.html#requestheader">RequestHeader</a></code></li><li><code class="directive"><a href="./mod/mod_filter.html#filterprovider">FilterProvider</a></code></li><li><a href="mod/mod_authz_core.html#reqexpr">Require expr</a></li><li><code class="directive"><a href="./mod/mod_ssl.html#sslrequire">SSLRequire</a></code></li><li><code class="directive"><a href="./mod/mod_log_debug.html#logmessage">LogMessage</a></code></li><li><code class="module"><a href="./mod/mod_include.html">mod_include</a></code></li></ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
++</ul><h3>See also</h3><ul class="seealso"><li><code class="directive"><a href="./mod/core.html#if">&lt;If&gt;</a></code></li><li><code class="directive"><a href="./mod/core.html#elseif">&lt;ElseIf&gt;</a></code></li><li><code class="directive"><a href="./mod/core.html#else">&lt;Else&gt;</a></code></li><li><code class="directive"><a href="./mod/mod_auth_basic.html#authbasicfake">AuthBasicFake</a></code></li><li><code class="directive"><a href="./mod/mod_auth_form.html#authformloginrequiredlocation">AuthFormLoginRequiredLocation</a></code></li><li><code class="directive"><a href="./mod/mod_auth_form.html#authformloginsuccesslocation">AuthFormLoginSuccessLocation</a></code></li><li><code class="directive"><a href="./mod/mod_auth_form.html#authformlogoutlocation">AuthFormLogoutLocation</a></code></li><li><code class="directive"><a href="./mod/mod_rewrite.html#rewritecond">RewriteCond</a></code></li><li><code class="directive"><a href="./mod/mod_setenvif.html#setenvifexpr">SetEnvIfExpr</a></code></li><li><code class="directive"><a href="./mod/mod_headers.html#header">Header</a></code></li><li><code class="directive"><a href="./mod/mod_headers.html#requestheader">RequestHeader</a></code></li><li><code class="directive"><a href="./mod/mod_filter.html#filterprovider">FilterProvider</a></code></li><li><a href="mod/mod_authz_core.html#reqexpr">Require expr</a></li><li><code class="directive"><a href="mod/mod_authnz_ldap.html#requser">Require ldap-user</a></code></li><li><code class="directive"><a href="mod/mod_authnz_ldap.html#reqgroup">Require ldap-group</a></code></li><li><code class="directive"><a href="mod/mod_authnz_ldap.html#reqdn">Require ldap-dn</a></code></li><li><code class="directive"><a href="mod/mod_authnz_ldap.html#reqattribute">Require ldap-attribute</a></code></li><li><code class="directive"><a href="mod/mod_authnz_ldap.html#reqfilter">Require ldap-filter</a></code></li><li><code class="directive"><a href="./mod/mod_ssl.html#sslrequire">SSLRequire</a></code></li><li><code class="directive"><a href="./mod/mod_log_debug.html#logmessage">LogMessage</a></code></li><li><code class="module"><a href="./mod/mod_include.html">mod_include</a></code></li></ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+ <div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+ <div class="section">
+ <h2><a name="grammar" id="grammar">Grammar in Backus-Naur Form notation</a></h2>
+diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
+index 7199052..c86dc8a 100644
+--- a/docs/manual/mod/mod_authnz_ldap.html.en
++++ b/docs/manual/mod/mod_authnz_ldap.html.en
+@@ -350,6 +350,9 @@ for HTTP Basic authentication.</td></tr>
+     <code>ldap-filter</code>.  Other authorization types may also be
+     used but may require that additional authorization modules be loaded.</p>
+ 
++    <p>Since v2.5.0, <a href="../expr.html">expressions</a> are supported
++    within the LDAP require directives.</p>
++
+ <h3><a name="requser" id="requser">Require ldap-user</a></h3>
+ 
+     <p>The <code>Require ldap-user</code> directive specifies what
+@@ -576,6 +579,16 @@ Require ldap-group cn=Administrators, o=Example
+       </li>
+ 
+       <li>
++        Grant access to anybody in the group whose name matches the
++        hostname of the virtual host. In this example an
++        <a href="../expr.html">expression</a> is used to build the filter.
++<highlight language="config">
++AuthLDAPURL ldap://ldap.example.com/o=Example?uid
++Require ldap-group cn=%{SERVER_NAME}, o=Example
++</highlight>
++      </li>
++
++      <li>
+         The next example assumes that everyone at Example who
+         carries an alphanumeric pager will have an LDAP attribute
+         of <code>qpagePagerID</code>. The example will grant access
+diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
+index 2c25dbc..063debe 100644
+--- a/modules/aaa/mod_authnz_ldap.c
++++ b/modules/aaa/mod_authnz_ldap.c
+@@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r,
+ 
+     util_ldap_connection_t *ldc = NULL;
+ 
++    const char *err = NULL;
++    const ap_expr_info_t *expr = parsed_require_args;
++    const char *require;
++
+     const char *t;
+     char *w;
+ 
+@@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r,
+         return AUTHZ_DENIED;
+     }
+ 
++    require = ap_expr_str_exec(r, expr, &err);
++    if (err) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
++                      "auth_ldap authorize: require user: Can't evaluate expression: %s",
++                      err);
++        return AUTHZ_DENIED;
++    }
++
+     /*
+      * First do a whole-line compare, in case it's something like
+      *   require user Babs Jensen
+      */
+-    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
++    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);
+     switch(result) {
+         case LDAP_COMPARE_TRUE: {
+             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
+@@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r,
+     /*
+      * Now break apart the line and compare each word on it
+      */
+-    t = require_args;
++    t = require;
+     while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+         result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
+         switch(result) {
+@@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
+ 
+     util_ldap_connection_t *ldc = NULL;
+ 
++    const char *err = NULL;
++    const ap_expr_info_t *expr = parsed_require_args;
++    const char *require;
++
+     const char *t;
+ 
+     char filtbuf[FILTER_LENGTH];
+@@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
+         }
+     }
+ 
+-    t = require_args;
++    require = ap_expr_str_exec(r, expr, &err);
++    if (err) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
++                      "auth_ldap authorize: require group: Can't evaluate expression: %s",
++                      err);
++        return AUTHZ_DENIED;
++    }
++
++    t = require;
+ 
+     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
+                   "auth_ldap authorize: require group: testing for group "
+@@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r,
+ 
+     util_ldap_connection_t *ldc = NULL;
+ 
++    const char *err = NULL;
++    const ap_expr_info_t *expr = parsed_require_args;
++    const char *require;
++
+     const char *t;
+ 
+     char filtbuf[FILTER_LENGTH];
+@@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r,
+         req->user = r->user;
+     }
+ 
+-    t = require_args;
++    require = ap_expr_str_exec(r, expr, &err);
++    if (err) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
++                      "auth_ldap authorize: require dn: Can't evaluate expression: %s",
++                      err);
++        return AUTHZ_DENIED;
++    }
++
++    t = require;
+ 
+     if (req->dn == NULL || strlen(req->dn) == 0) {
+         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
+@@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
+ 
+     util_ldap_connection_t *ldc = NULL;
+ 
++    const char *err = NULL;
++    const ap_expr_info_t *expr = parsed_require_args;
++    const char *require;
++
+     const char *t;
+     char *w, *value;
+ 
+@@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
+         return AUTHZ_DENIED;
+     }
+ 
+-    t = require_args;
++    require = ap_expr_str_exec(r, expr, &err);
++    if (err) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
++                      "auth_ldap authorize: require ldap-attribute: Can't "
++                      "evaluate expression: %s", err);
++        return AUTHZ_DENIED;
++    }
++
++    t = require;
++
+     while (t[0]) {
+         w = ap_getword(r->pool, &t, '=');
+         value = ap_getword_conf(r->pool, &t);
+@@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
+         (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+ 
+     util_ldap_connection_t *ldc = NULL;
++
++    const char *err = NULL;
++    const ap_expr_info_t *expr = parsed_require_args;
++    const char *require;
++
+     const char *t;
+ 
+     char filtbuf[FILTER_LENGTH];
+@@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
+         return AUTHZ_DENIED;
+     }
+ 
+-    t = require_args;
++    require = ap_expr_str_exec(r, expr, &err);
++    if (err) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
++                      "auth_ldap authorize: require ldap-filter: Can't "
++                      "evaluate require expression: %s", err);
++        return AUTHZ_DENIED;
++    }
++
++    t = require;
+ 
+     if (t[0]) {
+         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
+@@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
+     return AUTHZ_DENIED;
+ }
+ 
++static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
++                                     const void **parsed_require_line)
++{
++    const char *expr_err = NULL;
++    ap_expr_info_t *expr;
++
++    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
++            &expr_err, NULL);
++
++    if (expr_err)
++        return apr_pstrcat(cmd->temp_pool,
++                           "Cannot parse expression in require line: ",
++                           expr_err, NULL);
++
++    *parsed_require_line = expr;
++
++    return NULL;
++}
++
+ 
+ /*
+  * Use the ldap url parsing routines to break up the ldap url into
+@@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider =
+ static const authz_provider authz_ldapuser_provider =
+ {
+     &ldapuser_check_authorization,
+-    NULL,
++    &ldap_parse_config,
+ };
+ static const authz_provider authz_ldapgroup_provider =
+ {
+     &ldapgroup_check_authorization,
+-    NULL,
++    &ldap_parse_config,
+ };
+ 
+ static const authz_provider authz_ldapdn_provider =
+ {
+     &ldapdn_check_authorization,
+-    NULL,
++    &ldap_parse_config,
+ };
+ 
+ static const authz_provider authz_ldapattribute_provider =
+ {
+     &ldapattribute_check_authorization,
+-    NULL,
++    &ldap_parse_config,
+ };
+ 
+ static const authz_provider authz_ldapfilter_provider =
+ {
+     &ldapfilter_check_authorization,
+-    NULL,
++    &ldap_parse_config,
+ };
+ 
+ static void ImportULDAPOptFn(void)
diff --git a/SOURCES/httpd-2.4.6-r1737363.patch b/SOURCES/httpd-2.4.6-r1737363.patch
new file mode 100644
index 0000000..90d3101
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1737363.patch
@@ -0,0 +1,26 @@
+# ./pullrev.sh 1737363
+http://svn.apache.org/viewvc?view=revision&revision=1737363
+
+--- httpd-2.4.6/modules/proxy/mod_proxy_express.c
++++ httpd-2.4.6/modules/proxy/mod_proxy_express.c
+@@ -145,16 +145,14 @@
+     key.dsize = strlen(key.dptr);
+ 
+     rv = apr_dbm_fetch(db, key, &val);
++    if (rv == APR_SUCCESS) {
++        backend = apr_pstrmemdup(r->pool, val.dptr, val.dsize);
++    }
+     apr_dbm_close(db);
+-    if (rv != APR_SUCCESS) {
++    if (rv != APR_SUCCESS || !backend) {
+         return DECLINED;
+     }
+ 
+-    backend = apr_pstrmemdup(r->pool, val.dptr, val.dsize);
+-    if (!backend) {
+-        return DECLINED;
+-    }
+-
+     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01004)
+                   "proxy_express: found %s -> %s", name, backend);
+     r->filename = apr_pstrcat(r->pool, "proxy:", backend, r->uri, NULL);
diff --git a/SOURCES/httpd-2.4.6-r1824872.patch b/SOURCES/httpd-2.4.6-r1824872.patch
new file mode 100644
index 0000000..2cec77f
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1824872.patch
@@ -0,0 +1,25 @@
+--- a/modules/ldap/util_ldap.c 2018/02/20 13:00:39 1824871
++++ b/modules/ldap/util_ldap.c 2018/02/20 13:02:54 1824872
+@@ -2858,7 +2858,6 @@
+     st->search_cache_size = base->search_cache_size;
+     st->compare_cache_ttl = base->compare_cache_ttl;
+     st->compare_cache_size = base->compare_cache_size;
+-    st->util_ldap_cache_lock = base->util_ldap_cache_lock;
+ 
+     st->connections = NULL;
+     st->ssl_supported = 0; /* not known until post-config and re-merged */
+@@ -2977,12 +2976,12 @@
+             st_vhost = (util_ldap_state_t *)
+                        ap_get_module_config(s_vhost->module_config,
+                                             &ldap_module);
+-
++            st_vhost->util_ldap_cache = st->util_ldap_cache;
++            st_vhost->util_ldap_cache_lock = st->util_ldap_cache_lock;
+ #if APR_HAS_SHARED_MEMORY
+             st_vhost->cache_shm = st->cache_shm;
+             st_vhost->cache_rmm = st->cache_rmm;
+             st_vhost->cache_file = st->cache_file;
+-            st_vhost->util_ldap_cache = st->util_ldap_cache;
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, result, s, APLOGNO(01316)
+                          "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp "
+                          "for VHOST: %s", st->cache_shm, st->cache_rmm,
diff --git a/SOURCES/httpd-2.4.6-r1825120.patch b/SOURCES/httpd-2.4.6-r1825120.patch
new file mode 100644
index 0000000..f490839
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1825120.patch
@@ -0,0 +1,96 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 57b76c0..814ec4f 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1522,70 +1522,18 @@ void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_poo
+     }
+ }
+ 
+-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
+-                                           const X509_NAME * const *b)
+-{
+-    return(X509_NAME_cmp(*a, *b));
+-}
+-
+-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
+-                                server_rec *s, apr_pool_t *ptemp,
+-                                const char *file)
+-{
+-    int n;
+-    STACK_OF(X509_NAME) *sk;
+-
+-    sk = (STACK_OF(X509_NAME) *)
+-             SSL_load_client_CA_file(file);
+-
+-    if (!sk) {
+-        return;
+-    }
+-
+-    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
+-        X509_NAME *name = sk_X509_NAME_value(sk, n);
+-
+-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
+-                     "CA certificate: %s",
+-                     SSL_X509_NAME_to_string(ptemp, name, 0));
+-
+-        /*
+-         * note that SSL_load_client_CA_file() checks for duplicates,
+-         * but since we call it multiple times when reading a directory
+-         * we must also check for duplicates ourselves.
+-         */
+-
+-        if (sk_X509_NAME_find(ca_list, name) < 0) {
+-            /* this will be freed when ca_list is */
+-            sk_X509_NAME_push(ca_list, name);
+-        }
+-        else {
+-            /* need to free this ourselves, else it will leak */
+-            X509_NAME_free(name);
+-        }
+-    }
+-
+-    sk_X509_NAME_free(sk);
+-}
+-
+ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+                                          apr_pool_t *ptemp,
+                                          const char *ca_file,
+                                          const char *ca_path)
+ {
+-    STACK_OF(X509_NAME) *ca_list;
+-
+-    /*
+-     * Start with a empty stack/list where new
+-     * entries get added in sorted order.
+-     */
+-    ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
++    STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
+ 
+     /*
+      * Process CA certificate bundle file
+      */
+     if (ca_file) {
+-        ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
++        SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
+         /*
+          * If ca_list is still empty after trying to load ca_file
+          * then the file failed to load, and users should hear about that.
+@@ -1619,17 +1567,12 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+                 continue; /* don't try to load directories */
+             }
+             file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL);
+-            ssl_init_PushCAList(ca_list, s, ptemp, file);
++            SSL_add_file_cert_subjects_to_stack(ca_list, file);
+         }
+ 
+         apr_dir_close(dir);
+     }
+ 
+-    /*
+-     * Cleanup
+-     */
+-    (void) sk_X509_NAME_set_cmp_func(ca_list, NULL);
+-
+     return ca_list;
+ }
+ 
diff --git a/SOURCES/httpd-2.4.6-r1826995.patch b/SOURCES/httpd-2.4.6-r1826995.patch
new file mode 100644
index 0000000..abbcb33
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1826995.patch
@@ -0,0 +1,198 @@
+diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
+index 4580f1c..fb8202e 100644
+--- a/docs/manual/mod/mod_ssl.html.en
++++ b/docs/manual/mod/mod_ssl.html.en
+@@ -991,7 +991,8 @@ the certificate being verified.</p>
+ <p>This option enables OCSP validation of the client certificate
+ chain.  If this option is enabled, certificates in the client's
+ certificate chain will be validated against an OCSP responder after
+-normal verification (including CRL checks) have taken place.</p>
++normal verification (including CRL checks) have taken place. In 
++mode 'leaf', only the client certificate itself will be validated.</p>
+ 
+ <p>The OCSP responder used is either extracted from the certificate
+ itself, or derived by configuration; see the
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 4a8b661..e637a9d 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -227,8 +227,8 @@ static const command_rec ssl_config_cmds[] = {
+                 "request body if a per-location SSL renegotiation is required due to "
+                 "changed access control requirements")
+ 
+-    SSL_CMD_SRV(OCSPEnable, FLAG,
+-               "Enable use of OCSP to verify certificate revocation ('on', 'off')")
++    SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
++               "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
+     SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
+                "URL of the default OCSP Responder")
+     SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 86a7f0f..714aee9 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -130,7 +130,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
+     mctx->auth.verify_depth   = UNSET;
+     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
+ 
+-    mctx->ocsp_enabled        = FALSE;
++    mctx->ocsp_mask           = UNSET;
+     mctx->ocsp_force_default  = FALSE;
+     mctx->ocsp_responder      = NULL;
+     mctx->ocsp_resptime_skew  = UNSET;
+@@ -264,7 +264,7 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
+     cfgMergeInt(auth.verify_depth);
+     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
+ 
+-    cfgMergeBool(ocsp_enabled);
++    cfgMergeInt(ocsp_mask);
+     cfgMergeBool(ocsp_force_default);
+     cfgMerge(ocsp_responder, NULL);
+     cfgMergeInt(ocsp_resptime_skew);
+@@ -1575,11 +1575,46 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg,
+     return NULL;
+ }
+ 
+-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
++static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
++                                           const char *arg,
++                                           int *mask)
+ {
+-    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++    const char *w;
++
++    w = ap_getword_conf(parms->temp_pool, &arg);
++    if (strcEQ(w, "off")) {
++        *mask = SSL_OCSPCHECK_NONE;
++    }
++    else if (strcEQ(w, "leaf")) {
++        *mask = SSL_OCSPCHECK_LEAF;
++    }
++    else if (strcEQ(w, "on")) {
++        *mask = SSL_OCSPCHECK_CHAIN;
++    }
++    else {
++        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
++                           ": Invalid argument '", w, "'",
++                           NULL);
++    }
++
++    while (*arg) {
++        w = ap_getword_conf(parms->temp_pool, &arg);
++        if (strcEQ(w, "no_ocsp_for_cert_ok")) {
++            *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
++        }
++        else {
++            return apr_pstrcat(parms->temp_pool, parms->cmd->name,
++                               ": Invalid argument '", w, "'",
++                               NULL);
++        }
++    }
+ 
+-    sc->server->ocsp_enabled = flag ? TRUE : FALSE;
++    return NULL;
++}
++
++const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
++{
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ 
+ #ifdef OPENSSL_NO_OCSP
+     if (flag) {
+@@ -1588,7 +1623,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
+     }
+ #endif
+ 
+-    return NULL;
++    return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
+ }
+ 
+ const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 672760c..57b76c0 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -762,6 +762,10 @@ static void ssl_init_ctx_crl(server_rec *s,
+     unsigned long crlflags = 0;
+     char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
+ 
++    if (mctx->ocsp_mask == UNSET) {
++        mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
++    }
++
+     /*
+      * Configure Certificate Revocation List (CRL) Details
+      */
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 5ff35f5..9dc236c 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -1416,7 +1416,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
+     /*
+      * Perform OCSP-based revocation checks
+      */
+-    if (ok && sc->server->ocsp_enabled) {
++    if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
++         (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
+         /* If there was an optional verification error, it's not
+          * possible to perform OCSP validation since the issuer may be
+          * missing/untrusted.  Fail in that case. */
+diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
+index 90da5c2..58d267b 100644
+--- a/modules/ssl/ssl_engine_ocsp.c
++++ b/modules/ssl/ssl_engine_ocsp.c
+@@ -136,7 +136,14 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
+ 
+     ruri = determine_responder_uri(sc, cert, c, pool);
+     if (!ruri) {
+-        return V_OCSP_CERTSTATUS_UNKNOWN;
++        if (sc->server->ocsp_mask & SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK) {
++            ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, 
++                          "Skipping OCSP check for certificate cos no OCSP URL"
++                          " found and no_ocsp_for_cert_ok is set");
++            return V_OCSP_CERTSTATUS_GOOD;
++        } else {
++            return V_OCSP_CERTSTATUS_UNKNOWN;
++        }
+     }
+ 
+     request = create_request(ctx, cert, &certID, s, pool);
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index b601316..2d505f9 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -379,6 +379,16 @@ typedef enum {
+ } ssl_crlcheck_t;
+ 
+ /**
++  * OCSP checking mask (mode | flags)
++  */
++typedef enum {
++    SSL_OCSPCHECK_NONE  = (0),
++    SSL_OCSPCHECK_LEAF  = (1 << 0),
++    SSL_OCSPCHECK_CHAIN = (1 << 1),
++    SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
++} ssl_ocspcheck_t;
++
++/**
+  * Define the SSL pass phrase dialog types
+  */
+ typedef enum {
+@@ -668,7 +678,7 @@ typedef struct {
+ 
+     modssl_auth_ctx_t auth;
+ 
+-    BOOL ocsp_enabled; /* true if OCSP verification enabled */
++    int ocsp_mask;
+     BOOL ocsp_force_default; /* true if the default responder URL is
+                               * used regardless of per-cert URL */
+     const char *ocsp_responder; /* default responder URL */
+@@ -796,7 +806,7 @@ const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const ch
+ const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
+-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
++const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *flag);
+ 
+ #ifndef OPENSSL_NO_SRP
+ const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index c1b6c11..5d1e452 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,7 +16,3 @@
 </Directory>
 
 Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
-Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
-Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
-Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 9555865..296bca2 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -4,7 +4,7 @@
 %define mmn 20120211
 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
 %define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
-%define vstring CentOS
+%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})
 
 # Drop automatic provides for module DSOs
 %{?filter_setup:
@@ -15,10 +15,10 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.6
-Release: 80%{?dist}.1
+Release: 88%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source1: centos-noindex.tar.gz
+Source1: index.html
 Source2: httpd.logrotate
 Source3: httpd.sysconf
 Source4: httpd-ssl-pass-dialog
@@ -135,6 +135,7 @@ Patch111: httpd-2.4.6-r1348019.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1396197
 Patch112: httpd-2.4.6-r1587053.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1376835
+# https://bugzilla.redhat.com/show_bug.cgi?id=1527295
 Patch113: httpd-2.4.6-mpm-segfault.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1372692
 Patch114: httpd-2.4.6-r1681114.patch
@@ -174,6 +175,20 @@ Patch130: httpd-2.4.6-r1811976.patch
 Patch131: httpd-2.4.6-r1650310.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1557785
 Patch132: httpd-2.4.6-r1530999.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1533793
+Patch133: httpd-2.4.6-r1555539.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1523536
+Patch134: httpd-2.4.6-r1737363.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1548501
+Patch135: httpd-2.4.6-r1826995.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1556761
+Patch136: httpd-2.4.6-default-port-worker.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1493181
+Patch137: httpd-2.4.6-r1825120.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1458364
+Patch138: httpd-2.4.6-r1515372.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1458364
+Patch139: httpd-2.4.6-r1824872.patch
 
 # Security fixes
 Patch200: httpd-2.4.6-CVE-2013-6438.patch
@@ -410,6 +425,14 @@ rm modules/ssl/ssl_engine_dh.c
 %patch130 -p1 -b .r1811976
 %patch131 -p1 -b .r1650310
 %patch132 -p1 -b .r1530999
+%patch133 -p1 -b .r1555539
+%patch134 -p1 -b .r1523536
+%patch135 -p1 -b .r1826995
+%patch136 -p1 -b .defaultport-proxy
+%patch137 -p1 -b .r1825120
+%patch138 -p1 -b .r1515372
+%patch139 -p1 -b .r1824872
+
 
 %patch200 -p1 -b .cve6438
 %patch201 -p1 -b .cve0098
@@ -585,10 +608,8 @@ EOF
 
 # Handle contentdir
 mkdir $RPM_BUILD_ROOT%{contentdir}/noindex
-tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \
-        -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \
-        --strip-components=1
-
+install -m 644 -p $RPM_SOURCE_DIR/index.html \
+        $RPM_BUILD_ROOT%{contentdir}/noindex/index.html
 rm -rf %{contentdir}/htdocs
 
 # remove manual sources
@@ -611,7 +632,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \
       $RPM_BUILD_ROOT%{docroot}/cgi-bin/*
 
 # Symlink for the powered-by-$DISTRO image:
-ln -s ../noindex/images/poweredby.png \
+ln -s ../../pixmaps/poweredby.png \
         $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
 
 # symlinks for /etc/httpd
@@ -797,7 +818,7 @@ rm -rf $RPM_BUILD_ROOT
 %{contentdir}/error/README
 %{contentdir}/error/*.var
 %{contentdir}/error/include/*.html
-%{contentdir}/noindex/*
+%{contentdir}/noindex/index.html
 
 %dir %{docroot}
 %dir %{docroot}/cgi-bin
@@ -863,16 +884,32 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 
 %changelog
-* Tue Jun 26 2018 CentOS Sources <bugs@centos.org> - 2.4.6-80.el7.centos.1
-- Remove index.html, add centos-noindex.tar.gz
-- change vstring
-- change symlink for poweredby.png
-- update welcome.conf with proper aliases
-
-* Mon May 28 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-80.1
-- Resolves: #1560609 - httpd: active connections being terminated when httpd
-  gets gracefully stopped/restarted, GracefulShutdownTimeout is not being
-  honored
+* Thu Jun 21 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-88
+- Resolves: #1527295 - httpd with worker/event mpm segfaults after multiple
+  SIGUSR1
+
+* Thu Jun 21 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-87
+- Resolves: #1458364 - RMM list corruption in ldap module results in server hang
+
+* Thu Jun 21 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-86
+- Resolves: #1493181 - RFE: mod_ssl: allow sending multiple CA names which
+  differ only in case
+
+* Wed Jun 20 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-85
+- Resolves: #1556761 - mod_proxy_wstunned config needs the default port number
+
+* Mon Jun 18 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-84
+- Resolves: #1548501 - Make OCSP more configurable (like CRL)
+
+* Mon Jun 11 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-83
+- Resolves: #1523536 - Backport Apache BZ#59230 mod_proxy_express uses db
+  after close
+
+* Mon Jun 11 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-82
+- Resolves: #1533793 - Use Variable with mod_authnz_ldap
+
+* Mon Mar 26 2018 Joe Orton <jorton@redhat.com> - 2.4.6-81
+- don't terminate connections during graceful stop/restart (#1557785)
 
 * Mon Jan 08 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-80
 - Related: #1288395 - httpd segfault when logrotate invoked