Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/08/29 21:59:50 UTC

svn commit: r264621 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Author: wrowe
Date: Mon Aug 29 12:59:46 2005
New Revision: 264621

URL: http://svn.apache.org/viewcvs?rev=264621&view=rev
Log:

  Noticed in the development of fips-enabled mod_ssl, when we are
  configured to support exactly one protocol, use that explicit server
  and client mechanism to handshake with the client or proxied machine,
  rather than the generic SSLv23_[client|server]_method().

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=264621&r1=264620&r2=264621&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Mon Aug 29 12:59:46 2005
@@ -409,14 +409,23 @@
         method = mctx->pkp ?
             SSLv2_client_method() : /* proxy */
             SSLv2_server_method();  /* server */
-        ctx = SSL_CTX_new(method);  /* only SSLv2 is left */
     }
-    else {
+    else if (protocol == SSL_PROTOCOL_SSLV3) {
+        method = mctx->pkp ?
+            SSLv3_client_method() : /* proxy */
+            SSLv3_server_method();  /* server */
+    }
+    else if (protocol == SSL_PROTOCOL_TLSV1) {
+        method = mctx->pkp ?
+            TLSv1_client_method() : /* proxy */
+            TLSv1_server_method();  /* server */
+    }
+    else { /* For multiple protocols, we need a flexible method */
         method = mctx->pkp ?
             SSLv23_client_method() : /* proxy */
             SSLv23_server_method();  /* server */
-        ctx = SSL_CTX_new(method); /* be more flexible */
     }
+    ctx = SSL_CTX_new(method);
 
     mctx->ssl_ctx = ctx;
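Review bot: The consolidated `ctx = SSL_CTX_new(method);` near the end of the hunk is assigned straight to `mctx->ssl_ctx` with no NULL check, and SSL_CTX_new() returns NULL on failure. With the new fixed-version methods this may matter more than before, since a restricted (for example FIPS-mode) OpenSSL build could plausibly refuse a method that the generic SSLv23 path would have accepted. I would add `if (!ctx) { /* log the OpenSSL error queue and fail startup */ }` before the assignment, unless code outside this hunk already handles it, because the enclosing function starts and ends beyond the visible lines. A short comment on the two new branches would also help, e.g. `/* exact match: a single-version method disables version negotiation, so peers offering any other protocol fail the handshake */`.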