You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2018/03/28 11:15:19 UTC
svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h
modules/ssl/update_policies.py
Author: icing
Date: Wed Mar 28 11:15:18 2018
New Revision: 1827912
URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
Log:
On the trunk:
mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
need more sugar).
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_policies.h
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/update_policies.py
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1827912&r1=1827911&r2=1827912&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Mar 28 11:15:18 2018
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
+ need more sugar). [Stefan Eissing]
+
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
[Eric Covener]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1827912&r1=1827911&r2=1827912&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Mar 28 11:15:18 2018
@@ -1537,6 +1537,9 @@ static const char *ssl_cmd_protocol_pars
else if (strcEQ(w, "TLSv1.2")) {
thisopt = SSL_PROTOCOL_TLSV1_2;
}
+ else if (SSL_HAVE_PROTOCOL_TLSV1_3 && strcEQ(w, "TLSv1.3")) {
+ thisopt = SSL_PROTOCOL_TLSV1_3;
+ }
#endif
else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL;
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18 2018
@@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
(protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
+#if SSL_HAVE_PROTOCOL_TLSV1_3
+ (protocol & SSL_PROTOCOL_TLSV1_3 ? "TLSv1.3, " : ""),
+#endif
#endif
NULL);
cp[strlen(cp)-2] = NUL;
@@ -633,6 +636,13 @@ static apr_status_t ssl_init_ctx_protoco
TLSv1_2_client_method() : /* proxy */
TLSv1_2_server_method(); /* server */
}
+#ifdef SSL_OP_NO_TLSv1_3
+ else if (protocol == SSL_PROTOCOL_TLSV1_3) {
+ method = mctx->pkp ?
+ TLSv1_3_client_method() : /* proxy */
+ TLSv1_3_server_method(); /* server */
+ }
+#endif
#endif
else { /* For multiple protocols, we need a flexible method */
method = mctx->pkp ?
@@ -667,11 +677,17 @@ static apr_status_t ssl_init_ctx_protoco
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
+#ifdef SSL_OP_NO_TLSv1_3
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
+ protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
+#endif
#endif
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
/* We first determine the maximum protocol version we should provide */
- if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
+ prot = TLS1_3_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION;
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
@@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
+ if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ }
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_policies.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_policies.h?rev=1827912&r1=1827911&r2=1827912&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_policies.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_policies.h Wed Mar 28 11:15:18 2018
@@ -66,18 +66,18 @@
#ifdef HAVE_TLSV1_X
#define SSL_POLICY_MODERN 1
#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
-#define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
+#define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
#else /* ifdef HAVE_TLSV1_X */
#define SSL_POLICY_MODERN 0
#endif /* ifdef HAVE_TLSV1_X, else part */
#define SSL_POLICY_INTERMEDIATE 1
#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
-#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_CONSTANTS_SSLV3))
+#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3))
#define SSL_POLICY_OLD 1
#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
-#define SSL_POLICY_OLD_PROTOCOLS SSL_PROTOCOL_ALL
+#define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3))
#endif /* __SSL_POLICIES_H__ */
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1827912&r1=1827911&r2=1827912&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Wed Mar 28 11:15:18 2018
@@ -356,8 +356,17 @@ typedef int ssl_opt_t;
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_TLSV1_3 (1<<5)
+
+#ifdef SSL_OP_NO_TLSv1_3
+#define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
+ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
+#else
+#define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#endif
#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
#endif
Modified: httpd/httpd/trunk/modules/ssl/update_policies.py
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/update_policies.py?rev=1827912&r1=1827911&r2=1827912&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/update_policies.py (original)
+++ httpd/httpd/trunk/modules/ssl/update_policies.py Wed Mar 28 11:15:18 2018
@@ -27,12 +27,15 @@ KEY_VERSION = 'version'
# TLS Versions we know how to handle
#
TLS_VERSIONS = {
- 'TLSv1.2' : "SSL_PROTOCOL_TLSV1_2",
+ 'TLSv1.3' : "SSL_PROTOCOL_TLSV1_3",
+# Mozilla does not list TLSv1.3 yet, but we want it in there!
+ 'TLSv1.2' : "(SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)",
+ #'TLSv1.2' : "SSL_PROTOCOL_TLSV1_2",
'TLSv1.1' : "SSL_PROTOCOL_TLSV1_1",
'TLSv1' : "SSL_PROTOCOL_TLSV1",
'SSLv3' : "SSL_PROTOCOL_CONSTANTS_SSLV3",
}
-TLS_1_X_VERSIONS = [ 'TLSv1.2' ]
+TLS_1_X_VERSIONS = [ 'TLSv1.2', 'TLSv1.3' ]
# the Security configurations to extract
POLICY_NAMES = [ 'modern', 'intermediate', 'old' ]
Re: svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h modules/ssl/update_policies.py
Posted by Luca Toscano <to...@gmail.com>.
All good now thanks!
Luca
2018-04-03 13:49 GMT+02:00 Stefan Eissing <st...@greenbytes.de>:
> My bad. Please try again with r1828220 or later.
>
> Cheers, Stefan
>
> > Am 01.04.2018 um 18:57 schrieb Luca Toscano <to...@gmail.com>:
> >
> > Hi Stefan
> >
> > 2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> > Author: icing
> > Date: Wed Mar 28 11:15:18 2018
> > New Revision: 1827912
> >
> > URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> > Log:
> > On the trunk:
> > mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other
> libs may
> > need more sugar).
> >
> >
> > Modified:
> > httpd/httpd/trunk/CHANGES
> > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> > httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> > httpd/httpd/trunk/modules/ssl/ssl_policies.h
> > httpd/httpd/trunk/modules/ssl/ssl_private.h
> > httpd/httpd/trunk/modules/ssl/update_policies.py
> >
> >
> >
> >
> > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/
> ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> > ============================================================
> ==================
> > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18
> 2018
> > @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
> >
> > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> > /* We first determine the maximum protocol version we should
> provide */
> > - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3))
> {
> > + prot = TLS1_3_VERSION;
> > + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
> >
> > /* Next we scan for the minimal protocol version we should provide,
> > * but we do not allow holes between max and min */
> > + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> > + prot = TLS1_2_VERSION;
> > + }
> > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > }
> >
> >
> > it may be a misconfig from my side, but I get the following with openssl
> 1.1.0f (not TLS 1.3 afaics):
> >
> > ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
> > ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use
> in this function)
> > prot = TLS1_3_VERSION;
> > ^~~~~~~~~~~~~~
> >
> > Adding the following bits makes everything work:
> >
> > Index: modules/ssl/ssl_engine_init.c
> > ===================================================================
> > --- modules/ssl/ssl_engine_init.c (revision 1828144)
> > +++ modules/ssl/ssl_engine_init.c (working copy)
> > @@ -685,9 +685,12 @@
> >
> > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> > /* We first determine the maximum protocol version we should
> provide */
> > +#if SSL_HAVE_PROTOCOL_TLSV1_3
> > if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3))
> {
> > prot = TLS1_3_VERSION;
> > - } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > + } else
> > +#endif
> > + if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > @@ -708,9 +711,11 @@
> >
> > /* Next we scan for the minimal protocol version we should provide,
> > * but we do not allow holes between max and min */
> > +#if SSL_HAVE_PROTOCOL_TLSV1_3
> > if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > }
> > +#endif
> > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > }
> >
> >
> > Luca
>
>
Re: svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h
modules/ssl/update_policies.py
Posted by Stefan Eissing <st...@greenbytes.de>.
My bad. Please try again with r1828220 or later.
Cheers, Stefan
> Am 01.04.2018 um 18:57 schrieb Luca Toscano <to...@gmail.com>:
>
> Hi Stefan
>
> 2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> Author: icing
> Date: Wed Mar 28 11:15:18 2018
> New Revision: 1827912
>
> URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> Log:
> On the trunk:
> mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
> need more sugar).
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_policies.h
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/update_policies.py
>
>
>
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18 2018
> @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide */
> - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> + prot = TLS1_3_VERSION;
> + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> + prot = TLS1_2_VERSION;
> + }
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
>
>
> it may be a misconfig from my side, but I get the following with openssl 1.1.0f (not TLS 1.3 afaics):
>
> ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
> ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use in this function)
> prot = TLS1_3_VERSION;
> ^~~~~~~~~~~~~~
>
> Adding the following bits makes everything work:
>
> Index: modules/ssl/ssl_engine_init.c
> ===================================================================
> --- modules/ssl/ssl_engine_init.c (revision 1828144)
> +++ modules/ssl/ssl_engine_init.c (working copy)
> @@ -685,9 +685,12 @@
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> prot = TLS1_3_VERSION;
> - } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + } else
> +#endif
> + if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> @@ -708,9 +711,11 @@
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> }
> +#endif
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
>
>
> Luca
Re: svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h modules/ssl/update_policies.py
Posted by Luca Toscano <to...@gmail.com>.
Hi Stefan
2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> Author: icing
> Date: Wed Mar 28 11:15:18 2018
> New Revision: 1827912
>
> URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> Log:
> On the trunk:
> mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other
> libs may
> need more sugar).
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_policies.h
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/update_policies.py
>
>
>
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/
> ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> ============================================================
> ==================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18
> 2018
> @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide
> */
> - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> + prot = TLS1_3_VERSION;
> + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> + prot = TLS1_2_VERSION;
> + }
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
>
>
it may be a misconfig from my side, but I get the following with
openssl 1.1.0f (not TLS 1.3 afaics):
ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use in
this function)
prot = TLS1_3_VERSION;
^~~~~~~~~~~~~~
Adding the following bits makes everything work:
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1828144)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -685,9 +685,12 @@
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
/* We first determine the maximum protocol version we should provide */
+#if SSL_HAVE_PROTOCOL_TLSV1_3
if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
prot = TLS1_3_VERSION;
- } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ } else
+#endif
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION;
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
@@ -708,9 +711,11 @@
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
+#if SSL_HAVE_PROTOCOL_TLSV1_3
if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION;
}
+#endif
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
}
Luca