Posted to cvs@httpd.apache.org by rj...@apache.org on 2012/08/19 21:04:07 UTC

svn commit: r1374818 - /httpd/httpd/branches/2.2.x/STATUS

Author: rjung
Date: Sun Aug 19 19:04:07 2012
New Revision: 1374818

URL: http://svn.apache.org/viewvc?rev=1374818&view=rev
Log:
Vote and correct comment.

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1374818&r1=1374817&r2=1374818&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sun Aug 19 19:04:07 2012
@@ -146,7 +146,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
       http://svn.apache.org/viewvc?view=revision&revision=1225792
     Backport version for 2.2.x of the patches above:
       http://people.apache.org/~wrowe/tls11-12-patch-2.2-kbrand-wrowe.2.patch
-    +1: wrowe, sf, kbrand
+    +1: wrowe, sf, kbrand, rjung
     kbrand: explicitly including <openssl/opensslconf.h> in ssl_toolkit_compat.h
             would make sense, since we're relying on OPENSSL_NO_SSL2 being
             properly reported by OpenSSL (currently opensslconf.h is only
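Review bot: the +1 list on the changed line now carries four names, yet kbrand's note directly beneath it still records an open point (explicitly including <openssl/opensslconf.h> in ssl_toolkit_compat.h so that OPENSSL_NO_SSL2 is reliably reported by OpenSSL rather than by whatever the httpd build happens to define). Since the new vote is expressly conditioned on OPENSSL_NO_SSL2 coming from OpenSSL itself, that include is the mechanism the vote depends on; consider either resolving it in the backport patch or keeping the "Minor (CTR) issues" marker next to the vote so the backport is not merged with the dependency unaddressed.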
@@ -156,27 +156,11 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
         Minor (CTR) issues:
         - The "/* only SSLv2 is left */" comment is now obsolete.
         - Needs CHANGES entry.
-    rjung: Doesn't the following block in modules/ssl/ssl_engine_init.c
-    switch SSLv2 *OFF*, but now only if Apache is compiled with SSLv2:
-        +#ifndef OPENSSL_NO_SSL2
-             if (!(protocol & SSL_PROTOCOL_SSLV2)) {
-                 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-             }
-        +#endif
-    But OpenSSL itself might well have SSLv2 support, so we should add
-    (taken from 2.4.x):
-        +#ifndef OPENSSL_NO_SSL2
-             if (!(protocol & SSL_PROTOCOL_SSLV2)) {
-                 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-             }
-        +#else
-             /* always disable SSLv2, as per RFC 6176 */
-             SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-        +#endif
-    When testing your patch after compiling with OPENSSL_NO_SSL2 in fact
-    I can make a SSLv2 connect after setting the SSLProtocol and
-    SSLCipherSuite directives both to "All" resp. "ALL".
-    Apart from that the patch looks good (I would vote +1 with this fixed).
+    rjung: Voted on the basis, that OPENSSL_NO_SSL2 is not meant
+           to be set for the web server compile only but instead
+           would only be retrieved from OpenSSL. Otherwise
+           setting OPENSSL_NO_SSL2 only for the web server compile
+           does *not* disable SSLv2 (see r1374734).
 
    * mod_ssl: Add RFC 5878 support. This allows support of mechanisms
               such as Certificate Transparency. Note that new
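Review bot: the replacement comment drops the concrete evidence and the proposed fix that the removed lines carried, which leaves STATUS without a record of why the 2.4.x `#else` branch ("always disable SSLv2, as per RFC 6176", i.e. an unconditional `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)`) is not being backported alongside this patch. The new text states that OPENSSL_NO_SSL2 "would only be retrieved from OpenSSL" but does not say what enforces that in 2.2.x; the earlier observation that an SSLv2 connection could still be established when the macro was defined only for the httpd compile is exactly the failure mode the `#else` branch guards against. Suggest keeping one sentence that points at the 2.4.x `#else` branch as the defense-in-depth alternative and at r1374734 for the test result, so a later reader can see the decision rather than only its conclusion. Minor: "Voted on the basis, that" has a stray comma before "that".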