Posted to cvs@httpd.apache.org by rj...@apache.org on 2012/08/19 21:04:07 UTC
svn commit: r1374818 - /httpd/httpd/branches/2.2.x/STATUS
Author: rjung
Date: Sun Aug 19 19:04:07 2012
New Revision: 1374818
URL: http://svn.apache.org/viewvc?rev=1374818&view=rev
Log:
Vote and correct comment.
Modified:
httpd/httpd/branches/2.2.x/STATUS
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1374818&r1=1374817&r2=1374818&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sun Aug 19 19:04:07 2012
@@ -146,7 +146,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
http://svn.apache.org/viewvc?view=revision&revision=1225792
Backport version for 2.2.x of the patches above:
http://people.apache.org/~wrowe/tls11-12-patch-2.2-kbrand-wrowe.2.patch
- +1: wrowe, sf, kbrand
+ +1: wrowe, sf, kbrand, rjung
kbrand: explicitly including <openssl/opensslconf.h> in ssl_toolkit_compat.h
would make sense, since we're relying on OPENSSL_NO_SSL2 being
properly reported by OpenSSL (currently opensslconf.h is only
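Review bot: the +1 is added on the vote line while kbrand's note directly below it is still open (that ssl_toolkit_compat.h should explicitly include <openssl/opensslconf.h>, since the patch relies on OPENSSL_NO_SSL2 being reported by OpenSSL rather than assumed); because the vote's correctness rests on that macro coming from OpenSSL's own headers, consider recording the include as a prerequisite for the backport or resolving it before the patch is merged.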
@@ -156,27 +156,11 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
Minor (CTR) issues:
- The "/* only SSLv2 is left */" comment is now obsolete.
- Needs CHANGES entry.
- rjung: Doesn't the following block in modules/ssl/ssl_engine_init.c
- switch SSLv2 *OFF*, but now only if Apache is compiled with SSLv2:
- +#ifndef OPENSSL_NO_SSL2
- if (!(protocol & SSL_PROTOCOL_SSLV2)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- }
- +#endif
- But OpenSSL itself might well have SSLv2 support, so we should add
- (taken from 2.4.x):
- +#ifndef OPENSSL_NO_SSL2
- if (!(protocol & SSL_PROTOCOL_SSLV2)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- }
- +#else
- /* always disable SSLv2, as per RFC 6176 */
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- +#endif
- When testing your patch after compiling with OPENSSL_NO_SSL2 in fact
- I can make a SSLv2 connect after setting the SSLProtocol and
- SSLCipherSuite directives both to "All" resp. "ALL".
- Apart from that the patch looks good (I would vote +1 with this fixed).
+ rjung: Voted on the basis, that OPENSSL_NO_SSL2 is not meant
+ to be set for the web server compile only but instead
+ would only be retrieved from OpenSSL. Otherwise
+ setting OPENSSL_NO_SSL2 only for the web server compile
+ does *not* disable SSLv2 (see r1374734).
* mod_ssl: Add RFC 5878 support. This allows support of mechanisms
such as Certificate Transparency. Note that new
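Review bot: the removed block carried a concrete proposed fix (the 2.4.x "#else" branch that unconditionally sets SSL_OP_NO_SSLv2, per RFC 6176) and a reproducible observation (an SSLv2 connect succeeding with SSLProtocol and SSLCipherSuite set to "All"/"ALL"), whereas the replacement lines only give the vote rationale and point at r1374734, so STATUS no longer records whether the 2.4.x fallback was rejected or merely deferred. Suggest keeping a one-line pointer to the "#else" fallback, or stating explicitly that the backport intentionally relies on OPENSSL_NO_SSL2 coming from OpenSSL's configuration, so the decision stays traceable for whoever applies the backport; the two "Minor (CTR) issues" items above (obsolete "/* only SSLv2 is left */" comment, missing CHANGES entry) also remain listed as outstanding.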