Posted to cvs@httpd.apache.org by co...@apache.org on 2017/01/05 18:57:50 UTC

svn commit: r1777494 - in /httpd/httpd/branches/2.2.x: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h support/ab.c

Author: covener
Date: Thu Jan  5 18:57:49 2017
New Revision: 1777494

URL: http://svn.apache.org/viewvc?rev=1777494&view=rev
Log:
Support compilation against libssl built with OPENSSL_NO_SSL3.

backport https://svn.apache.org/r1706008 from 2.4.x

Submitted by: kbrand
Reviewed by: ylavic, wrowe, covener

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
    httpd/httpd/branches/2.2.x/support/ab.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Thu Jan  5 18:57:49 2017
@@ -39,6 +39,9 @@ Changes with Apache 2.2.32
   *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
      directives.  [Mike Rumph <mike.rumph oracle.com>]
 
+  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
+     [Kaspar Brand]
+
   *) core: Limit to ten the number of tolerated empty lines between request.
      [Yann Ylavic]
 

Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Thu Jan  5 18:57:49 2017
@@ -151,10 +151,15 @@ static const command_rec ssl_config_cmds
 #else
 #define SSLv2_PROTO_PREFIX "SSLv2|"
 #endif
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
 #ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
 #else
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1"
 #endif
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols "

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Thu Jan  5 18:57:49 2017
@@ -1362,7 +1362,15 @@ static const char *ssl_cmd_protocol_pars
 #endif
         }
         else if (strcEQ(w, "SSLv3")) {
+#ifdef OPENSSL_NO_SSL3
+            if (action != '-') {
+                return "SSLv3 not supported by this version of OpenSSL";
+            }
+            /* Nothing to do, the flag is not present to be toggled */
+            continue;
+#else
             thisopt = SSL_PROTOCOL_SSLV3;
+#endif
         }
         else if (strcEQ(w, "TLSv1")) {
             thisopt = SSL_PROTOCOL_TLSV1;

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Thu Jan  5 18:57:49 2017
@@ -354,7 +354,9 @@ static void ssl_init_ctx_protocol(server
 #ifndef OPENSSL_NO_SSL2
                      (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
 #endif
+#ifndef OPENSSL_NO_SSL3
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+#endif
                      (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
 #ifdef HAVE_TLSV1_X
                      (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -374,6 +376,20 @@ static void ssl_init_ctx_protocol(server
     }
     else
 #endif
+#ifndef OPENSSL_NO_SSL3
+    if (protocol == SSL_PROTOCOL_SSLV3) {
+        method = mctx->pkp ?
+            SSLv3_client_method() : /* proxy */
+            SSLv3_server_method();  /* server */
+    }
+    else
+#endif
+    if (protocol == SSL_PROTOCOL_TLSV1) {
+        method = mctx->pkp ?
+            TLSv1_client_method() : /* proxy */
+            TLSv1_server_method();  /* server */
+    }
+    else
 #ifdef HAVE_TLSV1_X
     if (protocol == SSL_PROTOCOL_TLSV1_1) {
         method = mctx->pkp ?
@@ -404,9 +420,11 @@ static void ssl_init_ctx_protocol(server
     }
 #endif
 
+#ifndef OPENSSL_NO_SSL3
     if (!(protocol & SSL_PROTOCOL_SSLV3)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
     }
+#endif
 
     if (!(protocol & SSL_PROTOCOL_TLSV1)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jan  5 18:57:49 2017
@@ -1083,7 +1083,9 @@ static int ssl_io_filter_connect(ssl_fil
          * protocol-wise).
          */
         if (hostname_note &&
+#ifndef OPENSSL_NO_SSL3
             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+#endif
             apr_ipsubnet_create(&ip, hostname_note, NULL,
                                 c->pool) != APR_SUCCESS) {
             if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Thu Jan  5 18:57:49 2017
@@ -241,19 +241,24 @@ typedef int ssl_opt_t;
 #ifndef OPENSSL_NO_SSL2
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #endif
+#ifndef OPENSSL_NO_SSL3
 #define SSL_PROTOCOL_SSLV3 (1<<1)
+#endif
 #define SSL_PROTOCOL_TLSV1 (1<<2)
-#ifdef OPENSSL_NO_SSL2
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#elif !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
 #else
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
 #endif
 #ifdef HAVE_TLSV1_X
 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_BASIC| \
+                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
 #else
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_BASIC)
 #endif
 typedef int ssl_proto_t;
 
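Review bot: SSL_PROTOCOL_BASIC expands to an unparenthesised `a|b|c` in all three branches, so any use other than the parenthesised SSL_PROTOCOL_ALL below it — e.g. `proto & SSL_PROTOCOL_BASIC` — would bind `&` before `|` and silently test the wrong bits; the old SSL_MOST_ALL had the same hazard, but since the macro is being renamed anyway it is the moment to write `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)` and parenthesise the other two branches likewise. A smaller point: the `#else` branch also catches a build with SSLv2 present but SSLv3 absent, where SSL_PROTOCOL_SSLV2 is defined yet left out of `all`; that combination is presumably not something anyone ships and dropping SSLv2 is the safer default, but a one-line comment on the `#else` saying so would spare the next reader the puzzle.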

Modified: httpd/httpd/branches/2.2.x/support/ab.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/support/ab.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/support/ab.c (original)
+++ httpd/httpd/branches/2.2.x/support/ab.c Thu Jan  5 18:57:49 2017
@@ -1895,6 +1895,12 @@ static void usage(const char *progname)
 #define SSL2_HELP_MSG ""
 #endif
 
+#ifndef OPENSSL_NO_SSL3
+#define SSL3_HELP_MSG "SSL3, "
+#else
+#define SSL3_HELP_MSG ""
+#endif
+
 #ifdef HAVE_TLSV1_X
 #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
 #else
@@ -1903,7 +1909,7 @@ static void usage(const char *progname)
 
     fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
     fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n"); 
-    fprintf(stderr, "                    (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
+    fprintf(stderr, "                    (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
 #endif
     exit(EINVAL);
 }
@@ -2240,8 +2246,10 @@ int main(int argc, const char * const ar
                 } else if (strncasecmp(optarg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
 #endif
+#ifndef OPENSSL_NO_SSL3
                 } else if (strncasecmp(optarg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
+#endif
 #ifdef HAVE_TLSV1_X
                 } else if (strncasecmp(optarg, "TLS1.1", 6) == 0) {
                     meth = TLSv1_1_client_method();
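Review bot: In an OPENSSL_NO_SSL3 build `-f SSL3` no longer matches any branch of this chain and falls through to whatever the tail of the else chain does, which lies outside the hunk; unlike ssl_cmd_protocol_parse in this same commit, which answers with "SSLv3 not supported by this version of OpenSSL", ab gives no SSL3-specific diagnostic. If that tail defaults to ALL or to a TLS method, a run requested against SSLv3 would silently benchmark a different protocol. A dedicated branch under an `#else` keeps the two tools consistent: `} else if (strncasecmp(optarg, "SSL3", 4) == 0) {` / `fprintf(stderr, "SSL3 not supported by this version of OpenSSL\n");` / `exit(EINVAL);` — or ab's own error helper, if it has one, in place of the fprintf/exit pair.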