Posted to cvs@httpd.apache.org by co...@apache.org on 2017/01/05 18:57:50 UTC
svn commit: r1777494 - in /httpd/httpd/branches/2.2.x: CHANGES
modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_io.c
modules/ssl/ssl_private.h support/ab.c
Author: covener
Date: Thu Jan 5 18:57:49 2017
New Revision: 1777494
URL: http://svn.apache.org/viewvc?rev=1777494&view=rev
Log:
Support compilation against libssl built with OPENSSL_NO_SSL3.
backport https://svn.apache.org/r1706008 from 2.4.x
Submitted by: kbrand
Reviewed by: ylavic, wrowe, covener
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
httpd/httpd/branches/2.2.x/support/ab.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Thu Jan 5 18:57:49 2017
@@ -39,6 +39,9 @@ Changes with Apache 2.2.32
*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives. [Mike Rumph <mike.rumph oracle.com>]
+ *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
+ [Kaspar Brand]
+
*) core: Limit to ten the number of tolerated empty lines between request.
[Yann Ylavic]
Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Thu Jan 5 18:57:49 2017
@@ -151,10 +151,15 @@ static const command_rec ssl_config_cmds
#else
#define SSLv2_PROTO_PREFIX "SSLv2|"
#endif
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
#ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
#else
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1"
#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols "
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Thu Jan 5 18:57:49 2017
@@ -1362,7 +1362,15 @@ static const char *ssl_cmd_protocol_pars
#endif
}
else if (strcEQ(w, "SSLv3")) {
+#ifdef OPENSSL_NO_SSL3
+ if (action != '-') {
+ return "SSLv3 not supported by this version of OpenSSL";
+ }
+ /* Nothing to do, the flag is not present to be toggled */
+ continue;
+#else
thisopt = SSL_PROTOCOL_SSLV3;
+#endif
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
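Review bot: The `continue` in the new OPENSSL_NO_SSL3 branch skips whatever the loop body does with `thisopt` and `action` after the keyword chain, so the `-SSLv3` case depends on nothing else being required there; the enclosing loop of ssl_cmd_protocol_parse starts and ends outside the hunk, so I cannot confirm that from this view. The asymmetry itself deserves a comment, because it is the only thing that lets an existing `SSLProtocol all -SSLv3` style configuration keep loading on a build without SSLv3 while a request to enable it is rejected: `/* "-SSLv3" is tolerated so existing "all -SSLv3" configs keep working; enabling it is an error */`. The SSLv2 branch just above (closed by the `#endif` at the top of the hunk) presumably follows the same shape; if so, the two comments should match.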
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Thu Jan 5 18:57:49 2017
@@ -354,7 +354,9 @@ static void ssl_init_ctx_protocol(server
#ifndef OPENSSL_NO_SSL2
(protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
#endif
+#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+#endif
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -374,6 +376,20 @@ static void ssl_init_ctx_protocol(server
}
else
#endif
+#ifndef OPENSSL_NO_SSL3
+ if (protocol == SSL_PROTOCOL_SSLV3) {
+ method = mctx->pkp ?
+ SSLv3_client_method() : /* proxy */
+ SSLv3_server_method(); /* server */
+ }
+ else
+#endif
+ if (protocol == SSL_PROTOCOL_TLSV1) {
+ method = mctx->pkp ?
+ TLSv1_client_method() : /* proxy */
+ TLSv1_server_method(); /* server */
+ }
+ else
#ifdef HAVE_TLSV1_X
if (protocol == SSL_PROTOCOL_TLSV1_1) {
method = mctx->pkp ?
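Review bot: The if/else chain now has an `else` left dangling in front of `#ifndef`/`#endif` blocks (the `else` before `#endif` at the end of the SSLv3 block and again before `#ifdef HAVE_TLSV1_X`), so the actual shape of the chain depends on which macros are defined and is hard to read from any one configuration. It works as long as every guarded block is followed by an unguarded `if`, which the new unconditional TLSv1 block guarantees for the SSLv3 case; a short comment stating that invariant would stop a later edit from breaking it: `/* each #ifndef'd branch ends in a bare "else" and relies on the next, unconditional "if" */`. ssl_init_ctx_protocol's body starts and ends outside this hunk, so the rest of the chain is not visible here.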
@@ -404,9 +420,11 @@ static void ssl_init_ctx_protocol(server
}
#endif
+#ifndef OPENSSL_NO_SSL3
if (!(protocol & SSL_PROTOCOL_SSLV3)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
}
+#endif
if (!(protocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jan 5 18:57:49 2017
@@ -1083,7 +1083,9 @@ static int ssl_io_filter_connect(ssl_fil
* protocol-wise).
*/
if (hostname_note &&
+#ifndef OPENSSL_NO_SSL3
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+#endif
apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) {
if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
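Review bot: Wrapping one operand of the `&&` chain in `#ifndef OPENSSL_NO_SSL3` leaves the expression's structure dependent on the preprocessor: dropping the operand is correct here because `SSL_PROTOCOL_SSLV3` no longer exists on such builds and an SSLv3-only proxy context therefore cannot be configured, but the trailing `&&` on the guarded line is easy to break when the condition is next edited. A local such as `int sni_allowed = 1;` set to `sc->proxy->protocol != SSL_PROTOCOL_SSLV3` inside the `#ifndef` block, then tested in the `if`, would keep the expression intact in both configurations. ssl_io_filter_connect's body starts and ends outside the hunk.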
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Thu Jan 5 18:57:49 2017
@@ -241,19 +241,24 @@ typedef int ssl_opt_t;
#ifndef OPENSSL_NO_SSL2
#define SSL_PROTOCOL_SSLV2 (1<<0)
#endif
+#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_SSLV3 (1<<1)
+#endif
#define SSL_PROTOCOL_TLSV1 (1<<2)
-#ifdef OPENSSL_NO_SSL2
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#elif !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
#else
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
+ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
#endif
typedef int ssl_proto_t;
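Review bot: The three `SSL_PROTOCOL_BASIC` definitions expand to an unparenthesized `a|b|c`, so any use such as `x & SSL_PROTOCOL_BASIC` would parse as `(x & a) | b | c`; `SSL_PROTOCOL_ALL` happens to add parentheses around it, but the new macro itself should carry them, e.g. `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)` and likewise for the two other branches. Note also that the `#else` branch covers the combination of SSLv2 available but SSLv3 removed, where SSLv2 silently drops out of BASIC; that is likely not a real-world libssl build, but a one-line comment on the `#else` saying so would document the intent. Leaving `SSL_PROTOCOL_SSLV3` undefined under OPENSSL_NO_SSL3, so that any unguarded use fails to compile rather than silently matching nothing, is the right choice and worth a comment on the `#ifndef` as well.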
Modified: httpd/httpd/branches/2.2.x/support/ab.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/support/ab.c?rev=1777494&r1=1777493&r2=1777494&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/support/ab.c (original)
+++ httpd/httpd/branches/2.2.x/support/ab.c Thu Jan 5 18:57:49 2017
@@ -1895,6 +1895,12 @@ static void usage(const char *progname)
#define SSL2_HELP_MSG ""
#endif
+#ifndef OPENSSL_NO_SSL3
+#define SSL3_HELP_MSG "SSL3, "
+#else
+#define SSL3_HELP_MSG ""
+#endif
+
#ifdef HAVE_TLSV1_X
#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
#else
@@ -1903,7 +1909,7 @@ static void usage(const char *progname)
fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
- fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
+ fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
#endif
exit(EINVAL);
}
@@ -2240,8 +2246,10 @@ int main(int argc, const char * const ar
} else if (strncasecmp(optarg, "SSL2", 4) == 0) {
meth = SSLv2_client_method();
#endif
+#ifndef OPENSSL_NO_SSL3
} else if (strncasecmp(optarg, "SSL3", 4) == 0) {
meth = SSLv3_client_method();
+#endif
#ifdef HAVE_TLSV1_X
} else if (strncasecmp(optarg, "TLS1.1", 6) == 0) {
meth = TLSv1_1_client_method();
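Review bot: With OPENSSL_NO_SSL3 defined, `-f SSL3` no longer matches any branch and falls through to the end of the chain, which lies outside this hunk; it is worth confirming that the final branch reports an unrecognised protocol rather than silently selecting a default method, since a user who asked for a specific version should not get a different one without an error. The usage text change in the earlier hunk already hides SSL3 from the help, so an explicit error here would make the two consistent. The `strncasecmp(optarg, "SSL3", 4)` prefix match is pre-existing and unchanged by this commit. main's body starts and ends outside the hunk.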