Posted to cvs@httpd.apache.org by ic...@apache.org on 2018/02/16 15:45:08 UTC
svn commit: r1824511 - /httpd/httpd/patches/2.4.x/mod_ssl_policy.diff
Author: icing
Date: Fri Feb 16 15:45:08 2018
New Revision: 1824511
URL: http://svn.apache.org/viewvc?rev=1824511&view=rev
Log:
fixed patch to include complete new files (svn diff --patch-compatible)
Modified:
httpd/httpd/patches/2.4.x/mod_ssl_policy.diff
Modified: httpd/httpd/patches/2.4.x/mod_ssl_policy.diff
URL: http://svn.apache.org/viewvc/httpd/httpd/patches/2.4.x/mod_ssl_policy.diff?rev=1824511&r1=1824510&r2=1824511&view=diff
==============================================================================
--- httpd/httpd/patches/2.4.x/mod_ssl_policy.diff (original)
+++ httpd/httpd/patches/2.4.x/mod_ssl_policy.diff Fri Feb 16 15:45:08 2018
@@ -1,6 +1,6 @@
Index: docs/conf/extra/httpd-ssl.conf.in
===================================================================
---- docs/conf/extra/httpd-ssl.conf.in (revision 1824437)
+--- docs/conf/extra/httpd-ssl.conf.in (revision 1824509)
+++ docs/conf/extra/httpd-ssl.conf.in (working copy)
@@ -42,6 +42,34 @@
## the main server and all SSL-enabled virtual hosts.
@@ -39,7 +39,7 @@ Index: docs/conf/extra/httpd-ssl.conf.in
# and that httpd will negotiate as the client of a proxied server.
Index: docs/manual/mod/mod_ssl.xml
===================================================================
---- docs/manual/mod/mod_ssl.xml (revision 1824437)
+--- docs/manual/mod/mod_ssl.xml (revision 1824510)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -2827,4 +2827,206 @@
</usage>
@@ -48,7 +48,7 @@ Index: docs/manual/mod/mod_ssl.xml
+<directivesynopsis type="section" idtype="section">
+<name>SSLPolicyDefine</name>
+<description>Define a named set of SSL configurations</description>
-+<syntax><SSLPolicy <em>name</em>></syntax>
++<syntax><SSLPolicyDefine <em>name</em>></syntax>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
+
@@ -250,7 +250,7 @@ Index: docs/manual/mod/mod_ssl.xml
</modulesynopsis>
Index: docs/manual/sections.xml
===================================================================
---- docs/manual/sections.xml (revision 1824437)
+--- docs/manual/sections.xml (revision 1824510)
+++ docs/manual/sections.xml (working copy)
@@ -54,6 +54,7 @@
<directive type="section" idtype="section" module="mod_md">MDomainSet</directive>
@@ -262,7 +262,7 @@ Index: docs/manual/sections.xml
</related>
Index: modules/ssl/mod_ssl.c
===================================================================
---- modules/ssl/mod_ssl.c (revision 1824437)
+--- modules/ssl/mod_ssl.c (revision 1824509)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -308,6 +308,15 @@
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
@@ -282,7 +282,7 @@ Index: modules/ssl/mod_ssl.c
Index: modules/ssl/mod_ssl.dsp
===================================================================
---- modules/ssl/mod_ssl.dsp (revision 1824437)
+--- modules/ssl/mod_ssl.dsp (revision 1824509)
+++ modules/ssl/mod_ssl.dsp (working copy)
@@ -180,6 +180,10 @@
# End Source File
@@ -297,7 +297,7 @@ Index: modules/ssl/mod_ssl.dsp
# Begin Source File
Index: modules/ssl/ssl_engine_config.c
===================================================================
---- modules/ssl/ssl_engine_config.c (revision 1824437)
+--- modules/ssl/ssl_engine_config.c (revision 1824509)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -26,7 +26,11 @@
/* ``Damned if you do,
@@ -390,7 +390,7 @@ Index: modules/ssl/ssl_engine_config.c
return mrg;
}
-@@ -526,6 +551,268 @@
+@@ -526,6 +551,274 @@
modssl_ctx_cfg_merge_proxy(p, base->proxy, conf->proxy, conf->proxy);
}
@@ -514,7 +514,13 @@ Index: modules/ssl/ssl_engine_config.c
+SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name)
+{
+ apr_hash_t *policies = get_policies(pool, 1);
-+ return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
++ if (policies) {
++ return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
++ }
++ else if ((pool = apr_pool_parent_get(pool))) {
++ return ssl_policy_lookup(pool, name);
++ }
++ return NULL;
+}
+
+static void ssl_policy_set(apr_pool_t *pool, SSLPolicyRec *policy)
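Review bot: The new parent-pool fallback in ssl_policy_lookup only executes when `get_policies(pool, 1)` returns NULL, and whether that can happen is not visible in this hunk: if the second argument means "create the registry when missing" the `else if` branch is unreachable, and if it does not, the recursion quietly makes a policy name resolve against whichever ancestor pool first has a registry. Either way the search order deserves a comment above the function, e.g. `/* Find a named policy in this pool's registry, then in each ancestor pool; NULL if no pool knows it. */`, and a `for (; pool; pool = apr_pool_parent_get(pool))` loop would express the same walk without rebinding the parameter inside an `else if` condition. ssl_policy_lookup is complete within the hunk.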
@@ -659,7 +665,7 @@ Index: modules/ssl/ssl_engine_config.c
/*
* Configuration functions for particular directives
*/
-@@ -589,6 +876,9 @@
+@@ -589,6 +882,9 @@
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
@@ -669,7 +675,7 @@ Index: modules/ssl/ssl_engine_config.c
if (strcEQ(arg, "builtin")) {
mc->szCryptoDevice = NULL;
-@@ -626,9 +916,13 @@
+@@ -626,9 +922,13 @@
ssl_randseed_t *seed;
int arg2len = strlen(arg2);
@@ -683,7 +689,7 @@ Index: modules/ssl/ssl_engine_config.c
if (ssl_config_global_isfixed(mc)) {
return NULL;
-@@ -1198,6 +1492,9 @@
+@@ -1198,6 +1498,9 @@
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
@@ -693,7 +699,7 @@ Index: modules/ssl/ssl_engine_config.c
/* The OpenSSL session cache mode must have both the flags
* SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a
-@@ -1822,6 +2119,9 @@
+@@ -1822,6 +2125,9 @@
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
@@ -703,7 +709,7 @@ Index: modules/ssl/ssl_engine_config.c
/* Argument is of form 'name:args' or just 'name'. */
sep = ap_strchr_c(arg, ':');
-@@ -2034,6 +2334,13 @@
+@@ -2034,6 +2340,13 @@
return NULL;
}
@@ -717,7 +723,7 @@ Index: modules/ssl/ssl_engine_config.c
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
apr_file_t *out = NULL;
-@@ -2064,4 +2371,412 @@
+@@ -2064,4 +2377,412 @@
s = s->next;
}
@@ -1132,7 +1138,7 @@ Index: modules/ssl/ssl_engine_config.c
+
Index: modules/ssl/ssl_engine_init.c
===================================================================
---- modules/ssl/ssl_engine_init.c (revision 1824437)
+--- modules/ssl/ssl_engine_init.c (revision 1824509)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -284,6 +284,13 @@
sc->fips = FALSE;
@@ -1150,30 +1156,174 @@ Index: modules/ssl/ssl_engine_init.c
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
Index: modules/ssl/ssl_policies.h
===================================================================
---- modules/ssl/ssl_policies.h (revision 1808335)
+--- modules/ssl/ssl_policies.h (nonexistent)
+++ modules/ssl/ssl_policies.h (working copy)
-@@ -65,13 +65,13 @@
-
- #define SSL_POLICY_MOZILLA_VERSION 4.0
-
--#ifdef HAVE_TLS1_X
+@@ -0,0 +1,87 @@
++/* Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/**
++ * @verbatim
++ _ _
++ _ __ ___ ___ __| | ___ ___| | mod_ssl
++ | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
++ | | | | | | (_) | (_| | \__ \__ \ |
++ |_| |_| |_|\___/ \__,_|___|___/___/_|
++ |_____|
++ @endverbatim
++ * @file ssl_policies.h
++ * @brief Additional Utility Functions for OpenSSL
++ *
++ * @defgroup MOD_SSL_UTIL Utilities
++ * @ingroup MOD_SSL
++ * @{
++ */
++
++#ifndef __SSL_POLICIES_H__
++#define __SSL_POLICIES_H__
++
++#define SSL_MOD_POLICIES_KEY "ssl_module_policies"
++
++#ifndef OPENSSL_NO_SSL3
++#define SSL_PROTOCOL_CONSTANTS_SSLV3 SSL_PROTOCOL_SSLV3
++#else
++#define SSL_PROTOCOL_CONSTANTS_SSLV3 0
++#endif
++
+#ifdef HAVE_TLSV1_X
- #define SSL_POLICY_MODERN 1
- #define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
- #define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
--#else /* ifdef HAVE_TLS1_X */
++#define SSL_POLICY_LEGACY_PROTOCOLS \
++ (SSL_PROTOCOL_CONSTANTS_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1)
++#endif
++
++/* Settings for all policies */
++#define SSL_POLICY_HONOR_ORDER 1
++#define SSL_POLICY_COMPRESSION 0
++#define SSL_POLICY_SESSION_TICKETS 0
++#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE
++#define SSL_POLICY_PROXY_VERIFY_DEPTH -1
++
++/**
++ * Define a core set of policies that are always there:
++ * - 'modern' from https://wiki.mozilla.org/Security/Server_Side_TLS
++ * - 'intermediate' from https://wiki.mozilla.org/Security/Server_Side_TLS
++ * - 'old' from https://wiki.mozilla.org/Security/Server_Side_TLS
++ * The JSON version can be retrieved here:
++ * https://statics.tls.security.mozilla.org/server-side-tls-conf.json
++ */
++
++#define SSL_POLICY_MOZILLA_VERSION 4.0
++
++#ifdef HAVE_TLSV1_X
++#define SSL_POLICY_MODERN 1
++#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
++#define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
+#else /* ifdef HAVE_TLSV1_X */
- #define SSL_POLICY_MODERN 0
--#endif /* ifdef HAVE_TLS1_X, else part */
++#define SSL_POLICY_MODERN 0
+#endif /* ifdef HAVE_TLSV1_X, else part */
-
- #define SSL_POLICY_INTERMEDIATE 1
- #define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
++
++#define SSL_POLICY_INTERMEDIATE 1
++#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
++#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_CONSTANTS_SSLV3))
++
++#define SSL_POLICY_OLD 1
++#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
++#define SSL_POLICY_OLD_PROTOCOLS SSL_PROTOCOL_ALL
++
++
++#endif /* __SSL_POLICIES_H__ */
++/** @} */
++
Index: modules/ssl/ssl_policies.h.in
===================================================================
+--- modules/ssl/ssl_policies.h.in (nonexistent)
++++ modules/ssl/ssl_policies.h.in (working copy)
+@@ -0,0 +1,70 @@
++/* Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/**
++ * @verbatim
++ _ _
++ _ __ ___ ___ __| | ___ ___| | mod_ssl
++ | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
++ | | | | | | (_) | (_| | \__ \__ \ |
++ |_| |_| |_|\___/ \__,_|___|___/___/_|
++ |_____|
++ @endverbatim
++ * @file ssl_policies.h
++ * @brief Additional Utility Functions for OpenSSL
++ *
++ * @defgroup MOD_SSL_UTIL Utilities
++ * @ingroup MOD_SSL
++ * @{
++ */
++
++#ifndef __SSL_POLICIES_H__
++#define __SSL_POLICIES_H__
++
++#define SSL_MOD_POLICIES_KEY "ssl_module_policies"
++
++#ifndef OPENSSL_NO_SSL3
++#define SSL_PROTOCOL_CONSTANTS_SSLV3 SSL_PROTOCOL_SSLV3
++#else
++#define SSL_PROTOCOL_CONSTANTS_SSLV3 0
++#endif
++
++#ifdef HAVE_TLSV1_X
++#define SSL_POLICY_LEGACY_PROTOCOLS \
++ (SSL_PROTOCOL_CONSTANTS_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1)
++#endif
++
++/* Settings for all policies */
++#define SSL_POLICY_HONOR_ORDER 1
++#define SSL_POLICY_COMPRESSION 0
++#define SSL_POLICY_SESSION_TICKETS 0
++#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE
++#define SSL_POLICY_PROXY_VERIFY_DEPTH -1
++
++/**
++ * Define a core set of policies that are always there:
++ * - 'modern' from https://wiki.mozilla.org/Security/Server_Side_TLS
++ * - 'intermediate' from https://wiki.mozilla.org/Security/Server_Side_TLS
++ * - 'old' from https://wiki.mozilla.org/Security/Server_Side_TLS
++ * The JSON version can be retrieved here:
++ * https://statics.tls.security.mozilla.org/server-side-tls-conf.json
++ */
++
++@MOZILLA_SECURITY_POLICIES@
++
++#endif /* __SSL_POLICIES_H__ */
++/** @} */
++
Index: modules/ssl/ssl_private.h
===================================================================
---- modules/ssl/ssl_private.h (revision 1824437)
+--- modules/ssl/ssl_private.h (revision 1824509)
+++ modules/ssl/ssl_private.h (working copy)
@@ -596,6 +596,7 @@
apr_global_mutex_t *stapling_cache_mutex;
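Review bot: The new ssl_policies.h is the checked-in output of running update_policies.py over ssl_policies.h.in (the `@MOZILLA_SECURITY_POLICIES@` marker is where the policy defines are spliced in), but nothing in the generated header says so, so the next maintainer will hand-edit the cipher lists and lose the change on the next regeneration. A line after the license block such as `/* GENERATED from ssl_policies.h.in by update_policies.py -- edit the template, not this file */` would make that explicit. The `@brief Additional Utility Functions for OpenSSL` and `@defgroup MOD_SSL_UTIL Utilities` lines are copied from another mod_ssl header and describe the wrong file; `@brief Built-in SSLPolicy definitions (Mozilla Server Side TLS)` matches what the file holds. The same two fixes apply to ssl_policies.h.in.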
@@ -1233,24 +1383,139 @@ Index: modules/ssl/ssl_private.h
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
Index: modules/ssl/update_policies.py
===================================================================
---- modules/ssl/update_policies.py (revision 1808335)
+--- modules/ssl/update_policies.py (nonexistent)
+++ modules/ssl/update_policies.py (working copy)
-@@ -70,7 +70,7 @@
- # if it has a non-1_X protocol, it works without OpenSSL 1.0.2
- if not tlsv in TLS_1_X_VERSIONS:
- return None
-- return "HAVE_TLS1_X"
+@@ -0,0 +1,133 @@
++#!/usr/bin/env python
++
++import json
++import os
++import sys
++
++from httplib import HTTPSConnection
++
++# The location were Mozilla defines the *current* TLS Security in JSON format
++#
++MOZ_TLS_CONF_SERVER = "statics.tls.security.mozilla.org"
++MOZ_TLS_CONF_PATH = "/server-side-tls-conf.json"
++MOZ_TLS_CONF_URL = "https://%s%s" % (MOZ_TLS_CONF_SERVER, MOZ_TLS_CONF_PATH)
++
++# The version we already know. Accept nothing less.
++#
++MOZ_TLS_CONF_VERSION_MIN = 4.0
++
++# keys inside the JSON document
++#
++KEY_CONF = 'configurations'
++KEY_HREF = 'href'
++KEY_OSSL_CIPHERS = 'openssl_ciphersuites'
++KEY_TLS_VERSIONS = 'tls_versions'
++KEY_VERSION = 'version'
++
++# TLS Versions we know how to handle
++#
++TLS_VERSIONS = {
++ 'TLSv1.2' : "SSL_PROTOCOL_TLSV1_2",
++ 'TLSv1.1' : "SSL_PROTOCOL_TLSV1_1",
++ 'TLSv1' : "SSL_PROTOCOL_TLSV1",
++ 'SSLv3' : "SSL_PROTOCOL_CONSTANTS_SSLV3",
++}
++TLS_1_X_VERSIONS = [ 'TLSv1.2' ]
++
++# the Security configurations to extract
++POLICY_NAMES = [ 'modern', 'intermediate', 'old' ]
++
++
++def fail(msg):
++ sys.stderr.write(msg)
++ sys.exit(1)
++
++
++def proto_string(tls_version):
++ if tls_version in TLS_VERSIONS:
++ return TLS_VERSIONS[tls_version]
++ fail("Unknown TLS protocol '%s'" % tls_version)
++
++
++def proto_conf(tls_versions):
++ if len(TLS_VERSIONS) < len(tls_versions):
++ fail("more TLS versions used than we know: %s" % tls_versions)
++ if len(tls_versions) == 1:
++ return proto_string(tls_versions[0])
++ missing = []
++ for tls in TLS_VERSIONS:
++ if not tls in tls_versions:
++ missing.append(proto_string(tls))
++ if len(missing):
++ return "(SSL_PROTOCOL_ALL & ~(%s))" % "|".join(missing)
++ return "SSL_PROTOCOL_ALL"
++
++
++# return an #ifdef required for a policy or None
++#
++def required_ifdef(conf):
++ for tlsv in conf[KEY_TLS_VERSIONS]:
++ # if it has a non-1_X protocol, it works without OpenSSL 1.0.2
++ if not tlsv in TLS_1_X_VERSIONS:
++ return None
+ return "HAVE_TLSV1_X"
-
-
- def getPolicyDef():
-Index: .
-===================================================================
---- . (revision 1824437)
-+++ . (working copy)
-
-Property changes on: .
-___________________________________________________________________
-Modified: svn:mergeinfo
-## -0,0 +0,1 ##
- Merged /httpd/httpd/trunk:r1805182,1805186,1808335,1811475,1817381,1817894
++
++
++def getPolicyDef():
++ c = HTTPSConnection(MOZ_TLS_CONF_SERVER)
++ c.request('GET', MOZ_TLS_CONF_PATH)
++ data = c.getresponse().read()
++ c.close()
++ return data
++
++
++def printPolicies(doc):
++ print "#define SSL_POLICY_MOZILLA_VERSION %s" % doc[KEY_VERSION]
++ print ""
++ for pname in POLICY_NAMES:
++ prefix = "SSL_POLICY_%s" % pname.upper()
++ if not pname in doc[KEY_CONF]:
++ vars[prefix] = 0
++ continue
++ p = doc[KEY_CONF][pname]
++
++ ifdef = required_ifdef(p)
++ if ifdef:
++ print "#ifdef %s" % ifdef
++
++ print "#define %s 1" % prefix
++ print "#define %s_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS])
++ print "#define %s_PROTOCOLS %s" % (prefix, proto_conf(p[KEY_TLS_VERSIONS]))
++
++ if ifdef:
++ print "#else /* ifdef %s */" % ifdef
++ print "#define %s 0" % prefix
++ print "#endif /* ifdef %s, else part */" % ifdef
++ print ""
++
++
++def main(argv):
++ data = getPolicyDef()
++ doc = json.loads(data)
++
++ if MOZ_TLS_CONF_URL != doc[KEY_HREF]:
++ fail("ERROR: Unexpected href in policy document: %s\n" % doc[KEY_HREF])
++ if doc[KEY_VERSION] < MOZ_TLS_CONF_VERSION_MIN:
++ fail("ERROR: Expected at least version %s, but policy document has %s\n" \
++ % (MOZ_TLS_CONF_VERSION_MIN, doc[KEY_VERSION]))
++
++ if 1 == len(argv):
++ printPolicies(doc)
++ elif 2 == len(argv):
++ with open(argv[1]) as f:
++ for line in f:
++ if line == "@MOZILLA_SECURITY_POLICIES@\n":
++ printPolicies(doc)
++ else:
++ sys.stdout.write(line)
++ else:
++ fail("usage: %s [file] \nDownload and print/replace the Mozilla TLS Security policies" % argv[0])
++
++
++if __name__ == "__main__":
++ main(sys.argv)
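Review bot: `vars[prefix] = 0` in printPolicies assigns into the `vars` builtin and raises TypeError, so a policy name absent from the Mozilla document aborts the script instead of emitting a disabled policy; the other branches print the define, so this should be `print "#define %s 0" % prefix`. The cipher and protocol strings taken from the downloaded JSON are written into the C header verbatim (`p[KEY_OSSL_CIPHERS]` lands inside a string literal) with no check that they contain only cipher-list characters, so a stray quote or backslash in the document becomes a broken header rather than a clean failure; a character-class check before printing would turn that into a `fail()`. Since this script decides the TLS defaults compiled into httpd, it is also worth noting in a comment that `httplib.HTTPSConnection` on Python 2 releases before 2.7.9 does not verify the server certificate, so the href check on the fetched document is the only integrity check performed.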