Posted to dev@httpd.apache.org by Luca Toscano <to...@gmail.com> on 2018/04/01 16:57:49 UTC
Re: svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h modules/ssl/update_policies.py
Hi Stefan
2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> Author: icing
> Date: Wed Mar 28 11:15:18 2018
> New Revision: 1827912
>
> URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> Log:
> On the trunk:
> mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other
> libs may
> need more sugar).
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_policies.h
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/update_policies.py
>
>
>
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/
> ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> ============================================================
> ==================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18
> 2018
> @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide
> */
> - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> + prot = TLS1_3_VERSION;
> + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
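Review bot: When the library has no TLSv1.3 but the configuration sets only the TLSV1_3 bit, the guard `SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)` on the first added line is simply false and the chain continues with the lower-version tests, so a maximum the administrator explicitly asked for is silently dropped rather than rejected. Whether the tail of the chain ends in an error for an empty selection is not visible here, since the rest of ssl_init_ctx_protocol lies outside this hunk; if it does not, rejecting an unsupported protocol bit at startup (for example `if (!SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) { /* log and fail the config */ }` before the chain) would be safer than falling through to whatever remains. This presumes ssl_engine_config.c accepts `TLSv1.3` in SSLProtocol regardless of the build's OpenSSL, which the changed file list suggests but the hunk does not show. The same applies to the two later quotes of this hunk in the thread.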
> @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> + prot = TLS1_2_VERSION;
> + }
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
>
>
it may be a misconfiguration on my side, but I get the following with
openssl 1.1.0f (which as far as I can see has no TLS 1.3):
ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use in
this function)
prot = TLS1_3_VERSION;
^~~~~~~~~~~~~~
Adding the following bits makes everything work:
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1828144)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -685,9 +685,12 @@
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
/* We first determine the maximum protocol version we should provide */
+#if SSL_HAVE_PROTOCOL_TLSV1_3
if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
prot = TLS1_3_VERSION;
- } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ } else
+#endif
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION;
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
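Review bot: Inside the new `#if SSL_HAVE_PROTOCOL_TLSV1_3` block the runtime test `SSL_HAVE_PROTOCOL_TLSV1_3 &&` on the following line is redundant, because the preprocessor already drops the branch when the macro is 0; `if (protocol & SSL_PROTOCOL_TLSV1_3) {` says the same. The `} else` left dangling before `#endif` and completed by the `if` after it does compile, but it hides the shape of the chain from readers and formatters, and any statement later inserted between those two lines would silently become the body of that `else`. Giving each preprocessor arm a syntactically complete opener, as sketched below, keeps the chain readable in both builds; the `#if`/`#endif` pair in the second hunk needs no such change. The same applies to the later quotes of this patch in the thread.

```c
    /* We first determine the maximum protocol version we should provide */
#if SSL_HAVE_PROTOCOL_TLSV1_3
    if (protocol & SSL_PROTOCOL_TLSV1_3) {
        prot = TLS1_3_VERSION;
    } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
#else
    if (protocol & SSL_PROTOCOL_TLSV1_2) {
#endif
        prot = TLS1_2_VERSION;
    /* … unchanged: remaining else-if chain … */
```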
@@ -708,9 +711,11 @@
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
+#if SSL_HAVE_PROTOCOL_TLSV1_3
if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION;
}
+#endif
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
prot = TLS1_1_VERSION;
}
Luca
Re: svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h modules/ssl/update_policies.py
Posted by Luca Toscano <to...@gmail.com>.
All good now thanks!
Luca
2018-04-03 13:49 GMT+02:00 Stefan Eissing <st...@greenbytes.de>:
> My bad. Please try again with r1828220 or later.
>
> Cheers, Stefan
>
> > Am 01.04.2018 um 18:57 schrieb Luca Toscano <to...@gmail.com>:
> >
> > Hi Stefan
> >
> > 2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> > Author: icing
> > Date: Wed Mar 28 11:15:18 2018
> > New Revision: 1827912
> >
> > URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> > Log:
> > On the trunk:
> > mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other
> libs may
> > need more sugar).
> >
> >
> > Modified:
> > httpd/httpd/trunk/CHANGES
> > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> > httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> > httpd/httpd/trunk/modules/ssl/ssl_policies.h
> > httpd/httpd/trunk/modules/ssl/ssl_private.h
> > httpd/httpd/trunk/modules/ssl/update_policies.py
> >
> >
> >
> >
> > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/
> ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> > ============================================================
> ==================
> > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18
> 2018
> > @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
> >
> > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> > /* We first determine the maximum protocol version we should
> provide */
> > - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3))
> {
> > + prot = TLS1_3_VERSION;
> > + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
> >
> > /* Next we scan for the minimal protocol version we should provide,
> > * but we do not allow holes between max and min */
> > + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> > + prot = TLS1_2_VERSION;
> > + }
> > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > }
> >
> >
> > it may be a misconfig from my side, but I get the following with openssl
> 1.1.0f (not TLS 1.3 afaics):
> >
> > ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
> > ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use
> in this function)
> > prot = TLS1_3_VERSION;
> > ^~~~~~~~~~~~~~
> >
> > Adding the following bits makes everything work:
> >
> > Index: modules/ssl/ssl_engine_init.c
> > ===================================================================
> > --- modules/ssl/ssl_engine_init.c (revision 1828144)
> > +++ modules/ssl/ssl_engine_init.c (working copy)
> > @@ -685,9 +685,12 @@
> >
> > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> > /* We first determine the maximum protocol version we should
> provide */
> > +#if SSL_HAVE_PROTOCOL_TLSV1_3
> > if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3))
> {
> > prot = TLS1_3_VERSION;
> > - } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > + } else
> > +#endif
> > + if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > @@ -708,9 +711,11 @@
> >
> > /* Next we scan for the minimal protocol version we should provide,
> > * but we do not allow holes between max and min */
> > +#if SSL_HAVE_PROTOCOL_TLSV1_3
> > if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > }
> > +#endif
> > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > }
> >
> >
> > Luca
>
>
Re: svn commit: r1827912 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_policies.h modules/ssl/ssl_private.h
modules/ssl/update_policies.py
Posted by Stefan Eissing <st...@greenbytes.de>.
My bad. Please try again with r1828220 or later.
Cheers, Stefan
> Am 01.04.2018 um 18:57 schrieb Luca Toscano <to...@gmail.com>:
>
> Hi Stefan
>
> 2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> Author: icing
> Date: Wed Mar 28 11:15:18 2018
> New Revision: 1827912
>
> URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> Log:
> On the trunk:
> mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
> need more sugar).
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_policies.h
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/update_policies.py
>
>
>
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18 2018
> @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide */
> - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> + prot = TLS1_3_VERSION;
> + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> + prot = TLS1_2_VERSION;
> + }
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
>
>
> it may be a misconfig from my side, but I get the following with openssl 1.1.0f (not TLS 1.3 afaics):
>
> ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
> ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use in this function)
> prot = TLS1_3_VERSION;
> ^~~~~~~~~~~~~~
>
> Adding the following bits makes everything work:
>
> Index: modules/ssl/ssl_engine_init.c
> ===================================================================
> --- modules/ssl/ssl_engine_init.c (revision 1828144)
> +++ modules/ssl/ssl_engine_init.c (working copy)
> @@ -685,9 +685,12 @@
>
> #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> /* We first determine the maximum protocol version we should provide */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
> prot = TLS1_3_VERSION;
> - } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> + } else
> +#endif
> + if (protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> @@ -708,9 +711,11 @@
>
> /* Next we scan for the minimal protocol version we should provide,
> * but we do not allow holes between max and min */
> +#if SSL_HAVE_PROTOCOL_TLSV1_3
> if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> prot = TLS1_2_VERSION;
> }
> +#endif
> if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> prot = TLS1_1_VERSION;
> }
>
>
> Luca