Posted to cvs@httpd.apache.org by jk...@apache.org on 2015/07/22 14:08:01 UTC
svn commit: r1692258 - in /httpd/httpd/trunk:
docs/log-message-tags/next-number modules/ssl/ssl_engine_init.c
Author: jkaluza
Date: Wed Jul 22 12:08:01 2015
New Revision: 1692258
URL: http://svn.apache.org/r1692258
Log:
mod_ssl: allow enabling SSLProtocols even when they are disabled by OpenSSL
by default, and show a warning in that case.
Modified:
httpd/httpd/trunk/docs/log-message-tags/next-number
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1692258&r1=1692257&r2=1692258&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Wed Jul 22 12:08:01 2015
@@ -1 +1 @@
-2904
+2905
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1692258&r1=1692257&r2=1692258&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Jul 22 12:08:01 2015
@@ -471,6 +471,28 @@ static apr_status_t ssl_init_ctx_tls_ext
}
#endif
+/*
+ * Enable/disable SSLProtocol. If the mod_ssl enables protocol
+ * which is disabled by default by OpenSSL, show a warning.
+ * "option" is for example SSL_OP_NO_SSLv3.
+ */
+static void ssl_set_ctx_protocol_option(server_rec *s,
+ SSL_CTX *ctx,
+ long option,
+ int enabled,
+ const char *name)
+{
+ if (!enabled) {
+ SSL_CTX_set_options(ctx, option);
+ }
+ else if (SSL_CTX_get_options(ctx) & option) {
+ SSL_CTX_clear_options(ctx, option);
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)
+ "Allowing SSLProtocol %s even though it is disabled "
+ "by OpenSSL by default on this system", name);
+ }
+}
+
static apr_status_t ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
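Review bot: The `else if (SSL_CTX_get_options(ctx) & option)` test in the new helper cannot tell a bit set by the OpenSSL build's defaults from one mod_ssl itself set earlier on the same ctx, yet the APLOGNO(02904) warning attributes any such bit to OpenSSL "by default on this system". That attribution appears to hold only because, in the following hunk, the helper is first called right after `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)` and SSLv2 is never routed through it, so the precondition should be written into the header comment, e.g. `Must be called before mod_ssl itself sets the SSL_OP_NO_* bit for "option" on ctx; a bit already present is reported to the admin as an OpenSSL default.` The `enabled` parameter receives a raw `protocol & SSL_PROTOCOL_*` mask rather than 0/1, which works because it is only tested for non-zero; the comment should state that it is a truth value so callers do not compare it against 1. `ssl_init_ctx_protocol` is shown only by its signature here; its body continues outside the hunk.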
@@ -540,22 +562,17 @@ static apr_status_t ssl_init_ctx_protoco
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- if (!(protocol & SSL_PROTOCOL_SSLV3)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- }
-
- if (!(protocol & SSL_PROTOCOL_TLSV1)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
- }
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
+ protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
+ protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
#ifdef HAVE_TLSV1_X
- if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
- }
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_1,
+ protocol & SSL_PROTOCOL_TLSV1_1, "TLSv1.1");
- if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
- }
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
+ protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE