You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2016/03/20 15:20:52 UTC
svn commit: r1735882 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Author: rjung
Date: Sun Mar 20 14:20:52 2016
New Revision: 1735882
URL: http://svn.apache.org/viewvc?rev=1735882&view=rev
Log:
Support for OpenSSL 1.1.0:
- use new API SSL_CTX_set_max_proto_version()
and SSL_CTX_set_min_proto_version() instead
of SSL_CTX_set_options()
- use new methods TLS_client_method() and
TLS_server_method()
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1735882&r1=1735881&r2=1735882&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Mar 20 14:20:52 2016
@@ -474,6 +474,7 @@ static apr_status_t ssl_init_ctx_tls_ext
}
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/*
* Enable/disable SSLProtocol. If the mod_ssl enables protocol
* which is disabled by default by OpenSSL, show a warning.
@@ -499,6 +500,7 @@ static void ssl_set_ctx_protocol_option(
"by OpenSSL by default on this system", name);
}
}
+#endif
static apr_status_t ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p,
@@ -510,6 +512,9 @@ static apr_status_t ssl_init_ctx_protoco
char *cp;
int protocol = mctx->protocol;
SSLSrvConfigRec *sc = mySrvConfig(s);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int prot;
+#endif
/*
* Create the new per-server SSL context
@@ -535,6 +540,7 @@ static apr_status_t ssl_init_ctx_protoco
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ?
@@ -565,12 +571,18 @@ static apr_status_t ssl_init_ctx_protoco
SSLv23_client_method() : /* proxy */
SSLv23_server_method(); /* server */
}
+#else
+ method = mctx->pkp ?
+ TLS_client_method() : /* proxy */
+ TLS_server_method(); /* server */
+#endif
ctx = SSL_CTX_new(method);
mctx->ssl_ctx = ctx;
SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
@@ -589,6 +601,43 @@ static apr_status_t ssl_init_ctx_protoco
protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
#endif
+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ /* We first determine the maximum protocol version we should provide */
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+#ifndef OPENSSL_NO_SSL3
+ } else if (protocol & SSL_PROTOCOL_SSLV3) {
+ prot = SSL3_VERSION;
+#endif
+ } else {
+ SSL_CTX_free(ctx);
+ mctx->ssl_ctx = NULL;
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
+ "No SSL protocols available [hint: SSLProtocol]");
+ return ssl_die(s);
+ }
+ SSL_CTX_set_max_proto_version(ctx, prot);
+
+ /* Next we scan for the minimal protocol version we should provide,
+ * but we do not allow holes between max and min */
+ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ }
+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+ }
+#ifndef OPENSSL_NO_SSL3
+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
+ prot = SSL3_VERSION;
+ }
+#endif
+ SSL_CTX_set_min_proto_version(ctx, prot);
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (sc->cipher_server_pref == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);