Noticed in the development of fips-enabled mod_ssl, when we are

configured to support exactly one protocol, use that explicit server and client mechansim to handshake with the client or proxied machine, rather than the generic SSLv23_[client|server]_method(). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@264621 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2005-08-29 19:59:46 +00:00
parent 146fd39a5a
commit 010f409bdc
1 changed files with 12 additions and 3 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -409,14 +409,23 @@ static void ssl_init_ctx_protocol(server_rec *s,
        method = mctx->pkp ?
            SSLv2_client_method() : /* proxy */
            SSLv2_server_method();  /* server */
-        ctx = SSL_CTX_new(method);  /* only SSLv2 is left */
    }
-    else {
+    else if (protocol == SSL_PROTOCOL_SSLV3) {
+        method = mctx->pkp ?
+            SSLv3_client_method() : /* proxy */
+            SSLv3_server_method();  /* server */
+    }
+    else if (protocol == SSL_PROTOCOL_TLSV1) {
+        method = mctx->pkp ?
+            TLSv1_client_method() : /* proxy */
+            TLSv1_server_method();  /* server */
+    }
+    else { /* For multiple protocols, we need a flexible method */
        method = mctx->pkp ?
            SSLv23_client_method() : /* proxy */
            SSLv23_server_method();  /* server */
-        ctx = SSL_CTX_new(method); /* be more flexible */
    }
+    ctx = SSL_CTX_new(method);

    mctx->ssl_ctx = ctx;