SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when

compiled against OpenSSL 1.0.1 or later. Update documentation.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1222921 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/mod/mod_ssl.xml

@@ -61,7 +61,7 @@ compatibility variables.</p>
  <th>Description:</th>
 </tr>
 <tr><td><code>HTTPS</code></td>                         <td>flag</td>      <td>HTTPS is being used.</td></tr>
-<tr><td><code>SSL_PROTOCOL</code></td>                  <td>string</td>    <td>The SSL protocol version (SSLv3, TLSv1)</td></tr>
+<tr><td><code>SSL_PROTOCOL</code></td>                  <td>string</td>    <td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr>
 <tr><td><code>SSL_SESSION_ID</code></td>                <td>string</td>    <td>The hex-encoded SSL session id</td></tr>
 <tr><td><code>SSL_SESSION_RESUMED</code></td>           <td>string</td>    <td>Initial or Resumed SSL Session.  Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
 <tr><td><code>SSL_SECURE_RENEG</code></td>              <td>string</td>    <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
@@ -588,15 +588,25 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
 
 <li><code>TLSv1</code>
     <p>
-    This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
+    This is the Transport Layer Security (TLS) protocol, version 1.0.
-    successor to SSLv3 and was originally defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>
+    It is the successor to SSLv3 and is defined in
-    (obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>
+    <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>.</p></li>
-    and <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a> in
+
-    the meantime).</p></li>
+<li><code>TLSv1.1</code> (when using OpenSSL 1.0.1 and later)
+    <p>
+    A revision of the TLS 1.0 protocol, as defined in
+    <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>.</p></li>
+
+<li><code>TLSv1.2</code> (when using OpenSSL 1.0.1 and later)
+    <p>
+    A revision of the TLS 1.1 protocol, as defined in
+    <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
 
 <li><code>all</code>
     <p>
-    This is a shortcut for ``<code>+SSLv3 +TLSv1</code>''.</p></li>
+    This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
+    - when using OpenSSL 1.0.1 and later -
+    ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
 </ul>
 <example><title>Example</title>
 SSLProtocol TLSv1

modules/ssl/mod_ssl.c

@@ -130,7 +130,11 @@ static const command_rec ssl_config_cmds[] = {
                 "('N' - number of seconds)")
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
-                "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+                "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+                "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
@@ -148,7 +152,11 @@ static const command_rec ssl_config_cmds[] = {
                 "('on', 'off')")
     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
-               "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+                "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+                "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                "('XXX:...:XXX' - see manual)")

modules/ssl/ssl_engine_config.c

@@ -1283,6 +1283,12 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
         else if (strcEQ(w, "TLSv1")) {
             thisopt = SSL_PROTOCOL_TLSV1;
         }
+        else if (strcEQ(w, "TLSv1.1")) {
+            thisopt = SSL_PROTOCOL_TLSV1_1;
+        }
+        else if (strcEQ(w, "TLSv1.2")) {
+            thisopt = SSL_PROTOCOL_TLSV1_2;
+        }
         else if (strcEQ(w, "all")) {
             thisopt = SSL_PROTOCOL_ALL;
         }

modules/ssl/ssl_engine_init.c

@@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server_rec *s,
     cp = apr_pstrcat(p,
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
                      (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
+#ifdef HAVE_TLSV1_X
+                     (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
+                     (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
+#endif
                      NULL);
     cp[strlen(cp)-2] = NUL;
 
@@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
             TLSv1_client_method() : /* proxy */
             TLSv1_server_method();  /* server */
     }
+#ifdef HAVE_TLSV1_X
+    else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+        method = mctx->pkp ?
+            TLSv1_1_client_method() : /* proxy */
+            TLSv1_1_server_method();  /* server */
+    }
+    else if (protocol == SSL_PROTOCOL_TLSV1_2) {
+        method = mctx->pkp ?
+            TLSv1_2_client_method() : /* proxy */
+            TLSv1_2_server_method();  /* server */
+    }
+#endif
     else { /* For multiple protocols, we need a flexible method */
         method = mctx->pkp ?
             SSLv23_client_method() : /* proxy */
@@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
 
+#ifdef HAVE_TLSV1_X
+    if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+    }
+
+    if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
+    }
+#endif
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
     if (sc->cipher_server_pref == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

modules/ssl/ssl_private.h

@@ -176,6 +176,10 @@
 #endif
 #endif
 
+#ifdef SSL_OP_NO_TLSv1_2
+#define HAVE_TLSV1_X
+#endif
+
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
 
@@ -316,7 +320,14 @@ typedef int ssl_opt_t;
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #define SSL_PROTOCOL_SSLV3 (1<<1)
 #define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifdef HAVE_TLSV1_X
+#define SSL_PROTOCOL_TLSV1_1 (1<<3)
+#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#else
 #define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
 typedef int ssl_proto_t;
 
 /**