mirror of
https://github.com/apache/httpd.git
synced 2025-08-08 15:02:10 +03:00
On the trunk:
mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
need more sugar).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827912 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
3
CHANGES
3
CHANGES
@@ -1,6 +1,9 @@
|
|||||||
-*- coding: utf-8 -*-
|
-*- coding: utf-8 -*-
|
||||||
Changes with Apache 2.5.1
|
Changes with Apache 2.5.1
|
||||||
|
|
||||||
|
*) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
|
||||||
|
need more sugar). [Stefan Eissing]
|
||||||
|
|
||||||
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
|
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
|
||||||
[Eric Covener]
|
[Eric Covener]
|
||||||
|
|
||||||
|
|||||||
@@ -1537,6 +1537,9 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
|
|||||||
else if (strcEQ(w, "TLSv1.2")) {
|
else if (strcEQ(w, "TLSv1.2")) {
|
||||||
thisopt = SSL_PROTOCOL_TLSV1_2;
|
thisopt = SSL_PROTOCOL_TLSV1_2;
|
||||||
}
|
}
|
||||||
|
else if (SSL_HAVE_PROTOCOL_TLSV1_3 && strcEQ(w, "TLSv1.3")) {
|
||||||
|
thisopt = SSL_PROTOCOL_TLSV1_3;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
else if (strcEQ(w, "all")) {
|
else if (strcEQ(w, "all")) {
|
||||||
thisopt = SSL_PROTOCOL_ALL;
|
thisopt = SSL_PROTOCOL_ALL;
|
||||||
|
|||||||
@@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|||||||
#ifdef HAVE_TLSV1_X
|
#ifdef HAVE_TLSV1_X
|
||||||
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
|
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
|
||||||
(protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
|
(protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
|
||||||
|
#if SSL_HAVE_PROTOCOL_TLSV1_3
|
||||||
|
(protocol & SSL_PROTOCOL_TLSV1_3 ? "TLSv1.3, " : ""),
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
NULL);
|
NULL);
|
||||||
cp[strlen(cp)-2] = NUL;
|
cp[strlen(cp)-2] = NUL;
|
||||||
@@ -633,6 +636,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|||||||
TLSv1_2_client_method() : /* proxy */
|
TLSv1_2_client_method() : /* proxy */
|
||||||
TLSv1_2_server_method(); /* server */
|
TLSv1_2_server_method(); /* server */
|
||||||
}
|
}
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_3
|
||||||
|
else if (protocol == SSL_PROTOCOL_TLSV1_3) {
|
||||||
|
method = mctx->pkp ?
|
||||||
|
TLSv1_3_client_method() : /* proxy */
|
||||||
|
TLSv1_3_server_method(); /* server */
|
||||||
|
}
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
else { /* For multiple protocols, we need a flexible method */
|
else { /* For multiple protocols, we need a flexible method */
|
||||||
method = mctx->pkp ?
|
method = mctx->pkp ?
|
||||||
@@ -667,11 +677,17 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|||||||
|
|
||||||
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
|
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
|
||||||
protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
|
protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_3
|
||||||
|
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
|
||||||
|
protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
|
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
|
||||||
/* We first determine the maximum protocol version we should provide */
|
/* We first determine the maximum protocol version we should provide */
|
||||||
if (protocol & SSL_PROTOCOL_TLSV1_2) {
|
if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
|
||||||
|
prot = TLS1_3_VERSION;
|
||||||
|
} else if (protocol & SSL_PROTOCOL_TLSV1_2) {
|
||||||
prot = TLS1_2_VERSION;
|
prot = TLS1_2_VERSION;
|
||||||
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
|
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
|
||||||
prot = TLS1_1_VERSION;
|
prot = TLS1_1_VERSION;
|
||||||
@@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|||||||
|
|
||||||
/* Next we scan for the minimal protocol version we should provide,
|
/* Next we scan for the minimal protocol version we should provide,
|
||||||
* but we do not allow holes between max and min */
|
* but we do not allow holes between max and min */
|
||||||
|
if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
|
||||||
|
prot = TLS1_2_VERSION;
|
||||||
|
}
|
||||||
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
|
if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
|
||||||
prot = TLS1_1_VERSION;
|
prot = TLS1_1_VERSION;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -66,18 +66,18 @@
|
|||||||
#ifdef HAVE_TLSV1_X
|
#ifdef HAVE_TLSV1_X
|
||||||
#define SSL_POLICY_MODERN 1
|
#define SSL_POLICY_MODERN 1
|
||||||
#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
||||||
#define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
|
#define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
|
||||||
#else /* ifdef HAVE_TLSV1_X */
|
#else /* ifdef HAVE_TLSV1_X */
|
||||||
#define SSL_POLICY_MODERN 0
|
#define SSL_POLICY_MODERN 0
|
||||||
#endif /* ifdef HAVE_TLSV1_X, else part */
|
#endif /* ifdef HAVE_TLSV1_X, else part */
|
||||||
|
|
||||||
#define SSL_POLICY_INTERMEDIATE 1
|
#define SSL_POLICY_INTERMEDIATE 1
|
||||||
#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
|
#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
|
||||||
#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_CONSTANTS_SSLV3))
|
#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3))
|
||||||
|
|
||||||
#define SSL_POLICY_OLD 1
|
#define SSL_POLICY_OLD 1
|
||||||
#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
|
#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
|
||||||
#define SSL_POLICY_OLD_PROTOCOLS SSL_PROTOCOL_ALL
|
#define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3))
|
||||||
|
|
||||||
|
|
||||||
#endif /* __SSL_POLICIES_H__ */
|
#endif /* __SSL_POLICIES_H__ */
|
||||||
|
|||||||
@@ -356,8 +356,17 @@ typedef int ssl_opt_t;
|
|||||||
#ifdef HAVE_TLSV1_X
|
#ifdef HAVE_TLSV1_X
|
||||||
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
|
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
|
||||||
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
|
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
|
||||||
|
#define SSL_PROTOCOL_TLSV1_3 (1<<5)
|
||||||
|
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_3
|
||||||
|
#define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
|
||||||
|
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
|
||||||
|
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
|
||||||
|
#else
|
||||||
|
#define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
|
||||||
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
|
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
|
||||||
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
|
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
|
||||||
|
#endif
|
||||||
#else
|
#else
|
||||||
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
|
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@@ -27,12 +27,15 @@ KEY_VERSION = 'version'
|
|||||||
# TLS Versions we know how to handle
|
# TLS Versions we know how to handle
|
||||||
#
|
#
|
||||||
TLS_VERSIONS = {
|
TLS_VERSIONS = {
|
||||||
'TLSv1.2' : "SSL_PROTOCOL_TLSV1_2",
|
'TLSv1.3' : "SSL_PROTOCOL_TLSV1_3",
|
||||||
|
# Mozilla does not list TLSv1.3 yet, but we want it in there!
|
||||||
|
'TLSv1.2' : "(SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)",
|
||||||
|
#'TLSv1.2' : "SSL_PROTOCOL_TLSV1_2",
|
||||||
'TLSv1.1' : "SSL_PROTOCOL_TLSV1_1",
|
'TLSv1.1' : "SSL_PROTOCOL_TLSV1_1",
|
||||||
'TLSv1' : "SSL_PROTOCOL_TLSV1",
|
'TLSv1' : "SSL_PROTOCOL_TLSV1",
|
||||||
'SSLv3' : "SSL_PROTOCOL_CONSTANTS_SSLV3",
|
'SSLv3' : "SSL_PROTOCOL_CONSTANTS_SSLV3",
|
||||||
}
|
}
|
||||||
TLS_1_X_VERSIONS = [ 'TLSv1.2' ]
|
TLS_1_X_VERSIONS = [ 'TLSv1.2', 'TLSv1.3' ]
|
||||||
|
|
||||||
# the Security configurations to extract
|
# the Security configurations to extract
|
||||||
POLICY_NAMES = [ 'modern', 'intermediate', 'old' ]
|
POLICY_NAMES = [ 'modern', 'intermediate', 'old' ]
|
||||||
|
|||||||
Reference in New Issue
Block a user