
Support compilation against libssl built with OPENSSL_NO_SSL3,

and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1703952 13f79535-47bb-0310-9956-ffa450edef68
Kaspar Brand
2015-09-19 08:40:56 +00:00
parent fab37e8e26
commit 4c9b3c3b35
8 changed files with 61 additions and 13 deletions


@@ -514,7 +514,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
}
cp = apr_pstrcat(p,
#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -526,12 +528,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ?
SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */
}
else if (protocol == SSL_PROTOCOL_TLSV1) {
else
#endif
if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ?
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
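Review bot: In a build with OPENSSL_NO_SSL3 defined, a `protocol` value equal to SSL_PROTOCOL_SSLV3 is matched by no branch of this if/else chain any more, so it presumably drops through to the generic method selection below the hunk, and the guarded `ssl_set_ctx_protocol_option` calls in the third hunk then appear to leave every remaining version disabled, which fails closed but gives the administrator no hint why handshakes fail. Unless the SSLProtocol directive parser already rejects "SSLv3" in such a build (not visible in this commit), an explicit check ahead of the chain that logs "SSLv3 requested but not supported by this libssl" and returns failure the way the rest of ssl_init_ctx_protocol does would make the misconfiguration visible at startup. The `else` immediately before `#endif` followed by a bare `if` is also easy to misread when the SSLv3 branch is compiled out; a one-line comment such as `/* with OPENSSL_NO_SSL3 the chain starts at this if */` on the `if (protocol == SSL_PROTOCOL_TLSV1)` line would help. ssl_init_ctx_protocol begins and ends outside this hunk.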
@@ -562,8 +567,10 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
#ifndef OPENSSL_NO_SSL3
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
#endif
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
protocol & SSL_PROTOCOL_TLSV1, "TLSv1");