
Support compilation against libssl built with OPENSSL_NO_SSL3,

and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1703952 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2015-09-19 08:40:56 +00:00
parent fab37e8e26
commit 4c9b3c3b35
8 changed files with 61 additions and 13 deletions


@@ -1,6 +1,10 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
*) mod_proxy: Fix ProxySourceAddress binding failure with AH00938. *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl> PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>


@@ -581,7 +581,7 @@ by the applicable Security Policy.
<name>SSLProtocol</name> <name>SSLProtocol</name>
<description>Configure usable SSL/TLS protocol versions</description> <description>Configure usable SSL/TLS protocol versions</description>
<syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax> <syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProtocol all</default> <default>SSLProtocol all -SSLv3</default>
<contextlist><context>server config</context> <contextlist><context>server config</context>
<context>virtual host</context></contextlist> <context>virtual host</context></contextlist>
@@ -596,7 +596,8 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<p> <p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
the Netscape Corporation. the Netscape Corporation.
It is the successor to SSLv2 and the predecessor to TLSv1.</p></li> It is the successor to SSLv2 and the predecessor to TLSv1, but is
deprecated in <a href="http://www.ietf.org/rfc/rfc7568.txt">RFC 7568</a>.</p></li>
<li><code>TLSv1</code> <li><code>TLSv1</code>
<p> <p>
@@ -619,7 +620,9 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<p> <p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
- when using OpenSSL 1.0.1 and later - - when using OpenSSL 1.0.1 and later -
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li> ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively
(except for OpenSSL versions compiled with the ``no-ssl3'' configuration
option, where <code>all</code> does not include <code>+SSLv3</code>).</p></li>
</ul> </ul>
<example><title>Example</title> <example><title>Example</title>
<highlight language="config"> <highlight language="config">
@@ -1940,7 +1943,7 @@ proxy SSL/TLS requests.</p>
<name>SSLProxyProtocol</name> <name>SSLProxyProtocol</name>
<description>Configure usable SSL protocol flavors for proxy usage</description> <description>Configure usable SSL protocol flavors for proxy usage</description>
<syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax> <syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProxyProtocol all</default> <default>SSLProxyProtocol all -SSLv3</default>
<contextlist><context>server config</context> <contextlist><context>server config</context>
<context>virtual host</context></contextlist> <context>virtual host</context></contextlist>
<override>Options</override> <override>Options</override>


@@ -135,10 +135,15 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(SessionCacheTimeout, TAKE1, SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime " "SSL Session Cache object lifetime "
"('N' - number of seconds)") "('N' - number of seconds)")
#ifdef HAVE_TLSV1_X #ifdef OPENSSL_NO_SSL3
#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2" #define SSLv3_PROTO_PREFIX ""
#else #else
#define SSL_PROTOCOLS "SSLv3|TLSv1" #define SSLv3_PROTO_PREFIX "SSLv3|"
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
#else
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
#endif #endif
SSL_CMD_SRV(Protocol, RAW_ARGS, SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols " "Enable or disable various SSL protocols "


@@ -111,7 +111,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->ticket_key = NULL; mctx->ticket_key = NULL;
#endif #endif
mctx->protocol = SSL_PROTOCOL_ALL; mctx->protocol = SSL_PROTOCOL_DEFAULT;
mctx->protocol_set = 0; mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@@ -1316,7 +1316,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
} }
} }
else if (strcEQ(w, "SSLv3")) { else if (strcEQ(w, "SSLv3")) {
#ifdef OPENSSL_NO_SSL3
if (action != '-') {
return "SSLv3 not supported by this version of OpenSSL";
}
/* Nothing to do, the flag is not present to be toggled */
continue;
#else
thisopt = SSL_PROTOCOL_SSLV3; thisopt = SSL_PROTOCOL_SSLV3;
#endif
} }
else if (strcEQ(w, "TLSv1")) { else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1; thisopt = SSL_PROTOCOL_TLSV1;
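Review bot: The new `OPENSSL_NO_SSL3` branch in `ssl_cmd_protocol_parse` accepts `-SSLv3` silently but rejects `+SSLv3` (and presumably a bare `SSLv3`, depending on what `action` defaults to outside the hunk); that asymmetry is sensible because configurations written for SSLv3-capable builds keep loading, but the comment should say so rather than only noting that there is no flag to toggle, e.g. `/* Accept -SSLv3 so configs from SSLv3-capable builds still load; anything that would enable it is a hard config error. */`. The `continue` also skips whatever follows the token chain in the loop body, which is outside the hunk, so confirm no per-token bookkeeping is lost on that path. The error string could name the directive if the surrounding code already has it at hand, to make the failing line easier to locate.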


@@ -514,7 +514,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
} }
cp = apr_pstrcat(p, cp = apr_pstrcat(p,
#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X #ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""), (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -526,12 +528,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp); "Creating new SSL context (protocols: %s)", cp);
#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) { if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ? method = mctx->pkp ?
SSLv3_client_method() : /* proxy */ SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */ SSLv3_server_method(); /* server */
} }
else if (protocol == SSL_PROTOCOL_TLSV1) { else
#endif
if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ? method = mctx->pkp ?
TLSv1_client_method() : /* proxy */ TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */ TLSv1_server_method(); /* server */
@@ -562,8 +567,10 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
/* always disable SSLv2, as per RFC 6176 */ /* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
#ifndef OPENSSL_NO_SSL3
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3, ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
protocol & SSL_PROTOCOL_SSLV3, "SSLv3"); protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
#endif
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1, ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
protocol & SSL_PROTOCOL_TLSV1, "TLSv1"); protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
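Review bot: In the second hunk of `ssl_init_ctx_protocol`, the bare `else` placed before `#endif` with the `if (protocol == SSL_PROTOCOL_TLSV1)` after it is correct today but fragile: any statement later inserted between the `#endif` and that `if` silently becomes the else-body on SSLv3-capable builds and an unconditional statement on no-ssl3 builds. A comment on the `else` line such as `/* falls through to the TLSv1 test below; nothing may be placed between this else and the next if */` would guard against that, or the chain could be restructured so each compiled-out branch is self-contained. In the third hunk, skipping `SSL_OP_NO_SSLv3` when SSLv3 is compiled out looks fine since libssl cannot negotiate it, but that reasoning belongs in a comment, especially as the first hunk also drops SSLv3 from the trace-level protocol list on such builds. `ssl_init_ctx_protocol` starts and ends outside the hunks.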


@@ -1139,7 +1139,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
* IPv4 and IPv6 addresses are not permitted".) * IPv4 and IPv6 addresses are not permitted".)
*/ */
if (hostname_note && if (hostname_note &&
#ifndef OPENSSL_NO_SSL3
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 && sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
#endif
apr_ipsubnet_create(&ip, hostname_note, NULL, apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) { c->pool) != APR_SUCCESS) {
if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) { if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
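Review bot: Wrapping one operand of the compound `if` condition in `ssl_io_filter_handshake` with `#ifndef OPENSSL_NO_SSL3` makes the expression hard to read and easy to break the next time it is edited; hoisting the SSLv3 test into a local flag computed under the guard, and testing that flag in the condition, would keep the preprocessor out of the expression. Either way the intent deserves a comment, e.g. `/* SNI is a TLS extension, so it is not sent when the proxy is pinned to SSLv3 */` — that reading is inferred from the `SSL_set_tlsext_host_name` call below, so confirm it matches the original rationale. The enclosing function starts and ends outside the hunk.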


@@ -287,16 +287,27 @@ typedef int ssl_opt_t;
* Define the SSL Protocol options * Define the SSL Protocol options
*/ */
#define SSL_PROTOCOL_NONE (0) #define SSL_PROTOCOL_NONE (0)
#define SSL_PROTOCOL_SSLV2 (1<<0) #ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_SSLV3 (1<<1) #define SSL_PROTOCOL_SSLV3 (1<<1)
#endif
#define SSL_PROTOCOL_TLSV1 (1<<2) #define SSL_PROTOCOL_TLSV1 (1<<2)
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#else
#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
#endif
#ifdef HAVE_TLSV1_X #ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3) #define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4) #define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \ #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else #else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
#endif
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
#else
#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
#endif #endif
typedef int ssl_proto_t; typedef int ssl_proto_t;
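Review bot: `SSL_PROTOCOL_SSLV2` is dropped from this header as a side effect that the commit message does not mention; if any translation unit still references it the build breaks, and even if none does the removal deserves a line in the description. Leaving `SSL_PROTOCOL_SSLV3` undefined on no-ssl3 builds, rather than defining it as 0, turns every unguarded use into a compile error, and keeping bit 1 reserved instead of renumbering keeps the other values identical across builds; both choices are worth a comment on the first `#ifndef OPENSSL_NO_SSL3` guard, e.g. `/* Undefined on no-ssl3 builds so unguarded uses fail to compile; bit 1 stays reserved so other values are build-independent */`. `SSL_PROTOCOL_DEFAULT` would also benefit from `/* RFC 7568: SSLv3 is off unless explicitly enabled */`, since that policy is the point of the change.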


@@ -1997,6 +1997,12 @@ static void usage(const char *progname)
#define SSL2_HELP_MSG "" #define SSL2_HELP_MSG ""
#endif #endif
#ifndef OPENSSL_NO_SSL3
#define SSL3_HELP_MSG "SSL3, "
#else
#define SSL3_HELP_MSG ""
#endif
#ifdef HAVE_TLSV1_X #ifdef HAVE_TLSV1_X
#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2" #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
#else #else
@@ -2005,7 +2011,7 @@ static void usage(const char *progname)
fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n"); fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n"); fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n"); fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
#endif #endif
exit(EINVAL); exit(EINVAL);
} }
@@ -2350,8 +2356,10 @@ int main(int argc, const char * const argv[])
} else if (strncasecmp(opt_arg, "SSL2", 4) == 0) { } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
meth = SSLv2_client_method(); meth = SSLv2_client_method();
#endif #endif
#ifndef OPENSSL_NO_SSL3
} else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
meth = SSLv3_client_method(); meth = SSLv3_client_method();
#endif
#ifdef HAVE_TLSV1_X #ifdef HAVE_TLSV1_X
} else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
meth = TLSv1_1_client_method(); meth = TLSv1_1_client_method();
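Review bot: With SSLv3 compiled out, the `-f SSL3` branch in `main` disappears entirely, so the argument falls through the `strncasecmp` chain to whatever the final `else` does, which is outside the hunk; if that path silently selects a default method instead of rejecting the value, the user gets a different protocol than requested, whereas mod_ssl's parser in the same build returns an explicit error. An `#else` branch that reports the unsupported protocol and exits, mirroring the `exit(EINVAL)` used by `usage()`, would fail closed in the same way. The rest of the option-parsing chain continues outside the hunk.
```c
#ifndef OPENSSL_NO_SSL3
    } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
        meth = SSLv3_client_method();
#else
    } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
        fprintf(stderr, "SSL3 is not supported by this OpenSSL build\n");
        exit(EINVAL);
#endif
    /* … unchanged: TLS1.1 / TLS1.2 / remaining protocol branches … */
```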