www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Support compilation against libssl built with OPENSSL_NO_SSL3,

Browse Source 
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1703952 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2015-09-19 08:40:56 +00:00
parent fab37e8e26
commit 4c9b3c3b35
8 changed files with 61 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
*) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>

11
docs/manual/mod/mod_ssl.xml
View File

@@ -581,7 +581,7 @@ by the applicable Security Policy.
<name>SSLProtocol</name>
<description>Configure usable SSL/TLS protocol versions</description>
<syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProtocol all</default>
<default>SSLProtocol all -SSLv3</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
@@ -596,7 +596,8 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
the Netscape Corporation.
It is the successor to SSLv2 and the predecessor to TLSv1.</p></li>
It is the successor to SSLv2 and the predecessor to TLSv1, but is
deprecated in <a href="http://www.ietf.org/rfc/rfc7568.txt">RFC 7568</a>.</p></li>
<li><code>TLSv1</code>
<p>
@@ -619,7 +620,9 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
- when using OpenSSL 1.0.1 and later -
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively
(except for OpenSSL versions compiled with the ``no-ssl3'' configuration
option, where <code>all</code> does not include <code>+SSLv3</code>).</p></li>
</ul>
<example><title>Example</title>
<highlight language="config">
@@ -1940,7 +1943,7 @@ proxy SSL/TLS requests.</p>
<name>SSLProxyProtocol</name>
<description>Configure usable SSL protocol flavors for proxy usage</description>
<syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProxyProtocol all</default>
<default>SSLProxyProtocol all -SSLv3</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<override>Options</override>

11
modules/ssl/mod_ssl.c
View File

@@ -135,10 +135,15 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime "
"('N' - number of seconds)")
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
#ifdef OPENSSL_NO_SSL3
#define SSLv3_PROTO_PREFIX ""
#else
#define SSL_PROTOCOLS "SSLv3|TLSv1"
#define SSLv3_PROTO_PREFIX "SSLv3|"
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
#else
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols "

10
modules/ssl/ssl_engine_config.c
View File

@@ -111,7 +111,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->ticket_key = NULL;
#endif
mctx->protocol = SSL_PROTOCOL_ALL;
mctx->protocol = SSL_PROTOCOL_DEFAULT;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@@ -1316,7 +1316,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
}
}
else if (strcEQ(w, "SSLv3")) {
#ifdef OPENSSL_NO_SSL3
if (action != '-') {
return "SSLv3 not supported by this version of OpenSSL";
}
/* Nothing to do, the flag is not present to be toggled */
continue;
#else
thisopt = SSL_PROTOCOL_SSLV3;
#endif
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;

9
modules/ssl/ssl_engine_init.c
View File

@@ -514,7 +514,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
}
cp = apr_pstrcat(p,
#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -526,12 +528,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ?
SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */
}
else if (protocol == SSL_PROTOCOL_TLSV1) {
else
#endif
if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ?
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
@@ -562,8 +567,10 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
#ifndef OPENSSL_NO_SSL3
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
#endif
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
protocol & SSL_PROTOCOL_TLSV1, "TLSv1");

2
modules/ssl/ssl_engine_io.c
View File

@@ -1139,7 +1139,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
* IPv4 and IPv6 addresses are not permitted".)
*/
if (hostname_note &&
#ifndef OPENSSL_NO_SSL3
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
#endif
apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) {
if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {

17
modules/ssl/ssl_private.h
View File

@@ -287,16 +287,27 @@ typedef int ssl_opt_t;
* Define the SSL Protocol options
*/
#define SSL_PROTOCOL_NONE (0)
#define SSL_PROTOCOL_SSLV2 (1<<0)
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_SSLV3 (1<<1)
#endif
#define SSL_PROTOCOL_TLSV1 (1<<2)
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#else
#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
#endif
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
#else
#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
#endif
typedef int ssl_proto_t;

10
support/ab.c
View File

@@ -1997,6 +1997,12 @@ static void usage(const char *progname)
#define SSL2_HELP_MSG ""
#endif
#ifndef OPENSSL_NO_SSL3
#define SSL3_HELP_MSG "SSL3, "
#else
#define SSL3_HELP_MSG ""
#endif
#ifdef HAVE_TLSV1_X
#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
#else
@@ -2005,7 +2011,7 @@ static void usage(const char *progname)
fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
#endif
exit(EINVAL);
}
@@ -2350,8 +2356,10 @@ int main(int argc, const char * const argv[])
} else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
meth = SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
} else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
meth = SSLv3_client_method();
#endif
#ifdef HAVE_TLSV1_X
} else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
meth = TLSv1_1_client_method();