From 6d730fb7ed6c2da3e9f1c966c35a32b478a8bbfe Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 15 Jun 2018 11:25:46 +0000
Subject: [PATCH] mod_ssl: use SSL_HAVE_PROTOCOL_TLSV1_3 to check for compiled
 in TLS 1.3.

More meaningful than SSL_OP_NO_TLSv1_3, hopefully...


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833589 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_config.c |  6 +++---
 modules/ssl/ssl_engine_init.c   | 10 +++++-----
 modules/ssl/ssl_engine_kernel.c |  4 ++--
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 927caa931f..d26d0f0d64 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -881,7 +881,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
         }
         return NULL;
     }
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     else if (!strcmp("TLSv1.3", arg1)) {
         if (cmd->path) {
             return "TLSv1.3 ciphers cannot be set inside a directory context";
@@ -1645,7 +1645,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
         dc->proxy->auth.cipher_suite = arg2;
         return NULL;
     }
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     else if (!strcmp("TLSv1.3", arg1)) {
         dc->proxy->auth.tls13_ciphers = arg2;
         return NULL;
@@ -2528,7 +2528,7 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
                                  apr_file_t *out, const char *indent, const char **psep)
 {
     DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     if (auth->tls13_ciphers) {
         DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", 
             apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL));
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 514825f914..e63d42c350 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -639,7 +639,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
             TLSv1_2_client_method() : /* proxy */
             TLSv1_2_server_method();  /* server */
     }
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     else if (protocol == SSL_PROTOCOL_TLSV1_3) {
         method = mctx->pkp ?
             TLSv1_3_client_method() : /* proxy */
@@ -681,7 +681,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 
     ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
                                 protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
                                 protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
 #endif
@@ -689,7 +689,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 
 #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
     /* We first determine the maximum protocol version we should provide */
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
         prot = TLS1_3_VERSION;
     } else
@@ -715,7 +715,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 
     /* Next we scan for the minimal protocol version we should provide,
      * but we do not allow holes between max and min */
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
         prot = TLS1_2_VERSION;
     }
@@ -944,7 +944,7 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
         return ssl_die(s);
     }
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     if (mctx->auth.tls13_ciphers 
         && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10127)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 4fbcb0ba45..2b0bc75a22 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1126,7 +1126,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
     return DECLINED;
 }
 
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
 /*
  *  Access Handler, modern flavour, for SSL/TLS v1.3 and onward. 
  *  Only client certificates can be requested, everything else stays.
@@ -1305,7 +1305,7 @@ int ssl_hook_Access(request_rec *r)
         return DECLINED;
     }
 
-#ifdef SSL_OP_NO_TLSv1_3
+#if SSL_HAVE_PROTOCOL_TLSV1_3
     /* TLSv1.3+ is less complicated here. Branch off into a new codeline
      * and avoid messing with the past. */
     if (SSL_version(ssl) >= TLS1_3_VERSION) {