www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

mod_ssl: use SSL_HAVE_PROTOCOL_TLSV1_3 to check for compiled in TLS 1.3.

Browse Source 
More meaningful than SSL_OP_NO_TLSv1_3, hopefully...


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833589 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2018-06-15 11:25:46 +00:00
parent 35ca22d231
commit 6d730fb7ed
3 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/ssl/ssl_engine_config.c
View File

@@ -881,7 +881,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
} }
return NULL; return NULL;
} }
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
else if (!strcmp("TLSv1.3", arg1)) { else if (!strcmp("TLSv1.3", arg1)) {
if (cmd->path) { if (cmd->path) {
return "TLSv1.3 ciphers cannot be set inside a directory context"; return "TLSv1.3 ciphers cannot be set inside a directory context";
@@ -1645,7 +1645,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
dc->proxy->auth.cipher_suite = arg2; dc->proxy->auth.cipher_suite = arg2;
return NULL; return NULL;
} }
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
else if (!strcmp("TLSv1.3", arg1)) { else if (!strcmp("TLSv1.3", arg1)) {
dc->proxy->auth.tls13_ciphers = arg2; dc->proxy->auth.tls13_ciphers = arg2;
return NULL; return NULL;
@@ -2528,7 +2528,7 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
apr_file_t *out, const char *indent, const char **psep) apr_file_t *out, const char *indent, const char **psep)
{ {
DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite); DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
if (auth->tls13_ciphers) { if (auth->tls13_ciphers) {
DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite",
apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL)); apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL));

10
modules/ssl/ssl_engine_init.c
View File

@@ -639,7 +639,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
TLSv1_2_client_method() : /* proxy */ TLSv1_2_client_method() : /* proxy */
TLSv1_2_server_method(); /* server */ TLSv1_2_server_method(); /* server */
} }
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
else if (protocol == SSL_PROTOCOL_TLSV1_3) { else if (protocol == SSL_PROTOCOL_TLSV1_3) {
method = mctx->pkp ? method = mctx->pkp ?
TLSv1_3_client_method() : /* proxy */ TLSv1_3_client_method() : /* proxy */
@@ -681,7 +681,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2, ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2"); protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3, ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3"); protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
#endif #endif
@@ -689,7 +689,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
/* We first determine the maximum protocol version we should provide */ /* We first determine the maximum protocol version we should provide */
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) { if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
prot = TLS1_3_VERSION; prot = TLS1_3_VERSION;
} else } else
@@ -715,7 +715,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
/* Next we scan for the minimal protocol version we should provide, /* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */ * but we do not allow holes between max and min */
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
prot = TLS1_2_VERSION; prot = TLS1_2_VERSION;
} }
@@ -944,7 +944,7 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s); return ssl_die(s);
} }
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
if (mctx->auth.tls13_ciphers if (mctx->auth.tls13_ciphers
&& !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) { && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10127) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10127)

4
modules/ssl/ssl_engine_kernel.c
View File

@@ -1126,7 +1126,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
return DECLINED; return DECLINED;
} }
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
/* /*
* Access Handler, modern flavour, for SSL/TLS v1.3 and onward. * Access Handler, modern flavour, for SSL/TLS v1.3 and onward.
* Only client certificates can be requested, everything else stays. * Only client certificates can be requested, everything else stays.
@@ -1305,7 +1305,7 @@ int ssl_hook_Access(request_rec *r)
return DECLINED; return DECLINED;
} }
#ifdef SSL_OP_NO_TLSv1_3 #if SSL_HAVE_PROTOCOL_TLSV1_3
/* TLSv1.3+ is less complicated here. Branch off into a new codeline /* TLSv1.3+ is less complicated here. Branch off into a new codeline
* and avoid messing with the past. */ * and avoid messing with the past. */
if (SSL_version(ssl) >= TLS1_3_VERSION) { if (SSL_version(ssl) >= TLS1_3_VERSION) {