diff --git a/CHANGES b/CHANGES
index e39bd08f20..33f4a0a9fa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.3.12
+  *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+     [Stefan Fritsch]
+
   *) core: Abort if the MPM is changed across restart. [Jeff Trawick]
   *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 89270bf4ec..6042bacb2c 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1208,6 +1208,11 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
         }
         if (strcEQ(w, "SSLv2")) {
+#ifdef OPENSSL_NO_SSL2
+            if (action != '-') {
+                return "SSLv2 not supported by this version of OpenSSL";
+            }
+#endif
             thisopt = SSL_PROTOCOL_SSLV2;
         }
         else if (strcEQ(w, "SSLv3")) {
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index c8df81ee03..67f72eaa29 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -500,16 +500,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
     ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
                  "Creating new SSL context (protocols: %s)", cp);
-    if (protocol == SSL_PROTOCOL_SSLV2) {
-        method = mctx->pkp ?
-            SSLv2_client_method() : /* proxy */
-            SSLv2_server_method(); /* server */
-    }
-    else if (protocol == SSL_PROTOCOL_SSLV3) {
+    if (protocol == SSL_PROTOCOL_SSLV3) {
         method = mctx->pkp ?
             SSLv3_client_method() : /* proxy */
             SSLv3_server_method(); /* server */
     }
+#ifndef OPENSSL_NO_SSL2
+    else if (protocol == SSL_PROTOCOL_SSLV2) {
+        method = mctx->pkp ?
+            SSLv2_client_method() : /* proxy */
+            SSLv2_server_method(); /* server */
+    }
+#endif
     else if (protocol == SSL_PROTOCOL_TLSV1) {
         method = mctx->pkp ?
             TLSv1_client_method() : /* proxy */
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 89051adcd5..5dcc65e90f 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
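Review bot: The error string returned under OPENSSL_NO_SSL2 in ssl_cmd_protocol_parse blames the OpenSSL version, but the condition is a build option (OpenSSL configured without SSLv2) that can apply to any version, so an administrator chasing this message will look in the wrong place. Suggest `return "SSLv2 not supported by this build of OpenSSL (OPENSSL_NO_SSL2)";`. The `action != '-'` test deliberately lets `-SSLv2` through, where it clears a bit that SSL_PROTOCOL_ALL no longer contains, so existing `SSLProtocol all -SSLv2` configurations keep working; that intent deserves a comment on the test, e.g. `/* -SSLv2 stays accepted (a no-op here) so existing configs still load */`. ssl_cmd_protocol_parse begins and ends outside the hunk.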
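Review bot: Under OPENSSL_NO_SSL2 a `protocol` value equal to SSL_PROTOCOL_SSLV2 no longer matches any branch of this chain in ssl_init_ctx_protocol and falls through to whatever follows the TLSv1 branch outside the hunk; that is unreachable only because ssl_cmd_protocol_parse rejects an explicit SSLv2 in the same commit, and the coupling is not recorded here. Suggest a comment on the new `#ifndef OPENSSL_NO_SSL2` line: `/* SSLv2-only configs are rejected at parse time when OPENSSL_NO_SSL2 is set */`. Moving the SSLv3 test ahead of the SSLv2 test is behaviour-neutral, since both are equality comparisons on the same value. ssl_init_ctx_protocol begins and ends outside the hunk.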
@@ -236,7 +236,11 @@ typedef int ssl_opt_t;
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #define SSL_PROTOCOL_SSLV3 (1<<1)
 #define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifndef OPENSSL_NO_SSL2
 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#else
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
 typedef int ssl_proto_t;
 /**
diff --git a/support/ab.c b/support/ab.c
index 59461dd53b..601fadc8cc 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -1890,7 +1890,11 @@ static void usage(const char *progname)
     fprintf(stderr, " -h Display usage information (this message)\n");
 #ifdef USE_SSL
     fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
+#ifndef OPENSSL_NO_SSL2
     fprintf(stderr, " -f protocol Specify SSL/TLS protocol (SSL2, SSL3, TLS1, or ALL)\n");
+#else
+    fprintf(stderr, " -f protocol Specify SSL/TLS protocol (SSL3, TLS1, or ALL)\n");
+#endif
 #endif
     exit(EINVAL);
 }
@@ -2219,8 +2223,10 @@ int main(int argc, const char * const argv[])
             case 'f':
                 if (strncasecmp(opt_arg, "ALL", 3) == 0) {
                     meth = SSLv23_client_method();
+#ifndef OPENSSL_NO_SSL2
                 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
+#endif
                 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
                 } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
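Review bot: SSL_PROTOCOL_ALL now silently takes one of two values depending on whether OPENSSL_NO_SSL2 is visible at this point in ssl_private.h, so the definition is only correct if the OpenSSL headers (which pull in opensslconf.h, where that macro lives) are included above it; the includes are outside the hunk, so I cannot confirm the order. If they were not, the server would keep advertising SSLv2 in its default mask while the method selection code treats it as absent. A comment would make the dependency explicit: `/* OPENSSL_NO_SSL2 comes from opensslconf.h; OpenSSL headers must be included above */`. The same include-order dependency applies to the two OPENSSL_NO_SSL2 tests in support/ab.c below.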
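Review bot: The two fprintf lines under `#ifndef OPENSSL_NO_SSL2`/`#else` in usage differ only in the protocol list, so the next edit to the `-f` help text has to be made twice and the copies can drift. Defining the list once as a string constant inside an `#ifndef OPENSSL_NO_SSL2` block near the top of the file and emitting a single fprintf here would keep one copy of the text. usage begins outside the hunk.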
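Review bot: With OPENSSL_NO_SSL2 set, `-f SSL2` no longer matches any branch of this chain in main, so the argument is silently accepted and the run proceeds with whatever `meth` held before; what happens after the TLS1 branch is outside the hunk, but the usage text now tells the user SSL2 is not an option, and the server side of this commit rejects it with an error rather than ignoring it. An explicit `#else` branch that reports the unsupported protocol and exits, mirroring how usage exits with EINVAL, keeps ab from benchmarking a different protocol than the one requested. main begins and ends outside the hunk.
```c
                if (strncasecmp(opt_arg, "ALL", 3) == 0) {
                    meth = SSLv23_client_method();
#ifndef OPENSSL_NO_SSL2
                } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
                    meth = SSLv2_client_method();
#else
                } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
                    fprintf(stderr, "SSL2 not supported by this build of OpenSSL\n");
                    exit(EINVAL);
#endif
                } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
                /* … unchanged: SSL3 and TLS1 branches … */
```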