New releases of OpenSSL will only allow secure renegotiation by

default.  Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
  insecure_reneg field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
  ssl_config_server_merge): Handle the insecure_reneg flag.
  (ssl_cmd_SSLInsecureRenegotiation): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
  SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
  enabled.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
  support for secure reneg.

* modules/ssl/mod_ssl.c: Add the directive definition.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_init.c

@@ -414,6 +414,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
     MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
     char *cp;
     int protocol = mctx->protocol;
+    SSLSrvConfigRec *sc = mySrvConfig(s);
 
     /*
      *  Create the new per-server SSL context
@@ -473,11 +474,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
     }
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-    {
-        SSLSrvConfigRec *sc = mySrvConfig(s);
-        if (sc->cipher_server_pref == TRUE) {
-            SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-        }
+    if (sc->cipher_server_pref == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    if (sc->insecure_reneg == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
     }
 #endif