VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-06 11:06:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

merge r1222921 from trunk:

Browse Source 
SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when
compiled against OpenSSL 1.0.1 or later. Update documentation.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222922 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2011-12-24 06:43:48 +00:00
parent ea32bc39c2
commit 6eb443666c
6 changed files with 74 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
modules/ssl/ssl_engine_init.c
View File

@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server_rec *s,
cp = apr_pstrcat(p,
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
(protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
#endif
NULL);
cp[strlen(cp)-2] = NUL;
@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
}
#ifdef HAVE_TLSV1_X
else if (protocol == SSL_PROTOCOL_TLSV1_1) {
method = mctx->pkp ?
TLSv1_1_client_method() : /* proxy */
TLSv1_1_server_method(); /* server */
}
else if (protocol == SSL_PROTOCOL_TLSV1_2) {
method = mctx->pkp ?
TLSv1_2_client_method() : /* proxy */
TLSv1_2_server_method(); /* server */
}
#endif
else { /* For multiple protocols, we need a flexible method */
method = mctx->pkp ?
SSLv23_client_method() : /* proxy */
@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
}
#ifdef HAVE_TLSV1_X
if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
}
if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
}
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (sc->cipher_server_pref == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);