VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-07-25 17:01:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

merge r1703952 from trunk

Browse Source 
Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2015-09-30 11:50:30 +00:00
parent 181e083ddb
commit ecf6758840
8 changed files with 61 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -2,6 +2,10 @@
Changes with Apache 2.4.17
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
*) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher

11
docs/manual/mod/mod_ssl.xml
View File

@ -586,7 +586,7 @@ by the applicable Security Policy.
<name>SSLProtocol</name>
<description>Configure usable SSL/TLS protocol versions</description>
<syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProtocol all</default>
<default>SSLProtocol all -SSLv3 (up to 2.4.16: all)</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
@ -601,7 +601,8 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
the Netscape Corporation.
It is the successor to SSLv2 and the predecessor to TLSv1.</p></li>
It is the successor to SSLv2 and the predecessor to TLSv1, but is
deprecated in <a href="http://www.ietf.org/rfc/rfc7568.txt">RFC 7568</a>.</p></li>
<li><code>TLSv1</code>
<p>
@ -624,7 +625,9 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
- when using OpenSSL 1.0.1 and later -
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively
(except for OpenSSL versions compiled with the ``no-ssl3'' configuration
option, where <code>all</code> does not include <code>+SSLv3</code>).</p></li>
</ul>
<example><title>Example</title>
<highlight language="config">
@ -1943,7 +1946,7 @@ proxy SSL/TLS requests.</p>
<name>SSLProxyProtocol</name>
<description>Configure usable SSL protocol flavors for proxy usage</description>
<syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProxyProtocol all</default>
<default>SSLProxyProtocol all -SSLv3 (up to 2.4.16: all)</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<override>Options</override>

11
modules/ssl/mod_ssl.c
View File

@ -125,10 +125,15 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime "
"('N' - number of seconds)")
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
#ifdef OPENSSL_NO_SSL3
#define SSLv3_PROTO_PREFIX ""
#else
#define SSL_PROTOCOLS "SSLv3|TLSv1"
#define SSLv3_PROTO_PREFIX "SSLv3|"
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
#else
#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols "

10
modules/ssl/ssl_engine_config.c
View File

@ -111,7 +111,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->ticket_key = NULL;
#endif
mctx->protocol = SSL_PROTOCOL_ALL;
mctx->protocol = SSL_PROTOCOL_DEFAULT;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@ -1343,7 +1343,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
}
}
else if (strcEQ(w, "SSLv3")) {
#ifdef OPENSSL_NO_SSL3
if (action != '-') {
return "SSLv3 not supported by this version of OpenSSL";
}
/* Nothing to do, the flag is not present to be toggled */
continue;
#else
thisopt = SSL_PROTOCOL_SSLV3;
#endif
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;

9
modules/ssl/ssl_engine_init.c
View File

@ -471,7 +471,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
}
cp = apr_pstrcat(p,
#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@ -483,12 +485,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ?
SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */
}
else if (protocol == SSL_PROTOCOL_TLSV1) {
else
#endif
if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ?
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
@ -519,9 +524,11 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
#ifndef OPENSSL_NO_SSL3
if (!(protocol & SSL_PROTOCOL_SSLV3)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
}
#endif
if (!(protocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);

2
modules/ssl/ssl_engine_io.c
View File

@ -1081,7 +1081,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
* IPv4 and IPv6 addresses are not permitted".)
*/
if (hostname_note &&
#ifndef OPENSSL_NO_SSL3
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
#endif
apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) {
if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {

17
modules/ssl/ssl_private.h
View File

@ -297,16 +297,27 @@ typedef int ssl_opt_t;
* Define the SSL Protocol options
*/
#define SSL_PROTOCOL_NONE (0)
#define SSL_PROTOCOL_SSLV2 (1<<0)
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_SSLV3 (1<<1)
#endif
#define SSL_PROTOCOL_TLSV1 (1<<2)
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#else
#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
#endif
#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
#else
#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
#endif
typedef int ssl_proto_t;

10
support/ab.c
View File

@ -1961,6 +1961,12 @@ static void usage(const char *progname)
#define SSL2_HELP_MSG ""
#endif
#ifndef OPENSSL_NO_SSL3
#define SSL3_HELP_MSG "SSL3, "
#else
#define SSL3_HELP_MSG ""
#endif
#ifdef HAVE_TLSV1_X
#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
#else
@ -1969,7 +1975,7 @@ static void usage(const char *progname)
fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
#endif
exit(EINVAL);
}
@ -2314,8 +2320,10 @@ int main(int argc, const char * const argv[])
} else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
meth = SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
} else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
meth = SSLv3_client_method();
#endif
#ifdef HAVE_TLSV1_X
} else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
meth = TLSv1_1_client_method();