https://bugzilla.redhat.com/show_bug.cgi?id=1623165
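--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.enable-sslv3
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -1474,6 +1474,10 @@
 #endif
 else if (strcEQ(w, "all")) {
 thisopt = SSL_PROTOCOL_ALL;
+#ifndef OPENSSL_NO_SSL3
+ /* by default, ALL kw doesn't turn on SSLv3 */
+ thisopt &= ~SSL_PROTOCOL_SSLV3;
+#endif
 }
 else {
 return apr_pstrcat(parms->temp_pool,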
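Review bot: The comment on the new `#ifndef OPENSSL_NO_SSL3` block should record that this is a deliberate deviation from the upstream meaning of the `all` keyword, because an administrator reading `SSLProtocol all` would otherwise expect every compiled-in protocol to be enabled; something like `/* Deviation from upstream: 'all' deliberately excludes SSLv3; it must be requested explicitly (e.g. +SSLv3) */`. Whether an explicit `+SSLv3` token still enables the protocol is decided by code outside this hunk, so the comment should not promise more than the keyword handling shown here. The enclosing `SSLProtocol` parsing function starts and ends outside this hunk.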
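--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.enable-sslv3
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
@@ -537,6 +537,28 @@
 }
 #endif
 
+/*
+ * Enable/disable SSLProtocol. If the mod_ssl enables protocol
+ * which is disabled by default by OpenSSL, show a warning.
+ * "option" is for example SSL_OP_NO_SSLv3.
+ */
+static void ssl_set_ctx_protocol_option(server_rec *s,
+ SSL_CTX *ctx,
+ long option,
+ int enabled,
+ const char *name)
+{
+ if (!enabled) {
+ SSL_CTX_set_options(ctx, option);
+ }
+ else if (SSL_CTX_get_options(ctx) & option) {
+ SSL_CTX_clear_options(ctx, option);
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)
+ "Allowing SSLProtocol %s even though it is disabled "
+ "by OpenSSL by default on this system", name);
+ }
+}
+
 static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 apr_pool_t *p,
 apr_pool_t *ptemp,
@@ -687,9 +709,13 @@
 }
 if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
 prot = TLS1_VERSION;
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
+ protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
 }
 #ifndef OPENSSL_NO_SSL3
 if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
+ protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
 prot = SSL3_VERSION;
 }
 #endif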
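Review bot: At both new call sites in the second hunk the enclosing `if` already requires the same `SSL_PROTOCOL_TLSV1` / `SSL_PROTOCOL_SSLV3` bit that is passed as `enabled`, so `enabled` is always non-zero here and the helper's `if (!enabled) SSL_CTX_set_options(ctx, option);` branch can never run from this hunk; either drop the parameter and the branch, or add a comment on the helper stating that the disable path is intended for other callers. The two branches also order the call differently (after `prot = TLS1_VERSION;` for TLSv1, before `prot = SSL3_VERSION;` for SSLv3); calling the helper first in both, e.g. moving `prot = TLS1_VERSION;` below the TLSv1 call, makes the intent easier to audit. Note that the warning fires only when the protocol was disabled by an `SSL_OP_NO_*` option already present on the context, so if the platform disables SSLv3 by some other mechanism this re-enable would presumably be silent; the helper's comment should say the check is option-based only. `ssl_init_ctx_protocol` begins and ends outside this hunk, so the later use of `prot` cannot be reviewed here.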