From 86433978a1e5820ebe5ece19a64cebf77053910b Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@redhat.com>
Date: Sep 21 2018 12:07:38 +0000
Subject: mod_ssl: follow OpenSSL protocol defaults if SSLProtocol

  is not configured (Rob Crittenden, #1618371)
Resolves: rhbz#1618371

---

diff --git a/httpd-2.4.34-sslprotdefault.patch b/httpd-2.4.34-sslprotdefault.patch
new file mode 100644
index 0000000..65f8d40
--- /dev/null
+++ b/httpd-2.4.34-sslprotdefault.patch
@@ -0,0 +1,53 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1618371 
+
+--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault
++++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
+@@ -119,7 +119,7 @@
+     mctx->ticket_key          = NULL;
+ #endif
+ 
+-    mctx->protocol            = SSL_PROTOCOL_DEFAULT;
++    mctx->protocol            = SSL_PROTOCOL_NONE;
+     mctx->protocol_set        = 0;
+ 
+     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
+--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault
++++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
+@@ -555,9 +555,8 @@
+      *  Create the new per-server SSL context
+      */
+     if (protocol == SSL_PROTOCOL_NONE) {
+-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
+-                "No SSL protocols available [hint: SSLProtocol]");
+-        return ssl_die(s);
++        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, 
++                     "Using OpenSSL/system default SSL/TLS protocols");
+     }
+ 
+     cp = apr_pstrcat(p,
+@@ -673,14 +672,8 @@
+     } else if (protocol & SSL_PROTOCOL_SSLV3) {
+         prot = SSL3_VERSION;
+ #endif
+-    } else {
+-        SSL_CTX_free(ctx);
+-        mctx->ssl_ctx = NULL;
+-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
+-                "No SSL protocols available [hint: SSLProtocol]");
+-        return ssl_die(s);
+     }
+-    SSL_CTX_set_max_proto_version(ctx, prot);
++    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
+ 
+     /* Next we scan for the minimal protocol version we should provide,
+      * but we do not allow holes between max and min */
+@@ -700,7 +693,7 @@
+         prot = SSL3_VERSION;
+     }
+ #endif
+-    SSL_CTX_set_min_proto_version(ctx, prot);
++    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
+ #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
diff --git a/httpd.spec b/httpd.spec
index 6640f65..7b97a69 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -76,6 +76,7 @@ Patch34: httpd-2.4.17-socket-activation.patch
 Patch36: httpd-2.4.33-r1830819+.patch
 Patch37: httpd-2.4.34-r1827912+.patch
 Patch38: httpd-2.4.34-sslciphdefault.patch
+Patch39: httpd-2.4.34-sslprotdefault.patch
 
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@@ -238,6 +239,7 @@ interface for storing and accessing per-user session data.
 %patch36 -p1 -b .r1830819+
 %patch37 -p1 -b .r1827912+
 %patch38 -p1 -b .sslciphdefault
+%patch39 -p1 -b .sslprotdefault
 
 %patch58 -p1 -b .r1738878
 %patch59 -p1 -b .r1555631
@@ -729,6 +731,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri Sep 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-7
+- mod_ssl: follow OpenSSL protocol defaults if SSLProtocol
+  is not configured (Rob Crittenden, #1618371)
+
 * Tue Sep 18 2018 Joe Orton <jorton@redhat.com> - 2.4.34-6
 - mod_ssl: more TLSv1.3 fixes (#1619389)