Allow forced setting of TLS1.1 and TLS1.2 protocols with (1ffd51b2) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

CHANGES

+4 −0

Original line number	Diff line number	Diff line
		-- coding: utf-8 --
		Changes with Apache 2.2.24

		*) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
		to more accurately report the negotiated protocol. PR 53916.
		[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

		*) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
		Response if they so choose to do so. Previously an attempt to cache a 206
		was arbitrarily allowed if the response contained an Expires or

STATUS

+0 −6

Original line number	Diff line number	Diff line
		@@ -106,12 +106,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
		https://issues.apache.org/bugzilla/show_bug.cgi?id=53134#c10
		by the patch author)

		* ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
		to more accurately report the negotiated protocol. PR 53916.
		trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1395225
		2.2.x patch: https://people.apache.org/~kbrand/ab-tlsv1_x-2.2.x.patch
		+1: kbrand, covener, wrowe

		* modules/ldap/util_ldap.c: Correct erroneous messages
		PR: 53402
		trunk and 2.4.x: Erroneous message about LDAPSharedCacheSize

support/ab.c

+25 −4

Original line number	Diff line number	Diff line
		@@ -200,6 +200,9 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
		#else
		#define AB_SSL_CIPHER_CONST
		#endif
		#ifdef SSL_OP_NO_TLSv1_2
		#define HAVE_TLSV1_X
		#endif
		#endif

		#include <math.h>
		@@ -496,6 +499,8 @@ static int ssl_print_connection_info(BIO bio, SSL ssl)
		AB_SSL_CIPHER_CONST SSL_CIPHER *c;
		int alg_bits,bits;

		BIO_printf(bio,"Transport Protocol :%s\n", SSL_get_version(ssl));

		c = SSL_get_current_cipher(ssl);
		BIO_printf(bio,"Cipher Suite Protocol :%s\n", SSL_CIPHER_get_version(c));
		BIO_printf(bio,"Cipher Suite Name :%s\n",SSL_CIPHER_get_name(c));
		@@ -593,7 +598,7 @@ static void ssl_proceed_handshake(struct connection *c)

		ssl_info = malloc(128);
		apr_snprintf(ssl_info, 128, "%s,%s,%d,%d",
		SSL_CIPHER_get_version(ci),
		SSL_get_version(c->ssl),
		SSL_CIPHER_get_name(ci),
		pk_bits, sk_bits);
		}
		@@ -1875,12 +1880,22 @@ static void usage(const char *progname)
		fprintf(stderr, " -r Don't exit on socket receive errors.\n");
		fprintf(stderr, " -h Display usage information (this message)\n");
		#ifdef USE_SSL
		fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");

		#ifndef OPENSSL_NO_SSL2
		fprintf(stderr, " -f protocol Specify SSL/TLS protocol (SSL2, SSL3, TLS1, or ALL)\n");
		#define SSL2_HELP_MSG "SSL2, "
		#else
		#define SSL2_HELP_MSG ""
		#endif

		#ifdef HAVE_TLSV1_X
		#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
		#else
		fprintf(stderr, " -f protocol Specify SSL/TLS protocol (SSL3, TLS1, or ALL)\n");
		#define TLS1_X_HELP_MSG ""
		#endif

		fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
		fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
		fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
		#endif
		exit(EINVAL);
		}
		@@ -2219,6 +2234,12 @@ int main(int argc, const char * const argv[])
		#endif
		} else if (strncasecmp(optarg, "SSL3", 4) == 0) {
		meth = SSLv3_client_method();
		#ifdef HAVE_TLSV1_X
		} else if (strncasecmp(optarg, "TLS1.1", 6) == 0) {
		meth = TLSv1_1_client_method();
		} else if (strncasecmp(optarg, "TLS1.2", 6) == 0) {
		meth = TLSv1_2_client_method();
		#endif
		} else if (strncasecmp(optarg, "TLS1", 4) == 0) {
		meth = TLSv1_client_method();
		}

Admin message