Commit c68dec81 authored by Eric Covener's avatar Eric Covener

Support compilation against libssl built with OPENSSL_NO_SSL3.

backport https://svn.apache.org/r1706008 from 2.4.x

Submitted by: kbrand
Reviewed by: ylavic, wrowe, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1777494 13f79535-47bb-0310-9956-ffa450edef68
parent e4aa0108
+3 −0
@@ -39,6 +39,9 @@ Changes with Apache 2.2.32
  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
     directives.  [Mike Rumph <mike.rumph oracle.com>]

  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
     [Kaspar Brand]

  *) core: Limit to ten the number of tolerated empty lines between request.
     [Yann Ylavic]

+7 −2
@@ -151,10 +151,15 @@ static const command_rec ssl_config_cmds[] = {
#else
#define SSLv2_PROTO_PREFIX "SSLv2|"
#endif
#ifdef OPENSSL_NO_SSL3
#define SSLv3_PROTO_PREFIX ""
#else
#define SSLv3_PROTO_PREFIX "SSLv3|"
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
#else
#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1"
#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1"
#endif
    SSL_CMD_SRV(Protocol, RAW_ARGS,
                "Enable or disable various SSL protocols "
+8 −0
@@ -1362,7 +1362,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
#endif
        }
        else if (strcEQ(w, "SSLv3")) {
#ifdef OPENSSL_NO_SSL3
            if (action != '-') {
                return "SSLv3 not supported by this version of OpenSSL";
            }
            /* Nothing to do, the flag is not present to be toggled */
            continue;
#else
            thisopt = SSL_PROTOCOL_SSLV3;
#endif
        }
        else if (strcEQ(w, "TLSv1")) {
            thisopt = SSL_PROTOCOL_TLSV1;
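Review bot: The new `OPENSSL_NO_SSL3` arm rejects `+SSLv3`/`SSLv3` at parse time and silently accepts `-SSLv3`, but whether `SSLProtocol all` can still leave an SSLv3 bit set in the parsed value depends on how `SSL_PROTOCOL_ALL` is defined, which is outside this commit's visible hunks; if that macro still includes `SSL_PROTOCOL_SSLV3` under `OPENSSL_NO_SSL3`, the `all` branch should mask it (`thisopt = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3;` under the same guard) or a comment should say why the stale bit is harmless. The `continue` on the `-SSLv3` path is correct only because this body is the word loop of ssl_cmd_protocol_parse, whose start and end lie outside the hunk. A short comment on the accepted `-SSLv3` case would also help, e.g. `/* keep "-SSLv3" working so existing hardened configs load unchanged */`.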
+18 −0
@@ -354,7 +354,9 @@ static void ssl_init_ctx_protocol(server_rec *s,
#ifndef OPENSSL_NO_SSL2
                     (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
#endif
#ifndef OPENSSL_NO_SSL3
                     (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif
                     (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
                     (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -374,6 +376,20 @@ static void ssl_init_ctx_protocol(server_rec *s,
    }
    else
#endif
#ifndef OPENSSL_NO_SSL3
    if (protocol == SSL_PROTOCOL_SSLV3) {
        method = mctx->pkp ?
            SSLv3_client_method() : /* proxy */
            SSLv3_server_method();  /* server */
    }
    else
#endif
    if (protocol == SSL_PROTOCOL_TLSV1) {
        method = mctx->pkp ?
            TLSv1_client_method() : /* proxy */
            TLSv1_server_method();  /* server */
    }
    else
#ifdef HAVE_TLSV1_X
    if (protocol == SSL_PROTOCOL_TLSV1_1) {
        method = mctx->pkp ?
@@ -404,9 +420,11 @@ static void ssl_init_ctx_protocol(server_rec *s,
    }
#endif

#ifndef OPENSSL_NO_SSL3
    if (!(protocol & SSL_PROTOCOL_SSLV3)) {
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
    }
#endif

    if (!(protocol & SSL_PROTOCOL_TLSV1)) {
        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
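Review bot: The if/else ladder in the second hunk (the `#ifndef OPENSSL_NO_SSL3` arm ending in a bare `else` before `#endif`) only stays well-formed because every guarded arm is written with its trailing `else` inside the guard, so that when the arm is compiled out the preceding `else` attaches directly to the next `if`; this is the same pattern the existing SSLv2 arm uses, but nothing in the code says so. A one-line comment above the first guarded arm, `/* each #if-guarded arm must end in a bare "else" so the ladder stays valid when the arm is compiled out */`, would stop a future edit from breaking it. The first hunk likewise drops an argument from a call whose head is outside the hunk; that is safe only if the call is a NULL-terminated variadic concatenation rather than a fixed-`%s` format, which the existing SSLv2 guard suggests but the hunk cannot confirm. ssl_init_ctx_protocol begins and ends outside these hunks.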
+2 −0
@@ -1083,7 +1083,9 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
         * protocol-wise).
         */
        if (hostname_note &&
#ifndef OPENSSL_NO_SSL3
            sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
#endif
            apr_ipsubnet_create(&ip, hostname_note, NULL,
                                c->pool) != APR_SUCCESS) {
            if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
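Review bot: Compiling out `sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&` is sound only because the directive parser in this same commit rejects `SSLv3` when `OPENSSL_NO_SSL3` is set, so the proxy protocol can never be SSLv3 in that build; the comment above the `if` (which ends with "protocol-wise") should record that dependency, e.g. `/* under OPENSSL_NO_SSL3 the SSLv3 check is omitted: the config parser refuses SSLv3 for the proxy */`. Note that the condition also relies on the guarded line carrying its own trailing `&&`, so the `if` stays well-formed either way. ssl_io_filter_connect begins and ends outside the hunk.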