From: Rainer Jung Date: Sun, 19 Aug 2012 11:28:03 +0000 (+0000) Subject: Comment on TLSv1.1/.2 patch. X-Git-Tag: 2.2.23~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1456ec45a9d9f0801d18809e690581eafc2bf420;p=thirdparty%2Fapache%2Fhttpd.git Comment on TLSv1.1/.2 patch. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374734 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 867a0f19c6e..1fe5e8af713 100644 --- a/STATUS +++ b/STATUS @@ -174,6 +174,27 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: Minor (CTR) issues: - The "/* only SSLv2 is left */" comment is now obsolete. - Needs CHANGES entry. + rjung: Doesn't the following block in modules/ssl/ssl_engine_init.c + switch SSLv2 *OFF*, but now only if Apache is compiled with SSLv2: + +#ifndef OPENSSL_NO_SSL2 + if (!(protocol & SSL_PROTOCOL_SSLV2)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + } + +#endif + But OpenSSL itself might well have SSLv2 support, so we should add + (taken from 2.4.x): + +#ifndef OPENSSL_NO_SSL2 + if (!(protocol & SSL_PROTOCOL_SSLV2)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + } + +#else + /* always disable SSLv2, as per RFC 6176 */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + +#endif + When testing your patch after compiling with OPENSSL_NO_SSL2 in fact + I can make a SSLv2 connect after setting the SSLProtocol and + SSLCipherSuite directives both to "All" resp. "ALL". + Apart from that the patch looks good (I would vote +1 with this fixed). * mod_ssl: Add RFC 5878 support. This allows support of mechanisms such as Certificate Transparency. Note that new
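Review bot: in the proposed replacement block, the `#else` branch sets `SSL_OP_NO_SSLv2` unconditionally, so in a build where `OPENSSL_NO_SSL2` is defined the `SSLProtocol All` setting used in the test can no longer bring SSLv2 back; that is the intended effect (it matches the `/* always disable SSLv2, as per RFC 6176 */` comment), but the "Needs CHANGES entry" item in the same hunk should then state that SSLv2 is refused regardless of SSLProtocol in such builds, so administrators are not surprised by the change. The STATUS note would also be easier to act on if it recorded how the SSLv2 connection was verified (client used, and which OpenSSL build the server was compiled against and linked with), since the problem described only appears when the compile-time `OPENSSL_NO_SSL2` setting does not reflect what the OpenSSL library actually supports.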