From: Joe Orton
Date: Wed, 9 Apr 2025 08:01:24 +0000 (+0000)
Subject: mod_ssl: Check the SSLProtocol directive when loading the configuration
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6cfbfa30d81bcfc9979fd5b49c0f0f8b5fe86a7;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl: Check the SSLProtocol directive when loading the configuration

Previously, the SSLProtocol directive was checked at runtime. Apache quit if the directive contained an invalid combination of protocols, and logged the message "AH02231: No SSL protocols available [hint: SSLProtocol]".

With this change, most invalid SSLProtocol directives are detected when checking the configuration, e.g. with "httpd -t -f httpd.conf".

Examples of invalid protocol combinations that are caught:

* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"

Submitted by: Michael Kaufmann
Github: closes #523

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68

---

diff --git a/changes-entries/ssl-check-protoconf.txt b/changes-entries/ssl-check-protoconf.txt new file mode 100644 index 0000000000..7c125f8bf0 --- /dev/null +++ b/changes-entries/ssl-check-protoconf.txt @@ -0,0 +1,3 @@ + *) mod_ssl: Fail when parsing SSLProtocol if the configuration + would prevent use of all protocols. + [Michael Kaufmann ] diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 43593d799c..40f0cfd488 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -1610,6 +1610,11 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms, } } + if (*options == SSL_PROTOCOL_NONE) { + return "SSLProtocol: No SSL protocols available"; + } + + return NULL; }
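Review bot: The CHANGES entry in changes-entries/ssl-check-protoconf.txt overstates the scope: it promises a failure whenever "the configuration would prevent use of all protocols", but the commit message itself says only "most" invalid directives are caught, and the check added in ssl_cmd_protocol_parse looks at the parsed value of one directive, so it cannot see a protocol set that is only emptied by combining directives across contexts. Suggest wording the entry to match what is actually checked, e.g. "Fail when parsing an SSLProtocol directive whose value leaves no protocol enabled."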
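Review bot: In the ssl_engine_config.c hunk, the new error string "SSLProtocol: No SSL protocols available" hardcodes the directive name and drops the AH02231 identifier and "[hint: SSLProtocol]" text that the runtime message carried, which breaks existing log and documentation searches for that identifier. If ssl_cmd_protocol_parse is also used for a proxy variant of the directive, the hardcoded prefix would mislabel that directive as well; building the message from parms->cmd->name (cmd_parms is already in the signature) and keeping a reference to AH02231 in the text would address both. Otherwise the change is sound: returning a non-NULL const char* from the directive parser is the standard way to make httpd -t reject the configuration, and the three examples in the commit message all reduce *options to SSL_PROTOCOL_NONE before this check runs.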