From: Joe Orton Date: Tue, 15 Oct 2024 14:30:19 +0000 (+0000) Subject: mod_ssl: Disallow SSLOpenSSLConfCmd within vhost context since it X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbf57b8bef3b66f817144b655cac7ac3ca463deb;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: Disallow SSLOpenSSLConfCmd within vhost context since it has global effect. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd): Disallow use within vhost context. PR: 69397 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/changes-entries/pr69397.txt b/changes-entries/pr69397.txt new file mode 100644 index 00000000000..32ae57e1f2a --- /dev/null +++ b/changes-entries/pr69397.txt @@ -0,0 +1,2 @@ + *) mod_ssl: Disallow use of "SSLOpenSSLConfCmd" in + context. PR 69397. [Joe Orton] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index b28ec9df4b7..3bc2063da82 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2935,8 +2935,7 @@ forward secrecy.

SSLOpenSSLConfCmd Configure OpenSSL parameters through its SSL_CONF API SSLOpenSSLConfCmd command-name command-value -server config -virtual host +server config Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 43593d799c7..a9e98b9c5bf 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -2162,6 +2162,10 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *err; ssl_ctx_param_t *param; + if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + return err; + } + if (value_type == SSL_CONF_TYPE_UNKNOWN) { return apr_psprintf(cmd->pool, "'%s': invalid OpenSSL configuration command",