git.ipfire.org Git - thirdparty/apache/httpd.git/commit

author	Stefan Eissing <icing@apache.org>
	Wed, 5 Sep 2018 11:28:15 +0000 (11:28 +0000)
committer	Stefan Eissing <icing@apache.org>
	Wed, 5 Sep 2018 11:28:15 +0000 (11:28 +0000)
commit	223f607038e242e8f80045d39a1f0d608de05d11
tree	906ddaef20bc006a51e68323bcb64f664c46692b	tree
parent	c1f9c42593bb5bf5be50bdd63f7fdfe13842c22f	commit \| diff

On the tlsv1.3-for-2.4.x branch:

Merged 1827912,1827924,1827992,1828222,1828720,1828723,1833588,1833589,1839920,1839946 from trunk

  *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9.
     SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
     Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
     Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
     as this would need to trigger the master connection thread - which we do not support
     right now.
     Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
     does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
     TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
     Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they
     can match their needs onto the TLSv1.3 protocol.
     [Yann Ylavic, Stefan Eissing]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840120 13f79535-47bb-0310-9956-ffa450edef68

CHANGES		diff \| blob \| blame \| history
docs/manual/mod/mod_ssl.xml		diff \| blob \| blame \| history
modules/ssl/mod_ssl.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_config.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_init.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_kernel.c		diff \| blob \| blame \| history
modules/ssl/ssl_private.h		diff \| blob \| blame \| history