Minor (CTR) issues:
- The "/* only SSLv2 is left */" comment is now obsolete.
- Needs CHANGES entry.
+ rjung: Doesn't the following block in modules/ssl/ssl_engine_init.c
+ switch SSLv2 *OFF*, but now only if Apache is compiled with SSLv2:
+ +#ifndef OPENSSL_NO_SSL2
+ if (!(protocol & SSL_PROTOCOL_SSLV2)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ }
+ +#endif
+ But OpenSSL itself might well have SSLv2 support, so we should add
+ (taken from 2.4.x):
+ +#ifndef OPENSSL_NO_SSL2
+ if (!(protocol & SSL_PROTOCOL_SSLV2)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ }
+ +#else
+ /* always disable SSLv2, as per RFC 6176 */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ +#endif
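Review bot: in the #else branch `protocol` is no longer consulted, so an explicit `+SSLv2` in SSLProtocol is silently ignored rather than rejected or logged; consider a config-time warning when SSLv2 is requested but the build cannot honour it. It is also worth confirming against the target OpenSSL headers that SSL_OP_NO_SSLv2 remains defined when OPENSSL_NO_SSL2 is set, since the #else branch depends on it.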
+ When testing your patch after compiling with OPENSSL_NO_SSL2, in fact
+ I can make an SSLv2 connect after setting the SSLProtocol and
+ SSLCipherSuite directives both to "All" resp. "ALL".
+ Apart from that the patch looks good (I would vote +1 with this fixed).
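To make the point above concrete, here is an added example (not httpd's or OpenSSL's code) that mirrors the protocol-to-context-options logic in plain C. The flag and option bit values are constructed stand-ins, and it assumes, as the discussion implies, that the patch removed SSLv2 from "all".

```c
#include <string.h>
#include <strings.h>
/* Constructed mirror of mod_ssl's protocol flags. As the patch under
 * discussion implies, "all" is assumed to no longer include SSLv2. */
#define SSL_PROTOCOL_SSLV2 (1u << 0)
#define SSL_PROTOCOL_SSLV3 (1u << 1)
#define SSL_PROTOCOL_TLSV1 (1u << 2)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1)
/* Stand-ins for the OpenSSL SSL_OP_NO_* bits (constructed values). */
#define OP_NO_SSLv2 0x01000000UL
#define OP_NO_SSLv3 0x02000000UL
#define OP_NO_TLSv1 0x04000000UL

/* Parse an SSLProtocol-style argument list ("all -SSLv3", "+TLSv1"). */
unsigned parse_protocols(const char *directive) {
    char buf[128]; unsigned mask = 0;
    strncpy(buf, directive, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int add = 1; unsigned bit;
        if (*tok == '+') tok++;
        else if (*tok == '-') { add = 0; tok++; }
        if (!strcasecmp(tok, "all"))        bit = SSL_PROTOCOL_ALL;
        else if (!strcasecmp(tok, "SSLv2")) bit = SSL_PROTOCOL_SSLV2;
        else if (!strcasecmp(tok, "SSLv3")) bit = SSL_PROTOCOL_SSLV3;
        else if (!strcasecmp(tok, "TLSv1")) bit = SSL_PROTOCOL_TLSV1;
        else continue;                      /* unknown token: ignored */
        mask = add ? (mask | bit) : (mask & ~bit);
    }
    return mask;
}

/* What rjung observed: with httpd built under OPENSSL_NO_SSL2 the SSLv2
 * check is compiled out, so nothing sets OP_NO_SSLv2 on the context. */
unsigned long ctx_options_before(unsigned protocol, int httpd_built_without_ssl2) {
    unsigned long opts = 0;
    if (!httpd_built_without_ssl2 && !(protocol & SSL_PROTOCOL_SSLV2))
        opts |= OP_NO_SSLv2;
    if (!(protocol & SSL_PROTOCOL_SSLV3)) opts |= OP_NO_SSLv3;
    if (!(protocol & SSL_PROTOCOL_TLSV1)) opts |= OP_NO_TLSv1;
    return opts;
}

/* The proposed #else branch: SSLv2 is refused unconditionally (RFC 6176),
 * so neither the build configuration nor the directive can re-enable it. */
unsigned long ctx_options_fixed(unsigned protocol) {
    return ctx_options_before(protocol, 0) | OP_NO_SSLv2;
}
int sslv2_allowed(unsigned long opts) { return !(opts & OP_NO_SSLv2); }
```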
* mod_ssl: Add RFC 5878 support. This allows support of mechanisms
such as Certificate Transparency. Note that new