Allow forced setting of TLS1.1 and TLS1.2 protocols with

author Rainer Jung <rjung@apache.org>

Tue, 12 Feb 2013 11:21:15 +0000 (11:21 +0000)

committer Rainer Jung <rjung@apache.org>

Tue, 12 Feb 2013 11:21:15 +0000 (11:21 +0000)
author Rainer Jung <rjung@apache.org>
Tue, 12 Feb 2013 11:21:15 +0000 (11:21 +0000)
committer Rainer Jung <rjung@apache.org>
Tue, 12 Feb 2013 11:21:15 +0000 (11:21 +0000)
diff --git a/CHANGES b/CHANGES

index c3afef9cac42b28cd356033aea97d643cd3d4a7d..cb817cc2ca182748e75d476492a83365bc04e9b8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.2.24
  
+  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+     to more accurately report the negotiated protocol. PR 53916.
+     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
    *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
       Response if they so choose to do so. Previously an attempt to cache a 206
       was arbitrarily allowed if the response contained an Expires or
diff --git a/STATUS b/STATUS

index 713a6b5aa7d8711c3238abebf48d5533c6daa887..9dcc3fe103b02cc06fe2371e3d8860db0b3147bd 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -106,12 +106,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
               https://issues.apache.org/bugzilla/show_bug.cgi?id=53134#c10
               by the patch author)
  
-   * ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
-     to more accurately report the negotiated protocol. PR 53916.
-     trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1395225
-     2.2.x patch: https://people.apache.org/~kbrand/ab-tlsv1_x-2.2.x.patch
-     +1: kbrand, covener, wrowe
-
     * modules/ldap/util_ldap.c: Correct erroneous messages
       PR: 53402
       trunk and 2.4.x: Erroneous message about LDAPSharedCacheSize
diff --git a/support/ab.c b/support/ab.c

index 3744864eaf7d0ce0f278f3978fa237c934f76c35..25fc0e03c39e6fea007065674a38702ce688aca0 100644 (file)
--- a/support/ab.c
+++ b/support/ab.c
@@ -200,6 +200,9 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
  #else
  #define AB_SSL_CIPHER_CONST
  #endif
+#ifdef SSL_OP_NO_TLSv1_2
+#define HAVE_TLSV1_X
+#endif
  #endif
  
  #include <math.h>
@@ -496,6 +499,8 @@ static int ssl_print_connection_info(BIO *bio, SSL *ssl)
      AB_SSL_CIPHER_CONST SSL_CIPHER *c;
      int alg_bits,bits;
  
+    BIO_printf(bio,"Transport Protocol      :%s\n", SSL_get_version(ssl));
+
      c = SSL_get_current_cipher(ssl);
      BIO_printf(bio,"Cipher Suite Protocol   :%s\n", SSL_CIPHER_get_version(c));
      BIO_printf(bio,"Cipher Suite Name       :%s\n",SSL_CIPHER_get_name(c));
@@ -593,7 +598,7 @@ static void ssl_proceed_handshake(struct connection *c)
  
                  ssl_info = malloc(128);
                  apr_snprintf(ssl_info, 128, "%s,%s,%d,%d",
-                             SSL_CIPHER_get_version(ci),
+                             SSL_get_version(c->ssl),
                               SSL_CIPHER_get_name(ci),
                               pk_bits, sk_bits);
              }
@@ -1875,12 +1880,22 @@ static void usage(const char *progname)
      fprintf(stderr, "    -r              Don't exit on socket receive errors.\n");
      fprintf(stderr, "    -h              Display usage information (this message)\n");
  #ifdef USE_SSL
-    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
+
  #ifndef OPENSSL_NO_SSL2
-    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol (SSL2, SSL3, TLS1, or ALL)\n");
+#define SSL2_HELP_MSG "SSL2, "
+#else
+#define SSL2_HELP_MSG ""
+#endif
+
+#ifdef HAVE_TLSV1_X
+#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
  #else
-    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol (SSL3, TLS1, or ALL)\n");
+#define TLS1_X_HELP_MSG ""
  #endif
+
+    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
+    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n"); 
+    fprintf(stderr, "                    (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
  #endif
      exit(EINVAL);
  }
@@ -2219,6 +2234,12 @@ int main(int argc, const char * const argv[])
  #endif
                  } else if (strncasecmp(optarg, "SSL3", 4) == 0) {
                      meth = SSLv3_client_method();
+#ifdef HAVE_TLSV1_X
+                } else if (strncasecmp(optarg, "TLS1.1", 6) == 0) {
+                    meth = TLSv1_1_client_method();
+                } else if (strncasecmp(optarg, "TLS1.2", 6) == 0) {
+                    meth = TLSv1_2_client_method();
+#endif
                  } else if (strncasecmp(optarg, "TLS1", 4) == 0) {
                      meth = TLSv1_client_method();
                  }
author	Rainer Jung <rjung@apache.org>
	Tue, 12 Feb 2013 11:21:15 +0000 (11:21 +0000)
committer	Rainer Jung <rjung@apache.org>
	Tue, 12 Feb 2013 11:21:15 +0000 (11:21 +0000)
CHANGES		patch \| blob \| blame \| history
STATUS		patch \| blob \| blame \| history
support/ab.c		patch \| blob \| blame \| history