Support compilation against libssl built with OPENSSL_NO_SSL3.
authorEric Covener <covener@apache.org>
Thu, 5 Jan 2017 18:57:49 +0000 (18:57 +0000)
committerEric Covener <covener@apache.org>
Thu, 5 Jan 2017 18:57:49 +0000 (18:57 +0000)
backport https://svn.apache.org/r1706008 from 2.4.x

Submitted by: kbrand
Reviewed by: ylavic, wrowe, covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1777494 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_private.h
support/ab.c

diff --git a/CHANGES b/CHANGES
index b14e61bfac0465839fffa4de54173ed11a5d9813..0516b34c13859fdbd434e32879487c1f31b8d833 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -39,6 +39,9 @@ Changes with Apache 2.2.32
   *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
      directives.  [Mike Rumph <mike.rumph oracle.com>]
 
+  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
+     [Kaspar Brand]
+
   *) core: Limit to ten the number of tolerated empty lines between request.
      [Yann Ylavic]
 
index 1cf69c1600f0a00e3ab36204c4aed883140d348c..997311200d66588d2676534c666c84d9335251d6 100644 (file)
@@ -151,10 +151,15 @@ static const command_rec ssl_config_cmds[] = {
 #else
 #define SSLv2_PROTO_PREFIX "SSLv2|"
 #endif
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
 #ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
 #else
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1"
 #endif
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols "
index 05d85114784ad5fe1b6d9aaac30322abdca526a9..4f7d01bb2cdfa727adb34e390a1ca85b868e6d52 100644 (file)
@@ -1362,7 +1362,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
 #endif
         }
         else if (strcEQ(w, "SSLv3")) {
+#ifdef OPENSSL_NO_SSL3
+            if (action != '-') {
+                return "SSLv3 not supported by this version of OpenSSL";
+            }
+            /* Nothing to do, the flag is not present to be toggled */
+            continue;
+#else
             thisopt = SSL_PROTOCOL_SSLV3;
+#endif
         }
         else if (strcEQ(w, "TLSv1")) {
             thisopt = SSL_PROTOCOL_TLSV1;
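Review bot: The `continue` on the `-SSLv3` path deliberately keeps existing hardened configurations such as `SSLProtocol all -SSLv3` loading against a libssl without SSLv3, while `SSLv3` or `+SSLv3` is rejected with an explicit error just above, but the comment only says the flag is absent and not why the minus form is tolerated. Make the intent explicit, e.g. `/* Tolerate "-SSLv3" so configs that disable it keep loading; enabling it was rejected above */`. The `continue` also skips whatever follows the if/else chain in the loop body (presumably where `thisopt` is applied to the mask), which is necessary here since `thisopt` is never assigned on this path; that code and the rest of ssl_cmd_protocol_parse are outside the hunk.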
index 854e6411722645dc762cb3c98c1f0cb43ac4e7c6..30cbc07f0ea68cc2204b6a2e1214571a097065ea 100644 (file)
@@ -354,7 +354,9 @@ static void ssl_init_ctx_protocol(server_rec *s,
 #ifndef OPENSSL_NO_SSL2
                      (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
 #endif
+#ifndef OPENSSL_NO_SSL3
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+#endif
                      (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
 #ifdef HAVE_TLSV1_X
                      (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -374,6 +376,20 @@ static void ssl_init_ctx_protocol(server_rec *s,
     }
     else
 #endif
+#ifndef OPENSSL_NO_SSL3
+    if (protocol == SSL_PROTOCOL_SSLV3) {
+        method = mctx->pkp ?
+            SSLv3_client_method() : /* proxy */
+            SSLv3_server_method();  /* server */
+    }
+    else
+#endif
+    if (protocol == SSL_PROTOCOL_TLSV1) {
+        method = mctx->pkp ?
+            TLSv1_client_method() : /* proxy */
+            TLSv1_server_method();  /* server */
+    }
+    else
 #ifdef HAVE_TLSV1_X
     if (protocol == SSL_PROTOCOL_TLSV1_1) {
         method = mctx->pkp ?
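Review bot: The new `protocol == SSL_PROTOCOL_TLSV1` branch pins a TLSv1-only configuration to the fixed-version `TLSv1_client_method()`/`TLSv1_server_method()`, which goes beyond the OPENSSL_NO_SSL3 support the title describes: with no removed lines in this hunk, such a value previously fell past the SSLv2 and TLSv1.1/1.2 branches to the fallback below the hunk (not visible here, presumably the version-flexible method with `SSL_OP_NO_*` masks applied later). That is a reasonable hardening, but nothing on the page records the rationale, so add a comment such as `/* Single-protocol config: pin the method so no other version can be negotiated */` above the SSLv3 branch, and mention the TLSv1 change in the commit message or CHANGES entry. ssl_init_ctx_protocol continues outside the hunk.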
@@ -404,9 +420,11 @@ static void ssl_init_ctx_protocol(server_rec *s,
     }
 #endif
 
+#ifndef OPENSSL_NO_SSL3
     if (!(protocol & SSL_PROTOCOL_SSLV3)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
     }
+#endif
 
     if (!(protocol & SSL_PROTOCOL_TLSV1)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
index 800f0f99185d3e147725fb6051b61778de31a0d7..d6016d32ecd08f4157ce9f746e2086df494434ce 100644 (file)
@@ -1083,7 +1083,9 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
          * protocol-wise).
          */
         if (hostname_note &&
+#ifndef OPENSSL_NO_SSL3
             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+#endif
             apr_ipsubnet_create(&ip, hostname_note, NULL,
                                 c->pool) != APR_SUCCESS) {
             if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
index ca115582389d262a7b22b68da50265117fe3687b..4e5f33e6c66cf6de9d20124a6c5d10367d0917de 100644 (file)
@@ -241,19 +241,24 @@ typedef int ssl_opt_t;
 #ifndef OPENSSL_NO_SSL2
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #endif
+#ifndef OPENSSL_NO_SSL3
 #define SSL_PROTOCOL_SSLV3 (1<<1)
+#endif
 #define SSL_PROTOCOL_TLSV1 (1<<2)
-#ifdef OPENSSL_NO_SSL2
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#elif !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
 #else
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
 #endif
 #ifdef HAVE_TLSV1_X
 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_BASIC| \
+                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
 #else
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_BASIC)
 #endif
 typedef int ssl_proto_t;
 
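Review bot: The three `SSL_PROTOCOL_BASIC` expansions are bare `|` chains with no enclosing parentheses, so any use other than the already-parenthesized `SSL_PROTOCOL_ALL` (for example `x & SSL_PROTOCOL_BASIC` or `x == SSL_PROTOCOL_BASIC`) would bind incorrectly; `SSL_MOST_ALL` had the same shape, but since these lines are being rewritten anyway, wrap them: `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)`, `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)` and `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)`. Leaving `SSL_PROTOCOL_SSLV3` undefined under OPENSSL_NO_SSL3 rather than defining it as 0 is the right call: any remaining unconditional reference fails to compile instead of silently becoming a no-op mask, which is what the `#ifndef OPENSSL_NO_SSL3` guards added in ssl_engine_init.c and ssl_engine_io.c depend on. A one-line comment at the `#ifndef` saying so would stop a later maintainer from "fixing" the build by defining it to 0.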
index c9d4cb306db15b5a303c33d75f3961ed85c78a45..2ba9600b063df889590f60e28a7997326045a4e4 100644 (file)
@@ -1895,6 +1895,12 @@ static void usage(const char *progname)
 #define SSL2_HELP_MSG ""
 #endif
 
+#ifndef OPENSSL_NO_SSL3
+#define SSL3_HELP_MSG "SSL3, "
+#else
+#define SSL3_HELP_MSG ""
+#endif
+
 #ifdef HAVE_TLSV1_X
 #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
 #else
@@ -1903,7 +1909,7 @@ static void usage(const char *progname)
 
     fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
     fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n"); 
-    fprintf(stderr, "                    (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
+    fprintf(stderr, "                    (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
 #endif
     exit(EINVAL);
 }
@@ -2240,8 +2246,10 @@ int main(int argc, const char * const argv[])
                 } else if (strncasecmp(optarg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
 #endif
+#ifndef OPENSSL_NO_SSL3
                 } else if (strncasecmp(optarg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
+#endif
 #ifdef HAVE_TLSV1_X
                 } else if (strncasecmp(optarg, "TLS1.1", 6) == 0) {
                     meth = TLSv1_1_client_method();
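Review bot: With the `SSL3` branch compiled out, `ab -f SSL3` no longer matches anything in this chain and falls through to whatever the final branch does, which is outside the hunk; confirm that path reports an unknown protocol rather than silently selecting a different method, so a user who asked for SSL3 is told it is unavailable (the mod_ssl config parser in this same commit returns an explicit error for the analogous case). The `#ifndef`/`#endif` placement around the `} else if` line mirrors the existing OPENSSL_NO_SSL2 block above it, so the brace pairing stays valid for every combination of the two macros. The body of main continues outside the hunk.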