On the trunk:
authorStefan Eissing <icing@apache.org>
Tue, 3 Apr 2018 12:19:28 +0000 (12:19 +0000)
committerStefan Eissing <icing@apache.org>
Tue, 3 Apr 2018 12:19:28 +0000 (12:19 +0000)
mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
     [Bernard Spil <brnrd@freebsd.org>]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828222 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/md/md_crypt.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_private.h

diff --git a/CHANGES b/CHANGES
index a8b0ec17f26f42cfe5b773f650e43b5e445e673a..9bc8534427db745b92c09dd26af1c94b3b540c6e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
+     [Bernard Spil <brnrd@freebsd.org>]
+  
   *) mod_http2: on level trace2, log any unsuccessful HTTP/2 direct connection upgrade
      with base64 encoding to unify its appearance in possible bug reports. [Stefan Eissing]
 
index 3651256cf0380448345626900ec7a30ae85c7fa6..fac6239cab2e2b88eb86b45cf5861e2de1d73a94 100644 (file)
@@ -471,7 +471,7 @@ apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec)
     }
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
 
 #ifndef NID_tlsfeature
 #define NID_tlsfeature          1020
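Review bot: The new LibreSSL cutoff `0x2070000f` on the `#if` line is a bare magic number; nothing says what changes at 2.7, so a reader cannot tell whether the fallback `NID_tlsfeature` definitions below are merely redundant on newer LibreSSL or would actually conflict with the library's own names. The commit message ties this to PR 62236 and LibreSSL 2.7/2.8 gaining the OpenSSL 1.1 API, so presumably 2.7 is the first release that ships these names natively; I would say so on the line: `/* LibreSSL >= 2.7 is expected to provide the OpenSSL 1.1 names below (PR 62236) */`. The same literal appears in ssl_private.h while ssl_engine_init.c uses `0x20800000L`; if the two cutoffs are deliberate, a comment at each stops the next reader from suspecting a typo. The `#if` block opened here continues past the hunk.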
index 5e7c165e1e26d98eefe5fd2ebd57fc958d9b9bf7..a7f481697ef173f17a391c22ea0dc0ec424ffc41 100644 (file)
@@ -407,7 +407,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
     /* We must register the library in full, to ensure our configuration
      * code can successfully test the SSL environment.
      */
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
     (void)CRYPTO_malloc_init();
 #else
     OPENSSL_malloc_init();
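Review bot: The widened guard `#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)` sends every LibreSSL version, including the 2.7+ builds that the rest of this commit treats as OpenSSL 1.1 compatible, down the `CRYPTO_malloc_init()` path, and the hunk gives no reason. Presumably LibreSSL still lacks `OPENSSL_malloc_init()` even at 2.7; if that is the case, record it so the term is not "cleaned up" later: `/* LibreSSL (any version) offers only the legacy CRYPTO_malloc_init() */`. If it is not the case, the added `defined(LIBRESSL_VERSION_NUMBER)` term is redundant with the macro already derived in ssl_private.h and should be dropped. ssl_hook_pre_config continues outside the hunk.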
index dd9036c18d8b1853b1fabfe683f058702dcc2b88..9dcfa42fbd1450840e248b6e036d139884bc371a 100644 (file)
@@ -542,7 +542,8 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
 /*
  * Enable/disable SSLProtocol. If the mod_ssl enables protocol
  * which is disabled by default by OpenSSL, show a warning.
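Review bot: This guard selects the legacy SSLProtocol handling with a LibreSSL cutoff of `0x20800000L`, whereas md_crypt.c and ssl_private.h in the same commit use `0x2070000f`; the same condition is repeated verbatim in the hunk at `@@ -660,7 +661,8 @@`, where it also carries a stray double space in `0x10100000L  || \`. Because this condition decides which code path enables and disables protocol versions, a mismatch between the two cutoffs would silently change the effective TLS version policy on LibreSSL 2.7, so the constant deserves one named definition rather than two copies. I would define the condition once in ssl_private.h next to `MODSSL_USE_OPENSSL_PRE_1_1_API`, following its existing `#if defined(LIBRESSL_VERSION_NUMBER)` / `#else` shape (a name such as `MODSSL_USE_LEGACY_PROTO_API`, set from `LIBRESSL_VERSION_NUMBER < 0x20800000L` on the LibreSSL branch and `OPENSSL_VERSION_NUMBER < 0x10100000L` otherwise), and reduce both hunks to `#if MODSSL_USE_LEGACY_PROTO_API`. If the 2.8 cutoff is intentional, as the commit title's "2.07/8" suggests, a one-line comment at that definition explaining why 2.7 still needs the legacy branch is worth adding. The block opened by this `#if` and ssl_init_ctx_protocol both continue outside the hunk.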
@@ -660,7 +661,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 
     SSL_CTX_set_options(ctx, SSL_OP_ALL);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L  || \
+       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 
index cf5025788b3c41b05677aab6dfe0047e7c1ed6eb..c8f8c549f7f44eb9cc0f0e20dc1d15a9af54bf7e 100644 (file)
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
 #define SSL_CTX_set_max_proto_version(ctx, version) \
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-#endif
-/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
- * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
- * we have to work around this...
+#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
+/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
+ * include most changes from OpenSSL >= 1.1 (new functions, macros, 
+ * deprecations, ...), so we have to work around this...
  */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
-#else
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif
 
@@ -238,7 +239,8 @@ void init_bio_methods(void);
 void free_bio_methods(void);
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
+       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
 #define X509_STORE_CTX_get0_store(x) (x->ctx)
 #endif
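Review bot: The fallback `#define X509_STORE_CTX_get0_store(x) (x->ctx)` that this narrowed guard now keeps for OpenSSL < 1.0.2 and LibreSSL < 2.7 does not parenthesize its argument, so an expression argument would bind wrongly; the conventional form is `#define X509_STORE_CTX_get0_store(x) ((x)->ctx)`. The new condition also implies that LibreSSL 2.7 provides the real accessor, but nothing in the hunk says so; a short comment on the `#if` line, `/* LibreSSL >= 2.7 is expected to provide X509_STORE_CTX_get0_store() itself */`, would document the assumption behind the cutoff. The literal `0x2070000f` here matches md_crypt.c but not the `0x20800000L` used in ssl_engine_init.c, which is worth a word if the difference is intended.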