r1653997 | ylavic | 2015-01-22 19:37:06 +0100 (Thu, 22 Jan 2015) | 7 lines
mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic
Reviewed by: ylavic, wrowe, rjung
Backported by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680917 13f79535-47bb-0310-9956-ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.30
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
+
*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
ylavic: trunk/2.4.x not concerned, 2.2.x only.
+1: ylavic, jkaluza, wrowe
- * mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. PR 57100.
- trunk patch: http://svn.apache.org/r1653997
- 2.4.x patch: merged in http://svn.apache.org/r1663258
- 2.2.x patch: trunk works (modulo CHANGES)
- +1: ylavic, wrowe, rjung
- wrowe: good to fix inheritence. Unsure why ALL is the default on all
- branches, I was sure it wasn't, but if we subvert ALL later, we
- have done something odd. No impact on the validity of this patch.
-
* mod_ssl: Propose a more modern Cipher and Protocol list, honor server cipher
priority and add explanations relative to RFC 7525 guidance.
http://svn.apache.org/r1679428
#endif
mctx->protocol = SSL_PROTOCOL_ALL;
+ mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
mctx->pphrase_dialog_path = NULL;
modssl_ctx_t *add,
modssl_ctx_t *mrg)
{
- cfgMerge(protocol, SSL_PROTOCOL_ALL);
+ if (add->protocol_set) {
+ mrg->protocol = add->protocol;
+ }
+ else {
+ mrg->protocol = base->protocol;
+ }
cfgMerge(pphrase_dialog_type, SSL_PPTYPE_UNSET);
cfgMergeString(pphrase_dialog_path);
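Review bot: the new if/else assigns only mrg->protocol and never mrg->protocol_set, so the merged context keeps whatever flag value it was created with. If a merged context is later used as the `add` side of another merge, or anything else consults protocol_set on it, an explicitly configured SSLProtocol would look unset and base's value would win. Suggest carrying the flag along: mrg->protocol_set = 1 in the first branch and mrg->protocol_set = base->protocol_set in the else branch. A short comment on why cfgMerge cannot be used here would also help the next reader: SSL_PROTOCOL_ALL is both the initial value and a value an administrator can set explicitly, so it cannot serve as the "unset" sentinel.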
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->protocol_set = 1;
return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol);
}
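Review bot: sc->server->protocol_set = 1 is assigned before ssl_cmd_protocol_parse() runs, so the flag stays set even when the parser rejects the argument and returns an error. Suggest keeping the parser's return value in a local, setting protocol_set only when parsing succeeded, and then returning that value, so the flag never claims an explicit protocol that was not actually parsed.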
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->proxy->protocol_set = 1;
return ssl_cmd_protocol_parse(cmd, arg, &sc->proxy->protocol);
}
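Review bot: this handler repeats the server handler's set-flag-then-parse pair with only sc->proxy swapped in, which leaves two places where the flag and the value can drift apart. Consider a small static helper that takes the modssl_ctx_t pointer, calls ssl_cmd_protocol_parse() on its protocol field and sets protocol_set in one place, and have both directive handlers call it.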
#endif
ssl_proto_t protocol;
+ int protocol_set;
/** config for handling encrypted keys */
ssl_pphrase_t pphrase_dialog_type;
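Review bot: the new `int protocol_set;` member has no comment, while the field group right below it is documented. Please add a one-line comment saying that it records whether the protocol directive was given explicitly for this context, and that the merge relies on it instead of comparing protocol against SSL_PROTOCOL_ALL.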