Changes with Apache 2.4.17
+ *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
+ and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
+ in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
+
*) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
<name>SSLProtocol</name>
<description>Configure usable SSL/TLS protocol versions</description>
<syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
-<default>SSLProtocol all</default>
+<default>SSLProtocol all -SSLv3 (up to 2.4.16: all)</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
the Netscape Corporation.
- It is the successor to SSLv2 and the predecessor to TLSv1.</p></li>
+ It is the successor to SSLv2 and the predecessor to TLSv1, but is
+ deprecated in <a href="http://www.ietf.org/rfc/rfc7568.txt">RFC 7568</a>.</p></li>
<li><code>TLSv1</code>
<p>
<p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
- when using OpenSSL 1.0.1 and later -
- ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
+ ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively
+ (except for OpenSSL versions compiled with the ``no-ssl3'' configuration
+ option, where <code>all</code> does not include <code>+SSLv3</code>).</p></li>
</ul>
<example><title>Example</title>
<highlight language="config">
<name>SSLProxyProtocol</name>
<description>Configure usable SSL protocol flavors for proxy usage</description>
<syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax>
-<default>SSLProxyProtocol all</default>
+<default>SSLProxyProtocol all -SSLv3 (up to 2.4.16: all)</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<override>Options</override>
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime "
"('N' - number of seconds)")
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
#ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
#else
-#define SSL_PROTOCOLS "SSLv3|TLSv1"
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols "
mctx->ticket_key = NULL;
#endif
- mctx->protocol = SSL_PROTOCOL_ALL;
+ mctx->protocol = SSL_PROTOCOL_DEFAULT;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
}
}
else if (strcEQ(w, "SSLv3")) {
+#ifdef OPENSSL_NO_SSL3
+ if (action != '-') {
+ return "SSLv3 not supported by this version of OpenSSL";
+ }
+ /* Nothing to do, the flag is not present to be toggled */
+ continue;
+#else
thisopt = SSL_PROTOCOL_SSLV3;
+#endif
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
}
cp = apr_pstrcat(p,
+#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+#endif
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
+#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ?
SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */
}
- else if (protocol == SSL_PROTOCOL_TLSV1) {
+ else
+#endif
+ if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ?
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#ifndef OPENSSL_NO_SSL3
if (!(protocol & SSL_PROTOCOL_SSLV3)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
}
+#endif
if (!(protocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
* IPv4 and IPv6 addresses are not permitted".)
*/
if (hostname_note &&
+#ifndef OPENSSL_NO_SSL3
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+#endif
apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) {
if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
* Define the SSL Protocol options
*/
#define SSL_PROTOCOL_NONE (0)
-#define SSL_PROTOCOL_SSLV2 (1<<0)
+#ifndef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_SSLV3 (1<<1)
+#endif
#define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifndef OPENSSL_NO_SSL3
+#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#else
+#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
+#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
+#endif
+#ifndef OPENSSL_NO_SSL3
+#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
+#else
+#define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
#endif
typedef int ssl_proto_t;
#define SSL2_HELP_MSG ""
#endif
+#ifndef OPENSSL_NO_SSL3
+#define SSL3_HELP_MSG "SSL3, "
+#else
+#define SSL3_HELP_MSG ""
+#endif
+
#ifdef HAVE_TLSV1_X
#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
#else
fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
- fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
+ fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
#endif
exit(EINVAL);
}
} else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
meth = SSLv2_client_method();
#endif
+#ifndef OPENSSL_NO_SSL3
} else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
meth = SSLv3_client_method();
+#endif
#ifdef HAVE_TLSV1_X
} else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
meth = TLSv1_1_client_method();
projects / thirdparty / apache / httpd.git / commitdiff
