From: Eric Covener
Date: Thu, 5 Jan 2017 18:57:49 +0000 (+0000)
Subject: Support compilation against libssl built with OPENSSL_NO_SSL3.
X-Git-Tag: 2.2.32~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4e7f274bda29c7cf732dca713927a94d832140a;p=thirdparty%2Fapache%2Fhttpd.git

Support compilation against libssl built with OPENSSL_NO_SSL3.
backport https://svn.apache.org/r1706008 from 2.4.x
Submitted by: kbrand
Reviewed by: ylavic, wrowe, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1777494 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index b14e61bfac0..0516b34c138 100644
--- a/CHANGES
+++ b/CHANGES
@@ -39,6 +39,9 @@ Changes with Apache 2.2.32
 *) Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. [Mike Rumph ]
+ *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
+ [Kaspar Brand]
+
 *) core: Limit to ten the number of tolerated empty lines between request. [Yann Ylavic]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 1cf69c1600f..997311200d6 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -151,10 +151,15 @@ static const command_rec ssl_config_cmds[] = {
 #else
 #define SSLv2_PROTO_PREFIX "SSLv2|"
 #endif
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
 #ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
 #else
-#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX "SSLv3|TLSv1"
+#define SSL_PROTOCOLS SSLv2_PROTO_PREFIX SSLv3_PROTO_PREFIX "TLSv1"
 #endif
 SSL_CMD_SRV(Protocol, RAW_ARGS,
 "Enable or disable various SSL protocols "
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 05d85114784..4f7d01bb2cd 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c 
@@ -1362,7 +1362,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
 #endif
 }
 else if (strcEQ(w, "SSLv3")) {
+#ifdef OPENSSL_NO_SSL3
+ if (action != '-') {
+ return "SSLv3 not supported by this version of OpenSSL";
+ }
+ /* Nothing to do, the flag is not present to be toggled */
+ continue;
+#else
 thisopt = SSL_PROTOCOL_SSLV3;
+#endif
 }
 else if (strcEQ(w, "TLSv1")) {
 thisopt = SSL_PROTOCOL_TLSV1;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 854e6411722..30cbc07f0ea 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -354,7 +354,9 @@ static void ssl_init_ctx_protocol(server_rec *s,
 #ifndef OPENSSL_NO_SSL2
 (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
 #endif
+#ifndef OPENSSL_NO_SSL3
 (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+#endif
 (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
 #ifdef HAVE_TLSV1_X
 (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -374,6 +376,20 @@ static void ssl_init_ctx_protocol(server_rec *s,
 }
 else
 #endif
+#ifndef OPENSSL_NO_SSL3
+ if (protocol == SSL_PROTOCOL_SSLV3) {
+ method = mctx->pkp ?
+ SSLv3_client_method() : /* proxy */
+ SSLv3_server_method(); /* server */
+ }
+ else
+#endif
+ if (protocol == SSL_PROTOCOL_TLSV1) {
+ method = mctx->pkp ?
+ TLSv1_client_method() : /* proxy */
+ TLSv1_server_method(); /* server */
+ }
+ else
 #ifdef HAVE_TLSV1_X
 if (protocol == SSL_PROTOCOL_TLSV1_1) {
 method = mctx->pkp ?
@@ -404,9 +420,11 @@ static void ssl_init_ctx_protocol(server_rec *s,
 }
 #endif
+#ifndef OPENSSL_NO_SSL3
 if (!(protocol & SSL_PROTOCOL_SSLV3)) {
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
 }
+#endif
 if (!(protocol & SSL_PROTOCOL_TLSV1)) {
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 800f0f99185..d6016d32ecd 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c 
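Review bot: The new `OPENSSL_NO_SSL3` branch in ssl_cmd_protocol_parse returns `"SSLv3 not supported by this version of OpenSSL"` for `SSLv3` and `+SSLv3`, but what is actually missing is a build-time option, not a newer or older OpenSSL release, so an administrator looking at a current libssl gets no hint what to check. Consider `return "SSLv3 not supported by this build of OpenSSL (OPENSSL_NO_SSL3)";` so the message names the cause. Letting `-SSLv3` fall through the `continue` is a good compatibility choice, since hardened configurations that explicitly disable SSLv3 keep loading; the comment could say so, e.g. `/* -SSLv3 is a no-op here: accept it so existing hardened configs still load */`. The enclosing loop and the derivation of `action` lie outside the hunk.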
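Review bot: In the third ssl_engine_init.c hunk the `#ifndef OPENSSL_NO_SSL3` guard compiles out the `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3)` call entirely, so in a no-ssl3 build the context's protocol policy relies on libssl having no SSLv3 implementation rather than on an explicit option. That is correct for that build, and the guard is unavoidable because `SSL_PROTOCOL_SSLV3` is no longer defined there (ssl_private.h hunk), but as far as I know the `SSL_OP_NO_SSLv3` constant itself stays defined in OpenSSL's headers regardless; an `#else` arm `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);` before the `#endif` would keep the policy explicit and confine the build-dependent difference to the httpd macro. If that is judged redundant, a one-line comment at the `#ifndef` saying the option is unnecessary because libssl cannot negotiate SSLv3 at all would spare the next reader the question. ssl_init_ctx_protocol begins and ends outside these hunks.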
@@ -1083,7 +1083,9 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
 * protocol-wise). */
 if (hostname_note &&
+#ifndef OPENSSL_NO_SSL3
 sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+#endif
 apr_ipsubnet_create(&ip, hostname_note, NULL, c->pool) != APR_SUCCESS) {
 if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index ca115582389..4e5f33e6c66 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -241,19 +241,24 @@ typedef int ssl_opt_t;
 #ifndef OPENSSL_NO_SSL2
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #endif
+#ifndef OPENSSL_NO_SSL3
 #define SSL_PROTOCOL_SSLV3 (1<<1)
+#endif
 #define SSL_PROTOCOL_TLSV1 (1<<2)
-#ifdef OPENSSL_NO_SSL2
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#elif !defined(OPENSSL_NO_SSL3)
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
 #else
-#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
 #endif
 #ifdef HAVE_TLSV1_X
 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
+ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
 #else
-#define SSL_PROTOCOL_ALL (SSL_MOST_ALL)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
 #endif
 typedef int ssl_proto_t;
diff --git a/support/ab.c b/support/ab.c
index c9d4cb306db..2ba9600b063 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -1895,6 +1895,12 @@ static void usage(const char *progname)
 #define SSL2_HELP_MSG ""
 #endif
+#ifndef OPENSSL_NO_SSL3
+#define SSL3_HELP_MSG "SSL3, "
+#else
+#define SSL3_HELP_MSG ""
+#endif
+
 #ifdef HAVE_TLSV1_X
 #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
 #else 
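Review bot: `SSL_PROTOCOL_BASIC` is defined without enclosing parentheses in all three arms of the new `#if` ladder in ssl_private.h, so any use outside `SSL_PROTOCOL_ALL` next to an operator that binds tighter than `|` (`protocol & SSL_PROTOCOL_BASIC`, or an `==` comparison) would expand to the wrong expression; the old `SSL_MOST_ALL` had the same shape, but a renamed macro is the moment to fix it: `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)` and likewise for the other two arms. The `#else` arm also covers a libssl built with `OPENSSL_NO_SSL3` but without `OPENSSL_NO_SSL2`, and there it leaves `SSL_PROTOCOL_SSLV2` out of the default set even though that bit is still defined; if that is intentional, a short comment such as `/* SSLv2 without SSLv3 is not a supported combination; TLS only */` would stop the next reader from treating it as an oversight.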
@@ -1903,7 +1909,7 @@ static void usage(const char *progname)
 fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
 fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
- fprintf(stderr, " (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
+ fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
 #endif
 exit(EINVAL);
 }
@@ -2240,8 +2246,10 @@ int main(int argc, const char * const argv[])
 } else if (strncasecmp(optarg, "SSL2", 4) == 0) {
 meth = SSLv2_client_method();
 #endif
+#ifndef OPENSSL_NO_SSL3
 } else if (strncasecmp(optarg, "SSL3", 4) == 0) {
 meth = SSLv3_client_method();
+#endif
 #ifdef HAVE_TLSV1_X
 } else if (strncasecmp(optarg, "TLS1.1", 6) == 0) {
 meth = TLSv1_1_client_method();
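Review bot: With `OPENSSL_NO_SSL3` defined, the `SSL3` arm of the `-f` chain in ab.c's main is compiled out, so `-f SSL3` matches no branch; if the chain has no final `else` that rejects unknown names (its tail is outside the hunk), the run silently proceeds with whatever `meth` was initialised to instead of telling the user the protocol is unavailable, which is the opposite of the server side, where ssl_cmd_protocol_parse now returns an error for `+SSLv3`. An `#else` arm that reports and exits would keep the two in step, e.g. `} else if (strncasecmp(optarg, "SSL3", 4) == 0) {` followed by `err("SSL3 not supported by this build of OpenSSL\n");` — assuming `err()` is ab.c's usual print-and-exit helper; otherwise an `fprintf(stderr, ...)` plus `exit(1)`. The usage() hunk already removes SSL3 from the help text, so the two would then agree. main begins and ends outside the hunk.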