From: Stefan Fritsch
Date: Fri, 8 Apr 2011 17:56:20 +0000 (+0000)
Subject: mod_ssl, ab: Support OpenSSL compiled without SSLv2 support
X-Git-Tag: 2.3.12~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ded32d4e378a9f7fdc01c3c69f87739bd4bc26db;p=thirdparty%2Fapache%2Fhttpd.git
mod_ssl, ab: Support OpenSSL compiled without SSLv2 support
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1090367 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index e39bd08f20c..33f4a0a9fac 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 Changes with Apache 2.3.12
+ *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+ [Stefan Fritsch]
+
 *) core: Abort if the MPM is changed across restart. [Jeff Trawick]
 *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 89270bf4ec7..6042bacb2c8 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1208,6 +1208,11 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
 }
 if (strcEQ(w, "SSLv2")) {
+#ifdef OPENSSL_NO_SSL2
+ if (action != '-') {
+ return "SSLv2 not supported by this version of OpenSSL";
+ }
+#endif
 thisopt = SSL_PROTOCOL_SSLV2;
 }
 else if (strcEQ(w, "SSLv3")) {
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index c8df81ee03d..67f72eaa29b 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
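Review bot: In modules/ssl/ssl_engine_config.c the `action != '-'` exemption inside the new `#ifdef OPENSSL_NO_SSL2` block carries no comment, although it is the security-relevant part of the change. It lets a configuration that only disables the protocol keep loading on a build without SSLv2, while any attempt to enable it is refused at parse time. A one-line comment above the `if`, such as `/* "-SSLv2" stays valid so configs that only disable SSLv2 still load */`, would record that intent. `action` is assigned outside this hunk, so this assumes it holds the '+'/'-' prefix of the token; the body of ssl_cmd_protocol_parse continues on both sides of the hunk.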
@@ -500,16 +500,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
 "Creating new SSL context (protocols: %s)", cp);
- if (protocol == SSL_PROTOCOL_SSLV2) {
- method = mctx->pkp ?
- SSLv2_client_method() : /* proxy */
- SSLv2_server_method(); /* server */
- }
- else if (protocol == SSL_PROTOCOL_SSLV3) {
+ if (protocol == SSL_PROTOCOL_SSLV3) {
 method = mctx->pkp ?
 SSLv3_client_method() : /* proxy */
 SSLv3_server_method(); /* server */
 }
+#ifndef OPENSSL_NO_SSL2
+ else if (protocol == SSL_PROTOCOL_SSLV2) {
+ method = mctx->pkp ?
+ SSLv2_client_method() : /* proxy */
+ SSLv2_server_method(); /* server */
+ }
+#endif
 else if (protocol == SSL_PROTOCOL_TLSV1) {
 method = mctx->pkp ?
 TLSv1_client_method() : /* proxy */
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 89051adcd52..5dcc65e90f7 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -236,7 +236,11 @@ typedef int ssl_opt_t;
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #define SSL_PROTOCOL_SSLV3 (1<<1)
 #define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifndef OPENSSL_NO_SSL2
 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#else
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
 typedef int ssl_proto_t;
 /**
diff --git a/support/ab.c b/support/ab.c
index 59461dd53b5..601fadc8ccc 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -1890,7 +1890,11 @@ static void usage(const char *progname)
 fprintf(stderr, " -h Display usage information (this message)\n");
 #ifdef USE_SSL
 fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
+#ifndef OPENSSL_NO_SSL2
 fprintf(stderr, " -f protocol Specify SSL/TLS protocol (SSL2, SSL3, TLS1, or ALL)\n");
+#else
+ fprintf(stderr, " -f protocol Specify SSL/TLS protocol (SSL3, TLS1, or ALL)\n");
+#endif
 #endif
 exit(EINVAL);
 }
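Review bot: In modules/ssl/ssl_engine_init.c, compiling the `SSL_PROTOCOL_SSLV2` arm out under `OPENSSL_NO_SSL2` leaves no branch that handles that value. A `protocol` equal to `SSL_PROTOCOL_SSLV2` would fall through to whatever follows the `SSL_PROTOCOL_TLSV1` arm instead of failing. The parser change in ssl_engine_config.c should keep that value from being configured, but the two checks sit in different files and nothing in this function enforces the link. An `#else` arm that reports the condition through `ap_log_error` and refuses to create the context would make the no-SSLv2 build fail closed. The end of the if/else chain and of ssl_init_ctx_protocol lies outside the hunk, so the actual fall-through target is not visible here.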
@@ -2219,8 +2223,10 @@ int main(int argc, const char * const argv[])
 case 'f':
 if (strncasecmp(opt_arg, "ALL", 3) == 0) {
 meth = SSLv23_client_method();
+#ifndef OPENSSL_NO_SSL2
 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
 meth = SSLv2_client_method();
+#endif
 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
 meth = SSLv3_client_method();
 } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
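Review bot: On a build with `OPENSSL_NO_SSL2`, `-f SSL2` no longer matches any arm of the chain under `case 'f':`. Unless a final `else` outside this hunk rejects it, ab would keep whatever `meth` held before and run with a different protocol than the one requested. For a tool used to check what a server negotiates, that silent substitution gives a misleading result. Consider an `#else` arm, `} else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {` followed by `usage(argv[0]);`, so the request fails visibly. The chain and main() continue past the last line of the hunk.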