From: Yann Ylavic
Date: Thu, 21 May 2015 16:11:41 +0000 (+0000)
Subject: Merge r1653997 from trunk.
X-Git-Tag: 2.2.30~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e129c9c396fc53184f56ba7498b8dbaaeb5c48bb;p=thirdparty%2Fapache%2Fhttpd.git
Merge r1653997 from trunk.
r1653997 | ylavic | 2015-01-22 19:37:06 +0100 (Thu, 22 Jan 2015) | 7 lines
mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann
Committed/modified By: ylavic
Reviewed by: ylavic, wrowe, rjung
Backported by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680917 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 836cf44aa01..055722ef58a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.30
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann ,
+ Yann Ylavic]
+
 *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
diff --git a/STATUS b/STATUS
index cdfd983c62c..b9c3da5cbb3 100644
--- a/STATUS
+++ b/STATUS
@@ -108,15 +108,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 ylavic: trunk/2.4.x not concerned, 2.2.x only. +1: ylavic, jkaluza, wrowe
- * mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. PR 57100.
- trunk patch: http://svn.apache.org/r1653997
- 2.4.x patch: merged in http://svn.apache.org/r1663258
- 2.2.x patch: trunk works (modulo CHANGES)
- +1: ylavic, wrowe, rjung
- wrowe: good to fix inheritence. Unsure why ALL is the default on all
- branches, I was sure it wasn't, but if we subvert ALL later, we
- have done something odd. No impact on the validity of this patch.
-
 * mod_ssl: Propose a more modern Cipher and Protocol list, honor server cipher priority and add explanations relative to RFC 7525 guidance. http://svn.apache.org/r1679428
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 1f5d7cefdfc..05d85114784 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -113,6 +113,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
 #endif
 mctx->protocol = SSL_PROTOCOL_ALL;
+ mctx->protocol_set = 0;
 mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
 mctx->pphrase_dialog_path = NULL;
@@ -220,7 +221,12 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
 modssl_ctx_t *add,
 modssl_ctx_t *mrg)
 {
- cfgMerge(protocol, SSL_PROTOCOL_ALL);
+ if (add->protocol_set) {
+ mrg->protocol = add->protocol;
+ }
+ else {
+ mrg->protocol = base->protocol;
+ }
 cfgMerge(pphrase_dialog_type, SSL_PPTYPE_UNSET);
 cfgMergeString(pphrase_dialog_path);
@@ -1399,6 +1405,7 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *cmd,
 {
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->protocol_set = 1;
 return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol);
 }
@@ -1417,6 +1424,7 @@ const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,
 {
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->proxy->protocol_set = 1;
 return ssl_cmd_protocol_parse(cmd, arg, &sc->proxy->protocol);
 }
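Review bot: `mrg->protocol_set` is never assigned in the new branch of modssl_ctx_cfg_merge, so the merged context does not record that the protocol was explicitly configured even though `mrg->protocol` now carries that explicit value; if the merged context is ever the `add` side of a further merge, or any later code consults `protocol_set`, the explicit setting is treated as the default again (whether that happens is outside this hunk — `mrg` is presumably zeroed by modssl_ctx_init, which would make the field silently stale rather than wrong today). Carrying the flag along keeps the two fields consistent: `mrg->protocol_set = 1;` in the first branch and `mrg->protocol_set = base->protocol_set;` in the else branch. A short comment above the `if` would also help the next reader, since the same enum value is both the initial value and a legitimate explicit setting: `/* SSL_PROTOCOL_ALL is the default as well as a valid explicit value, so the flag, not the value, decides: an explicit (Proxy)SSLProtocol in the vhost, ALL included, replaces the base server's setting rather than narrowing it. */`. The rest of modssl_ctx_cfg_merge continues outside the hunk.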
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 8cb6233e542..ca115582389 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -504,6 +504,7 @@ typedef struct {
 #endif
 ssl_proto_t protocol;
+ int protocol_set;
 /** config for handling encrypted keys */
 ssl_pphrase_t pphrase_dialog_type;
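Review bot: The new `int protocol_set;` member carries no comment, while neighbouring fields of this struct are documented in `/** ... */` style (the `/** config for handling encrypted keys */` line directly below it). Its meaning is not obvious from the name alone, because the field it qualifies already has a value in every context; suggest `/** non-zero once SSLProtocol/SSLProxyProtocol was given explicitly for this context; needed because SSL_PROTOCOL_ALL is also the initial value of protocol */`. The typedef'd struct starts and ends outside the hunk.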