git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
mod_ssl: Check the SSLProtocol directive when loading the configuration
author Joe Orton <jorton@apache.org>
Wed, 9 Apr 2025 08:01:24 +0000 (08:01 +0000)
committer Joe Orton <jorton@apache.org>
Wed, 9 Apr 2025 08:01:24 +0000 (08:01 +0000)
Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".

With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with "httpd -t -f httpd.conf".

Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes #523

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68

changes-entries/ssl-check-protoconf.txt [new file with mode: 0644]
modules/ssl/ssl_engine_config.c

diff --git a/changes-entries/ssl-check-protoconf.txt b/changes-entries/ssl-check-protoconf.txt
new file mode 100644 (file)
index 0000000..7c125f8
--- /dev/null
@@ -0,0 +1,3 @@
+  *) mod_ssl: Fail when parsing SSLProtocol if the configuration 
+     would prevent use of all protocols.
+     [Michael Kaufmann <mail michael-kaufmann.ch>]
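Review bot: the first line of the new changes entry ends with a trailing space after "configuration"; trim it so the entry matches the other files in changes-entries/. The entry could also state when the failure is now reported (at configuration parse time, so "httpd -t" catches it) rather than at startup, since that is the user-visible change the commit message describes.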
index 43593d799c750cb22fbffd5efd843c389e85e0bd..40f0cfd488fa76bab38713a9927a2c916d0b44ed 100644 (file)
@@ -1610,6 +1610,11 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
         }
     }
 
+    if (*options == SSL_PROTOCOL_NONE) {
+        return "SSLProtocol: No SSL protocols available";
+    }
+
+
     return NULL;
 }
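Review bot: the hunk adds two consecutive blank `+` lines before `return NULL;`; one blank line is enough and matches the surrounding style of ssl_cmd_protocol_parse. Two further points on the new check: first, the returned string "SSLProtocol: No SSL protocols available" drops the "[hint: SSLProtocol]" wording of the AH02231 runtime message it supersedes, so administrators searching for the old text will not find the new failure; keeping the phrasing consistent, e.g. `return "SSLProtocol: No SSL protocols available [hint: check the +/- combination]";`, would help. Second, the test `*options == SSL_PROTOCOL_NONE` only catches a protocol mask that has been emptied entirely (the "-all", "-TLSv1" and "TLSv1.2 -TLSv1.2" cases in the commit message); a mask that is non-empty but names only protocols the linked SSL library cannot provide still fails at runtime, which is consistent with "most invalid SSLProtocol directives" in the description but worth saying explicitly in the changes entry.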