mod_ssl: Disallow SSLOpenSSLConfCmd within vhost context since it
authorJoe Orton <jorton@apache.org>
Tue, 15 Oct 2024 14:30:19 +0000 (14:30 +0000)
committerJoe Orton <jorton@apache.org>
Tue, 15 Oct 2024 14:30:19 +0000 (14:30 +0000)
has global effect.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd):
  Disallow use within vhost context.

PR: 69397

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68

changes-entries/pr69397.txt [new file with mode: 0644]
docs/manual/mod/mod_ssl.xml
modules/ssl/ssl_engine_config.c

diff --git a/changes-entries/pr69397.txt b/changes-entries/pr69397.txt
new file mode 100644 (file)
index 0000000..32ae57e
--- /dev/null
@@ -0,0 +1,2 @@
+  *) mod_ssl: Disallow use of "SSLOpenSSLConfCmd" in <VirtualHost>
+     context.  PR 69397.  [Joe Orton]
index b28ec9df4b7869574262e0a4ffe50d06a89c02eb..3bc2063da82f1dcc963a7251cee3936da803890c 100644 (file)
@@ -2935,8 +2935,7 @@ forward secrecy.</p>
 <name>SSLOpenSSLConfCmd</name>
 <description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description>
 <syntax>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></syntax>
-<contextlist><context>server config</context>
-<context>virtual host</context></contextlist>
+<contextlist><context>server config</context></contextlist>
 <compatibility>Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later</compatibility>
 
 <usage>
index 43593d799c750cb22fbffd5efd843c389e85e0bd..a9e98b9c5bf3fa952a2a13f2a3cfcae73bd5bd6c 100644 (file)
@@ -2162,6 +2162,10 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
     const char *err;
     ssl_ctx_param_t *param;
 
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
     if (value_type == SSL_CONF_TYPE_UNKNOWN) {
         return apr_psprintf(cmd->pool,
                             "'%s': invalid OpenSSL configuration command",
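Review bot: The new `ap_check_cmd_context(cmd, GLOBAL_ONLY)` guard at the top of ssl_cmd_SSLOpenSSLConfCmd has no comment explaining why the directive is restricted. The reason given in the commit message is that the command has global effect, so a setting written inside one `<VirtualHost>` was not confined to that vhost. I would put `/* SSLOpenSSLConfCmd has global effect; reject it inside <VirtualHost> rather than let it appear vhost-scoped (PR 69397). */` directly above the check. Existing configurations that carry the directive inside a vhost will presumably now fail at config parsing with the generic context error, so the upgrade notes should tell operators to move it to server config and re-check the resulting TLS settings. The function body starts before and continues past this hunk, so whether later code still has per-vhost handling that is now dead cannot be judged from here.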