
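--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -287,16 +287,22 @@ typedef int ssl_opt_t;
  * Define the SSL Protocol options
  */
 #define SSL_PROTOCOL_NONE  (0)
-#define SSL_PROTOCOL_SSLV2 (1<<0)
+#ifndef OPENSSL_NO_SSL3
 #define SSL_PROTOCOL_SSLV3 (1<<1)
+#endif
 #define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifndef OPENSSL_NO_SSL3
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
+#else
+#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+#endif
 #ifdef HAVE_TLSV1_X
 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_BASIC| \
                             SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
 #else
-#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_BASIC)
 #endif
 typedef int ssl_proto_t;
 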
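Review bot: The new `SSL_PROTOCOL_BASIC` macro is defined without enclosing parentheses, so its SSLv3-enabled form expands to a bare `SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1`. Both uses in this hunk sit inside the parentheses of `SSL_PROTOCOL_ALL` and are fine, but a later `protocol & SSL_PROTOCOL_BASIC` or `~SSL_PROTOCOL_BASIC` would bind to the first operand only and produce the wrong protocol mask. Parenthesize both definitions, `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)` and `#define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)`, matching how `SSL_PROTOCOL_ALL` is written.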
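--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -514,7 +514,9 @@ static apr_status_t ssl_init_ctx_protocol(server_r
     }
 
     cp = apr_pstrcat(p,
+#ifndef OPENSSL_NO_SSL3
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+#endif
                      (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
 #ifdef HAVE_TLSV1_X
                      (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -526,12 +528,15 @@ static apr_status_t ssl_init_ctx_protocol(server_r
     ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
                  "Creating new SSL context (protocols: %s)", cp);
 
+#ifndef OPENSSL_NO_SSL3
     if (protocol == SSL_PROTOCOL_SSLV3) {
         method = mctx->pkp ?
             SSLv3_client_method() : /* proxy */
             SSLv3_server_method();  /* server */
     }
-    else if (protocol == SSL_PROTOCOL_TLSV1) {
+    else
+#endif
+    if (protocol == SSL_PROTOCOL_TLSV1) {
         method = mctx->pkp ?
             TLSv1_client_method() : /* proxy */
             TLSv1_server_method();  /* server */
@@ -562,8 +567,10 @@ static apr_status_t ssl_init_ctx_protocol(server_r
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 
+#ifndef OPENSSL_NO_SSL3
     ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
                                 protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
+#endif
     ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
                                 protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
 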
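Review bot: In the last hunk, a build with `OPENSSL_NO_SSL3` defined never sets `SSL_OP_NO_SSLv3` on the context, so SSLv3 stays off only while the libssl loaded at run time matches the headers used at compile time. The SSLv2 option just above is already set unconditionally; an `#else` branch containing `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);` would keep SSLv3 disabled even if a differently configured library is picked up. This assumes `SSL_OP_NO_SSLv3` is still defined by no-ssl3 headers, which should be confirmed for the supported OpenSSL versions. The body of `ssl_init_ctx_protocol` starts and ends outside the hunks shown.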
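--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1316,7 +1316,15 @@ static const char *ssl_cmd_protocol_parse(cmd_parm
             }
         }
         else if (strcEQ(w, "SSLv3")) {
+#ifdef OPENSSL_NO_SSL3
+            if (action != '-') {
+                return "SSLv3 not supported by this version of OpenSSL";
+            }
+            /* Nothing to do, the flag is not present to be toggled */
+            continue;
+#else
             thisopt = SSL_PROTOCOL_SSLV3;
+#endif
         }
         else if (strcEQ(w, "TLSv1")) {
             thisopt = SSL_PROTOCOL_TLSV1;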
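Review bot: The `#ifdef OPENSSL_NO_SSL3` test is evaluated at build time, so the message "SSLv3 not supported by this version of OpenSSL" describes the headers mod_ssl was compiled against, not necessarily the library present when the configuration is parsed. A comment above the branch would make the intended behaviour explicit, e.g. `/* Build-time check: any action other than '-' is rejected; "-SSLv3" is accepted as a no-op so existing configs still load */`. The `continue` relies on an enclosing loop that lies outside the hunk.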
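--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1139,7 +1139,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
          * IPv4 and IPv6 addresses are not permitted".)
          */
         if (hostname_note &&
+#ifndef OPENSSL_NO_SSL3
             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+#endif
             apr_ipsubnet_create(&ip, hostname_note, NULL,
                                 c->pool) != APR_SUCCESS) {
             if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {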
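--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -135,10 +135,15 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
                 "SSL Session Cache object lifetime "
                 "('N' - number of seconds)")
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
 #ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
 #else
-#define SSL_PROTOCOLS "SSLv3|TLSv1"
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
 #endif
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols "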
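--- a/support/ab.c
+++ b/support/ab.c
@@ -1997,6 +1997,12 @@ static void usage(const char *progname)
 #define SSL2_HELP_MSG ""
 #endif
 
+#ifndef OPENSSL_NO_SSL3
+#define SSL3_HELP_MSG "SSL3, "
+#else
+#define SSL3_HELP_MSG ""
+#endif
+
 #ifdef HAVE_TLSV1_X
 #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
 #else
@@ -2005,7 +2011,7 @@ static void usage(const char *progname)
 
     fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
     fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");
-    fprintf(stderr, "                    (" SSL2_HELP_MSG "SSL3, TLS1" TLS1_X_HELP_MSG " or ALL)\n");
+    fprintf(stderr, "                    (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
 #endif
     exit(EINVAL);
 }
@@ -2350,8 +2356,10 @@ int main(int argc, const char * const argv[])
                 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
 #endif
+#ifndef OPENSSL_NO_SSL3
                 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
+#endif
 #ifdef HAVE_TLSV1_X
                 } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
                     meth = TLSv1_1_client_method();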
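Review bot: The guard around `SSLv3_client_method()` in the last hunk tests only `OPENSSL_NO_SSL3`, but OpenSSL can also be built with the SSLv3 method functions removed while that macro stays undefined (`OPENSSL_NO_SSL3_METHOD`, set by the `no-ssl3-method` option). On such a build the call is still compiled and the build or link would be expected to fail. Consider `#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD)` here and for `SSL3_HELP_MSG`; the `SSLv3_client_method()`/`SSLv3_server_method()` selection in modules/ssl/ssl_engine_init.c has the same exposure. The rest of the `-f` option chain is outside the hunk, so it is not visible what `-f SSL3` does once this branch is compiled out.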
