Summary: | Support OPENSSL_NO_SSL3 builds | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | stu-bz.apache |
Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | brnrd |
Priority: | P2 | ||
Version: | 2.5-HEAD | ||
Target Milestone: | --- | ||
Hardware: | All | ||
OS: | All | ||
Attachments: | Fix build/runtime with SSLv3 disabled in libssl; Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option | ||

Created attachment 33101: Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

We need to address this somewhat more comprehensively, IMO - similar to what was done for OPENSSL_NO_SSL2 in r1090367. I'm attaching a preliminary version of a potential patch, basically untested for the time being. Testing feedback welcome. The SSLProtocol documentation would also need an update in this case ("all" no longer including SSLv3 for OPENSSL_NO_SSL3 builds).

Thanks, that's indeed better. There's a missing ifdef guard for ssl_engine_init.c:527, other than that it's good for me.

(In reply to stu-bz.apache from comment #2)
> There's a missing ifdef guard for
> ssl_engine_init.c:527, other than that it's good for me.

The patch is against trunk, where that code is slightly different (hunk #3 is rejected when applying to 2.4.x). Will have to be adjusted in the backport proposal.

Comment on attachment 33101: Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

Slightly extended version committed to trunk with r1703952 (also addresses bug 57120). Unless there are objections on the dev list, I will propose a backport to 2.4.x shortly (https://people.apache.org/~kbrand/mod_ssl-2.4.x-disable-sslv3.diff).

(In reply to Kaspar Brand from comment #4)
> will propose a backport to 2.4.x shortly

Done with r1705398.

Created attachment 33085: Fix build/runtime with SSLv3 disabled in libssl

ab.c and mod_ssl unconditionally use SSLv3_method() functions. Attached diffs guard these with ifdefs. The ab.c diff is my own, mod_ssl is from Jérémie Courrèges-Anglas.
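
The thread above asks for two things: `#ifdef` guards around SSLv3 code, and an "all" protocol set that no longer includes SSLv3 on OPENSSL_NO_SSL3 builds. The sketch below is an added illustration of both, not code from the attached patches or from mod_ssl. The `PROTO_*` names and `parse_protocols()` are hypothetical, and treating "-SSLv3" as a no-op (so existing "all -SSLv3" configurations keep loading) is this example's own choice.

```c
#include <string.h>

/* Assumption: simulates a libssl built with no-ssl3. In a real build this
 * macro comes from <openssl/opensslconf.h>, never from application code. */
#define OPENSSL_NO_SSL3

/* Hypothetical protocol bits for this example, not mod_ssl's definitions. */
#define PROTO_TLSV1   (1u << 1)
#define PROTO_TLSV1_1 (1u << 2)
#define PROTO_TLSV1_2 (1u << 3)
#ifndef OPENSSL_NO_SSL3
#define PROTO_SSLV3   (1u << 0)
#define PROTO_ALL     (PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2)
#else
#define PROTO_ALL     (PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2)
#endif

/* Parse a space-separated list such as "all -TLSv1" into *mask.
 * Returns 0 on success, -1 on an unknown or unavailable protocol. */
int parse_protocols(const char *spec, unsigned *mask)
{
    char buf[128], *tok;
    unsigned m = 0;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        unsigned bit;
        int drop = (*tok == '-');

        if (*tok == '+' || *tok == '-')
            tok++;
        if (strcmp(tok, "all") == 0)          bit = PROTO_ALL;
        else if (strcmp(tok, "TLSv1") == 0)   bit = PROTO_TLSV1;
        else if (strcmp(tok, "TLSv1.1") == 0) bit = PROTO_TLSV1_1;
        else if (strcmp(tok, "TLSv1.2") == 0) bit = PROTO_TLSV1_2;
        else if (strcmp(tok, "SSLv3") == 0) {
#ifndef OPENSSL_NO_SSL3
            bit = PROTO_SSLV3;
#else
            if (!drop)
                return -1;  /* cannot enable a protocol libssl lacks */
            continue;       /* "-SSLv3" is a harmless no-op */
#endif
        }
        else
            return -1;
        m = drop ? (m & ~bit) : (m | bit);
    }
    *mask = m;
    return 0;
}
```

Removing the `#define OPENSSL_NO_SSL3` line models a libssl that still ships SSLv3: "SSLv3" is then accepted and "all" includes its bit.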