Bug 58349

Summary: Support OPENSSL_NO_SSL3 builds
Product: Apache httpd-2
Reporter: stu-bz.apache
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: brnrd
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments:
  Fix build/runtime with SSLv3 disabled in libssl
  Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

Description stu-bz.apache 2015-09-09 13:11:18 UTC
Created attachment 33085 [details]
Fix build/runtime with SSLv3 disabled in libssl

ab.c and mod_ssl unconditionally use SSLv3_method() functions. Attached diffs guard these with ifdefs. The ab.c diff is my own, mod_ssl is from Jérémie Courrèges-Anglas.
Comment 1 Kaspar Brand 2015-09-13 11:46:42 UTC
Created attachment 33101 [details]
Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

We need to address this somewhat more comprehensively, IMO - similar to what was done for OPENSSL_NO_SSL2 in r1090367.

I'm attaching a preliminary version of a potential patch, basically untested for the time being. Testing feedback welcome.

The SSLProtocol documentation would also need an update in this case ("all" no longer including SSLv3 for OPENSSL_NO_SSL3 builds).
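The guarding approach discussed in the description and in this comment, shown as an added example rather than code from the attached patches or from mod_ssl: SSLv3 is compiled out under OPENSSL_NO_SSL3, "all" then no longer includes it, and an explicit attempt to enable it is rejected. The protocol bit values, the apply_token/ssl_protocol_parse names and the assumption that OPENSSL_NO_SSL3 arrives via compiler flags (e.g. -DOPENSSL_NO_SSL3) rather than opensslconf.h are mine.

```c
#include <string.h>
#include <strings.h>
/* Protocol bits in the style of mod_ssl's SSLProtocol handling (constructed values). */
#define SSL_PROTOCOL_SSLV3    (1 << 1)
#define SSL_PROTOCOL_TLSV1    (1 << 2)
#define SSL_PROTOCOL_TLSV1_1  (1 << 3)
#define SSL_PROTOCOL_TLSV1_2  (1 << 4)
#define SSL_PROTOCOL_TLS_ALL  (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2)
/* "all" must not include SSLv3 when libssl was built without it. In a real build
 * OPENSSL_NO_SSL3 comes from <openssl/opensslconf.h>; here it is taken from the
 * compiler flags (assumption, to keep the file self-contained). */
#ifdef OPENSSL_NO_SSL3
#define SSL_PROTOCOL_ALL SSL_PROTOCOL_TLS_ALL
#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLS_ALL)
#endif
/* 1 if this build can set up an SSLv3 context, 0 otherwise. */
int sslv3_available(void) {
#ifdef OPENSSL_NO_SSL3
    return 0;
#else
    return 1;
#endif
}
/* Apply one token ("all", "+TLSv1.2", "-SSLv3", ...) to *mask. Returns -1 for an
 * unknown token or for enabling SSLv3 on a build that cannot provide it. */
static int apply_token(const char *tok, int *mask) {
    int add = 1, bit;
    if (*tok == '+') tok++;
    else if (*tok == '-') { add = 0; tok++; }
    if (strcasecmp(tok, "all") == 0)          bit = SSL_PROTOCOL_ALL;
    else if (strcasecmp(tok, "TLSv1") == 0)   bit = SSL_PROTOCOL_TLSV1;
    else if (strcasecmp(tok, "TLSv1.1") == 0) bit = SSL_PROTOCOL_TLSV1_1;
    else if (strcasecmp(tok, "TLSv1.2") == 0) bit = SSL_PROTOCOL_TLSV1_2;
    else if (strcasecmp(tok, "SSLv3") == 0) {
        if (add && !sslv3_available()) return -1;
        bit = SSL_PROTOCOL_SSLV3;
    }
    else return -1;
    if (add) *mask |= bit; else *mask &= ~bit;
    return 0;
}
/* Parse a full SSLProtocol value such as "all -SSLv3"; returns the mask or -1. */
int ssl_protocol_parse(const char *spec) {
    char buf[256], *tok;
    int mask = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t"))
        if (apply_token(tok, &mask) < 0) return -1;
    return mask;
}
```

Building once with and once without -DOPENSSL_NO_SSL3 shows the two behaviours of "all" and of "+SSLv3".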
Comment 2 stu-bz.apache 2015-09-13 12:14:46 UTC
Thanks, that's indeed better. There's a missing ifdef guard for ssl_engine_init.c:527, other than that it's good for me.
Comment 3 Kaspar Brand 2015-09-13 12:24:11 UTC
(In reply to stu-bz.apache from comment #2)
> There's a missing ifdef guard for
> ssl_engine_init.c:527, other than that it's good for me.

The patch is against trunk, where that code is slightly different (hunk #3 is rejected when applying to 2.4.x). Will have to be adjusted in the backport proposal.
Comment 4 Kaspar Brand 2015-09-19 08:48:37 UTC
Comment on attachment 33101 [details]
Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

Slightly extended version committed to trunk with r1703952 (also addresses bug 57120).

Unless there are objections on the dev list, I will propose a backport to 2.4.x shortly (https://people.apache.org/~kbrand/mod_ssl-2.4.x-disable-sslv3.diff).
Comment 5 Kaspar Brand 2015-09-26 08:11:10 UTC
(In reply to Kaspar Brand from comment #4)
> will propose a backport to 2.4.x shortly

Done with r1705398.
Comment 6 Kaspar Brand 2015-09-30 12:10:35 UTC
Backported to 2.4.x with r1706008. To appear in 2.4.17.