Bug 58349 - Support OPENSSL_NO_SSL3 builds
Summary: Support OPENSSL_NO_SSL3 builds
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2015-09-09 13:11 UTC by stu-bz.apache
Modified: 2015-09-30 12:10 UTC

Attachments
Fix build/runtime with SSLv3 disabled in libssl (1.25 KB, patch)
2015-09-09 13:11 UTC, stu-bz.apache
Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option (6.24 KB, patch)
2015-09-13 11:46 UTC, Kaspar Brand

Description stu-bz.apache 2015-09-09 13:11:18 UTC
Created attachment 33085
Fix build/runtime with SSLv3 disabled in libssl

ab.c and mod_ssl unconditionally use SSLv3_method() functions. Attached diffs guard these with ifdefs. The ab.c diff is my own, mod_ssl is from Jérémie Courrèges-Anglas.
Comment 1 Kaspar Brand 2015-09-13 11:46:42 UTC
Created attachment 33101
Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

We need to address this somewhat more comprehensively, IMO - similar to what was done for OPENSSL_NO_SSL2 in r1090367.

I'm attaching a preliminary version of a potential patch, basically untested for the time being. Testing feedback welcome.

The SSLProtocol documentation would also need an update in this case ("all" no longer including SSLv3 for OPENSSL_NO_SSL3 builds).
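
Added illustration (not part of the comment above, the attached patches, or mod_ssl's source): a self-contained C program that applies the compile-time guard discussed in the description and in comment 1 to an SSLProtocol-style token list, so that with OPENSSL_NO_SSL3 defined "all" excludes SSLv3 and enabling SSLv3 is refused at parse time. The PROTO_* bits, HAVE_SSLV3, token_bit() and parse_protocols() are hypothetical names, and refusing "+SSLv3" while accepting "-SSLv3" as a no-op is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical protocol bits for this example (not mod_ssl's definitions). */
#define PROTO_SSLV3  (1u << 0)
#define PROTO_TLSV1  (1u << 1)
#define PROTO_TLSV12 (1u << 2)
#ifndef OPENSSL_NO_SSL3
#define HAVE_SSLV3 1
#define PROTO_ALL  (PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV12)
#else  /* libssl built without SSLv3: "all" must not include it */
#define HAVE_SSLV3 0
#define PROTO_ALL  (PROTO_TLSV1 | PROTO_TLSV12)
#endif

/* Map one token of length n to its bit(s); returns 0 for an unknown name. */
static unsigned token_bit(const char *t, size_t n)
{
    if (n == 3 && !strncmp(t, "all", n))     return PROTO_ALL;
    if (n == 5 && !strncmp(t, "SSLv3", n))   return PROTO_SSLV3;
    if (n == 5 && !strncmp(t, "TLSv1", n))   return PROTO_TLSV1;
    if (n == 7 && !strncmp(t, "TLSv1.2", n)) return PROTO_TLSV12;
    return 0;
}

/* Parse a space-separated list such as "all -SSLv3" into *mask. A bare or '+'
 * token enables, '-' disables. Returns 0 on success, -1 on an unknown token
 * or on enabling SSLv3 in a build that lacks it (assumption of this example). */
int parse_protocols(const char *spec, unsigned *mask)
{
    unsigned m = 0;
    while (*(spec += strspn(spec, " ")) != '\0') {
        char action = (*spec == '+' || *spec == '-') ? *spec++ : '+';
        size_t n = strcspn(spec, " ");
        unsigned bit = token_bit(spec, n);
        if (bit == 0 || (bit == PROTO_SSLV3 && !HAVE_SSLV3 && action == '+'))
            return -1;  /* fail when the configuration is read, not at handshake */
        if (action == '-') m &= ~bit; else m |= bit;
        spec += n;
    }
    *mask = m;
    return 0;
}

int main(void)
{
    unsigned m = 0;
    int rc = parse_protocols("all -SSLv3", &m);
    printf("all -SSLv3: rc=%d mask=0x%x\n", rc, m);
    return rc != 0;
}
```

Compiling the same file with -DOPENSSL_NO_SSL3 switches it to the SSLv3-less behaviour without any source change.
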
Comment 2 stu-bz.apache 2015-09-13 12:14:46 UTC
Thanks, that's indeed better. There's a missing ifdef guard for ssl_engine_init.c:527, other than that it's good for me.
Comment 3 Kaspar Brand 2015-09-13 12:24:11 UTC
(In reply to stu-bz.apache from comment #2)
> There's a missing ifdef guard for
> ssl_engine_init.c:527, other than that it's good for me.

The patch is against trunk, where that code is slightly different (hunk #3 is rejected when applying to 2.4.x). Will have to be adjusted in the backport proposal.
Comment 4 Kaspar Brand 2015-09-19 08:48:37 UTC
Comment on attachment 33101
Support {Open,Libre}SSL versions with the OPENSSL_NO_SSL3 build-time option

Slightly extended version committed to trunk with r1703952 (also addresses bug 57120).

Unless there are objections on the dev list, I will propose a backport to 2.4.x shortly (https://people.apache.org/~kbrand/mod_ssl-2.4.x-disable-sslv3.diff).
Comment 5 Kaspar Brand 2015-09-26 08:11:10 UTC
(In reply to Kaspar Brand from comment #4)
> will propose a backport to 2.4.x shortly

Done with r1705398.
Comment 6 Kaspar Brand 2015-09-30 12:10:35 UTC
Backported to 2.4.x with r1706008. To appear in 2.4.17.