-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]
+
*) mod_lua: Stop losing track of all but the most specific LuaHook* directives
when multiple per-directory config sections are used. Adds LuaInherit
directive to control how parent sections are merged. [Eric Covener]
<th>Description:</th>
</tr>
<tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr>
-<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
+<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv3, TLSv1)</td></tr>
<tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr>
<tr><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> <td>Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
<tr><td><code>SSL_SECURE_RENEG</code></td> <td>string</td> <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
<directivesynopsis>
<name>SSLProtocol</name>
-<description>Configure usable SSL protocol versions</description>
+<description>Configure usable SSL/TLS protocol versions</description>
<syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
<default>SSLProtocol all</default>
<contextlist><context>server config</context>
<usage>
<p>
-This directive can be used to control which versions of the SSL protocol
+This directive can be used to control which versions of the SSL/TLS protocol
will be accepted in new connections.</p>
<p>
The available (case-insensitive) <em>protocol</em>s are:</p>
<ul>
-<li><code>SSLv2</code>
- <p>
- This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
- original SSL protocol as designed by Netscape Corporation. Though it's
- use has been deprecated, because of weaknesses in the security of the protocol.</p></li>
-
<li><code>SSLv3</code>
<p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
<li><code>TLSv1</code>
<p>
This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
- successor to SSLv3 and is defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC2246</a>.
- Which has been obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC4346</a>.</p></li>
+ successor to SSLv3 and was originally defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>
+ (obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>
+ and <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a> in
+ the meantime).</p></li>
-<li><code>All</code>
+<li><code>all</code>
<p>
- This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' and a
- convenient way for enabling all protocols except one when used in
- combination with the minus sign on a protocol as the example above
- shows.</p></li>
+ This is a shortcut for ``<code>+SSLv3 +TLSv1</code>''.</p></li>
</ul>
<example><title>Example</title>
-# enable SSLv3 and TLSv1, but not SSLv2<br />
-SSLProtocol all -SSLv2
+SSLProtocol TLSv1
</example>
</usage>
</directivesynopsis>
<li><module>mod_ssl</module>: The default format of the <code>*_DN</code>
variables has changed. The old format can still be used with the new
<code>LegacyDNStringFormat</code> argument to <directive
- module="mod_ssl">SSLOptions</directive>.</li>
+ module="mod_ssl">SSLOptions</directive>. The SSLv2 protocol is
+ no longer supported.</li>
<li><program>htpasswd</program> now uses MD5 hash by default on
all platforms.</li>
}
if (strcEQ(w, "SSLv2")) {
-#ifdef OPENSSL_NO_SSL2
- if (action != '-') {
- return "SSLv2 not supported by this version of OpenSSL";
+ if (action == '-') {
+ continue;
+ }
+ else {
+ return "SSLProtocol: SSLv2 is no longer supported";
}
-#endif
- thisopt = SSL_PROTOCOL_SSLV2;
}
else if (strcEQ(w, "SSLv3")) {
thisopt = SSL_PROTOCOL_SSLV3;
}
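Review bot: `-SSLv2` is now accepted silently via `continue` while every other spelling of the token is rejected, and nothing in the hunk records why the asymmetry is deliberate; a short comment would keep a later cleanup from "fixing" it, e.g. `/* "-SSLv2" remains a no-op so existing "all -SSLv2" configurations keep loading */`. The `else` after `continue;` is redundant and can be dropped so the rejection reads as a plain `return "...";`. The message hard-codes the `SSLProtocol:` prefix; if this parser is also reached from SSLProxyProtocol (the enclosing function starts outside the hunk), a neutral wording such as `"SSLv2 is no longer supported"` would avoid misattributing the error. Note also that the `SSL_PROTOCOL_SSLV2` bit is still defined in the header hunk even though no path sets it after this change, so a comment marking it unused or its removal would make the intent explicit.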
cp = apr_pstrcat(p,
- (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
NULL);
SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */
}
-#ifndef OPENSSL_NO_SSL2
- else if (protocol == SSL_PROTOCOL_SSLV2) {
- method = mctx->pkp ?
- SSLv2_client_method() : /* proxy */
- SSLv2_server_method(); /* server */
- }
-#endif
else if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ?
TLSv1_client_method() : /* proxy */
SSL_CTX_set_options(ctx, SSL_OP_ALL);
- if (!(protocol & SSL_PROTOCOL_SSLV2)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- }
+ /* always disable SSLv2, as per RFC 6176 */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
if (!(protocol & SSL_PROTOCOL_SSLV3)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
#ifndef OPENSSL_NO_TLSEXT
/*
* Enable SNI for backend requests. Make sure we don't do it for
- * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
+ * pure SSLv3 connections, and also prevent IP addresses
* from being included in the SNI extension. (OpenSSL would simply
* pass them on, but RFC 6066 is quite clear on this: "Literal
* IPv4 and IPv6 addresses are not permitted".)
*/
if (hostname_note &&
- sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) {
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
-#ifndef OPENSSL_NO_SSL2
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
-#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
-#endif
typedef int ssl_proto_t;
/**