merge r1222921 from trunk:
authorKaspar Brand <kbrand@apache.org>
Sat, 24 Dec 2011 06:43:48 +0000 (06:43 +0000)
committerKaspar Brand <kbrand@apache.org>
Sat, 24 Dec 2011 06:43:48 +0000 (06:43 +0000)
SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when
compiled against OpenSSL 1.0.1 or later. Update documentation.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222922 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
docs/manual/mod/mod_ssl.xml
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_private.h

diff --git a/CHANGES b/CHANGES
index a3195c68970a3ec5f8c9dc9e1857613dc81d1cf6..beedc7ace84076b66dbd563f6ef84c39d919e473 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.0
 
+  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
+     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
+     [Kaspar Brand]
+
   *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
      or later, to improve binary compatibility with future OpenSSL releases.
      [Kaspar Brand]
index 5bf2438752da332cd87128e1479ee9340106dea8..f54aa34c9d85a0706178f3417d37f343e480f55d 100644 (file)
@@ -61,7 +61,7 @@ compatibility variables.</p>
  <th>Description:</th>
 </tr>
 <tr><td><code>HTTPS</code></td>                         <td>flag</td>      <td>HTTPS is being used.</td></tr>
-<tr><td><code>SSL_PROTOCOL</code></td>                  <td>string</td>    <td>The SSL protocol version (SSLv3, TLSv1)</td></tr>
+<tr><td><code>SSL_PROTOCOL</code></td>                  <td>string</td>    <td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr>
 <tr><td><code>SSL_SESSION_ID</code></td>                <td>string</td>    <td>The hex-encoded SSL session id</td></tr>
 <tr><td><code>SSL_SESSION_RESUMED</code></td>           <td>string</td>    <td>Initial or Resumed SSL Session.  Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
 <tr><td><code>SSL_SECURE_RENEG</code></td>              <td>string</td>    <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
@@ -588,15 +588,25 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
 
 <li><code>TLSv1</code>
     <p>
-    This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
-    successor to SSLv3 and was originally defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>
-    (obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>
-    and <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a> in
-    the meantime).</p></li>
+    This is the Transport Layer Security (TLS) protocol, version 1.0.
+    It is the successor to SSLv3 and is defined in
+    <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>.</p></li>
+
+<li><code>TLSv1.1</code> (when using OpenSSL 1.0.1 and later)
+    <p>
+    A revision of the TLS 1.0 protocol, as defined in
+    <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>.</p></li>
+
+<li><code>TLSv1.2</code> (when using OpenSSL 1.0.1 and later)
+    <p>
+    A revision of the TLS 1.1 protocol, as defined in
+    <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
 
 <li><code>all</code>
     <p>
-    This is a shortcut for ``<code>+SSLv3 +TLSv1</code>''.</p></li>
+    This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
+    - when using OpenSSL 1.0.1 and later -
+    ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
 </ul>
 <example><title>Example</title>
 SSLProtocol TLSv1
index 57bf2d949bf41134fbb0c764a71a8a0470612e12..0140b6182d231b7e06a3e7ad3ff178d8663669ab 100644 (file)
@@ -130,7 +130,11 @@ static const command_rec ssl_config_cmds[] = {
                 "('N' - number of seconds)")
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
-                "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+                "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+                "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
@@ -148,7 +152,11 @@ static const command_rec ssl_config_cmds[] = {
                 "('on', 'off')")
     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
-               "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+                "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+                "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                "('XXX:...:XXX' - see manual)")
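Review bot: The two new ProxyProtocol help-string lines (the `"('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")` line and its `#else` counterpart) are indented sixteen spaces while the surrounding `"SSL Proxy: enable or disable SSL protocol flavors "` line uses fifteen, so the continuation literals no longer line up inside the SSL_CMD_SRV argument list; dedent both by one space. The earlier Protocol hunk in this file is consistent with its neighbours, so only this hunk is affected. Both hunks also drop `SSLv2` from the non-HAVE_TLSV1_X help text while `SSL_PROTOCOL_SSLV2` is still defined in ssl_private.h; if ssl_cmd_protocol_parse still accepts that token (its handling is not visible here), the help text now under-documents it, and if it does not, the unused bit could be retired in a follow-up.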
index 8b2d53ad17c6b1e4f042eff6899299890f683a2f..3934ae140c399aa989c57882c6873877719ca0df 100644 (file)
@@ -1283,6 +1283,12 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
         else if (strcEQ(w, "TLSv1")) {
             thisopt = SSL_PROTOCOL_TLSV1;
         }
+        else if (strcEQ(w, "TLSv1.1")) {
+            thisopt = SSL_PROTOCOL_TLSV1_1;
+        }
+        else if (strcEQ(w, "TLSv1.2")) {
+            thisopt = SSL_PROTOCOL_TLSV1_2;
+        }
         else if (strcEQ(w, "all")) {
             thisopt = SSL_PROTOCOL_ALL;
         }
index 39b083be089c944292ba17863f9ab18989210d48..78a2bd0529f587a3e96ccb4d0362b5d8acb10365 100644 (file)
@@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server_rec *s,
     cp = apr_pstrcat(p,
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
                      (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
+#ifdef HAVE_TLSV1_X
+                     (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
+                     (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
+#endif
                      NULL);
     cp[strlen(cp)-2] = NUL;
 
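Review bot: The trailing `cp[strlen(cp)-2] = NUL;` that strips the last ", " is pre-existing rather than introduced here, but this hunk adds two more optional terms to the `apr_pstrcat` and is the natural place to cover the empty case: if `protocol` can reach this function with no bit set (the parser's result is not visible here), `cp` is `""`, `strlen(cp)-2` wraps as `size_t`, and the store lands far outside the buffer. A guard such as `if (strlen(cp) >= 2) cp[strlen(cp)-2] = NUL;` or building the list with a separator-aware helper avoids that; a comment stating that the caller guarantees at least one protocol bit would also suffice if that invariant holds. The enclosing function ssl_init_ctx_protocol starts and ends outside the hunk.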
@@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
             TLSv1_client_method() : /* proxy */
             TLSv1_server_method();  /* server */
     }
+#ifdef HAVE_TLSV1_X
+    else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+        method = mctx->pkp ?
+            TLSv1_1_client_method() : /* proxy */
+            TLSv1_1_server_method();  /* server */
+    }
+    else if (protocol == SSL_PROTOCOL_TLSV1_2) {
+        method = mctx->pkp ?
+            TLSv1_2_client_method() : /* proxy */
+            TLSv1_2_server_method();  /* server */
+    }
+#endif
     else { /* For multiple protocols, we need a flexible method */
         method = mctx->pkp ?
             SSLv23_client_method() : /* proxy */
@@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
 
+#ifdef HAVE_TLSV1_X
+    if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+    }
+
+    if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
+    }
+#endif
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
     if (sc->cipher_server_pref == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
index 31b9c8956f7e45343059de1a245cd6130a048f04..fb9ac2611bed12e4446ee4162f18456d7a9f78a5 100644 (file)
 #endif
 #endif
 
+#ifdef SSL_OP_NO_TLSv1_2
+#define HAVE_TLSV1_X
+#endif
+
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
 
@@ -316,7 +320,14 @@ typedef int ssl_opt_t;
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #define SSL_PROTOCOL_SSLV3 (1<<1)
 #define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifdef HAVE_TLSV1_X
+#define SSL_PROTOCOL_TLSV1_1 (1<<3)
+#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#else
 #define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
 typedef int ssl_proto_t;
 
 /**