Merge r1537535 from trunk:
authorJim Jagielski <jim@apache.org>
Tue, 8 Jul 2014 13:14:08 +0000 (13:14 +0000)
committerJim Jagielski <jim@apache.org>
Tue, 8 Jul 2014 13:14:08 +0000 (13:14 +0000)
For better compatibility with mod_nss:

* modules/ssl/ssl_engine_config.c (ssl_config_server_new): Default
  sc->enabled to UNSET.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Only override
  sc->enabled based on the protocol iff sc->enabled is UNSET; allows
  "SSLEngine off" to override the Listen-based default.

Submitted by: jorton
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1608759 13f79535-47bb-0310-9956-ffa450edef68

STATUS
modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c

diff --git a/STATUS b/STATUS
index 796e3d311cc10b894710be05d9e9eac4e6225edc..53e5ff733cbc0acf04d62ea75d11e4f778e2ab2f 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -100,18 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
-     OCSP requests should use a nonce to be checked against the responder's
-     one. PR 56233.
-     trunk patch: http://svn.apache.org/r1583191
-                  http://svn.apache.org/r1584098
-                  http://svn.apache.org/r1584665 (manual: use 2.4's backport
-                                                  version instead of temporary
-                                                  2.5-dev <compatibility> ref)
-                  http://svn.apache.org/r1591401
-     2.4.x patch: https://people.apache.org/~ylavic/httpd-2.4.x-SSLOCSPUseRequestNonce+manual-2.4.10-v2.patch
-     +1: ylavic, kbrand, jorton
-
    * mod_proxy_http: Avoid useless functions calls.
      trunk patch: http://svn.apache.org/r1572561
      2.4.x patch: trunk works
@@ -124,13 +112,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.4.x patch: trunk works (modulo CHANGES)
      +1: ylavic, covener, jim
 
-   * mod_ssl: Improve compatibility with mod_nss; allow "SSLEngine off" to override
-              Listen-based default.
-     trunk patch: http://svn.apache.org/r1537535
-     2.4.x patch: trunk patch works
-     +1: jorton, trawick, , jim
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
index ccff11aae6e53b1c7c4c0accb886d8f6dad545d5..e1470d1b6de3aeba2c6a9d5d0344966bfe87700f 100644 (file)
@@ -203,7 +203,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
     SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
 
     sc->mc                     = NULL;
-    sc->enabled                = SSL_ENABLED_FALSE;
+    sc->enabled                = SSL_ENABLED_UNSET;
     sc->proxy_enabled          = UNSET;
     sc->vhost_id               = NULL;  /* set during module init */
     sc->vhost_id_len           = 0;     /* set during module init */
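Review bot: With `sc->enabled` now starting as SSL_ENABLED_UNSET, any code that reads the field before ssl_init_Module resolves it no longer sees SSL_ENABLED_FALSE. If UNSET is a non-zero value and some caller tests the field for truth instead of comparing it with SSL_ENABLED_TRUE, an unconfigured vhost could be treated as TLS-enabled; those callers and the config merge routine are outside this hunk, so this needs checking. Presumably a vhost with no SSLEngine line can now also inherit the base server's setting at merge time rather than always being off. I would add a comment on the assignment, `/* UNSET until ssl_init_Module resolves it; compare against SSL_ENABLED_*, never test for truth */`. The body of ssl_config_server_new continues past the end of the hunk.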
index 8744181d0469fffdc3af64d9bf59552c98086f9a..70930ea740f847e6ad445c34d628ce7330246f12 100644 (file)
@@ -117,13 +117,16 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
         sc->vhost_id = ssl_util_vhostid(p, s);
         sc->vhost_id_len = strlen(sc->vhost_id);
 
-        if (ap_get_server_protocol(s) &&
-            strcmp("https", ap_get_server_protocol(s)) == 0) {
+        /* Default to enabled if SSLEngine is not set explicitly, and
+         * the protocol is https. */
+        if (ap_get_server_protocol(s) 
+            && strcmp("https", ap_get_server_protocol(s)) == 0
+            && sc->enabled == SSL_ENABLED_UNSET) {
             sc->enabled = SSL_ENABLED_TRUE;
         }
 
-        /* If sc->enabled is UNSET, then SSL is optional on this vhost  */
-        /* Fix up stuff that may not have been set */
+        /* Fix up stuff that may not have been set.  If sc->enabled is
+         * UNSET, then SSL is disabled on this vhost.  */
         if (sc->enabled == SSL_ENABLED_UNSET) {
             sc->enabled = SSL_ENABLED_FALSE;
         }
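Review bot: The added `&& sc->enabled == SSL_ENABLED_UNSET` test lets every explicit SSLEngine value override the https Listen default, not only "off" as the commit message describes. The removed condition forced SSL_ENABLED_TRUE on any https listener, so a vhost configured as optional (SSL_ENABLED_OPTIONAL, if that is how the directive maps) now stays optional, and one set to off serves cleartext on a port declared https. The new comment should state that, e.g. `/* Any explicit SSLEngine value (off, optional) wins over the https Listen default. */`, and a startup log line when an https listener ends up without TLS would help operators auditing the config. The line `if (ap_get_server_protocol(s) ` also carries trailing whitespace. The enclosing loop in ssl_init_Module starts and ends outside the hunk.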