From: Yann Ylavic
Date: Thu, 22 Jan 2015 18:27:46 +0000 (+0000)
Subject: mod_ssl: revert r1653906, will commit an alternative just after.
X-Git-Tag: 2.5.0-alpha~3516
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4c52577a7f34d2576c38f1d06f17b0768859ea48;p=apache

mod_ssl: revert r1653906, will commit an alternative just after.

The issue with r1653906 is that existing configurations like "SSLProtocol -SSLv3" (where the default is assumed to be ALL) won't work anymore.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653993 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index efe67fa85b..1c8875bce5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,9 +4,6 @@ Changes with Apache 2.5.0
 *) mod_alias: Introduce expression parser support for Alias, ScriptAlias and Redirect. [Graham Leggett]
 
- *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
- PR 57100. [Michael Kaufmann ]
-
 *) mod_rewrite: Improve 'bad flag delimeters' startup error by showing how the input was tokenized. PR 56528. [Edward Lu ]
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 738a00cf6e..eed4e084c3 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -110,7 +110,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
 mctx->ticket_key = NULL;
 #endif
 
- mctx->protocol = SSL_PROTOCOL_UNSET;
+ mctx->protocol = SSL_PROTOCOL_ALL;
 
 mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
 mctx->pphrase_dialog_path = NULL;
@@ -254,7 +254,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
 modssl_ctx_t *add,
 modssl_ctx_t *mrg)
 {
- cfgMerge(protocol, SSL_PROTOCOL_UNSET);
+ cfgMerge(protocol, SSL_PROTOCOL_ALL);
 
 cfgMerge(pphrase_dialog_type, SSL_PPTYPE_UNSET);
 cfgMergeString(pphrase_dialog_path);
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 903a5477a1..b44e01f1c2 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
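Review bot: The restored default in modssl_ctx_init, `mctx->protocol = SSL_PROTOCOL_ALL;`, puts the SSLv3 bit into every context that has no SSLProtocol directive, because SSL_PROTOCOL_ALL (visible as context in the ssl_private.h section of this commit) still ORs in SSL_PROTOCOL_SSLV3. That keeps `SSLProtocol -SSLv3` style configurations working, as the commit message intends, but the assignment should say so, e.g. `/* default when no SSLProtocol is given; the mask includes SSLv3, see SSL_PROTOCOL_ALL */`. Whether SSLv3 is then actually offered depends on code outside this hunk and on the linked OpenSSL, so deployments that must not offer it should set SSLProtocol explicitly rather than rely on the default. modssl_ctx_init begins and ends outside the hunk.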
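Review bot: `cfgMerge(protocol, SSL_PROTOCOL_ALL);` uses a value an administrator can legitimately configure as the "not set" marker, so a virtual host that explicitly sets `SSLProtocol ALL` looks unset at merge time and would keep whatever mask it inherits from the base server; this is the PR 57100 symptom whose CHANGES entry the commit removes. The cfgMerge macro is not visible here, so the inheritance rule is inferred from its use. The follow-up announced in the commit message should track "explicitly configured" separately from the mask (a flag set by the directive handler and tested in the merge) instead of comparing against ALL. Until then a comment on this line, `/* ALL doubles as "unset": an explicit 'SSLProtocol ALL' cannot override the base server, PR 57100 */`, would keep the limitation visible; the same sentinel is assigned in the modssl_ctx_init hunk above. modssl_ctx_cfg_merge continues outside the hunk.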
@@ -209,19 +209,10 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 if (sc->enabled == SSL_ENABLED_UNSET) {
 sc->enabled = SSL_ENABLED_FALSE;
 }
-
 if (sc->proxy_enabled == UNSET) {
 sc->proxy_enabled = FALSE;
 }
 
- if (sc->server && sc->server->protocol == SSL_PROTOCOL_UNSET) {
- sc->server->protocol = SSL_PROTOCOL_ALL;
- }
-
- if (sc->proxy && sc->proxy->protocol == SSL_PROTOCOL_UNSET) {
- sc->proxy->protocol = SSL_PROTOCOL_ALL;
- }
-
 if (sc->session_cache_timeout == UNSET) {
 sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
 }
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 69c4704fda..140b9c3099 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -286,14 +286,13 @@ typedef int ssl_opt_t;
 /**
 * Define the SSL Protocol options
 */
-#define SSL_PROTOCOL_UNSET (0)
-#define SSL_PROTOCOL_NONE (1<<0)
-#define SSL_PROTOCOL_SSLV2 (1<<1)
-#define SSL_PROTOCOL_SSLV3 (1<<2)
-#define SSL_PROTOCOL_TLSV1 (1<<3)
+#define SSL_PROTOCOL_NONE (0)
+#define SSL_PROTOCOL_SSLV2 (1<<0)
+#define SSL_PROTOCOL_SSLV3 (1<<1)
+#define SSL_PROTOCOL_TLSV1 (1<<2)
 #ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOL_TLSV1_1 (1<<4)
-#define SSL_PROTOCOL_TLSV1_2 (1<<5)
+#define SSL_PROTOCOL_TLSV1_1 (1<<3)
+#define SSL_PROTOCOL_TLSV1_2 (1<<4)
 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
 SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
 #else
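Review bot: With SSL_PROTOCOL_UNSET gone, `#define SSL_PROTOCOL_NONE (0)` makes the all-zero value mean "no protocols" rather than "not configured", and the header comment above the defines does not say so. A modssl_ctx_t that is zero-filled and never passes through modssl_ctx_init would therefore read as NONE; whether that can happen is not visible in this commit. I would extend the comment to state that these are bit flags OR'ed into one mask, that NONE is the empty mask and so cannot be tested with `&`, and that ALL is the value the init and merge code treat as the default. The `#else` branch that defines SSL_PROTOCOL_ALL without HAVE_TLSV1_X lies outside the hunk.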