From: Jan Kaluža Date: Wed, 22 Jul 2015 12:08:01 +0000 (+0000) Subject: mod_ssl: allow enabling of SSLProtocols even though they are disabled by OpenSSL X-Git-Tag: 2.5.0-alpha~2993 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ce587ed02f2b5d5069c99116417d4297cb3f9877;p=apache mod_ssl: allow enabling of SSLProtocols even though they are disabled by OpenSSL by default. Show warning in that case. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1692258 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number index 01d6fdc12a..60ca853552 100644 --- a/docs/log-message-tags/next-number +++ b/docs/log-message-tags/next-number @@ -1 +1 @@ -2904 +2905 diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index d48da637d6..ff02a76faf 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -471,6 +471,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, } #endif +/* + * Enable/disable SSLProtocol. If the mod_ssl enables protocol + * which is disabled by default by OpenSSL, show a warning. + * "option" is for example SSL_OP_NO_SSLv3. + */ +static void ssl_set_ctx_protocol_option(server_rec *s, + SSL_CTX *ctx, + long option, + int enabled, + const char *name) +{ + if (!enabled) { + SSL_CTX_set_options(ctx, option); + } + else if (SSL_CTX_get_options(ctx) & option) { + SSL_CTX_clear_options(ctx, option); + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904) + "Allowing SSLProtocol %s even though it is disabled " + "by OpenSSL by default on this system", name); + } +} + static apr_status_t ssl_init_ctx_protocol(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -540,22 +562,17 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, /* always disable SSLv2, as per RFC 6176 */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); - if (!(protocol & SSL_PROTOCOL_SSLV3)) { - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); - } - - if (!(protocol & SSL_PROTOCOL_TLSV1)) { - SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); - } + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3, + protocol & SSL_PROTOCOL_SSLV3, "SSLv3"); + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1, + protocol & SSL_PROTOCOL_TLSV1, "TLSv1"); #ifdef HAVE_TLSV1_X - if (!(protocol & SSL_PROTOCOL_TLSV1_1)) { - SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); - } + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_1, + protocol & SSL_PROTOCOL_TLSV1_1, "TLSv1.1"); - if (!(protocol & SSL_PROTOCOL_TLSV1_2)) { - SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); - } + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2, + protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2"); #endif #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE