From 1af61dfb2ed89e4b8816bc6988fe4ac6558dbb70 Mon Sep 17 00:00:00 2001 From: Kaspar Brand Date: Sat, 24 Dec 2011 06:40:10 +0000 Subject: [PATCH] SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when compiled against OpenSSL 1.0.1 or later. Update documentation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1222921 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_ssl.xml | 24 +++++++++++++++++------- modules/ssl/mod_ssl.c | 12 ++++++++++-- modules/ssl/ssl_engine_config.c | 6 ++++++ modules/ssl/ssl_engine_init.c | 26 ++++++++++++++++++++++++++ modules/ssl/ssl_private.h | 11 +++++++++++ 5 files changed, 70 insertions(+), 9 deletions(-) diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 5bf2438752..f54aa34c9d 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -61,7 +61,7 @@ compatibility variables.

Description: HTTPS flag HTTPS is being used. -SSL_PROTOCOL string The SSL protocol version (SSLv3, TLSv1) +SSL_PROTOCOL string The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2) SSL_SESSION_ID string The hex-encoded SSL session id SSL_SESSION_RESUMED string Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use SSL_SECURE_RENEG string true if secure renegotiation is supported, else false @@ -588,15 +588,25 @@ The available (case-insensitive) protocols are:

  • TLSv1

    - This is the Transport Layer Security (TLS) protocol, version 1.0. It is the - successor to SSLv3 and was originally defined in RFC 2246 - (obsoleted by RFC 4346 - and RFC 5246 in - the meantime).

  • + This is the Transport Layer Security (TLS) protocol, version 1.0. + It is the successor to SSLv3 and is defined in + RFC 2246.

    + +
  • TLSv1.1 (when using OpenSSL 1.0.1 and later) +

    + A revision of the TLS 1.0 protocol, as defined in + RFC 4346.

  • + +
  • TLSv1.2 (when using OpenSSL 1.0.1 and later) +

    + A revision of the TLS 1.1 protocol, as defined in + RFC 5246.

  • all

    - This is a shortcut for ``+SSLv3 +TLSv1''.

  • + This is a shortcut for ``+SSLv3 +TLSv1'' or + - when using OpenSSL 1.0.1 and later - + ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

    Example SSLProtocol TLSv1 diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 57bf2d949b..0140b6182d 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -130,7 +130,11 @@ static const command_rec ssl_config_cmds[] = { "('N' - number of seconds)") SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable or disable various SSL protocols" - "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") +#ifdef HAVE_TLSV1_X + "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") +#else + "('[+-][SSLv3|TLSv1] ...' - see manual)") +#endif SSL_CMD_SRV(HonorCipherOrder, FLAG, "Use the server's cipher ordering preference") SSL_CMD_SRV(InsecureRenegotiation, FLAG, @@ -148,7 +152,11 @@ static const command_rec ssl_config_cmds[] = { "('on', 'off')") SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " - "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") +#ifdef HAVE_TLSV1_X + "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") +#else + "('[+-][SSLv3|TLSv1] ...' - see manual)") +#endif SSL_CMD_SRV(ProxyCipherSuite, TAKE1, "SSL Proxy: colon-delimited list of permitted SSL ciphers " "('XXX:...:XXX' - see manual)") diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 8b2d53ad17..3934ae140c 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -1283,6 +1283,12 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms, else if (strcEQ(w, "TLSv1")) { thisopt = SSL_PROTOCOL_TLSV1; } + else if (strcEQ(w, "TLSv1.1")) { + thisopt = SSL_PROTOCOL_TLSV1_1; + } + else if (strcEQ(w, "TLSv1.2")) { + thisopt = SSL_PROTOCOL_TLSV1_2; + } else if (strcEQ(w, "all")) { thisopt = SSL_PROTOCOL_ALL; } diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 39b083be08..78a2bd0529 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server_rec *s, cp = apr_pstrcat(p, (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), +#ifdef HAVE_TLSV1_X + (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""), + (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""), +#endif NULL); cp[strlen(cp)-2] = NUL; @@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server_rec *s, TLSv1_client_method() : /* proxy */ TLSv1_server_method(); /* server */ } +#ifdef HAVE_TLSV1_X + else if (protocol == SSL_PROTOCOL_TLSV1_1) { + method = mctx->pkp ? + TLSv1_1_client_method() : /* proxy */ + TLSv1_1_server_method(); /* server */ + } + else if (protocol == SSL_PROTOCOL_TLSV1_2) { + method = mctx->pkp ? + TLSv1_2_client_method() : /* proxy */ + TLSv1_2_server_method(); /* server */ + } +#endif else { /* For multiple protocols, we need a flexible method */ method = mctx->pkp ? SSLv23_client_method() : /* proxy */ @@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); } +#ifdef HAVE_TLSV1_X + if (!(protocol & SSL_PROTOCOL_TLSV1_1)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); + } + + if (!(protocol & SSL_PROTOCOL_TLSV1_2)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); + } +#endif + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE if (sc->cipher_server_pref == TRUE) { SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 31b9c8956f..fb9ac2611b 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -176,6 +176,10 @@ #endif #endif +#ifdef SSL_OP_NO_TLSv1_2 +#define HAVE_TLSV1_X +#endif + /* mod_ssl headers */ #include "ssl_util_ssl.h" @@ -316,7 +320,14 @@ typedef int ssl_opt_t; #define SSL_PROTOCOL_SSLV2 (1<<0) #define SSL_PROTOCOL_SSLV3 (1<<1) #define SSL_PROTOCOL_TLSV1 (1<<2) +#ifdef HAVE_TLSV1_X +#define SSL_PROTOCOL_TLSV1_1 (1<<3) +#define SSL_PROTOCOL_TLSV1_2 (1<<4) +#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \ + SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) +#else #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) +#endif typedef int ssl_proto_t; /** -- 2.40.0