From 1af61dfb2ed89e4b8816bc6988fe4ac6558dbb70 Mon Sep 17 00:00:00 2001
From: Kaspar Brand
Date: Sat, 24 Dec 2011 06:40:10 +0000
Subject: [PATCH] SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2
flavors when compiled against OpenSSL 1.0.1 or later. Update documentation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1222921 13f79535-47bb-0310-9956-ffa450edef68
---
docs/manual/mod/mod_ssl.xml | 24 +++++++++++++++++-------
modules/ssl/mod_ssl.c | 12 ++++++++++--
modules/ssl/ssl_engine_config.c | 6 ++++++
modules/ssl/ssl_engine_init.c | 26 ++++++++++++++++++++++++++
modules/ssl/ssl_private.h | 11 +++++++++++
5 files changed, 70 insertions(+), 9 deletions(-)
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 5bf2438752..f54aa34c9d 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -61,7 +61,7 @@ compatibility variables.
Description: |
HTTPS | flag | HTTPS is being used. |
-SSL_PROTOCOL | string | The SSL protocol version (SSLv3, TLSv1) |
+SSL_PROTOCOL | string | The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2) |
SSL_SESSION_ID | string | The hex-encoded SSL session id |
SSL_SESSION_RESUMED | string | Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use |
SSL_SECURE_RENEG | string | true if secure renegotiation is supported, else false |
@@ -588,15 +588,25 @@ The available (case-insensitive) protocols are:
TLSv1
- This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
- successor to SSLv3 and was originally defined in RFC 2246
- (obsoleted by RFC 4346
- and RFC 5246 in
- the meantime).
+ This is the Transport Layer Security (TLS) protocol, version 1.0.
+ It is the successor to SSLv3 and is defined in
+ RFC 2246.
+
+TLSv1.1
(when using OpenSSL 1.0.1 and later)
+
+ A revision of the TLS 1.0 protocol, as defined in
+ RFC 4346.
+
+TLSv1.2
(when using OpenSSL 1.0.1 and later)
+
+ A revision of the TLS 1.1 protocol, as defined in
+ RFC 5246.
all
- This is a shortcut for ``+SSLv3 +TLSv1
''.
+ This is a shortcut for ``+SSLv3 +TLSv1
'' or
+ - when using OpenSSL 1.0.1 and later -
+ ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
, respectively.
Example
SSLProtocol TLSv1
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 57bf2d949b..0140b6182d 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -130,7 +130,11 @@ static const command_rec ssl_config_cmds[] = {
"('N' - number of seconds)")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
- "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+ "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
@@ -148,7 +152,11 @@ static const command_rec ssl_config_cmds[] = {
"('on', 'off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
- "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef HAVE_TLSV1_X
+ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+#else
+ "('[+-][SSLv3|TLSv1] ...' - see manual)")
+#endif
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"('XXX:...:XXX' - see manual)")
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 8b2d53ad17..3934ae140c 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1283,6 +1283,12 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
}
+ else if (strcEQ(w, "TLSv1.1")) {
+ thisopt = SSL_PROTOCOL_TLSV1_1;
+ }
+ else if (strcEQ(w, "TLSv1.2")) {
+ thisopt = SSL_PROTOCOL_TLSV1_2;
+ }
else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL;
}
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 39b083be08..78a2bd0529 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server_rec *s,
cp = apr_pstrcat(p,
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
+#ifdef HAVE_TLSV1_X
+ (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
+ (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
+#endif
NULL);
cp[strlen(cp)-2] = NUL;
@@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server_rec *s,
TLSv1_client_method() : /* proxy */
TLSv1_server_method(); /* server */
}
+#ifdef HAVE_TLSV1_X
+ else if (protocol == SSL_PROTOCOL_TLSV1_1) {
+ method = mctx->pkp ?
+ TLSv1_1_client_method() : /* proxy */
+ TLSv1_1_server_method(); /* server */
+ }
+ else if (protocol == SSL_PROTOCOL_TLSV1_2) {
+ method = mctx->pkp ?
+ TLSv1_2_client_method() : /* proxy */
+ TLSv1_2_server_method(); /* server */
+ }
+#endif
else { /* For multiple protocols, we need a flexible method */
method = mctx->pkp ?
SSLv23_client_method() : /* proxy */
@@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
}
+#ifdef HAVE_TLSV1_X
+ if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+ }
+
+ if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
+
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (sc->cipher_server_pref == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 31b9c8956f..fb9ac2611b 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -176,6 +176,10 @@
#endif
#endif
+#ifdef SSL_OP_NO_TLSv1_2
+#define HAVE_TLSV1_X
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -316,7 +320,14 @@ typedef int ssl_opt_t;
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifdef HAVE_TLSV1_X
+#define SSL_PROTOCOL_TLSV1_1 (1<<3)
+#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+ SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
typedef int ssl_proto_t;
/**
--
2.40.0