From f4489c95c54d85cd8d0c543732a11064f53be096 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Tue, 8 Jul 2014 13:14:08 +0000 Subject: [PATCH] Merge r1537535 from trunk: For better compatibility with mod_nss: * modules/ssl/ssl_engine_config.c (ssl_config_server_new): Default sc->enabled to UNSET. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Only override sc->enabled based on the protocol iff sc->enabled is UNSET; allows "SSLEngine off" to override the Listen-based default. Submitted by: jorton Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1608759 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 19 ------------------- modules/ssl/ssl_engine_config.c | 2 +- modules/ssl/ssl_engine_init.c | 11 +++++++---- 3 files changed, 8 insertions(+), 24 deletions(-) diff --git a/STATUS b/STATUS index 796e3d311c..53e5ff733c 100644 --- a/STATUS +++ b/STATUS @@ -100,18 +100,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not - OCSP requests should use a nonce to be checked against the responder's - one. PR 56233. - trunk patch: http://svn.apache.org/r1583191 - http://svn.apache.org/r1584098 - http://svn.apache.org/r1584665 (manual: use 2.4's backport - version instead of temporary - 2.5-dev ref) - http://svn.apache.org/r1591401 - 2.4.x patch: https://people.apache.org/~ylavic/httpd-2.4.x-SSLOCSPUseRequestNonce+manual-2.4.10-v2.patch - +1: ylavic, kbrand, jorton - * mod_proxy_http: Avoid useless functions calls. trunk patch: http://svn.apache.org/r1572561 2.4.x patch: trunk works 
@@ -124,13 +112,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works (modulo CHANGES) +1: ylavic, covener, jim - * mod_ssl: Improve compatibility with mod_nss; allow "SSLEngine off" to override - Listen-based default. - trunk patch: http://svn.apache.org/r1537535 - 2.4.x patch: trunk patch works - +1: jorton, trawick, , jim - - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index ccff11aae6..e1470d1b6d 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -203,7 +203,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc)); sc->mc = NULL; - sc->enabled = SSL_ENABLED_FALSE; + sc->enabled = SSL_ENABLED_UNSET; sc->proxy_enabled = UNSET; sc->vhost_id = NULL; /* set during module init */ sc->vhost_id_len = 0; /* set during module init */ diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 8744181d04..70930ea740 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -117,13 +117,16 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->vhost_id = ssl_util_vhostid(p, s); sc->vhost_id_len = strlen(sc->vhost_id); - if (ap_get_server_protocol(s) && - strcmp("https", ap_get_server_protocol(s)) == 0) { + /* Default to enabled if SSLEngine is not set explicitly, and + * the protocol is https. */ + if (ap_get_server_protocol(s) + && strcmp("https", ap_get_server_protocol(s)) == 0 + && sc->enabled == SSL_ENABLED_UNSET) { sc->enabled = SSL_ENABLED_TRUE; } - /* If sc->enabled is UNSET, then SSL is optional on this vhost */ - /* Fix up stuff that may not have been set */ + /* Fix up stuff that may not have been set. If sc->enabled is + * UNSET, then SSL is disabled on this vhost. */ if (sc->enabled == SSL_ENABLED_UNSET) { sc->enabled = SSL_ENABLED_FALSE; } -- 2.50.1
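Review bot: The new SSL_ENABLED_UNSET default in ssl_config_server_new changes what a vhost with no SSLEngine directive ends up with: if ssl_config_server_merge (outside this hunk) resolves an UNSET child value from the base server, a global `SSLEngine on` now propagates into vhosts that previously defaulted to SSL_ENABLED_FALSE, and the init-time fallback to FALSE only covers the case where the base is UNSET as well. That is presumably intended for the mod_nss use case, but the commit message describes only the "SSLEngine off" override, so the inheritance change deserves a sentence in the SSLEngine directive docs. I would also record the three-state contract on the field itself so the next reader does not assume UNSET means off: `sc->enabled = SSL_ENABLED_UNSET; /* resolved in ssl_init_Module: https Listen => TRUE, otherwise FALSE */`. ssl_config_server_new continues outside the hunk.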
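Review bot: The rewritten condition in ssl_init_Module evaluates `ap_get_server_protocol(s)` twice; hoist it into a local, `const char *proto = ap_get_server_protocol(s);`, and test `proto && strcmp("https", proto) == 0`. More importantly for operators, an explicit `SSLEngine off` now wins over a `Listen ... https` default, so a server on an https port is silently left without mod_ssl; that is the intended mod_nss case, but nothing in the error log distinguishes it from a vhost that was misconfigured to serve plaintext on 443. I would log once per such server at APLOG_INFO (kept below warning level so the deliberate mod_nss setup does not produce noise) when the protocol is https and sc->enabled resolved to SSL_ENABLED_FALSE, reusing the sc->vhost_id set just above. ssl_init_Module begins and ends outside the hunk, and whether the merge step has already resolved sc->enabled from the base server is not visible here.
```c
    const char *proto = ap_get_server_protocol(s);
    int is_https = proto && strcmp("https", proto) == 0;

    /* Default to enabled if SSLEngine is not set explicitly, and
     * the protocol is https. */
    if (is_https && sc->enabled == SSL_ENABLED_UNSET) {
        sc->enabled = SSL_ENABLED_TRUE;
    }
    else if (is_https && sc->enabled == SSL_ENABLED_FALSE) {
        /* "SSLEngine off" deliberately overrides an https Listen (e.g. when
         * another TLS module owns the port); make that visible at startup. */
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO()
                     "SSLEngine off for %s although its protocol is https; "
                     "mod_ssl will not handle this server", sc->vhost_id);
    }
    /* … unchanged: UNSET -> FALSE fallback … */
```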