httpd/SOURCES/httpd-2.4.37-sslprotdefault.patch

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 55c237e..5467d23 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->ticket_key          = NULL;
 #endif
 
-    mctx->protocol            = SSL_PROTOCOL_DEFAULT;
+    mctx->protocol            = SSL_PROTOCOL_NONE;
     mctx->protocol_set        = 0;
 
     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@@ -262,6 +262,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
 {
     if (add->protocol_set) {
         mrg->protocol = add->protocol;
+        mrg->protocol_set = 1;
     }
     else {
         mrg->protocol = base->protocol;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index e3f62fe..31fc0e6 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -568,6 +568,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
     char *cp;
     int protocol = mctx->protocol;
+    int protocol_set = mctx->protocol_set;
     SSLSrvConfigRec *sc = mySrvConfig(s);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     int prot;
@@ -577,12 +578,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
      *  Create the new per-server SSL context
      */
     if (protocol == SSL_PROTOCOL_NONE) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
-                "No SSL protocols available [hint: SSLProtocol]");
-        return ssl_die(s);
-    }
+        if (protocol_set) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
+                    "No SSL protocols available [hint: SSLProtocol]");
+            return ssl_die(s);
+        }
 
-    cp = apr_pstrcat(p,
+        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, 
+                     "Using OpenSSL/system default SSL/TLS protocols");
+        cp = "default";
+    }
+    else {
+        cp = apr_pstrcat(p,
 #ifndef OPENSSL_NO_SSL3
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
 #endif
@@ -595,7 +602,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 #endif
 #endif
                      NULL);
-    cp[strlen(cp)-2] = NUL;
+        cp[strlen(cp)-2] = NUL;
+    }
 
     ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
                  "Creating new SSL context (protocols: %s)", cp);
@@ -696,13 +704,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
         prot = SSL3_VERSION;
 #endif
     } else {
-        SSL_CTX_free(ctx);
-        mctx->ssl_ctx = NULL;
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
-                "No SSL protocols available [hint: SSLProtocol]");
-        return ssl_die(s);
+        if (protocol_set) {
+            SSL_CTX_free(ctx);
+            mctx->ssl_ctx = NULL;
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
+                    "No SSL protocols available [hint: SSLProtocol]");
+            return ssl_die(s);
+        }
     }
-    SSL_CTX_set_max_proto_version(ctx, prot);
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
 
     /* Next we scan for the minimal protocol version we should provide,
      * but we do not allow holes between max and min */
@@ -726,7 +736,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
         prot = SSL3_VERSION;
     }
 #endif
-    SSL_CTX_set_min_proto_version(ctx, prot);
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
import httpd-2.4.37-12.module+el8.0.0+4096+eb40e6da 2019-09-24 13:41:49 +00:00			`diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c`
			`index 55c237e..5467d23 100644`
			`--- a/modules/ssl/ssl_engine_config.c`
			`+++ b/modules/ssl/ssl_engine_config.c`
			`@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t mctx, apr_pool_t p)`
			`mctx->ticket_key = NULL;`
			`#endif`

			`- mctx->protocol = SSL_PROTOCOL_DEFAULT;`
			`+ mctx->protocol = SSL_PROTOCOL_NONE;`
			`mctx->protocol_set = 0;`

			`mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;`
			`@@ -262,6 +262,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,`
			`{`
			`if (add->protocol_set) {`
			`mrg->protocol = add->protocol;`
			`+ mrg->protocol_set = 1;`
			`}`
			`else {`
			`mrg->protocol = base->protocol;`
			`diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c`
			`index e3f62fe..31fc0e6 100644`
			`--- a/modules/ssl/ssl_engine_init.c`
			`+++ b/modules/ssl/ssl_engine_init.c`
			`@@ -568,6 +568,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,`
			`MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;`
			`char *cp;`
			`int protocol = mctx->protocol;`
			`+ int protocol_set = mctx->protocol_set;`
			`SSLSrvConfigRec *sc = mySrvConfig(s);`
			`#if OPENSSL_VERSION_NUMBER >= 0x10100000L`
			`int prot;`
			`@@ -577,12 +578,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,`
			`* Create the new per-server SSL context`
			`*/`
			`if (protocol == SSL_PROTOCOL_NONE) {`
			`- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)`
			`- "No SSL protocols available [hint: SSLProtocol]");`
			`- return ssl_die(s);`
			`- }`
			`+ if (protocol_set) {`
			`+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)`
			`+ "No SSL protocols available [hint: SSLProtocol]");`
			`+ return ssl_die(s);`
			`+ }`

			`- cp = apr_pstrcat(p,`
			`+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,`
			`+ "Using OpenSSL/system default SSL/TLS protocols");`
			`+ cp = "default";`
			`+ }`
			`+ else {`
			`+ cp = apr_pstrcat(p,`
			`#ifndef OPENSSL_NO_SSL3`
			`(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),`
			`#endif`
			`@@ -595,7 +602,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,`
			`#endif`
			`#endif`
			`NULL);`
			`- cp[strlen(cp)-2] = NUL;`
			`+ cp[strlen(cp)-2] = NUL;`
			`+ }`

			`ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,`
			`"Creating new SSL context (protocols: %s)", cp);`
			`@@ -696,13 +704,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,`
			`prot = SSL3_VERSION;`
			`#endif`
			`} else {`
			`- SSL_CTX_free(ctx);`
			`- mctx->ssl_ctx = NULL;`
			`- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)`
			`- "No SSL protocols available [hint: SSLProtocol]");`
			`- return ssl_die(s);`
			`+ if (protocol_set) {`
			`+ SSL_CTX_free(ctx);`
			`+ mctx->ssl_ctx = NULL;`
			`+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)`
			`+ "No SSL protocols available [hint: SSLProtocol]");`
			`+ return ssl_die(s);`
			`+ }`
			`}`
			`- SSL_CTX_set_max_proto_version(ctx, prot);`
			`+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);`

			`/* Next we scan for the minimal protocol version we should provide,`
			`* but we do not allow holes between max and min */`
			`@@ -726,7 +736,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,`
			`prot = SSL3_VERSION;`
			`}`
			`#endif`
			`- SSL_CTX_set_min_proto_version(ctx, prot);`
			`+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);`
			`#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */`

			`#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE`