httpd/httpd-2.4.34-enable-sslv3.patch


https://bugzilla.redhat.com/show_bug.cgi?id=1623165

--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.enable-sslv3
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -1474,6 +1474,10 @@
 #endif
         else if (strcEQ(w, "all")) {
             thisopt = SSL_PROTOCOL_ALL;
+#ifndef OPENSSL_NO_SSL3
+            /* by default, ALL kw doesn't turn on SSLv3 */
+            thisopt &= ~SSL_PROTOCOL_SSLV3;
+#endif
         }
         else {
             return apr_pstrcat(parms->temp_pool,
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.enable-sslv3
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
@@ -537,6 +537,28 @@
 }
 #endif
 
+/*
+ * Enable/disable SSLProtocol. If the mod_ssl enables protocol
+ * which is disabled by default by OpenSSL, show a warning.
+ * "option" is for example SSL_OP_NO_SSLv3.
+ */
+static void ssl_set_ctx_protocol_option(server_rec *s,
+                                        SSL_CTX *ctx,
+                                        long option,
+                                        int enabled,
+                                        const char *name)
+{
+      if (!enabled) {
+                SSL_CTX_set_options(ctx, option);
+      }
+      else if (SSL_CTX_get_options(ctx) & option) {
+                    SSL_CTX_clear_options(ctx, option);
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)
+                                 "Allowing SSLProtocol %s even though it is disabled "
+                                 "by OpenSSL by default on this system", name);
+      }
+}
+
 static apr_status_t ssl_init_ctx_protocol(server_rec *s,
                                           apr_pool_t *p,
                                           apr_pool_t *ptemp,
@@ -687,9 +709,13 @@
     }
     if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
         prot = TLS1_VERSION;
+        ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
+                                    protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
     }
 #ifndef OPENSSL_NO_SSL3
     if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
+        ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
+                                    protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
         prot = SSL3_VERSION;
     }
 #endif
fix build if OpenSSL built w/o SSLv3 support 2018-09-25 08:43:59 +00:00
			`https://bugzilla.redhat.com/show_bug.cgi?id=1623165`

			`--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.enable-sslv3`
			`+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c`
			`@@ -1474,6 +1474,10 @@`
mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All" configuration (#1624777) Resolves: #1624777 2018-09-03 09:29:22 +00:00			`#endif`
			`else if (strcEQ(w, "all")) {`
			`thisopt = SSL_PROTOCOL_ALL;`
fix build if OpenSSL built w/o SSLv3 support 2018-09-25 08:43:59 +00:00			`+#ifndef OPENSSL_NO_SSL3`
			`+ /* by default, ALL kw doesn't turn on SSLv3 */`
mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All" configuration (#1624777) Resolves: #1624777 2018-09-03 09:29:22 +00:00			`+ thisopt &= ~SSL_PROTOCOL_SSLV3;`
fix build if OpenSSL built w/o SSLv3 support 2018-09-25 08:43:59 +00:00			`+#endif`
mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All" configuration (#1624777) Resolves: #1624777 2018-09-03 09:29:22 +00:00			`}`
			`else {`
			`return apr_pstrcat(parms->temp_pool,`
fix build if OpenSSL built w/o SSLv3 support 2018-09-25 08:43:59 +00:00			`--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.enable-sslv3`
			`+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c`
			`@@ -537,6 +537,28 @@`
mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All" configuration (#1624777) Resolves: #1624777 2018-09-03 09:29:22 +00:00			`}`
			`#endif`

			`+/*`
			`+ * Enable/disable SSLProtocol. If the mod_ssl enables protocol`
			`+ * which is disabled by default by OpenSSL, show a warning.`
			`+ * "option" is for example SSL_OP_NO_SSLv3.`
			`+ */`
			`+static void ssl_set_ctx_protocol_option(server_rec *s,`
			`+ SSL_CTX *ctx,`
			`+ long option,`
			`+ int enabled,`
			`+ const char *name)`
			`+{`
			`+ if (!enabled) {`
			`+ SSL_CTX_set_options(ctx, option);`
			`+ }`
			`+ else if (SSL_CTX_get_options(ctx) & option) {`
			`+ SSL_CTX_clear_options(ctx, option);`
			`+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)`
			`+ "Allowing SSLProtocol %s even though it is disabled "`
			`+ "by OpenSSL by default on this system", name);`
			`+ }`
			`+}`
			`+`
			`static apr_status_t ssl_init_ctx_protocol(server_rec *s,`
			`apr_pool_t *p,`
			`apr_pool_t *ptemp,`
fix build if OpenSSL built w/o SSLv3 support 2018-09-25 08:43:59 +00:00			`@@ -687,9 +709,13 @@`
mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All" configuration (#1624777) Resolves: #1624777 2018-09-03 09:29:22 +00:00			`}`
			`if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {`
			`prot = TLS1_VERSION;`
			`+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,`
			`+ protocol & SSL_PROTOCOL_TLSV1, "TLSv1");`
			`}`
			`#ifndef OPENSSL_NO_SSL3`
			`if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {`
			`+ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,`
			`+ protocol & SSL_PROTOCOL_SSLV3, "SSLv3");`
			`prot = SSL3_VERSION;`
			`}`
			`#endif`