httpd/httpd-2.4.34-sslprotdefault.patch


https://bugzilla.redhat.com/show_bug.cgi?id=1618371 

--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@
     mctx->ticket_key          = NULL;
 #endif
 
-    mctx->protocol            = SSL_PROTOCOL_DEFAULT;
+    mctx->protocol            = SSL_PROTOCOL_NONE;
     mctx->protocol_set        = 0;
 
     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
@@ -555,9 +555,8 @@
      *  Create the new per-server SSL context
      */
     if (protocol == SSL_PROTOCOL_NONE) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
-                "No SSL protocols available [hint: SSLProtocol]");
-        return ssl_die(s);
+        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, 
+                     "Using OpenSSL/system default SSL/TLS protocols");
     }
 
     cp = apr_pstrcat(p,
@@ -673,14 +672,8 @@
     } else if (protocol & SSL_PROTOCOL_SSLV3) {
         prot = SSL3_VERSION;
 #endif
-    } else {
-        SSL_CTX_free(ctx);
-        mctx->ssl_ctx = NULL;
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
-                "No SSL protocols available [hint: SSLProtocol]");
-        return ssl_die(s);
     }
-    SSL_CTX_set_max_proto_version(ctx, prot);
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
 
     /* Next we scan for the minimal protocol version we should provide,
      * but we do not allow holes between max and min */
@@ -700,7 +693,7 @@
         prot = SSL3_VERSION;
     }
 #endif
-    SSL_CTX_set_min_proto_version(ctx, prot);
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
mod_ssl: follow OpenSSL protocol defaults if SSLProtocol is not configured (Rob Crittenden, #1618371) Resolves: rhbz#1618371 2018-09-21 12:07:38 +00:00
			`https://bugzilla.redhat.com/show_bug.cgi?id=1618371`

			`--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault`
			`+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c`
			`@@ -119,7 +119,7 @@`
			`mctx->ticket_key = NULL;`
			`#endif`

			`- mctx->protocol = SSL_PROTOCOL_DEFAULT;`
			`+ mctx->protocol = SSL_PROTOCOL_NONE;`
			`mctx->protocol_set = 0;`

			`mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;`
			`--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault`
			`+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c`
			`@@ -555,9 +555,8 @@`
			`* Create the new per-server SSL context`
			`*/`
			`if (protocol == SSL_PROTOCOL_NONE) {`
			`- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)`
			`- "No SSL protocols available [hint: SSLProtocol]");`
			`- return ssl_die(s);`
			`+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,`
			`+ "Using OpenSSL/system default SSL/TLS protocols");`
			`}`

			`cp = apr_pstrcat(p,`
			`@@ -673,14 +672,8 @@`
			`} else if (protocol & SSL_PROTOCOL_SSLV3) {`
			`prot = SSL3_VERSION;`
			`#endif`
			`- } else {`
			`- SSL_CTX_free(ctx);`
			`- mctx->ssl_ctx = NULL;`
			`- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)`
			`- "No SSL protocols available [hint: SSLProtocol]");`
			`- return ssl_die(s);`
			`}`
			`- SSL_CTX_set_max_proto_version(ctx, prot);`
			`+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);`

			`/* Next we scan for the minimal protocol version we should provide,`
			`* but we do not allow holes between max and min */`
			`@@ -700,7 +693,7 @@`
			`prot = SSL3_VERSION;`
			`}`
			`#endif`
			`- SSL_CTX_set_min_proto_version(ctx, prot);`
			`+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);`
			`#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */`

			`#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE`