mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All"

configuration (#1624777)

Resolves: #1624777

httpd-2.4.34-enable-sslv3.patch

@@ -0,0 +1,60 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 517ce30..075f7e1 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -1474,6 +1474,8 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
+ #endif
+         else if (strcEQ(w, "all")) {
+             thisopt = SSL_PROTOCOL_ALL;
++            // by default, ALL kw doesn't turn on SSLv3
++            thisopt &= ~SSL_PROTOCOL_SSLV3;
+         }
+         else {
+             return apr_pstrcat(parms->temp_pool,
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 60df45f..f6645c2 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -537,6 +537,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
+ }
+ #endif
+ 
++/*
++ * Enable/disable SSLProtocol. If the mod_ssl enables protocol
++ * which is disabled by default by OpenSSL, show a warning.
++ * "option" is for example SSL_OP_NO_SSLv3.
++ */
++static void ssl_set_ctx_protocol_option(server_rec *s,
++                                        SSL_CTX *ctx,
++                                        long option,
++                                        int enabled,
++                                        const char *name)
++{
++      if (!enabled) {
++                SSL_CTX_set_options(ctx, option);
++      }
++      else if (SSL_CTX_get_options(ctx) & option) {
++                    SSL_CTX_clear_options(ctx, option);
++                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)
++                                 "Allowing SSLProtocol %s even though it is disabled "
++                                 "by OpenSSL by default on this system", name);
++      }
++}
++
+ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+                                           apr_pool_t *p,
+                                           apr_pool_t *ptemp,
+@@ -695,9 +719,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     }
+     if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+         prot = TLS1_VERSION;
++        ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
++                                    protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
+     }
+ #ifndef OPENSSL_NO_SSL3
+     if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
++        ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
++                                    protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
+         prot = SSL3_VERSION;
+     }
+ #endif

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -81,6 +81,7 @@ Patch37: httpd-2.4.34-r1827912+.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch58: httpd-2.4.34-r1738878.patch
 Patch59: httpd-2.4.34-r1555631.patch
+Patch60: httpd-2.4.34-enable-sslv3.patch
 
 # Security fixes
 
@@ -241,6 +242,7 @@ interface for storing and accessing per-user session data.
 
 %patch58 -p1 -b .r1738878
 %patch59 -p1 -b .r1555631
+%patch60 -p1 -b .enablesslv3
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -729,6 +731,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue Aug 28 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.34-6
+- mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All"
+  configuration (#1624777)
+
 * Tue Aug 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-5
 - mod_ssl: further TLSv1.3 fix (#1619389)