From 5bf30dc15619f53f8d281e3a35360d9c67bf9ea2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Mon, 3 Sep 2018 11:29:22 +0200
Subject: [PATCH] mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All" configuration (#1624777)

Resolves: #1624777

---
 httpd-2.4.34-enable-sslv3.patch | 60 +++++++++++++++++++++++++++++++++
 httpd.spec | 8 ++++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 httpd-2.4.34-enable-sslv3.patch

diff --git a/httpd-2.4.34-enable-sslv3.patch b/httpd-2.4.34-enable-sslv3.patch
new file mode 100644
index 0000000..f559bf9
--- /dev/null
+++ b/httpd-2.4.34-enable-sslv3.patch
@@ -0,0 +1,60 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 517ce30..075f7e1 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -1474,6 +1474,8 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
+ #endif
+ else if (strcEQ(w, "all")) {
+ thisopt = SSL_PROTOCOL_ALL;
++ // by default, ALL kw doesn't turn on SSLv3
++ thisopt &= ~SSL_PROTOCOL_SSLV3;
+ }
+ else {
+ return apr_pstrcat(parms->temp_pool,
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 60df45f..f6645c2 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -537,6 +537,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
+ }
+ #endif
++
++/*
++ * Enable/disable SSLProtocol. If the mod_ssl enables protocol
++ * which is disabled by default by OpenSSL, show a warning.
++ * "option" is for example SSL_OP_NO_SSLv3.
++ */
++static void ssl_set_ctx_protocol_option(server_rec *s,
++ SSL_CTX *ctx,
++ long option,
++ int enabled,
++ const char *name)
++{
++ if (!enabled) {
++ SSL_CTX_set_options(ctx, option);
++ }
++ else if (SSL_CTX_get_options(ctx) & option) {
++ SSL_CTX_clear_options(ctx, option);
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)
++ "Allowing SSLProtocol %s even though it is disabled "
++ "by OpenSSL by default on this system", name);
++ }
++}
++
+ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ apr_pool_t *p,
+ apr_pool_t *ptemp,
+@@ -695,9 +719,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ }
+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
++ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
++ protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
+ }
+ #ifndef OPENSSL_NO_SSL3
+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
++ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
++ protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
+ prot = SSL3_VERSION;
+ }
+ #endif
diff --git a/httpd.spec b/httpd.spec
index 697b97e..5d98218 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -81,6 +81,7 @@ Patch37: httpd-2.4.34-r1827912+.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch58: httpd-2.4.34-r1738878.patch
 Patch59: httpd-2.4.34-r1555631.patch
+Patch60: httpd-2.4.34-enable-sslv3.patch

 # Security fixes
@@ -241,6 +242,7 @@ interface for storing and accessing per-user session data.
 %patch58 -p1 -b .r1738878
 %patch59 -p1 -b .r1555631
+%patch60 -p1 -b .enablesslv3

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -729,6 +731,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue Aug 28 2018 Luboš Uhliarik - 2.4.34-6
+- mod_ssl: enable SSLv3 and change behavior of "SSLProtocol All"
+ configuration (#1624777)
+
 * Tue Aug 21 2018 Joe Orton - 2.4.34-5
 - mod_ssl: further TLSv1.3 fix (#1619389)
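Review bot: The `enabled` argument of the new `ssl_set_ctx_protocol_option` is always non-zero at both call sites in the `@@ -695,9 +719,13 @@` hunk — each call sits inside an `if` that already tests the same `protocol & SSL_PROTOCOL_TLSV1` / `protocol & SSL_PROTOCOL_SSLV3` bit — so the `if (!enabled) { SSL_CTX_set_options(ctx, option); }` branch can never run from this code and the helper's header comment ("Enable/disable SSLProtocol") promises more than the callers use. Either drop the parameter and keep only the clear-and-warn path, or move the two calls out of their `if` so a protocol the admin did not request also gets its `SSL_OP_NO_*` bit set, as a second line of defence next to whatever minimum-version selection `ssl_init_ctx_protocol` performs outside this hunk. In the ssl_engine_config.c hunk, `// by default, ALL kw doesn't turn on SSLv3` is a `//` comment where httpd's sources (including the block comment this same patch adds in ssl_engine_init.c) use `/* */`; suggest `/* "all" deliberately excludes SSLv3; it must be requested explicitly with +SSLv3 */`. Because the clear-and-warn path removes a restriction the system OpenSSL applied on purpose, the APLOGNO(02904) message could also state that the protocol is obsolete, so an operator reading the log sees a security downgrade rather than a compatibility quirk. `ssl_init_ctx_protocol` begins and ends outside this hunk.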