From 86433978a1e5820ebe5ece19a64cebf77053910b Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 21 Sep 2018 13:07:38 +0100 Subject: [PATCH] mod_ssl: follow OpenSSL protocol defaults if SSLProtocol is not configured (Rob Crittenden, #1618371) Resolves: rhbz#1618371 --- httpd-2.4.34-sslprotdefault.patch | 53 +++++++++++++++++++++++++++++++ httpd.spec | 8 ++++- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 httpd-2.4.34-sslprotdefault.patch diff --git a/httpd-2.4.34-sslprotdefault.patch b/httpd-2.4.34-sslprotdefault.patch new file mode 100644 index 0000000..65f8d40 --- /dev/null +++ b/httpd-2.4.34-sslprotdefault.patch @@ -0,0 +1,53 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=1618371 + +--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault ++++ httpd-2.4.34/modules/ssl/ssl_engine_config.c +@@ -119,7 +119,7 @@ + mctx->ticket_key = NULL; + #endif + +- mctx->protocol = SSL_PROTOCOL_DEFAULT; ++ mctx->protocol = SSL_PROTOCOL_NONE; + mctx->protocol_set = 0; + + mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; +--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault ++++ httpd-2.4.34/modules/ssl/ssl_engine_init.c +@@ -555,9 +555,8 @@ + * Create the new per-server SSL context + */ + if (protocol == SSL_PROTOCOL_NONE) { +- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) +- "No SSL protocols available [hint: SSLProtocol]"); +- return ssl_die(s); ++ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, ++ "Using OpenSSL/system default SSL/TLS protocols"); + } + + cp = apr_pstrcat(p, +@@ -673,14 +672,8 @@ + } else if (protocol & SSL_PROTOCOL_SSLV3) { + prot = SSL3_VERSION; + #endif +- } else { +- SSL_CTX_free(ctx); +- mctx->ssl_ctx = NULL; +- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) +- "No SSL protocols available [hint: SSLProtocol]"); +- return ssl_die(s); + } +- SSL_CTX_set_max_proto_version(ctx, prot); ++ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot); + + /* Next we scan for the minimal protocol version we should provide, + * but we do not allow holes between max and min */ +@@ -700,7 +693,7 @@ + prot = SSL3_VERSION; + } + #endif +- SSL_CTX_set_min_proto_version(ctx, prot); ++ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot); + #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ + + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE diff --git a/httpd.spec b/httpd.spec index 6640f65..7b97a69 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.34 -Release: 6%{?dist} +Release: 7%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -76,6 +76,7 @@ Patch34: httpd-2.4.17-socket-activation.patch Patch36: httpd-2.4.33-r1830819+.patch Patch37: httpd-2.4.34-r1827912+.patch Patch38: httpd-2.4.34-sslciphdefault.patch +Patch39: httpd-2.4.34-sslprotdefault.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 @@ -238,6 +239,7 @@ interface for storing and accessing per-user session data. %patch36 -p1 -b .r1830819+ %patch37 -p1 -b .r1827912+ %patch38 -p1 -b .sslciphdefault +%patch39 -p1 -b .sslprotdefault %patch58 -p1 -b .r1738878 %patch59 -p1 -b .r1555631 @@ -729,6 +731,10 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Sep 21 2018 Joe Orton - 2.4.34-7 +- mod_ssl: follow OpenSSL protocol defaults if SSLProtocol + is not configured (Rob Crittenden, #1618371) + * Tue Sep 18 2018 Joe Orton - 2.4.34-6 - mod_ssl: more TLSv1.3 fixes (#1619389)