rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

mod_ssl: follow OpenSSL protocol defaults if SSLProtocol

Browse Source 
is not configured (Rob Crittenden, #1618371)
Resolves: rhbz#1618371
This commit is contained in:
Joe Orton 2018-09-21 13:07:38 +01:00
parent 369db50dd0
commit 86433978a1
2 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
httpd-2.4.34-sslprotdefault.patch Normal file
View File

@ -0,0 +1,53 @@
https://bugzilla.redhat.com/show_bug.cgi?id=1618371
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@
mctx->ticket_key = NULL;
#endif
- mctx->protocol = SSL_PROTOCOL_DEFAULT;
+ mctx->protocol = SSL_PROTOCOL_NONE;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
@@ -555,9 +555,8 @@
* Create the new per-server SSL context
*/
if (protocol == SSL_PROTOCOL_NONE) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+ "Using OpenSSL/system default SSL/TLS protocols");
}
cp = apr_pstrcat(p,
@@ -673,14 +672,8 @@
} else if (protocol & SSL_PROTOCOL_SSLV3) {
prot = SSL3_VERSION;
#endif
- } else {
- SSL_CTX_free(ctx);
- mctx->ssl_ctx = NULL;
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
}
- SSL_CTX_set_max_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
@@ -700,7 +693,7 @@
prot = SSL3_VERSION;
}
#endif
- SSL_CTX_set_min_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE

8
httpd.spec
View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.34 Version: 2.4.34
Release: 6%{?dist} Release: 7%{?dist}
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -76,6 +76,7 @@ Patch34: httpd-2.4.17-socket-activation.patch
Patch36: httpd-2.4.33-r1830819+.patch Patch36: httpd-2.4.33-r1830819+.patch
Patch37: httpd-2.4.34-r1827912+.patch Patch37: httpd-2.4.34-r1827912+.patch
Patch38: httpd-2.4.34-sslciphdefault.patch Patch38: httpd-2.4.34-sslciphdefault.patch
Patch39: httpd-2.4.34-sslprotdefault.patch
# Bug fixes # Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@ -238,6 +239,7 @@ interface for storing and accessing per-user session data.
%patch36 -p1 -b .r1830819+ %patch36 -p1 -b .r1830819+
%patch37 -p1 -b .r1827912+ %patch37 -p1 -b .r1827912+
%patch38 -p1 -b .sslciphdefault %patch38 -p1 -b .sslciphdefault
%patch39 -p1 -b .sslprotdefault
%patch58 -p1 -b .r1738878 %patch58 -p1 -b .r1738878
%patch59 -p1 -b .r1555631 %patch59 -p1 -b .r1555631
@ -729,6 +731,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Fri Sep 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-7
- mod_ssl: follow OpenSSL protocol defaults if SSLProtocol
is not configured (Rob Crittenden, #1618371)
* Tue Sep 18 2018 Joe Orton <jorton@redhat.com> - 2.4.34-6 * Tue Sep 18 2018 Joe Orton <jorton@redhat.com> - 2.4.34-6
- mod_ssl: more TLSv1.3 fixes (#1619389) - mod_ssl: more TLSv1.3 fixes (#1619389)