Resolves: #1652678 - TLS connection allowed while all protocols are forbidden

2018-11-23 11:11:59 +01:00 · 2018-11-23 11:11:59 +01:00 · affd30da6f
commit affd30da6f
parent f7bb212f40
3 changed files with 103 additions and 55 deletions
--- a/httpd-2.4.34-sslprotdefault.patch
+++ b/httpd-2.4.34-sslprotdefault.patch
@ -1,53 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1618371 
-
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault
-+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
-@@ -119,7 +119,7 @@
-     mctx->ticket_key          = NULL;
- #endif
- 
-    mctx->protocol            = SSL_PROTOCOL_DEFAULT;
-+    mctx->protocol            = SSL_PROTOCOL_NONE;
-     mctx->protocol_set        = 0;
- 
-     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault
-+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
-@@ -555,9 +555,8 @@
-      *  Create the new per-server SSL context
-      */
-     if (protocol == SSL_PROTOCOL_NONE) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
-                "No SSL protocols available [hint: SSLProtocol]");
-        return ssl_die(s);
-+        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, 
-+                     "Using OpenSSL/system default SSL/TLS protocols");
-     }
- 
-     cp = apr_pstrcat(p,
-@@ -673,14 +672,8 @@
-     } else if (protocol & SSL_PROTOCOL_SSLV3) {
-         prot = SSL3_VERSION;
- #endif
-    } else {
-        SSL_CTX_free(ctx);
-        mctx->ssl_ctx = NULL;
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
-                "No SSL protocols available [hint: SSLProtocol]");
-        return ssl_die(s);
-     }
-    SSL_CTX_set_max_proto_version(ctx, prot);
-+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
- 
-     /* Next we scan for the minimal protocol version we should provide,
-      * but we do not allow holes between max and min */
-@@ -700,7 +693,7 @@
-         prot = SSL3_VERSION;
-     }
- #endif
-    SSL_CTX_set_min_proto_version(ctx, prot);
-+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
- 
- #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
--- a/httpd-2.4.37-sslprotdefault.patch
+++ b/httpd-2.4.37-sslprotdefault.patch
@ -0,0 +1,98 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 55c237e..5467d23 100644
+--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
+@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
+     mctx->ticket_key          = NULL;
+ #endif
+ 
+-    mctx->protocol            = SSL_PROTOCOL_DEFAULT;
+    mctx->protocol            = SSL_PROTOCOL_NONE;
+     mctx->protocol_set        = 0;
+ 
+     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
+@@ -262,6 +262,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
+ {
+     if (add->protocol_set) {
+         mrg->protocol = add->protocol;
+        mrg->protocol_set = 1;
+     }
+     else {
+         mrg->protocol = base->protocol;
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index e3f62fe..31fc0e6 100644
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -568,6 +568,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
+     char *cp;
+     int protocol = mctx->protocol;
+    int protocol_set = mctx->protocol_set;
+     SSLSrvConfigRec *sc = mySrvConfig(s);
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+     int prot;
+@@ -577,12 +578,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+      *  Create the new per-server SSL context
+      */
+     if (protocol == SSL_PROTOCOL_NONE) {
+-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
+-                "No SSL protocols available [hint: SSLProtocol]");
+-        return ssl_die(s);
+-    }
+        if (protocol_set) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
+                    "No SSL protocols available [hint: SSLProtocol]");
+            return ssl_die(s);
+        }
+ 
+-    cp = apr_pstrcat(p,
+        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, 
+                     "Using OpenSSL/system default SSL/TLS protocols");
+        cp = "default";
+    }
+    else {
+        cp = apr_pstrcat(p,
+ #ifndef OPENSSL_NO_SSL3
+                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+ #endif
+@@ -595,7 +602,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ #endif
+ #endif
+                      NULL);
+-    cp[strlen(cp)-2] = NUL;
+        cp[strlen(cp)-2] = NUL;
+    }
+ 
+     ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+                  "Creating new SSL context (protocols: %s)", cp);
+@@ -696,13 +704,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+         prot = SSL3_VERSION;
+ #endif
+     } else {
+-        SSL_CTX_free(ctx);
+-        mctx->ssl_ctx = NULL;
+-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
+-                "No SSL protocols available [hint: SSLProtocol]");
+-        return ssl_die(s);
+        if (protocol_set) {
+            SSL_CTX_free(ctx);
+            mctx->ssl_ctx = NULL;
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
+                    "No SSL protocols available [hint: SSLProtocol]");
+            return ssl_die(s);
+        }
+     }
+-    SSL_CTX_set_max_proto_version(ctx, prot);
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
+ 
+     /* Next we scan for the minimal protocol version we should provide,
+      * but we do not allow holes between max and min */
+@@ -726,7 +736,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+         prot = SSL3_VERSION;
+     }
+ #endif
+-    SSL_CTX_set_min_proto_version(ctx, prot);
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
+ #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -76,7 +76,7 @@ Patch31: httpd-2.4.33-sslmultiproxy.patch
 Patch34: httpd-2.4.17-socket-activation.patch
 Patch36: httpd-2.4.33-r1830819+.patch
 Patch38: httpd-2.4.34-sslciphdefault.patch
-Patch39: httpd-2.4.34-sslprotdefault.patch
+Patch39: httpd-2.4.37-sslprotdefault.patch

 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@ -739,6 +739,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Thu Nov 22 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-5
+- Resolves: #1652678 - TLS connection allowed while all protocols are forbidden
+
 * Thu Nov  8 2018 Joe Orton <jorton@redhat.com> - 2.4.37-4
 - add httpd.conf(5) (#1611361)