diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 517ce30..075f7e1 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -1474,6 +1474,8 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms, #endif else if (strcEQ(w, "all")) { thisopt = SSL_PROTOCOL_ALL; + // by default, ALL kw doesn't turn on SSLv3 + thisopt &= ~SSL_PROTOCOL_SSLV3; } else { return apr_pstrcat(parms->temp_pool, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 60df45f..f6645c2 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -537,6 +537,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, } #endif +/* + * Enable/disable SSLProtocol. If the mod_ssl enables protocol + * which is disabled by default by OpenSSL, show a warning. + * "option" is for example SSL_OP_NO_SSLv3. + */ +static void ssl_set_ctx_protocol_option(server_rec *s, + SSL_CTX *ctx, + long option, + int enabled, + const char *name) +{ + if (!enabled) { + SSL_CTX_set_options(ctx, option); + } + else if (SSL_CTX_get_options(ctx) & option) { + SSL_CTX_clear_options(ctx, option); + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904) + "Allowing SSLProtocol %s even though it is disabled " + "by OpenSSL by default on this system", name); + } +} + static apr_status_t ssl_init_ctx_protocol(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -695,9 +719,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, } if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { prot = TLS1_VERSION; + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1, + protocol & SSL_PROTOCOL_TLSV1, "TLSv1"); } #ifndef OPENSSL_NO_SSL3 if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) { + ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3, + protocol & SSL_PROTOCOL_SSLV3, "SSLv3"); prot = SSL3_VERSION; } #endif