httpd/httpd-2.4.34-sslprotdefault.patch
Joe Orton 86433978a1 mod_ssl: follow OpenSSL protocol defaults if SSLProtocol
is not configured (Rob Crittenden, #1618371)
Resolves: rhbz#1618371
2018-09-21 13:07:38 +01:00

54 lines
1.8 KiB
Diff

https://bugzilla.redhat.com/show_bug.cgi?id=1618371
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@
mctx->ticket_key = NULL;
#endif
- mctx->protocol = SSL_PROTOCOL_DEFAULT;
+ mctx->protocol = SSL_PROTOCOL_NONE;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
@@ -555,9 +555,8 @@
* Create the new per-server SSL context
*/
if (protocol == SSL_PROTOCOL_NONE) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+ "Using OpenSSL/system default SSL/TLS protocols");
}
cp = apr_pstrcat(p,
@@ -673,14 +672,8 @@
} else if (protocol & SSL_PROTOCOL_SSLV3) {
prot = SSL3_VERSION;
#endif
- } else {
- SSL_CTX_free(ctx);
- mctx->ssl_ctx = NULL;
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
}
- SSL_CTX_set_max_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
@@ -700,7 +693,7 @@
prot = SSL3_VERSION;
}
#endif
- SSL_CTX_set_min_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE