On Wed, Oct 29, 2014 at 2:15 AM, Eric Covener <cove...@gmail.com> wrote:
> They had a year-old httpd2.4 from EPEL / RH software collections but it's
> built against an old openssl, so it isn't aware of tls1.1 and tls1.2 and
> that same block of code ends up locking you into exactly TLSv1.0 once you
> remove sslv2 and sslv3. If you leave sslv2, it gets disabled below that
> block and none of the equality checks match. They didn't get to test that
> for me yet.
I think that's what happening without TLSv1.1 and TLSv1.2 available
(eg. openssl 0.9.8).
There remain only TLSv1.0 since SSLv2 is forcibly disabled in 2.4.x.
Maybe we should introduce another protocol keywork, namely ANY, which
would opt-in SSLv23 (SSLv2Hello), and not disable single protocol
configuration in any case like in the patch proposed by Mikhail.
Something like the following patch :
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1635012)
+++ modules/ssl/ssl_private.h (working copy)
@@ -295,8 +295,10 @@ typedef int ssl_opt_t;
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+#define SSL_PROTOCOL_ANY (1<<5)
#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_ANY (1<<3)
#endif
typedef int ssl_proto_t;
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1635012)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -490,6 +490,7 @@ static apr_status_t ssl_init_ctx_protocol(server_r
}
cp = apr_pstrcat(p,
+ (protocol & SSL_PROTOCOL_ANY ? "SSLv23, " : ""),
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1635012)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -1311,6 +1311,9 @@ static const char *ssl_cmd_protocol_parse(cmd_parm
else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL;
}
+ else if (strcEQ(w, "any")) {
+ thisopt = SSL_PROTOCOL_ANY;
+ }
else {
return apr_pstrcat(parms->temp_pool,
parms->cmd->name,
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 1635012)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -1137,6 +1137,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
* IPv4 and IPv6 addresses are not permitted".)
*/
if (hostname_note &&
+ !(sc->proxy->protocol & SSL_PROTOCOL_ANY) &&
sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
apr_ipsubnet_create(&ip, hostname_note, NULL,
c->pool) != APR_SUCCESS) {
[END]
>
> Kaspar, does the v2open require sslv2method? What do you think of the patch
> above?
I don't think so, SSLv23 seams to use the lowest non-disabled method,
and we explicitely disable the ones not configured. So it should work.
Kaspar has probably a better understanding than me on this though.
Regards,
Yann.
