Hi,
Is there a particular reason to keep SSLv3 support in the current httpd version, given CVE-2014-3566 (the POODLE attack)?
It seems all major browsers have already disabled SSLv3.
Are the attached patches sufficient to remove SSLv3 support in the same way it was done for SSLv2?
I'm not sure about `SSLv23_(client|server)_method` in ssl_engine_init.c; perhaps that is also a candidate for removal.
--
Regards,
olli
Index: trunk/modules/ssl/mod_ssl.c
===================================================================
--- trunk/modules/ssl/mod_ssl.c (revision 1648994)
+++ trunk/modules/ssl/mod_ssl.c (working copy)
@@ -136,9 +136,9 @@
"SSL Session Cache object lifetime "
"('N' - number of seconds)")
#ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS "TLSv1|TLSv1.1|TLSv1.2"
#else
-#define SSL_PROTOCOLS "SSLv3|TLSv1"
+#define SSL_PROTOCOLS "TLSv1"
#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols "
Index: trunk/modules/ssl/ssl_engine_config.c
===================================================================
--- trunk/modules/ssl/ssl_engine_config.c (revision 1648994)
+++ trunk/modules/ssl/ssl_engine_config.c (working copy)
@@ -1295,7 +1295,12 @@
}
}
else if (strcEQ(w, "SSLv3")) {
- thisopt = SSL_PROTOCOL_SSLV3;
+ if (action == '-') {
+ continue;
+ }
+ else {
+ return "SSLProtocol: SSLv3 is no longer supported";
+ }
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
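Review bot: The error string on the added `return` hard-codes the directive name `SSLProtocol`; if this parser is also used for `SSLProxyProtocol` (the function signature and its callers are outside the hunk), the message names the wrong directive for proxy configurations. Building it from the directive actually being parsed avoids that, e.g. `return apr_psprintf(cmd->temp_pool, "%s: SSLv3 is no longer supported", cmd->cmd->name);`, assuming `cmd` is in scope as in the rest of this parser. The asymmetry that `-SSLv3` is silently accepted while `SSLv3` and `+SSLv3` abort config parsing deserves a comment above the new `if`, e.g. `/* -SSLv3 stays a no-op so existing "all -SSLv3" configs keep loading; enabling it is a hard error (CVE-2014-3566) */`. The enclosing function starts and ends outside the hunk.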
Index: trunk/modules/ssl/ssl_engine_init.c
===================================================================
--- trunk/modules/ssl/ssl_engine_init.c (revision 1648994)
+++ trunk/modules/ssl/ssl_engine_init.c (working copy)
@@ -490,7 +490,6 @@
}
cp = apr_pstrcat(p,
- (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -538,9 +537,8 @@
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- if (!(protocol & SSL_PROTOCOL_SSLV3)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- }
+ /* always disable SSLv3, CVE-2014-3566 (POODLE attack) */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (!(protocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
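Review bot: Unconditionally setting `SSL_OP_NO_SSLv3` is right, but the method selection earlier in this function is not touched: if, as the cover mail hints, the code still picks an SSLv3-only method (`SSLv3_server_method()`/`SSLv3_client_method()`) when `protocol` is exactly `SSL_PROTOCOL_SSLV3`, that branch is now dead because nothing can set that bit any more and should be removed in the same change. The `SSLv23_server_method()`/`SSLv23_client_method()` the cover mail asks about are, despite the name, the version-flexible methods that negotiate TLS 1.x once SSLv2/SSLv3 are masked off by `SSL_OP_NO_*`, so they must stay. The new comment could be a little more precise about what it guarantees: `/* always disable SSLv3 (CVE-2014-3566, POODLE); the SSLProtocol parser rejects any attempt to enable it */`. The enclosing function starts and ends outside the hunk.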
Index: trunk/modules/ssl/ssl_private.h
===================================================================
--- trunk/modules/ssl/ssl_private.h (revision 1648994)
+++ trunk/modules/ssl/ssl_private.h (working copy)
@@ -293,10 +293,10 @@
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1)
#endif
typedef int ssl_proto_t;
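Review bot: `SSL_PROTOCOL_ALL` no longer includes SSLv3, but the `SSL_PROTOCOL_SSLV3` bit itself, presumably defined just above this hunk alongside the `TLSV1_1`/`TLSV1_2` defines visible here, is kept, so any reference this patch misses still compiles silently. Removing the define makes every leftover use (the ssl_engine_init.c code this patch edits, plus any method-selection code it does not) a compile error, which is the cheapest way to find them; if the bit position must stay reserved, replace it with a comment such as `/* (1<<2) was SSL_PROTOCOL_SSLV3, removed for CVE-2014-3566; do not reuse */`.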
Index: branches/2.4.x/modules/ssl/mod_ssl.c
===================================================================
--- branches/2.4.x/modules/ssl/mod_ssl.c (revision 1649021)
+++ branches/2.4.x/modules/ssl/mod_ssl.c (working copy)
@@ -126,9 +126,9 @@
"SSL Session Cache object lifetime "
"('N' - number of seconds)")
#ifdef HAVE_TLSV1_X
-#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
+#define SSL_PROTOCOLS "TLSv1|TLSv1.1|TLSv1.2"
#else
-#define SSL_PROTOCOLS "SSLv3|TLSv1"
+#define SSL_PROTOCOLS "TLSv1"
#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols "
Index: branches/2.4.x/modules/ssl/ssl_engine_config.c
===================================================================
--- branches/2.4.x/modules/ssl/ssl_engine_config.c (revision 1649021)
+++ branches/2.4.x/modules/ssl/ssl_engine_config.c (working copy)
@@ -1322,7 +1322,12 @@
}
}
else if (strcEQ(w, "SSLv3")) {
- thisopt = SSL_PROTOCOL_SSLV3;
+ if (action == '-') {
+ continue;
+ }
+ else {
+ return "SSLProtocol: SSLv3 is no longer supported";
+ }
}
else if (strcEQ(w, "TLSv1")) {
thisopt = SSL_PROTOCOL_TLSV1;
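Review bot: On the stable 2.4.x branch the new `return` makes httpd refuse to start for any existing configuration that lists `SSLv3` without a leading `-` (e.g. `SSLProtocol SSLv3 TLSv1` or `+SSLv3`), which is a hard behaviour change on a point-release upgrade. For the backport a warn-and-ignore is the safer choice: emit `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, "SSLv3 is no longer supported, ignoring")` and `continue` for every `action`, keeping the hard error for trunk; this assumes `cmd` is the parser's first parameter, which is outside the hunk. Either way the change needs a CHANGES entry and a note on the `SSLProtocol`/`SSLProxyProtocol` manual pages that `-SSLv3` remains accepted as a no-op. The enclosing function starts and ends outside the hunk.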
Index: branches/2.4.x/modules/ssl/ssl_engine_init.c
===================================================================
--- branches/2.4.x/modules/ssl/ssl_engine_init.c (revision 1649021)
+++ branches/2.4.x/modules/ssl/ssl_engine_init.c (working copy)
@@ -469,7 +469,6 @@
}
cp = apr_pstrcat(p,
- (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
#ifdef HAVE_TLSV1_X
(protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
@@ -517,9 +516,8 @@
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- if (!(protocol & SSL_PROTOCOL_SSLV3)) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- }
+ /* always disable SSLv3, CVE-2014-3566 (POODLE attack) */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (!(protocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
Index: branches/2.4.x/modules/ssl/ssl_private.h
===================================================================
--- branches/2.4.x/modules/ssl/ssl_private.h (revision 1649021)
+++ branches/2.4.x/modules/ssl/ssl_private.h (working copy)
@@ -298,10 +298,10 @@
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1| \
SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1)
#endif
typedef int ssl_proto_t;