Hi,

in Fedora, OpenSSL maintainers are setting SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 options by default [1].

This disables both SSLv2 and SSLv3 by default in the SSLv23_method(), which is what mod_ssl uses when more than one version is requested.

The side effect of this change in OpenSSL is that some configurations that attempt to explicitly enable SSLv3 don't work correctly. While this enables SSLv3, as it uses SSLv3_method:

SSLProtocol +SSLv3

the following two do not work:

SSLProtocol +SSLv3 +TLSv1
SSLProtocol all -TLSv1.1 -TLSv1.2

We have the following options now:

1. Clear the SSL_OP_NO_SSLvX flags when there is "+SSLvX". It means doing something like:

/* protocol: mod_ssl's bitmask of requested versions (SSL_PROTOCOL_SSLV3 etc.);
   ctx: the SSL_CTX being configured; needs <openssl/ssl.h> */
if (!(protocol & SSL_PROTOCOL_SSLV3)) {
    /* SSLv3 not requested: disable it explicitly */
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
} else {
    /* "+SSLv3" requested: undo the SSL_OP_NO_SSLv3 default set by OpenSSL */
    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
}

That overwrites the defaults set by OpenSSL.

2. Same as 1., but print a warning that we are overwriting the system OpenSSL settings.

3. Respect the defaults set by OpenSSL and print a warning that we won't overwrite them. That's probably silly if you really want to enable SSLv3 just in httpd.
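As an added illustration (not from this mail or from httpd), the Python script below uses the standard library's OpenSSL-backed ssl module, whose fresh contexts also carry the SSL_OP_NO_SSLv3 default, to show why the two directives above keep SSLv3 off under option 3 (only ever adding SSL_OP_NO_* bits) and how option 1 (clearing the bit on "+SSLv3") changes that. The SSLProtocol parser and the mod_ssl-style bit names are constructed for the demo, and only the option bit is inspected: an OpenSSL built without SSLv3 would still refuse SSLv3 whatever the bit says.

```python
import ssl
import warnings

# Constructed stand-ins for mod_ssl's SSL_PROTOCOL_* bits (names follow the
# mail; the numeric values are arbitrary for this demo).  SSLv2 is omitted.
SSLV3, TLSV1, TLSV1_1, TLSV1_2 = 1, 2, 4, 8
PROTO_BITS = {"SSLv3": SSLV3, "TLSv1": TLSV1, "TLSv1.1": TLSV1_1, "TLSv1.2": TLSV1_2}
NO_OPTION = {SSLV3: ssl.OP_NO_SSLv3, TLSV1: ssl.OP_NO_TLSv1,
             TLSV1_1: ssl.OP_NO_TLSv1_1, TLSV1_2: ssl.OP_NO_TLSv1_2}


def parse_sslprotocol(args):
    """Turn the argument list of an SSLProtocol directive into a bitmask.
    Assumed semantics: 'all' is every version above, '+X' adds, '-X' removes."""
    mask = 0
    for tok in args.split():
        if tok == "all":
            mask |= sum(PROTO_BITS.values())
        elif tok[0] in "+-":
            bit = PROTO_BITS[tok[1:]]
            mask = (mask | bit) if tok[0] == "+" else (mask & ~bit)
        else:
            raise ValueError("unsupported SSLProtocol token: " + tok)
    return mask


def configure(ctx, mask, override_defaults):
    """Apply the protocol mask to ctx.  override_defaults=True is option 1/2
    from the mail (clear SSL_OP_NO_X when +X is requested); False is option 3
    (only add SSL_OP_NO_X bits and leave the library's defaults untouched)."""
    opts = int(ctx.options)
    for bit, no_opt in NO_OPTION.items():
        if not (mask & bit):
            opts |= int(no_opt)
        elif override_defaults:
            opts &= ~int(no_opt)
    with warnings.catch_warnings():
        # newer Pythons warn that the OP_NO_* constants are deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options = opts
    return ctx


def sslv3_allowed(directive, override_defaults):
    """True if, after applying the directive to a fresh server context (which
    starts with SSL_OP_NO_SSLv3 set by default), the SSL_OP_NO_SSLv3 bit is clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    configure(ctx, parse_sslprotocol(directive), override_defaults)
    return not (int(ctx.options) & int(ssl.OP_NO_SSLv3))
```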


[1] http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?id=80b5477

What would you choose? Or should that be handled differently?

Regards,
Jan Kaluza
