My bad. Please try again with r1828220 or later. Cheers, Stefan
> Am 01.04.2018 um 18:57 schrieb Luca Toscano <toscano.l...@gmail.com>: > > Hi Stefan > > 2018-03-28 13:15 GMT+02:00 <ic...@apache.org>: > Author: icing > Date: Wed Mar 28 11:15:18 2018 > New Revision: 1827912 > > URL: http://svn.apache.org/viewvc?rev=1827912&view=rev > Log: > On the trunk: > mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs > may > need more sugar). > > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c > httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > httpd/httpd/trunk/modules/ssl/ssl_policies.h > httpd/httpd/trunk/modules/ssl/ssl_private.h > httpd/httpd/trunk/modules/ssl/update_policies.py > > > > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18 2018 > @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco > > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ > /* We first determine the maximum protocol version we should provide */ > - if (protocol & SSL_PROTOCOL_TLSV1_2) { > + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) { > + prot = TLS1_3_VERSION; > + } else if (protocol & SSL_PROTOCOL_TLSV1_2) { > prot = TLS1_2_VERSION; > } else if (protocol & SSL_PROTOCOL_TLSV1_1) { > prot = TLS1_1_VERSION; > @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco > > /* Next we scan for the minimal protocol version we should provide, > * but we do not allow holes between max and min */ > + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { > + prot = TLS1_2_VERSION; > + } > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { > prot = TLS1_1_VERSION; > } > > > it may be a misconfig from my side, but I get the following with openssl > 1.1.0f (not TLS 1.3 afaics): > > ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’: > ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use in > this function) > prot = TLS1_3_VERSION; > ^~~~~~~~~~~~~~ > > Adding the following bits makes everything work: > > Index: modules/ssl/ssl_engine_init.c > =================================================================== > --- modules/ssl/ssl_engine_init.c (revision 1828144) > +++ modules/ssl/ssl_engine_init.c (working copy) > @@ -685,9 +685,12 @@ > > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ > /* We first determine the maximum protocol version we should provide */ > +#if SSL_HAVE_PROTOCOL_TLSV1_3 > if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) { > prot = TLS1_3_VERSION; > - } else if (protocol & SSL_PROTOCOL_TLSV1_2) { > + } else > +#endif > + if (protocol & SSL_PROTOCOL_TLSV1_2) { > prot = TLS1_2_VERSION; > } else if (protocol & SSL_PROTOCOL_TLSV1_1) { > prot = TLS1_1_VERSION; > @@ -708,9 +711,11 @@ > > /* Next we scan for the minimal protocol version we should provide, > * but we do not allow holes between max and min */ > +#if SSL_HAVE_PROTOCOL_TLSV1_3 > if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { > prot = TLS1_2_VERSION; > } > +#endif > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { > prot = TLS1_1_VERSION; > } > > > Luca
