All good now thanks! Luca
2018-04-03 13:49 GMT+02:00 Stefan Eissing <[email protected]>:
> My bad. Please try again with r1828220 or later.
>
> Cheers, Stefan
>
> > Am 01.04.2018 um 18:57 schrieb Luca Toscano <[email protected]>:
> >
> > Hi Stefan
> >
> > 2018-03-28 13:15 GMT+02:00 <[email protected]>:
> > Author: icing
> > Date: Wed Mar 28 11:15:18 2018
> > New Revision: 1827912
> >
> > URL: http://svn.apache.org/viewvc?rev=1827912&view=rev
> > Log:
> > On the trunk:
> > mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other
> libs may
> > need more sugar).
> >
> >
> > Modified:
> > httpd/httpd/trunk/CHANGES
> > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> > httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> > httpd/httpd/trunk/modules/ssl/ssl_policies.h
> > httpd/httpd/trunk/modules/ssl/ssl_private.h
> > httpd/httpd/trunk/modules/ssl/update_policies.py
> >
> >
> >
> >
> > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/
> ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff
> > ============================================================
> ==================
> > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18
> 2018
> > @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco
> >
> > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> > /* We first determine the maximum protocol version we should
> provide */
> > - if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3))
> {
> > + prot = TLS1_3_VERSION;
> > + } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
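Review bot: The new first branch in the `@@ -601,6 +601,9 @@` hunk falls through to the TLSv1.2/TLSv1.1 tests without comment whenever `SSL_HAVE_PROTOCOL_TLSV1_3` is 0, even if the TLSv1.3 bit is set in `protocol`. For a protocol set that also enables lower versions this is the expected downgrade of the maximum, but for a set containing only TLSv1.3 the outcome depends on the end of the else-chain, which lies outside the hunk; it should fail initialization rather than leave `prot` at a lower or default version. Whether config parsing already rejects the TLSv1.3 bit on such builds is not visible here, so I would document the intent at the branch, for example `/* TLSv1.3 requested but not available in this build: use the next lower enabled version */`.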
> > @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco
> >
> > /* Next we scan for the minimal protocol version we should provide,
> > * but we do not allow holes between max and min */
> > + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> > + prot = TLS1_2_VERSION;
> > + }
> > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > }
> >
> >
> > it may be a misconfig from my side, but I get the following with openssl
> 1.1.0f (not TLS 1.3 afaics):
> >
> > ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’:
> > ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use
> in this function)
> > prot = TLS1_3_VERSION;
> > ^~~~~~~~~~~~~~
> >
> > Adding the following bits makes everything work:
> >
> > Index: modules/ssl/ssl_engine_init.c
> > ===================================================================
> > --- modules/ssl/ssl_engine_init.c (revision 1828144)
> > +++ modules/ssl/ssl_engine_init.c (working copy)
> > @@ -685,9 +685,12 @@
> >
> > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> > /* We first determine the maximum protocol version we should
> provide */
> > +#if SSL_HAVE_PROTOCOL_TLSV1_3
> > if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3))
> {
> > prot = TLS1_3_VERSION;
> > - } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > + } else
> > +#endif
> > + if (protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > @@ -708,9 +711,11 @@
> >
> > /* Next we scan for the minimal protocol version we should provide,
> > * but we do not allow holes between max and min */
> > +#if SSL_HAVE_PROTOCOL_TLSV1_3
> > if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
> > prot = TLS1_2_VERSION;
> > }
> > +#endif
> > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
> > prot = TLS1_1_VERSION;
> > }
> >
> >
> > Luca
> >
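Review bot: In the `@@ -692,6 +708,9 @@` hunk the added test `prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2` relies on `&` binding tighter than `&&`. It parses as intended, but the max-version branch of the same commit parenthesizes its mask test, so I would write `if (prot == TLS1_3_VERSION && (protocol & SSL_PROTOCOL_TLSV1_2)) {` to match. From the visible lines, a protocol set with TLSv1.3 and TLSv1.1 but without TLSv1.2 keeps the minimum at TLSv1.3, so TLSv1.1 is dropped with no message in this hunk. That is the restrictive outcome, but it deserves a short comment, or a log entry if the rest of the function (which continues outside the hunk) does not already emit one.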
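Review bot: Inside the new `#if SSL_HAVE_PROTOCOL_TLSV1_3` guard of the `@@ -685,9 +685,12 @@` hunk the condition still tests `SSL_HAVE_PROTOCOL_TLSV1_3 &&` at run time, where it is always true; `if (protocol & SSL_PROTOCOL_TLSV1_3) {` is enough. The `} else` / `#endif` / `if (...)` sequence leaves an `else` whose body is chosen by the preprocessor, which is correct as written but easy to break in a later edit, so a marker such as `/* else continues with the TLSv1.2 test below */` before the `#endif` would help. `#if` also evaluates an undefined macro as 0, so with this guard a build in which the macro is missing would drop TLSv1.3 silently instead of failing to compile. The macro is presumably always defined in ssl_private.h, which this thread does not show, so that should be confirmed.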
