On Tue, May 5, 2020 at 2:40 PM <jor...@apache.org> wrote:
>
> Author: jorton
> Date: Tue May 5 12:40:38 2020
> New Revision: 1877397
>
> URL: http://svn.apache.org/viewvc?rev=1877397&view=rev
> Log:
> mod_ssl: Switch to using SSL_OP_NO_RENEGOTATION (where available) to
> block client-initiated renegotiation with TLSv1.2 and earlier.

Somehow this change (bisected) broke many framework tests for me: t/ssl/* and t/security/CVE-*, the ones using mod_ssl I suppose.

This is with openssl 1.1.1, and "SSLProtocol all -TLSv1.3" (which is the default $sslproto in "Apache-Test/lib/Apache/TestSSLCA.pm"). Everything works if TLSv1.3 is left alone (i.e. active), either by using openssl < 1.1.1, or by removing "-TLSv1.3" from $sslproto in TestSSLCA.pm.

Any idea?

Regards;
Yann.

PS: By the way the "-TLSv1.3" set by TestSSLCA.pm by default will prevent httpd from starting with openssl < 1.1.1 since "TLSv1.3" is not a recognized token then...