On 5/15/20 6:50 PM, Yann Ylavic wrote:
> On Tue, May 5, 2020 at 2:40 PM <jor...@apache.org> wrote:
>>
>> Author: jorton
>> Date: Tue May 5 12:40:38 2020
>> New Revision: 1877397
>>
>> URL: http://svn.apache.org/viewvc?rev=1877397&view=rev
>> Log:
>> mod_ssl: Switch to using SSL_OP_NO_RENEGOTATION (where available) to
>> block client-initiated renegotiation with TLSv1.2 and earlier.
>
> Somehow this change (bisected) broke many framework tests for me:
> t/ssl/* and t/security/CVE-*, the ones using mod_ssl I suppose.
> This is with openssl 1.1.1, and "SSLProtocol all -TLSv1.3" (which is
> the default $sslproto in "Apache-Test/lib/Apache/TestSSLCA.pm").
Good catch that it fails with these settings, I and I guess Travis as well
use more recent versions of Net::SSLeay such that $sslproto is set to "all".
Regards
RĂ¼diger
