Re: mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?

2015-07-22 Thread Jan Kaluža

On 07/21/2015 04:07 PM, Yann Ylavic wrote:

On Tue, Jul 21, 2015 at 2:50 PM, Plüm, Rüdiger, Vodafone Group wrote:


I would go for 2.


+1



Done in .

Regards,
Jan Kaluza



Re: mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?

2015-07-21 Thread Yann Ylavic
On Tue, Jul 21, 2015 at 2:50 PM, Plüm, Rüdiger, Vodafone Group wrote:
>
> I would go for 2.

+1


RE: mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?

2015-07-21 Thread Plüm, Rüdiger, Vodafone Group


> -----Original Message-----
> From: Jan Kaluža 
> Sent: Dienstag, 21. Juli 2015 14:35
> To: dev@httpd.apache.org
> Subject: mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?
> 
> Hi,
> 
> in Fedora, OpenSSL maintainers are setting SSL_OP_NO_SSLv2 and
> SSL_OP_NO_SSLv3 options by default [1].
> 
> This disables both SSLv2 and SSLv3 by default in the SSLv23_method(),
> which is what mod_ssl uses when more than one version is requested.
> 
> The side effect of this change in OpenSSL is that some configurations
> that attempt to explicitly enable SSLv3 don't work correctly.  While
> this enables SSLv3, as it uses SSLv3_method:
> 
> SSLProtocol +SSLv3
> 
> the following two do not work:
> 
> SSLProtocol +SSLv3 +TLSv1
> SSLProtocol all -TLSv1.1 -TLSv1.2
> 
> We have the following options now:
> 
> 1. Clear the SSL_OP_NO_SSLvX flags when there is "+SSLvX". It means
> doing something like:
> 
> if (!(protocol & SSL_PROTOCOL_SSLV3)) {
>     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
> } else {
>     SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
> }
> 
> That overwrites the defaults set by OpenSSL.
> 
> 2. Same as 1., but print a warning we are overwriting the system OpenSSL
> settings.

I would go for 2.

Regards

Rüdiger



mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?

2015-07-21 Thread Jan Kaluža

Hi,

in Fedora, OpenSSL maintainers are setting SSL_OP_NO_SSLv2 and 
SSL_OP_NO_SSLv3 options by default [1].


This disables both SSLv2 and SSLv3 by default in the SSLv23_method(), 
which is what mod_ssl uses when more than one version is requested.


The side effect of this change in OpenSSL is that some configurations 
that attempt to explicitly enable SSLv3 don't work correctly.  While 
this enables SSLv3, as it uses SSLv3_method:


SSLProtocol +SSLv3

the following two do not work:

SSLProtocol +SSLv3 +TLSv1
SSLProtocol all -TLSv1.1 -TLSv1.2

We have the following options now:

1. Clear the SSL_OP_NO_SSLvX flags when there is "+SSLvX". It means 
doing something like:


if (!(protocol & SSL_PROTOCOL_SSLV3)) {
    /* SSLv3 not in SSLProtocol: disable it in this context */
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
} else {
    /* SSLv3 requested: undo an SSL_OP_NO_SSLv3 preset by the system OpenSSL */
    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
}

That overwrites the defaults set by OpenSSL.

2. Same as 1., but print a warning we are overwriting the system OpenSSL 
settings.


3. Respect the defaults set by OpenSSL and print a warning, that we 
won't overwrite it. That's probably silly if you really want to enable 
SSLv3 just in httpd.



[1] http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?id=80b5477

What would you choose? Or should that be handled differently?

Regards,
Jan Kaluza
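
The following is an added example written for this archive page; it is not code from httpd, mod_ssl or the thread's participants. It models the situation the original message describes: an SSL_CTX whose options word already carries SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 from the system OpenSSL, and the two SSLProtocol lines the message says do not work, "+SSLv3 +TLSv1" and "all -TLSv1.1 -TLSv1.2". It compares the pre-change behaviour as the thread implies it (mod_ssl only ever sets SSL_OP_NO_* for excluded versions, so a preset flag is never cleared) with option 2 (set when excluded, clear when included, warn about the override). Assumptions: the SSL_PROTOCOL_* and SSL_OP_NO_* constant values are taken from ssl_private.h and OpenSSL 1.0.x ssl.h and are reproduced here so the program needs no libssl; ssl_ctx_model stands in for SSL_CTX, fprintf(stderr) stands in for ap_log_error(), and the choice to warn only when a preset default is actually overridden (rather than on every start-up) is this example's own refinement, not something the thread decided.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* mod_ssl's SSLProtocol bitmask (names and values assumed from ssl_private.h). */
#define SSL_PROTOCOL_SSLV2   (1<<0)
#define SSL_PROTOCOL_SSLV3   (1<<1)
#define SSL_PROTOCOL_TLSV1   (1<<2)
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL     (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | \
                              SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2)

/* OpenSSL 1.0.x SSL_OP_NO_* bits (values assumed from ssl.h; libssl is not linked). */
#define SSL_OP_NO_SSLv2   0x01000000L
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L

typedef struct { long options; } ssl_ctx_model;   /* stand-in for SSL_CTX */
static const struct { const char *name; int proto; long no_op; } versions[5] = {
    { "SSLv2",   SSL_PROTOCOL_SSLV2,   SSL_OP_NO_SSLv2   },
    { "SSLv3",   SSL_PROTOCOL_SSLV3,   SSL_OP_NO_SSLv3   },
    { "TLSv1",   SSL_PROTOCOL_TLSV1,   SSL_OP_NO_TLSv1   },
    { "TLSv1.1", SSL_PROTOCOL_TLSV1_1, SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", SSL_PROTOCOL_TLSV1_2, SSL_OP_NO_TLSv1_2 },
};

/* Parse "all -TLSv1.1 -TLSv1.2" or "+SSLv3 +TLSv1" into the bitmask; -1 on a bad token. */
int parse_sslprotocol(const char *arg)
{
    char buf[256]; int mask = 0;
    snprintf(buf, sizeof buf, "%s", arg);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int add = (*tok != '-'), bit = 0;
        if (*tok == '+' || *tok == '-') tok++;
        if (strcasecmp(tok, "all") == 0) bit = SSL_PROTOCOL_ALL;
        for (int i = 0; i < 5; i++)
            if (strcasecmp(tok, versions[i].name) == 0) bit = versions[i].proto;
        if (bit == 0) return -1;
        mask = add ? (mask | bit) : (mask & ~bit);
    }
    return mask;
}

/* One version only: mod_ssl picks a fixed method such as SSLv3_method(), which
 * the thread notes is not affected by SSL_OP_NO_* at all. */
int uses_version_specific_method(int protocol) { return protocol && !(protocol & (protocol - 1)); }

/* Pre-change behaviour as the thread describes it: NO flags are only ever set for
 * excluded versions, so a flag preset by the system OpenSSL is never cleared. */
long apply_protocol_old(ssl_ctx_model *ctx, int protocol)
{
    for (int i = 0; i < 5; i++)
        if (!(protocol & versions[i].proto)) ctx->options |= versions[i].no_op;
    return ctx->options;
}

/* Option 2 from the thread: set when excluded, clear when included, and warn only
 * when the clear really overrides a default the system OpenSSL had preset.
 * Returns the number of overridden defaults; the new mask is left in ctx->options. */
int apply_protocol_option2(ssl_ctx_model *ctx, int protocol)
{
    int overridden = 0;
    for (int i = 0; i < 5; i++) {
        if (!(protocol & versions[i].proto)) {
            ctx->options |= versions[i].no_op;      /* SSL_CTX_set_options() */
        } else if (ctx->options & versions[i].no_op) {
            fprintf(stderr, "warning: SSLProtocol enables %s, overriding the system "
                    "OpenSSL default that disables it\n", versions[i].name);
            ctx->options &= ~versions[i].no_op;     /* SSL_CTX_clear_options() */
            overridden++;
        }
    }
    return overridden;
}

/* Versions SSLv23_method() would still negotiate given this options word. */
int negotiable_versions(long options)
{
    int mask = 0;
    for (int i = 0; i < 5; i++)
        if (!(options & versions[i].no_op)) mask |= versions[i].proto;
    return mask;
}

int main(void)
{
    const char *configs[] = { "+SSLv3 +TLSv1", "all -TLSv1.1 -TLSv1.2" };
    for (int i = 0; i < 2; i++) {   /* both contexts start from the Fedora default of [1] */
        ssl_ctx_model old = { SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 }, fixed = old;
        int proto = parse_sslprotocol(configs[i]), warned;
        apply_protocol_old(&old, proto);
        warned = apply_protocol_option2(&fixed, proto);
        printf("%-22s wanted=0x%02x old=0x%02x option2=0x%02x warnings=%d\n", configs[i],
               proto, negotiable_versions(old.options), negotiable_versions(fixed.options), warned);
    }
    return 0;
}
```

For both configurations the old path leaves only TLSv1 negotiable (the preset SSL_OP_NO_SSLv3 survives), while the option 2 path yields SSLv3 and TLSv1 and reports exactly one overridden default. A TLS-only line such as "all -SSLv3" produces no warning, which is the property worth checking: the warning should fire for configurations that genuinely override the distribution's policy, not on every server start.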