Subject: svn commit: r1222922 - in /httpd/httpd/branches/2.4.x: ./ CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Date: Sat, 24 Dec 2011 06:43:48 -0000
To: cvs@httpd.apache.org
Reply-To: dev@httpd.apache.org
From: kbrand@apache.org
Message-Id: <20111224064349.1789223888CD@eris.apache.org>

Author: kbrand
Date: Sat Dec 24 06:43:48 2011
New Revision: 1222922

URL: http://svn.apache.org/viewvc?rev=1222922&view=rev
Log:
merge r1222921 from trunk:

SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors
when compiled against OpenSSL 1.0.1 or later. Update documentation.

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Dec 24 06:43:48 2011
@@ -1,3 +1,3 @@ /httpd/httpd/branches/revert-ap-ldap:1150158-1150173 /httpd/httpd/branches/wombat-integration:723609-723841 -/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202236,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1206850,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210080,1210124,1210130,1210219,1210221,1210252,1210284,1210378,1210725,1210892,1210951,1210954,1211528,1211663,1211680,1212883,1213338,1213567,1214003,1214005,1214015,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221292,1222335,1222370,1222473,1222915,1222917 +/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202236,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1206850,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210080,1210124,1210130,1210219,1210221,1210252,1210284,1210378,1210725,1210892,1210951,1210954,1211528,1211663,1211680,1212883,1213338,1213567,1214003,1214005,1214015,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221292,1222335,1222370,1222473,1222915,1222917,1222921 Modified: httpd/httpd/branches/2.4.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1222922&r1=1222921&r2=1222922&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sat Dec 24 06:43:48 2011 
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.0 + *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit + control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive. + [Kaspar Brand] + *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, to improve binary compatibility with future OpenSSL releases. [Kaspar Brand] Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1222922&r1=1222921&r2=1222922&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Sat Dec 24 06:43:48 2011 @@ -61,7 +61,7 @@ compatibility variables.

Description: HTTPS flag HTTPS is being used. -SSL_PROTOCOL string The SSL protocol version (SSLv3, TLSv1) +SSL_PROTOCOL string The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2) SSL_SESSION_ID string The hex-encoded SSL session id SSL_SESSION_RESUMED string Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use SSL_SECURE_RENEG string true if secure renegotiation is supported, else false @@ -588,15 +588,25 @@ The available (case-insensitive) pro
  • TLSv1

    - This is the Transport Layer Security (TLS) protocol, version 1.0. It is the - successor to SSLv3 and was originally defined in RFC 2246 - (obsoleted by RFC 4346 - and RFC 5246 in - the meantime).

  • + This is the Transport Layer Security (TLS) protocol, version 1.0. + It is the successor to SSLv3 and is defined in + RFC 2246.

    + +
  • TLSv1.1 (when using OpenSSL 1.0.1 and later) +

    + A revision of the TLS 1.0 protocol, as defined in + RFC 4346.

  • + +
  • TLSv1.2 (when using OpenSSL 1.0.1 and later) +

    + A revision of the TLS 1.1 protocol, as defined in + RFC 5246.

  • all

    - This is a shortcut for ``+SSLv3 +TLSv1''.

  • + This is a shortcut for ``+SSLv3 +TLSv1'' or + - when using OpenSSL 1.0.1 and later - + ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

    Example SSLProtocol TLSv1 Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1222922&r1=1222921&r2=1222922&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original) +++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Sat Dec 24 06:43:48 2011 @@ -130,7 +130,11 @@ static const command_rec ssl_config_cmds "('N' - number of seconds)") SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable or disable various SSL protocols" - "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") +#ifdef HAVE_TLSV1_X + "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") +#else + "('[+-][SSLv3|TLSv1] ...' - see manual)") +#endif SSL_CMD_SRV(HonorCipherOrder, FLAG, "Use the server's cipher ordering preference") SSL_CMD_SRV(InsecureRenegotiation, FLAG, @@ -148,7 +152,11 @@ static const command_rec ssl_config_cmds "('on', 'off')") SSL_CMD_SRV(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " - "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") +#ifdef HAVE_TLSV1_X + "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") +#else + "('[+-][SSLv3|TLSv1] ...' - see manual)") +#endif SSL_CMD_SRV(ProxyCipherSuite, TAKE1, "SSL Proxy: colon-delimited list of permitted SSL ciphers " "('XXX:...:XXX' - see manual)") Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1222922&r1=1222921&r2=1222922&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original) +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Sat Dec 24 06:43:48 2011 
@@ -1283,6 +1283,12 @@ static const char *ssl_cmd_protocol_pars else if (strcEQ(w, "TLSv1")) { thisopt = SSL_PROTOCOL_TLSV1; } + else if (strcEQ(w, "TLSv1.1")) { + thisopt = SSL_PROTOCOL_TLSV1_1; + } + else if (strcEQ(w, "TLSv1.2")) { + thisopt = SSL_PROTOCOL_TLSV1_2; + } else if (strcEQ(w, "all")) { thisopt = SSL_PROTOCOL_ALL; } Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1222922&r1=1222921&r2=1222922&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original) +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Sat Dec 24 06:43:48 2011 @@ -501,6 +501,10 @@ static void ssl_init_ctx_protocol(server cp = apr_pstrcat(p, (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), +#ifdef HAVE_TLSV1_X + (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""), + (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""), +#endif NULL); cp[strlen(cp)-2] = NUL; @@ -517,6 +521,18 @@ static void ssl_init_ctx_protocol(server TLSv1_client_method() : /* proxy */ TLSv1_server_method(); /* server */ } +#ifdef HAVE_TLSV1_X + else if (protocol == SSL_PROTOCOL_TLSV1_1) { + method = mctx->pkp ? + TLSv1_1_client_method() : /* proxy */ + TLSv1_1_server_method(); /* server */ + } + else if (protocol == SSL_PROTOCOL_TLSV1_2) { + method = mctx->pkp ? + TLSv1_2_client_method() : /* proxy */ + TLSv1_2_server_method(); /* server */ + } +#endif else { /* For multiple protocols, we need a flexible method */ method = mctx->pkp ? SSLv23_client_method() : /* proxy */ 
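Review bot: in the ssl_engine_config.c hunk (@@ -1283), the two new `else if (strcEQ(w, "TLSv1.1"))` / `else if (strcEQ(w, "TLSv1.2"))` branches are not wrapped in `#ifdef HAVE_TLSV1_X`, yet ssl_private.h defines `SSL_PROTOCOL_TLSV1_1` and `SSL_PROTOCOL_TLSV1_2` only inside that guard, so a build against an OpenSSL without `SSL_OP_NO_TLSv1_2` (anything before 1.0.1) fails with undeclared identifiers. The matching hunks in mod_ssl.c and ssl_engine_init.c are guarded; guard these two branches the same way, so that on older OpenSSL the tokens `TLSv1.1` and `TLSv1.2` fall through to the existing handling for unrecognised protocol names rather than being compiled at all.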
@@ -539,6 +555,16 @@ static void ssl_init_ctx_protocol(server SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); } +#ifdef HAVE_TLSV1_X + if (!(protocol & SSL_PROTOCOL_TLSV1_1)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); + } + + if (!(protocol & SSL_PROTOCOL_TLSV1_2)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); + } +#endif + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE if (sc->cipher_server_pref == TRUE) { SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1222922&r1=1222921&r2=1222922&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original) +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Sat Dec 24 06:43:48 2011 @@ -176,6 +176,10 @@ #endif #endif +#ifdef SSL_OP_NO_TLSv1_2 +#define HAVE_TLSV1_X +#endif + /* mod_ssl headers */ #include "ssl_util_ssl.h" @@ -316,7 +320,14 @@ typedef int ssl_opt_t; #define SSL_PROTOCOL_SSLV2 (1<<0) #define SSL_PROTOCOL_SSLV3 (1<<1) #define SSL_PROTOCOL_TLSV1 (1<<2) +#ifdef HAVE_TLSV1_X +#define SSL_PROTOCOL_TLSV1_1 (1<<3) +#define SSL_PROTOCOL_TLSV1_2 (1<<4) +#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \ + SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) +#else #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) +#endif typedef int ssl_proto_t; /**
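Review bot: the new `HAVE_TLSV1_X` feature test in the ssl_private.h hunk (@@ -176) keys only on `SSL_OP_NO_TLSv1_2`, but the code it enables also relies on `SSL_OP_NO_TLSv1_1`, `TLSv1_1_client_method()`/`TLSv1_1_server_method()` and the `TLSv1_2_*_method()` pair. That is sound for OpenSSL 1.0.1, which ships both versions together, but nothing in the header says so; add a one-line comment above the `#define HAVE_TLSV1_X` recording that assumption (OpenSSL >= 1.0.1 provides TLSv1.1 and TLSv1.2 as a set), so the next reader does not have to rediscover why one option macro stands in for the whole family.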
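Review bot: the rewritten `all` entry in the mod_ssl.xml hunk (@@ -588) lacks the closing quote after `+TLSv1.2`, and "or ... respectively" does not pair: "respectively" needs two earlier items listed in the same order, which this sentence does not have. Suggested wording: `This is a shortcut for ``+SSLv3 +TLSv1'' or, when using OpenSSL 1.0.1 and later, ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2''.` It is also worth saying plainly in this entry that the expansion of `all` is fixed when mod_ssl is built (the `SSL_PROTOCOL_ALL` definition in ssl_private.h is selected by `#ifdef HAVE_TLSV1_X`), so the set of protocols an administrator gets from `all` depends on the OpenSSL headers the module was compiled against, not on the library loaded at run time.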
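Review bot: both mod_ssl.c hunks (@@ -130 and @@ -148) also drop `SSLv2` from the `#else` branch of the help text, turning `'[+-][SSLv2|SSLv3|TLSv1] ...'` into `'[+-][SSLv3|TLSv1] ...'` for builds without `HAVE_TLSV1_X`, while ssl_private.h still defines `SSL_PROTOCOL_SSLV2 (1<<0)` and the log message does not mention SSLv2. If the token is no longer accepted on 2.4.x this is a correct cleanup and should be stated in the log; if it still parses, the help text now under-documents the directive. Either way the identical `#ifdef HAVE_TLSV1_X` string block is now duplicated for `Protocol` and `ProxyProtocol`; hoisting it into a single macro keeps the two from drifting apart.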