httpd-cvs mailing list archives

From rj...@apache.org
Subject svn commit: r1374734 - /httpd/httpd/branches/2.2.x/STATUS
Date Sun, 19 Aug 2012 11:28:04 GMT
Author: rjung
Date: Sun Aug 19 11:28:03 2012
New Revision: 1374734

URL: http://svn.apache.org/viewvc?rev=1374734&view=rev
Log:
Comment on TLSv1.1/.2 patch.

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1374734&r1=1374733&r2=1374734&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sun Aug 19 11:28:03 2012
@@ -174,6 +174,27 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
         Minor (CTR) issues:
         - The "/* only SSLv2 is left */" comment is now obsolete.
         - Needs CHANGES entry.
+    rjung: Doesn't the following block in modules/ssl/ssl_engine_init.c
+    switch SSLv2 *OFF*, but now only if Apache is compiled with SSLv2:
+        +#ifndef OPENSSL_NO_SSL2
+             if (!(protocol & SSL_PROTOCOL_SSLV2)) {
+                 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+             }
+        +#endif
+    But OpenSSL itself might well have SSLv2 support, so we should add
+    (taken from 2.4.x):
+        +#ifndef OPENSSL_NO_SSL2
+             if (!(protocol & SSL_PROTOCOL_SSLV2)) {
+                 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+             }
+        +#else
+             /* always disable SSLv2, as per RFC 6176 */
+             SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+        +#endif
+    When testing your patch after compiling with OPENSSL_NO_SSL2 in fact
+    I can make a SSLv2 connect after setting the SSLProtocol and
+    SSLCipherSuite directives both to "All" resp. "ALL".
+    Apart from that the patch looks good (I would vote +1 with this fixed).
 
    * mod_ssl: Add RFC 5878 support. This allows support of mechanisms
               such as Certificate Transparency. Note that new
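Review bot: the entry should say why an httpd built with OPENSSL_NO_SSL2 defined can still accept an SSLv2 connect, because that is what justifies the unconditional `#else` branch in the second snippet: OPENSSL_NO_SSL2 is picked up from the OpenSSL headers at httpd compile time, while the libssl actually loaded at run time may be a different build that still has SSLv2, which is presumably the situation the test in the last paragraph reproduces. A sentence to that effect next to "But OpenSSL itself might well have SSLv2 support" would make the backport rationale self-contained. It is also worth noting there that `SSL_OP_NO_SSLv2` is a plain option bit that OpenSSL's ssl.h defines independently of OPENSSL_NO_SSL2, so the `#else` call compiles and is harmless against a library without SSLv2. Minor style point: in both quoted snippets only the `#ifndef`/`#else`/`#endif` lines carry a leading `+` while the enclosed `if` block does not, which reads as a mangled diff in a STATUS entry; either prefix the whole block or drop the markers.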


