httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r1500108 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c
Date Wed, 10 Jul 2013 05:53:58 GMT
On Wed, 10 Jul 2013 07:41:35 +0200
Kaspar Brand <httpd-dev.2013@velox.ch> wrote:

> On 05.07.2013 21:25, rjung@apache.org wrote:
> > Author: rjung
> > Date: Fri Jul  5 19:25:28 2013
> > New Revision: 1500108
> > 
> > URL: http://svn.apache.org/r1500108
> > Log:
> > mod_ssl: Fix "SNI for backend" when compiled against
> > OpenSSL without support for SSLv2.
> > 
> > PR 55194.
> > 
> > Followup to r1497466. Does not apply to trunk or 2.4.x.
> 
> I missed the review of r1497466 (i.e. the backport of r1175416) in
> time, sorry... however, note that for 2.2.26, in the following code:
> 
> 
> > Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1500108&r1=1500107&r2=1500108&view=diff
> > ==============================================================================
> > --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
> > (original) +++
> > httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Fri Jul  5
> > 19:25:28 2013 @@ -1079,7 +1079,9 @@ static int
> > ssl_io_filter_connect(ssl_fil
> >           * IPv4 and IPv6 addresses are not permitted".)
> >           */
> >          if (hostname_note &&
> > +#ifndef OPENSSL_NO_SSL2
> >              sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
> > +#endif
> >              sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
> >              apr_ipsubnet_create(&ip, hostname_note, NULL,
> >                                  c->pool) != APR_SUCCESS) {
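Review bot: the `#ifndef OPENSSL_NO_SSL2` guard around the `sc->proxy->protocol != SSL_PROTOCOL_SSLV2` clause only works around the build failure from PR 55194; the clause itself is dead, because an SSLv2 ClientHello has no extension mechanism and OpenSSL never adds TLS extensions to one, so the condition could be reduced to the `sc->proxy->protocol != SSL_PROTOCOL_SSLV3` test that trunk and 2.4.x already use, which also removes a preprocessor conditional from the middle of an `&&` chain. If the SSLv2 clause is kept, the comment above this `if` (which currently only explains the IPv4/IPv6 literal restriction) should state why SSLv2 and SSLv3 are skipped, namely that SNI is a TLS extension and an SSLv3 ClientHello must not carry it, so a later reader does not re-order or drop the clauses by accident.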
> > 
> > 
> 
> it might make more sense to completely drop the #ifndef block, since
> OpenSSL itself will never add TLS extensions for SSLv2
> connections (that's the reason why even in trunk/2.4 we only check for
> SSL_PROTOCOL_SSLV3).
> 
> Furthermore, with OpenSSL 1.0.0 and later, or 0.9.8m or later, the
> glitch of including an SNI extension in an SSLv3 ClientHello has been
> fixed in OpenSSL itself, so it's even debatable if we still need to
> guard against this (0.9.8m and 1.0.0 were released in February/March
> 2010). See
> 
> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1629
> 
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=18f8258a87bd3b4099f5ab6f788c7bc2bfa00f9c
> 
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5d577d7eb0f6cd2432b60e6abececc6f7c9bbb79
> 
> Kaspar

Color me confused.  Where SSLv2 alone is dropped from the stock OpenSSL
build, 2.2.25 would not compile.  The www.a.o/dist/httpd/Announcement
file calls out this patch as a workaround, which I will publish once
I have sorted why the binary win32 dbd drivers don't correspond to the
prior release.

Could you rephrase what you are getting at so we can correct the ANN
message? http://www.apache.org/dist/httpd/Announcement2.2.txt para 5.

Bill
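As an added example, not part of this thread and not mod_ssl's own code, here is the decision the quoted hunk implements written as a stand-alone C function: send SNI on a backend connection only when the configured protocol can carry a TLS extension and the target is a host name rather than an IP literal (RFC 6066 section 3). The PROTO_* values, should_send_sni() and is_ip_literal() are hypothetical stand-ins for mod_ssl's SSL_PROTOCOL_* constants and its apr_ipsubnet_create() test; inet_pton() plays the role of APR's address parser, and the bracketed-IPv6 case is handled here although the hunk does not show it.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <string.h>

/* Hypothetical stand-ins for mod_ssl's SSL_PROTOCOL_* bits (not the real values). */
enum {
    PROTO_SSLV2 = 1 << 0,
    PROTO_SSLV3 = 1 << 1,
    PROTO_TLSV1 = 1 << 2,
};

/* Return 1 if host parses as an IPv4 or IPv6 literal, i.e. the analogue of
 * apr_ipsubnet_create() succeeding. "[v6addr]" as written in URLs is accepted. */
static int is_ip_literal(const char *host)
{
    char inner[INET6_ADDRSTRLEN + 1];
    unsigned char addr[16];
    size_t len = strlen(host);

    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof(inner))
            return 0;               /* too long to be an address anyway */
        memcpy(inner, host + 1, len - 2);
        inner[len - 2] = '\0';
        host = inner;
    }
    return inet_pton(AF_INET, host, addr) == 1
        || inet_pton(AF_INET6, host, addr) == 1;
}

/* Decide whether an SNI extension may be added to the backend ClientHello.
 * protocol is the configured proxy protocol set (a bitmask, as in mod_ssl). */
int should_send_sni(const char *hostname, int protocol)
{
    if (hostname == NULL || hostname[0] == '\0')
        return 0;                   /* nothing to announce */

    /* SNI is a TLS extension: SSLv2 has no extension mechanism at all, and
     * an SSLv3-only ClientHello must not carry one either. */
    if (protocol == PROTO_SSLV2 || protocol == PROTO_SSLV3)
        return 0;

    /* RFC 6066 section 3: literal IPv4 and IPv6 addresses are not permitted
     * in the HostName field, so fall back to a ClientHello without SNI. */
    if (is_ip_literal(hostname))
        return 0;

    return 1;
}
```

Note that the comparison is against the configured protocol *set*, as in the hunk: a proxy allowed to use SSLv3 or TLS still gets SNI, because OpenSSL only emits the extension when it actually negotiates TLS.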
