httpd-dev mailing list archives

From Jan Kaluža <jkal...@redhat.com>
Subject mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?
Date Tue, 21 Jul 2015 12:35:16 GMT
Hi,

in Fedora, OpenSSL maintainers are setting SSL_OP_NO_SSLv2 and 
SSL_OP_NO_SSLv3 options by default [1].

This disables both SSLv2 and SSLv3 by default in the SSLv23_method(), 
which is what mod_ssl uses when more than one version is requested.

The side effect of this change in OpenSSL is that some configurations 
that attempt to explicitly enable SSLv3 don't work correctly.  While 
this enables SSLv3, as it uses SSLv3_method:

SSLProtocol +SSLv3

the following two do not work:

SSLProtocol +SSLv3 +TLSv1
SSLProtocol all -TLSv1.1 -TLSv1.2

We have the following options now:

1. Clear the SSL_OP_NO_SSLvX flags when there is "+SSLvX". It means 
doing something like:

/* protocol: the SSLProtocol bitmask from the config; ctx: the SSL_CTX being set up */
if (!(protocol & SSL_PROTOCOL_SSLV3)) {
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
} else {
    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
}

That overwrites the defaults set by OpenSSL.

2. Same as 1., but print a warning that we are overwriting the system OpenSSL 
settings.

3. Respect the defaults set by OpenSSL and print a warning that we 
won't overwrite them. That's probably silly if you really want to enable 
SSLv3 just in httpd.


[1] http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?id=80b5477

What would you choose? Or should that be handled differently?

Regards,
Jan Kaluza
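As an added illustration (not part of Jan's message and not mod_ssl's own source), the C model below re-implements the SSLProtocol directive parsing and the two ways of applying the result to the SSL_CTX option bits: the pre-change behaviour that only ever sets SSL_OP_NO_* flags, and option 1 from the mail, which also clears them. It does not link libssl: the SSL_OP_NO_* values are copied from OpenSSL 1.0.x headers, the SSL_PROTOCOL_* bits are assumed to mirror ssl_private.h, and every function name is this example's own. Run against a distro default of SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 it shows why "+SSLv3 +TLSv1" and "all -TLSv1.1 -TLSv1.2" leave SSLv3 disabled under set-only logic while a lone "+SSLv3" still works, and how set-and-clear logic changes that.

```c
#include <stdio.h>
#include <strings.h>

/* mod_ssl-style protocol bits (assumed to mirror ssl_private.h; only their
 * distinctness matters here). "all" excludes SSLv2, as in mod_ssl. */
#define SSL_PROTOCOL_NONE    0
#define SSL_PROTOCOL_SSLV2   (1 << 0)
#define SSL_PROTOCOL_SSLV3   (1 << 1)
#define SSL_PROTOCOL_TLSV1   (1 << 2)
#define SSL_PROTOCOL_TLSV1_1 (1 << 3)
#define SSL_PROTOCOL_TLSV1_2 (1 << 4)
#define SSL_PROTOCOL_ALL     (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | \
                              SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2)

/* OpenSSL 1.0.x SSL_OP_NO_* values, copied so the model builds without libssl
 * (assumed to match <openssl/ssl.h> of that era). */
#define SSL_OP_NO_SSLv2   0x01000000UL
#define SSL_OP_NO_SSLv3   0x02000000UL
#define SSL_OP_NO_TLSv1   0x04000000UL
#define SSL_OP_NO_TLSv1_2 0x08000000UL
#define SSL_OP_NO_TLSv1_1 0x10000000UL

/* What a Fedora-patched OpenSSL already has set on a freshly created SSL_CTX. */
#define DISTRO_DEFAULT_OPTIONS (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)

static const struct { const char *name; int bit; unsigned long flag; } proto_map[] = {
    { "SSLv2",   SSL_PROTOCOL_SSLV2,   SSL_OP_NO_SSLv2   },
    { "SSLv3",   SSL_PROTOCOL_SSLV3,   SSL_OP_NO_SSLv3   },
    { "TLSv1",   SSL_PROTOCOL_TLSV1,   SSL_OP_NO_TLSv1   },
    { "TLSv1.1", SSL_PROTOCOL_TLSV1_1, SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", SSL_PROTOCOL_TLSV1_2, SSL_OP_NO_TLSv1_2 },
};
#define NPROTO (sizeof proto_map / sizeof proto_map[0])

/* Parse an SSLProtocol argument ("+SSLv3 +TLSv1", "all -TLSv1.1 -TLSv1.2")
 * into a protocol bitmask following mod_ssl's grammar: a bare word replaces
 * the set, '+' adds, '-' removes. Returns the mask, or -1 on an unknown word. */
int parse_sslprotocol(const char *arg)
{
    int options = SSL_PROTOCOL_NONE;
    while (*arg) {
        char word[16];
        char action = '\0';
        size_t n = 0, i;
        int thisopt;

        while (*arg == ' ' || *arg == '\t') arg++;
        if (!*arg) break;
        if (*arg == '+' || *arg == '-') action = *arg++;
        while (*arg && *arg != ' ' && *arg != '\t' && n < sizeof word - 1)
            word[n++] = *arg++;
        word[n] = '\0';

        if (strcasecmp(word, "all") == 0) {
            thisopt = SSL_PROTOCOL_ALL;
        } else {
            for (i = 0; i < NPROTO && strcasecmp(word, proto_map[i].name) != 0; i++) ;
            if (i == NPROTO) return -1;
            thisopt = proto_map[i].bit;
        }
        if (action == '-')      options &= ~thisopt;
        else if (action == '+') options |= thisopt;
        else                    options = thisopt;
    }
    return options;
}

/* Pre-change behaviour: only adds SSL_OP_NO_* for protocols that were not
 * requested, so a distro-set SSL_OP_NO_SSLv3 survives "+SSLv3". */
unsigned long apply_set_only(unsigned long ctx_options, int protocol)
{
    size_t i;
    for (i = 0; i < NPROTO; i++)
        if (!(protocol & proto_map[i].bit)) ctx_options |= proto_map[i].flag;
    return ctx_options;
}

/* Option 1 from the mail: set the flag when the protocol is absent, clear it
 * when present, overriding whatever the library pre-set. */
unsigned long apply_set_and_clear(unsigned long ctx_options, int protocol)
{
    size_t i;
    for (i = 0; i < NPROTO; i++) {
        if (protocol & proto_map[i].bit) ctx_options &= ~proto_map[i].flag;
        else                             ctx_options |= proto_map[i].flag;
    }
    return ctx_options;
}

/* SSLv3 outcome as a client would see it. With exactly one protocol requested
 * mod_ssl uses a version-specific method (e.g. SSLv3_method) and the
 * SSL_OP_NO_* flags do not matter; otherwise SSLv23_method is used and they do. */
int sslv3_enabled(unsigned long ctx_options, int protocol)
{
    int single = protocol != 0 && (protocol & (protocol - 1)) == 0;
    if (single) return protocol == SSL_PROTOCOL_SSLV3;
    return !(ctx_options & SSL_OP_NO_SSLv3);
}

int main(void)
{
    /* Constructed sample directives, the three cases from the mail. */
    const char *configs[] = { "+SSLv3", "+SSLv3 +TLSv1", "all -TLSv1.1 -TLSv1.2" };
    size_t i;
    for (i = 0; i < sizeof configs / sizeof configs[0]; i++) {
        int proto = parse_sslprotocol(configs[i]);
        if (proto < 0) { printf("SSLProtocol %s: unknown protocol\n", configs[i]); continue; }
        printf("SSLProtocol %-24s set-only: SSLv3 %s  set-and-clear: SSLv3 %s\n", configs[i],
               sslv3_enabled(apply_set_only(DISTRO_DEFAULT_OPTIONS, proto), proto) ? "on" : "off",
               sslv3_enabled(apply_set_and_clear(DISTRO_DEFAULT_OPTIONS, proto), proto) ? "on" : "off");
    }
    return 0;
}
```

Note that apply_set_and_clear also clears SSL_OP_NO_SSLv2 when SSLv2 is explicitly requested, which is exactly the "overwrites the distro default" property options 2 and 3 in the mail argue about; any warning would go where the clear happens.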
