httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Sperling <s...@apache.org>
Subject Re: patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds
Date Thu, 10 Sep 2015 11:40:11 GMT
On Thu, Sep 10, 2015 at 10:37:44AM +0000, Stuart Henderson wrote:
> I've opened a ticket for this already (bz 58349) but it was suggested
> that I send mail here as well.
> 
> Currently httpd builds fail with libressl as SSLv3 has been disabled
> (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
> functions.
> 
> ab.c fails at build time, mod_ssl is slightly nastier as this isn't
> picked up until trying to start a server with ssl enabled.
> 
> Thanks,
> Stuart

Does OpenSSL use the name OPENSSL_NO_SSL3 too?
Or is this macro defined by LibreSSL only?

> --- support/ab.c.orig	Fri Jul 17 22:55:57 2015
> +++ support/ab.c	Fri Jul 17 22:56:13 2015
> @@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[])
>                  } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
>                      meth = SSLv2_client_method();
>  #endif
> +#ifndef OPENSSL_NO_SSL3
>                  } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
>                      meth = SSLv3_client_method();
> +#endif
>  #ifdef HAVE_TLSV1_X
>                  } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
>                      meth = TLSv1_1_client_method();
> 
> --- modules/ssl/ssl_engine_init.c.orig	Sun Sep  6 15:23:52 2015
> +++ modules/ssl/ssl_engine_init.c	Sun Sep  6 15:57:35 2015
> @@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
>                   "Creating new SSL context (protocols: %s)", cp);
>  
>      if (protocol == SSL_PROTOCOL_SSLV3) {
> +#ifndef OPENSSL_NO_SSL3
>          method = mctx->pkp ?
>              SSLv3_client_method() : /* proxy */
>              SSLv3_server_method();  /* server */
> +#else
> +        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
> +            "SSLv3 protocol not available");
> +        return ssl_die(s);
> +#endif
>      }
>      else if (protocol == SSL_PROTOCOL_TLSV1) {
>          method = mctx->pkp ?
> 

Mime
View raw message