httpd-dev mailing list archives

From Stuart Henderson <st...@openbsd.org>
Subject patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds
Date Thu, 10 Sep 2015 10:37:44 GMT
I've opened a ticket for this already (bz 58349) but it was suggested
that I send mail here as well.

Currently httpd builds fail with LibreSSL as SSLv3 has been disabled
(OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
functions.

ab.c fails at build time; mod_ssl is slightly nastier, as this isn't
picked up until trying to start a server with SSL enabled.

Thanks,
Stuart

--- support/ab.c.orig	Fri Jul 17 22:55:57 2015
+++ support/ab.c	Fri Jul 17 22:56:13 2015
@@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[])
                 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
 #endif
+#ifndef OPENSSL_NO_SSL3
                 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
+#endif
 #ifdef HAVE_TLSV1_X
                 } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
                     meth = TLSv1_1_client_method();
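
Review bot: with OPENSSL_NO_SSL3 defined, the "SSL3" comparison in this else-if chain is compiled out, so an opt_arg of "SSL3" matches none of the branches shown and is handled by whatever ends the chain, which lies outside this hunk. That risks a benchmark run that quietly uses a different protocol than the one requested. Consider adding an #else arm that keeps the strncasecmp(opt_arg, "SSL3", 4) test but prints that SSLv3 is not available in this build and exits, matching the explicit failure the mod_ssl hunk adds. Any usage text that lists SSL3 as an accepted value should get the same #ifndef OPENSSL_NO_SSL3 guard.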

--- modules/ssl/ssl_engine_init.c.orig	Sun Sep  6 15:23:52 2015
+++ modules/ssl/ssl_engine_init.c	Sun Sep  6 15:57:35 2015
@@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
                  "Creating new SSL context (protocols: %s)", cp);
 
     if (protocol == SSL_PROTOCOL_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
         method = mctx->pkp ?
             SSLv3_client_method() : /* proxy */
             SSLv3_server_method();  /* server */
+#else
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+            "SSLv3 protocol not available");
+        return ssl_die(s);
+#endif
     }
     else if (protocol == SSL_PROTOCOL_TLSV1) {
         method = mctx->pkp ?
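
Review bot: the new #else arm logs only "SSLv3 protocol not available" at APLOG_EMERG before ssl_die(s), which does not tell the administrator that the cause is the SSL library build or what to change. Suggest wording that says the linked library was built without SSLv3 (OPENSSL_NO_SSL3) and that the SSLProtocol setting for this server must not select SSLv3 alone. Also note that the guard sits inside the protocol == SSL_PROTOCOL_SSLV3 test, so it covers only the case where SSLv3 is the single selected protocol; configurations that include SSLv3 alongside other protocols take a path not shown in this hunk, and it is worth confirming that path neither references SSLv3 symbols nor silently offers a protocol set different from the one configured.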


