Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5038F17242 for ; Thu, 10 Sep 2015 11:40:25 +0000 (UTC) Received: (qmail 43340 invoked by uid 500); 10 Sep 2015 11:40:24 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 43276 invoked by uid 500); 10 Sep 2015 11:40:24 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 43267 invoked by uid 99); 10 Sep 2015 11:40:24 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Sep 2015 11:40:24 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 05735C01AB for ; Thu, 10 Sep 2015 11:40:24 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.001 X-Spam-Level: X-Spam-Status: No, score=0.001 tagged_above=-999 required=6.31 tests=[UNPARSEABLE_RELAY=0.001] autolearn=disabled Received: from mx1-us-west.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id DuEL5Lvv1OLj for ; Thu, 10 Sep 2015 11:40:23 +0000 (UTC) Received: from einhorn.in-berlin.de (einhorn.in-berlin.de [192.109.42.8]) by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with ESMTPS id AFE1620103 for ; Thu, 10 Sep 2015 11:40:22 +0000 (UTC) X-Envelope-From: stsp@apache.org Received: from jim.stsp.name (jim.stsp.name [217.197.84.42]) (authenticated bits=0) by einhorn.in-berlin.de (8.14.4/8.14.4/Debian-4) with ESMTP id t8ABeCcX006465 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Sep 2015 13:40:13 +0200 Received: from localhost (jim.stsp.name [local]) by jim.stsp.name (OpenSMTPD) with ESMTPA id 789fc6a1; Thu, 10 Sep 2015 13:40:11 +0200 (CEST) Date: Thu, 10 Sep 2015 13:40:11 +0200 From: Stefan Sperling To: dev@httpd.apache.org Cc: Stuart Henderson Subject: Re: patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds Message-ID: <20150910114011.GJ24023@jim.stsp.name> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) On Thu, Sep 10, 2015 at 10:37:44AM +0000, Stuart Henderson wrote: > I've opened a ticket for this already (bz 58349) but it was suggested > that I send mail here as well. > > Currently httpd builds fail with libressl as SSLv3 has been disabled > (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method() > functions. > > ab.c fails at build time, mod_ssl is slightly nastier as this isn't > picked up until trying to start a server with ssl enabled. > > Thanks, > Stuart Does OpenSSL use the name OPENSSL_NO_SSL3 too? Or is this macro defined by LibreSSL only? > --- support/ab.c.orig Fri Jul 17 22:55:57 2015 > +++ support/ab.c Fri Jul 17 22:56:13 2015 > @@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[]) > } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) { > meth = SSLv2_client_method(); > #endif > +#ifndef OPENSSL_NO_SSL3 > } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { > meth = SSLv3_client_method(); > +#endif > #ifdef HAVE_TLSV1_X > } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { > meth = TLSv1_1_client_method(); > > --- modules/ssl/ssl_engine_init.c.orig Sun Sep 6 15:23:52 2015 > +++ modules/ssl/ssl_engine_init.c Sun Sep 6 15:57:35 2015 > @@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec * > "Creating new SSL context (protocols: %s)", cp); > > if (protocol == SSL_PROTOCOL_SSLV3) { > +#ifndef OPENSSL_NO_SSL3 > method = mctx->pkp ? > SSLv3_client_method() : /* proxy */ > SSLv3_server_method(); /* server */ > +#else > + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, > + "SSLv3 protocol not available"); > + return ssl_die(s); > +#endif > } > else if (protocol == SSL_PROTOCOL_TLSV1) { > method = mctx->pkp ? >