From Rainer Jung <>
Subject [Update] Support for OpenSSL 1.1.0
Date Sat, 13 Feb 2016 11:24:57 GMT
I have sent a candidate patch for the "talking http on https" patch to 
the OpenSSL project. Using this patch and another fix I applied to trunk 
for reneg handling in the proxy client case (mod_proxy talking https to 
a backend), I'm now down to one remaining test suite failure.

More precisely, the following points are open:

- reneg for ECDHE and maybe other ciphers
   IMHO broken in OpenSSL itself. Opened a case there, because I can 
reproduce with the openssl s_server and s_client commands, i.e. without any 
Apache involvement. Steve has already taken the ticket there.

- "talking http on https": The patch for OpenSSL is not big and mostly 
consists of the older OpenSSL 1.0.2 code, but they have to check whether 
I have put it at the right place. I verified it works by running the 
Apache test suite, which contains tests using the "talking http on 
https" feature.

- Test suite failure test 3 in t/security/CVE-2009-3555.t. The test 
sends two requests pipelined, where the first one needs a reneg. 
Pre-1.1.0 the first request succeeds and then the connection is closed. 
Using 1.1.0 the reneg fails, the first request gets a 403 and the 
connection is closed. For this there's still some analysis needed on our 

All other tests succeed; some non-SSL tests fail for prefork and 
worker, but they did before the changes and they fail with OpenSSL 1.0.2 

Once the last test breakage is fixed, I plan to go through the changes 
in order to remove pre-1.1.0 OpenSSL specific code where these versions 
can use the newer as well. Currently pre-1.1.0 OpenSSL versions use the 
exact same code path as before the changes.

If you want to do tests on your own, what you need is:

- OpenSSL 1.1.0pre2 plus two patches:

- Fix to use a non-ECDHE cipher in the test suite

--- t/conf/ssl/  2016-02-12 17:21:44.857749000 +0100
+++ t/conf/ssl/        2016-02-12 23:15:18.493357000 +0100
@@ -33,7 +33,8 @@
          CustomLog logs/ssl_request_log ssl

+    SSLCipherSuite 
+    SSLHonorCipherOrder On


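Review bot: the hunk as posted cannot be applied: the `+    SSLCipherSuite ` line carries no cipher string, and the `@@ -33,7 +33,8 @@` header announces a net gain of one line while the hunk shows two added lines, so either a line was lost in the mail or the header is stale. Please repost with the intended cipher value and matching counts (the `---`/`+++` file paths are also cut off at `t/conf/ssl/`). Since this lives under `t/conf`, it only pins the test suite to a non-ECDHE suite to sidestep the reneg problem described above; a comment in the config saying so, and that it should be reverted once the OpenSSL ticket is resolved, would keep the workaround from becoming permanent. `SSLHonorCipherOrder On` is needed for the pin to be effective, since otherwise the client's preference could still select an ECDHE suite.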
- Depending on how you link apr-util crypto, build it also against OpenSSL 
1.1.0. apr trunk, but also apr-util 1.5.x head, support this.