|
|
59234c |
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
|
|
|
59234c |
index 55c237e..5467d23 100644
|
|
|
59234c |
--- a/modules/ssl/ssl_engine_config.c
|
|
|
59234c |
+++ b/modules/ssl/ssl_engine_config.c
|
|
|
59234c |
@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
|
|
|
59234c |
mctx->ticket_key = NULL;
|
|
|
59234c |
#endif
|
|
|
59234c |
|
|
|
59234c |
- mctx->protocol = SSL_PROTOCOL_DEFAULT;
|
|
|
59234c |
+ mctx->protocol = SSL_PROTOCOL_NONE;
|
|
|
59234c |
mctx->protocol_set = 0;
|
|
|
59234c |
|
|
|
59234c |
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
|
|
|
59234c |
@@ -262,6 +262,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
|
|
|
59234c |
{
|
|
|
59234c |
if (add->protocol_set) {
|
|
|
59234c |
mrg->protocol = add->protocol;
|
|
|
59234c |
+ mrg->protocol_set = 1;
|
|
|
59234c |
}
|
|
|
59234c |
else {
|
|
|
59234c |
mrg->protocol = base->protocol;
|
|
|
59234c |
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
|
|
|
59234c |
index e3f62fe..31fc0e6 100644
|
|
|
59234c |
--- a/modules/ssl/ssl_engine_init.c
|
|
|
59234c |
+++ b/modules/ssl/ssl_engine_init.c
|
|
|
59234c |
@@ -568,6 +568,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|
|
59234c |
MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
|
|
|
59234c |
char *cp;
|
|
|
59234c |
int protocol = mctx->protocol;
|
|
|
59234c |
+ int protocol_set = mctx->protocol_set;
|
|
|
59234c |
SSLSrvConfigRec *sc = mySrvConfig(s);
|
|
|
59234c |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
59234c |
int prot;
|
|
|
59234c |
@@ -577,12 +578,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|
|
59234c |
* Create the new per-server SSL context
|
|
|
59234c |
*/
|
|
|
59234c |
if (protocol == SSL_PROTOCOL_NONE) {
|
|
|
59234c |
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
|
|
|
59234c |
- "No SSL protocols available [hint: SSLProtocol]");
|
|
|
59234c |
- return ssl_die(s);
|
|
|
59234c |
- }
|
|
|
59234c |
+ if (protocol_set) {
|
|
|
59234c |
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
|
|
|
59234c |
+ "No SSL protocols available [hint: SSLProtocol]");
|
|
|
59234c |
+ return ssl_die(s);
|
|
|
59234c |
+ }
|
|
|
59234c |
|
|
|
59234c |
- cp = apr_pstrcat(p,
|
|
|
59234c |
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
|
|
|
59234c |
+ "Using OpenSSL/system default SSL/TLS protocols");
|
|
|
59234c |
+ cp = "default";
|
|
|
59234c |
+ }
|
|
|
59234c |
+ else {
|
|
|
59234c |
+ cp = apr_pstrcat(p,
|
|
|
59234c |
#ifndef OPENSSL_NO_SSL3
|
|
|
59234c |
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
|
|
|
59234c |
#endif
|
|
|
59234c |
@@ -595,7 +602,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|
|
59234c |
#endif
|
|
|
59234c |
#endif
|
|
|
59234c |
NULL);
|
|
|
59234c |
- cp[strlen(cp)-2] = NUL;
|
|
|
59234c |
+ cp[strlen(cp)-2] = NUL;
|
|
|
59234c |
+ }
|
|
|
59234c |
|
|
|
59234c |
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
|
|
|
59234c |
"Creating new SSL context (protocols: %s)", cp);
|
|
|
59234c |
@@ -696,13 +704,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|
|
59234c |
prot = SSL3_VERSION;
|
|
|
59234c |
#endif
|
|
|
59234c |
} else {
|
|
|
59234c |
- SSL_CTX_free(ctx);
|
|
|
59234c |
- mctx->ssl_ctx = NULL;
|
|
|
59234c |
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
|
|
|
59234c |
- "No SSL protocols available [hint: SSLProtocol]");
|
|
|
59234c |
- return ssl_die(s);
|
|
|
59234c |
+ if (protocol_set) {
|
|
|
59234c |
+ SSL_CTX_free(ctx);
|
|
|
59234c |
+ mctx->ssl_ctx = NULL;
|
|
|
59234c |
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
|
|
|
59234c |
+ "No SSL protocols available [hint: SSLProtocol]");
|
|
|
59234c |
+ return ssl_die(s);
|
|
|
59234c |
+ }
|
|
|
59234c |
}
|
|
|
59234c |
- SSL_CTX_set_max_proto_version(ctx, prot);
|
|
|
59234c |
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
|
|
|
59234c |
|
|
|
59234c |
/* Next we scan for the minimal protocol version we should provide,
|
|
|
59234c |
* but we do not allow holes between max and min */
|
|
|
59234c |
@@ -726,7 +736,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|
|
59234c |
prot = SSL3_VERSION;
|
|
|
59234c |
}
|
|
|
59234c |
#endif
|
|
|
59234c |
- SSL_CTX_set_min_proto_version(ctx, prot);
|
|
|
59234c |
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
|
|
|
59234c |
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
|
|
|
59234c |
|
|
|
59234c |
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
|