altarch-user / rpms / httpd

Forked from rpms/httpd 2 years ago
Clone

Blame SOURCES/httpd-2.4.37-sslprotdefault.patch

59234c
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
59234c
index 55c237e..5467d23 100644
59234c
--- a/modules/ssl/ssl_engine_config.c
59234c
+++ b/modules/ssl/ssl_engine_config.c
59234c
@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
59234c
     mctx->ticket_key          = NULL;
59234c
 #endif
59234c
 
59234c
-    mctx->protocol            = SSL_PROTOCOL_DEFAULT;
59234c
+    mctx->protocol            = SSL_PROTOCOL_NONE;
59234c
     mctx->protocol_set        = 0;
59234c
 
59234c
     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
59234c
@@ -262,6 +262,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
59234c
 {
59234c
     if (add->protocol_set) {
59234c
         mrg->protocol = add->protocol;
59234c
+        mrg->protocol_set = 1;
59234c
     }
59234c
     else {
59234c
         mrg->protocol = base->protocol;
59234c
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
59234c
index e3f62fe..31fc0e6 100644
59234c
--- a/modules/ssl/ssl_engine_init.c
59234c
+++ b/modules/ssl/ssl_engine_init.c
59234c
@@ -568,6 +568,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
59234c
     MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
59234c
     char *cp;
59234c
     int protocol = mctx->protocol;
59234c
+    int protocol_set = mctx->protocol_set;
59234c
     SSLSrvConfigRec *sc = mySrvConfig(s);
59234c
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
59234c
     int prot;
59234c
@@ -577,12 +578,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
59234c
      *  Create the new per-server SSL context
59234c
      */
59234c
     if (protocol == SSL_PROTOCOL_NONE) {
59234c
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
59234c
-                "No SSL protocols available [hint: SSLProtocol]");
59234c
-        return ssl_die(s);
59234c
-    }
59234c
+        if (protocol_set) {
59234c
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
59234c
+                    "No SSL protocols available [hint: SSLProtocol]");
59234c
+            return ssl_die(s);
59234c
+        }
59234c
 
59234c
-    cp = apr_pstrcat(p,
59234c
+        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, 
59234c
+                     "Using OpenSSL/system default SSL/TLS protocols");
59234c
+        cp = "default";
59234c
+    }
59234c
+    else {
59234c
+        cp = apr_pstrcat(p,
59234c
 #ifndef OPENSSL_NO_SSL3
59234c
                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
59234c
 #endif
59234c
@@ -595,7 +602,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
59234c
 #endif
59234c
 #endif
59234c
                      NULL);
59234c
-    cp[strlen(cp)-2] = NUL;
59234c
+        cp[strlen(cp)-2] = NUL;
59234c
+    }
59234c
 
59234c
     ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
59234c
                  "Creating new SSL context (protocols: %s)", cp);
59234c
@@ -696,13 +704,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
59234c
         prot = SSL3_VERSION;
59234c
 #endif
59234c
     } else {
59234c
-        SSL_CTX_free(ctx);
59234c
-        mctx->ssl_ctx = NULL;
59234c
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
59234c
-                "No SSL protocols available [hint: SSLProtocol]");
59234c
-        return ssl_die(s);
59234c
+        if (protocol_set) {
59234c
+            SSL_CTX_free(ctx);
59234c
+            mctx->ssl_ctx = NULL;
59234c
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
59234c
+                    "No SSL protocols available [hint: SSLProtocol]");
59234c
+            return ssl_die(s);
59234c
+        }
59234c
     }
59234c
-    SSL_CTX_set_max_proto_version(ctx, prot);
59234c
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
59234c
 
59234c
     /* Next we scan for the minimal protocol version we should provide,
59234c
      * but we do not allow holes between max and min */
59234c
@@ -726,7 +736,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
59234c
         prot = SSL3_VERSION;
59234c
     }
59234c
 #endif
59234c
-    SSL_CTX_set_min_proto_version(ctx, prot);
59234c
+    if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
59234c
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
59234c
 
59234c
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE