I've opened a ticket for this already (bz 58349) but it was suggested
that I send mail here as well.
Currently httpd builds fail with libressl as SSLv3 has been disabled
(OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
functions.
ab.c fails at build time, mod_ssl is slightly nastier as this isn't
picked up until trying to start a server with ssl enabled.
Thanks,
Stuart
--- support/ab.c.orig Fri Jul 17 22:55:57 2015
+++ support/ab.c Fri Jul 17 22:56:13 2015
@@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[])
} else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
meth = SSLv2_client_method();
#endif
+#ifndef OPENSSL_NO_SSL3
} else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
meth = SSLv3_client_method();
+#endif
#ifdef HAVE_TLSV1_X
} else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
meth = TLSv1_1_client_method();
--- modules/ssl/ssl_engine_init.c.orig Sun Sep 6 15:23:52 2015
+++ modules/ssl/ssl_engine_init.c Sun Sep 6 15:57:35 2015
@@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
"Creating new SSL context (protocols: %s)", cp);
if (protocol == SSL_PROTOCOL_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
method = mctx->pkp ?
SSLv3_client_method() : /* proxy */
SSLv3_server_method(); /* server */
+#else
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+ "SSLv3 protocol not available");
+ return ssl_die(s);
+#endif
}
else if (protocol == SSL_PROTOCOL_TLSV1) {
method = mctx->pkp ?
