I have sent a candidate patch for the "talking http on https" issue to the OpenSSL project. Using this patch and another fix I applied to trunk for reneg handling in the proxy client case (mod_proxy talking https to a backend), I'm now down to one remaining test suite failure.

More precisely, the following points are open:

- reneg for ECDHE and maybe other ciphers
IMHO broken in OpenSSL itself. I opened a case there, because I can reproduce it with the openssl command-line tools s_server and s_client, i.e. without any Apache involvement. Steve has already taken the ticket there.

  https://rt.openssl.org/Ticket/Display.html?id=4303

- "talking http on https": The patch for OpenSSL is not big and mostly consists of the older OpenSSL 1.0.2 code, but they have to check whether I have put it in the right place. I verified it works by running the Apache test suite, which contains tests using the "talking http on https" feature.

  https://rt.openssl.org/Ticket/Display.html?id=4304

- Test suite failure in test 3 of t/security/CVE-2009-3555.t. The test sends two pipelined requests, where the first one needs a reneg. With pre-1.1.0, the first request succeeds and then the connection is closed. With 1.1.0, the reneg fails, the first request gets a 403 and the connection is closed. For this, some analysis is still needed on our side.

All other tests succeed; some non-SSL tests fail for prefork and worker, but they did so before the changes, and they fail with OpenSSL 1.0.2 as well.

Once the last test breakage is fixed, I plan to go through the changes in order to remove pre-1.1.0 OpenSSL specific code where these versions can use the newer code as well. Currently, pre-1.1.0 OpenSSL versions use exactly the same code path as before the changes.


If you want to do tests on your own, what you need is:

- OpenSSL 1.1.0pre2 plus two patches:

  https://github.com/openssl/openssl/commit/311f27852a18fb9c10f0c1283b639f12eea06de2

  https://rt.openssl.org/Ticket/Attachment/62645/38635/http-on-https.patch

- Fix to use a non-ECDHE cipher in the test suite:

--- t/conf/ssl/ssl.conf.in  2016-02-12 17:21:44.857749000 +0100
+++ t/conf/ssl/ssl.conf.in        2016-02-12 23:15:18.493357000 +0100
@@ -33,7 +33,8 @@
         CustomLog logs/ssl_request_log ssl
     </IfModule>

-    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ SSLCipherSuite AES128-SHA256:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+    SSLHonorCipherOrder On

     <IfDefine TEST_SSL_PASSPHRASE_EXEC>
SSLPassPhraseDialog exec:@ServerRoot@/conf/ssl/httpd-passphrase.pl
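Review bot: the added `+ SSLCipherSuite` line loses the four-space indentation that the removed line and the neighbouring `CustomLog`/`</IfModule>` lines have (the `+    SSLHonorCipherOrder On` line right below it is indented correctly); re-indent it so the block stays consistent. On the cipher choice itself: AES128-SHA256 is a TLS 1.2-only suite, so a test client that ends up on TLS 1.0 or 1.1 falls through to the remainder of the list (ALL, which still contains the ECDHE suites) and the reneg test can still hit an ECDHE handshake. If the intent is to keep ECDHE out of the test run for every protocol version, add an explicit `!kECDHE` (or `!ECDHE`) exclusion, or put AES128-SHA first, which is available from TLS 1.0 on. `SSLHonorCipherOrder On` is needed for the server's first-listed suite to win and is the right companion change.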


- Depending on how you link, also build apr-util crypto against OpenSSL 1.1.0. apr trunk, but also apr-util 1.5.x head, supports this.

Regards,

Rainer
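Added example (not part of Rainer's message and not httpd or OpenSSL code): the detection that the "talking http on https" feature depends on, reproduced offline with Python's ssl module over memory BIOs. OpenSSL refuses a first record that starts with GET, POST, HEAD or PUT with the error reason HTTP_REQUEST (a proxy-style CONNECT gives HTTPS_PROXY_REQUEST), and that error is what lets mod_ssl answer the client in plain HTTP instead of dropping the connection. The function names classify_first_bytes and plaintext_reply, the returned labels and the 400 reply text are my own choices, the sample inputs are constructed, and it assumes a Python linked against an OpenSSL that implements this check (for 1.1.0 that is only the case with the http-on-https patch listed above).

```python
import ssl
from typing import Optional

# Error reasons OpenSSL raises when the first bytes on a TLS port are a
# plaintext HTTP request (SSL_R_HTTP_REQUEST) or a proxy CONNECT
# (SSL_R_HTTPS_PROXY_REQUEST).  Python exposes them as SSLError.reason.
PLAINTEXT_HTTP_REASONS = {"HTTP_REQUEST", "HTTPS_PROXY_REQUEST"}


def classify_first_bytes(first_bytes: bytes) -> str:
    """Feed the first bytes received on a TLS listener into an OpenSSL
    server-side handshake running over memory BIOs (no sockets, no network)
    and report what OpenSSL made of them.

    Returns one of:
      "plaintext-http"      OpenSSL rejected the bytes as an HTTP request
      "tls-incomplete"      looks like a TLS record, handshake needs more data
      "tls-complete"        handshake finished (not reachable here, no cert)
      "tls-error:<REASON>"  any other handshake failure, e.g. WRONG_VERSION_NUMBER
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Deliberately no certificate: the HTTP check fires while OpenSSL parses
    # the first record header, long before a certificate would be needed.
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(first_bytes)
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        # Header parsed as TLS, body not yet available.
        return "tls-incomplete"
    except ssl.SSLError as err:
        if err.reason in PLAINTEXT_HTTP_REASONS:
            return "plaintext-http"
        return f"tls-error:{err.reason}"
    return "tls-complete"


def plaintext_reply(first_bytes: bytes) -> Optional[bytes]:
    """Hypothetical server-side reaction (modelled on, but not copied from,
    what mod_ssl does): when the client spoke plain HTTP, answer in plain
    HTTP with a 400 so a browser shows an explanation instead of a reset.
    Returns None when the bytes should be handed to the TLS handshake."""
    if classify_first_bytes(first_bytes) != "plaintext-http":
        return None
    body = b"<html><body>You are speaking plain HTTP to a TLS port.</body></html>\n"
    return (b"HTTP/1.0 400 Bad Request\r\n"
            b"Content-Type: text/html\r\n"
            b"Connection: close\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = {
        "plain GET":     b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n",
        "proxy CONNECT": b"CONNECT localhost:443 HTTP/1.1\r\n\r\n",
        "partial TLS":   b"\x16\x03\x01\x00\x05",
        "garbage":       b"hello world\r\n",
    }
    for name, data in samples.items():
        print(f"{name:14s} -> {classify_first_bytes(data)}")
```

The MemoryBIO route is what makes this reproducible without a listening daemon: the same classification happens inside OpenSSL when mod_ssl calls SSL_accept on a real socket, and an OpenSSL build without the check reports WRONG_VERSION_NUMBER for the GET sample instead of HTTP_REQUEST, which is exactly the symptom the test suite's "talking http on https" tests catch.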
