Hi Stefan 2018-03-28 13:15 GMT+02:00 <ic...@apache.org>:
> Author: icing > Date: Wed Mar 28 11:15:18 2018 > New Revision: 1827912 > > URL: http://svn.apache.org/viewvc?rev=1827912&view=rev > Log: > On the trunk: > mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other > libs may > need more sugar). > > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c > httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > httpd/httpd/trunk/modules/ssl/ssl_policies.h > httpd/httpd/trunk/modules/ssl/ssl_private.h > httpd/httpd/trunk/modules/ssl/update_policies.py > > > > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ > ssl_engine_init.c?rev=1827912&r1=1827911&r2=1827912&view=diff > ============================================================ > ================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 28 11:15:18 > 2018 > @@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protoco > > #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ > /* We first determine the maximum protocol version we should provide > */ > - if (protocol & SSL_PROTOCOL_TLSV1_2) { > + if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) { > + prot = TLS1_3_VERSION; > + } else if (protocol & SSL_PROTOCOL_TLSV1_2) { > prot = TLS1_2_VERSION; > } else if (protocol & SSL_PROTOCOL_TLSV1_1) { > prot = TLS1_1_VERSION; 
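Review bot: When SSL_HAVE_PROTOCOL_TLSV1_3 evaluates to 0 but the configured protocol mask still carries SSL_PROTOCOL_TLSV1_3, the new first branch is skipped and selection silently continues with the TLSv1.2 test, so a configuration that enables only TLSv1.3 leaves `prot` at whatever it held before this chain (its initialization is outside the hunk). Unless ssl_engine_config.c already rejects that bit on builds without TLSv1.3 support, which I cannot see from here, this deserves an explicit error or at least a comment at the branch, e.g. `/* TLSv1.3 bit is ignored when the library lacks it; the config layer must reject it */`. The same fall-through is present in the #if-guarded variant proposed later in the thread. ssl_init_ctx_protocol starts and ends outside the hunk.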
> @@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protoco > > /* Next we scan for the minimal protocol version we should provide, > * but we do not allow holes between max and min */ > + if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { > + prot = TLS1_2_VERSION; > + } > if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { > prot = TLS1_1_VERSION; > } > > it may be a misconfig from my side, but I get the following with openssl 1.1.0f (not TLS 1.3 afaics): ssl_engine_init.c: In function ‘ssl_init_ctx_protocol’: ssl_engine_init.c:690:16: error: ‘TLS1_3_VERSION’ undeclared (first use in this function) prot = TLS1_3_VERSION; ^~~~~~~~~~~~~~ Adding the following bits makes everything work: Index: modules/ssl/ssl_engine_init.c =================================================================== --- modules/ssl/ssl_engine_init.c (revision 1828144) +++ modules/ssl/ssl_engine_init.c (working copy) @@ -685,9 +685,12 @@ #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ /* We first determine the maximum protocol version we should provide */ +#if SSL_HAVE_PROTOCOL_TLSV1_3 if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) { prot = TLS1_3_VERSION; - } else if (protocol & SSL_PROTOCOL_TLSV1_2) { + } else +#endif + if (protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; } else if (protocol & SSL_PROTOCOL_TLSV1_1) { prot = TLS1_1_VERSION; @@ -708,9 +711,11 @@ /* Next we scan for the minimal protocol version we should provide, * but we do not allow holes between max and min */ +#if SSL_HAVE_PROTOCOL_TLSV1_3 if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) { prot = TLS1_2_VERSION; } +#endif if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { prot = TLS1_1_VERSION; } Luca
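Review bot: In the proposed working-copy patch, once the `#if SSL_HAVE_PROTOCOL_TLSV1_3` guard is in place the runtime operand `SSL_HAVE_PROTOCOL_TLSV1_3 &&` inside it is redundant, and a guarded `} else` followed by `#endif` and a bare `if (` is easy to misread and to break on the next edit. A plain condition inside the guard reads cleaner: `#if SSL_HAVE_PROTOCOL_TLSV1_3` / `if (protocol & SSL_PROTOCOL_TLSV1_3) { prot = TLS1_3_VERSION; } else` / `#endif`. Whether the macro is always defined (to 0 or 1) or only on newer OpenSSL I cannot tell from this page; `#if` treats an undefined name as 0, so the guard holds in both cases. The guard around the min-version step in the second hunk is fine as is; ssl_init_ctx_protocol starts and ends outside both hunks.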