patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds
I've opened a ticket for this already (bz 58349) but it was suggested that I send mail here as well. Currently httpd builds fail with libressl as SSLv3 has been disabled (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method() functions. ab.c fails at build time, mod_ssl is slightly nastier as this isn't picked up until trying to start a server with ssl enabled. Thanks, Stuart --- support/ab.c.orig Fri Jul 17 22:55:57 2015 +++ support/ab.cFri Jul 17 22:56:13 2015 @@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[]) } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) { meth = SSLv2_client_method(); #endif +#ifndef OPENSSL_NO_SSL3 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { meth = SSLv3_client_method(); +#endif #ifdef HAVE_TLSV1_X } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { meth = TLSv1_1_client_method(); --- modules/ssl/ssl_engine_init.c.orig Sun Sep 6 15:23:52 2015 +++ modules/ssl/ssl_engine_init.c Sun Sep 6 15:57:35 2015 @@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec * "Creating new SSL context (protocols: %s)", cp); if (protocol == SSL_PROTOCOL_SSLV3) { +#ifndef OPENSSL_NO_SSL3 method = mctx->pkp ? SSLv3_client_method() : /* proxy */ SSLv3_server_method(); /* server */ +#else +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, +"SSLv3 protocol not available"); +return ssl_die(s); +#endif } else if (protocol == SSL_PROTOCOL_TLSV1) { method = mctx->pkp ?
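Review bot: in the ab.c hunk, guarding only the `SSL3` branch with `#ifndef OPENSSL_NO_SSL3` means that on a no-ssl3 build a user who asks for SSL3 silently falls through to the remaining `else if` chain instead of being told the protocol is unavailable; consider an `#else` branch that prints an explicit "SSLv3 not available in this build" error, matching the explicit handling the mod_ssl hunk adds. The shape itself is consistent with the SSL2 branch just above, which is already guarded the same way.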
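Review bot: in the ssl_engine_init.c hunk the `#else` branch rightly refuses to start (APLOG_EMERG plus `return ssl_die(s)`) rather than quietly substituting another protocol, but the message "SSLv3 protocol not available" does not say why, so an administrator may go looking for a library problem; suggest wording such as "SSLv3 protocol not available (library built without SSLv3 support)" so it is clear the server's protocol configuration is what has to change.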
Re: patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds
On Thu, Sep 10, 2015 at 10:37:44AM +, Stuart Henderson wrote: > I've opened a ticket for this already (bz 58349) but it was suggested > that I send mail here as well. > > Currently httpd builds fail with libressl as SSLv3 has been disabled > (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method() > functions. > > ab.c fails at build time, mod_ssl is slightly nastier as this isn't > picked up until trying to start a server with ssl enabled. > > Thanks, > Stuart Does OpenSSL use the name OPENSSL_NO_SSL3 too? Or is this macro defined by LibreSSL only? > --- support/ab.c.orig Fri Jul 17 22:55:57 2015 > +++ support/ab.c Fri Jul 17 22:56:13 2015 > @@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[]) > } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) { > meth = SSLv2_client_method(); > #endif > +#ifndef OPENSSL_NO_SSL3 > } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { > meth = SSLv3_client_method(); > +#endif > #ifdef HAVE_TLSV1_X > } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { > meth = TLSv1_1_client_method(); > > --- modules/ssl/ssl_engine_init.c.origSun Sep 6 15:23:52 2015 > +++ modules/ssl/ssl_engine_init.c Sun Sep 6 15:57:35 2015 > @@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec * > "Creating new SSL context (protocols: %s)", cp); > > if (protocol == SSL_PROTOCOL_SSLV3) { > +#ifndef OPENSSL_NO_SSL3 > method = mctx->pkp ? > SSLv3_client_method() : /* proxy */ > SSLv3_server_method(); /* server */ > +#else > +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, > +"SSLv3 protocol not available"); > +return ssl_die(s); > +#endif > } > else if (protocol == SSL_PROTOCOL_TLSV1) { > method = mctx->pkp ? >
Re: patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds
On 2015/09/10 13:40, Stefan Sperling wrote:
> On Thu, Sep 10, 2015 at 10:37:44AM +, Stuart Henderson wrote:
> > I've opened a ticket for this already (bz 58349) but it was suggested
> > that I send mail here as well.
> >
> > Currently httpd builds fail with libressl as SSLv3 has been disabled
> > (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
> > functions.
> >
> > ab.c fails at build time, mod_ssl is slightly nastier as this isn't
> > picked up until trying to start a server with ssl enabled.
> >
> > Thanks,
> > Stuart
>
> Does OpenSSL use the name OPENSSL_NO_SSL3 too?
> Or is this macro defined by LibreSSL only?

With OpenSSL this is defined when it's built with the no-ssl3 option; it works the same as building with no-rc5, no-ssl2, etc. This patch is similar to previous patches which were added to various projects when various OS (e.g. Debian, OpenBSD) disabled ssl2 in their standard builds of OpenSSL.

For LibreSSL the functions have just been removed completely; it's no longer a build option, but the effect is exactly the same as an OpenSSL build with no-ssl3.
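The reply above explains that OPENSSL_NO_SSL3 is set by an OpenSSL built with no-ssl3 and is always set by LibreSSL. The script below is an added example, not part of httpd or of the patch in this thread: a configure-style probe that compiles a one-line test program against the installed headers and reports whether the macro is defined, so a build can find out before mod_ssl fails at server start. It assumes a C compiler is reachable as $CC or `cc` and that the headers, if installed, are found on the default include path.

```shell
#!/bin/sh
# Added example (not httpd code): probe whether the installed OpenSSL or
# LibreSSL headers define OPENSSL_NO_SSL3, the way an autoconf check would.
# Assumes a C compiler is available as $CC or `cc`.

# Prints one word and returns 0:
#   disabled    - OPENSSL_NO_SSL3 is defined (OpenSSL no-ssl3 build or LibreSSL)
#   enabled     - the header is present and the macro is not defined
#   no-headers  - <openssl/opensslconf.h> could not be compiled against
#   no-compiler - no C compiler was found
ssl3_status() {
    cc="${CC:-cc}"
    command -v "$cc" >/dev/null 2>&1 || { echo no-compiler; return 0; }
    tmp=$(mktemp -d) || return 1
    # The #error turns "macro is defined" into a compile failure whose
    # message we can recognise in the compiler's stderr.
    cat > "$tmp/probe.c" <<'EOF'
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_SSL3
#error OPENSSL_NO_SSL3_IS_DEFINED
#endif
int main(void) { return 0; }
EOF
    if "$cc" -c -o "$tmp/probe.o" "$tmp/probe.c" 2>"$tmp/err"; then
        result=enabled
    elif grep -q OPENSSL_NO_SSL3_IS_DEFINED "$tmp/err"; then
        result=disabled
    else
        result=no-headers
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Returns 0 only when the library can still provide SSLv3; a build that
# must keep SSLv3 support can call this and stop early instead of finding
# out when the server refuses to start.
ssl3_available() {
    case $(ssl3_status) in
        enabled) return 0 ;;
        *) return 1 ;;
    esac
}

ssl3_status
```

Run it as-is to see the status of the toolchain on the build host; in a configure script the `#ifdef`/`#error` trick is the usual way to get a preprocessor fact out of a header without linking against the library.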