diff --git a/config.h.in b/config.h.in index 6205d39cf4..427d2d77c6 100644 --- a/config.h.in +++ b/config.h.in @@ -1149,6 +1149,10 @@ /* Define if OpenSSL SSL read ahead support, if available, should be used. */ #undef PR_USE_OPENSSL_SSL_READ_AHEAD +/* Define if OpenSSL SSL session ID context set support, if available, should + be used. */ +#undef PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT + /* Define if OpenSSL SSL session ticket callback support, if available, * should be used. */ #undef PR_USE_OPENSSL_SSL_SESSION_TICKET_CALLBACK diff --git a/configure b/configure index 5eec09b9d6..7251ca1ecd 100755 --- a/configure +++ b/configure 
@@ -41766,6 +41766,74 @@ sed 's/^/| /' conftest.$ac_ext >&5 echo "${ECHO_T}no" >&6; } +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + LIBS="$saved_libs" + + { echo "$as_me:$LINENO: checking whether OpenSSL has SSL session ID context set support" >&5 +echo $ECHO_N "checking whether OpenSSL has SSL session ID context set support... $ECHO_C" >&6; } + saved_libs="$LIBS" + + LIBS=`echo "$LIBS" | sed -e 's/-lsupp//g'`; + LIBS="-lcrypto -lssl $LIBS" + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + #include + +int +main () +{ + + (void) SSL_SESSION_set1_id_context(NULL, NULL, 0); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + + { echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } + +cat >>confdefs.h <<\_ACEOF +#define PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT 1 +_ACEOF + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } + + fi rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ diff --git a/configure.in b/configure.in index 366d4f0a26..ce620a388a 100644 --- a/configure.in +++ b/configure.in 
@@ -3612,6 +3612,30 @@ if test x"$pr_use_openssl" = xyes; then ) LIBS="$saved_libs" + AC_MSG_CHECKING([whether OpenSSL has SSL session ID context set support]) + saved_libs="$LIBS" + + dnl Splice out -lsupp, since that library hasn't been built yet + LIBS=`echo "$LIBS" | sed -e 's/-lsupp//g'`; + LIBS="-lcrypto -lssl $LIBS" + + AC_TRY_LINK( + [ + #include + ], + [ + (void) SSL_SESSION_set1_id_context(NULL, NULL, 0); + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT, 1, [Define if your OpenSSL supports setting SSL session ID context]) + ], + [ + AC_MSG_RESULT(no) + ] + ) + LIBS="$saved_libs" + AC_MSG_CHECKING([whether OpenSSL has SSL session ticket callback support]) saved_libs="$LIBS" diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c index 5dbb8d187a..fc5140c8e8 100644 --- a/contrib/mod_tls.c +++ b/contrib/mod_tls.c @@ -16223,15 +16223,16 @@ static int tls_ssl_set_psks(SSL *ssl) { } static int tls_ssl_set_options(SSL *ssl) { - SSL_clear_options(ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); - SSL_clear_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); #if OPENSSL_VERSION_NUMBER > 0x009080cfL + SSL_clear_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); + /* The OpenSSL team realized that the flag added in 0.9.8l, the * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag, was a bad idea. * So in later versions, it was changed to a context flag, * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. */ + SSL_clear_options(ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); if (tls_opts & TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS) { int ssl_opts; @@ -16346,7 +16347,9 @@ static int tls_ssl_set_protocol(server_rec *s, SSL *ssl) { * This is more convoluted than it should be, because of the expression * of enabled protocol versions via OP_NO_ negations, and bitmasking. */ +#if OPENSSL_VERSION_NUMBER > 0x000908000L SSL_clear_options(ssl, all_proto|disabled_proto); +#endif SSL_set_options(ssl, disabled_proto); return 0; 
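Review bot: The `#if OPENSSL_VERSION_NUMBER > 0x009080cfL` guard that now encloses both SSL_clear_options() calls in tls_ssl_set_options() carries no explanation of what the threshold means, and the same magic number is repeated in the tls_ssl_set_all and tls_ctx_set_protocol hunks. A one-line comment at this first use, `/* SSL_clear_options()/SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m; older builds keep the options inherited from the SSL_CTX. */`, would save the next reader from decoding the version number, and a single named constant in the file would keep the four guards from drifting apart. Moving the renegotiation comment so that it sits directly above the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION line it describes, rather than between the two clear calls, would also read better. The remainder of tls_ssl_set_options() is outside the hunk.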
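Review bot: The guard added around `SSL_clear_options(ssl, all_proto|disabled_proto);` in tls_ssl_set_protocol() uses `0x000908000L`, a different and lower threshold than the `0x009080cfL` this same commit uses for the identical `SSL_CTX_clear_options()` call in tls_ctx_set_protocol() and for the SSL_clear_options() calls in tls_ssl_set_options(). Read as an OpenSSL MNNFFPPS version, `0x000908000L` is 0.9.8 at any patch level, so 0.9.8a through 0.9.8l builds would still compile this call even though, as far as I can tell, SSL_clear_options() only exists from 0.9.8m onward; it looks like a typo of the other constant. Suggest `#if OPENSSL_VERSION_NUMBER > 0x009080cfL` here so all guards agree. tls_ssl_set_protocol() begins outside the hunk.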
@@ -16422,6 +16425,7 @@ static int tls_ssl_set_session_id_context(server_rec *s, SSL *ssl) { sizeof(s->sid), ssl); SSL_set_session_id_context(ssl, (unsigned char *) &(s->sid), sizeof(s->sid)); +#if defined(PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT) sess = SSL_get_session(ssl); if (sess != NULL) { pr_trace_msg(trace_channel, 19, @@ -16430,6 +16434,7 @@ static int tls_ssl_set_session_id_context(server_rec *s, SSL *ssl) { SSL_SESSION_set1_id_context(sess, (unsigned char *) &(s->sid), sizeof(s->sid)); } +#endif return 0; } @@ -16675,11 +16680,13 @@ static int tls_ssl_set_all(server_rec *s, SSL *ssl) { return -1; } +#if OPENSSL_VERSION_NUMBER > 0x009080cfL /* Note that it is important that we update the SSL with the new SSL_CTX * AFTER it has been provisioned. That way, the new/changed certs in the * SSL_CTX will be properly copied/updated in the SSL object. */ ctx = SSL_set_SSL_CTX(ssl, ctx); +#endif if (ssl_ctx != NULL) { /* Try not to leak memory. */ @@ -17609,7 +17616,9 @@ static int tls_ctx_set_protocol(server_rec *s, SSL_CTX *ctx) { * This is more convoluted than it should be, because of the expression * of enabled protocol versions via OP_NO_ negations, and bitmasking. */ +#if OPENSSL_VERSION_NUMBER > 0x009080cfL SSL_CTX_clear_options(ctx, all_proto|disabled_proto); +#endif SSL_CTX_set_options(ctx, disabled_proto); return 0;
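Review bot: With `#if defined(PR_USE_OPENSSL_SSL_SESSION_SET1_ID_CONTEXT)` now enclosing the only use of `sess` in tls_ssl_set_session_id_context(), a build without that define will most likely get an unused-variable warning for `sess`, whose declaration appears to sit above the hunk; either wrap that declaration in the same `#if`, or declare it inside the guarded block as `SSL_SESSION *sess = SSL_get_session(ssl);`. The matching `#endif` is in the following hunk. A short comment on the `#if` stating that on such builds only the SSL-level ID context is updated and any session already attached to the SSL keeps its previous context would make the fallback explicit for whoever audits resumption isolation later.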
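Review bot: When `OPENSSL_VERSION_NUMBER <= 0x009080cfL`, the guard added around `ctx = SSL_set_SSL_CTX(ssl, ctx);` makes tls_ssl_set_all() skip attaching the freshly provisioned SSL_CTX to the SSL without any diagnostic, and from the visible lines the function seems to carry on and return success, so the per-session certificate and option setup performed earlier in the function (outside the hunk) silently has no effect on those builds. At minimum an `#else` branch should record this, e.g. `#else` / `pr_trace_msg(trace_channel, 3, "SSL_set_SSL_CTX() not available; SSL %p keeps its original SSL_CTX", ssl);` / `#endif`, and the `ssl_ctx != NULL` cleanup just below should be checked so the unattached `ctx` is not leaked on that path. SSL_set_SSL_CTX() itself predates 0.9.8l as far as I recall, so the threshold may be stricter than needed, though it does match the other guards in this commit.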