wrowe at rowe-clan
Aug 17, 2012, 2:59 PM
[Not sure what happened, but this didn't appear to make it to the list...]
Re: svn commit: r1370659 - /httpd/httpd/branches/2.2.x/STATUS
Folks, since enabling and disabling TLS v1.1 and v1.2 proved important in
mitigating the last OpenSSL vulnerability, I'd really like to get this fix in
and consider it a showstopper.
Could you please review my revisions and commentary, especially sf and kbrand,
who had raised the issues to address, and vote? I think I covered all of the
concerns adequately, and if we would like to enhance the now-deprecated toolkit
compat header, a later patch would be welcome but not necessary for this code.
We couldn't use the patch cleanly because we haven't dropped SSLv2 on the 2.2
branch, and that would be the sort of breaking behavior (dropping SSLv2) that
we normally reserve for the version major.minor bump.
Any eyeballs, esp. from the two of you, would be most appreciated! I would rather
not delay this T&R any later than lunchtime tomorrow.
On 8/7/2012 10:55 PM, wrowe [at] apache wrote:
> Author: wrowe
> Date: Wed Aug 8 03:55:43 2012
> New Revision: 1370659
> URL: http://svn.apache.org/viewvc?rev=1370659&view=rev
> sf, kbrand please re-review, picked up on your suggested changes in
> a newly revised patch.
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1370659&r1=1370658&r2=1370659&view=diff
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Wed Aug 8 03:55:43 2012
> @@ -179,20 +179,25 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
> Backport version for 2.2.x of the patches above:
> - http://people.apache.org/~wrowe/tls11-12-patch-2.2-kbrand-wrowe.patch
> + http://people.apache.org/~wrowe/tls11-12-patch-2.2-kbrand-wrowe.1.patch
> +1: wrowe,
> kbrand: might want to add a reference to PR 53114 in CHANGES.
> + [wrowe] agreed, changed in patch .1
> The #define HAVE_TLSV1_X stuff should go to ssl_toolkit_compat.h,
> + [wrowe] disagree, since that API was deprecated
> preferrably, and it would be good if mod_ssl.xml also includes
> the change to the section about the SSLProtocol directive
> (see r1222921).
> - -1: sf:
> + [wrowe] missed that, thanks, changed in patch .1
> + sf:
> - ssl_engine_init.c: misses two "ctx = SSL_CTX_new(method);" calls
> (or move the existing ones after the if blocks).
> + [wrowe] nice catch, later option is simpler, changed in patch .1
> - The handling of "SSLProtocol all -SSLv2" is broken,
> resulting in a "No SSL protocols available" error.
> This is due to the "thisopt = SSL_PROTOCOL_SSLV2" line being
> removed in the OPENSSL_NO_TLSEXT case.
> + [wrowe] fixed in patch .1 to gracefully accept -SSLv2
> * mod_ssl: Add RFC 5878 support. This allows support of mechanisms
> such as Certificate Transparency. Note that new
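Review bot: the `- -1: sf:` / `+ sf:` lines retract sf's -1 on the entry at the same time as the `[wrowe]` responses claim the two sf items are fixed in patch .1; since the veto is sf's, it would be cleaner to leave the `-1: sf:` line in place beside the responses and let sf clear it after re-reviewing the .1 patch, so STATUS does not show the backport as unvetoed before that re-review happens. Also, the `[wrowe] missed that, thanks, changed in patch .1` response sits after `(see r1222921).` and the removed vote line rather than directly under the mod_ssl.xml item it answers, and the `+1: wrowe,` vote line is unchanged although the patch URL it refers to moved from the original to the `.1` patch; a short note that the +1 applies to the .1 revision would make the tally unambiguous.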