diff options
author | Rob Crittenden <rcritten@redhat.com> | 2014-11-06 16:44:20 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2014-11-12 11:35:06 -0500 |
commit | f8b6ab7dab90e92537de3cddc01d915d31bb87fc (patch) | |
tree | e36414fa4a54c121e2ffdcadc7783f1472549255 /nss_engine_init.c | |
parent | b5d1505fc81a33aa10d013efd247d00f631fc681 (diff) | |
download | mod_nss-f8b6ab7dab90e92537de3cddc01d915d31bb87fc.tar.gz mod_nss-f8b6ab7dab90e92537de3cddc01d915d31bb87fc.tar.xz mod_nss-f8b6ab7dab90e92537de3cddc01d915d31bb87fc.zip |
Completely remove support for SSLv2
Diffstat (limited to 'nss_engine_init.c')
-rw-r--r-- | nss_engine_init.c | 49 |
1 files changed, 12 insertions, 37 deletions
diff --git a/nss_engine_init.c b/nss_engine_init.c index 50b623d..4259cfb 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -36,13 +36,6 @@ char* INTERNAL_TOKEN_NAME = "internal "; cipher_properties ciphers_def[ciphernum] = { - /* SSL2 cipher suites */ - {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2}, - {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2}, - {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2}, - {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2}, - {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2}, - {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2}, /* SSL3/TLS cipher suites */ {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS}, {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS}, @@ -338,8 +331,14 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, /* * Fix up any global settings that aren't in the configuration */ - if (mc->session_cache_timeout == UNSET) { - mc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT; + if (mc->session_cache_timeout != UNSET) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, + "NSSSessionCacheTimeout is deprecated. Ignoring."); + + /* We still need to pass in a legal value to + * SSL_ConfigMPServerSIDCache() and SSL_ConfigServerSessionIDCache() + * / + mc->session_cache_timeout = 0; /* use NSS default */ } if (mc->ssl3_session_cache_timeout == UNSET) { @@ -509,7 +508,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1); ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, - "Initializing SSL Session Cache of size %d. SSL2 timeout = %d, SSL3/TLS timeout = %d.", mc->session_cache_size, mc->session_cache_timeout, mc->ssl3_session_cache_timeout); + "Initializing SSL Session Cache of size %d. SSL3/TLS timeout = %d.", mc->session_cache_size, mc->ssl3_session_cache_timeout); ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded); if (!threaded) SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL); @@ -621,13 +620,13 @@ static void nss_init_ctx_protocol(server_rec *s, apr_pool_t *ptemp, modnss_ctx_t *mctx) { - int ssl2, ssl3, tls, tls1_1, tls1_2; + int ssl3, tls, tls1_1, tls1_2; char *protocol_marker = NULL; char *lprotocols = NULL; SECStatus stat; SSLVersionRange enabledVersions; - ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 0; + ssl3 = tls = tls1_1 = tls1_2 = 0; /* * Since this routine will be invoked individually for every thread @@ -659,11 +658,7 @@ static void nss_init_ctx_protocol(server_rec *s, ap_str_tolower(lprotocols); if (strstr(lprotocols, "all") != NULL) { -#ifdef WANT_SSL2 - ssl2 = ssl3 = tls = tls1_1 = tls1_2 = 1; -#else ssl3 = tls = tls1_1 = tls1_2 = 1; -#endif } else { char *protocol_list = NULL; char *saveptr = NULL; @@ -674,16 +669,9 @@ static void nss_init_ctx_protocol(server_rec *s, if (token == NULL) { break; } else if (strcmp(token, "sslv2") == 0) { -#ifdef WANT_SSL2 - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - "%s: Enabling SSL2", - protocol_marker); - ssl2 = 1; -#else ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "%s: SSL2 is not supported", protocol_marker); -#endif } else if (strcmp(token, "sslv3") == 0) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s: Enabling SSL3", @@ -725,11 +713,7 @@ static void nss_init_ctx_protocol(server_rec *s, stat = SECSuccess; - if (ssl2 == 1) { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_TRUE); - } else { - stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE); - } + stat = SSL_OptionSet(mctx->model, SSL_ENABLE_SSL2, PR_FALSE); /* Set protocol version ranges: * @@ -826,7 +810,6 @@ static void nss_init_ctx_protocol(server_rec *s, nss_die(); } - mctx->ssl2 = ssl2; mctx->ssl3 = ssl3; mctx->tls = tls || tls1_1 || tls1_2; } @@ -1042,14 +1025,6 @@ static void nss_init_ctx_cipher_suite(server_rec *s, } } - /* See if any ciphers have been enabled for a given protocol */ - if (mctx->ssl2 && countciphers(cipher_state, SSL2) == 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "%s: SSL2 is enabled but no SSL2 ciphers are enabled.", - cipher_suite_marker); - nss_die(); - } - if (mctx->ssl3 && countciphers(cipher_state, SSL3) == 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "%s: SSL3 is enabled but no SSL3 ciphers are enabled.", |