1 Patch origin: in-house |
|
2 Patch status: unclear; so far they disable it just in configuration file |
|
3 |
|
4 https://bz.apache.org/bugzilla/show_bug.cgi?id=57120 |
|
5 |
|
6 --- modules/ssl/ssl_private.h |
|
7 +++ modules/ssl/ssl_private.h |
|
8 @@ -244,9 +244,9 @@ |
|
9 #define SSL_PROTOCOL_SSLV3 (1<<1) |
|
10 #define SSL_PROTOCOL_TLSV1 (1<<2) |
|
11 #ifdef OPENSSL_NO_SSL2 |
|
12 -#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1 |
|
13 +#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1 |
|
14 #else |
|
15 -#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1 |
|
16 +#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1 |
|
17 #endif |
|
18 #ifdef HAVE_TLSV1_X |
|
19 #define SSL_PROTOCOL_TLSV1_1 (1<<3) |
|
20 --- docs/manual/mod/mod_ssl.html.en |
|
21 +++ docs/manual/mod/mod_ssl.html.en |
|
22 @@ -1082,8 +1082,8 @@ |
|
23 <p> |
|
24 This is the Secure Sockets Layer (SSL) protocol, version 3.0, from |
|
25 the Netscape Corporation. |
|
26 - It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by |
|
27 - almost all popular browsers.</p></li> |
|
28 + It is the successor to SSLv2 and the predecessor to TLSv1. Though its |
|
29 + use has been deprecated, because of weaknesses in the security of the protocol.</p></li> |
|
30 |
|
31 <li><code>TLSv1</code> |
|
32 <p> |
|
33 @@ -1103,13 +1103,11 @@ |
|
34 |
|
35 <li><code>All</code> |
|
36 <p> |
|
37 - This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or |
|
38 - - when using OpenSSL 1.0.1 and later - |
|
39 - ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li> |
|
40 + This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li> |
|
41 </ul> |
|
42 <div class="example"><h3>Example</h3><p><code> |
|
43 # enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br /> |
|
44 -SSLProtocol All -SSLv2 |
|
45 +SSLProtocol All +SSLv3 |
|
46 </code></p></div> |
|
47 |
|
48 </div> |
|