| author | Joe Orton <jorton@apache.org> | 2020-05-07 10:34:12 +0000 |
|---|---|---|
| committer | Joe Orton <jorton@apache.org> | 2020-05-07 10:34:12 +0000 |
| commit | c2321e5b8fa6792662deaaeb05f1c24bd71503eb (patch) | |
| tree | 06e7a8d645cef674661d88e8df38ebd4a90a34cb /CHANGES | |
| parent | e9945c13eee5c0a51eceb44665894fed0db4d354 (diff) | |
| download | httpd-c2321e5b8fa6792662deaaeb05f1c24bd71503eb.tar.gz | |
mod_ssl: Drop SSLRandomSeed implementation with OpenSSL 1.1.1.
Require that OpenSSL is configured with a suitable entropy source,
or fail startup otherwise.
* modules/ssl/ssl_private.h:
Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1.
(SSLModConfigRec): Only define pid, aRandSeed for <1.1.1.
(ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND.
* modules/ssl/ssl_engine_init.c (ssl_init_Module):
Only initialize mc->pid for MODSSL_USE_SSLRAND.
Fail if RAND_status() returns zero.
(ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND.
* modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND.
(ssl_rand_seed): Drop warning if PRNG not seeded (now a startup
error as above).
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop
aRandSeed initialization. (ssl_cmd_SSLRandomSeed): Log a warning if
used w/!MODSSL_USE_SSLRAND.
Github: closes #123
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877467 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'CHANGES')

| -rw-r--r-- | CHANGES | 4 |
|---|---|---|

1 files changed, 4 insertions, 0 deletions
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: With OpenSSL 1.1.1 and later, SSLRandomSeed is now + ignored. OpenSSL must be configured with a suitable entropy + source, or mod_ssl will fail to start up. [Joe Orton] + *) mod_ssl: With OpenSSL 1.1.1 and later, client-initiated renegotiation in TLSv1.2 and earlier is blocked at SSL library level (with a TLS warning alert sent), rather than by aborting |
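Review bot: The new CHANGES entry in this hunk says only that SSLRandomSeed is "now ignored" with OpenSSL 1.1.1 and later, but the commit message states two further user-visible behaviours that the entry leaves out: ssl_cmd_SSLRandomSeed logs a warning when the directive is present without MODSSL_USE_SSLRAND, and startup fails specifically when RAND_status() returns zero. Suggest adding both so administrators know what to expect, along the lines of "SSLRandomSeed is now ignored (a warning is logged if it is configured); mod_ssl fails to start if OpenSSL reports its PRNG is not seeded (RAND_status() returns zero)". Wording the failure condition in terms of RAND_status() also makes "suitable entropy source" concrete, since that is the check the new ssl_init_Module code performs.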