Guard use of SSLv3*method. Die if SSLv3 forced in conf but unavail.

Fixes "undefined symbol" errors at dlopen time. Reported by Pedro de Oliveira, ok sthen@
2015-09-07 06:32:04 +00:00 · 2015-09-07 06:32:04 +00:00 · 805dbb689d
commit 805dbb689d
parent cceceb3585
2 changed files with 25 additions and 2 deletions
--- a/www/apache-httpd/Makefile
+++ b/www/apache-httpd/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.63 2015/07/18 20:01:13 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.64 2015/09/07 06:32:04 jca Exp $

 COMMENT-main=		apache HTTP server
 COMMENT-common=		shared files for Apache 1 and 2
@ -11,7 +11,7 @@ PKGNAME-main=		${PKGNAME}
 FULLPKGNAME-common=	apache-httpd-common-${V}
 FULLPKGPATH-common=	www/apache-httpd,-common

-REVISION-main=		1
+REVISION-main=		2

 CATEGORIES=		www net

--- a/www/apache-httpd/patches/patch-modules_ssl_ssl_engine_init_c
+++ b/www/apache-httpd/patches/patch-modules_ssl_ssl_engine_init_c
@ -0,0 +1,23 @@
+$OpenBSD: patch-modules_ssl_ssl_engine_init_c,v 1.6 2015/09/07 06:32:04 jca Exp $
+
+Don't attempt to use SSLv3_(client|server)_method, bail out if SSLv3 is
+the only protocol requested.
+
+--- modules/ssl/ssl_engine_init.c.orig	Sun Sep  6 15:23:52 2015
+++ modules/ssl/ssl_engine_init.c	Sun Sep  6 15:57:35 2015
+@@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
+                  "Creating new SSL context (protocols: %s)", cp);
+ 
+     if (protocol == SSL_PROTOCOL_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
+         method = mctx->pkp ?
+             SSLv3_client_method() : /* proxy */
+             SSLv3_server_method();  /* server */
+#else
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+            "SSLv3 protocol not available");
+        return ssl_die(s);
+#endif
+     }
+     else if (protocol == SSL_PROTOCOL_TLSV1) {
+         method = mctx->pkp ?