diff options
author | William A. Rowe Jr <wrowe@apache.org> | 2005-08-29 19:57:26 +0000 |
---|---|---|
committer | William A. Rowe Jr <wrowe@apache.org> | 2005-08-29 19:57:26 +0000 |
commit | 2a33727b397add3e766ffede4ace67423da9ddbf (patch) | |
tree | 68c4f5970f5d300757ef78a82a93f9630fe3f2cb | |
parent | decaaf6ca57ed8dac02c65a60b22149a55406d0b (diff) | |
download | httpd-fips-dev.tar.gz |
While eliminating all but TLSv1 (the only FIPS-complient handshakingfips-dev
mechansim), I noticed that we have several other single-case methods
similar to the SSLv2 exception; use the explicit method in preference
to the generic SSLv23_client|server_method() calls if exactly one
method is supported.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev@264620 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 2e7993986f..78d4162a28 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -446,14 +446,23 @@ static void ssl_init_ctx_protocol(server_rec *s, method = mctx->pkp ? SSLv2_client_method() : /* proxy */ SSLv2_server_method(); /* server */ - ctx = SSL_CTX_new(method); /* only SSLv2 is left */ } - else { + else if (protocol == SSL_PROTOCOL_SSLV3) { + method = mctx->pkp ? + SSLv3_client_method() : /* proxy */ + SSLv3_server_method(); /* server */ + } + else if (protocol == SSL_PROTOCOL_TLSV1) { + method = mctx->pkp ? + TLSv1_client_method() : /* proxy */ + TLSv1_server_method(); /* server */ + } + else { /* For multiple protocols, we need a flexible method */ method = mctx->pkp ? SSLv23_client_method() : /* proxy */ SSLv23_server_method(); /* server */ - ctx = SSL_CTX_new(method); /* be more flexible */ } + ctx = SSL_CTX_new(method); mctx->ssl_ctx = ctx; |