From 63840edb440a2caaea46091afbc92a0ed72e7b5e Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Fri, 22 Apr 2022 13:04:51 +0000 Subject: ab: Allow for TLSv1.3 when the SSL library supports it. When TLS1_3_VERSION is defined by the SSL library, bump the maximum TLS protocol to that and use it for "-f ALL" or "-f TLSv1.3". This mixes proposed patches from BZ 63594 and 64699. BZ: 63594, 64699 Submitted by: abhilash Submitted by: xiaolongx.jiang intel.com Submitted & Reviewed by: ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900157 13f79535-47bb-0310-9956-ffa450edef68
---
 changes-entries/ab_tls13.txt | 2 ++
 support/ab.c | 84 +++++++++++++++++++++++++++++---------------
 2 files changed, 57 insertions(+), 29 deletions(-)
 create mode 100644 changes-entries/ab_tls13.txt
diff --git a/changes-entries/ab_tls13.txt b/changes-entries/ab_tls13.txt
new file mode 100644
index 0000000000..3b6a00f462
--- /dev/null
+++ b/changes-entries/ab_tls13.txt
@@ -0,0 +1,2 @@
+ *) ab: Allow for TLSv1.3 when the SSL library supports it.
+ [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
diff --git a/support/ab.c b/support/ab.c
index d7b6938849..d467ffa4a1 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -158,6 +158,14 @@
 #include "ap_config_auto.h"
 #endif
+#include
+#if APR_HAVE_CTYPE_H
+#include
+#endif
+#if APR_HAVE_LIMITS_H
+#include
+#endif
+
 #if defined(HAVE_OPENSSL)
 #include
@@ -168,6 +176,7 @@
 #include
 #include
 #define USE_SSL
+
 #define SK_NUM(x) sk_X509_num(x)
 #define SK_VALUE(x,y) sk_X509_value(x,y)
 typedef STACK_OF(X509) X509_STACK_TYPE;
@@ -180,9 +189,6 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #include
 #endif
-#endif
-
-#if defined(USE_SSL)
 #if (OPENSSL_VERSION_NUMBER >= 0x00909000)
 #define AB_SSL_METHOD_CONST const
 #else
@@ -199,6 +205,7 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
 #define HAVE_TLSEXT
 #endif
+
 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
@@ -207,15 +214,21 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #define SSL_CTX_set_max_proto_version(ctx, version) \
 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
 #endif
-#endif
-#include
-#if APR_HAVE_CTYPE_H
-#include
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#ifdef TLS1_3_VERSION
+#define MAX_SSL_PROTO TLS1_3_VERSION
+#else
+#define MAX_SSL_PROTO TLS1_2_VERSION
 #endif
-#if APR_HAVE_LIMITS_H
-#include
+#ifndef OPENSSL_NO_SSL3
+#define MIN_SSL_PROTO SSL3_VERSION
+#else
+#define MIN_SSL_PROTO TLS1_VERSION
 #endif
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
+#endif /* HAVE_OPENSSL */
 /* ------------------- DEFINITIONS -------------------------- */
@@ -2286,7 +2299,13 @@ static void usage(const char *progname)
 #endif
 #ifdef HAVE_TLSV1_X
+
+#ifdef TLS1_3_VERSION
+#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2, TLS1.3"
+#else
 #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2"
+#endif
+
 #else
 #define TLS1_X_HELP_MSG ""
 #endif
@@ -2418,17 +2437,13 @@ int main(int argc, const char * const argv[])
 apr_getopt_t *opt;
 const char *opt_arg;
 char c;
+#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- int max_prot = TLS1_2_VERSION;
-#ifndef OPENSSL_NO_SSL3
- int min_prot = SSL3_VERSION;
-#else
- int min_prot = TLS1_VERSION;
-#endif
+ int max_prot = MAX_SSL_PROTO;
+ int min_prot = MIN_SSL_PROTO;
 #endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */
-#ifdef USE_SSL
 AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
-#endif
+#endif /* USE_SSL */
 /* table defaults */
 tablestring = "";
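Review bot: MAX_SSL_PROTO and MIN_SSL_PROTO are introduced in the `@@ -207,15 +214,21 @@` hunk without a comment saying what they stand for, and since they now drive both the startup defaults (hunk at 2418) and `-f ALL` (hunk at 2687) this definition is where a reader will look. I would put `/* Widest protocol range ab negotiates on this SSL library: used for -f ALL and as the default */` above the `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` block. Note that picking TLS1_3_VERSION rests only on the constant being defined; whether the library can actually complete a TLS 1.3 handshake is not checked here, and I believe LibreSSL's OPENSSL_VERSION_NUMBER also satisfies the 1.1.0 test, so if a header defines the constant ahead of working support the fallback behaviour presumably lives outside this hunk and is worth confirming.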
@@ -2687,12 +2702,8 @@ int main(int argc, const char * const argv[])
 #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
 meth = TLS_client_method();
 if (strncasecmp(opt_arg, "ALL", 3) == 0) {
- max_prot = TLS1_2_VERSION;
-#ifndef OPENSSL_NO_SSL3
- min_prot = SSL3_VERSION;
-#else
- min_prot = TLS1_VERSION;
-#endif
+ max_prot = MAX_SSL_PROTO;
+ min_prot = MIN_SSL_PROTO;
 #ifndef OPENSSL_NO_SSL3
 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
 max_prot = SSL3_VERSION;
@@ -2704,6 +2715,11 @@ int main(int argc, const char * const argv[])
 } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
 max_prot = TLS1_2_VERSION;
 min_prot = TLS1_2_VERSION;
+#ifdef TLS1_3_VERSION
+ } else if (strncasecmp(opt_arg, "TLS1.3", 6) == 0) {
+ max_prot = TLS1_3_VERSION;
+ min_prot = TLS1_3_VERSION;
+#endif
 } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
 max_prot = TLS1_VERSION;
 min_prot = TLS1_VERSION;
@@ -2715,7 +2731,7 @@ int main(int argc, const char * const argv[])
 tls_use_sni = 0;
 break;
 #endif
-#endif
+#endif /* USE_SSL */
 }
 }
@@ -2797,13 +2813,23 @@ int main(int argc, const char * const argv[])
 /* Keep memory usage as low as possible */
 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+
 if (ssl_cipher != NULL) {
- if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
- fprintf(stderr, "error setting cipher list [%s]\n", ssl_cipher);
- ERR_print_errors_fp(stderr);
- exit(1);
- }
+ int ok;
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && defined(TLS1_3_VERSION)
+ if (min_prot >= TLS1_3_VERSION)
+ ok = SSL_CTX_set_ciphersuites(ssl_ctx, ssl_cipher);
+ else
+#endif
+ ok = SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher);
+ if (!ok) {
+ BIO_printf(bio_err, "error setting ciphersuite list [%s]\n",
+ ssl_cipher);
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
 }
+
 if (verbosity >= 3) {
 SSL_CTX_set_info_callback(ssl_ctx, ssl_state_cb);
 }
-- cgit v1.2.1
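Review bot: The new branch in the `@@ -2704,6 +2715,11 @@` hunk only accepts the spelling `TLS1.3` (prefix-matched like its neighbours), whereas the commit message advertises `-f TLSv1.3`; that spelling matches neither this branch nor the `TLS1` test below it, so it presumably falls to the chain's final else outside the hunk instead of selecting TLS 1.3. The message and the usage text in the hunk at 2286 should agree on one spelling. The branch's position ahead of the `TLS1` test is load-bearing, because `strncasecmp(opt_arg, "TLS1", 4)` would otherwise swallow `TLS1.3` and silently pin TLS 1.0; a one-line `/* must precede the "TLS1" prefix match below */` on the `#ifdef TLS1_3_VERSION` line would protect it from reordering. The enclosing switch in main() starts and ends outside the hunk.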
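Review bot: In the `@@ -2797,13 +2813,23 @@` hunk the `min_prot >= TLS1_3_VERSION` test routes `-Z` to SSL_CTX_set_ciphersuites only when the version is pinned with `-f TLS1.3`; with `-f ALL` (or the MAX_SSL_PROTO/MIN_SSL_PROTO defaults from the hunk at 2418) min_prot is below TLS 1.3, the string goes to SSL_CTX_set_cipher_list alone, and a handshake that ends up on TLS 1.3 runs on the library's default TLS 1.3 suites rather than the ones the user asked for. For a measurement that relies on `-Z` to pin the suite that is a silent divergence, and since one string cannot serve both APIs it should at least be documented: `/* -Z selects TLS 1.3 suites only when -f TLS1.3 pins the version; with -f ALL a TLS 1.3 handshake keeps the library's default suites */`. The `else` that carries across the `#endif` into the unconditional SSL_CTX_set_cipher_list call is correct but brittle; braces on both arms would make the dependency on the preprocessor guard visible. main() continues outside the hunk.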