diff options
| author | Joe Orton <jorton@apache.org> | 2024-10-15 16:30:19 +0200 |
|---|---|---|
| committer | Joe Orton <jorton@apache.org> | 2024-10-15 16:30:19 +0200 |
| commit | fbf57b8bef3b66f817144b655cac7ac3ca463deb (patch) | |
| tree | 3dc01db4b5a863b0bfc2db87f340b57813ec3d03 | |
| parent | CI: Use the image version in the cache keys. This is likely a simpler (diff) | |
| download | apache2-fbf57b8bef3b66f817144b655cac7ac3ca463deb.tar.xz apache2-fbf57b8bef3b66f817144b655cac7ac3ca463deb.zip | |
mod_ssl: Disallow SSLOpenSSLConfCmd within vhost context since it
has global effect.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd):
Disallow use within vhost context.
PR: 69397
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | changes-entries/pr69397.txt | 2 | ||||
| -rw-r--r-- | docs/manual/mod/mod_ssl.xml | 3 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_config.c | 4 |
3 files changed, 7 insertions, 2 deletions
diff --git a/changes-entries/pr69397.txt b/changes-entries/pr69397.txt new file mode 100644 index 0000000000..32ae57e1f2 --- /dev/null +++ b/changes-entries/pr69397.txt @@ -0,0 +1,2 @@ + *) mod_ssl: Disallow use of "SSLOpenSSLConfCmd" in <VirtualHost> + context. PR 69397. [Joe Orton] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index b28ec9df4b..3bc2063da8 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2935,8 +2935,7 @@ forward secrecy.</p> <name>SSLOpenSSLConfCmd</name> <description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description> <syntax>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></syntax> -<contextlist><context>server config</context> -<context>virtual host</context></contextlist> +<contextlist><context>server config</context></contextlist> <compatibility>Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later</compatibility> <usage> diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 43593d799c..a9e98b9c5b 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -2162,6 +2162,10 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *err; ssl_ctx_param_t *param; + if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + return err; + } + if (value_type == SSL_CONF_TYPE_UNKNOWN) { return apr_psprintf(cmd->pool, "'%s': invalid OpenSSL configuration command", |