mod_ssl: Disallow SSLOpenSSLConfCmd within vhost context since it

has global effect. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd): Disallow use within vhost context. PR: 69397 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68
apache · Oct 15, 2024 · fbf57b8 · fbf57b8
1 parent 584ed86
commit fbf57b8
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/changes-entries/pr69397.txt b/changes-entries/pr69397.txt
@@ -0,0 +1,2 @@
+  *) mod_ssl: Disallow use of "SSLOpenSSLConfCmd" in <VirtualHost>
+     context.  PR 69397.  [Joe Orton]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
@@ -2935,8 +2935,7 @@ forward secrecy.</p>
 <name>SSLOpenSSLConfCmd</name>
 <description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description>
 <syntax>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></syntax>
-<contextlist><context>server config</context>
-<context>virtual host</context></contextlist>
+<contextlist><context>server config</context></contextlist>
 <compatibility>Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later</compatibility>
 
 <usage>

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
@@ -2162,6 +2162,10 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
     const char *err;
     ssl_ctx_param_t *param;
 
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
     if (value_type == SSL_CONF_TYPE_UNKNOWN) {
         return apr_psprintf(cmd->pool,
                             "'%s': invalid OpenSSL configuration command",