VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-06 11:06:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

merge r1702643 from trunk

Browse Source 
Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2015-09-30 11:42:54 +00:00
parent 5e6194b6f4
commit 181e083ddb
4 changed files with 16 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -2,6 +2,11 @@
Changes with Apache 2.4.17 Changes with Apache 2.4.17
*) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
*) mod_ssl: Add support for extracting the msUPN and dnsSRV forms *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment

4
docs/manual/mod/mod_ssl.xml
View File

@ -747,8 +747,8 @@ prefixes are:</p>
<title><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code> <title><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
ciphers are always disabled</title> ciphers are always disabled</title>
<p>Beginning with version 2.4.7, null and export-grade <p>Beginning with version 2.4.7, null and export-grade
ciphers are always disabled, as mod_ssl unconditionally prepends any supplied ciphers are always disabled, as mod_ssl unconditionally adds
cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p> <code>!aNULL:!eNULL:!EXP</code> to any cipher string at initialization.</p>
</note> </note>
<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers <p>A simpler way to look at all of this is to use the ``<code>openssl ciphers

9
modules/ssl/ssl_engine_config.c
View File

@ -709,7 +709,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
/* always disable null and export ciphers */ /* always disable null and export ciphers */
arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
if (cmd->path) { if (cmd->path) {
dc->szCipherSuite = arg; dc->szCipherSuite = arg;
@ -1421,7 +1421,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
/* always disable null and export ciphers */ /* always disable null and export ciphers */
arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
sc->proxy->auth.cipher_suite = arg; sc->proxy->auth.cipher_suite = arg;
@ -1877,6 +1877,11 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
return err; return err;
} }
if (strcEQ(arg1, "CipherString")) {
/* always disable null and export ciphers */
arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
}
param = apr_array_push(sc->server->ssl_ctx_param); param = apr_array_push(sc->server->ssl_ctx_param);
param->name = arg1; param->name = arg1;
param->value = arg2; param->value = arg2;

4
modules/ssl/ssl_engine_init.c
View File

@ -730,11 +730,11 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
* Configure SSL Cipher Suite. Always disable NULL and export ciphers, * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
* see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite(). * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
* OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f, * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
* and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so append them while we support
* earlier versions. * earlier versions.
*/ */
suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite : suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, apr_pstrcat(ptemp, SSL_DEFAULT_CIPHER_LIST, ":!aNULL:!eNULL:!EXP",
NULL); NULL);
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,