
Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527291 13f79535-47bb-0310-9956-ffa450edef68
Kaspar Brand
2013-09-29 09:36:31 +00:00
parent df246e149e
commit 056e10bb4f
3 changed files with 11 additions and 20 deletions


@@ -668,11 +668,12 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
/*
* Configure SSL Cipher Suite. Always disable NULL and export ciphers,
* no matter what SSLCipherSuite directive is appearing in the config.
* see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
* OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
* so only prepend !EXP in this case.
*/
suite = apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", mctx->auth.cipher_suite ?
mctx->auth.cipher_suite : SSL_DEFAULT_CIPHER_LIST,
NULL);
suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"Configuring permitted SSL ciphers [%s]",