
Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527291 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2013-09-29 09:36:31 +00:00
parent df246e149e
commit 056e10bb4f
3 changed files with 11 additions and 20 deletions


@@ -651,6 +651,9 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
/* always disable null and export ciphers */
arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
if (cmd->path) { if (cmd->path) {
dc->szCipherSuite = arg; dc->szCipherSuite = arg;
} }
@@ -1397,6 +1400,9 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
{ {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
/* always disable null and export ciphers */
arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
sc->proxy->auth.cipher_suite = arg; sc->proxy->auth.cipher_suite = arg;
return NULL; return NULL;
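Review bot: The literal `"!aNULL:!eNULL:!EXP:"` is now duplicated verbatim in ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite (with a related `"!EXP:"` prefix in ssl_engine_init.c), so a later change to the always-banned set can silently diverge between the server, per-directory and proxy paths; one shared macro in ssl_private.h used at all three sites (a constructed name such as `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"`) would keep them in lockstep. Prepending rather than appending is the right choice and deserves a sentence in the comment, because OpenSSL's `!` operator removes a cipher permanently so that nothing later in the administrator-supplied string can re-enable it: `/* always disable null and export ciphers; '!' is permanent, so a later token in arg cannot re-add them */`. Both ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite continue outside their hunks.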


@@ -668,11 +668,12 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
/* /*
* Configure SSL Cipher Suite. Always disable NULL and export ciphers, * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
* no matter what SSLCipherSuite directive is appearing in the config. * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
* OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
* so only prepend !EXP in this case.
*/ */
suite = apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", mctx->auth.cipher_suite ? suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
mctx->auth.cipher_suite : SSL_DEFAULT_CIPHER_LIST, apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
NULL);
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"Configuring permitted SSL ciphers [%s]", "Configuring permitted SSL ciphers [%s]",
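Review bot: The default-list branch of the rewritten `suite =` assignment now relies on OpenSSL's `SSL_DEFAULT_CIPHER_LIST` to carry `!aNULL:!eNULL`, which ties httpd's null-cipher policy to whichever OpenSSL release it happens to be built against; that macro's contents have differed between releases, and a repeated `!` rule is a no-op, so keeping the full prefix here costs nothing and keeps the guarantee local: `apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);`. The comment's sentence about SSL_DEFAULT_CIPHER_LIST could then be dropped, leaving the cross-reference to ssl_cmd_SSLCipherSuite(). It is also worth stating in the comment that the configured branch is now enforced only by the directive handlers, so any other writer of `mctx->auth.cipher_suite` would bypass the ban. ssl_init_ctx_cipher_suite starts and ends outside the hunk.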


@@ -312,22 +312,6 @@ typedef int ssl_algo_t;
#define SSL_AIDX_MAX (2) #define SSL_AIDX_MAX (2)
#endif #endif
/**
* Define IDs for the temporary RSA keys and DH params
*/
#define SSL_TMP_KEY_RSA_512 (0)
#define SSL_TMP_KEY_RSA_1024 (1)
#define SSL_TMP_KEY_DH_512 (2)
#define SSL_TMP_KEY_DH_1024 (3)
#ifndef OPENSSL_NO_EC
#define SSL_TMP_KEY_EC_256 (4)
#define SSL_TMP_KEY_MAX (5)
#else
#define SSL_TMP_KEY_MAX (4)
#endif
/** /**
* Define the SSL options * Define the SSL options
*/ */