Append :!aNULL:!eNULL:!EXP to the cipher string settings,

instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7 and later). Enables support for configuring the SUITEB* cipher strings introduced in OpenSSL 1.0.2. PR 58213. Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1702643 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2015-09-12 15:33:28 +00:00
parent fa96de5f32
commit 0a30649059
4 changed files with 16 additions and 6 deletions
--- a/5
+++ b/5
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.0

+  *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
+     instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
+     and later). Enables support for configuring the SUITEB* cipher
+     strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
+
  *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
     loaded. [Eric Covener]

--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -742,8 +742,8 @@ prefixes are:</p>
 <title><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
 ciphers are always disabled</title>
 <p>Beginning with version 2.4.7, null and export-grade
-ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
-cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p>
+ciphers are always disabled, as mod_ssl unconditionally adds
+<code>!aNULL:!eNULL:!EXP</code> to any cipher string at initialization.</p>
 </note>

 <p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -671,7 +671,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;

    /* always disable null and export ciphers */
-    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);

    if (cmd->path) {
        dc->szCipherSuite = arg;
@@ -1394,7 +1394,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    /* always disable null and export ciphers */
-    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);

    sc->proxy->auth.cipher_suite = arg;

@@ -1850,6 +1850,11 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
            return err;
    }

+    if (strcEQ(arg1, "CipherString")) {
+        /* always disable null and export ciphers */
+        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+    }
+
    param = apr_array_push(sc->server->ssl_ctx_param);
    param->name = arg1;
    param->value = arg2;
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -768,11 +768,11 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
     *  Configure SSL Cipher Suite. Always disable NULL and export ciphers,
     *  see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
-     *  and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+     *  and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so append them while we support
     *  earlier versions.
     */
    suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
-            apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+            apr_pstrcat(ptemp, SSL_DEFAULT_CIPHER_LIST, ":!aNULL:!eNULL:!EXP",
                        NULL);

    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,