Fix CAN-2004-0885:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite. Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105396 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2004-10-08 11:59:33 +00:00
parent 286975c0b4
commit 0e5aa595c2
3 changed files with 28 additions and 0 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -443,6 +443,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
     * Configure additional context ingredients
     */
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /* 
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
 }

 static void ssl_init_ctx_session_cache(server_rec *s,