Fix CAN-2004-0885:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite. Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105396 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2004-10-08 11:59:33 +00:00
parent 286975c0b4
commit 0e5aa595c2
3 changed files with 28 additions and 0 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -733,6 +733,21 @@ int ssl_hook_Access(request_rec *r)
                X509_free(peercert);
            }
        }
+        
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected.
+         */
+        if (cipher_list) {
+            cipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                             "SSL cipher suite not renegotiated: "
+                             "access to %s denied using cipher %s",
+                              r->filename,
+                              SSL_CIPHER_get_name(cipher));
+                return HTTP_FORBIDDEN;
+            }
+        }
    }

    /*