mirror of
https://github.com/apache/httpd.git
synced 2025-08-08 15:02:10 +03:00
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite. Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105396 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
5
CHANGES
5
CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev
|
|||||||
|
|
||||||
[Remove entries to the current 2.0 section below, when backported]
|
[Remove entries to the current 2.0 section below, when backported]
|
||||||
|
|
||||||
|
*) SECURITY: CAN-2004-0885 (cve.mitre.org)
|
||||||
|
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
|
||||||
|
bypassed during an SSL renegotiation. PR 31505.
|
||||||
|
[Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
|
||||||
|
|
||||||
*) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
|
*) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
|
||||||
library handles special characters. PR 24437 [Jess Holle]
|
library handles special characters. PR 24437 [Jess Holle]
|
||||||
|
|
||||||
|
|||||||
@@ -443,6 +443,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
|
|||||||
* Configure additional context ingredients
|
* Configure additional context ingredients
|
||||||
*/
|
*/
|
||||||
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
|
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
|
||||||
|
|
||||||
|
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
|
||||||
|
/*
|
||||||
|
* Disallow a session from being resumed during a renegotiation,
|
||||||
|
* so that an acceptable cipher suite can be negotiated.
|
||||||
|
*/
|
||||||
|
SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
static void ssl_init_ctx_session_cache(server_rec *s,
|
static void ssl_init_ctx_session_cache(server_rec *s,
|
||||||
|
|||||||
@@ -733,6 +733,21 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
X509_free(peercert);
|
X509_free(peercert);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Also check that SSLCipherSuite has been enforced as expected.
|
||||||
|
*/
|
||||||
|
if (cipher_list) {
|
||||||
|
cipher = SSL_get_current_cipher(ssl);
|
||||||
|
if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
|
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
||||||
|
"SSL cipher suite not renegotiated: "
|
||||||
|
"access to %s denied using cipher %s",
|
||||||
|
r->filename,
|
||||||
|
SSL_CIPHER_get_name(cipher));
|
||||||
|
return HTTP_FORBIDDEN;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
Reference in New Issue
Block a user