From 352d92c698802e57b4bb5d8be0c85ab6ec7d46b3 Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Thu, 29 Mar 2018 14:10:12 +0000 Subject: [PATCH] On the trunk: mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 +- docs/manual/mod/mod_ssl.xml | 30 +++++++-- modules/ssl/mod_ssl.c | 20 ++---- modules/ssl/ssl_engine_config.c | 115 ++++++++++++++++++-------------- modules/ssl/ssl_engine_init.c | 4 +- modules/ssl/ssl_engine_kernel.c | 6 +- modules/ssl/ssl_policies.h | 9 ++- modules/ssl/ssl_private.h | 8 +-- modules/ssl/update_policies.py | 4 +- 9 files changed, 112 insertions(+), 89 deletions(-) diff --git a/CHANGES b/CHANGES index 672d5b4b9d..8e64e1a875 100644 --- a/CHANGES +++ b/CHANGES @@ -2,9 +2,8 @@ Changes with Apache 2.5.1 *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may - need more sugar). Added configuration directives for TLSv1.3 cipher suites (which - are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity - to find a better name. + need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the + protocol the ciphers are for. [Stefan Eissing] *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard). diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index a5a4172f69..5ad451e524 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -650,6 +650,11 @@ The available (case-insensitive) protocols are:

A revision of the TLS 1.1 protocol, as defined in RFC 5246.

+
  • TLSv1.3 (when using OpenSSL 1.1.1 and later) +

    + A new version of the TLS protocol, as defined in + RFC TBD.

  • +
  • all

    This is a shortcut for ``+SSLv3 +TLSv1'' or @@ -670,7 +675,7 @@ SSLProtocol TLSv1 SSLCipherSuite Cipher Suite available for negotiation in SSL handshake -SSLCipherSuite cipher-spec +SSLCipherSuite [protocol] cipher-spec SSLCipherSuite DEFAULT (depends on OpenSSL version) server config virtual host @@ -682,12 +687,25 @@ handshake

    This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the -client is permitted to negotiate in the SSL handshake phase. Notice that this -directive can be used both in per-server and per-directory context. In -per-server context it applies to the standard SSL handshake when a connection +client is permitted to negotiate in the SSL handshake phase. The optional +protocol specifier can configure the Cipher Suite for a specific SSL version. +Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2. +

    +Notice that this +directive can be used both in per-server and per-directory context. +In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP -response is sent.

    +response is sent. (Since renegotiation is not

    +

    +If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol +specifier "TLSv1.3" can be used to configure the cipher suites for that protocol. +Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in +a directory context is not allowed.

    +

    +For a list of TLSv1.3 cipher names, see +the OpenSSL +documentation.

    An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones:

    @@ -2071,7 +2089,7 @@ for additional information. SSLProxyCipherSuite Cipher Suite available for negotiation in SSL proxy handshake -SSLProxyCipherSuite cipher-spec +SSLProxyCipherSuite [protocol] cipher-spec SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP server config virtual host proxy section diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index f8caebd889..5e7c165e1e 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -97,14 +97,9 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_SRV(FIPS, FLAG, "Enable FIPS-140 mode " "(`on', `off')") - SSL_CMD_ALL(CipherSuite, TAKE1, - "Colon-delimited list of permitted SSL Ciphers " - "('XXX:...:XXX' - see manual)") -#ifdef SSL_OP_NO_TLSv1_3 - SSL_CMD_SRV(CipherSuiteV1_3, TAKE1, - "Colon-delimited list of permitted TLSv1.3 Ciphers " - "('XXX:...:XXX' - see manual)") -#endif + SSL_CMD_ALL(CipherSuite, TAKE12, + "Colon-delimited list of permitted SSL Ciphers, optional preceeded " + "by protocol identifier ('XXX:...:XXX' - see manual)") SSL_CMD_SRV(CertificateFile, TAKE1, "SSL Server Certificate file " "('/path/to/file' - PEM or DER encoded)") @@ -194,14 +189,9 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_PXY(ProxyProtocol, RAW_ARGS, "SSL Proxy: enable or disable SSL protocol flavors " "('[+-][" SSL_PROTOCOLS "] ...' - see manual)") - SSL_CMD_PXY(ProxyCipherSuite, TAKE1, + SSL_CMD_PXY(ProxyCipherSuite, TAKE12, "SSL Proxy: colon-delimited list of permitted SSL ciphers " - "('XXX:...:XXX' - see manual)") -#ifdef SSL_OP_NO_TLSv1_3 - SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1, - "SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers " - "('XXX:...:XXX' - see manual)") -#endif + ", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)") SSL_CMD_PXY(ProxyVerify, TAKE1, "SSL Proxy: whether to verify the remote certificate " "('on' or 'off')") 
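Review bot: The new description strings for `CipherSuite` and `ProxyCipherSuite` misspell "preceded" as "preceeded", and the first one reads "optional preceeded" where "optionally preceded" is meant. Both entries are now `TAKE12`, yet the usage hint still reads `('XXX:...:XXX' - see manual)`, which does not show the new protocol argument; `"('[protocol] XXX:...:XXX' - see manual)"` would match the syntax the manual now documents. The same two points apply to the `SSL_CMD_PXY(ProxyCipherSuite, TAKE12, ...)` hunk at -194,14. The `ssl_config_cmds[]` table starts and ends outside both hunks.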
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 83545b9369..c6ff191b56 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -140,7 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) mctx->auth.cipher_suite = NULL; mctx->auth.verify_depth = UNSET; mctx->auth.verify_mode = SSL_CVERIFY_UNSET; - mctx->auth.cipher_suite_tlsv1_3 = NULL; + mctx->auth.tls13_ciphers = NULL; mctx->ocsp_mask = UNSET; mctx->ocsp_force_default = UNSET; @@ -285,7 +285,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, cfgMergeString(auth.cipher_suite); cfgMergeInt(auth.verify_depth); cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET); - cfgMergeString(auth.cipher_suite_tlsv1_3); + cfgMergeString(auth.tls13_ciphers); cfgMergeInt(ocsp_mask); cfgMergeBool(ocsp_force_default); @@ -501,7 +501,7 @@ void ssl_config_proxy_merge(apr_pool_t *p, */ static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name, - int protocols, const char *ciphers, + int protocols, const char *ssl_ciphers, const char *tls13_ciphers, int honor_order, int compression, int session_tickets) { SSLPolicyRec *policy; @@ -510,13 +510,15 @@ static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name, policy->name = name; policy->sc = ssl_config_server_new(p); - if (protocols || ciphers) { + if (protocols) { policy->sc->server->protocol_set = 1; policy->sc->server->protocol = protocols; } - - if (ciphers) { - policy->sc->server->auth.cipher_suite = ciphers; + if (ssl_ciphers) { + policy->sc->server->auth.cipher_suite = ssl_ciphers; + } + if (tls13_ciphers) { + policy->sc->server->auth.tls13_ciphers = tls13_ciphers; } #ifndef OPENSSL_NO_COMP 
@@ -542,7 +544,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create) #if SSL_POLICY_MODERN add_policy(policies, p, "modern", SSL_POLICY_MODERN_PROTOCOLS, - SSL_POLICY_MODERN_CIPHERS, + SSL_POLICY_MODERN_SSL_CIPHERS, + SSL_POLICY_MODERN_TLS13_CIPHERS, SSL_POLICY_HONOR_ORDER, SSL_POLICY_COMPRESSION, SSL_POLICY_SESSION_TICKETS); @@ -550,7 +553,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create) #if SSL_POLICY_INTERMEDIATE add_policy(policies, p, "intermediate", SSL_POLICY_INTERMEDIATE_PROTOCOLS, - SSL_POLICY_INTERMEDIATE_CIPHERS, + SSL_POLICY_INTERMEDIATE_SSL_CIPHERS, + SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS, SSL_POLICY_HONOR_ORDER, SSL_POLICY_COMPRESSION, SSL_POLICY_SESSION_TICKETS); @@ -558,7 +562,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create) #if SSL_POLICY_OLD add_policy(policies, p, "old", SSL_POLICY_OLD_PROTOCOLS, - SSL_POLICY_OLD_CIPHERS, + SSL_POLICY_OLD_SSL_CIPHERS, + SSL_POLICY_OLD_TLS13_CIPHERS, SSL_POLICY_HONOR_ORDER, SSL_POLICY_COMPRESSION, SSL_POLICY_SESSION_TICKETS); 
@@ -852,33 +857,37 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag) const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *dcfg, - const char *arg) + const char *arg1, const char *arg2) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; - /* always disable null and export ciphers */ - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL); - - if (cmd->path) { - dc->szCipherSuite = arg; + if (arg2 == NULL) { + arg2 = arg1; + arg1 = "SSL"; } - else { - sc->server->auth.cipher_suite = arg; + + if (!strcmp("SSL", arg1)) { + /* always disable null and export ciphers */ + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); + if (cmd->path) { + dc->szCipherSuite = arg2; + } + else { + sc->server->auth.cipher_suite = arg2; + } + return NULL; } - - return NULL; -} - -const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd, - void *dcfg, - const char *arg) -{ - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - - sc->server->auth.cipher_suite_tlsv1_3 = arg; - - return NULL; +#ifdef SSL_OP_NO_TLSv1_3 + else if (!strcmp("TLSv1.3", arg1)) { + if (cmd->path) { + return "TLSv1.3 ciphers cannot be set inside a directory context"; + } + sc->server->auth.tls13_ciphers = arg2; + return NULL; + } +#endif + return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL); } #define SSL_FLAGS_CHECK_FILE \ 
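Review bot: The fallback error built at the end of `ssl_cmd_SSLCipherSuite` misspells the word as `"procotol '"`; it should read `"protocol '"`, and the identical string at the end of `ssl_cmd_SSLProxyCipherSuite` (hunk -1614,27) needs the same fix. The specifier is matched with case-sensitive `strcmp`, so `tlsv1.3` or `ssl` is rejected, while the manual text in this patch describes the `SSLProtocol` names as case-insensitive; if that is meant to carry over, compare with `!strcasecmp("TLSv1.3", arg1)`. An unrecognised specifier does return an error string rather than being folded into the legacy cipher list, which is the safe direction and worth keeping. A short comment should also record that `:!aNULL:!eNULL:!EXP` is appended only on the "SSL" branch and that the TLSv1.3 value is stored unmodified, e.g. `/* TLSv1.3 suite names are passed through as given; no exclusions are appended */`.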
@@ -1614,27 +1623,28 @@ const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd, const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd, void *dcfg, - const char *arg) + const char *arg1, const char *arg2) { SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; - - /* always disable null and export ciphers */ - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL); - - dc->proxy->auth.cipher_suite = arg; - - return NULL; -} - -const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd, - void *dcfg, - const char *arg) -{ - SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; - - dc->proxy->auth.cipher_suite_tlsv1_3 = arg; - - return NULL; + + if (arg2 == NULL) { + arg2 = arg1; + arg1 = "SSL"; + } + + if (!strcmp("SSL", arg1)) { + /* always disable null and export ciphers */ + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); + dc->proxy->auth.cipher_suite = arg2; + return NULL; + } +#ifdef SSL_OP_NO_TLSv1_3 + else if (!strcmp("TLSv1.3", arg1)) { + dc->proxy->auth.tls13_ciphers = arg2; + return NULL; + } +#endif + return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL); } const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd, @@ -2512,7 +2522,10 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro { DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite); #ifdef SSL_OP_NO_TLSv1_3 - DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3); + if (auth->tls13_ciphers) { + DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", + apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL)); + } #endif DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode); DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth); diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 4033bb7d82..35553f5eaf 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
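Review bot: In `modssl_auth_ctx_dump` the TLSv1.3 list is emitted under the same label as the legacy list (`"SSLProxyCipherSuite"` / `"SSLCipherSuite"`), with the protocol folded into the value via `apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL)`. The definition of `DMP_STRING` is outside this hunk, so the following is inferred: if the dump is keyed output, a consumer may see a repeated key and keep only one of the two lists, which would hide part of the effective cipher configuration from anyone auditing it. A distinct label, or a comment such as `/* same directive name on purpose: mirrors "SSLCipherSuite TLSv1.3 <list>" */`, would make the intent explicit. The function body continues outside the hunk.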
@@ -936,8 +936,8 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, return ssl_die(s); } #ifdef SSL_OP_NO_TLSv1_3 - if (mctx->auth.cipher_suite_tlsv1_3 - && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) { + if (mctx->auth.tls13_ciphers + && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO() "Unable to configure permitted TLSv1.3 ciphers"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 3a63da0a85..36ed3c80c1 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -189,9 +189,9 @@ static int ssl_auth_compatible(modssl_auth_ctx_t *a1, return 0; } /* both have the same ca cipher suite string */ - if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3) - && (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3 - || strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) { + if ((a1->tls13_ciphers != a2->tls13_ciphers) + && (!a1->tls13_ciphers || !a2->tls13_ciphers + || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) { return 0; } return 1; diff --git a/modules/ssl/ssl_policies.h b/modules/ssl/ssl_policies.h index 0e9575678b..dd5d60726b 100644 --- a/modules/ssl/ssl_policies.h +++ b/modules/ssl/ssl_policies.h 
@@ -65,18 +65,21 @@ #ifdef HAVE_TLSV1_X #define SSL_POLICY_MODERN 1 -#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" +#define SSL_POLICY_MODERN_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" +#define SSL_POLICY_MODERN_TLS13_CIPHERS NULL #define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3) #else /* ifdef HAVE_TLSV1_X */ #define SSL_POLICY_MODERN 0 #endif /* ifdef HAVE_TLSV1_X, else part */ #define SSL_POLICY_INTERMEDIATE 1 -#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" +#define SSL_POLICY_INTERMEDIATE_SSL_CIPHERS 
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" +#define SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS NULL #define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3)) #define SSL_POLICY_OLD 1 -#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP" +#define SSL_POLICY_OLD_SSL_CIPHERS 
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP" +#define SSL_POLICY_OLD_TLS13_CIPHERS NULL #define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3)) diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 1247ee5310..cf5025788b 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -644,7 +644,7 @@ typedef struct { /** TLSv1.3 has its separate cipher list, separate from the settings for older TLS protocol versions. Since which one takes effect is a matter of negotiation, we need separate settings */ - const char *cipher_suite_tlsv1_3; + const char *tls13_ciphers; } modssl_auth_ctx_t; #ifdef HAVE_TLS_SESSION_TICKETS 
@@ -810,8 +810,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); @@ -840,8 +839,7 @@ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int fla const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *); const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *); diff --git a/modules/ssl/update_policies.py b/modules/ssl/update_policies.py index 9df5869532..c4a8fa978c 100644 --- a/modules/ssl/update_policies.py +++ b/modules/ssl/update_policies.py 
@@ -99,7 +99,9 @@ def printPolicies(doc): print "#ifdef %s" % ifdef print "#define %s 1" % prefix - print "#define %s_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS]) + print "#define %s_SSL_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS]) + # Mozilla has not specced this yet + print "#define %s_TLS13_CIPHERS NULL" % (prefix) print "#define %s_PROTOCOLS %s" % (prefix, proto_conf(p[KEY_TLS_VERSIONS])) if ifdef:
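Review bot: The generator now writes `#define %s_TLS13_CIPHERS NULL` for every policy while `_PROTOCOLS` is still derived from `p[KEY_TLS_VERSIONS]`, so a policy that enables TLSv1.3 carries no TLSv1.3 suite list of its own. In the regenerated ssl_policies.h in this patch that is the case for "modern" (`SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3` next to `SSL_POLICY_MODERN_TLS13_CIPHERS NULL`), and `add_policy` leaves `tls13_ciphers` unset when it is passed NULL, so presumably the SSL library's default suites apply. The added comment would be more useful if it stated that consequence, e.g. `# Mozilla has not specced this yet; NULL leaves the TLSv1.3 suites at the SSL library default`. `printPolicies` starts before this hunk and continues after it.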