www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

On the trunk:

Browse Source 
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
2018-03-29 14:10:12 +00:00
parent 8b305c8397
commit 352d92c698
9 changed files with 112 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -2,9 +2,8 @@
Changes with Apache 2.5.1 Changes with Apache 2.5.1
*) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
need more sugar). Added configuration directives for TLSv1.3 cipher suites (which need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity protocol the ciphers are for.
to find a better name.
[Stefan Eissing] [Stefan Eissing]
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard). *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).

30
docs/manual/mod/mod_ssl.xml
View File

@@ -650,6 +650,11 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
A revision of the TLS 1.1 protocol, as defined in A revision of the TLS 1.1 protocol, as defined in
<a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li> <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later)
<p>
A new version of the TLS protocol, as defined in
<a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li>
<li><code>all</code> <li><code>all</code>
<p> <p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
@@ -670,7 +675,7 @@ SSLProtocol TLSv1
<name>SSLCipherSuite</name> <name>SSLCipherSuite</name>
<description>Cipher Suite available for negotiation in SSL <description>Cipher Suite available for negotiation in SSL
handshake</description> handshake</description>
<syntax>SSLCipherSuite <em>cipher-spec</em></syntax> <syntax>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
<default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default> <default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
<contextlist><context>server config</context> <contextlist><context>server config</context>
<context>virtual host</context> <context>virtual host</context>
@@ -682,12 +687,25 @@ handshake</description>
<p> <p>
This complex directive uses a colon-separated <em>cipher-spec</em> string This complex directive uses a colon-separated <em>cipher-spec</em> string
consisting of OpenSSL cipher specifications to configure the Cipher Suite the consisting of OpenSSL cipher specifications to configure the Cipher Suite the
client is permitted to negotiate in the SSL handshake phase. Notice that this client is permitted to negotiate in the SSL handshake phase. The optional
directive can be used both in per-server and per-directory context. In protocol specifier can configure the Cipher Suite for a specific SSL version.
per-server context it applies to the standard SSL handshake when a connection Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2.
<p>
Notice that this
directive can be used both in per-server and per-directory context.
In per-server context it applies to the standard SSL handshake when a connection
is established. In per-directory context it forces a SSL renegotiation with the is established. In per-directory context it forces a SSL renegotiation with the
reconfigured Cipher Suite after the HTTP request was read but before the HTTP reconfigured Cipher Suite after the HTTP request was read but before the HTTP
response is sent.</p> response is sent. (Since renegotiation is not</p>
<p>
If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol
specifier "TLSv1.3" can be used to configure the cipher suites for that protocol.
Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in
a directory context is not allowed.</p>
<p>
For a list of TLSv1.3 cipher names, see
<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL
documentation</a>.</p>
<p> <p>
An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
attributes plus a few extra minor ones:</p> attributes plus a few extra minor ones:</p>
@@ -2071,7 +2089,7 @@ for additional information.
<name>SSLProxyCipherSuite</name> <name>SSLProxyCipherSuite</name>
<description>Cipher Suite available for negotiation in SSL <description>Cipher Suite available for negotiation in SSL
proxy handshake</description> proxy handshake</description>
<syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax> <syntax>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
<default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default> <default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default>
<contextlist><context>server config</context> <context>virtual host</context> <contextlist><context>server config</context> <context>virtual host</context>
<context>proxy section</context></contextlist> <context>proxy section</context></contextlist>

20
modules/ssl/mod_ssl.c
View File

@@ -97,14 +97,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(FIPS, FLAG, SSL_CMD_SRV(FIPS, FLAG,
"Enable FIPS-140 mode " "Enable FIPS-140 mode "
"(`on', `off')") "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1, SSL_CMD_ALL(CipherSuite, TAKE12,
"Colon-delimited list of permitted SSL Ciphers " "Colon-delimited list of permitted SSL Ciphers, optional preceeded "
"('XXX:...:XXX' - see manual)") "by protocol identifier ('XXX:...:XXX' - see manual)")
#ifdef SSL_OP_NO_TLSv1_3
SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
"Colon-delimited list of permitted TLSv1.3 Ciphers "
"('XXX:...:XXX' - see manual)")
#endif
SSL_CMD_SRV(CertificateFile, TAKE1, SSL_CMD_SRV(CertificateFile, TAKE1,
"SSL Server Certificate file " "SSL Server Certificate file "
"('/path/to/file' - PEM or DER encoded)") "('/path/to/file' - PEM or DER encoded)")
@@ -194,14 +189,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_PXY(ProxyProtocol, RAW_ARGS, SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors " "SSL Proxy: enable or disable SSL protocol flavors "
"('[+-][" SSL_PROTOCOLS "] ...' - see manual)") "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
SSL_CMD_PXY(ProxyCipherSuite, TAKE1, SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
"SSL Proxy: colon-delimited list of permitted SSL ciphers " "SSL Proxy: colon-delimited list of permitted SSL ciphers "
"('XXX:...:XXX' - see manual)") ", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)")
#ifdef SSL_OP_NO_TLSv1_3
SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
"SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
"('XXX:...:XXX' - see manual)")
#endif
SSL_CMD_PXY(ProxyVerify, TAKE1, SSL_CMD_PXY(ProxyVerify, TAKE1,
"SSL Proxy: whether to verify the remote certificate " "SSL Proxy: whether to verify the remote certificate "
"('on' or 'off')") "('on' or 'off')")

111
modules/ssl/ssl_engine_config.c
View File

@@ -140,7 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->auth.cipher_suite = NULL; mctx->auth.cipher_suite = NULL;
mctx->auth.verify_depth = UNSET; mctx->auth.verify_depth = UNSET;
mctx->auth.verify_mode = SSL_CVERIFY_UNSET; mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
mctx->auth.cipher_suite_tlsv1_3 = NULL; mctx->auth.tls13_ciphers = NULL;
mctx->ocsp_mask = UNSET; mctx->ocsp_mask = UNSET;
mctx->ocsp_force_default = UNSET; mctx->ocsp_force_default = UNSET;
@@ -285,7 +285,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
cfgMergeString(auth.cipher_suite); cfgMergeString(auth.cipher_suite);
cfgMergeInt(auth.verify_depth); cfgMergeInt(auth.verify_depth);
cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET); cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMergeString(auth.cipher_suite_tlsv1_3); cfgMergeString(auth.tls13_ciphers);
cfgMergeInt(ocsp_mask); cfgMergeInt(ocsp_mask);
cfgMergeBool(ocsp_force_default); cfgMergeBool(ocsp_force_default);
@@ -501,7 +501,7 @@ void ssl_config_proxy_merge(apr_pool_t *p,
*/ */
static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name, static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name,
int protocols, const char *ciphers, int protocols, const char *ssl_ciphers, const char *tls13_ciphers,
int honor_order, int compression, int session_tickets) int honor_order, int compression, int session_tickets)
{ {
SSLPolicyRec *policy; SSLPolicyRec *policy;
@@ -510,13 +510,15 @@ static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name,
policy->name = name; policy->name = name;
policy->sc = ssl_config_server_new(p); policy->sc = ssl_config_server_new(p);
if (protocols || ciphers) { if (protocols) {
policy->sc->server->protocol_set = 1; policy->sc->server->protocol_set = 1;
policy->sc->server->protocol = protocols; policy->sc->server->protocol = protocols;
} }
if (ssl_ciphers) {
if (ciphers) { policy->sc->server->auth.cipher_suite = ssl_ciphers;
policy->sc->server->auth.cipher_suite = ciphers; }
if (tls13_ciphers) {
policy->sc->server->auth.tls13_ciphers = tls13_ciphers;
} }
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
@@ -542,7 +544,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create)
#if SSL_POLICY_MODERN #if SSL_POLICY_MODERN
add_policy(policies, p, "modern", add_policy(policies, p, "modern",
SSL_POLICY_MODERN_PROTOCOLS, SSL_POLICY_MODERN_PROTOCOLS,
SSL_POLICY_MODERN_CIPHERS, SSL_POLICY_MODERN_SSL_CIPHERS,
SSL_POLICY_MODERN_TLS13_CIPHERS,
SSL_POLICY_HONOR_ORDER, SSL_POLICY_HONOR_ORDER,
SSL_POLICY_COMPRESSION, SSL_POLICY_COMPRESSION,
SSL_POLICY_SESSION_TICKETS); SSL_POLICY_SESSION_TICKETS);
@@ -550,7 +553,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create)
#if SSL_POLICY_INTERMEDIATE #if SSL_POLICY_INTERMEDIATE
add_policy(policies, p, "intermediate", add_policy(policies, p, "intermediate",
SSL_POLICY_INTERMEDIATE_PROTOCOLS, SSL_POLICY_INTERMEDIATE_PROTOCOLS,
SSL_POLICY_INTERMEDIATE_CIPHERS, SSL_POLICY_INTERMEDIATE_SSL_CIPHERS,
SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS,
SSL_POLICY_HONOR_ORDER, SSL_POLICY_HONOR_ORDER,
SSL_POLICY_COMPRESSION, SSL_POLICY_COMPRESSION,
SSL_POLICY_SESSION_TICKETS); SSL_POLICY_SESSION_TICKETS);
@@ -558,7 +562,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create)
#if SSL_POLICY_OLD #if SSL_POLICY_OLD
add_policy(policies, p, "old", add_policy(policies, p, "old",
SSL_POLICY_OLD_PROTOCOLS, SSL_POLICY_OLD_PROTOCOLS,
SSL_POLICY_OLD_CIPHERS, SSL_POLICY_OLD_SSL_CIPHERS,
SSL_POLICY_OLD_TLS13_CIPHERS,
SSL_POLICY_HONOR_ORDER, SSL_POLICY_HONOR_ORDER,
SSL_POLICY_COMPRESSION, SSL_POLICY_COMPRESSION,
SSL_POLICY_SESSION_TICKETS); SSL_POLICY_SESSION_TICKETS);
@@ -852,33 +857,37 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
void *dcfg, void *dcfg,
const char *arg) const char *arg1, const char *arg2)
{ {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
/* always disable null and export ciphers */ if (arg2 == NULL) {
arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL); arg2 = arg1;
arg1 = "SSL";
if (cmd->path) {
dc->szCipherSuite = arg;
}
else {
sc->server->auth.cipher_suite = arg;
} }
return NULL; if (!strcmp("SSL", arg1)) {
} /* always disable null and export ciphers */
arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd, if (cmd->path) {
void *dcfg, dc->szCipherSuite = arg2;
const char *arg) }
{ else {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->server->auth.cipher_suite = arg2;
}
sc->server->auth.cipher_suite_tlsv1_3 = arg; return NULL;
}
return NULL; #ifdef SSL_OP_NO_TLSv1_3
else if (!strcmp("TLSv1.3", arg1)) {
if (cmd->path) {
return "TLSv1.3 ciphers cannot be set inside a directory context";
}
sc->server->auth.tls13_ciphers = arg2;
return NULL;
}
#endif
return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
} }
#define SSL_FLAGS_CHECK_FILE \ #define SSL_FLAGS_CHECK_FILE \
@@ -1614,27 +1623,28 @@ const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd, const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
void *dcfg, void *dcfg,
const char *arg) const char *arg1, const char *arg2)
{ {
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
/* always disable null and export ciphers */ if (arg2 == NULL) {
arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL); arg2 = arg1;
arg1 = "SSL";
}
dc->proxy->auth.cipher_suite = arg; if (!strcmp("SSL", arg1)) {
/* always disable null and export ciphers */
return NULL; arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
} dc->proxy->auth.cipher_suite = arg2;
return NULL;
const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd, }
void *dcfg, #ifdef SSL_OP_NO_TLSv1_3
const char *arg) else if (!strcmp("TLSv1.3", arg1)) {
{ dc->proxy->auth.tls13_ciphers = arg2;
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; return NULL;
}
dc->proxy->auth.cipher_suite_tlsv1_3 = arg; #endif
return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
return NULL;
} }
const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd, const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
@@ -2512,7 +2522,10 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
{ {
DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite); DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3); if (auth->tls13_ciphers) {
DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite",
apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL));
}
#endif #endif
DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode); DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth); DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);

4
modules/ssl/ssl_engine_init.c
View File

@@ -936,8 +936,8 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
return ssl_die(s); return ssl_die(s);
} }
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
if (mctx->auth.cipher_suite_tlsv1_3 if (mctx->auth.tls13_ciphers
&& !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) { && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO() ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
"Unable to configure permitted TLSv1.3 ciphers"); "Unable to configure permitted TLSv1.3 ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);

6
modules/ssl/ssl_engine_kernel.c
View File

@@ -189,9 +189,9 @@ static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
return 0; return 0;
} }
/* both have the same ca cipher suite string */ /* both have the same ca cipher suite string */
if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3) if ((a1->tls13_ciphers != a2->tls13_ciphers)
&& (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3 && (!a1->tls13_ciphers || !a2->tls13_ciphers
|| strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) { || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
return 0; return 0;
} }
return 1; return 1;

9
modules/ssl/ssl_policies.h
View File

@@ -65,18 +65,21 @@
#ifdef HAVE_TLSV1_X #ifdef HAVE_TLSV1_X
#define SSL_POLICY_MODERN 1 #define SSL_POLICY_MODERN 1
#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" #define SSL_POLICY_MODERN_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
#define SSL_POLICY_MODERN_TLS13_CIPHERS NULL
#define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3) #define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
#else /* ifdef HAVE_TLSV1_X */ #else /* ifdef HAVE_TLSV1_X */
#define SSL_POLICY_MODERN 0 #define SSL_POLICY_MODERN 0
#endif /* ifdef HAVE_TLSV1_X, else part */ #endif /* ifdef HAVE_TLSV1_X, else part */
#define SSL_POLICY_INTERMEDIATE 1 #define SSL_POLICY_INTERMEDIATE 1
#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" #define SSL_POLICY_INTERMEDIATE_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
#define SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS NULL
#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3)) #define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3))
#define SSL_POLICY_OLD 1 #define SSL_POLICY_OLD 1
#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP" #define SSL_POLICY_OLD_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
#define SSL_POLICY_OLD_TLS13_CIPHERS NULL
#define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3)) #define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3))

8
modules/ssl/ssl_private.h
View File

@@ -644,7 +644,7 @@ typedef struct {
/** TLSv1.3 has its separate cipher list, separate from the /** TLSv1.3 has its separate cipher list, separate from the
settings for older TLS protocol versions. Since which one takes settings for older TLS protocol versions. Since which one takes
effect is a matter of negotiation, we need separate settings */ effect is a matter of negotiation, we need separate settings */
const char *cipher_suite_tlsv1_3; const char *tls13_ciphers;
} modssl_auth_ctx_t; } modssl_auth_ctx_t;
#ifdef HAVE_TLS_SESSION_TICKETS #ifdef HAVE_TLS_SESSION_TICKETS
@@ -810,8 +810,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -840,8 +839,7 @@ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int fla
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);

4
modules/ssl/update_policies.py
View File

@@ -99,7 +99,9 @@ def printPolicies(doc):
print "#ifdef %s" % ifdef print "#ifdef %s" % ifdef
print "#define %s 1" % prefix print "#define %s 1" % prefix
print "#define %s_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS]) print "#define %s_SSL_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS])
# Mozilla has not specced this yet
print "#define %s_TLS13_CIPHERS NULL" % (prefix)
print "#define %s_PROTOCOLS %s" % (prefix, proto_conf(p[KEY_TLS_VERSIONS])) print "#define %s_PROTOCOLS %s" % (prefix, proto_conf(p[KEY_TLS_VERSIONS]))
if ifdef: if ifdef: