On the trunk:

mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
     are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
     to find a better name.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -2,7 +2,10 @@
 Changes with Apache 2.5.1
 
   *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
-     need more sugar). [Stefan Eissing]
+     need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
+     are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
+     to find a better name.
+     [Stefan Eissing]
 
   *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
      [Eric Covener]

modules/ssl/mod_ssl.c

@@ -100,6 +100,11 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Colon-delimited list of permitted SSL Ciphers "
                 "('XXX:...:XXX' - see manual)")
+#ifdef SSL_OP_NO_TLSv1_3
+    SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
+                "Colon-delimited list of permitted TLSv1.3 Ciphers "
+                "('XXX:...:XXX' - see manual)")
+#endif
     SSL_CMD_SRV(CertificateFile, TAKE1,
                 "SSL Server Certificate file "
                 "('/path/to/file' - PEM or DER encoded)")
@@ -192,6 +197,11 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                "('XXX:...:XXX' - see manual)")
+#ifdef SSL_OP_NO_TLSv1_3
+    SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
+               "SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
+               "('XXX:...:XXX' - see manual)")
+#endif
     SSL_CMD_PXY(ProxyVerify, TAKE1,
                "SSL Proxy: whether to verify the remote certificate "
                "('on' or 'off')")

modules/ssl/ssl_engine_config.c

@@ -140,6 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->auth.cipher_suite   = NULL;
     mctx->auth.verify_depth   = UNSET;
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
+    mctx->auth.cipher_suite_tlsv1_3 = NULL;
 
     mctx->ocsp_mask           = UNSET;
     mctx->ocsp_force_default  = UNSET;
@@ -284,6 +285,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
     cfgMergeString(auth.cipher_suite);
     cfgMergeInt(auth.verify_depth);
     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
+    cfgMergeString(auth.cipher_suite_tlsv1_3);
 
     cfgMergeInt(ocsp_mask);
     cfgMergeBool(ocsp_force_default);
@@ -868,6 +870,17 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
     return NULL;
 }
 
+const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd,
+                                      void *dcfg,
+                                      const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->auth.cipher_suite_tlsv1_3 = arg;
+
+    return NULL;
+}
+
 #define SSL_FLAGS_CHECK_FILE \
     (SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO)
 
@@ -1613,6 +1626,17 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
     return NULL;
 }
 
+const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd,
+                                            void *dcfg,
+                                            const char *arg)
+{
+    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+    dc->proxy->auth.cipher_suite_tlsv1_3 = arg;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
                                    void *dcfg,
                                    const char *arg)
@@ -2487,6 +2511,9 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
                                  apr_file_t *out, const char *indent, const char **psep)
 {
     DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
+#ifdef SSL_OP_NO_TLSv1_3
+    DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3);
+#endif
     DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
     DMP_LONG(  proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);
     DMP_STRING(proxy? "SSLProxyCACertificateFile" : "SSLCACertificateFile", auth->ca_cert_file);

modules/ssl/ssl_engine_init.c

@@ -935,7 +935,15 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
         return ssl_die(s);
     }
-
+#ifdef SSL_OP_NO_TLSv1_3
+    if (mctx->auth.cipher_suite_tlsv1_3 
+        && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
+                "Unable to configure permitted TLSv1.3 ciphers");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+        return ssl_die(s);
+    }
+#endif
     return APR_SUCCESS;
 }
 

modules/ssl/ssl_engine_kernel.c

@@ -188,6 +188,12 @@ static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
             || strcmp(a1->cipher_suite, a2->cipher_suite))) {
         return 0;
     }
+    /* both have the same ca cipher suite string */
+    if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3)
+        && (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3 
+            || strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) {
+        return 0;
+    }
     return 1;
 }
 

modules/ssl/ssl_private.h

@@ -640,6 +640,11 @@ typedef struct {
     /** for client or downstream server authentication */
     int          verify_depth;
     ssl_verify_t verify_mode;
+
+    /** TLSv1.3 has its separate cipher list, separate from the
+     settings for older TLS protocol versions. Since which one takes
+     effect is a matter of negotiation, we need separate settings */
+    const char  *cipher_suite_tlsv1_3;
 } modssl_auth_ctx_t;
 
 #ifdef HAVE_TLS_SESSION_TICKETS
@@ -806,6 +811,7 @@ const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -835,6 +841,7 @@ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int fla
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);