New releases of OpenSSL will only allow secure renegotiation by

default. Add an "SSLInsecureRenegotiation" directive to enable renegotiation against unpatched clients, to ease transition: * modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add insecure_reneg field. * modules/ssl/ssl_engine_config.c (ssl_config_server_new, ssl_config_server_merge): Handle the insecure_reneg flag. (ssl_cmd_SSLInsecureRenegotiation): New function. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is enabled. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of support for secure reneg. * modules/ssl/mod_ssl.c: Add the directive definition. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2010-02-03 13:38:09 +00:00
parent 262c4164d2
commit f1e767fd68
5 changed files with 37 additions and 8 deletions
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -123,6 +123,8 @@ static const command_rec ssl_config_cmds[] = {
                "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+                "Enable support for insecure renegotiation")
    SSL_CMD_ALL(UserName, TAKE1,
                "Set user name to SSL variable value")
    SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -185,6 +185,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
    sc->vhost_id_len           = 0;     /* set during module init */
    sc->session_cache_timeout  = UNSET;
    sc->cipher_server_pref     = UNSET;
+    sc->insecure_reneg         = UNSET;
    sc->ssl_log_level          = SSL_LOG_UNSET;
    sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
    sc->proxy_ssl_check_peer_cn     = SSL_ENABLED_UNSET;
@@ -294,6 +295,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
    cfgMergeBool(proxy_enabled);
    cfgMergeInt(session_cache_timeout);
    cfgMergeBool(cipher_server_pref);
+    cfgMergeBool(insecure_reneg);
    cfgMerge(ssl_log_level, SSL_LOG_UNSET);
    cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
    cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
@@ -628,6 +630,18 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 #endif
 }

+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->insecure_reneg = flag?TRUE:FALSE;
+    return NULL;
+#else
+    return "SSLInsecureRenegotiation is not supported by the SSL library";
+#endif
+}
+
+
 static const char *ssl_cmd_check_dir(cmd_parms *parms,
                                     const char **dir)
 {
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -414,6 +414,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
    MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
    char *cp;
    int protocol = mctx->protocol;
+    SSLSrvConfigRec *sc = mySrvConfig(s);

    /*
     *  Create the new per-server SSL context
@@ -473,11 +474,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
    }

 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-    {
-        SSLSrvConfigRec *sc = mySrvConfig(s);
-        if (sc->cipher_server_pref == TRUE) {
-            SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-        }
+    if (sc->cipher_server_pref == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    if (sc->insecure_reneg == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
    }
 #endif

--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -764,10 +764,17 @@ int ssl_hook_Access(request_rec *r)
                r->connection->keepalive = AP_CONN_CLOSE;
            }

-            /* do a full renegotiation */
+            /* Perform a full renegotiation. */
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                          "Performing full renegotiation: "
-                          "complete handshake protocol");
+                          "Performing full renegotiation: complete handshake "
+                          "protocol (%s support secure renegotiation)",
+#if defined(SSL_get_secure_renegotiation_support)
+                          SSL_get_secure_renegotiation_support(ssl) ? 
+                          "client does" : "client does not"
+#else
+                          "server does not"
+#endif
+                );

            SSL_set_session_id_context(ssl,
                                       (unsigned char *)&id,
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -507,6 +507,7 @@ struct SSLSrvConfigRec {
    int              vhost_id_len;
    int              session_cache_timeout;
    BOOL             cipher_server_pref;
+    BOOL             insecure_reneg;
    modssl_ctx_t    *server;
    modssl_ctx_t    *proxy;
    ssl_log_level_e  ssl_log_level;
@@ -580,6 +581,7 @@ const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);

 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);