https://bz.apache.org/bugzilla/show_bug.cgi?id=58213
Bug ID: 58213
Summary: Can't use SUITEB128 etc. ciphers with apache.
Product: Apache httpd-2
Version: 2.4.12
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
mod_ssl tries to modify the SSLCipherSuite to disable NULL and export ciphers.
OpenSSL requires the cipher string to be *exactly* SUITEB128, SUITEB192, etc. to
use Suite B modes. These two things result in this error when attempting to
use Suite B ciphers:
2015-08-05T08:27:00.680740-04:00 michigan local7 emerg httpd[11453]: [ssl:emerg] [pid 11453] AH01898: Unable to configure permitted SSL ciphers
2015-08-05T08:27:00.680776-04:00 michigan local7 emerg httpd[11453]: [ssl:emerg] [pid 11453] SSL Library Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
This patch allows Suite B to be used:
--- modules/ssl/ssl_engine_config.c.orig 2015-08-05 12:12:58 UTC
+++ modules/ssl/ssl_engine_config.c
@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
- /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ if( strncmp( arg, "SUITEB", 6 ) != 0 ) {
+ /* always disable null and export ciphers */
+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ }
if (cmd->path) {
dc->szCipherSuite = arg;
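Review bot: The new condition strncmp( arg, "SUITEB", 6 ) != 0 is a prefix test, while the report says OpenSSL needs the string to be exactly SUITEB128, SUITEB192, etc. As written, any SSLCipherSuite value that merely begins with SUITEB, including one with further cipher tokens appended after a colon, skips the "!aNULL:!eNULL:!EXP:" prefix, so the NULL/export exclusion then depends entirely on how OpenSSL treats the rest of the string. Comparing the whole argument with strcmp against the specific Suite B keywords that are meant to be supported would keep the exclusion in force for everything else. Two smaller points in the same lines: the retained comment "always disable null and export ciphers" is no longer accurate and should mention the Suite B exception, and the spacing in if( strncmp( ... ) ) does not match the surrounding "if (cmd->path)" style.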
PS. My apache version is 2.4.16, but that is not a choice on the bug report
page. Should I file a bug report for that? :)