On Sun, Jul 07, 2013 at 08:18:18PM -0700, Aaron Stellman wrote: > As you may or may not know, SSLHonorCipherOrder is supported since > apache 2.1. > > This diff ports this feature to OpenBSD's httpd. Its effects can be > tested @ https://www.ssllabs.com/ssltest/analyze.html?d=example.com by > playing with SSLHonorCipherOrder/SSLCipherSuite directives. > > SSLHonorCipherOrder directive is useful for prioritizing certain crypto > parameters over others. I use it to prioritize GCM over RC4, and RC4 > over CBC based ciphers to reduce chance of BEAST attack. > > It's documented @ > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder > > This diff is adapted from r103832 @ > http://svn.apache.org/repos/asf/httpd (subversion) > > Thanks
I think you missed the renogiate case. Anyway, I posted almost the same diff some time ago. -Otto
> Index: usr.sbin/httpd//src/modules/ssl/mod_ssl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 mod_ssl.c
> --- usr.sbin/httpd//src/modules/ssl/mod_ssl.c 14 Oct 2007 15:12:59 -0000 > 1.10
> +++ usr.sbin/httpd//src/modules/ssl/mod_ssl.c 8 Jul 2013 03:08:27 -0000
> @@ -158,6 +158,8 @@ static command_rec ssl_config_cmds[] = {
> AP_SRV_CMD(Protocol, RAW_ARGS,
> "Enable or disable various SSL protocols"
> "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
> + AP_SRV_CMD(HonorCipherOrder, FLAG,
> + "Use the server's cipher ordering preference")
>
> #ifdef SSL_EXPERIMENTAL_PROXY
> /*
> Index: usr.sbin/httpd//src/modules/ssl/mod_ssl.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v
> retrieving revision 1.21
> diff -u -p -r1.21 mod_ssl.h
> --- usr.sbin/httpd//src/modules/ssl/mod_ssl.h 4 Apr 2006 08:51:28 -0000 > 1.21
> +++ usr.sbin/httpd//src/modules/ssl/mod_ssl.h 8 Jul 2013 03:08:27 -0000
> @@ -514,6 +514,7 @@ typedef struct {
> char *szCACertificateFile;
> char *szLogFile;
> char *szCipherSuite;
> + BOOL cipher_server_pref;
> FILE *fileLogFile;
> int nLogLevel;
> int nVerifyDepth;
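Review bot: The new `BOOL cipher_server_pref;` member does not follow the type-prefixed naming its neighbours in this struct use (`szCipherSuite`, `fileLogFile`, `nLogLevel`, `nVerifyDepth`), and the same name is then repeated in both ssl_engine_config.c hunks and the ssl_engine_init.c hunk, so it is worth settling before it spreads. A name in the struct's own style that also ties the field to the directive it stores, e.g. `BOOL bHonorCipherOrder;`, would fit better (assuming `b` is the prefix this struct uses for its other BOOL fields; those are outside the hunk, so check). Because ssl_config_server_create initialises it to `UNSET` and the init code tests `== TRUE`, the field is effectively tri-state, which a trailing comment should record: `BOOL bHonorCipherOrder; /* SSLHonorCipherOrder: UNSET, TRUE or FALSE */`. The enclosing typedef struct starts and ends outside this hunk.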
> @@ -597,6 +598,7 @@ const char *ssl_cmd_SSLCACertificatePat
> const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, SSLDirConfigRec *, > char *);
> const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, SSLDirConfigRec *, > char *);
> const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, SSLDirConfigRec *, > char *);
> +const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int > flag);
> const char *ssl_cmd_SSLVerifyClient(cmd_parms *, SSLDirConfigRec *, char *);
> const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, SSLDirConfigRec *, char *);
> const char *ssl_cmd_SSLSessionCache(cmd_parms *, char *, char *);
> Index: usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v
> retrieving revision 1.19
> diff -u -p -r1.19 ssl_engine_config.c
> --- usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c 27 May 2008 > 10:17:24 -0000 1.19
> +++ usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c 8 Jul 2013 > 03:08:27 -0000
> @@ -208,6 +208,7 @@ void *ssl_config_server_create(pool *p,
> sc->szCARevocationPath = NULL;
> sc->szCARevocationFile = NULL;
> sc->pRevocationStore = NULL;
> + sc->cipher_server_pref = UNSET;
>
> #ifdef SSL_EXPERIMENTAL_PROXY
> sc->nProxyVerifyDepth = UNSET;
> @@ -264,6 +265,7 @@ void *ssl_config_server_merge(pool *p, v
> cfgMerge(szCARevocationPath, NULL);
> cfgMerge(szCARevocationFile, NULL);
> cfgMerge(pRevocationStore, NULL);
> + cfgMergeBool(cipher_server_pref);
>
> for (i = 0; i < SSL_AIDX_MAX; i++) {
> cfgMergeString(szPublicCertFile[i]);
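Review bot: The added prototype names its parameters (`cmd`, `dcfg`, `flag`) while every neighbouring declaration in this list omits them; `const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);` keeps the block uniform. Its second parameter is `void *` rather than the `SSLDirConfigRec *` of the surrounding entries, which is presumably because the directive is registered with AP_SRV_CMD and reads only the server config; a short comment above the line recording that (`/* server-scoped FLAG directive; the per-dir config argument is ignored */`) saves the next reader from wondering whether the mismatch is a mistake. The mail client wrapped this line after `int`, so make sure the applied patch has it on one line.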
> @@ -540,6 +542,17 @@ const char *ssl_cmd_SSLCipherSuite(
> else
> dc->szCipherSuite = arg;
> return NULL;
> +}
> +
> +const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
> +{
> +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
> + SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> + sc->cipher_server_pref = flag?TRUE:FALSE;
> + return NULL;
> +#else
> + return "SSLHonorCiperOrder unsupported; not implemented by the SSL > library";
> +#endif
> }
>
> const char *ssl_cmd_SSLCertificateFile(
> Index: usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c,v
> retrieving revision 1.28
> diff -u -p -r1.28 ssl_engine_init.c
> --- usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c 7 Jul 2012 17:08:17 > -0000 1.28
> +++ usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c 8 Jul 2013 03:08:27 > -0000
> @@ -589,6 +589,16 @@ void ssl_init_ConfigureServer(server_rec
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
> if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
> SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
> +
> +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
> + {
> + SSLSrvConfigRec *sc = mySrvConfig(s);
> + if (sc->cipher_server_pref == TRUE) {
> + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> + }
> + }
> +#endif
> +
> SSL_CTX_set_app_data(ctx, s);
> sc->pSSLCtx = ctx;
>
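Review bot: The configuration error returned on the `#else` branch of ssl_cmd_SSLHonorCipherOrder misspells the directive as `SSLHonorCiperOrder`, so an administrator searching the startup error for the directive name will not match it; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";` (the mail also wrapped that literal after `SSL`, so confirm it is one line when applied). On the same branch `cmd`, `dcfg` and `flag` are never used, which warns under -Wunused-parameter; a `(void)cmd; (void)dcfg; (void)flag;` line keeps the build quiet. A one-line header comment would also help, since the function ignores its per-directory argument entirely: `/* SSLHonorCipherOrder on|off: server-scoped, stored in the server config */`. The tail of ssl_cmd_SSLCipherSuite above the new function starts outside the hunk.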
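Review bot: The added block in ssl_init_ConfigureServer declares a second `SSLSrvConfigRec *sc` that shadows the `sc` the enclosing function already uses on the context lines both above (`sc->nProtocol`) and below (`sc->pSSLCtx = ctx`); presumably both refer to the same server record, in which case the inner declaration and its braces are redundant and will trip -Wshadow. The `#ifdef` can simply hold `if (sc->cipher_server_pref == TRUE)` followed by `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);`. A why-comment on the option is worth adding, e.g. `/* SSLHonorCipherOrder: pick from the server's SSLCipherSuite order, not the client's */`, since the context-setting code otherwise gives no hint of what the flag changes. ssl_init_ConfigureServer begins before this hunk.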