On Sun, Jul 07, 2013 at 08:18:18PM -0700, Aaron Stellman wrote:

> As you may or may not know, SSLHonorCipherOrder is supported since
> apache 2.1.
> 
> This diff ports this feature to OpenBSD's httpd. Its effects can be
> tested @ https://www.ssllabs.com/ssltest/analyze.html?d=example.com by
> playing with SSLHonorCipherOrder/SSLCipherSuite directives.
> 
> SSLHonorCipherOrder directive is useful for prioritizing certain crypto
> parameters over others. I use it to prioritize GCM over RC4, and RC4
> over CBC-based ciphers to reduce the chance of a BEAST attack (a
> trade-off, since RC4 has known weaknesses of its own).
> 
> It's documented @
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
> 
> This diff is adapted from r103832 @
> http://svn.apache.org/repos/asf/httpd (subversion)
> 
> Thanks

I think you missed the renegotiation case. Anyway, I posted almost the
same diff some time ago.

        -Otto

> Index: usr.sbin/httpd//src/modules/ssl/mod_ssl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 mod_ssl.c
> --- usr.sbin/httpd//src/modules/ssl/mod_ssl.c 14 Oct 2007 15:12:59 -0000      
> 1.10
> +++ usr.sbin/httpd//src/modules/ssl/mod_ssl.c 8 Jul 2013 03:08:27 -0000
> @@ -158,6 +158,8 @@ static command_rec ssl_config_cmds[] = {
>      AP_SRV_CMD(Protocol, RAW_ARGS,
>                 "Enable or disable various SSL protocols"
>                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
> +    AP_SRV_CMD(HonorCipherOrder, FLAG,
> +                "Use the server's cipher ordering preference")
>  
>  #ifdef SSL_EXPERIMENTAL_PROXY
>      /* 
> Index: usr.sbin/httpd//src/modules/ssl/mod_ssl.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v
> retrieving revision 1.21
> diff -u -p -r1.21 mod_ssl.h
> --- usr.sbin/httpd//src/modules/ssl/mod_ssl.h 4 Apr 2006 08:51:28 -0000       
> 1.21
> +++ usr.sbin/httpd//src/modules/ssl/mod_ssl.h 8 Jul 2013 03:08:27 -0000
> @@ -514,6 +514,7 @@ typedef struct {
>      char        *szCACertificateFile;
>      char        *szLogFile;
>      char        *szCipherSuite;
> +    BOOL         cipher_server_pref;
>      FILE        *fileLogFile;
>      int          nLogLevel;
>      int          nVerifyDepth;
> @@ -597,6 +598,7 @@ const char  *ssl_cmd_SSLCACertificatePat
>  const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, SSLDirConfigRec *, 
> char *);
>  const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, SSLDirConfigRec *, 
> char *);
>  const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, SSLDirConfigRec *, 
> char *);
> +const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int 
> flag);
>  const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, SSLDirConfigRec *, char *);
>  const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, SSLDirConfigRec *, char *);
>  const char  *ssl_cmd_SSLSessionCache(cmd_parms *, char *, char *);
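Review bot: The new prototype takes `void *dcfg` and spells out parameter names, while the neighbouring declarations visible here pass `SSLDirConfigRec *` and omit names; since the handler never uses its second argument, `const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, SSLDirConfigRec *, int);` would read consistently with the list. If that is changed, the definition in ssl_engine_config.c must use the same parameter type so the prototype and definition stay compatible. The `char *);` fragments on their own lines appear to be mail-client wrapping rather than part of the patch, so the hunk may not apply verbatim.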
> Index: usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v
> retrieving revision 1.19
> diff -u -p -r1.19 ssl_engine_config.c
> --- usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c       27 May 2008 
> 10:17:24 -0000      1.19
> +++ usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c       8 Jul 2013 
> 03:08:27 -0000
> @@ -208,6 +208,7 @@ void *ssl_config_server_create(pool *p, 
>      sc->szCARevocationPath     = NULL;
>      sc->szCARevocationFile     = NULL;
>      sc->pRevocationStore       = NULL;
> +    sc->cipher_server_pref     = UNSET;
>  
>  #ifdef SSL_EXPERIMENTAL_PROXY
>      sc->nProxyVerifyDepth             = UNSET;
> @@ -264,6 +265,7 @@ void *ssl_config_server_merge(pool *p, v
>      cfgMerge(szCARevocationPath, NULL);
>      cfgMerge(szCARevocationFile, NULL);
>      cfgMerge(pRevocationStore, NULL);
> +    cfgMergeBool(cipher_server_pref);
>  
>      for (i = 0; i < SSL_AIDX_MAX; i++) {
>          cfgMergeString(szPublicCertFile[i]);
> @@ -540,6 +542,17 @@ const char *ssl_cmd_SSLCipherSuite(
>      else
>          dc->szCipherSuite = arg;
>      return NULL;
> +}
> +
> +const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
> +{
> +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
> +    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> +    sc->cipher_server_pref = flag?TRUE:FALSE;
> +    return NULL;
> +#else
> +    return "SSLHonorCiperOrder unsupported; not implemented by the SSL 
> library";
> +#endif
>  }
>  
>  const char *ssl_cmd_SSLCertificateFile(
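Review bot: The error string in the `#else` branch misspells the directive as `SSLHonorCiperOrder`, so an administrator whose libssl lacks SSL_OP_CIPHER_SERVER_PREFERENCE gets a message that does not match the directive name in httpd.conf and cannot be searched for; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. In that branch `cmd`, `dcfg` and `flag` are all unused, which some compilers warn about; `(void)cmd; (void)dcfg; (void)flag;` before the return keeps the build quiet. A one-line comment above the function noting that the setting is stored per server (`mySrvConfig(cmd->server)`) and that `dcfg` is deliberately ignored would also help the next reader.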
> Index: usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c,v
> retrieving revision 1.28
> diff -u -p -r1.28 ssl_engine_init.c
> --- usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c 7 Jul 2012 17:08:17 
> -0000       1.28
> +++ usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c 8 Jul 2013 03:08:27 
> -0000
> @@ -589,6 +589,16 @@ void ssl_init_ConfigureServer(server_rec
>          SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
>      if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
>          SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
> +
> +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
> +    {
> +        SSLSrvConfigRec *sc = mySrvConfig(s);
> +        if (sc->cipher_server_pref == TRUE) {
> +            SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> +        }
> +    }
> +#endif
> +
>      SSL_CTX_set_app_data(ctx, s);
>      sc->pSSLCtx = ctx;
>  
