On Sun, Jul 07, 2013 at 10:17:11PM -0700, Aaron Stellman wrote:

> On Mon, Jul 08, 2013 at 07:06:43AM +0200, Otto Moerbeek wrote:
> > I think you missed the renegotiate case. Anyway, I posted almost the
> > same diff some time ago.
> 
> You're right -- renegotiate case was missed. Your patch from April looks
> fine to me. It would be beneficial to have it committed.
> 
> Thanks

As gunther@ kindly remarked, there was a small issue: AP_SRV_CMD
versus my AP_ALL_CMD in my original diff. So this is the diff I am
going to commit unless somebody objects quickly.

        -Otto

Index: src/modules/ssl/mod_ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.10
diff -u -p -r1.10 mod_ssl.c
--- src/modules/ssl/mod_ssl.c   14 Oct 2007 15:12:59 -0000      1.10
+++ src/modules/ssl/mod_ssl.c   10 Jul 2013 08:26:47 -0000
@@ -107,6 +107,9 @@ static command_rec ssl_config_cmds[] = {
     AP_SRV_CMD(Engine, FLAG,
                "SSL switch for the protocol engine "
                "(`on', `off')")
+    AP_SRV_CMD(HonorCipherOrder, TAKE1,
+               "Let the server determine preferred ciphers "
+               "(`on', `off'")
     AP_ALL_CMD(CipherSuite, TAKE1,
                "Colon-delimited list of permitted SSL Ciphers "
                "(`XXX:...:XXX' - see manual)")
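Review bot: The new HonorCipherOrder entry is registered as TAKE1 while its handler `ssl_cmd_SSLHonorCipherOrder` is declared with the FLAG-style `(cmd_parms *, char *, int)` signature (mod_ssl.h hunk, and the definition in the ssl_engine_config.c hunk), exactly like the Engine entry directly above, which is registered as FLAG. Unless AP_SRV_CMD maps TAKE1 to something other than Apache's one-string-argument calling convention, the handler would receive the argument pointer in `flag`, so `SSLHonorCipherOrder off` would be truthy and turn the option on; `AP_SRV_CMD(HonorCipherOrder, FLAG,` looks like the intended line. Separately, the description string is missing its closing parenthesis: `"(`on', `off'")` should read `"(`on', `off')")`, matching the Engine entry.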
Index: src/modules/ssl/mod_ssl.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.21
diff -u -p -r1.21 mod_ssl.h
--- src/modules/ssl/mod_ssl.h   4 Apr 2006 08:51:28 -0000       1.21
+++ src/modules/ssl/mod_ssl.h   10 Jul 2013 08:26:47 -0000
@@ -516,6 +516,7 @@ typedef struct {
     char        *szCipherSuite;
     FILE        *fileLogFile;
     int          nLogLevel;
+    BOOL         cipher_server_pref;
     int          nVerifyDepth;
     ssl_verify_t nVerifyClient;
     X509        *pPublicCert[SSL_AIDX_MAX];
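Review bot: `cipher_server_pref` is the only member in this hunk that does not follow the type-prefix naming of its neighbours (`szCipherSuite`, `nLogLevel`, `nVerifyDepth`), and the existing flag `bEnabled` visible in the ssl_engine_config.c hunk shows the convention for a BOOL; `BOOL         bHonorCipherOrder;` would also tie the field to the directive name. A rename touches every file in this diff, so it is worth settling before commit. The enclosing typedef struct begins outside the hunk.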
@@ -589,6 +590,7 @@ const char  *ssl_cmd_SSLPassPhraseDialog
 const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char 
*);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
+const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
Index: src/modules/ssl/ssl_engine_config.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.19
diff -u -p -r1.19 ssl_engine_config.c
--- src/modules/ssl/ssl_engine_config.c 27 May 2008 10:17:24 -0000      1.19
+++ src/modules/ssl/ssl_engine_config.c 10 Jul 2013 08:26:47 -0000
@@ -197,6 +197,7 @@ void *ssl_config_server_create(pool *p, 
     sc->szLogFile              = NULL;
     sc->szCipherSuite          = NULL;
     sc->nLogLevel              = SSL_LOG_NONE;
+    sc->cipher_server_pref     = UNSET;
     sc->nVerifyDepth           = UNSET;
     sc->nVerifyClient          = SSL_CVERIFY_UNSET;
     sc->nSessionCacheTimeout   = UNSET;
@@ -252,6 +253,7 @@ void *ssl_config_server_merge(pool *p, v
     cfgMergeString(szCertificateChain);
     cfgMergeString(szLogFile);
     cfgMergeString(szCipherSuite);
+    cfgMergeBool(cipher_server_pref);
     cfgMerge(nLogLevel, SSL_LOG_NONE);
     cfgMergeInt(nVerifyDepth);
     cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
@@ -527,6 +529,14 @@ const char *ssl_cmd_SSLEngine(
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
     sc->bEnabled = (flag ? TRUE : FALSE);
+    return NULL;
+}
+
+const char *ssl_cmd_SSLHonorCipherOrder(
+     cmd_parms *cmd, char *struct_ptr, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->cipher_server_pref = flag?TRUE:FALSE;
     return NULL;
 }
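Review bot: The assignment in `ssl_cmd_SSLHonorCipherOrder` is written `flag?TRUE:FALSE` while the sibling `ssl_cmd_SSLEngine` a few lines above writes `(flag ? TRUE : FALSE)`, and the signature's continuation line is indented five spaces where the file uses four; `sc->cipher_server_pref = (flag ? TRUE : FALSE);` keeps the two handlers parallel. The unused `struct_ptr` parameter mirrors the sibling, so nothing to change there. ssl_cmd_SSLEngine starts outside the hunk.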
 
Index: src/modules/ssl/ssl_engine_init.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.28
diff -u -p -r1.28 ssl_engine_init.c
--- src/modules/ssl/ssl_engine_init.c   7 Jul 2012 17:08:17 -0000       1.28
+++ src/modules/ssl/ssl_engine_init.c   10 Jul 2013 08:26:47 -0000
@@ -589,6 +589,8 @@ void ssl_init_ConfigureServer(server_rec
         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
     if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+    if (sc->cipher_server_pref == TRUE)
+       SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     SSL_CTX_set_app_data(ctx, s);
     sc->pSSLCtx = ctx;
 
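Review bot: The new `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` line is indented seven spaces where the surrounding `SSL_CTX_set_options` calls use eight. The explicit `== TRUE` test is presumably deliberate because the merged value can still be UNSET (it is initialised to UNSET in ssl_config_server_create), in which case OpenSSL's default of following the client's cipher order applies; a one-line comment, `/* UNSET or FALSE leaves OpenSSL's default (client cipher order) */`, would make that visible to the next reader. ssl_init_ConfigureServer starts and ends outside the hunk.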
Index: src/modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.25
diff -u -p -r1.25 ssl_engine_kernel.c
--- src/modules/ssl/ssl_engine_kernel.c 22 Jul 2008 11:20:10 -0000      1.25
+++ src/modules/ssl/ssl_engine_kernel.c 10 Jul 2013 08:26:47 -0000
@@ -801,9 +801,12 @@ int ssl_hook_Access(request_rec *r)
         if (skCipherOld != NULL)
             sk_SSL_CIPHER_free(skCipherOld);
         /* tracing */
-        if (renegotiate)
+        if (renegotiate) {
+           if (sc->cipher_server_pref == TRUE)
+               SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
             ssl_log(r->server, SSL_LOG_TRACE,
                     "Reconfigured cipher suite will force renegotiation");
+       }
     }
 
     /*
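Review bot: The `/* tracing */` comment that survives above the modified `if (renegotiate)` now heads a block that also applies SSL_OP_CIPHER_SERVER_PREFERENCE to the per-connection object, so it no longer describes the block; `/* apply server cipher preference for the renegotiation, then trace */` would. The added lines are also indented eleven and fifteen spaces, and the closing brace seven, where the surrounding code steps in multiples of four. This relies on `sc` and `ssl` being in scope in ssl_hook_Access, which starts and ends outside the hunk.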
