httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 28665] New: - mod_ssl ignores server cipher preferences
Date Wed, 28 Apr 2004 16:17:33 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28665>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28665

mod_ssl ignores server cipher preferences

           Summary: mod_ssl ignores server cipher preferences
           Product: Apache httpd-2.0
           Version: 2.0-HEAD
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jschneid@netilla.com


This has been kicking around the net for years, so I have a patch to fix it. 
This patch needs to be applied in the modules/ssl directory, and it creates a
new configuration directive - "SSLHonorCipherOrder", which takes a boolean
value.  If "SSLHonorCipherOrder" is true, the server prefers its own ordering
for cipher selection (as set by the "SSLCipherSuite" directive).  If it's set to
false (or absent), the historical behavior of prefering the client cipher
ordering is used.  

Note that the patch checks for the availability of the
SSL_OP_CIPHER_SERVER_PREFERENCE define, so it's safe to use (but ignored) even
if   you're using an ancient version of OpenSSL that doesn't support this.

Patch follows:
--<cut here>--
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c       2003/04/10 19:09:56     1.1.1.2
+++ modules/ssl/mod_ssl.c       2004/04/28 15:57:20
@@ -167,6 +167,10 @@
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+    SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                "Use the server's cipher ordering preference")

     /*
      * Proxy configuration for remote SSL connections
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h       2003/06/05 20:51:17     1.1.1.3
+++ modules/ssl/mod_ssl.h       2004/04/28 15:57:21
@@ -514,6 +514,9 @@
     SSLModConfigRec *mc;
     BOOL             enabled;
     BOOL             proxy_enabled;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    BOOL             bHonorCipherOrder;
+#endif
     const char      *vhost_id;
     int              vhost_id_len;
     int              session_cache_timeout;
@@ -574,6 +577,9 @@
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);
 const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c     2003/04/10 19:09:56     1.1.1.2
+++ modules/ssl/ssl_engine_config.c     2004/04/28 15:57:21
@@ -212,7 +212,9 @@
     sc->vhost_id               = NULL;  /* set during module init */
     sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
-
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    sc->bHonorCipherOrder      = UNSET;
+#endif
     modssl_ctx_init_proxy(sc, p);

     modssl_ctx_init_server(sc, p);
@@ -296,6 +298,9 @@
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    cfgMergeBool(bHonorCipherOrder);
+#endif

     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);

@@ -662,6 +667,18 @@

     return NULL;
 }
+
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+        "ssl_cmd_SSLHonorCipherOrder: Setting bHonorCipherOrder to %s",
+       flag?"TRUE":"FALSE");
+    sc->bHonorCipherOrder = flag?TRUE:FALSE;
+#endif
+    return NULL;
+}

 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c       2003/06/05 20:51:17     1.1.1.3
+++ modules/ssl/ssl_engine_init.c       2004/04/28 15:57:21
@@ -416,6 +416,9 @@
     SSL_METHOD *method = NULL;
     char *cp;
     int protocol = mctx->protocol;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(s);
+#endif

     /*
      *  Create the new per-server SSL context
@@ -464,6 +467,11 @@
     if (!(protocol & SSL_PROTOCOL_TLSV1)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    if(TRUE == sc->bHonorCipherOrder) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif

     SSL_CTX_set_app_data(ctx, s);
--<cut here>--

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message