From jor...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl ssl_engine_init.c ssl_engine_kernel.c
Date Fri, 08 Oct 2004 11:59:33 GMT
jorton      2004/10/08 04:59:33

  Modified:    .        CHANGES
               modules/ssl ssl_engine_init.c ssl_engine_kernel.c
  Log:
  Fix CAN-2004-0885:
  
  * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
  correct cipher suite has been negotiated, else deny access.
  
  * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
  0.9.7, prevent session resumption during a renegotiation to force the
  client to negotiate a new (and acceptable) cipher suite.
  
  Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
  
  Revision  Changes    Path
  1.1609    +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1608
  retrieving revision 1.1609
  diff -d -w -u -r1.1608 -r1.1609
  --- CHANGES	4 Oct 2004 23:43:19 -0000	1.1608
  +++ CHANGES	8 Oct 2004 11:59:32 -0000	1.1609
  @@ -2,6 +2,11 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) SECURITY: CAN-2004-0885 (cve.mitre.org)
  +     mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
  +     bypassed during an SSL renegotiation.  PR 31505.  
  +     [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
  +
     *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
        library handles special characters. PR 24437 [Jess Holle]
   
  
  
  
  1.129     +8 -0      httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.128
  retrieving revision 1.129
  diff -d -w -u -r1.128 -r1.129
  --- ssl_engine_init.c	3 Jun 2004 13:03:08 -0000	1.128
  +++ ssl_engine_init.c	8 Oct 2004 11:59:32 -0000	1.129
  @@ -443,6 +443,14 @@
        * Configure additional context ingredients
        */
       SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
  +
  +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  +    /* 
  +     * Disallow a session from being resumed during a renegotiation,
  +     * so that an acceptable cipher suite can be negotiated.
  +     */
  +    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  +#endif
   }
   
   static void ssl_init_ctx_session_cache(server_rec *s,
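Review bot: When `SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` is undefined (OpenSSL before 0.9.7, per the log message) the new `#ifdef` block compiles to nothing, and the fix then depends entirely on the post-renegotiation cipher check in ssl_hook_Access; that weaker fallback is invisible in the code. I would add an `#else` branch carrying only a comment, e.g. `#else /* pre-0.9.7 OpenSSL: a resumed session keeps its old cipher, so ssl_hook_Access must reject an unacceptable one */`. The added comment would also read better if it said why resumption matters: a resumed session never renegotiates, so the new SSLCipherSuite is never applied to it. ssl_init_ctx_protocol's body begins outside the hunk.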
  
  
  
  1.111     +15 -0     httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.110
  retrieving revision 1.111
  diff -d -w -u -r1.110 -r1.111
  --- ssl_engine_kernel.c	18 Aug 2004 11:05:22 -0000	1.110
  +++ ssl_engine_kernel.c	8 Oct 2004 11:59:33 -0000	1.111
  @@ -733,6 +733,21 @@
                   X509_free(peercert);
               }
           }
  +        
  +        /*
  +         * Also check that SSLCipherSuite has been enforced as expected.
  +         */
  +        if (cipher_list) {
  +            cipher = SSL_get_current_cipher(ssl);
  +            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
  +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  +                             "SSL cipher suite not renegotiated: "
  +                             "access to %s denied using cipher %s",
  +                              r->filename,
  +                              SSL_CIPHER_get_name(cipher));
  +                return HTTP_FORBIDDEN;
  +            }
  +        }
       }
   
       /*
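Review bot: The result of `cipher = SSL_get_current_cipher(ssl);` is handed to `sk_SSL_CIPHER_find` without a NULL check; a NULL cipher is probably impossible once the renegotiation above has completed, but nothing in the hunk shows that, and the stack comparison would dereference it before `SSL_CIPHER_get_name` (which tolerates NULL) is reached. A defensive `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {` keeps the denial path unchanged while not relying on handshake state established elsewhere. The new block comment could name the threat being closed, e.g. `/* A client that resumed a session or ignored the renegotiation keeps its old cipher; deny access unless the negotiated cipher is in the per-location cipher list */` (where cipher_list comes from is outside the hunk, so adjust the wording). The added line after the closing brace carries only trailing whitespace. ssl_hook_Access begins and ends outside the hunk, and `cipher` and `cipher_list` are declared there.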
  
  
  
