httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From minf...@apache.org
Subject svn commit: r917044 - in /httpd/httpd/branches/2.2.x: ./ docs/manual/mod/ modules/ssl/
Date Sat, 27 Feb 2010 21:00:59 GMT
Author: minfrin
Date: Sat Feb 27 21:00:58 2010
New Revision: 917044

URL: http://svn.apache.org/viewvc?rev=917044&view=rev
Log:
Backport:
mod_ssl: Add SSLInsecureRenegotiation directive.
+1: jorton, trawick, minfrin

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Feb 27 21:00:58 2010
@@ -35,6 +35,10 @@
      desired. Fix the default value of the SSIAccessEnable directive.
      [Graham Leggett]
 
+  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
+     allows insecure renegotiation with clients which do not yet
+     support the secure renegotiation protocol.  [Joe Orton]
+
   *) core: Fix potential memory leaks by making sure to not destroy
      bucket brigades that have been created by earlier filters.
      [Stefan Fritsch]

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sat Feb 27 21:00:58 2010
@@ -87,20 +87,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_ssl: Add SSLInsecureRenegotiation directive.
-      Trunk version of patch:
-        http://svn.apache.org/viewcvs.cgi?rev=906039&view=rev
-        http://svn.apache.org/viewcvs.cgi?rev=906057&view=rev
-        http://svn.apache.org/viewcvs.cgi?rev=906485&view=rev
-        http://svn.apache.org/viewcvs.cgi?rev=906491&view=rev
-        http://svn.apache.org/viewcvs.cgi?rev=908015&view=rev
-        http://svn.apache.org/viewcvs.cgi?rev=916733&view=rev
-        http://svn.apache.org/viewcvs.cgi?rev=916817&view=rev
-      Backport version for 2.2.x of patch:
-        http://people.apache.org/~jorton/ms_reneg22_v2.diff
-      +1: jorton, trawick, minfrin
-      minfrin: needs docs, on the case
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Sat Feb 27 21:00:58 2010
@@ -1808,4 +1808,46 @@
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLInsecureRenegotiation</name>
+<description>Option to enable support for insecure renegotiation</description>
+<syntax>SSLInsecureRenegotiation <em>flag</em></syntax>
+<default>SSLInsecureRenegotiation off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 1.0.0 Beta 5 or later</compatibility>
+
+<usage>
+<p>As originally specified, all versions of the SSL and TLS protocols
+(up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle
+attack
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>)
+during a renegotiation.  This vulnerability allowed an attacker to
+"prefix" a chosen plaintext to the HTTP request as seen by the web
+server.  A protocol extension was developed which fixed this
+vulnerability if supported by both client and server.</p>
+
+<p>If <module>mod_ssl</module> is linked against OpenSSL version 1.0.0
+Beta 5 or later, by default renegotiation is only supported with
+clients supporting the new protocol extension.  If this directive is
+enabled, renegotiation will be allowed with old (unpatched) clients,
+albeit insecurely.</p>
+
+<note type="warning"><title>Security warning</title>
+<p>If this directive is enabled, SSL connections will be vulnerable to
+the Man-in-the-Middle prefix attack as described
+in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p>
+</note>
+
+<example><title>Example</title>
+SSLInsecureRenegotiation on
+</example>
+
+<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
+from an SSI or CGI script to determine whether secure renegotiation is
+supported for a given SSL connection.</p>
+
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>

Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Sat Feb 27 21:00:58 2010
@@ -143,6 +143,8 @@
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+                "Enable support for insecure renegotiation")
     SSL_CMD_ALL(UserName, TAKE1,
                 "Set user name to SSL variable value")
     SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Sat Feb 27 21:00:58 2010
@@ -169,6 +169,7 @@
     sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
     sc->cipher_server_pref     = UNSET;
+    sc->insecure_reneg         = UNSET;
     sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
     sc->proxy_ssl_check_peer_cn     = SSL_ENABLED_UNSET;
 #ifndef OPENSSL_NO_TLSEXT
@@ -262,6 +263,7 @@
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
     cfgMergeBool(cipher_server_pref);
+    cfgMergeBool(insecure_reneg);
     cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
     cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
 #ifndef OPENSSL_NO_TLSEXT
@@ -688,6 +690,19 @@
 #endif
 }
 
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->insecure_reneg = flag?TRUE:FALSE;
+    return NULL;
+#else
+    return "The SSLInsecureRenegotiation directive is not available "
+        "with this SSL library";
+#endif
+}
+
+
 static const char *ssl_cmd_check_dir(cmd_parms *parms,
                                      const char **dir)
 {

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Sat Feb 27 21:00:58 2010
@@ -394,6 +394,7 @@
     MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
     char *cp;
     int protocol = mctx->protocol;
+    SSLSrvConfigRec *sc = mySrvConfig(s);
 
     /*
      *  Create the new per-server SSL context
@@ -444,11 +445,14 @@
     }
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-    {
-        SSLSrvConfigRec *sc = mySrvConfig(s);
-        if (sc->cipher_server_pref == TRUE) {
-            SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-        }
+    if (sc->cipher_server_pref == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    if (sc->insecure_reneg == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
     }
 #endif
 

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c Sat Feb 27 21:00:58 2010
@@ -760,10 +760,17 @@
                 r->connection->keepalive = AP_CONN_CLOSE;
             }
 
-            /* do a full renegotiation */
+            /* Perform a full renegotiation. */
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                          "Performing full renegotiation: "
-                          "complete handshake protocol");
+                          "Performing full renegotiation: complete handshake "
+                          "protocol (%s support secure renegotiation)",
+#if defined(SSL_get_secure_renegotiation_support)
+                          SSL_get_secure_renegotiation_support(ssl) ? 
+                          "client does" : "client does not"
+#else
+                          "server does not"
+#endif
+                );
 
             SSL_set_session_id_context(ssl,
                                        (unsigned char *)&id,
@@ -779,6 +786,7 @@
             if (SSL_get_state(ssl) != SSL_ST_OK) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                               "Re-negotiation request failed");
+                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
 
                 r->connection->aborted = 1;
                 return HTTP_FORBIDDEN;
@@ -1067,6 +1075,7 @@
     "SSL_VERSION_INTERFACE",
     "SSL_VERSION_LIBRARY",
     "SSL_PROTOCOL",
+    "SSL_SECURE_RENEG",
     "SSL_COMPRESS_METHOD",
     "SSL_CIPHER",
     "SSL_CIPHER_EXPORT",
@@ -1171,6 +1180,12 @@
         }
     }
 
+
+#ifdef SSL_get_secure_renegotiation_support
+    apr_table_setn(r->notes, "ssl-secure-reneg", 
+                   SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
+#endif
+
     return DECLINED;
 }
 

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c Sat Feb 27 21:00:58 2010
@@ -326,6 +326,14 @@
                                                    TLSEXT_NAMETYPE_host_name));
     }
 #endif
+    else if (ssl != NULL && strcEQ(var, "SECURE_RENEG")) {
+        int flag = 0;
+#ifdef SSL_get_secure_renegotiation_support
+        flag = SSL_get_secure_renegotiation_support(ssl);
+#endif
+        result = apr_pstrdup(p, flag ? "true" : "false");
+    }                             
+
     return result;
 }
 

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Sat Feb 27 21:00:58 2010
@@ -471,6 +471,7 @@
     int              vhost_id_len;
     int              session_cache_timeout;
     BOOL             cipher_server_pref;
+    BOOL             insecure_reneg;
     modssl_ctx_t    *server;
     modssl_ctx_t    *proxy;
     ssl_enabled_t    proxy_ssl_check_peer_expire;
@@ -545,6 +546,7 @@
 const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);



Mime
View raw message