httpd-cvs mailing list archives

From rj...@apache.org
Subject svn commit: r1489890 - in /httpd/httpd/branches/2.0.x: ./ docs/ docs/manual/mod/ modules/ssl/
Date Wed, 05 Jun 2013 14:44:03 GMT
Author: rjung
Date: Wed Jun  5 14:44:02 2013
New Revision: 1489890

URL: http://svn.apache.org/r1489890
Log:
mod_ssl: Backport SSLHonorCipher

PR 28665.

Backport of r103832 and r103837 from trunk.

Proposed/Backported by: rjung
Reviewed by: humbedooh, wrowe

Modified:
    httpd/httpd/branches/2.0.x/   (props changed)
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/docs/   (props changed)
    httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.html.en
    httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.h
    httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c

Propchange: httpd/httpd/branches/2.0.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r103832,103837

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Jun  5 14:44:02 2013
@@ -28,6 +28,11 @@ Changes with Apache 2.0.65
      is enabled, could allow local users to gain privileges via a .htaccess
      file. [Stefan Fritsch, Greg Ames]
 
+  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
+     OpenSSL 0.9.7 flag which uses the server's cipher order rather
+     than the client's.  PR 28665.
+     [Jim Schneider <jschneid netilla.com>]
+
   *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
      including multiple INCLUDES filters. PR 39369 [Joe Orton]
 

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Jun  5 14:44:02 2013
@@ -188,13 +188,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_ssl: Backport SSLHonorCipher
-    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=103832
-                 http://svn.apache.org/viewvc?view=revision&revision=103837
-                 http://svn.apache.org/viewvc?view=revision&revision=966160
-    Backport: http://people.apache.org/~rjung/patches/sslhonorcipher-2.0.patch
-    +1: rjung, humbedooh, wrowe
-
   * htdigest: Fix buffer overflow when reading digest
     password file with very long lines. PR 54893.
     trunk patch: https://svn.apache.org/r1475878

Propchange: httpd/httpd/branches/2.0.x/docs/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk/docs:r103837

Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.html.en?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.html.en Wed Jun  5 14:44:02 2013
@@ -56,6 +56,7 @@ to provide the cryptography engine.</p>
 <li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#sslciphersuite">SSLCipherSuite</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#sslengine">SSLEngine</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslhonorcipherorder">SSLHonorCipherOrder</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#sslinsecurerenegotiation">SSLInsecureRenegotiation</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#sslmutex">SSLMutex</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
@@ -522,6 +523,24 @@ SSLEngine on<br />
 
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
+<div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a>
<a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option
to prefer the server's cipher preference order</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder
<em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server
config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available
in Apache 2.0.65 and later, if using OpenSSL 0.9.7 or later</td></tr>
+</table>
+<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
+the client's preference is used.  If this directive is enabled, the
+server's preference will be used instead.</p>
+<div class="example"><h3>Example</h3><p><code>
+SSLHonorCipherOrder on
+</code></p></div>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
 <div class="directive-section"><h2><a name="SSLInsecureRenegotiation" id="SSLInsecureRenegotiation">SSLInsecureRenegotiation</a>
<a name="sslinsecurerenegotiation" id="sslinsecurerenegotiation">Directive</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option
to enable support for insecure renegotiation</td></tr>
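Review bot: the new directive table has Description, Syntax, Context, Status, Module and Compatibility rows but no Default row, although the code path makes the directive default to off (`sc->cipher_server_pref = UNSET` in ssl_engine_config.c and the `== TRUE` test in ssl_engine_init.c). Since mod_ssl.html.en is generated from mod_ssl.xml, add the default to the XML source and regenerate this file rather than patching the HTML by hand, so the two stay in sync.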

Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.xml?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/mod/mod_ssl.xml Wed Jun  5 14:44:02 2013
@@ -1512,6 +1512,24 @@ SSLUserName SSL_CLIENT_S_DN_CN
 </directivesynopsis>
 
 <directivesynopsis>
+<name>SSLHonorCipherOrder</name>
+<description>Option to prefer the server's cipher preference order</description>
+<syntax>SSLHonorCipherOrder <em>flag</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in Apache 2.0.65 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
+the client's preference is used.  If this directive is enabled, the
+server's preference will be used instead.</p>
+<example><title>Example</title>
+SSLHonorCipherOrder on
+</example>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>SSLInsecureRenegotiation</name>
 <description>Option to enable support for insecure renegotiation</description>
 <syntax>SSLInsecureRenegotiation <em>flag</em></syntax>
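Review bot: the `SSLHonorCipherOrder` synopsis is missing a `<default>` element; given `sc->cipher_server_pref = UNSET` and the `== TRUE` check in ssl_engine_init.c the effective default is off, so add `<default>SSLHonorCipherOrder off</default>` after the `<syntax>` line. The usage text could also mention that, when httpd is built against an SSL library without SSL_OP_CIPHER_SERVER_PREFERENCE, the directive is rejected at configuration time (that is what `ssl_cmd_SSLHonorCipherOrder` returns in the `#else` branch), which is more useful to an administrator than the Compatibility line alone.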

Modified: httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.c?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.c Wed Jun  5 14:44:02 2013
@@ -134,6 +134,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+    SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                "Use the server's cipher ordering preference")
     SSL_CMD_ALL(UserName, TAKE1,
 		"Set user name to SSL variable value")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,

Modified: httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.h?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.h (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/mod_ssl.h Wed Jun  5 14:44:02 2013
@@ -496,6 +496,7 @@ struct SSLSrvConfigRec {
     const char      *vhost_id;
     int              vhost_id_len;
     int              session_cache_timeout;
+    BOOL             cipher_server_pref;
     BOOL             insecure_reneg;
     modssl_ctx_t    *server;
     modssl_ctx_t    *proxy;
@@ -551,6 +552,7 @@ const char  *ssl_cmd_SSLCACertificatePat
 const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
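Review bot: style nit on the added prototype: `ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)` names its parameters while every neighbouring declaration in this block leaves them unnamed; `const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);` would match the surrounding convention.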

Modified: httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_config.c?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_config.c Wed Jun  5 14:44:02 2013
@@ -176,6 +176,7 @@ static SSLSrvConfigRec *ssl_config_serve
     sc->vhost_id               = NULL;  /* set during module init */
     sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
+    sc->cipher_server_pref     = UNSET;
     sc->insecure_reneg         = UNSET;
 
     modssl_ctx_init_proxy(sc, p);
@@ -261,6 +262,7 @@ void *ssl_config_server_merge(apr_pool_t
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
+    cfgMergeBool(cipher_server_pref);
     cfgMergeBool(insecure_reneg);
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -673,6 +675,17 @@ static const char *ssl_cmd_check_file(cm
 
 }
 
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->cipher_server_pref = flag?TRUE:FALSE;
+    return NULL;
+#else
+    return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
+#endif
+}
+
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
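Review bot: the error string in the `#else` branch misspells the directive as "SSLHonorCiperOrder" (missing the "h"); this text is what the administrator sees at startup when the library lacks SSL_OP_CIPHER_SERVER_PREFERENCE, so it should read "SSLHonorCipherOrder unsupported; not implemented by the SSL library". Minor: `flag?TRUE:FALSE` could be spaced as `flag ? TRUE : FALSE` to match the rest of the file.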

Modified: httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_init.c?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_init.c Wed Jun  5 14:44:02 2013
@@ -415,6 +415,12 @@ static void ssl_init_ctx_protocol(server
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
 
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    if (sc->cipher_server_pref == TRUE) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     if (sc->insecure_reneg == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);

Modified: httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c?rev=1489890&r1=1489889&r2=1489890&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c Wed Jun  5 14:44:02 2013
@@ -347,8 +347,13 @@ int ssl_hook_Access(request_rec *r)
             sk_SSL_CIPHER_free(cipher_list_old);
         }
 
-        /* tracing */
         if (renegotiate) {
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+            if (sc->cipher_server_pref == TRUE) {
+                SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
+            }
+#endif
+            /* tracing */
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                          "Reconfigured cipher suite will force renegotiation");
         }
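Review bot: the option is re-applied to the per-connection `ssl` object only inside `if (renegotiate)`, i.e. when a per-directory SSLCipherSuite forces a renegotiation; an SSL object already inherits the options set on its SSL_CTX in ssl_engine_init.c and `SSL_set_options` is additive, so this is harmless, but a one-line comment explaining why the flag is set again here (rather than relying on the context-level setting) would help future readers. Moving the `/* tracing */` comment below the new block is fine since it now sits directly above the `ap_log_error` call it describes.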


