httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yla...@apache.org
Subject svn commit: r1679470 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Date Thu, 14 May 2015 22:38:20 GMT
Author: ylavic
Date: Thu May 14 22:38:20 2015
New Revision: 1679470

URL: http://svn.apache.org/r1679470
Log:
mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1679470&r1=1679469&r2=1679470&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu May 14 22:38:20 2015
@@ -750,11 +750,13 @@ static apr_status_t ssl_init_ctx_cipher_
     /*
      *  Configure SSL Cipher Suite. Always disable NULL and export ciphers,
      *  see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
-     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
-     *  so only prepend !EXP in this case.
+     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
+     *  and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+     *  earlier versions.
      */
     suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
-            apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
+            apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+                        NULL);
 
     ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                  "Configuring permitted SSL ciphers [%s]",



Mime
View raw message