- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers
for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527291 13f79535-47bb-0310-9956-ffa450edef68
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ /* always disable null and export ciphers */
+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
if (cmd->path) {
dc->szCipherSuite = arg;
}
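Review bot: The comment on the added `apr_pstrcat` line says what is prepended but not why prepending alone is enough to enforce it against an administrator-supplied list; in OpenSSL's cipher-list syntax a `!` entry deletes those ciphers permanently, so a later positive entry in `arg` (for example a bare `ALL` or `aNULL`) cannot bring them back, which is the property this change relies on. Suggest `/* always disable null and export ciphers; '!' is permanent in OpenSSL cipher-list syntax, so nothing later in arg can re-enable them */`. The same comment applies to the identical line in the SSLProxyCipherSuite hunk below. ssl_cmd_SSLCipherSuite continues outside the hunk, so the server-wide branch that presumably stores `arg` when `cmd->path` is unset is not visible here.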
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ /* always disable null and export ciphers */
+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
sc->proxy->auth.cipher_suite = arg;
return NULL;
/*
* Configure SSL Cipher Suite. Always disable NULL and export ciphers,
- * no matter what SSLCipherSuite directive is appearing in the config.
+ * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
+ * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
+ * so only prepend !EXP in this case.
*/
- suite = apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", mctx->auth.cipher_suite ?
- mctx->auth.cipher_suite : SSL_DEFAULT_CIPHER_LIST,
- NULL);
+ suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
+ apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"Configuring permitted SSL ciphers [%s]",
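Review bot: The default branch of the new `suite` assignment prepends only `!EXP:` and, per the rewritten comment, trusts SSL_DEFAULT_CIPHER_LIST to already carry `!aNULL:!eNULL`; that macro's contents differ between OpenSSL releases, so the hardening on the default path now depends on which library the module is built against rather than on this code. Since `!` is permanent and harmless when the cipher is already excluded, keeping the full prefix costs nothing: `apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);`. The configured branch now passes `mctx->auth.cipher_suite` through untouched, which is correct only if every path that populates it goes through the prepending directive handlers; if any other writer exists (not visible here), that path would lose the exclusion. The enclosing function starts and ends outside the hunk.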
#define SSL_AIDX_MAX (2)
#endif
-
-/**
- * Define IDs for the temporary RSA keys and DH params
- */
-
-#define SSL_TMP_KEY_RSA_512 (0)
-#define SSL_TMP_KEY_RSA_1024 (1)
-#define SSL_TMP_KEY_DH_512 (2)
-#define SSL_TMP_KEY_DH_1024 (3)
-#ifndef OPENSSL_NO_EC
-#define SSL_TMP_KEY_EC_256 (4)
-#define SSL_TMP_KEY_MAX (5)
-#else
-#define SSL_TMP_KEY_MAX (4)
-#endif
-
/**
* Define the SSL options
*/