On the trunk:

mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 672d5b4b9d1287552efd6dd72243c8dfe664f7f7..8e64e1a8755e6002888e85980ea1b2e3083f33a4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,9 +2,8 @@
 Changes with Apache 2.5.1
 
   *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
-     need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
-     are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
-     to find a better name.
+     need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the
+     protocol the ciphers are for.
      [Stefan Eissing]
 
   *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index a5a4172f6932afe592d6ffce1283dbf34fe79984..5ad451e524a8bf20763c116cb66a9647f09c5113 100644 (file)
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -650,6 +650,11 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
     A revision of the TLS 1.1 protocol, as defined in
     <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
 
+<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later)
+    <p>
+    A new version of the TLS protocol, as defined in
+    <a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li>
+
 <li><code>all</code>
     <p>
     This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
@@ -670,7 +675,7 @@ SSLProtocol TLSv1
 <name>SSLCipherSuite</name>
 <description>Cipher Suite available for negotiation in SSL
 handshake</description>
-<syntax>SSLCipherSuite <em>cipher-spec</em></syntax>
+<syntax>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
 <default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
 <contextlist><context>server config</context>
 <context>virtual host</context>
@@ -682,12 +687,25 @@ handshake</description>
 <p>
 This complex directive uses a colon-separated <em>cipher-spec</em> string
 consisting of OpenSSL cipher specifications to configure the Cipher Suite the
-client is permitted to negotiate in the SSL handshake phase. Notice that this
-directive can be used both in per-server and per-directory context. In
-per-server context it applies to the standard SSL handshake when a connection
+client is permitted to negotiate in the SSL handshake phase. The optional 
+protocol specifier can configure the Cipher Suite for a specific SSL version.
+Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2. 
+<p>
+Notice that this
+directive can be used both in per-server and per-directory context. 
+In per-server context it applies to the standard SSL handshake when a connection
 is established. In per-directory context it forces a SSL renegotiation with the
 reconfigured Cipher Suite after the HTTP request was read but before the HTTP
-response is sent.</p>
+response is sent. (Since renegotiation is not</p>
+<p>
+If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol 
+specifier "TLSv1.3" can be used to configure the cipher suites for that protocol.
+Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in
+a directory context is not allowed.</p>
+<p>
+For a list of TLSv1.3 cipher names, see 
+<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL
+documentation</a>.</p>
 <p>
 An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
 attributes plus a few extra minor ones:</p>
@@ -2071,7 +2089,7 @@ for additional information.
 <name>SSLProxyCipherSuite</name>
 <description>Cipher Suite available for negotiation in SSL
 proxy handshake</description>
-<syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax>
+<syntax>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
 <default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default>
 <contextlist><context>server config</context> <context>virtual host</context>
 <context>proxy section</context></contextlist>

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index f8caebd889bf71c558c6bef573621ee48d59d4da..5e7c165e1e26d98eefe5fd2ebd57fc958d9b9bf7 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -97,14 +97,9 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(FIPS, FLAG,
                 "Enable FIPS-140 mode "
                 "(`on', `off')")
-    SSL_CMD_ALL(CipherSuite, TAKE1,
-                "Colon-delimited list of permitted SSL Ciphers "
-                "('XXX:...:XXX' - see manual)")
-#ifdef SSL_OP_NO_TLSv1_3
-    SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
-                "Colon-delimited list of permitted TLSv1.3 Ciphers "
-                "('XXX:...:XXX' - see manual)")
-#endif
+    SSL_CMD_ALL(CipherSuite, TAKE12,
+                "Colon-delimited list of permitted SSL Ciphers, optional preceeded "
+                "by protocol identifier ('XXX:...:XXX' - see manual)")
     SSL_CMD_SRV(CertificateFile, TAKE1,
                 "SSL Server Certificate file "
                 "('/path/to/file' - PEM or DER encoded)")
@@ -194,14 +189,9 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
-    SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
+    SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
-               "('XXX:...:XXX' - see manual)")
-#ifdef SSL_OP_NO_TLSv1_3
-    SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
-               "SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
-               "('XXX:...:XXX' - see manual)")
-#endif
+               ", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)")
     SSL_CMD_PXY(ProxyVerify, TAKE1,
                "SSL Proxy: whether to verify the remote certificate "
                "('on' or 'off')")

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 83545b9369abb1d72e7dde6e0d966749fd32b944..c6ff191b56662776ea804b7a6a0b6171109dbc4d 100644 (file)
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -140,7 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->auth.cipher_suite   = NULL;
     mctx->auth.verify_depth   = UNSET;
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
-    mctx->auth.cipher_suite_tlsv1_3 = NULL;
+    mctx->auth.tls13_ciphers = NULL;
 
     mctx->ocsp_mask           = UNSET;
     mctx->ocsp_force_default  = UNSET;
@@ -285,7 +285,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
     cfgMergeString(auth.cipher_suite);
     cfgMergeInt(auth.verify_depth);
     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
-    cfgMergeString(auth.cipher_suite_tlsv1_3);
+    cfgMergeString(auth.tls13_ciphers);
 
     cfgMergeInt(ocsp_mask);
     cfgMergeBool(ocsp_force_default);
@@ -501,7 +501,7 @@ void ssl_config_proxy_merge(apr_pool_t *p,
 */
 
 static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name,
-                       int protocols, const char *ciphers, 
+                       int protocols, const char *ssl_ciphers, const char *tls13_ciphers, 
                        int honor_order, int compression, int session_tickets)
 {
     SSLPolicyRec *policy;
@@ -510,13 +510,15 @@ static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name,
     policy->name = name;
     policy->sc = ssl_config_server_new(p);
     
-    if (protocols || ciphers) {
+    if (protocols) {
         policy->sc->server->protocol_set      = 1;
         policy->sc->server->protocol          = protocols;
     }
-    
-    if (ciphers) {
-        policy->sc->server->auth.cipher_suite = ciphers;
+    if (ssl_ciphers) {
+        policy->sc->server->auth.cipher_suite = ssl_ciphers;
+    }
+    if (tls13_ciphers) {
+        policy->sc->server->auth.tls13_ciphers = tls13_ciphers;
     }
 
 #ifndef OPENSSL_NO_COMP
@@ -542,7 +544,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create)
 #if SSL_POLICY_MODERN
         add_policy(policies, p, "modern", 
                    SSL_POLICY_MODERN_PROTOCOLS, 
-                   SSL_POLICY_MODERN_CIPHERS, 
+                   SSL_POLICY_MODERN_SSL_CIPHERS, 
+                   SSL_POLICY_MODERN_TLS13_CIPHERS, 
                    SSL_POLICY_HONOR_ORDER, 
                    SSL_POLICY_COMPRESSION, 
                    SSL_POLICY_SESSION_TICKETS);
@@ -550,7 +553,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create)
 #if SSL_POLICY_INTERMEDIATE
         add_policy(policies, p, "intermediate", 
                    SSL_POLICY_INTERMEDIATE_PROTOCOLS, 
-                   SSL_POLICY_INTERMEDIATE_CIPHERS, 
+                   SSL_POLICY_INTERMEDIATE_SSL_CIPHERS, 
+                   SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS, 
                    SSL_POLICY_HONOR_ORDER, 
                    SSL_POLICY_COMPRESSION, 
                    SSL_POLICY_SESSION_TICKETS);
@@ -558,7 +562,8 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create)
 #if SSL_POLICY_OLD
         add_policy(policies, p, "old", 
                    SSL_POLICY_OLD_PROTOCOLS, 
-                   SSL_POLICY_OLD_CIPHERS, 
+                   SSL_POLICY_OLD_SSL_CIPHERS, 
+                   SSL_POLICY_OLD_TLS13_CIPHERS, 
                    SSL_POLICY_HONOR_ORDER, 
                    SSL_POLICY_COMPRESSION, 
                    SSL_POLICY_SESSION_TICKETS);
@@ -852,33 +857,37 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
 
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
-                                   const char *arg)
+                                   const char *arg1, const char *arg2)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 
-    /* always disable null and export ciphers */
-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-
-    if (cmd->path) {
-        dc->szCipherSuite = arg;
+    if (arg2 == NULL) {
+        arg2 = arg1;
+        arg1 = "SSL";
     }
-    else {
-        sc->server->auth.cipher_suite = arg;
+    
+    if (!strcmp("SSL", arg1)) {
+        /* always disable null and export ciphers */
+        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+        if (cmd->path) {
+            dc->szCipherSuite = arg2;
+        }
+        else {
+            sc->server->auth.cipher_suite = arg2;
+        }
+        return NULL;
     }
-
-    return NULL;
-}
-
-const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd,
-                                      void *dcfg,
-                                      const char *arg)
-{
-    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-
-    sc->server->auth.cipher_suite_tlsv1_3 = arg;
-
-    return NULL;
+#ifdef SSL_OP_NO_TLSv1_3
+    else if (!strcmp("TLSv1.3", arg1)) {
+        if (cmd->path) {
+            return "TLSv1.3 ciphers cannot be set inside a directory context";
+        }
+        sc->server->auth.tls13_ciphers = arg2;
+        return NULL;
+    }
+#endif
+    return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
 }
 
 #define SSL_FLAGS_CHECK_FILE \
@@ -1614,27 +1623,28 @@ const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,
 
 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
                                         void *dcfg,
-                                        const char *arg)
+                                        const char *arg1, const char *arg2)
 {
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-
-    /* always disable null and export ciphers */
-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-
-    dc->proxy->auth.cipher_suite = arg;
-
-    return NULL;
-}
-
-const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd,
-                                            void *dcfg,
-                                            const char *arg)
-{
-    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-
-    dc->proxy->auth.cipher_suite_tlsv1_3 = arg;
-
-    return NULL;
+    
+    if (arg2 == NULL) {
+        arg2 = arg1;
+        arg1 = "SSL";
+    }
+    
+    if (!strcmp("SSL", arg1)) {
+        /* always disable null and export ciphers */
+        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+        dc->proxy->auth.cipher_suite = arg2;
+        return NULL;
+    }
+#ifdef SSL_OP_NO_TLSv1_3
+    else if (!strcmp("TLSv1.3", arg1)) {
+        dc->proxy->auth.tls13_ciphers = arg2;
+        return NULL;
+    }
+#endif
+    return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
 }
 
 const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
@@ -2512,7 +2522,10 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
 {
     DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
 #ifdef SSL_OP_NO_TLSv1_3
-    DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3);
+    if (auth->tls13_ciphers) {
+        DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", 
+            apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL));
+    }
 #endif
     DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
     DMP_LONG(  proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 4033bb7d82583eaa05b99dfe820a4814b3aad0b9..35553f5eaf6e7be6b89590492585fdd0d06a4afd 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -936,8 +936,8 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
         return ssl_die(s);
     }
 #ifdef SSL_OP_NO_TLSv1_3
-    if (mctx->auth.cipher_suite_tlsv1_3 
-        && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) {
+    if (mctx->auth.tls13_ciphers 
+        && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
                 "Unable to configure permitted TLSv1.3 ciphers");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 3a63da0a85ed885c34a293a0c25652d0a053010f..36ed3c80c13bd5309089191942168d73bf934e24 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -189,9 +189,9 @@ static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
         return 0;
     }
     /* both have the same ca cipher suite string */
-    if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3)
-        && (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3 
-            || strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) {
+    if ((a1->tls13_ciphers != a2->tls13_ciphers)
+        && (!a1->tls13_ciphers || !a2->tls13_ciphers 
+            || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
         return 0;
     }
     return 1;

diff --git a/modules/ssl/ssl_policies.h b/modules/ssl/ssl_policies.h
index 0e9575678ba0e333b9dbf66d4e8119a32a70ae78..dd5d60726b620af7b3badb049afca196072ec4eb 100644 (file)
--- a/modules/ssl/ssl_policies.h
+++ b/modules/ssl/ssl_policies.h
@@ -65,18 +65,21 @@
 
 #ifdef HAVE_TLSV1_X
 #define SSL_POLICY_MODERN    1
-#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+#define SSL_POLICY_MODERN_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+#define SSL_POLICY_MODERN_TLS13_CIPHERS NULL
 #define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
 #else /* ifdef HAVE_TLSV1_X */
 #define SSL_POLICY_MODERN    0
 #endif /* ifdef HAVE_TLSV1_X, else part */
 
 #define SSL_POLICY_INTERMEDIATE    1
-#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+#define SSL_POLICY_INTERMEDIATE_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+#define SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS NULL
 #define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3))
 
 #define SSL_POLICY_OLD    1
-#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
+#define SSL_POLICY_OLD_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
+#define SSL_POLICY_OLD_TLS13_CIPHERS NULL
 #define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3))
 
 

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 1247ee53107ec06e8b0561a55a0d68494458b8d9..cf5025788b3c41b05677aab6dfe0047e7c1ed6eb 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -644,7 +644,7 @@ typedef struct {
     /** TLSv1.3 has its separate cipher list, separate from the
      settings for older TLS protocol versions. Since which one takes
      effect is a matter of negotiation, we need separate settings */
-    const char  *cipher_suite_tlsv1_3;
+    const char  *tls13_ciphers;
 } modssl_auth_ctx_t;
 
 #ifdef HAVE_TLS_SESSION_TICKETS
@@ -810,8 +810,7 @@ const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -840,8 +839,7 @@ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int fla
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
 const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);

diff --git a/modules/ssl/update_policies.py b/modules/ssl/update_policies.py
index 9df5869532af9c5474893f6fa550a1c1af2d8991..c4a8fa978c8a387f2b5b8b11f86f3e0cb2197be6 100644 (file)
--- a/modules/ssl/update_policies.py
+++ b/modules/ssl/update_policies.py
@@ -99,7 +99,9 @@ def printPolicies(doc):
             print "#ifdef %s" % ifdef
             
         print "#define %s    1" % prefix
-        print "#define %s_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS])
+        print "#define %s_SSL_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS])
+        # Mozilla has not specced this yet
+        print "#define %s_TLS13_CIPHERS NULL" % (prefix)
         print "#define %s_PROTOCOLS %s" % (prefix, proto_conf(p[KEY_TLS_VERSIONS]))
         
         if ifdef: