mod_ssl: follow up to r1527291.

author Yann Ylavic <ylavic@apache.org>

Thu, 14 May 2015 22:38:20 +0000 (22:38 +0000)

committer Yann Ylavic <ylavic@apache.org>

Thu, 14 May 2015 22:38:20 +0000 (22:38 +0000)
author Yann Ylavic <ylavic@apache.org>
Thu, 14 May 2015 22:38:20 +0000 (22:38 +0000)
committer Yann Ylavic <ylavic@apache.org>
Thu, 14 May 2015 22:38:20 +0000 (22:38 +0000)
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 85cc8ffbbdfb18f152bb9bf1f814d17737b5badf..d48da637d6a53b2128376a3f1692576299fa0a18 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -750,11 +750,13 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
      /*
       *  Configure SSL Cipher Suite. Always disable NULL and export ciphers,
       *  see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
-     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
-     *  so only prepend !EXP in this case.
+     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
+     *  and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+     *  earlier versions.
       */
      suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
-            apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
+            apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+                        NULL);
  
      ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                   "Configuring permitted SSL ciphers [%s]",
author	Yann Ylavic <ylavic@apache.org>
	Thu, 14 May 2015 22:38:20 +0000 (22:38 +0000)
committer	Yann Ylavic <ylavic@apache.org>
	Thu, 14 May 2015 22:38:20 +0000 (22:38 +0000)