PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
- SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
- not yet included by default (follow up to merge r1542327 in 2.4.7).
- trunk patch: http://svn.apache.org/r1679470
- 2.4.x patch: trunk works (modulo CHANGES)
- +1: ylavic, wrowe, jim
-
*) mod_dir: backport r1679620 which reverts r1675103. This change makes
FallBackResource hijack requests that mod_autoindex might want to handle
later.
/*
* Configure SSL Cipher Suite. Always disable NULL and export ciphers,
* see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
- * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
- * so only prepend !EXP in this case.
+ * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
+ * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+ * earlier versions.
*/
suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
- apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
+ apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+ NULL);
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"Configuring permitted SSL ciphers [%s]",
projects / apache / commitdiff