which uses the server's cipher preference order rather than the
client's.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.
PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103832
13f79535-47bb-0310-9956-
ffa450edef68
[Remove entries to the current 2.0 section below, when backported]
+ *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
+ OpenSSL 0.9.7 flag which uses the server's cipher order rather
+ than the client's.
+ PR 28665. [Jim Shneider <jschneid netilla.com>]
+
*) mod_ssl: Drop support for the CompatEnvVars argument to
SSLOptions, which was never actually implemented in 2.0.
[Joe Orton]
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
/*
* Proxy configuration for remote SSL connections
sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET;
+ sc->cipher_server_pref = UNSET;
modssl_ctx_init_proxy(sc, p);
cfgMerge(enabled, SSL_ENABLED_UNSET);
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
+ cfgMergeBool(cipher_server_pref);
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
}
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->cipher_server_pref = flag?TRUE:FALSE;
+ return NULL;
+#else
+ return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
+#endif
+}
+
static const char *ssl_cmd_check_dir(cmd_parms *parms,
const char **dir)
{
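Review bot: The error string on the `#else` path at line 50 misspells the directive as `SSLHonorCiperOrder`, so an administrator searching the startup error for the directive they actually wrote will not find it; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. The handler also has no header comment, and since it compiles to two very different bodies depending on the OpenSSL build, a one-liner such as `/* SSLHonorCipherOrder on|off: prefer the server's cipher order over the client's; rejected at config time when the SSL library lacks SSL_OP_CIPHER_SERVER_PREFERENCE */` would make that visible at the definition. `dcfg` is unused on both paths, which is fine for a per-server directive but worth a `(void)dcfg;` if the build enables unused-parameter warnings.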
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
}
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+ }
+#endif
+
SSL_CTX_set_app_data(ctx, s);
/*
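Review bot: The `== TRUE` comparison at line 62 is load-bearing but undocumented: cipher_server_pref starts as UNSET in ssl_config_server_create and is merged with cfgMergeBool, so if UNSET is a non-zero sentinel a plain truth test here would silently enable the option on every unconfigured vhost. A comment such as `/* UNSET != TRUE: an unconfigured vhost keeps OpenSSL's default (client cipher order) */` would stop a later cleanup from simplifying the test. It is also worth noting beside the SSL_CTX_set_options call that SSL_OP_CIPHER_SERVER_PREFERENCE only yields stronger negotiated ciphers when SSLCipherSuite itself lists ciphers in preference order, since the option merely makes the server's list order win. ssl_init_ctx_protocol begins before this hunk.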
const char *vhost_id;
int vhost_id_len;
int session_cache_timeout;
+ BOOL cipher_server_pref;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
};
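Review bot: The new `cipher_server_pref` member at line 73 carries no comment, while the other fields this commit touches in ssl_config_server_create are annotated with how they are set; `BOOL cipher_server_pref; /* SSLHonorCipherOrder: TRUE/FALSE, UNSET until configured */` would record the three-valued contract that ssl_init_ctx_protocol relies on when it compares against TRUE instead of testing truthiness. The enclosing struct's header is outside this hunk.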
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
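Review bot: The prototype added at line 80 names its parameters (`cmd`, `dcfg`, `flag`) while every neighbouring ssl_cmd_* declaration in this header leaves them unnamed; for consistency with the surrounding declarations it should read `const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);`. Either form is correct C, so this is a style point only.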