From: Kaspar Brand
Date: Sun, 29 Sep 2013 09:36:31 +0000 (+0000)
Subject: Follow-up fixes for r1526168:
X-Git-Tag: 2.5.0-alpha~4996
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=056e10bb4f529eea2e9e1a178c628b0eefa02b92;p=apache

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527291 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index e6e4d9b76e..9734106e99 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -651,6 +651,9 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 
+    /* always disable null and export ciphers */
+    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
     if (cmd->path) {
         dc->szCipherSuite = arg;
     }
@@ -1397,6 +1400,9 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
+    /* always disable null and export ciphers */
+    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
     sc->proxy->auth.cipher_suite = arg;
 
     return NULL;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 025be3c71e..0ba6375f36 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
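Review bot: The exclusion prefix `"!aNULL:!eNULL:!EXP:"` is now a literal repeated in ssl_cmd_SSLCipherSuite, in ssl_cmd_SSLProxyCipherSuite (the second hunk of this file) and, in part, in ssl_init_ctx_cipher_suite in ssl_engine_init.c; one shared definition in ssl_private.h, e.g. `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"` (name constructed here), would keep the three sites from drifting when another class needs to be excluded later. Prepending rather than appending is the right choice, because in OpenSSL cipher-string syntax a `!` entry removes the ciphers permanently and nothing later in `arg` can re-add them, but that is the whole reason the hardening holds and it deserves to be stated where it is relied on, e.g. `/* "!" removes permanently in cipher strings, so nothing in arg can re-enable these */` in place of the added comment. Both enclosing functions start and continue outside the hunks.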
@@ -668,11 +668,12 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
 
     /*
      * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
-     * no matter what SSLCipherSuite directive is appearing in the config.
+     * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
+     * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
+     * so only prepend !EXP in this case.
      */
-    suite = apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", mctx->auth.cipher_suite ?
-                        mctx->auth.cipher_suite : SSL_DEFAULT_CIPHER_LIST,
-                        NULL);
+    suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
+            apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
 
     ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                  "Configuring permitted SSL ciphers [%s]",
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index ef14f7ad5a..0e9fd70aba 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -312,22 +312,6 @@ typedef int ssl_algo_t;
 #define SSL_AIDX_MAX (2)
 #endif
-
-/**
- * Define IDs for the temporary RSA keys and DH params
- */
-
-#define SSL_TMP_KEY_RSA_512 (0)
-#define SSL_TMP_KEY_RSA_1024 (1)
-#define SSL_TMP_KEY_DH_512 (2)
-#define SSL_TMP_KEY_DH_1024 (3)
-#ifndef OPENSSL_NO_EC
-#define SSL_TMP_KEY_EC_256 (4)
-#define SSL_TMP_KEY_MAX (5)
-#else
-#define SSL_TMP_KEY_MAX (4)
-#endif
-
 /**
  * Define the SSL options
  */
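Review bot: The fallback branch now depends on the linked OpenSSL's definition of SSL_DEFAULT_CIPHER_LIST excluding aNULL and eNULL, which is a property of the library build rather than of this code; since a `!` entry for a cipher that is already absent is harmless, keeping `apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL)` costs nothing and removes that dependency. The rewritten comment still says the exclusion is always applied, but for a configured suite that is now true only because ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite prepend it at config time, so any other writer of `mctx->auth.cipher_suite`, if one exists, would bypass it; the comment should say that the guarantee is delegated to those directives rather than enforced here, e.g. ` * A configured suite is trusted as-is: the SSLCipherSuite/SSLProxyCipherSuite handlers already prepend the exclusions.` ssl_init_ctx_cipher_suite starts and continues outside the hunk.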