From: Kaspar Brand Date: Sat, 12 Sep 2015 15:33:28 +0000 (+0000) Subject: Append :!aNULL:!eNULL:!EXP to the cipher string settings, X-Git-Tag: 2.5.0-alpha~2855 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0a30649059c400515677e2e8905ddc04127ab84d;p=apache Append :!aNULL:!eNULL:!EXP to the cipher string settings, instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7 and later). Enables support for configuring the SUITEB* cipher strings introduced in OpenSSL 1.0.2. PR 58213. Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1702643 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 674f509312..0fa36abfe9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
+ instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
+ and later). Enables support for configuring the SUITEB* cipher
+ strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
+
 *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime
 are loaded. [Eric Covener]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index b1b2134e40..7e6f4829fd 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -742,8 +742,8 @@ prefixes are:

<code>aNULL</code>, <code>eNULL</code> and <code>EXP</code> ciphers are always disabled

Beginning with version 2.4.7, null and export-grade
-ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
-cipher suite string with !aNULL:!eNULL:!EXP: at initialization.

+ciphers are always disabled, as mod_ssl unconditionally adds
+!aNULL:!eNULL:!EXP to any cipher string at initialization.

A simpler way to look at all of this is to use the ``openssl ciphers
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index af79ad5179..c9012beb55 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -671,7 +671,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
 if (cmd->path) {
 dc->szCipherSuite = arg;
@@ -1394,7 +1394,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
 sc->proxy->auth.cipher_suite = arg;
@@ -1850,6 +1850,11 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
 return err;
 }
+ if (strcEQ(arg1, "CipherString")) {
+ /* always disable null and export ciphers */
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+ }
+
 param = apr_array_push(sc->server->ssl_ctx_param);
 param->name = arg1;
 param->value = arg2;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ff02a76faf..04ca2e603c 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
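Review bot: The comment kept above the changed apr_pstrcat() call in the `@@ -671` hunk, `/* always disable null and export ciphers */`, no longer answers the question this line now raises: why the exclusions trail the user's string instead of leading it. OpenSSL applies `!` removals regardless of where they appear in the list, so appending is no weaker than prepending, while the 1.0.2 SUITEB* strings only take effect as a leading prefix; I'd extend it to `/* always disable null and export ciphers; appended rather than prepended so that SUITEB* prefixes keep working -- '!' removals apply wherever they appear */`. The same literal and the same bare comment are repeated in the `@@ -1394` and `@@ -1850` hunks of this file and in the ssl_engine_init.c hunk, so a single shared definition in the module's private header (name to be chosen, e.g. a `SSL_CIPHERS_ALWAYS_DISABLED`-style constant) would keep the four copies from drifting apart in a later change. The enclosing ssl_cmd_SSLCipherSuite() body begins before the hunk and continues past it.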
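Review bot: The new guard in the `@@ -1850` hunk, `if (strcEQ(arg1, "CipherString"))`, compares case-sensitively, but SSL_CONF_cmd(3) documents configuration-file command names as case-insensitive, so a directive written as `SSLOpenSSLConfCmd cipherstring ...` (or any other casing) would be accepted by OpenSSL yet bypass the suffix and leave aNULL/eNULL/EXP ciphers admissible, which is exactly what SSLCipherSuite can no longer do. Assuming mod_ssl drives SSL_CONF_cmd in file mode (which the directive's semantics suggest; worth confirming against the SSL_CONF_CTX flags set where the parameters are applied), the check should match the same way: `if (strcaseEQ(arg1, "CipherString")) {`. ssl_cmd_SSLOpenSSLConfCmd()'s argument validation and return lie outside the hunk.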
@@ -768,11 +768,11 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
 * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
 * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
 * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
- * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+ * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so append them while we support
 * earlier versions.
 */
 suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
- apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+ apr_pstrcat(ptemp, SSL_DEFAULT_CIPHER_LIST, ":!aNULL:!eNULL:!EXP",
 NULL);
 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,