From: Joe Orton Date: Fri, 8 Oct 2004 11:59:33 +0000 (+0000) Subject: Fix CAN-2004-0885: X-Git-Tag: 2.1.1~164 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0e5aa595c2a6e97a9e59664c22dfb54bdb90286a;p=apache Fix CAN-2004-0885: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite. Submitted by: Hartmut Keil , Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105396 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 34688b0570..82523e1802 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) SECURITY: CAN-2004-0885 (cve.mitre.org) + mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be + bypassed during an SSL renegotiation. PR 31505. + [Hartmut Keil , Joe Orton] + *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. PR 24437 [Jess Holle] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index d0521171a9..2a9c7a4ef8 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -443,6 +443,14 @@ static void ssl_init_ctx_protocol(server_rec *s, * Configure additional context ingredients */ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); + +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + /* + * Disallow a session from being resumed during a renegotiation, + * so that an acceptable cipher suite can be negotiated. + */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif } static void ssl_init_ctx_session_cache(server_rec *s, diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index f137223284..6557c1f383 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -733,6 +733,21 @@ int ssl_hook_Access(request_rec *r) X509_free(peercert); } } + + /* + * Also check that SSLCipherSuite has been enforced as expected. + */ + if (cipher_list) { + cipher = SSL_get_current_cipher(ssl); + if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "SSL cipher suite not renegotiated: " + "access to %s denied using cipher %s", + r->filename, + SSL_CIPHER_get_name(cipher)); + return HTTP_FORBIDDEN; + } + } } /*