From: Kaspar Brand
aNULL
, eNULL
and EXP
ciphers are always disabledBeginning with version 2.4.7, null and export-grade
-ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
-cipher suite string with !aNULL:!eNULL:!EXP:
at initialization.
!aNULL:!eNULL:!EXP
to any cipher string at initialization.
A simpler way to look at all of this is to use the ``openssl ciphers
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 2ff312e870..43be5db720 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -709,7 +709,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
/* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
if (cmd->path) {
dc->szCipherSuite = arg;
@@ -1421,7 +1421,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
/* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
sc->proxy->auth.cipher_suite = arg;
@@ -1877,6 +1877,11 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
return err;
}
+ if (strcEQ(arg1, "CipherString")) {
+ /* always disable null and export ciphers */
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+ }
+
param = apr_array_push(sc->server->ssl_ctx_param);
param->name = arg1;
param->value = arg2;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 70bdeffcd8..05479625cc 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -730,11 +730,11 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
* Configure SSL Cipher Suite. Always disable NULL and export ciphers,
* see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
* OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
- * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+ * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so append them while we support
* earlier versions.
*/
suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
- apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+ apr_pstrcat(ptemp, SSL_DEFAULT_CIPHER_LIST, ":!aNULL:!eNULL:!EXP",
NULL);
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,