From: Yann Ylavic <ylavic@apache.org>
Date: Thu, 14 May 2015 22:38:20 +0000 (+0000)
Subject: mod_ssl: follow up to r1527291.
X-Git-Tag: 2.5.0-alpha~3150
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=69081b373926cea585347110648820b12cf153a3;p=apache

mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1679470 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 85cc8ffbbd..d48da637d6 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -750,11 +750,13 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
     /*
      *  Configure SSL Cipher Suite. Always disable NULL and export ciphers,
      *  see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
-     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
-     *  so only prepend !EXP in this case.
+     *  OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
+     *  and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+     *  earlier versions.
      */
     suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
-            apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
+            apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+                        NULL);
 
     ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                  "Configuring permitted SSL ciphers [%s]",