From: Joe Orton Date: Thu, 3 Jun 2004 13:03:08 +0000 (+0000) Subject: Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag X-Git-Tag: pre_ajp_proxy~200 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e9ef26208528ca4d7a7a4593773589239f74bc0a;p=apache Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag which uses the server's cipher preference order rather than the client's. * modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add cipher_server_pref field. * modules/ssl/ssl_engine_config.c (ssl_config_server_create, ssl_config_server_merge): Initialize and merge cipher_server_pref field. (ssl_cmd_SSLHonorCipherOrder): New function. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the context option SSL_OP_CIPHER_SERVER_PREFERENCE when required. PR: 28665 Submitted by: Jim Shneider git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103832 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c2c7dca656..a5d84d3b42 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the + OpenSSL 0.9.7 flag which uses the server's cipher order rather + than the client's. + PR 28665. [Jim Shneider ] + *) mod_ssl: Drop support for the CompatEnvVars argument to SSLOptions, which was never actually implemented in 2.0. [Joe Orton] diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 4c8fb13e34..748f3b286c 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -134,6 +134,8 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_SRV(Protocol, RAW_ARGS, "Enable or disable various SSL protocols" "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") + SSL_CMD_SRV(HonorCipherOrder, FLAG, + "Use the server's cipher ordering preference") /* * Proxy configuration for remote SSL connections 
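Review bot: The help string for the new HonorCipherOrder entry does not tell the administrator that the directive is rejected at startup on an SSL library lacking SSL_OP_CIPHER_SERVER_PREFERENCE, which the commit message ties to OpenSSL 0.9.7; since this one-liner is what the server's directive listing shows, I'd extend it to `"Use the server's cipher ordering preference (requires OpenSSL 0.9.7 or later)"`. The command table continues outside the hunk, so I can't see whether a cipher-suite entry sits nearby that the help text could cross-reference.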
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 42128b2d90..5fe54a8406 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -175,6 +175,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) sc->vhost_id = NULL; /* set during module init */ sc->vhost_id_len = 0; /* set during module init */ sc->session_cache_timeout = UNSET; + sc->cipher_server_pref = UNSET; modssl_ctx_init_proxy(sc, p); @@ -259,6 +260,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) cfgMerge(enabled, SSL_ENABLED_UNSET); cfgMergeBool(proxy_enabled); cfgMergeInt(session_cache_timeout); + cfgMergeBool(cipher_server_pref); modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); @@ -664,6 +666,17 @@ static const char *ssl_cmd_check_file(cmd_parms *parms, } +const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag) +{ +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + sc->cipher_server_pref = flag?TRUE:FALSE; + return NULL; +#else + return "SSLHonorCiperOrder unsupported; not implemented by the SSL library"; +#endif +} + static const char *ssl_cmd_check_dir(cmd_parms *parms, const char **dir) { diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e2c29b448b..d0521171a9 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -428,6 +428,15 @@ static void ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); } +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + { + SSLSrvConfigRec *sc = mySrvConfig(s); + if (sc->cipher_server_pref == TRUE) { + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } + } +#endif + SSL_CTX_set_app_data(ctx, s); /* diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 246c8c4214..8b79b7e7e0 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h 
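Review bot: The error string returned from the `#else` branch of ssl_cmd_SSLHonorCipherOrder misspells the directive as `SSLHonorCiperOrder`, so an administrator on an older OpenSSL build gets a name that matches nothing in their configuration; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. A one-line comment above the `#ifdef` noting that the option only exists from OpenSSL 0.9.7 (per the commit message) would explain why a plain FLAG directive can fail at configuration time. Since the field is merged with cfgMergeBool, a value set in the base server is inherited by every virtual host that does not set it explicitly, which is worth stating in the directive's documentation.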
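Review bot: Setting SSL_OP_CIPHER_SERVER_PREFERENCE is only a hardening gain if the configured SSLCipherSuite list is itself ordered with the preferred ciphers first, because the "server preference" OpenSSL enforces is simply the order of that list; nothing in the hunk says so, and I'd add above the block `/* Server preference means the SSLCipherSuite order: only useful if that list is ordered strongest-first. */`. ssl_init_ctx_protocol's signature is outside the hunk, so I can't tell whether this function also initialises the proxy (client-side) context; if it does, the option is set there as well, which is harmless as far as I know but makes the intent less obvious, and a comment or guard limiting it to the server context would be clearer. Per OpenSSL's documentation of this option, as I recall, it governs SSLv3/TLSv1 negotiation only and SSLv2 still lets the client pick, so the directive's documentation should say SSLv2 is not covered.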
@@ -434,6 +434,7 @@ struct SSLSrvConfigRec { const char *vhost_id; int vhost_id_len; int session_cache_timeout; + BOOL cipher_server_pref; modssl_ctx_t *server; modssl_ctx_t *proxy; }; @@ -487,6 +488,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
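Review bot: The new `cipher_server_pref` field has tri-state semantics (it starts as UNSET in ssl_config_server_new, is merged with cfgMergeBool, and is only acted on when it compares equal to TRUE in ssl_init_ctx_protocol) but carries no comment, unlike the neighbouring vhost_id fields; I'd write `BOOL cipher_server_pref; /* SSLHonorCipherOrder: UNSET/TRUE/FALSE; TRUE sets SSL_OP_CIPHER_SERVER_PREFERENCE */`. The struct definition begins before the hunk.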
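Review bot: The prototype added for ssl_cmd_SSLHonorCipherOrder names its parameters (`cmd_parms *cmd, void *dcfg, int flag`) while every neighbouring ssl_cmd_* declaration in this hunk omits them; for consistency with the file's style I'd declare it as `const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);`. Its placement between the CARevocationFile and VerifyClient entries is also a little arbitrary; grouping it with the protocol/cipher command declarations, which the command table in mod_ssl.c does, would make it easier to find, though those declarations are outside the hunk.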