From 8ad013bf7bfe3cfa3701fd2abc19ea8c9c6bd408 Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Mon, 18 May 2015 11:07:07 +0000
Subject: [PATCH] Merge r1679470 from trunk: mod_ssl: follow up to r1527291. Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was not yet included by default.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679989 13f79535-47bb-0310-9956-ffa450edef68
---
 STATUS | 7 -------
 modules/ssl/ssl_engine_init.c | 8 +++++---
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/STATUS b/STATUS
index 5c05cf4ec2..ebbad96ada 100644
--- a/STATUS
+++ b/STATUS
@@ -105,13 +105,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for - SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was - not yet included by default (follow up to merge r1542327 in 2.4.7). - trunk patch: http://svn.apache.org/r1679470 - 2.4.x patch: trunk works (modulo CHANGES) - +1: ylavic, wrowe, jim - *) mod_dir: backport r1679620 which reverts r1675103. This change makes FallBackResource hijack requests that mod_autoindex might want to handle later.
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 931011c6c9..46e022c3de 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -725,11 +725,13 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
 /*
 * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
 * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
- * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
- * so only prepend !EXP in this case.
+ * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f,
+ * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support
+ * earlier versions.
 */
 suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
- apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
+ apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST,
+ NULL);
 
 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
 "Configuring permitted SSL ciphers [%s]",
-- 
2.40.0
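Review bot: The exclusion prefix `"!aNULL:!eNULL:!EXP:"` is a bare string literal inside the apr_pstrcat() call, while the comment above it relies on ssl_engine_config.c:ssl_cmd_SSLCipherSuite() applying the same exclusions to an explicitly configured SSL[Proxy]CipherSuite; if both sites carry their own copy of the list, a future addition to one can silently miss the other. A single shared macro used at both sites, e.g. `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"` (name is a placeholder), would keep the default and the directive path in step. The comment could also record why prepending is sufficient rather than just necessary: `* '!' entries are permanent in an OpenSSL cipher string, so nothing later in SSL_DEFAULT_CIPHER_LIST can re-enable these ciphers.` The enclosing ssl_init_ctx_cipher_suite() begins before and continues past this hunk, so how the ptemp-allocated `suite` string is consumed afterwards is not visible here.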