From 8b305c839724e92990c54c5e096330f3710e93d0 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Wed, 28 Mar 2018 15:38:51 +0000
Subject: [PATCH] On the trunk: mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity to find a better name.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                         |  5 ++++-
 modules/ssl/mod_ssl.c           | 10 ++++++++++
 modules/ssl/ssl_engine_config.c | 27 +++++++++++++++++++++++++++
 modules/ssl/ssl_engine_init.c   | 10 +++++++++-
 modules/ssl/ssl_engine_kernel.c |  6 ++++++
 modules/ssl/ssl_private.h       |  7 +++++++
 6 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3d0563f5a6..672d5b4b9d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,10 @@ Changes with Apache 2.5.1
 
   *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
-     need more sugar). [Stefan Eissing]
+     need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
+     are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
+     to find a better name.
+     [Stefan Eissing]
 
   *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
      [Eric Covener]
 
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 4f85248fd3..f8caebd889 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -100,6 +100,11 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Colon-delimited list of permitted SSL Ciphers "
                 "('XXX:...:XXX' - see manual)")
+#ifdef SSL_OP_NO_TLSv1_3
+    SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
+                "Colon-delimited list of permitted TLSv1.3 Ciphers "
+                "('XXX:...:XXX' - see manual)")
+#endif
     SSL_CMD_SRV(CertificateFile, TAKE1,
                 "SSL Server Certificate file "
                 "('/path/to/file' - PEM or DER encoded)")
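Review bot: The help text of the new SSL_CMD_SRV(CipherSuiteV1_3, ...) entry is the SSLCipherSuite text with "TLSv1.3" substituted and does not say that SSLCipherSuite leaves TLSv1.3 suites untouched, which the ssl_private.h comment in this commit gives as the very reason the directive exists. An administrator who has already hardened SSLCipherSuite will read the two entries as overlapping and may leave the library default TLSv1.3 list in force. Suggest `"Colon-delimited list of permitted TLSv1.3 Ciphers, configured separately from SSLCipherSuite "` here, and the matching wording for ProxyCipherSuiteV1_3 in the second mod_ssl.c hunk. The ssl_config_cmds[] array begins and ends outside the hunk.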
@@ -192,6 +197,11 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
                 "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                 "('XXX:...:XXX' - see manual)")
+#ifdef SSL_OP_NO_TLSv1_3
+    SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
+                "SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
+                "('XXX:...:XXX' - see manual)")
+#endif
     SSL_CMD_PXY(ProxyVerify, TAKE1,
                 "SSL Proxy: whether to verify the remote certificate "
                 "('on' or 'off')")
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 2aeb324485..83545b9369 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -140,6 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->auth.cipher_suite = NULL;
     mctx->auth.verify_depth = UNSET;
     mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
+    mctx->auth.cipher_suite_tlsv1_3 = NULL;
 
     mctx->ocsp_mask = UNSET;
     mctx->ocsp_force_default = UNSET;
@@ -284,6 +285,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
     cfgMergeString(auth.cipher_suite);
     cfgMergeInt(auth.verify_depth);
     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
+    cfgMergeString(auth.cipher_suite_tlsv1_3);
 
     cfgMergeInt(ocsp_mask);
     cfgMergeBool(ocsp_force_default);
@@ -868,6 +870,17 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
     return NULL;
 }
 
+const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd,
+                                       void *dcfg,
+                                       const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->auth.cipher_suite_tlsv1_3 = arg;
+
+    return NULL;
+}
+
 #define SSL_FLAGS_CHECK_FILE \
     (SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO)
 
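Review bot: ssl_cmd_SSLCipherSuiteV1_3 carries no comment and stores `arg` as given, so a malformed suite list is diagnosed only when ssl_init_ctx_cipher_suite() hands it to SSL_CTX_set_ciphersuites() and calls ssl_die() — presumably at post-config, not at the directive that caused it. Because the directive is registered as SSL_CMD_SRV in mod_ssl.c, `dcfg` is unused here and the value lands only in sc->server->auth, which the next reader has to reconstruct from three files. A header comment would save that lookup: `/* SSLCipherSuiteV1_3 (server scope only): stored verbatim; validated by SSL_CTX_set_ciphersuites() in ssl_init_ctx_cipher_suite(), where a bad list is fatal. */`. The same applies to ssl_cmd_SSLProxyCipherSuiteV1_3 in the next hunk.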
@@ -1613,6 +1626,17 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
     return NULL;
 }
 
+const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd,
+                                            void *dcfg,
+                                            const char *arg)
+{
+    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+    dc->proxy->auth.cipher_suite_tlsv1_3 = arg;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
                                    void *dcfg,
                                    const char *arg)
@@ -2487,6 +2511,9 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
                                  apr_file_t *out, const char *indent, const char **psep)
 {
     DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
+#ifdef SSL_OP_NO_TLSv1_3
+    DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3);
+#endif
     DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
     DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);
     DMP_STRING(proxy? "SSLProxyCACertificateFile" : "SSLCACertificateFile", auth->ca_cert_file);
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 3c8d86fcdb..4033bb7d82 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -935,7 +935,15 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
         return ssl_die(s);
     }
-
+#ifdef SSL_OP_NO_TLSv1_3
+    if (mctx->auth.cipher_suite_tlsv1_3
+        && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
+                     "Unable to configure permitted TLSv1.3 ciphers");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+        return ssl_die(s);
+    }
+#endif
     return APR_SUCCESS;
 }
 
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 305901b132..3a63da0a85 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
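Review bot: The dump labels the new setting "SSLCipherSuiteV1.3" / "SSLProxyCipherSuiteV1.3", but the directives registered in mod_ssl.c are CipherSuiteV1_3 and ProxyCipherSuiteV1_3, and the CHANGES entry names them SSL(Proxy)CipherSuiteV1_3 — underscore, not dot. Anyone grepping a configuration dump for the directive they actually wrote will miss this line. Change the two literals to `DMP_STRING(proxy? "SSLProxyCipherSuiteV1_3" : "SSLCipherSuiteV1_3", auth->cipher_suite_tlsv1_3);`. modssl_auth_ctx_dump's body continues past the hunk.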
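Review bot: The new `if` in ssl_init_ctx_cipher_suite is entered only when SSLCipherSuiteV1_3 is set, so with the directive absent the toolkit's default TLSv1.3 suites stay in force, and the check that ends just above the hunk (presumably the SSL_CTX_set_cipher_list() call) does not narrow them — the ssl_private.h comment in this commit says the two lists are independent. That is the intended design, but it is exactly what a maintainer hardening SSLCipherSuite needs spelled out here; add `/* TLSv1.3 suites are a separate list: unset means the library default applies; SSLCipherSuite above does not restrict them. */` before the `if`. The `APLOGNO()` tag is left empty, presumably for the project's numbering tooling to fill in, so until then the message has no id to look up. The guard tests SSL_OP_NO_TLSv1_3 rather than the availability of SSL_CTX_set_ciphersuites(); a toolkit that defines the option but not the function would fail to build here, which may be what the commit message's "other libs may need more sugar" anticipates. ssl_init_ctx_cipher_suite begins outside the hunk.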
@@ -188,6 +188,12 @@ static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
             || strcmp(a1->cipher_suite, a2->cipher_suite))) {
         return 0;
     }
+    /* both have the same ca cipher suite string */
+    if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3)
+        && (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3
+            || strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) {
+        return 0;
+    }
     return 1;
 }
 
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 7f016ebad0..1247ee5310 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -640,6 +640,11 @@ typedef struct {
     /** for client or downstream server authentication */
     int verify_depth;
     ssl_verify_t verify_mode;
+
+    /** TLSv1.3 has its separate cipher list, separate from the
+        settings for older TLS protocol versions. Since which one takes
+        effect is a matter of negotiation, we need separate settings */
+    const char *cipher_suite_tlsv1_3;
 } modssl_auth_ctx_t;
 
 #ifdef HAVE_TLS_SESSION_TICKETS
@@ -806,6 +811,7 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
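Review bot: The comment introducing the new check in ssl_auth_compatible reads "both have the same ca cipher suite string", but the lines below it compare cipher_suite_tlsv1_3, not a CA setting; the "ca" looks carried over from a neighbouring block. Make it `/* both have the same TLSv1.3 cipher suite string */`. The comparison itself is sound: identical pointers (including both NULL) pass, a single NULL side fails, and two non-NULL strings are compared with strcmp(), mirroring the cipher_suite check above. ssl_auth_compatible starts outside the hunk.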
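Review bot: cipher_suite_tlsv1_3 is declared in modssl_auth_ctx_t unconditionally, while the directives that set it (mod_ssl.c) and the code that applies it (ssl_engine_init.c) are under `#ifdef SSL_OP_NO_TLSv1_3`; presumably deliberate, so that the struct layout and the init, merge and compatibility code stay identical across toolkit builds, but the comment does not say so, and it uses "separate" three times in two sentences. Suggest: `/** TLSv1.3 negotiates its cipher suites from their own list, independent of the settings for older TLS versions, hence a separate field. Always present; only set and applied when the toolkit defines SSL_OP_NO_TLSv1_3. */`. The typedef's opening line is outside the hunk.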
@@ -835,6 +841,7 @@ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int fla
 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
-- 
2.50.1