From f1e767fd68f4d8f0edc54ca25c3f3cc4f9c19a1b Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 3 Feb 2010 13:38:09 +0000
Subject: [PATCH] New releases of OpenSSL will only allow secure renegotiation by default. Add an "SSLInsecureRenegotiation" directive to enable renegotiation against unpatched clients, to ease transition:

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new, ssl_config_server_merge): Handle the insecure_reneg flag. (ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.c | 2 ++
 modules/ssl/ssl_engine_config.c | 14 ++++++++++++++
 modules/ssl/ssl_engine_init.c | 14 +++++++++-----
 modules/ssl/ssl_engine_kernel.c | 13 ++++++++++---
 modules/ssl/ssl_private.h | 2 ++
 5 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 8ec003395c..80b5cb8568 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -123,6 +123,8 @@ static const command_rec ssl_config_cmds[] = {
 "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
 SSL_CMD_SRV(HonorCipherOrder, FLAG,
 "Use the server's cipher ordering preference")
+ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+ "Enable support for insecure renegotiation")
 SSL_CMD_ALL(UserName, TAKE1,
 "Set user name to SSL variable value")
 SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index d02c38e5be..81982aa54b 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
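Review bot: The help string added for the new directive, `"Enable support for insecure renegotiation"`, does not tell an operator that this is a transitional compatibility switch that weakens the TLS connection, and `httpd -L` output is often the only documentation an administrator reads. Suggest `"Enable support for insecure renegotiation (compatibility with unpatched clients only; disable once clients are updated)"`. The ssl_config_cmds array continues outside this hunk.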
@@ -185,6 +185,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
 sc->vhost_id_len = 0; /* set during module init */
 sc->session_cache_timeout = UNSET;
 sc->cipher_server_pref = UNSET;
+ sc->insecure_reneg = UNSET;
 sc->ssl_log_level = SSL_LOG_UNSET;
 sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
 sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
@@ -294,6 +295,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
 cfgMergeBool(proxy_enabled);
 cfgMergeInt(session_cache_timeout);
 cfgMergeBool(cipher_server_pref);
+ cfgMergeBool(insecure_reneg);
 cfgMerge(ssl_log_level, SSL_LOG_UNSET);
 cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
 cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
@@ -628,6 +630,18 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 #endif
 }
 
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->insecure_reneg = flag?TRUE:FALSE;
+ return NULL;
+#else
+ return "SSLInsecureRenegotiation is not supported by the SSL library";
+#endif
+}
+
+
 static const char *ssl_cmd_check_dir(cmd_parms *parms,
 const char **dir)
 {
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 00d07967e5..c8380128f9 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -414,6 +414,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
 MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
 char *cp;
 int protocol = mctx->protocol;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
 
 /*
 * Create the new per-server SSL context
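Review bot: ssl_cmd_SSLInsecureRenegotiation is added without a comment saying what the flag actually turns on, which matters here because the value later selects SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION and thereby re-admits renegotiation with clients that lack the secure-renegotiation extension. Suggest a header comment above the function: `/* SSLInsecureRenegotiation on|off: when on, ssl_init_ctx_protocol sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION so renegotiation with clients lacking secure-renegotiation support is accepted. Transitional only. */`. Rejecting the directive in the `#else` branch when the library has no such option, rather than silently accepting it, is the right choice and mirrors the SSLHonorCipherOrder handler above it. Minor style point: `flag?TRUE:FALSE` omits the spaces around `?` and `:` that the surrounding file presumably uses; `flag ? TRUE : FALSE` would match.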
@@ -473,11 +474,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
 }
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
- {
- SSLSrvConfigRec *sc = mySrvConfig(s);
- if (sc->cipher_server_pref == TRUE) {
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ if (sc->insecure_reneg == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
 }
 #endif
 
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index c9cd164661..6571cf6424 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -764,10 +764,17 @@ int ssl_hook_Access(request_rec *r)
 r->connection->keepalive = AP_CONN_CLOSE;
 }
 
- /* do a full renegotiation */
+ /* Perform a full renegotiation. */
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Performing full renegotiation: "
- "complete handshake protocol");
+ "Performing full renegotiation: complete handshake "
+ "protocol (%s support secure renegotiation)",
+#if defined(SSL_get_secure_renegotiation_support)
+ SSL_get_secure_renegotiation_support(ssl) ?
+ "client does" : "client does not"
+#else
+ "server does not"
+#endif
+ );
 
 SSL_set_session_id_context(ssl,
 (unsigned char *)&id,
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 0bea8508e1..fbd33bf7e8 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -507,6 +507,7 @@ struct SSLSrvConfigRec {
 int vhost_id_len;
 int session_cache_timeout;
 BOOL cipher_server_pref;
+ BOOL insecure_reneg;
 modssl_ctx_t *server;
 modssl_ctx_t *proxy;
 ssl_log_level_e ssl_log_level;
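Review bot: The new `if (sc->insecure_reneg == TRUE)` block sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION without leaving any trace in the log, so an operator who inherits this configuration has no way short of reading httpd.conf to learn that the server was started with the weaker renegotiation policy. Suggest adding, inside that `if`, `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "SSLInsecureRenegotiation is on: renegotiation with clients lacking secure renegotiation support will be accepted");`, using the `s` already in scope from the signature. Since this function is keyed on `mctx`, it is presumably also run for the proxy context, in which case the option would apply to outbound connections as well; confirm that is intended. The body of ssl_init_ctx_protocol continues outside this hunk.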
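Review bot: The `"client does not"` case of the new log message is the one operators actually need to see, yet it is emitted at APLOG_DEBUG just like the success case, so renegotiations that proceed only because SSLInsecureRenegotiation is on leave no trace in a normally configured log. Suggest evaluating the support check once and choosing the level from it inside the `#if defined(SSL_get_secure_renegotiation_support)` branch: `int secure = SSL_get_secure_renegotiation_support(ssl);` followed by `ap_log_rerror(APLOG_MARK, secure ? APLOG_DEBUG : APLOG_WARNING, 0, r, ...)` with the existing message text. That gives an administrator the evidence needed to find which clients still require the transitional directive and when it can be switched off. ssl_hook_Access starts and ends outside this hunk.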
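Review bot: The new `insecure_reneg` field is the only member in this part of SSLSrvConfigRec whose name does not make its effect obvious, and it has no comment; a reader cannot tell that TRUE means SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set on the context. Suggest `BOOL insecure_reneg; /* SSLInsecureRenegotiation: permit renegotiation with clients lacking secure-reneg support */`.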
@@ -580,6 +581,7 @@ const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
 
-- 
2.40.0