author | Kaspar Brand <kbrand@apache.org> | 2013-09-29 11:36:31 +0200 |
---|---|---|
committer | Kaspar Brand <kbrand@apache.org> | 2013-09-29 11:36:31 +0200 |
commit | 056e10bb4f529eea2e9e1a178c628b0eefa02b92 (patch) | |
tree | abd09e879cb7839b9810dbcdcb55c77541f11e1c | |
parent | Follow up to r1526666: (diff) | |
Follow-up fixes for r1526168:
- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers
for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527291 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 6 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 9 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 16 |
3 files changed, 11 insertions, 20 deletions
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index e6e4d9b76e..9734106e99 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -651,6 +651,9 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 
+    /* always disable null and export ciphers */
+    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
     if (cmd->path) {
         dc->szCipherSuite = arg;
     }
@@ -1397,6 +1400,9 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
+    /* always disable null and export ciphers */
+    arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
     sc->proxy->auth.cipher_suite = arg;
 
     return NULL;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 025be3c71e..0ba6375f36 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -668,11 +668,12 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
 
     /*
      * Configure SSL Cipher Suite. Always disable NULL and export ciphers,
-     * no matter what SSLCipherSuite directive is appearing in the config.
+     * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite().
+     * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL,
+     * so only prepend !EXP in this case.
      */
-    suite = apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", mctx->auth.cipher_suite ?
-                        mctx->auth.cipher_suite : SSL_DEFAULT_CIPHER_LIST,
-                        NULL);
+    suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite :
+            apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL);
 
     ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
                  "Configuring permitted SSL ciphers [%s]",
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index ef14f7ad5a..0e9fd70aba 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
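Review bot: The added comment above the apr_pstrcat() call in ssl_cmd_SSLCipherSuite says what is excluded but not why the prefix position matters, which is the security property this hunk relies on: in OpenSSL cipher-string syntax a `!` entry is a permanent exclusion that later entries in the same string cannot re-add, so placing it in front is what makes a user-supplied `aNULL`, `eNULL` or `EXP` further along in `arg` ineffective. I'd extend the comment to `/* Always disable null and export ciphers: "!" exclusions are permanent in OpenSSL cipher strings, so nothing later in arg can re-enable them */`. Because the prefix is applied before the `cmd->path` test, the per-directory `dc->szCipherSuite` carries it as well; whatever consumer later passes that string to OpenSSL (presumably a per-connection cipher-list call, outside this hunk) therefore needs no prefix of its own. ssl_cmd_SSLCipherSuite starts before the hunk and its server-wide branch continues after it.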
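Review bot: The two lines added to ssl_cmd_SSLProxyCipherSuite repeat the literal `"!aNULL:!eNULL:!EXP:"` and its comment verbatim from ssl_cmd_SSLCipherSuite, and the same policy is spelled out a third time in ssl_engine_init.c; three copies of one security invariant are three places for it to drift. I'd lift the string into a single macro in ssl_private.h, e.g. `#define SSL_CIPHERS_ALWAYS_EXCLUDED "!aNULL:!eNULL:!EXP:"`, and have both handlers call `arg = apr_pstrcat(cmd->pool, SSL_CIPHERS_ALWAYS_EXCLUDED, arg, NULL);` (and the init-time default use it too), so a future addition such as `!LOW` lands everywhere at once. The handler stores the result in `sc->proxy->auth.cipher_suite` unconditionally, so unlike the server directive there is no per-directory branch to cover here; the function's closing brace lies after the hunk.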
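Review bot: The new default branch `apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL)` now depends on the OpenSSL headers' definition of SSL_DEFAULT_CIPHER_LIST containing `!aNULL:!eNULL`, which the new comment asserts but nothing in the code checks; if I remember correctly that macro has varied between OpenSSL releases (0.9.8-era definitions used `!ADH` rather than `!aNULL`, which does not cover anonymous ECDH), so if httpd still builds against such a version the anonymous-ECDH suites are no longer excluded when no SSLCipherSuite is configured. Since `!` exclusions are idempotent, keeping the full prefix costs nothing and removes the version dependence: `apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL)`, after which the comment needs no claim about OpenSSL's default. Separately, when `mctx->auth.cipher_suite` is set this function now applies no exclusion at all, so the "always disable" invariant holds only if every writer of `auth.cipher_suite` goes through the two patched directive handlers; I cannot see other writers from here, and the comment should say that this is the assumption. ssl_init_ctx_cipher_suite starts before and continues after this hunk.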
@@ -312,22 +312,6 @@ typedef int ssl_algo_t;
 #define SSL_AIDX_MAX (2)
 #endif
 
-
-/**
- * Define IDs for the temporary RSA keys and DH params
- */
-
-#define SSL_TMP_KEY_RSA_512 (0)
-#define SSL_TMP_KEY_RSA_1024 (1)
-#define SSL_TMP_KEY_DH_512 (2)
-#define SSL_TMP_KEY_DH_1024 (3)
-#ifndef OPENSSL_NO_EC
-#define SSL_TMP_KEY_EC_256 (4)
-#define SSL_TMP_KEY_MAX (5)
-#else
-#define SSL_TMP_KEY_MAX (4)
-#endif
-
 /**
  * Define the SSL options
  */