author | Joe Orton <jorton@apache.org> | 2024-05-09 11:05:38 +0200 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2024-05-09 11:05:38 +0200 |
commit | 5971ee662032d861024462a18f950e4eed4ab8ad (patch) | |
tree | 26112bb1a27010ea0b7c9f2afbbbee7dc5ccfb6d /modules/ssl | |
parent | On Linux use the real thread id via gettid() in error logging, (diff) | |
Fail if SSLInsecureRenegotiation is used with mod_ssl; CVE-2009-3555
is now approaching 15 years old.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
Fail if used.
(ssl_config_server_new, ssl_config_server_merge): Remove insecure
reneg handling.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Remove
insecure_reneg handling.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917600 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/ssl')
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 12 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 6 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 1 |
3 files changed, 1 insertions, 18 deletions
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index f68ef7e800..0f96ee8ddc 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -214,7 +214,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
     sc->vhost_id = NULL; /* set during module init */
     sc->session_cache_timeout = UNSET;
     sc->cipher_server_pref = UNSET;
-    sc->insecure_reneg = UNSET;
 #ifdef HAVE_TLSEXT
     sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
 #endif
@@ -348,7 +347,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
     cfgMerge(enabled, SSL_ENABLED_UNSET);
     cfgMergeInt(session_cache_timeout);
     cfgMergeBool(cipher_server_pref);
-    cfgMergeBool(insecure_reneg);
 #ifdef HAVE_TLSEXT
     cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
 #endif
@@ -983,14 +981,7 @@ const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
 {
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    sc->insecure_reneg = flag?TRUE:FALSE;
-    return NULL;
-#else
-    return "The SSLInsecureRenegotiation directive is not available " "with this SSL library";
-#endif
+    return "The SSLInsecureRenegotiation directive is no longer supported";
 }
@@ -2648,7 +2639,6 @@ static void ssl_srv_dump(SSLSrvConfigRec *sc, apr_pool_t *p,
     modssl_ctx_dump(sc->server, p, 0, out, indent, psep);
     DMP_LONG( "SSLSessionCacheTimeout", sc->session_cache_timeout);
-    DMP_ON_OFF("SSLInsecureRenegotiation", sc->insecure_reneg);
     DMP_ON_OFF("SSLStrictSNIVHostCheck", sc->strict_sni_vhost_check);
     DMP_ON_OFF("SSLSessionTickets", sc->session_tickets);
 }
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index f657026d13..ace87522d7 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
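Review bot: The new return line in ssl_cmd_SSLInsecureRenegotiation rejects the directive but tells the administrator nothing about the remedy, and nothing explains why a handler for an unsupported directive is kept at all. Consider `return "The SSLInsecureRenegotiation directive is no longer supported; remove it from the configuration";` together with a short comment above the function such as `/* Retained only so the directive fails with a clear message: unsafe legacy renegotiation (CVE-2009-3555) is no longer configurable. */`. Presumably the directive is still listed in the module's command table, which is outside this diff; if it were dropped there instead, this handler would become dead code, so the two should be kept in step.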
@@ -847,12 +847,6 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     }
 #endif
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-    if (sc->insecure_reneg == TRUE) {
-        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-    }
-#endif
-
     SSL_CTX_set_app_data(ctx, s);
 /*
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index e26caf04b8..2f8578be81 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -825,7 +825,6 @@ struct SSLSrvConfigRec {
     const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
     int session_cache_timeout;
     BOOL cipher_server_pref;
-    BOOL insecure_reneg;
     modssl_ctx_t *server;
 #ifdef HAVE_TLSEXT
     ssl_enabled_t strict_sni_vhost_check; |
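Review bot: Removing the SSL_CTX_set_options call leaves ssl_init_ctx_protocol with no trace of why legacy renegotiation is now always left at the library default, which is the security-relevant outcome of this change. A one-line comment where the `#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` block used to be, `/* Unsafe legacy renegotiation (CVE-2009-3555) is never enabled here; SSLInsecureRenegotiation is rejected at config-parse time. */`, would record that for the next reader. The enclosing function starts and ends outside the hunk.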