Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/28 18:17:33 UTC
DO NOT REPLY [Bug 28665] New: - mod_ssl ignores server cipher preferences
http://issues.apache.org/bugzilla/show_bug.cgi?id=28665
Summary: mod_ssl ignores server cipher preferences
Product: Apache httpd-2.0
Version: 2.0-HEAD
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: jschneid@netilla.com
This has been kicking around the net for years, so I have a patch to fix it.
This patch needs to be applied in the modules/ssl directory, and it creates a
new configuration directive - "SSLHonorCipherOrder", which takes a boolean
value. If "SSLHonorCipherOrder" is true, the server prefers its own ordering
for cipher selection (as set by the "SSLCipherSuite" directive). If it's set to
false (or absent), the historical behavior of preferring the client cipher
ordering is used.
Note that the patch checks for the availability of the
SSL_OP_CIPHER_SERVER_PREFERENCE define, so it's safe to use (but ignored) even
if you're using an ancient version of OpenSSL that doesn't support this.
Patch follows:
--<cut here>--
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c 2003/04/10 19:09:56 1.1.1.2
+++ modules/ssl/mod_ssl.c 2004/04/28 15:57:20
@@ -167,6 +167,10 @@
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
/*
* Proxy configuration for remote SSL connections
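Review bot: the directive is registered unconditionally here, but ssl_cmd_SSLHonorCipherOrder does nothing when SSL_OP_CIPHER_SERVER_PREFERENCE is not defined, so on an old OpenSSL "SSLHonorCipherOrder on" is accepted and silently ignored; have the handler return an error string (or at least log at APLOG_WARNING) in that case so operators do not believe server ordering is enforced. The new directive also needs an entry in the mod_ssl documentation next to SSLCipherSuite and SSLProtocol, stating that the default is off.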
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h 2003/06/05 20:51:17 1.1.1.3
+++ modules/ssl/mod_ssl.h 2004/04/28 15:57:21
@@ -514,6 +514,9 @@
SSLModConfigRec *mc;
BOOL enabled;
BOOL proxy_enabled;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ BOOL bHonorCipherOrder;
+#endif
const char *vhost_id;
int vhost_id_len;
int session_cache_timeout;
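Review bot: guarding the struct member with #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE forces every later reference to bHonorCipherOrder to carry the same guard (this patch adds four more such blocks); declaring `BOOL bHonorCipherOrder;` unconditionally and guarding only the SSL_CTX_set_options call in ssl_engine_init.c would be simpler and harder to get wrong. Since the flag only affects the server-side context, it may also belong in the per-context structure that ssl_engine_init.c reaches through mctx, alongside protocol, rather than in SSLSrvConfigRec.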
@@ -574,6 +577,9 @@
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);
const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c 2003/04/10 19:09:56 1.1.1.2
+++ modules/ssl/ssl_engine_config.c 2004/04/28 15:57:21
@@ -212,7 +212,9 @@
sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET;
-
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ sc->bHonorCipherOrder = UNSET;
+#endif
modssl_ctx_init_proxy(sc, p);
modssl_ctx_init_server(sc, p);
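Review bot: the removed blank line (the lone `-` at the top of the hunk) is an unrelated whitespace change; keep it and add the #ifdef block after it so the diff stays minimal. Initialising to UNSET is right for cfgMergeBool, but ssl_engine_init.c tests `TRUE == sc->bHonorCipherOrder`, so an unset flag behaves as off; make that default explicit in the directive's documentation.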
@@ -296,6 +298,9 @@
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ cfgMergeBool(bHonorCipherOrder);
+#endif
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -662,6 +667,18 @@
return NULL;
}
+
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "ssl_cmd_SSLHonorCipherOrder: Setting bHonorCipherOrder to %s",
+ flag?"TRUE":"FALSE");
+ sc->bHonorCipherOrder = flag?TRUE:FALSE;
+#endif
+ return NULL;
+}
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
void *dcfg,
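Review bot: when SSL_OP_CIPHER_SERVER_PREFERENCE is undefined this handler accepts the directive and returns NULL without doing anything, so a configuration that says "SSLHonorCipherOrder on" runs with client-preferred ordering and no indication that the setting was dropped; return an error from an #else branch (for example "SSLHonorCipherOrder is not supported by this version of OpenSSL") or at minimum log a warning. The APLOG_DEBUG line on every config parse adds little (the directive itself records the setting) and can go, `dcfg` is unused, and a blank line is missing between the closing brace and ssl_cmd_SSLCipherSuite.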
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c 2003/06/05 20:51:17 1.1.1.3
+++ modules/ssl/ssl_engine_init.c 2004/04/28 15:57:21
@@ -416,6 +416,9 @@
SSL_METHOD *method = NULL;
char *cp;
int protocol = mctx->protocol;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+#endif
/*
* Create the new per-server SSL context
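Review bot: this function already receives a per-context mctx (the code below reads mctx->protocol) and is reached for both the server context and the proxy client context, so fetching the server config with mySrvConfig(s) here mixes the two levels; keeping the flag in the structure mctx points to would let it be applied from mctx like the protocol bits and would remove this extra #ifdef'd local.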
@@ -464,6 +467,11 @@
if (!(protocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
}
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if(TRUE == sc->bHonorCipherOrder) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
SSL_CTX_set_app_data(ctx, s);
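Review bot: `if(TRUE == sc->bHonorCipherOrder)` departs from the file's style; write `if (sc->bHonorCipherOrder == TRUE)` or simply `if (sc->bHonorCipherOrder)` since both UNSET and FALSE mean off. Because this runs for every context the function builds, the option is also set on the proxy client context; that is harmless, as OpenSSL only consults SSL_OP_CIPHER_SERVER_PREFERENCE when it is the server side of a handshake, but a one-line comment saying so would save the next reader the question.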
--<cut here>--
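An added illustration of what the directive changes (this is not code from the bug report, from mod_ssl or from OpenSSL): the selection rule below models how OpenSSL picks a cipher with and without SSL_OP_CIPHER_SERVER_PREFERENCE, on the assumption that it walks one side's list in order and takes the first suite the other side also offers. The cipher lists are constructed for the example. The last two helpers operate on a real Python ssl context, where the same OpenSSL option is exposed as ssl.OP_CIPHER_SERVER_PREFERENCE, to show how the flag is cleared (pre-patch mod_ssl behaviour) and set (the equivalent of "SSLHonorCipherOrder on").

```python
"""Client-preferred versus server-preferred cipher selection.

Added example, not the reporter's patch and not OpenSSL code.  choose_cipher()
is a model of OpenSSL's selection (assumption: the "priority" side's list is
walked in order and the first suite the other side allows wins); the ssl
context helpers use the real OP_CIPHER_SERVER_PREFERENCE flag.
"""
import ssl
from typing import Dict, Optional, Sequence, Tuple

# Constructed server list, in the order an SSLCipherSuite directive would
# rank them (strongest first, weak suites still allowed at the tail).
SERVER_PREFERENCE = [
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
]

# Constructed client offers.  The first is a client (or an attacker rewriting
# the ClientHello) that lists a weak suite ahead of a strong one.
WEAK_FIRST_CLIENT = ["RC4-MD5", "EXP-RC4-MD5", "AES256-SHA"]
STRONG_FIRST_CLIENT = ["AES256-SHA", "RC4-MD5"]
EXPORT_ONLY_CLIENT = ["EXP-RC4-MD5"]
NO_OVERLAP_CLIENT = ["NULL-MD5"]


def choose_cipher(server_prefs: Sequence[str], client_offered: Sequence[str],
                  honor_server_order: bool) -> Optional[str]:
    """Return the negotiated suite, or None when the lists do not overlap.

    honor_server_order=False: historical mod_ssl behaviour, the client's order
    decides.  honor_server_order=True: SSL_OP_CIPHER_SERVER_PREFERENCE
    semantics, the server's order decides.
    """
    if honor_server_order:
        priority, allowed = server_prefs, set(client_offered)
    else:
        priority, allowed = client_offered, set(server_prefs)
    for suite in priority:
        if suite in allowed:
            return suite
    return None


def negotiation_table(server_prefs: Sequence[str],
                      clients: Dict[str, Sequence[str]]
                      ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Negotiate each client both ways: {name: (client order, server order)}."""
    return {name: (choose_cipher(server_prefs, offered, False),
                   choose_cipher(server_prefs, offered, True))
            for name, offered in clients.items()}


def honors_server_order(ctx: ssl.SSLContext) -> bool:
    """True when the context carries the OpenSSL option the patch sets."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def context_without_server_preference() -> ssl.SSLContext:
    """Server context with the option cleared: the pre-patch mod_ssl state."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def context_with_server_preference() -> ssl.SSLContext:
    """Server context with the option set: "SSLHonorCipherOrder on"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


if __name__ == "__main__":
    clients = {
        "weak first": WEAK_FIRST_CLIENT,
        "strong first": STRONG_FIRST_CLIENT,
        "export only": EXPORT_ONLY_CLIENT,
        "no overlap": NO_OVERLAP_CLIENT,
    }
    for name, (client_wins, server_wins) in \
            negotiation_table(SERVER_PREFERENCE, clients).items():
        print(f"{name:13s} client order -> {client_wins!s:12s} "
              f"server order -> {server_wins}")
    print("default python server ctx honors server order:",
          honors_server_order(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
```

The "weak first" row is the case the report is about: with the client's order the server ends up on RC4-MD5 even though it ranks AES256-SHA first, while with server preference it gets AES256-SHA. The "export only" row is the caveat that goes with the directive: honoring the server's order cannot help when the only suites the client offers are still present at the tail of SSLCipherSuite, so weak suites have to be removed from that list as well, not merely ranked last.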