You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mi...@apache.org on 2010/02/27 22:00:59 UTC
svn commit: r917044 - in /httpd/httpd/branches/2.2.x: ./ docs/manual/mod/
modules/ssl/
Author: minfrin
Date: Sat Feb 27 21:00:58 2010
New Revision: 917044
URL: http://svn.apache.org/viewvc?rev=917044&view=rev
Log:
Backport:
mod_ssl: Add SSLInsecureRenegotiation directive.
+1: jorton, trawick, minfrin
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Feb 27 21:00:58 2010
@@ -35,6 +35,10 @@
desired. Fix the default value of the SSIAccessEnable directive.
[Graham Leggett]
+ *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
+ allows insecure renegotiation with clients which do not yet
+ support the secure renegotiation protocol. [Joe Orton]
+
*) core: Fix potential memory leaks by making sure to not destroy
bucket brigades that have been created by earlier filters.
[Stefan Fritsch]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sat Feb 27 21:00:58 2010
@@ -87,20 +87,6 @@
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Add SSLInsecureRenegotiation directive.
- Trunk version of patch:
- http://svn.apache.org/viewcvs.cgi?rev=906039&view=rev
- http://svn.apache.org/viewcvs.cgi?rev=906057&view=rev
- http://svn.apache.org/viewcvs.cgi?rev=906485&view=rev
- http://svn.apache.org/viewcvs.cgi?rev=906491&view=rev
- http://svn.apache.org/viewcvs.cgi?rev=908015&view=rev
- http://svn.apache.org/viewcvs.cgi?rev=916733&view=rev
- http://svn.apache.org/viewcvs.cgi?rev=916817&view=rev
- Backport version for 2.2.x of patch:
- http://people.apache.org/~jorton/ms_reneg22_v2.diff
- +1: jorton, trawick, minfrin
- minfrin: needs docs, on the case
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Sat Feb 27 21:00:58 2010
@@ -1808,4 +1808,46 @@
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLInsecureRenegotiation</name>
+<description>Option to enable support for insecure renegotiation</description>
+<syntax>SSLInsecureRenegotiation <em>flag</em></syntax>
+<default>SSLInsecureRenegotiation off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 1.0.0 Beta 5 or later</compatibility>
+
+<usage>
+<p>As originally specified, all versions of the SSL and TLS protocols
+(up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle
+attack
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>)
+during a renegotiation. This vulnerability allowed an attacker to
+"prefix" a chosen plaintext to the HTTP request as seen by the web
+server. A protocol extension was developed which fixed this
+vulnerability if supported by both client and server.</p>
+
+<p>If <module>mod_ssl</module> is linked against OpenSSL version 1.0.0
+Beta 5 or later, by default renegotiation is only supported with
+clients supporting the new protocol extension. If this directive is
+enabled, renegotiation will be allowed with old (unpatched) clients,
+albeit insecurely.</p>
+
+<note type="warning"><title>Security warning</title>
+<p>If this directive is enabled, SSL connections will be vulnerable to
+the Man-in-the-Middle prefix attack as described
+in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p>
+</note>
+
+<example><title>Example</title>
+SSLInsecureRenegotiation on
+</example>
+
+<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
+from an SSI or CGI script to determine whether secure renegotiation is
+supported for a given SSL connection.</p>
+
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Sat Feb 27 21:00:58 2010
@@ -143,6 +143,8 @@
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
+ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+ "Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1,
"Set user name to SSL variable value")
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Sat Feb 27 21:00:58 2010
@@ -169,6 +169,7 @@
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET;
sc->cipher_server_pref = UNSET;
+ sc->insecure_reneg = UNSET;
sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
#ifndef OPENSSL_NO_TLSEXT
@@ -262,6 +263,7 @@
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
cfgMergeBool(cipher_server_pref);
+ cfgMergeBool(insecure_reneg);
cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
#ifndef OPENSSL_NO_TLSEXT
@@ -688,6 +690,19 @@
#endif
}
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->insecure_reneg = flag?TRUE:FALSE;
+ return NULL;
+#else
+ return "The SSLInsecureRenegotiation directive is not available "
+ "with this SSL library";
+#endif
+}
+
+
static const char *ssl_cmd_check_dir(cmd_parms *parms,
const char **dir)
{
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Sat Feb 27 21:00:58 2010
@@ -394,6 +394,7 @@
MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
char *cp;
int protocol = mctx->protocol;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
/*
* Create the new per-server SSL context
@@ -444,11 +445,14 @@
}
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
- {
- SSLSrvConfigRec *sc = mySrvConfig(s);
- if (sc->cipher_server_pref == TRUE) {
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ if (sc->insecure_reneg == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
#endif
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c Sat Feb 27 21:00:58 2010
@@ -760,10 +760,17 @@
r->connection->keepalive = AP_CONN_CLOSE;
}
- /* do a full renegotiation */
+ /* Perform a full renegotiation. */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Performing full renegotiation: "
- "complete handshake protocol");
+ "Performing full renegotiation: complete handshake "
+ "protocol (%s support secure renegotiation)",
+#if defined(SSL_get_secure_renegotiation_support)
+ SSL_get_secure_renegotiation_support(ssl) ?
+ "client does" : "client does not"
+#else
+ "server does not"
+#endif
+ );
SSL_set_session_id_context(ssl,
(unsigned char *)&id,
@@ -779,6 +786,7 @@
if (SSL_get_state(ssl) != SSL_ST_OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Re-negotiation request failed");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
r->connection->aborted = 1;
return HTTP_FORBIDDEN;
@@ -1067,6 +1075,7 @@
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
+ "SSL_SECURE_RENEG",
"SSL_COMPRESS_METHOD",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
@@ -1171,6 +1180,12 @@
}
}
+
+#ifdef SSL_get_secure_renegotiation_support
+ apr_table_setn(r->notes, "ssl-secure-reneg",
+ SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
+#endif
+
return DECLINED;
}
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_vars.c Sat Feb 27 21:00:58 2010
@@ -326,6 +326,14 @@
TLSEXT_NAMETYPE_host_name));
}
#endif
+ else if (ssl != NULL && strcEQ(var, "SECURE_RENEG")) {
+ int flag = 0;
+#ifdef SSL_get_secure_renegotiation_support
+ flag = SSL_get_secure_renegotiation_support(ssl);
+#endif
+ result = apr_pstrdup(p, flag ? "true" : "false");
+ }
+
return result;
}
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=917044&r1=917043&r2=917044&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Sat Feb 27 21:00:58 2010
@@ -471,6 +471,7 @@
int vhost_id_len;
int session_cache_timeout;
BOOL cipher_server_pref;
+ BOOL insecure_reneg;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
ssl_enabled_t proxy_ssl_check_peer_expire;
@@ -545,6 +546,7 @@
const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
Re: svn commit: r917044 - in /httpd/httpd/branches/2.2.x: ./ docs/manual/mod/ modules/ssl/
Posted by Graham Leggett <mi...@sharp.fm>.
On 27 Feb 2010, at 11:07 PM, Eric Covener wrote:
>> +<compatibility>Available in httpd 2.3 and later, if using OpenSSL
>> 1.0.0 Beta 5 or later</compatibility>
>
> needs an update for 2.2., and I never know whether it's okay to say
> "n+1 or later" in case n+1 doesn't end up being released ("versions
> after n")
Thanks for this, fixed in r917229.
Regards,
Graham
--
Re: svn commit: r917044 - in /httpd/httpd/branches/2.2.x: ./
docs/manual/mod/ modules/ssl/
Posted by Eric Covener <co...@gmail.com>.
On Sat, Feb 27, 2010 at 4:00 PM, <mi...@apache.org> wrote:
> Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=917044&r1=917043&r2=917044&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
> +++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Sat Feb 27 21:00:58 2010
> @@ -1808,4 +1808,46 @@
> </usage>
> </directivesynopsis>
>
> +<directivesynopsis>
> +<name>SSLInsecureRenegotiation</name>
> +<description>Option to enable support for insecure renegotiation</description>
> +<syntax>SSLInsecureRenegotiation <em>flag</em></syntax>
> +<default>SSLInsecureRenegotiation off</default>
> +<contextlist><context>server config</context>
> +<context>virtual host</context></contextlist>
> +<compatibility>Available in httpd 2.3 and later, if using OpenSSL 1.0.0 Beta 5 or later</compatibility>
needs an update for 2.2., and I never know whether it's okay to say
"n+1 or later" in case n+1 doesn't end up being released ("versions
after n")
--
Eric Covener
covener@gmail.com