Posted to cvs@httpd.apache.org by jo...@apache.org on 2004/11/10 12:42:05 UTC

cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c ssl_engine_init.c

jorton      2004/11/10 03:42:05

  Modified:    modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_kernel.c
                        ssl_engine_init.c
  Log:
  Backport fix for CAN-2004-0885:
  
  * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
  correct cipher suite has been negotiated, else deny access.
  
  * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
  0.9.7, prevent session resumption during a renegotiation to force the
  client to negotiate a new (and acceptable) cipher suite.
  
  PR: 31505
  Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
  Reviewed by: jorton, pquerna, minfrin, wrowe
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.82.2.15 +15 -0     httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.82.2.14
  retrieving revision 1.82.2.15
  diff -d -w -u -r1.82.2.14 -r1.82.2.15
  --- ssl_engine_kernel.c	23 Aug 2004 15:18:55 -0000	1.82.2.14
  +++ ssl_engine_kernel.c	10 Nov 2004 11:42:05 -0000	1.82.2.15
  @@ -719,6 +719,21 @@
                   X509_free(peercert);
               }
           }
  +        
  +        /*
  +         * Also check that SSLCipherSuite has been enforced as expected.
  +         */
  +        if (cipher_list) {
  +            cipher = SSL_get_current_cipher(ssl);
  +            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
  +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  +                             "SSL cipher suite not renegotiated: "
  +                             "access to %s denied using cipher %s",
  +                              r->filename,
  +                              SSL_CIPHER_get_name(cipher));
  +                return HTTP_FORBIDDEN;
  +            }
  +        }
       }
   
       /*
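Review bot: The new check at `cipher = SSL_get_current_cipher(ssl);` passes `cipher` straight into `sk_SSL_CIPHER_find()` and the log message; that call returns NULL when no session is current, and whether the stack comparator tolerates a NULL element varies by OpenSSL version, so the deny path should not depend on the renegotiation above having left a session in place. Failing closed is the safer default for an access-control decision: `if (cipher == NULL || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {`, with `SSL_CIPHER_get_name()` only reached on the non-NULL case. The declarations of `cipher` and `cipher_list` and the rest of ssl_hook_Access lie outside the hunk, so it is not visible here whether `cipher_list` is always populated when a per-directory SSLCipherSuite is in effect; a one-line comment such as `/* no per-dir cipher list: nothing to enforce here */` on the `if (cipher_list)` branch would make the skipped case explicit to a future reader.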
  
  
  
  1.106.2.14 +8 -0      httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.106.2.13
  retrieving revision 1.106.2.14
  diff -d -w -u -r1.106.2.13 -r1.106.2.14
  --- ssl_engine_init.c	7 Jun 2004 10:18:37 -0000	1.106.2.13
  +++ ssl_engine_init.c	10 Nov 2004 11:42:05 -0000	1.106.2.14
  @@ -439,6 +439,14 @@
        * Configure additional context ingredients
        */
       SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
  +
  +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  +    /* 
  +     * Disallow a session from being resumed during a renegotiation,
  +     * so that an acceptable cipher suite can be negotiated.
  +     */
  +    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  +#endif
   }
   
   static void ssl_init_ctx_session_cache(server_rec *s,
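Review bot: The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` block silently omits the option when built against an OpenSSL that lacks it, leaving no trace that this half of the CAN-2004-0885 mitigation is inactive and that the per-request cipher check in ssl_hook_Access is then the only safeguard. Adding an `#else` arm with a comment, e.g. `#else /* older OpenSSL: a renegotiation may resume the session; the cipher check in ssl_hook_Access is the only enforcement */`, records the dependency where a packager will see it; if `s` is in scope in ssl_init_ctx_protocol (its signature is outside the hunk), an `ap_log_error` at APLOG_WARNING in that arm would surface it at startup as well. The option is set separately rather than OR-ed into the `SSL_OP_SINGLE_DH_USE` call just above, which is fine since the calls accumulate, though a short comment saying so would avoid a reader assuming the second call replaces the first.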