Posted to cvs@httpd.apache.org by jo...@apache.org on 2004/11/10 12:42:05 UTC
cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c ssl_engine_init.c
jorton 2004/11/10 03:42:05
Modified: modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_kernel.c
ssl_engine_init.c
Log:
Backport fix for CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
PR: 31505
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
Reviewed by: jorton, pquerna, minfrin, wrowe
Revision Changes Path
No revision
No revision
1.82.2.15 +15 -0 httpd-2.0/modules/ssl/ssl_engine_kernel.c
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.82.2.14
retrieving revision 1.82.2.15
diff -d -w -u -r1.82.2.14 -r1.82.2.15
--- ssl_engine_kernel.c 23 Aug 2004 15:18:55 -0000 1.82.2.14
+++ ssl_engine_kernel.c 10 Nov 2004 11:42:05 -0000 1.82.2.15
@@ -719,6 +719,21 @@
X509_free(peercert);
}
}
+
+ /*
+ * Also check that SSLCipherSuite has been enforced as expected.
+ */
+ if (cipher_list) {
+ cipher = SSL_get_current_cipher(ssl);
+ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "SSL cipher suite not renegotiated: "
+ "access to %s denied using cipher %s",
+ r->filename,
+ SSL_CIPHER_get_name(cipher));
+ return HTTP_FORBIDDEN;
+ }
+ }
}
/*
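Review bot: The new check passes the result of `SSL_get_current_cipher(ssl)` straight into `sk_SSL_CIPHER_find()` without a NULL test; `SSL_get_current_cipher()` returns NULL when the connection has no session cipher, and as far as I recall the stack comparator dereferences the element it is given, so a NULL here would be a crash rather than the intended 403. Guarding it costs one condition: `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {` (`SSL_CIPHER_get_name(NULL)` is safe for the log line). It would also help a reader to say in the comment what `cipher_list` holds and who set it, e.g. `/* cipher_list is the per-dir SSLCipherSuite stack built above; NULL means no per-dir override applied */`, since `cipher_list`, `cipher` and the start of ssl_hook_Access are all outside this hunk and the `-w` diff hides the indentation of the added block.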
1.106.2.14 +8 -0 httpd-2.0/modules/ssl/ssl_engine_init.c
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.106.2.13
retrieving revision 1.106.2.14
diff -d -w -u -r1.106.2.13 -r1.106.2.14
--- ssl_engine_init.c 7 Jun 2004 10:18:37 -0000 1.106.2.13
+++ ssl_engine_init.c 10 Nov 2004 11:42:05 -0000 1.106.2.14
@@ -439,6 +439,14 @@
* Configure additional context ingredients
*/
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ /*
+ * Disallow a session from being resumed during a renegotiation,
+ * so that an acceptable cipher suite can be negotiated.
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
}
static void ssl_init_ctx_session_cache(server_rec *s,
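Review bot: The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard means a build against an OpenSSL that lacks the option compiles silently without this half of the fix, and nothing in the hunk records that the access-time cipher check in ssl_engine_kernel.c is then the only barrier (a resumed session with an unacceptable cipher gets denied instead of being forced to renegotiate). I would state that in the comment so the dependency is visible to whoever later reads either file, e.g. `/* Without this option (older OpenSSL), a renegotiation may resume the old session and ssl_hook_Access will deny the request instead of getting a fresh cipher suite. */`. A defensive `#else` that logs once at startup that the option is unavailable would make the degraded mode observable, but that is a judgement call. ssl_init_ctx_protocol begins outside this hunk.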