Posted to cvs@httpd.apache.org by di...@apache.org on 2023/03/06 17:46:04 UTC

svn commit: r1908132 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c

Author: dirkx
Date: Mon Mar  6 17:46:04 2023
New Revision: 1908132

URL: http://svn.apache.org/viewvc?rev=1908132&view=rev
Log:
Add SSL_SHARED_CIPHERS environment variable

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1908132&r1=1908131&r2=1908132&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Mar  6 17:46:04 2023
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) Add a SSL_SHARED_CIPHER environment variable with the list of
+     client/server permitted ciphers. [Dirk-Willem van Gulik]
+
   *) mod_http2: field values (headers and trailers) are stripped of
      leading/trailing whitespace (space +htab) before being processed
      or send in a response. This is compatible behaviour to HTTP/1.1

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1908132&r1=1908131&r2=1908132&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Mar  6 17:46:04 2023
@@ -66,7 +66,8 @@ compatibility variables.</p>
 <tr><td><code>SSL_SESSION_ID</code></td>                <td>string</td>    <td>The hex-encoded SSL session id</td></tr>
 <tr><td><code>SSL_SESSION_RESUMED</code></td>           <td>string</td>    <td>Initial or Resumed SSL Session.  Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
 <tr><td><code>SSL_SECURE_RENEG</code></td>              <td>string</td>    <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
-<tr><td><code>SSL_CIPHER</code></td>                    <td>string</td>    <td>The cipher specification name</td></tr>
+<tr><td><code>SSL_SHARED_CIPHERS</code></td>            <td>string</td>    <td>Colon separated list of shared ciphers (i.e. the subset of ciphers that are configured on both server and on the client)</td></tr>
+<tr><td><code>SSL_CIPHER</code></td>                    <td>string</td>    <td>The name of the cipher agreed between client and server</td></tr>
 <tr><td><code>SSL_CIPHER_EXPORT</code></td>             <td>string</td>    <td><code>true</code> if cipher is an export cipher</td></tr>
 <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (actually used)</td></tr>
 <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (possible)</td></tr>

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908132&r1=1908131&r2=1908132&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar  6 17:46:04 2023
@@ -1532,6 +1532,7 @@ static const char *const ssl_hook_Fixup_
     "SSL_SERVER_A_SIG",
     "SSL_SESSION_ID",
     "SSL_SESSION_RESUMED",
+    "SSL_SHARED_CIPHERS",
 #ifdef HAVE_SRP
     "SSL_SRP_USER",
     "SSL_SRP_USERINFO",
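Review bot: Adding `"SSL_SHARED_CIPHERS"` to this table makes the value computed and copied into the request environment on every request for which the table is exported (presumably the `+StdEnvVars` set; the array's name is cut off in the hunk header), and the companion change in ssl_engine_vars.c sizes that value at up to 16 KiB. That is a per-request cost and a per-request environment payload passed on to every CGI/SSI child, for a value that is most useful on demand from a rewrite condition or a log format, where the lookup happens anyway. Consider whether it should be opt-in the way the large certificate values appear to be gated behind a separate `SSLOptions` flag, or at least state in the mod_ssl.xml table that it is part of the standard export set. The array starts and ends outside the hunk.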

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1908132&r1=1908131&r2=1908132&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Mon Mar  6 17:46:04 2023
@@ -506,6 +506,11 @@ static const char *ssl_var_lookup_ssl(ap
     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
         result = ssl_var_lookup_ssl_compress_meth(ssl);
     }
+    else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) {
+        char buf[ 1024 * 16 ];
+        if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf)))
+               result = apr_pstrdup(p,buf);
+    }
 #ifdef HAVE_TLSEXT
     else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
         result = apr_pstrdup(p, SSL_get_servername(ssl,
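Review bot: The new branch leaves the guarded assignment unbraced and indented with seven spaces, which is out of step with the surrounding `else if` branches in this function, all of which brace their bodies; `if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf))) {` / `    result = apr_pstrdup(p, buf);` / `}`. A one-line comment on the call's contract would also help, because the code silently yields an incomplete list when the client's cipher names do not fit in `buf` and leaves `result` untouched when the call returns NULL: `/* NULL when unavailable (e.g. no session); the list is silently cut short if it does not fit buf */`, with the exact truncation behaviour confirmed against the OpenSSL versions mod_ssl supports. The enclosing function ssl_var_lookup_ssl starts outside the hunk.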



Re: svn commit: r1908132 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 3/6/23 6:46 PM, dirkx@apache.org wrote:
> Author: dirkx
> Date: Mon Mar  6 17:46:04 2023
> New Revision: 1908132
> 
> URL: http://svn.apache.org/viewvc?rev=1908132&view=rev
> Log:
> Add SSL_SHARED_CIPHER environment variable
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> 
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1908132&r1=1908131&r2=1908132&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Mar  6 17:46:04 2023
> @@ -1,6 +1,9 @@
>                                                           -*- coding: utf-8 -*-
>  Changes with Apache 2.5.1
>  
> +  *) Add a SSL_SHARED_CIPHER environment variable with the list of
> +     client/server permitted ciphers. [Dirk-Willem van Gulik]
> +

To reduce backporting conflicts we now store change entries in separate files per change in the changes-entries directory
and merge them from time to time or latest before a release via 'make update-changes' into the CHANGES file.
See http://svn.apache.org/viewvc/httpd/httpd/trunk/README.CHANGES?revision=1879840&view=co

>    *) mod_http2: field values (headers and trailers) are stripped of
>       leading/trailing whitespace (space +htab) before being processed
>       or send in a response. This is compatible behaviour to HTTP/1.1
> 
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1908132&r1=1908131&r2=1908132&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Mar  6 17:46:04 2023
> @@ -66,7 +66,8 @@ compatibility variables.</p>
>  <tr><td><code>SSL_SESSION_ID</code></td>                <td>string</td>    <td>The hex-encoded SSL session id</td></tr>
>  <tr><td><code>SSL_SESSION_RESUMED</code></td>           <td>string</td>    <td>Initial or Resumed SSL Session.  Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
>  <tr><td><code>SSL_SECURE_RENEG</code></td>              <td>string</td>    <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
> -<tr><td><code>SSL_CIPHER</code></td>                    <td>string</td>    <td>The cipher specification name</td></tr>
> +<tr><td><code>SSL_SHARED_CIPHERS</code></td>            <td>string</td>    <td>Colon separated list of shared ciphers (i.e. the subset of ciphers that are configured on both server and on the client)</td></tr>
> +<tr><td><code>SSL_CIPHER</code></td>                    <td>string</td>    <td>The name of the cipher agreed between client and server</td></tr>
>  <tr><td><code>SSL_CIPHER_EXPORT</code></td>             <td>string</td>    <td><code>true</code> if cipher is an export cipher</td></tr>
>  <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (actually used)</td></tr>
>  <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (possible)</td></tr>
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908132&r1=1908131&r2=1908132&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar  6 17:46:04 2023
> @@ -1532,6 +1532,7 @@ static const char *const ssl_hook_Fixup_
>      "SSL_SERVER_A_SIG",
>      "SSL_SESSION_ID",
>      "SSL_SESSION_RESUMED",
> +    "SSL_SHARED_CIPHERS",
>  #ifdef HAVE_SRP
>      "SSL_SRP_USER",
>      "SSL_SRP_USERINFO",
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1908132&r1=1908131&r2=1908132&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Mon Mar  6 17:46:04 2023
> @@ -506,6 +506,11 @@ static const char *ssl_var_lookup_ssl(ap
>      else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
>          result = ssl_var_lookup_ssl_compress_meth(ssl);
>      }
> +    else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) {
> +        char buf[ 1024 * 16 ];

Is it important to be 16k? Typically we use HUGE_STRING_LEN which is 8k in such situations.
If it needs to be 16k I would favor HUGE_STRING_LEN * 2 instead.

> +        if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf)))
> +               result = apr_pstrdup(p,buf);
> +    }
>  #ifdef HAVE_TLSEXT
>      else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
>          result = apr_pstrdup(p, SSL_get_servername(ssl,
> 
> 
> 

Regards

Rüdiger