Posted to cvs@httpd.apache.org by ic...@apache.org on 2018/03/29 14:10:12 UTC

svn commit: r1827992 - in /httpd/httpd/trunk: ./ docs/manual/mod/ modules/ssl/

Author: icing
Date: Thu Mar 29 14:10:12 2018
New Revision: 1827992

URL: http://svn.apache.org/viewvc?rev=1827992&view=rev
Log:
On the trunk:

mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_policies.h
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/update_policies.py

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Mar 29 14:10:12 2018
@@ -2,9 +2,8 @@
 Changes with Apache 2.5.1
 
   *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
-     need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
-     are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
-     to find a better name.
+     need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the
+     protocol the ciphers are for.
      [Stefan Eissing]
 
   *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Mar 29 14:10:12 2018
@@ -650,6 +650,11 @@ The available (case-insensitive) <em>pro
     A revision of the TLS 1.1 protocol, as defined in
     <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
 
+<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later)
+    <p>
+    A new version of the TLS protocol, as defined in
+    <a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li>
+
 <li><code>all</code>
     <p>
     This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
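Review bot: the link text `RFC TBD` pointing at the tls13-spec GitHub repository is a placeholder; once the TLS 1.3 RFC is published both the href and the text need updating, so a `<!-- TODO -->` marker next to the `<a>` would make it easy to find later.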
@@ -670,7 +675,7 @@ SSLProtocol TLSv1
 <name>SSLCipherSuite</name>
 <description>Cipher Suite available for negotiation in SSL
 handshake</description>
-<syntax>SSLCipherSuite <em>cipher-spec</em></syntax>
+<syntax>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
 <default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
 <contextlist><context>server config</context>
 <context>virtual host</context>
@@ -682,12 +687,25 @@ handshake</description>
 <p>
 This complex directive uses a colon-separated <em>cipher-spec</em> string
 consisting of OpenSSL cipher specifications to configure the Cipher Suite the
-client is permitted to negotiate in the SSL handshake phase. Notice that this
-directive can be used both in per-server and per-directory context. In
-per-server context it applies to the standard SSL handshake when a connection
+client is permitted to negotiate in the SSL handshake phase. The optional 
+protocol specifier can configure the Cipher Suite for a specific SSL version.
+Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2. 
+<p>
+Notice that this
+directive can be used both in per-server and per-directory context. 
+In per-server context it applies to the standard SSL handshake when a connection
 is established. In per-directory context it forces a SSL renegotiation with the
 reconfigured Cipher Suite after the HTTP request was read but before the HTTP
-response is sent.</p>
+response is sent. (Since renegotiation is not</p>
+<p>
+If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol 
+specifier "TLSv1.3" can be used to configure the cipher suites for that protocol.
+Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in
+a directory context is not allowed.</p>
+<p>
+For a list of TLSv1.3 cipher names, see 
+<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL
+documentation</a>.</p>
 <p>
 An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
 attributes plus a few extra minor ones:</p>
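Review bot: the sentence appended to the per-directory paragraph, `response is sent. (Since renegotiation is not</p>`, is cut off mid-sentence and should be completed or dropped. The paragraph that begins `The optional protocol specifier can configure ...` is also never closed: the line ending `up to and including TLSv1.2. ` is followed directly by a new `<p>`, which will break the manual's XML build. Finally, `Possible values include "SSL"` lists only one value here while `TLSv1.3` is introduced two paragraphs later; listing both accepted values in one place would read better.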
@@ -2071,7 +2089,7 @@ for additional information.
 <name>SSLProxyCipherSuite</name>
 <description>Cipher Suite available for negotiation in SSL
 proxy handshake</description>
-<syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax>
+<syntax>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></syntax>
 <default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default>
 <contextlist><context>server config</context> <context>virtual host</context>
 <context>proxy section</context></contextlist>

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Thu Mar 29 14:10:12 2018
@@ -97,14 +97,9 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(FIPS, FLAG,
                 "Enable FIPS-140 mode "
                 "(`on', `off')")
-    SSL_CMD_ALL(CipherSuite, TAKE1,
-                "Colon-delimited list of permitted SSL Ciphers "
-                "('XXX:...:XXX' - see manual)")
-#ifdef SSL_OP_NO_TLSv1_3
-    SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
-                "Colon-delimited list of permitted TLSv1.3 Ciphers "
-                "('XXX:...:XXX' - see manual)")
-#endif
+    SSL_CMD_ALL(CipherSuite, TAKE12,
+                "Colon-delimited list of permitted SSL Ciphers, optional preceeded "
+                "by protocol identifier ('XXX:...:XXX' - see manual)")
     SSL_CMD_SRV(CertificateFile, TAKE1,
                 "SSL Server Certificate file "
                 "('/path/to/file' - PEM or DER encoded)")
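Review bot: typo in the new help string, `optional preceeded` should read `optionally preceded`. This text is user-visible in `httpd -L` output, so it is worth fixing before commit.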
@@ -194,14 +189,9 @@ static const command_rec ssl_config_cmds
     SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
-    SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
+    SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
-               "('XXX:...:XXX' - see manual)")
-#ifdef SSL_OP_NO_TLSv1_3
-    SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
-               "SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
-               "('XXX:...:XXX' - see manual)")
-#endif
+               ", optionally preceeded by protocol specifier ('XXX:...:XXX' - see manual)")
     SSL_CMD_PXY(ProxyVerify, TAKE1,
                "SSL Proxy: whether to verify the remote certificate "
                "('on' or 'off')")
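Review bot: same typo here, `preceeded` should be `preceded`, and the string concatenation produces `permitted SSL ciphers , optionally` with a stray space before the comma; either drop the trailing space on the first literal or move the comma into it.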

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Mar 29 14:10:12 2018
@@ -140,7 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t
     mctx->auth.cipher_suite   = NULL;
     mctx->auth.verify_depth   = UNSET;
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
-    mctx->auth.cipher_suite_tlsv1_3 = NULL;
+    mctx->auth.tls13_ciphers = NULL;
 
     mctx->ocsp_mask           = UNSET;
     mctx->ocsp_force_default  = UNSET;
@@ -285,7 +285,7 @@ static void modssl_ctx_cfg_merge(apr_poo
     cfgMergeString(auth.cipher_suite);
     cfgMergeInt(auth.verify_depth);
     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
-    cfgMergeString(auth.cipher_suite_tlsv1_3);
+    cfgMergeString(auth.tls13_ciphers);
 
     cfgMergeInt(ocsp_mask);
     cfgMergeBool(ocsp_force_default);
@@ -501,7 +501,7 @@ void ssl_config_proxy_merge(apr_pool_t *
 */
 
 static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name,
-                       int protocols, const char *ciphers, 
+                       int protocols, const char *ssl_ciphers, const char *tls13_ciphers, 
                        int honor_order, int compression, int session_tickets)
 {
     SSLPolicyRec *policy;
@@ -510,13 +510,15 @@ static void add_policy(apr_hash_t *polic
     policy->name = name;
     policy->sc = ssl_config_server_new(p);
     
-    if (protocols || ciphers) {
+    if (protocols) {
         policy->sc->server->protocol_set      = 1;
         policy->sc->server->protocol          = protocols;
     }
-    
-    if (ciphers) {
-        policy->sc->server->auth.cipher_suite = ciphers;
+    if (ssl_ciphers) {
+        policy->sc->server->auth.cipher_suite = ssl_ciphers;
+    }
+    if (tls13_ciphers) {
+        policy->sc->server->auth.tls13_ciphers = tls13_ciphers;
     }
 
 #ifndef OPENSSL_NO_COMP
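Review bot: the guard changed from `if (protocols || ciphers)` to `if (protocols)`, so a policy that supplies ciphers but no protocol mask no longer sets `protocol_set = 1`. With the old code that case stored `protocol = 0` and would have disabled every protocol, so the new behaviour looks like a fix rather than a regression, but it is a semantic change that deserves a line in the log message.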
@@ -542,7 +544,8 @@ static apr_hash_t *get_policies(apr_pool
 #if SSL_POLICY_MODERN
         add_policy(policies, p, "modern", 
                    SSL_POLICY_MODERN_PROTOCOLS, 
-                   SSL_POLICY_MODERN_CIPHERS, 
+                   SSL_POLICY_MODERN_SSL_CIPHERS, 
+                   SSL_POLICY_MODERN_TLS13_CIPHERS, 
                    SSL_POLICY_HONOR_ORDER, 
                    SSL_POLICY_COMPRESSION, 
                    SSL_POLICY_SESSION_TICKETS);
@@ -550,7 +553,8 @@ static apr_hash_t *get_policies(apr_pool
 #if SSL_POLICY_INTERMEDIATE
         add_policy(policies, p, "intermediate", 
                    SSL_POLICY_INTERMEDIATE_PROTOCOLS, 
-                   SSL_POLICY_INTERMEDIATE_CIPHERS, 
+                   SSL_POLICY_INTERMEDIATE_SSL_CIPHERS, 
+                   SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS, 
                    SSL_POLICY_HONOR_ORDER, 
                    SSL_POLICY_COMPRESSION, 
                    SSL_POLICY_SESSION_TICKETS);
@@ -558,7 +562,8 @@ static apr_hash_t *get_policies(apr_pool
 #if SSL_POLICY_OLD
         add_policy(policies, p, "old", 
                    SSL_POLICY_OLD_PROTOCOLS, 
-                   SSL_POLICY_OLD_CIPHERS, 
+                   SSL_POLICY_OLD_SSL_CIPHERS, 
+                   SSL_POLICY_OLD_TLS13_CIPHERS, 
                    SSL_POLICY_HONOR_ORDER, 
                    SSL_POLICY_COMPRESSION, 
                    SSL_POLICY_SESSION_TICKETS);
@@ -852,33 +857,37 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
 
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
-                                   const char *arg)
+                                   const char *arg1, const char *arg2)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 
-    /* always disable null and export ciphers */
-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-
-    if (cmd->path) {
-        dc->szCipherSuite = arg;
+    if (arg2 == NULL) {
+        arg2 = arg1;
+        arg1 = "SSL";
     }
-    else {
-        sc->server->auth.cipher_suite = arg;
+    
+    if (!strcmp("SSL", arg1)) {
+        /* always disable null and export ciphers */
+        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+        if (cmd->path) {
+            dc->szCipherSuite = arg2;
+        }
+        else {
+            sc->server->auth.cipher_suite = arg2;
+        }
+        return NULL;
     }
-
-    return NULL;
-}
-
-const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd,
-                                      void *dcfg,
-                                      const char *arg)
-{
-    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-
-    sc->server->auth.cipher_suite_tlsv1_3 = arg;
-
-    return NULL;
+#ifdef SSL_OP_NO_TLSv1_3
+    else if (!strcmp("TLSv1.3", arg1)) {
+        if (cmd->path) {
+            return "TLSv1.3 ciphers cannot be set inside a directory context";
+        }
+        sc->server->auth.tls13_ciphers = arg2;
+        return NULL;
+    }
+#endif
+    return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
 }
 
 #define SSL_FLAGS_CHECK_FILE \
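Review bot: the protocol specifier is matched with case-sensitive `strcmp`, while the manual describes the protocol names as case-insensitive; `SSLCipherSuite tlsv1.3 ...` would be rejected with the "not supported" error. Consider `strcasecmp` (or `ap_cstr_casecmp`) for both comparisons. The error string also has a typo, `procotol` should be `protocol`. Note too that when the library lacks TLSv1.3 (`SSL_OP_NO_TLSv1_3` undefined) a `TLSv1.3` specifier falls through to the same generic message; a dedicated "TLSv1.3 not supported by the SSL library" error would help an operator diagnose a library mismatch faster.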
@@ -1614,27 +1623,28 @@ const char *ssl_cmd_SSLProxyProtocol(cmd
 
 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
                                         void *dcfg,
-                                        const char *arg)
+                                        const char *arg1, const char *arg2)
 {
     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-
-    /* always disable null and export ciphers */
-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-
-    dc->proxy->auth.cipher_suite = arg;
-
-    return NULL;
-}
-
-const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd,
-                                            void *dcfg,
-                                            const char *arg)
-{
-    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-
-    dc->proxy->auth.cipher_suite_tlsv1_3 = arg;
-
-    return NULL;
+    
+    if (arg2 == NULL) {
+        arg2 = arg1;
+        arg1 = "SSL";
+    }
+    
+    if (!strcmp("SSL", arg1)) {
+        /* always disable null and export ciphers */
+        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+        dc->proxy->auth.cipher_suite = arg2;
+        return NULL;
+    }
+#ifdef SSL_OP_NO_TLSv1_3
+    else if (!strcmp("TLSv1.3", arg1)) {
+        dc->proxy->auth.tls13_ciphers = arg2;
+        return NULL;
+    }
+#endif
+    return apr_pstrcat(cmd->pool, "procotol '", arg1, "' not supported", NULL);
 }
 
 const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
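Review bot: same two issues as in `ssl_cmd_SSLCipherSuite`: case-sensitive `strcmp` on the protocol name and the `procotol` typo in the error message. The argument handling (default to `"SSL"` when only one argument is given, compare the name, append `:!aNULL:!eNULL:!EXP`) is now duplicated between the two handlers; factoring it into a small shared helper that returns the resolved protocol and cipher string would keep future fixes in one place.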
@@ -2512,7 +2522,10 @@ static void modssl_auth_ctx_dump(modssl_
 {
     DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
 #ifdef SSL_OP_NO_TLSv1_3
-    DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3);
+    if (auth->tls13_ciphers) {
+        DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", 
+            apr_pstrcat(p, "TLSv1.3 ", auth->tls13_ciphers, NULL));
+    }
 #endif
     DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
     DMP_LONG(  proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Mar 29 14:10:12 2018
@@ -936,8 +936,8 @@ static apr_status_t ssl_init_ctx_cipher_
         return ssl_die(s);
     }
 #ifdef SSL_OP_NO_TLSv1_3
-    if (mctx->auth.cipher_suite_tlsv1_3 
-        && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) {
+    if (mctx->auth.tls13_ciphers 
+        && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.tls13_ciphers)) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
                 "Unable to configure permitted TLSv1.3 ciphers");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
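Review bot: `APLOGNO()` on the "Unable to configure permitted TLSv1.3 ciphers" log call is still empty; the tag needs assigning with the project's log-message-tags script before this lands so the message is searchable in the documentation.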

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Mar 29 14:10:12 2018
@@ -189,9 +189,9 @@ static int ssl_auth_compatible(modssl_au
         return 0;
     }
     /* both have the same ca cipher suite string */
-    if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3)
-        && (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3 
-            || strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) {
+    if ((a1->tls13_ciphers != a2->tls13_ciphers)
+        && (!a1->tls13_ciphers || !a2->tls13_ciphers 
+            || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
         return 0;
     }
     return 1;
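Review bot: the comment above the comparison, `/* both have the same ca cipher suite string */`, does not describe what is compared; the renamed fields are the TLSv1.3 cipher list, so reword it to `/* both have the same TLSv1.3 cipher suite string */` while the lines are being touched.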

Modified: httpd/httpd/trunk/modules/ssl/ssl_policies.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_policies.h?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_policies.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_policies.h Thu Mar 29 14:10:12 2018
@@ -65,18 +65,21 @@
 
 #ifdef HAVE_TLSV1_X
 #define SSL_POLICY_MODERN    1
-#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+#define SSL_POLICY_MODERN_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+#define SSL_POLICY_MODERN_TLS13_CIPHERS NULL
 #define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
 #else /* ifdef HAVE_TLSV1_X */
 #define SSL_POLICY_MODERN    0
 #endif /* ifdef HAVE_TLSV1_X, else part */
 
 #define SSL_POLICY_INTERMEDIATE    1
-#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+#define SSL_POLICY_INTERMEDIATE_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+#define SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS NULL
 #define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3))
 
 #define SSL_POLICY_OLD    1
-#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
+#define SSL_POLICY_OLD_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
+#define SSL_POLICY_OLD_TLS13_CIPHERS NULL
 #define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3))
 
 
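Review bot: all three `*_TLS13_CIPHERS` macros are `NULL`, so `SSLPolicy modern` pins the pre-1.3 cipher list but leaves the TLSv1.3 suites at the library default. That is reasonable until Mozilla publishes a TLSv1.3 list, but a one-line comment next to the defines saying so would stop readers from treating it as an omission; since this file is generated by update_policies.py, the comment belongs in the generator's output.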

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Thu Mar 29 14:10:12 2018
@@ -644,7 +644,7 @@ typedef struct {
     /** TLSv1.3 has its separate cipher list, separate from the
      settings for older TLS protocol versions. Since which one takes
      effect is a matter of negotiation, we need separate settings */
-    const char  *cipher_suite_tlsv1_3;
+    const char  *tls13_ciphers;
 } modssl_auth_ctx_t;
 
 #ifdef HAVE_TLS_SESSION_TICKETS
@@ -810,8 +810,7 @@ const char  *ssl_cmd_SSLPassPhraseDialog
 const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -840,8 +839,7 @@ const char *ssl_cmd_SSLInsecureRenegotia
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
 const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);

Modified: httpd/httpd/trunk/modules/ssl/update_policies.py
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/update_policies.py?rev=1827992&r1=1827991&r2=1827992&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/update_policies.py (original)
+++ httpd/httpd/trunk/modules/ssl/update_policies.py Thu Mar 29 14:10:12 2018
@@ -99,7 +99,9 @@ def printPolicies(doc):
             print "#ifdef %s" % ifdef
             
         print "#define %s    1" % prefix
-        print "#define %s_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS])
+        print "#define %s_SSL_CIPHERS \"%s\"" % (prefix, p[KEY_OSSL_CIPHERS])
+        # Mozilla has not specced this yet
+        print "#define %s_TLS13_CIPHERS NULL" % (prefix)
         print "#define %s_PROTOCOLS %s" % (prefix, proto_conf(p[KEY_TLS_VERSIONS]))
         
         if ifdef:
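Review bot: `% (prefix)` on the new `_TLS13_CIPHERS` line is a parenthesised string rather than a tuple; it works, but for consistency with the neighbouring lines write `% prefix` or `% (prefix,)`. The comment `# Mozilla has not specced this yet` would be more useful if it also stated what `NULL` means for mod_ssl (the library's default TLSv1.3 suites stay in effect).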