On the trunk: (0b9673c9) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

CHANGES

+5 −0

Original line number	Diff line number	Diff line
		-- coding: utf-8 --
		Changes with Apache 2.5.0

		*) mod_ssl: adding ssl_policies.h[.in] for policy cipher/protocol definitions. Use
		update_policies.py to update manually from Mozilla JSON definitions at
		https://statics.tls.security.mozilla.org/server-side-tls-conf.json
		[Stefan Eissing]

		*) mod_md: v0.9.5:
		- New directive (srly: what do you expect at this point?) "MDMustStaple on\|off" to control if
		new certificates are requested with the OCSP Must Staple extension.

modules/ssl/mod_ssl.dsp

+4 −0

Original line number	Diff line number	Diff line
		@@ -180,6 +180,10 @@ SOURCE=.\ssl_private.h
		# End Source File
		# Begin Source File

		SOURCE=.\ssl_policies.h
		# End Source File
		# Begin Source File

		SOURCE=.\ssl_util_ssl.h
		# End Source File
		# Begin Source File

modules/ssl/ssl_engine_config.c

+27 −76

Original line number	Diff line number	Diff line
		@@ -30,6 +30,7 @@
		#include <stdlib.h>

		#include "ssl_private.h"
		#include "ssl_policies.h"
		#include "util_mutex.h"
		#include "ap_provider.h"

		@@ -521,70 +522,6 @@ void ssl_config_proxy_merge(apr_pool_t *p,
		** _________________________________________________________________
		*/

		#define SSL_MOD_POLICIES_KEY "ssl_module_policies"

		#ifndef OPENSSL_NO_SSL3
		#define STUPID_PROTOCOL_CONSTANTS_SSLV3 SSL_PROTOCOL_SSLV3
		#else
		#define STUPID_PROTOCOL_CONSTANTS_SSLV3 0
		#endif

		/**
		* Define a core set of policies that are always there:
		* - 'modern' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* - 'intermediate' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* - 'old' from https://wiki.mozilla.org/Security/Server_Side_TLS
		*/
		#ifdef HAVE_TLSV1_X
		/* Only with OpenSSL > v1.0.2 do we have a chance to implement modern */
		#define SSL_POLICY_LEGACY_PROTOCOLS \
		(STUPID_PROTOCOL_CONSTANTS_SSLV3\|SSL_PROTOCOL_TLSV1\|SSL_PROTOCOL_TLSV1_1)

		#define SSL_POLICY_MODERN_PROTOCOLS \
		(SSL_PROTOCOL_ALL & ~SSL_POLICY_LEGACY_PROTOCOLS)
		#define SSL_POLICY_MODERN_CIPHERS \
		"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
		"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
		"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
		"ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" \
		"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
		#endif

		#define SSL_POLICY_INTERMEDIATE_PROTOCOLS \
		(SSL_PROTOCOL_ALL & ~STUPID_PROTOCOL_CONSTANTS_SSLV3)

		#define SSL_POLICY_INTERMEDIATE_CIPHERS \
		"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
		"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
		"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
		"DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" \
		"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:" \
		"ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:" \
		"ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:" \
		"DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:" \
		"ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:" \
		"AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:" \
		"AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

		#define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL)
		#define SSL_POLICY_OLD_CIPHERS \
		"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
		"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:" \
		"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:" \
		"DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:" \
		"ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:" \
		"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:" \
		"ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:" \
		"DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:" \
		"DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:" \
		"ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:" \
		"AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:" \
		"DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:" \
		"!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"

		#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE
		#define SSL_POLICY_PROXY_VERIFY_DEPTH -1

		static void add_policy(apr_hash_t policies, apr_pool_t p, const char *name,
		int protocols, const char *ciphers,
		int honor_order, int compression, int session_tickets,
		@@ -632,22 +569,36 @@ static apr_hash_t get_policies(apr_pool_t p, int create)
		if (create) {
		policies = apr_hash_make(p);

		/* We could also invoke the commands here and let them parse strings. */
		#ifdef HAVE_TLSV1_X
		#if SSL_POLICY_MODERN
		add_policy(policies, p, "modern",
		SSL_POLICY_MODERN_PROTOCOLS, SSL_POLICY_MODERN_CIPHERS,
		1, 0, 0,
		SSL_POLICY_PROXY_VERIFY_MODE, SSL_POLICY_PROXY_VERIFY_DEPTH);
		SSL_POLICY_MODERN_PROTOCOLS,
		SSL_POLICY_MODERN_CIPHERS,
		SSL_POLICY_HONOR_ORDER,
		SSL_POLICY_COMPRESSION,
		SSL_POLICY_SESSION_TICKETS,
		SSL_POLICY_PROXY_VERIFY_MODE,
		SSL_POLICY_PROXY_VERIFY_DEPTH);
		#endif
		#if SSL_POLICY_INTERMEDIATE
		add_policy(policies, p, "intermediate",
		SSL_POLICY_INTERMEDIATE_PROTOCOLS, SSL_POLICY_INTERMEDIATE_CIPHERS,
		1, 0, 0,
		SSL_POLICY_PROXY_VERIFY_MODE, SSL_POLICY_PROXY_VERIFY_DEPTH);

		SSL_POLICY_INTERMEDIATE_PROTOCOLS,
		SSL_POLICY_INTERMEDIATE_CIPHERS,
		SSL_POLICY_HONOR_ORDER,
		SSL_POLICY_COMPRESSION,
		SSL_POLICY_SESSION_TICKETS,
		SSL_POLICY_PROXY_VERIFY_MODE,
		SSL_POLICY_PROXY_VERIFY_DEPTH);
		#endif
		#if SSL_POLICY_OLD
		add_policy(policies, p, "old",
		SSL_POLICY_OLD_PROTOCOLS, SSL_POLICY_OLD_CIPHERS,
		1, 0, 0,
		SSL_CVERIFY_NONE, -1);
		SSL_POLICY_OLD_PROTOCOLS,
		SSL_POLICY_OLD_CIPHERS,
		SSL_POLICY_HONOR_ORDER,
		SSL_POLICY_COMPRESSION,
		SSL_POLICY_SESSION_TICKETS,
		SSL_CVERIFY_NONE,
		SSL_POLICY_PROXY_VERIFY_DEPTH);
		#endif

		apr_pool_userdata_set(policies, SSL_MOD_POLICIES_KEY,
		apr_pool_cleanup_null, p);

modules/ssl/ssl_policies.h

0 → 100644

+87 −0

Original line number	Diff line number	Diff line
		/* Licensed to the Apache Software Foundation (ASF) under one or more
		* contributor license agreements. See the NOTICE file distributed with
		* this work for additional information regarding copyright ownership.
		* The ASF licenses this file to You under the Apache License, Version 2.0
		* (the "License"); you may not use this file except in compliance with
		* the License. You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		/**
		* @verbatim
		_ _
		_ __ ___ ___ __\| \| ___ ___\| \| mod_ssl
		\| '_ ` _ \ / _ \ / _` \| / __/ __\| \| Apache Interface to OpenSSL
		\| \| \| \| \| \| (_) \| (_\| \| \__ \__ \ \|
		\|_\| \|_\| \|_\|\___/ \__,_\|___\|___/___/_\|
		\|_____\|
		@endverbatim
		* @file ssl_policies.h
		* @brief Additional Utility Functions for OpenSSL
		*
		* @defgroup MOD_SSL_UTIL Utilities
		* @ingroup MOD_SSL
		* @{
		*/

		#ifndef __SSL_POLICIES_H__
		#define __SSL_POLICIES_H__

		#define SSL_MOD_POLICIES_KEY "ssl_module_policies"

		#ifndef OPENSSL_NO_SSL3
		#define SSL_PROTOCOL_CONSTANTS_SSLV3 SSL_PROTOCOL_SSLV3
		#else
		#define SSL_PROTOCOL_CONSTANTS_SSLV3 0
		#endif

		#ifdef HAVE_TLSV1_X
		#define SSL_POLICY_LEGACY_PROTOCOLS \
		(SSL_PROTOCOL_CONSTANTS_SSLV3\|SSL_PROTOCOL_TLSV1\|SSL_PROTOCOL_TLSV1_1)
		#endif

		/* Settings for all policies */
		#define SSL_POLICY_HONOR_ORDER 1
		#define SSL_POLICY_COMPRESSION 0
		#define SSL_POLICY_SESSION_TICKETS 0
		#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE
		#define SSL_POLICY_PROXY_VERIFY_DEPTH -1

		/**
		* Define a core set of policies that are always there:
		* - 'modern' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* - 'intermediate' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* - 'old' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* The JSON version can be retrieved here:
		* https://statics.tls.security.mozilla.org/server-side-tls-conf.json
		*/

		#define SSL_POLICY_MOZILLA_VERSION 4.0

		#ifdef HAVE_TLS1_X
		#define SSL_POLICY_MODERN 1
		#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
		#define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
		#else /* ifdef HAVE_TLS1_X */
		#define SSL_POLICY_MODERN 0
		#endif /* ifdef HAVE_TLS1_X, else part */

		#define SSL_POLICY_INTERMEDIATE 1
		#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
		#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_CONSTANTS_SSLV3))

		#define SSL_POLICY_OLD 1
		#define SSL_POLICY_OLD_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
		#define SSL_POLICY_OLD_PROTOCOLS SSL_PROTOCOL_ALL


		#endif /* __SSL_POLICIES_H__ */
		/** @} */

modules/ssl/ssl_policies.h.in

0 → 100644

+70 −0

Original line number	Diff line number	Diff line
		/* Licensed to the Apache Software Foundation (ASF) under one or more
		* contributor license agreements. See the NOTICE file distributed with
		* this work for additional information regarding copyright ownership.
		* The ASF licenses this file to You under the Apache License, Version 2.0
		* (the "License"); you may not use this file except in compliance with
		* the License. You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		/**
		* @verbatim
		_ _
		_ __ ___ ___ __\| \| ___ ___\| \| mod_ssl
		\| '_ ` _ \ / _ \ / _` \| / __/ __\| \| Apache Interface to OpenSSL
		\| \| \| \| \| \| (_) \| (_\| \| \__ \__ \ \|
		\|_\| \|_\| \|_\|\___/ \__,_\|___\|___/___/_\|
		\|_____\|
		@endverbatim
		* @file ssl_policies.h
		* @brief Additional Utility Functions for OpenSSL
		*
		* @defgroup MOD_SSL_UTIL Utilities
		* @ingroup MOD_SSL
		* @{
		*/

		#ifndef __SSL_POLICIES_H__
		#define __SSL_POLICIES_H__

		#define SSL_MOD_POLICIES_KEY "ssl_module_policies"

		#ifndef OPENSSL_NO_SSL3
		#define SSL_PROTOCOL_CONSTANTS_SSLV3 SSL_PROTOCOL_SSLV3
		#else
		#define SSL_PROTOCOL_CONSTANTS_SSLV3 0
		#endif

		#ifdef HAVE_TLSV1_X
		#define SSL_POLICY_LEGACY_PROTOCOLS \
		(SSL_PROTOCOL_CONSTANTS_SSLV3\|SSL_PROTOCOL_TLSV1\|SSL_PROTOCOL_TLSV1_1)
		#endif

		/* Settings for all policies */
		#define SSL_POLICY_HONOR_ORDER 1
		#define SSL_POLICY_COMPRESSION 0
		#define SSL_POLICY_SESSION_TICKETS 0
		#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE
		#define SSL_POLICY_PROXY_VERIFY_DEPTH -1

		/**
		* Define a core set of policies that are always there:
		* - 'modern' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* - 'intermediate' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* - 'old' from https://wiki.mozilla.org/Security/Server_Side_TLS
		* The JSON version can be retrieved here:
		* https://statics.tls.security.mozilla.org/server-side-tls-conf.json
		*/

		@MOZILLA_SECURITY_POLICIES@

		#endif /* __SSL_POLICIES_H__ */
		/** @} */