Commit 9329dc4f authored by Joe Orton's avatar Joe Orton

Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag

which uses the server's cipher preference order rather than the
client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68
parent 38dba79c
+2 −0
@@ -134,6 +134,8 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(Protocol, RAW_ARGS,
                "Enable or disable various SSL protocols"
                "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")

    /* 
     * Proxy configuration for remote SSL connections
+13 −0
@@ -175,6 +175,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
    sc->vhost_id               = NULL;  /* set during module init */
    sc->vhost_id_len           = 0;     /* set during module init */
    sc->session_cache_timeout  = UNSET;
    sc->cipher_server_pref     = UNSET;

    modssl_ctx_init_proxy(sc, p);

@@ -259,6 +260,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
    cfgMerge(enabled, SSL_ENABLED_UNSET);
    cfgMergeBool(proxy_enabled);
    cfgMergeInt(session_cache_timeout);
    cfgMergeBool(cipher_server_pref);

    modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);

@@ -664,6 +666,17 @@ static const char *ssl_cmd_check_file(cmd_parms *parms,

}

const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    sc->cipher_server_pref = flag?TRUE:FALSE;
    return NULL;
#else
    return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
#endif
}

static const char *ssl_cmd_check_dir(cmd_parms *parms,
                                     const char **dir)
{
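Review bot: The error string returned on the `#else` path of `ssl_cmd_SSLHonorCipherOrder` misspells the directive as `SSLHonorCiperOrder`; this is the only text an administrator sees when the linked SSL library lacks the option, so it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. The assignment `sc->cipher_server_pref = flag?TRUE:FALSE;` would match the surrounding file better spaced as `flag ? TRUE : FALSE`. A one-line comment above the function stating that it records the directive as TRUE/FALSE while the field otherwise stays UNSET (as initialised in ssl_config_server_new above) would make the tri-state handling in the init code easier to follow.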
+9 −0
@@ -428,6 +428,15 @@ static void ssl_init_ctx_protocol(server_rec *s,
        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
    }

#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
    {
        SSLSrvConfigRec *sc = mySrvConfig(s);
        if (sc->cipher_server_pref == TRUE) {
            SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
        }
    }
#endif

    SSL_CTX_set_app_data(ctx, s);

    /*
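Review bot: The new `SSL_OP_CIPHER_SERVER_PREFERENCE` block in `ssl_init_ctx_protocol` carries no comment explaining why the server's order is preferred, which is the security-relevant intent of the option; I would add `/* Honour the server's SSLCipherSuite ordering over the client's, so a client cannot steer negotiation to the weakest cipher the server still permits. */` above the `if`. The comparison `sc->cipher_server_pref == TRUE` is correct rather than a style slip, because the field is initialised to UNSET and merged with cfgMergeBool, so it can still be UNSET here and only an explicit `on` should enable the option; a short comment saying so would stop a later cleanup from "simplifying" it to a truth test. If this function is also used to build the proxy client-side context (I cannot tell from the hunk), the option is harmless there but the block would read more clearly if it were limited to the server context. ssl_init_ctx_protocol begins before the hunk.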
+2 −0
@@ -434,6 +434,7 @@ struct SSLSrvConfigRec {
    const char      *vhost_id;
    int              vhost_id_len;
    int              session_cache_timeout;
    BOOL             cipher_server_pref;
    modssl_ctx_t    *server;
    modssl_ctx_t    *proxy;
};
@@ -487,6 +488,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
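Review bot: The new prototype for `ssl_cmd_SSLHonorCipherOrder` names its parameters while every neighbouring `ssl_cmd_*` declaration in this list leaves them unnamed; for consistency it should read `const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);`. The `cipher_server_pref` member added to `struct SSLSrvConfigRec` would also benefit from a trailing comment such as `/* SSLHonorCipherOrder: UNSET until set, then TRUE/FALSE */`, since it is initialised to UNSET in ssl_config_server_new and is therefore tri-state rather than a plain boolean.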