Commit b21c91ae authored by Joe Orton's avatar Joe Orton

Backport fix for CAN-2004-0885:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.

PR: 31505
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
Reviewed by: jorton, pquerna, minfrin, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105732 13f79535-47bb-0310-9956-ffa450edef68
parent c19173a9
+8 −0
@@ -439,6 +439,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
     * Configure additional context ingredients
     */
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);

#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    /* 
     * Disallow a session from being resumed during a renegotiation,
     * so that an acceptable cipher suite can be negotiated.
     */
    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
}

static void ssl_init_ctx_session_cache(server_rec *s,
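Review bot: The `#ifdef` silently drops this protection on OpenSSL builds that do not define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, and on those builds a renegotiation may still resume the old session with its old cipher, so the only remaining safeguard is the post-renegotiation check in ssl_hook_Access, which then denies the request instead of the client getting a chance to pick an acceptable suite. An `#else` branch stating that would save the next reader a trip to the other file, e.g. `/* Older OpenSSL: a resumed cipher is verified in ssl_hook_Access and the request denied if it is not acceptable. */`. The opening `/* ` of the new comment also carries trailing whitespace. ssl_init_ctx_protocol begins outside the hunk.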
+15 −0
@@ -719,6 +719,21 @@ int ssl_hook_Access(request_rec *r)
                X509_free(peercert);
            }
        }
        
        /*
         * Also check that SSLCipherSuite has been enforced as expected.
         */
        if (cipher_list) {
            cipher = SSL_get_current_cipher(ssl);
            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                             "SSL cipher suite not renegotiated: "
                             "access to %s denied using cipher %s",
                              r->filename,
                              SSL_CIPHER_get_name(cipher));
                return HTTP_FORBIDDEN;
            }
        }
    }

    /*
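Review bot: `SSL_get_current_cipher(ssl)` may return NULL when no handshake has completed, and the new check passes that value straight into `sk_SSL_CIPHER_find` and `SSL_CIPHER_get_name`; an explicit guard makes the deny path obvious rather than relying on those OpenSSL functions tolerating NULL, e.g. `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {`. The comment above the block could also say why the check is needed, since "enforced as expected" does not tell the reader what can go wrong, e.g. `/* The renegotiated handshake may have resumed the old session; verify the cipher actually in use is in the per-directory list before granting access. */`. The argument indentation in the ap_log_rerror call is uneven (`r->filename` and the following line sit one column past the format strings). ssl_hook_Access and the block this check sits in begin outside the hunk, so where cipher_list comes from is not visible here.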