Commit b84b8648 authored by Yann Ylavic's avatar Yann Ylavic
Browse files

Merge r1526168, r1527291, r1527295, r1563420, r1588851, r1666363, r1679470


r1526168 | kbrand | 2013-09-25 14:52:35 +0200 (Wed, 25 Sep 2013) | 21 lines

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E


r1527291 | kbrand | 2013-09-29 11:36:31 +0200 (Sun, 29 Sep 2013) | 9 lines

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


r1527295 | kbrand | 2013-09-29 12:35:46 +0200 (Sun, 29 Sep 2013) | 20 lines

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the
  SSLCertificateFile directive, and adapt its documentation
  accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,
  use them based on the length of the certificate's RSA/DSA key,
  and add a FAQ entry for clients which limit DH support
  to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
  ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.


r1563420 | kbrand | 2014-02-01 15:04:23 +0100 (Sat, 01 Feb 2014) | 3 lines

enable auto curve selection for ephemeral ECDH keys
when compiled against OpenSSL 1.0.2 or later


r1588851 | kbrand | 2014-04-21 08:39:24 +0200 (Mon, 21 Apr 2014) | 3 lines

ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the
one actually used for the connection before calling SSL_get_privatekey(ssl)


r1666363 | jkaluza | 2015-03-13 08:32:46 +0100 (Fri, 13 Mar 2015) | 4 lines

* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
otherwise eckey will not be freed.


r1679470 | ylavic | 2015-05-15 00:38:20 +0200 (Fri, 15 May 2015) | 5 lines

mod_ssl: follow up to r1527291.
Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for
SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was
not yet included by default.


Reviewed by: ylavic, wrowe, rjung
Backported by: ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680916 13f79535-47bb-0310-9956-ffa450edef68
parent d599209c
Loading
Loading
Loading
Loading
+10 −0
Original line number Diff line number Diff line
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.30

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
 
  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite). [Kaspar Brand]

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]
+0 −21
Original line number Diff line number Diff line
@@ -108,27 +108,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     ylavic: trunk/2.4.x not concerned, 2.2.x only.
     +1: ylavic, jkaluza, wrowe

   * mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size.  Also drop
     support for export-grade ciphers with ephemeral RSA keys, and
     unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite).
     trunk patch: http://svn.apache.org/r1526168
                  http://svn.apache.org/r1527291
                  http://svn.apache.org/r1527295
                  http://svn.apache.org/r1563420
                  http://svn.apache.org/r1588851
                  http://svn.apache.org/r1666363
                  http://svn.apache.org/r1679470
     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-mod_ssl-improved_EDH-v2.patch
     +1: ylavic, wrowe, rjung
     ylavic: tested with openssl 0.9.7a, 0.9.8o, 1.0.1m and 1.0.2a with 1024
             and 2048 bits certificates (modulus), using EDH and ECDH ciphers.
             v2 to include r1679470

   * mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. PR 57100.
     trunk patch: http://svn.apache.org/r1653997
     2.4.x patch: merged in http://svn.apache.org/r1663258
+37 −6
Original line number Diff line number Diff line
@@ -691,6 +691,15 @@ prefixes are:</p>
<li><code>-</code>: remove cipher from list (can be added later again)</li>
<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
</ul>

<note>
<title><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
ciphers are always disabled</title>
<p>Beginning with version 2.2.30, null and export-grade
ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p>
</note>

<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
-v</code>'' command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
@@ -767,12 +776,34 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

<usage>
<p>
This directive points to the PEM-encoded Certificate file for the server and
optionally also to the corresponding RSA or DSA Private Key file for it
(contained in the same file). If the contained Private Key is encrypted the
Pass Phrase dialog is forced at startup time. This directive can be used up to
three times (referencing different filenames) when both a RSA, a DSA, and an
ECC based server certificate is used in parallel.</p>
This directive points to the file with the PEM-encoded certificate,
optionally also the corresponding private key, and - beginning with
version 2.2.30 - DH parameters and/or an EC curve name
for ephemeral keys (as generated by <code>openssl dhparam</code>
and <code>openssl ecparam</code>, respectively). If the private key
is encrypted, the pass phrase dialog is forced at startup time.
</p>
<p>
This directive can be used up to three times (referencing different filenames)
when both an RSA, a DSA, and an ECC based server certificate is used in
parallel. Note that DH and ECDH parameters are only read from the first
<directive>SSLCertificateFile</directive> directive.</p>

<note>
<title>DH parameter interoperability with primes > 1024 bit</title>
<p>
Beginning with version 2.2.30, mod_ssl makes use of
standardized DH parameters with prime lengths of 2048, 3072, 4096, 6144 and
8192 bits (from <a href="http://www.ietf.org/rfc/rfc3526.txt">RFC 3526</a>),
and hands them out to clients based on the length of the certificate's RSA/DSA
key.
With Java-based clients in particular (Java 7 or earlier), this may lead
to handshake failures - see this
<a href="../ssl/ssl_faq.html#javadh">FAQ answer</a> for working around
such issues.
</p>
</note>

<example><title>Example</title>
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
</example>
+33 −0
Original line number Diff line number Diff line
@@ -684,6 +684,7 @@ HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer
<li><a href="#nn">Why do I get I/O errors, or the message "Netscape has 
encountered bad data from the server", when connecting via
HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li>
<li><a href="#javadh">Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?</a></li>
</ul>

<section id="random"><title>Why do I get lots of random SSL protocol 
@@ -929,6 +930,38 @@ HTTPS to an Apache+mod_ssl server with Netscape Navigator?</title>
    implementation is correct, so when you encounter I/O errors with Netscape
    Navigator it is usually caused by the configured certificates.</p>
</section>

<section id="javadh"><title>Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?</title>
    <p>Beginning with version 2.2.30,
    <module>mod_ssl</module> will use DH parameters which include primes
    with lengths of more than 1024 bits. Java 7 and earlier limit their
    support for DH prime sizes to a maximum of 1024 bits, however.</p>

    <p>If your Java-based client aborts with exceptions such as
    <code>java.lang.RuntimeException: Could not generate DH keypair</code> and
    <code>java.security.InvalidAlgorithmParameterException: Prime size must be
    multiple of 64, and can only range from 512 to 1024 (inclusive)</code>,
    and httpd logs <code>tlsv1 alert internal error (SSL alert number 80)</code>
    (at <directive module="core">LogLevel</directive> <code>info</code>
    or higher), you can either rearrange mod_ssl's cipher list with
    <directive module="mod_ssl">SSLCipherSuite</directive>
    (possibly in conjunction with <directive module="mod_ssl">SSLHonorCipherOrder</directive>),
    or you can use the <directive module="mod_ssl">SSLCertificateFile</directive>
    directive to configure custom DH parameters with a 1024-bit prime, which
    will always have precedence over any of the built-in DH parameters.</p>

    <p>To generate custom DH parameters, use the <code>openssl dhparam</code>
    command. Alternatively, you can append the following standard 1024-bit DH
    parameters from <a href="http://www.ietf.org/rfc/rfc2409.txt">RFC 2409</a>,
    section 6.2 to the respective
    <directive module="ssl">SSLCertificateFile</directive> file:</p>
    <example><pre>-----BEGIN DH PARAMETERS-----
MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
-----END DH PARAMETERS-----</pre></example>
</section>

</section>
<!-- /aboutssl -->

+0 −9
Original line number Diff line number Diff line
@@ -444,15 +444,6 @@ int ssl_init_ssl_connection(conn_rec *c)

    sslconn->ssl = ssl;

    /*
     *  Configure callbacks for SSL connection
     */
    SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
    SSL_set_tmp_dh_callback(ssl,  ssl_callback_TmpDH);
#ifndef OPENSSL_NO_EC
    SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
#endif

    SSL_set_verify_result(ssl, X509_V_OK);

    ssl_io_filter_init(c, ssl);
Loading