Commit c8931f5a authored by Rainer Jung

mod_ssl: Backport SSLHonorCipher

PR 28665.

Backport of r103832 and r103837 from trunk.

Proposed/Backported by: rjung
Reviewed by: humbedooh, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1489890 13f79535-47bb-0310-9956-ffa450edef68
parent f069eb0e
+5 −0
@@ -28,6 +28,11 @@ Changes with Apache 2.0.65
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
     OpenSSL 0.9.7 flag which uses the server's cipher order rather
     than the client's.  PR 28665.
     [Jim Schneider <jschneid netilla.com>]

  *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
     including multiple INCLUDES filters. PR 39369 [Joe Orton]

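Review bot: The CHANGES entry does not state the directive's default. Since the docs in this same commit say the client's preference is used "normally" and the server's only "if this directive is enabled", a short "(default: off)" in the entry would tell upgraders that 2.0.65 behaves as before unless they opt in.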
+0 −7
@@ -188,13 +188,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  * mod_ssl: Backport SSLHonorCipher
    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=103832
                 http://svn.apache.org/viewvc?view=revision&revision=103837
                 http://svn.apache.org/viewvc?view=revision&revision=966160
    Backport: http://people.apache.org/~rjung/patches/sslhonorcipher-2.0.patch
    +1: rjung, humbedooh, wrowe

  * htdigest: Fix buffer overflow when reading digest
    password file with very long lines. PR 54893.
    trunk patch: https://svn.apache.org/r1475878
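Review bot: The STATUS entry being removed lists three trunk revisions (r103832, r103837 and r966160), but the commit message says only r103832 and r103837 were backported. Either r966160 was folded into the backport patch and the log message should say so, or it was intentionally left out and that should be recorded, so that a later reader of the 2.0.x history knows which trunk behaviour this branch actually carries.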
+19 −0
@@ -56,6 +56,7 @@ to provide the cryptography engine.</p>
<li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslciphersuite">SSLCipherSuite</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslengine">SSLEngine</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslhonorcipherorder">SSLHonorCipherOrder</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslinsecurerenegotiation">SSLInsecureRenegotiation</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslmutex">SSLMutex</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
@@ -520,6 +521,24 @@ SSLEngine on<br />
&lt;/VirtualHost&gt;
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.0.65 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
the client's preference is used.  If this directive is enabled, the
server's preference will be used instead.</p>
<div class="example"><h3>Example</h3><p><code>
SSLHonorCipherOrder on
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLInsecureRenegotiation" id="SSLInsecureRenegotiation">SSLInsecureRenegotiation</a> <a name="sslinsecurerenegotiation" id="sslinsecurerenegotiation">Directive</a></h2>
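Review bot: The directive table for SSLHonorCipherOrder has Description, Syntax, Context, Status, Module and Compatibility rows but no Default row. For a flag directive whose whole effect is opt-in, a "Default: SSLHonorCipherOrder off" row would make the behaviour explicit instead of leaving readers to infer it from "normally the client's preference is used". Since this is generated HTML, the row should be added in the .xml source and the HTML regenerated rather than edited here.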
+18 −0
@@ -1511,6 +1511,24 @@ SSLUserName SSL_CLIENT_S_DN_CN
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLHonorCipherOrder</name>
<description>Option to prefer the server's cipher preference order</description>
<syntax>SSLHonorCipherOrder <em>flag</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in Apache 2.0.65 and later, if using OpenSSL 0.9.7 or later</compatibility>

<usage>
<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
the client's preference is used.  If this directive is enabled, the
server's preference will be used instead.</p>
<example><title>Example</title>
SSLHonorCipherOrder on
</example>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLInsecureRenegotiation</name>
<description>Option to enable support for insecure renegotiation</description>
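Review bot: The usage text says the "server's preference" is used when the directive is enabled but never says where that preference comes from. Add one sentence pointing at SSLCipherSuite, for example: "The server's preference is the order in which suites are listed in SSLCipherSuite", so administrators understand that enabling this directive only helps if their SSLCipherSuite string is ordered strongest-first.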
+2 −0
@@ -134,6 +134,8 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(Protocol, RAW_ARGS,
                "Enable or disable various SSL protocols"
                "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")
    SSL_CMD_ALL(UserName, TAKE1,
		"Set user name to SSL variable value")
    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
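Review bot: This hunk only registers the HonorCipherOrder command with a FLAG handler; the handler body and the place where the resulting setting is applied to the OpenSSL context are not visible in this rendering of the commit. The docs added in the same commit state the directive works "if using OpenSSL 0.9.7 or later", so the reviewer should confirm that the code applying the flag is guarded by the corresponding OpenSSL version check and that enabling the directive on an older OpenSSL produces a clear configuration error rather than being silently ignored. Minor: the existing UserName line uses a tab where neighbouring lines use spaces; worth normalising while touching this table.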