default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039
13f79535-47bb-0310-9956-
ffa450edef68
"('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
+ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+ "Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1,
"Set user name to SSL variable value")
SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET;
sc->cipher_server_pref = UNSET;
+ sc->insecure_reneg = UNSET;
sc->ssl_log_level = SSL_LOG_UNSET;
sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
cfgMergeBool(cipher_server_pref);
+ cfgMergeBool(insecure_reneg);
cfgMerge(ssl_log_level, SSL_LOG_UNSET);
cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
#endif
}
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->insecure_reneg = flag?TRUE:FALSE;
+ return NULL;
+#else
+ return "SSLInsecureRenegotiation is not supported by the SSL library";
+#endif
+}
+
+
static const char *ssl_cmd_check_dir(cmd_parms *parms,
const char **dir)
{
MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
char *cp;
int protocol = mctx->protocol;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
/*
* Create the new per-server SSL context
}
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
- {
- SSLSrvConfigRec *sc = mySrvConfig(s);
- if (sc->cipher_server_pref == TRUE) {
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ if (sc->insecure_reneg == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
#endif
r->connection->keepalive = AP_CONN_CLOSE;
}
- /* do a full renegotiation */
+ /* Perform a full renegotiation. */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Performing full renegotiation: "
- "complete handshake protocol");
+ "Performing full renegotiation: complete handshake "
+ "protocol (%s support secure renegotiation)",
+#if defined(SSL_get_secure_renegotiation_support)
+ SSL_get_secure_renegotiation_support(ssl) ?
+ "client does" : "client does not"
+#else
+ "server does not"
+#endif
+ );
SSL_set_session_id_context(ssl,
(unsigned char *)&id,
int vhost_id_len;
int session_cache_timeout;
BOOL cipher_server_pref;
+ BOOL insecure_reneg;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
ssl_log_level_e ssl_log_level;
const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
projects / thirdparty / apache / httpd.git / commitdiff
