From: Dirk-Willem van Gulik <dirkx@apache.org>
Date: Mon, 6 Mar 2023 17:46:04 +0000 (+0000)
Subject: Add SSL_SHARED_CIPHER environment variable
X-Git-Tag: 2.5.0-alpha2-ci-test-only~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3067b17275823708de743be1e828dbd5db3a8b4e;p=thirdparty%2Fapache%2Fhttpd.git

Add SSL_SHARED_CIPHER environment variable

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908132 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 45af2a73d33..e09c05ea5f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) Add a SSL_SHARED_CIPHER environment variable with the list of
+     client/server permitted ciphers. [Dirk-Willem van Gulik]
+
   *) mod_http2: field values (headers and trailers) are stripped of
      leading/trailing whitespace (space +htab) before being processed
      or send in a response. This is compatible behaviour to HTTP/1.1
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index dbe3345da79..248fe752477 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -66,7 +66,8 @@ compatibility variables.</p>
 <tr><td><code>SSL_SESSION_ID</code></td>                <td>string</td>    <td>The hex-encoded SSL session id</td></tr>
 <tr><td><code>SSL_SESSION_RESUMED</code></td>           <td>string</td>    <td>Initial or Resumed SSL Session.  Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
 <tr><td><code>SSL_SECURE_RENEG</code></td>              <td>string</td>    <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
-<tr><td><code>SSL_CIPHER</code></td>                    <td>string</td>    <td>The cipher specification name</td></tr>
+<tr><td><code>SSL_SHARED_CIPHERS</code></td>            <td>string</td>    <td>Colon separated list of shared ciphers (i.e. the subset of ciphers that are configured on both server and on the client)</td></tr>
+<tr><td><code>SSL_CIPHER</code></td>                    <td>string</td>    <td>The name of the cipher agreed between client and server</td></tr>
 <tr><td><code>SSL_CIPHER_EXPORT</code></td>             <td>string</td>    <td><code>true</code> if cipher is an export cipher</td></tr>
 <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (actually used)</td></tr>
 <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (possible)</td></tr>
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index b5f5379a89e..885d3f3d674 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1532,6 +1532,7 @@ static const char *const ssl_hook_Fixup_vars[] = {
     "SSL_SERVER_A_SIG",
     "SSL_SESSION_ID",
     "SSL_SESSION_RESUMED",
+    "SSL_SHARED_CIPHERS",
 #ifdef HAVE_SRP
     "SSL_SRP_USER",
     "SSL_SRP_USERINFO",
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index af6c4de1b7c..6ba70fcecbb 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -506,6 +506,11 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
         result = ssl_var_lookup_ssl_compress_meth(ssl);
     }
+    else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) {
+        char buf[ 1024 * 16 ];
+        if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf)))
+               result = apr_pstrdup(p,buf);
+    }
 #ifdef HAVE_TLSEXT
     else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
         result = apr_pstrdup(p, SSL_get_servername(ssl,