From: Rainer Jung
Date: Wed, 5 Jun 2013 14:44:02 +0000 (+0000)
Subject: mod_ssl: Backport SSLHonorCipher
X-Git-Tag: 2.0.65~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=609402ececd3e294ec5cec528d94b27006c8ba5c;p=thirdparty%2Fapache%2Fhttpd.git
mod_ssl: Backport SSLHonorCipher
PR 28665.
Backport of r103832 and r103837 from trunk.
Proposed/Backported by: rjung
Reviewed by: humbedooh, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1489890 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 896766aa0fd..610e9d93290 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,6 +28,11 @@ Changes with Apache 2.0.65
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
+ *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
+ OpenSSL 0.9.7 flag which uses the server's cipher order rather
+ than the client's. PR 28665.
+ [Jim Schneider ]
+
*) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
including multiple INCLUDES filters. PR 39369 [Joe Orton]
diff --git a/STATUS b/STATUS
index 531568a6005..d562ec6e6c6 100644
--- a/STATUS
+++ b/STATUS
@@ -188,13 +188,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Backport SSLHonorCipher
- Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=103832
- http://svn.apache.org/viewvc?view=revision&revision=103837
- http://svn.apache.org/viewvc?view=revision&revision=966160
- Backport: http://people.apache.org/~rjung/patches/sslhonorcipher-2.0.patch
- +1: rjung, humbedooh, wrowe
-
* htdigest: Fix buffer overflow when reading digest
password file with very long lines. PR 54893.
trunk patch: https://svn.apache.org/r1475878
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
index 053b31f0e83..d771d3ce144 100644
--- a/docs/manual/mod/mod_ssl.html.en
+++ b/docs/manual/mod/mod_ssl.html.en
@@ -56,6 +56,7 @@ to provide the cryptography engine.
SSLCertificateKeyFile
SSLCipherSuite
SSLEngine
+
SSLHonorCipherOrder
SSLInsecureRenegotiation
SSLMutex
SSLOptions
@@ -520,6 +521,24 @@ SSLEngine on
</VirtualHost>
+
+
+
+
+
When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
+the client's preference is used. If this directive is enabled, the
+server's preference will be used instead.
+
Example
+SSLHonorCipherOrder on
+
+

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 14318108bd8..4a2a1e8224c 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1511,6 +1511,24 @@ SSLUserName SSL_CLIENT_S_DN_CN
+
+SSLHonorCipherOrder
+Option to prefer the server's cipher preference order
+SSLHonorCipherOrder flag
+server config
+virtual host
+Available in Apache 2.0.65 and later, if using OpenSSL 0.9.7 or later
+
+
+When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
+the client's preference is used. If this directive is enabled, the
+server's preference will be used instead.
+Example
+SSLHonorCipherOrder on
+
+
+
+
SSLInsecureRenegotiation
Option to enable support for insecure renegotiation
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index dd22ec9a8a3..ea8d03c31e8 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -134,6 +134,8 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
SSL_CMD_ALL(UserName, TAKE1,
"Set user name to SSL variable value")
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 6f69c26f390..0e06df3346e 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -496,6 +496,7 @@ struct SSLSrvConfigRec {
const char *vhost_id;
int vhost_id_len;
int session_cache_timeout;
+ BOOL cipher_server_pref;
BOOL insecure_reneg;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
@@ -551,6 +552,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index f597d2a483d..5cd76c89485 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -176,6 +176,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET;
+ sc->cipher_server_pref = UNSET;
sc->insecure_reneg = UNSET;
modssl_ctx_init_proxy(sc, p);
@@ -261,6 +262,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
+ cfgMergeBool(cipher_server_pref);
cfgMergeBool(insecure_reneg);
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -673,6 +675,17 @@ static const char *ssl_cmd_check_file(cmd_parms *parms,
}
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->cipher_server_pref = flag?TRUE:FALSE;
+ return NULL;
+#else
+ return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
+#endif
+}
+
const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
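Review bot: The error string returned from the `#else` branch of ssl_cmd_SSLHonorCipherOrder misspells the directive name ("SSLHonorCiperOrder"), so an admin whose OpenSSL lacks SSL_OP_CIPHER_SERVER_PREFERENCE will get a config-time error naming a directive that does not exist; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. Failing configuration loudly on unsupported libraries is the right behaviour here, since silently ignoring the directive would leave the operator believing server cipher order is enforced when it is not. As a point of style, the assignment would be more readable spaced as `sc->cipher_server_pref = flag ? TRUE : FALSE;`, matching the spacing used elsewhere in the file. A one-line comment above the function, `/* SSLHonorCipherOrder: prefer the server's cipher order over the client's (needs OpenSSL 0.9.7+) */`, would also document the library dependency that the CHANGES entry mentions.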
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 92c3395d7a1..03772d3b40c 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -415,6 +415,12 @@ static void ssl_init_ctx_protocol(server_rec *s,
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
}
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
+
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
if (sc->insecure_reneg == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
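Review bot: The new `SSL_OP_CIPHER_SERVER_PREFERENCE` block has no comment explaining what the option does or why it is guarded by `#ifdef`, unlike the directive it mirrors; a short comment such as `/* SSLHonorCipherOrder: let the server's SSLCipherSuite order win over the client's; the flag only exists from OpenSSL 0.9.7 */` would make the intent clear to the next reader. Note that SSL_CTX_set_options only adds bits, so there is no code path that clears the option; that is fine for a freshly created ctx but worth stating if the ctx can ever be reused. The enclosing ssl_init_ctx_protocol starts outside this hunk, so I cannot confirm where `sc` is bound here beyond its use in the neighbouring insecure_reneg check.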
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 60133f7c4ab..ad619fb23cf 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -347,8 +347,13 @@ int ssl_hook_Access(request_rec *r)
sk_SSL_CIPHER_free(cipher_list_old);
}
- /* tracing */
if (renegotiate) {
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
+ /* tracing */
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Reconfigured cipher suite will force renegotiation");
}
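Review bot: The re-application of `SSL_OP_CIPHER_SERVER_PREFERENCE` on the per-connection `ssl` object inside `if (renegotiate)` needs a comment saying why it is required, since the same option is already set on the SSL_CTX in ssl_init_ctx_protocol and an SSL object normally inherits its ctx options; if it is needed because this renegotiation path can lose or override the ctx-level options, say so, otherwise the block appears redundant. Suggested comment: `/* per-dir SSLCipherSuite forces renegotiation; make sure the server's cipher order still wins for the new handshake */`. ssl_hook_Access begins outside this hunk, so the origin of `sc` and `ssl` cannot be confirmed from the visible lines.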