From: Joe Orton Date: Fri, 8 Oct 2004 11:59:33 +0000 (+0000) Subject: Fix CAN-2004-0885: X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c04fef22c7e31192f9bdc42dea4d4da2e338023;p=thirdparty%2Fapache%2Fhttpd.git Fix CAN-2004-0885: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite. Submitted by: Hartmut Keil , Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105396 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/ssl_engine_init.c b/ssl_engine_init.c index d0521171a98..2a9c7a4ef82 100644 --- a/ssl_engine_init.c +++ b/ssl_engine_init.c @@ -443,6 +443,14 @@ static void ssl_init_ctx_protocol(server_rec *s, * Configure additional context ingredients */ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); + +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + /* + * Disallow a session from being resumed during a renegotiation, + * so that an acceptable cipher suite can be negotiated. + */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif } static void ssl_init_ctx_session_cache(server_rec *s, diff --git a/ssl_engine_kernel.c b/ssl_engine_kernel.c index f1372232843..6557c1f3833 100644 --- a/ssl_engine_kernel.c +++ b/ssl_engine_kernel.c @@ -733,6 +733,21 @@ int ssl_hook_Access(request_rec *r) X509_free(peercert); } } + + /* + * Also check that SSLCipherSuite has been enforced as expected. + */ + if (cipher_list) { + cipher = SSL_get_current_cipher(ssl); + if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "SSL cipher suite not renegotiated: " + "access to %s denied using cipher %s", + r->filename, + SSL_CIPHER_get_name(cipher)); + return HTTP_FORBIDDEN; + } + } } /*