From: Joe Orton
Date: Thu, 3 Jun 2004 13:03:08 +0000 (+0000)
Subject: Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fded34ddf6d7905887ba628ce437a7af754de7f6;p=thirdparty%2Fapache%2Fhttpd.git

Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag
which uses the server's cipher preference order rather than the client's.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add cipher_server_pref field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_create, ssl_config_server_merge): Initialize and merge cipher_server_pref field.
(ssl_cmd_SSLHonorCipherOrder): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.

PR: 28665
Submitted by: Jim Shneider

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103832 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/mod_ssl.c b/mod_ssl.c
index 4c8fb13e34c..748f3b286cb 100644
--- a/mod_ssl.c
+++ b/mod_ssl.c
@@ -134,6 +134,8 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+    SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                "Use the server's cipher ordering preference")
 
     /*
      * Proxy configuration for remote SSL connections
diff --git a/ssl_engine_config.c b/ssl_engine_config.c
index 42128b2d901..5fe54a8406a 100644
--- a/ssl_engine_config.c
+++ b/ssl_engine_config.c
@@ -175,6 +175,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
     sc->vhost_id = NULL; /* set during module init */
     sc->vhost_id_len = 0; /* set during module init */
     sc->session_cache_timeout = UNSET;
+    sc->cipher_server_pref = UNSET;
 
     modssl_ctx_init_proxy(sc, p);
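Review bot: The help string on the new `HonorCipherOrder` table entry does not say which side wins when the directive is absent, and that is the security-relevant fact an admin needs: the init-time check elsewhere in this commit only sets the option when the field is explicitly TRUE, so leaving the directive out presumably keeps the client's preference order, letting a hostile peer pick the weakest suite that SSLCipherSuite still permits. Suggest `"Use the server's cipher ordering preference rather than the client's (default: client order)"`. The ssl_config_cmds[] table opens before this hunk and continues past it.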
@@ -259,6 +260,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
     cfgMerge(enabled, SSL_ENABLED_UNSET);
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
+    cfgMergeBool(cipher_server_pref);
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -664,6 +666,17 @@ static const char *ssl_cmd_check_file(cmd_parms *parms,
 }
 
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->cipher_server_pref = flag?TRUE:FALSE;
+    return NULL;
+#else
+    return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
+#endif
+}
+
 static const char *ssl_cmd_check_dir(cmd_parms *parms,
                                      const char **dir)
 {
diff --git a/ssl_engine_init.c b/ssl_engine_init.c
index e2c29b448b5..d0521171a98 100644
--- a/ssl_engine_init.c
+++ b/ssl_engine_init.c
@@ -428,6 +428,15 @@ static void ssl_init_ctx_protocol(server_rec *s,
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
 
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    {
+        SSLSrvConfigRec *sc = mySrvConfig(s);
+        if (sc->cipher_server_pref == TRUE) {
+            SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+        }
+    }
+#endif
+
     SSL_CTX_set_app_data(ctx, s);
 
     /*
diff --git a/ssl_private.h b/ssl_private.h
index 246c8c42141..8b79b7e7e0b 100644
--- a/ssl_private.h
+++ b/ssl_private.h
@@ -434,6 +434,7 @@ struct SSLSrvConfigRec {
     const char *vhost_id;
     int vhost_id_len;
     int session_cache_timeout;
+    BOOL cipher_server_pref;
     modssl_ctx_t *server;
     modssl_ctx_t *proxy;
 };
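Review bot: The message returned from the `#else` branch of ssl_cmd_SSLHonorCipherOrder misspells the directive as `SSLHonorCiperOrder`, so an admin whose OpenSSL predates SSL_OP_CIPHER_SERVER_PREFERENCE will get a startup error that does not match the directive they wrote; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. Failing hard here rather than silently accepting the directive is the right choice, since an admin who set it is relying on server-side ordering and a silent no-op would leave them with the client's order while believing otherwise — a one-line comment above the `#else` saying so would stop a future cleanup from "softening" it. A brief header comment would also help: this is the handler for the per-server FLAG directive, `dcfg` is unused because the setting lives in the server config, and `flag` is normalised to TRUE/FALSE so the init-time `== TRUE` test elsewhere in this commit works.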
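Review bot: The `sc->cipher_server_pref == TRUE` test in the new block of ssl_init_ctx_protocol needs a why-comment, because the obvious "simplification" to `if (sc->cipher_server_pref)` would be wrong: the field is initialised to UNSET in ssl_config_server_new, and if UNSET is a nonzero sentinel (presumably -1, as for the other UNSET fields) the truthiness form would switch every vhost that never mentioned the directive to server preference. Suggest `/* UNSET is neither FALSE nor TRUE: only an explicit SSLHonorCipherOrder On enables server ordering */` on the `if` line. It is also worth one sentence on why the option matters, since this is the downgrade-resistance knob: without SSL_OP_CIPHER_SERVER_PREFERENCE the client's ClientHello order selects the suite, so the weakest entry still allowed by SSLCipherSuite can be forced by the peer. The function ssl_init_ctx_protocol begins before this hunk and continues after it.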
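Review bot: The new `BOOL cipher_server_pref;` member in struct SSLSrvConfigRec carries no pointer to the directive that sets it or to its three-valued state, which is the information a reader of the header most needs before touching the merge or init code; suggest `BOOL cipher_server_pref; /* SSLHonorCipherOrder: TRUE/FALSE, UNSET until configured */`. The struct definition starts before this hunk.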
@@ -487,6 +488,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
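Review bot: The added prototype names its parameters (`cmd`, `dcfg`, `flag`) while every neighbouring ssl_cmd_* declaration in this run leaves them unnamed; for consistency with the surrounding block use `const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);`. The `int` third parameter is the one thing that genuinely differs from its `const char *` neighbours (this is a FLAG directive rather than a TAKE1 one), so that difference, not the parameter names, is what a reader should notice.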