authorOtto Moerbeek <otto@cvs.openbsd.org>2013-07-11 12:41:53 +0000
committerOtto Moerbeek <otto@cvs.openbsd.org>2013-07-11 12:41:53 +0000
commit97d5c0f1769d3b6b0c70c9c2f8346ddb9eb478d1 (patch)
tree41bd5c0383c06b10bc22c0e1d77f06948c22eaac
parentee6dc9571fd1deb4ea9194d98e65482a1fae3e0b (diff)
introduce HonorCipherOrder to use the server's order of preference of ciphers
ok djm@ guenther@
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.c5
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.h2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c10
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c5
5 files changed, 23 insertions, 3 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index 21c53558626..c516b4ae845 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -74,7 +74,7 @@
* identify the module to SCCS `what' and RCS `ident' commands
*/
static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.10 2007/10/14 15:12:59 krw Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.11 2013/07/11 12:41:52 otto Exp $";
/*
* the table of configuration directives we provide
@@ -107,6 +107,9 @@ static command_rec ssl_config_cmds[] = {
AP_SRV_CMD(Engine, FLAG,
"SSL switch for the protocol engine "
"(`on', `off')")
+ AP_SRV_CMD(HonorCipherOrder, TAKE1,
+ "Let the server determine preferred ciphers "
+ "(`on', `off'")
AP_ALL_CMD(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
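Review bot: The new directive is registered as `TAKE1`, but its handler `ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int)` (declared in mod_ssl.h, defined in ssl_engine_config.c in this same commit) has the `int` third parameter of a FLAG handler, exactly like the neighbouring `SSLEngine` entry, which is registered as `FLAG`. If AP_SRV_CMD follows the usual Apache command-table convention, a TAKE1 handler is called with the argument as a `char *`, so `flag` would carry a (possibly truncated) pointer value rather than 0/1 and `HonorCipherOrder off` could be treated as `on`. The entry should read `AP_SRV_CMD(HonorCipherOrder, FLAG,`. The help string on the following two lines is also missing the closing parenthesis that the `SSLEngine` description above it has.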
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 505104d50b6..c4529bf2c3d 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -516,6 +516,7 @@ typedef struct {
char *szCipherSuite;
FILE *fileLogFile;
int nLogLevel;
+ BOOL cipher_server_pref;
int nVerifyDepth;
ssl_verify_t nVerifyClient;
X509 *pPublicCert[SSL_AIDX_MAX];
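Review bot: The new field `cipher_server_pref` breaks the naming convention of the surrounding struct, whose members carry a type prefix (`szCipherSuite`, `nLogLevel`, `nVerifyDepth`); a `b`-prefixed name would match the existing style. It would also help to document the three states the field can hold, since the init code sets it to UNSET and only TRUE enables the option: `BOOL cipher_server_pref; /* HonorCipherOrder: UNSET, TRUE or FALSE */`. The enclosing typedef starts and ends outside this hunk.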
@@ -589,6 +590,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index abf0a93b4b3..7929468cc8c 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -197,6 +197,7 @@ void *ssl_config_server_create(pool *p, server_rec *s)
sc->szLogFile = NULL;
sc->szCipherSuite = NULL;
sc->nLogLevel = SSL_LOG_NONE;
+ sc->cipher_server_pref = UNSET;
sc->nVerifyDepth = UNSET;
sc->nVerifyClient = SSL_CVERIFY_UNSET;
sc->nSessionCacheTimeout = UNSET;
@@ -252,6 +253,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv)
cfgMergeString(szCertificateChain);
cfgMergeString(szLogFile);
cfgMergeString(szCipherSuite);
+ cfgMergeBool(cipher_server_pref);
cfgMerge(nLogLevel, SSL_LOG_NONE);
cfgMergeInt(nVerifyDepth);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
@@ -530,6 +532,14 @@ const char *ssl_cmd_SSLEngine(
return NULL;
}
+const char *ssl_cmd_SSLHonorCipherOrder(
+ cmd_parms *cmd, char *struct_ptr, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->cipher_server_pref = flag?TRUE:FALSE;
+ return NULL;
+}
+
const char *ssl_cmd_SSLCipherSuite(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
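Review bot: The ternary in the new handler is written without spaces, `sc->cipher_server_pref = flag?TRUE:FALSE;`, which is inconsistent with the spacing used elsewhere in this file; `sc->cipher_server_pref = flag ? TRUE : FALSE;` reads better. A one-line comment above the function stating its purpose would match the other `ssl_cmd_*` handlers, for example `/* HonorCipherOrder on|off: prefer the server's cipher order over the client's */`. The `struct_ptr` parameter is unused, as in the neighbouring handlers, so no change is needed there.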
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 61a9a5b3594..8720f236134 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_engine_init.c,v 1.28 2012/07/07 17:08:17 sthen Exp $ */
+/* $OpenBSD: ssl_engine_init.c,v 1.29 2013/07/11 12:41:52 otto Exp $ */
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
@@ -589,6 +589,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ if (sc->cipher_server_pref == TRUE)
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_app_data(ctx, s);
sc->pSSLCtx = ctx;
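Review bot: The new check compares against `TRUE` explicitly, which means the `UNSET` value assigned in `ssl_config_server_create` (directive absent) leaves the option off and keeps the previous client-preference behaviour; that intent is worth stating in a comment since the protocol checks just above use plain truth tests. Suggested: `/* HonorCipherOrder: only an explicit "on" (not UNSET) makes the server's cipher order win */` above the `if`. The enclosing function `ssl_init_ConfigureServer` starts and ends outside this hunk.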
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 15a1e124418..89823934f68 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -801,9 +801,12 @@ int ssl_hook_Access(request_rec *r)
if (skCipherOld != NULL)
sk_SSL_CIPHER_free(skCipherOld);
/* tracing */
- if (renegotiate)
+ if (renegotiate) {
+ if (sc->cipher_server_pref == TRUE)
+ SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
ssl_log(r->server, SSL_LOG_TRACE,
"Reconfigured cipher suite will force renegotiation");
+ }
}
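Review bot: The `/* tracing */` comment now heads a block that also changes the SSL object's options, so the new `SSL_set_options` call reads as part of the trace logging; either move the option-setting above that comment or give it its own comment. Since `SSL_new` normally inherits the options of the context it was created from, and the context here is already configured in ssl_engine_init.c, this re-application is presumably only needed when the request's server config differs from the one whose context created `ssl`; if that is the reason, say so, e.g. `/* re-apply for the request's vhost: ssl may have been created from another server's ctx */`. The enclosing function `ssl_hook_Access` starts and ends outside this hunk.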
/*