src - OpenBSD base system

diff options


context:
space:
mode:

author	Otto Moerbeek <otto@cvs.openbsd.org>	2013-07-11 12:41:53 +0000
committer	Otto Moerbeek <otto@cvs.openbsd.org>	2013-07-11 12:41:53 +0000
commit	97d5c0f1769d3b6b0c70c9c2f8346ddb9eb478d1 (patch)
tree	41bd5c0383c06b10bc22c0e1d77f06948c22eaac /usr.sbin/httpd
parent	ee6dc9571fd1deb4ea9194d98e65482a1fae3e0b (diff)

introduce HonorCipherOrder to use the server's order of preference of ciphers

ok djm@ guenther@

Diffstat (limited to 'usr.sbin/httpd')

-rw-r--r--

usr.sbin/httpd/src/modules/ssl/mod_ssl.c

-rw-r--r--

usr.sbin/httpd/src/modules/ssl/mod_ssl.h

-rw-r--r--

usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c

-rw-r--r--

usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c

-rw-r--r--

usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c

5 files changed, 23 insertions, 3 deletions

diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index 21c53558626..c516b4ae845 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c

@@ -74,7 +74,7 @@

* identify the module to SCCS `what' and RCS `ident' commands

static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";

-static char const rcsid[] = "$Id: mod_ssl.c,v 1.10 2007/10/14 15:12:59 krw Exp $";

+static char const rcsid[] = "$Id: mod_ssl.c,v 1.11 2013/07/11 12:41:52 otto Exp $";

* the table of configuration directives we provide

@@ -107,6 +107,9 @@ static command_rec ssl_config_cmds[] = {

AP_SRV_CMD(Engine, FLAG,

"SSL switch for the protocol engine "

"(`on', `off')")

+ AP_SRV_CMD(HonorCipherOrder, TAKE1,

+ "Let the server determine preferred ciphers "

+ "(`on', `off'")

AP_ALL_CMD(CipherSuite, TAKE1,

"Colon-delimited list of permitted SSL Ciphers "

"(`XXX:...:XXX' - see manual)")

diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 505104d50b6..c4529bf2c3d 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h

@@ -516,6 +516,7 @@ typedef struct {

char *szCipherSuite;

FILE *fileLogFile;

int nLogLevel;

+ BOOL cipher_server_pref;

int nVerifyDepth;

ssl_verify_t nVerifyClient;

X509 *pPublicCert[SSL_AIDX_MAX];

@@ -589,6 +590,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);

const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);

const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);

const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);

+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);

const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);

const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);

const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);

diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index abf0a93b4b3..7929468cc8c 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c

@@ -197,6 +197,7 @@ void *ssl_config_server_create(pool *p, server_rec *s)

sc->szLogFile = NULL;

sc->szCipherSuite = NULL;

sc->nLogLevel = SSL_LOG_NONE;

+ sc->cipher_server_pref = UNSET;

sc->nVerifyDepth = UNSET;

sc->nVerifyClient = SSL_CVERIFY_UNSET;

sc->nSessionCacheTimeout = UNSET;

@@ -252,6 +253,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv)

cfgMergeString(szCertificateChain);

cfgMergeString(szLogFile);

cfgMergeString(szCipherSuite);

+ cfgMergeBool(cipher_server_pref);

cfgMerge(nLogLevel, SSL_LOG_NONE);

cfgMergeInt(nVerifyDepth);

cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);

@@ -530,6 +532,14 @@ const char *ssl_cmd_SSLEngine(

return NULL;

}

+const char *ssl_cmd_SSLHonorCipherOrder(

+ cmd_parms *cmd, char *struct_ptr, int flag)

+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

+ sc->cipher_server_pref = flag?TRUE:FALSE;

+ return NULL;

const char *ssl_cmd_SSLCipherSuite(

cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)

{

diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 61a9a5b3594..8720f236134 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_engine_init.c,v 1.28 2012/07/07 17:08:17 sthen Exp $ */

+/* $OpenBSD: ssl_engine_init.c,v 1.29 2013/07/11 12:41:52 otto Exp $ */

/* _ _

** _ __ ___ ___ __| | ___ ___| | mod_ssl

@@ -589,6 +589,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))

SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);

+ if (sc->cipher_server_pref == TRUE)

+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

SSL_CTX_set_app_data(ctx, s);

sc->pSSLCtx = ctx;

diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 15a1e124418..89823934f68 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c

@@ -801,9 +801,12 @@ int ssl_hook_Access(request_rec *r)

if (skCipherOld != NULL)

sk_SSL_CIPHER_free(skCipherOld);

/* tracing */

- if (renegotiate)

+ if (renegotiate) {

+ if (sc->cipher_server_pref == TRUE)

+ SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);

ssl_log(r->server, SSL_LOG_TRACE,

"Reconfigured cipher suite will force renegotiation");

+ }

}