From 97d5c0f1769d3b6b0c70c9c2f8346ddb9eb478d1 Mon Sep 17 00:00:00 2001 From: Otto Moerbeek Date: Thu, 11 Jul 2013 12:41:53 +0000 Subject: introduce HonorCipherOrder to use the server's order of preference of ciphers ok djm@ guenther@ --- usr.sbin/httpd/src/modules/ssl/mod_ssl.c | 5 ++++- usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 2 ++ usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | 10 ++++++++++ usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c | 4 +++- usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c | 5 ++++- 5 files changed, 23 insertions(+), 3 deletions(-) (limited to 'usr.sbin/httpd') diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c index 21c53558626..c516b4ae845 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c @@ -74,7 +74,7 @@ * identify the module to SCCS `what' and RCS `ident' commands */ static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >"; -static char const rcsid[] = "$Id: mod_ssl.c,v 1.10 2007/10/14 15:12:59 krw Exp $"; +static char const rcsid[] = "$Id: mod_ssl.c,v 1.11 2013/07/11 12:41:52 otto Exp $"; /* * the table of configuration directives we provide @@ -107,6 +107,9 @@ static command_rec ssl_config_cmds[] = { AP_SRV_CMD(Engine, FLAG, "SSL switch for the protocol engine " "(`on', `off')") + AP_SRV_CMD(HonorCipherOrder, TAKE1, + "Let the server determine preferred ciphers " + "(`on', `off'") AP_ALL_CMD(CipherSuite, TAKE1, "Colon-delimited list of permitted SSL Ciphers " "(`XXX:...:XXX' - see manual)") diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h index 505104d50b6..c4529bf2c3d 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h @@ -516,6 +516,7 @@ typedef struct { char *szCipherSuite; FILE *fileLogFile; int nLogLevel; + BOOL cipher_server_pref; int nVerifyDepth; ssl_verify_t nVerifyClient; X509 *pPublicCert[SSL_AIDX_MAX]; 
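Review bot: The new directive is registered as `AP_SRV_CMD(HonorCipherOrder, TAKE1,` while its handler `ssl_cmd_SSLHonorCipherOrder` (ssl_engine_config.c hunk @@ -530,6 +532,14 @@, prototype in the mod_ssl.h hunk @@ -589,6 +590,7 @@) takes `int flag`, the signature of the FLAG-registered `ssl_cmd_SSLEngine` immediately above it. In the Apache 1.3 command table a TAKE1 handler receives a `char *` argument, so `flag` would most likely hold the pointer to the argument text and be non-zero for both `on` and `off`; the entry should read `AP_SRV_CMD(HonorCipherOrder, FLAG,` to match SSLEngine and the handler. The help string also lacks the closing parenthesis that the SSLEngine entry has after `off'`, so the directive listing prints an unbalanced `(`.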
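Review bot: The field added to the server config struct, `BOOL cipher_server_pref;`, departs from the type-prefixed naming of its neighbours (`szCipherSuite`, `fileLogFile`, `nLogLevel`, `nVerifyDepth`); if the rest of the struct follows that convention, a prefixed name would read more consistently. Because ssl_config_server_create initialises it to UNSET and the consumers compare it with `== TRUE`, the tri-state is worth stating on the declaration: `BOOL cipher_server_pref; /* SSLHonorCipherOrder: UNSET, TRUE or FALSE */`. The struct definition starts and ends outside the hunk.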
@@ -589,6 +590,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *); const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int); +const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c index abf0a93b4b3..7929468cc8c 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c @@ -197,6 +197,7 @@ void *ssl_config_server_create(pool *p, server_rec *s) sc->szLogFile = NULL; sc->szCipherSuite = NULL; sc->nLogLevel = SSL_LOG_NONE; + sc->cipher_server_pref = UNSET; sc->nVerifyDepth = UNSET; sc->nVerifyClient = SSL_CVERIFY_UNSET; sc->nSessionCacheTimeout = UNSET; @@ -252,6 +253,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv) cfgMergeString(szCertificateChain); cfgMergeString(szLogFile); cfgMergeString(szCipherSuite); + cfgMergeBool(cipher_server_pref); cfgMerge(nLogLevel, SSL_LOG_NONE); cfgMergeInt(nVerifyDepth); cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); @@ -530,6 +532,14 @@ const char *ssl_cmd_SSLEngine( return NULL; } +const char *ssl_cmd_SSLHonorCipherOrder( + cmd_parms *cmd, char *struct_ptr, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + sc->cipher_server_pref = flag?TRUE:FALSE; + return NULL; +} + const char *ssl_cmd_SSLCipherSuite( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c index 61a9a5b3594..8720f236134 100644 
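Review bot: `ssl_cmd_SSLHonorCipherOrder` carries no comment and `flag?TRUE:FALSE` is written without the spacing used by the surrounding code in this file (`sc->szLogFile = NULL;`, `cfgMerge(nLogLevel, SSL_LOG_NONE);`); `sc->cipher_server_pref = flag ? TRUE : FALSE;` with a one-line header such as `/* SSLHonorCipherOrder on|off: use the server's cipher order (SSL_OP_CIPHER_SERVER_PREFERENCE) */` would match the module. The `struct_ptr` parameter is unused, which is presumably the norm for the server-level handlers here, but a `(void)struct_ptr;` or a note would make that deliberate.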
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_engine_init.c,v 1.28 2012/07/07 17:08:17 sthen Exp $ */ +/* $OpenBSD: ssl_engine_init.c,v 1.29 2013/07/11 12:41:52 otto Exp $ */ /* _ _ ** _ __ ___ ___ __| | ___ ___| | mod_ssl @@ -589,6 +589,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1)) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); + if (sc->cipher_server_pref == TRUE) + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_app_data(ctx, s); sc->pSSLCtx = ctx; diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c index 15a1e124418..89823934f68 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c @@ -801,9 +801,12 @@ int ssl_hook_Access(request_rec *r) if (skCipherOld != NULL) sk_SSL_CIPHER_free(skCipherOld); /* tracing */ - if (renegotiate) + if (renegotiate) { + if (sc->cipher_server_pref == TRUE) + SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); ssl_log(r->server, SSL_LOG_TRACE, "Reconfigured cipher suite will force renegotiation"); + } } /* -- cgit v1.2.3
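Review bot: The new test `if (sc->cipher_server_pref == TRUE)` in ssl_init_ConfigureServer relies on the merged value still being UNSET when the directive was never given, and treats that as off; that is the intended default but is not obvious beside the two protocol checks above it, which test bits of nProtocol. A short comment would fix that: `/* UNSET (directive absent) or FALSE: leave SSL_OP_CIPHER_SERVER_PREFERENCE off */`. ssl_init_ConfigureServer starts and ends outside the hunk.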
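Review bot: The block under `/* tracing */` in ssl_hook_Access now also changes connection state via `SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);`, so the comment no longer describes what follows it; either move the option setting above the comment or reword it, e.g. `/* apply server cipher preference to the renegotiated connection, then trace */`. It is also unclear from the hunk why the per-connection call is needed: an SSL object normally inherits its SSL_CTX options, and ssl_init_ConfigureServer already sets this option on the context when cipher_server_pref is TRUE — presumably this covers a request whose r->server config differs from the context the connection was created with, which deserves a comment if so. ssl_hook_Access starts and ends outside the hunk, and where `sc` is obtained is not visible here.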