author | Joe Orton <jorton@apache.org> | 2004-11-10 11:42:05 +0000 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2004-11-10 11:42:05 +0000 |
commit | cfed8e1c61f287b0c74dd6a6fef5c58fec1ba49e (patch) | |
tree | cd1ead7a4565eeef51d8c1710ca33bd1b7bc6ea6 | |
parent | 808f856d6257e5e17db687daaf10f32815cd9c3b (diff) | |
Backport fix for CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
PR: 31505
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
Reviewed by: jorton, pquerna, minfrin, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105732 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 8 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 15 |
2 files changed, 23 insertions, 0 deletions
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 7f5e3e78a7..6023bfebcb 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -439,6 +439,14 @@ static void ssl_init_ctx_protocol(server_rec *s,
      * Configure additional context ingredients
      */
     SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /*
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
 }
 
 static void ssl_init_ctx_session_cache(server_rec *s,
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index eccaa98512..f7872adfa4 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -719,6 +719,21 @@ int ssl_hook_Access(request_rec *r)
             X509_free(peercert);
         }
     }
+
+    /*
+     * Also check that SSLCipherSuite has been enforced as expected.
+     */
+    if (cipher_list) {
+        cipher = SSL_get_current_cipher(ssl);
+        if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "SSL cipher suite not renegotiated: "
+                          "access to %s denied using cipher %s",
+                          r->filename,
+                          SSL_CIPHER_get_name(cipher));
+            return HTTP_FORBIDDEN;
+        }
+    }
 }
 
 /*
|
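Review bot: The new SSL_CTX_set_options call is compiled only when SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is defined, so on an OpenSSL build without that flag (the message names 0.9.7 as the version that has it) a renegotiation can still resume the old session and the request is rejected only by the cipher check added in ssl_hook_Access; the #ifdef says nothing about that fallback. A comment on the #ifdef would make the two-layer design visible to the next maintainer, e.g. `/* Older OpenSSL lacks this option; the cipher check in ssl_hook_Access then denies requests whose renegotiation resumed the old session. */`. The body of ssl_init_ctx_protocol begins before this hunk; only its closing brace is visible here.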
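Review bot: `cipher = SSL_get_current_cipher(ssl);` is passed straight to sk_SSL_CIPHER_find and SSL_CIPHER_get_name with no NULL check; at this point in ssl_hook_Access a handshake has presumably completed so the accessor should return a cipher, but if it can be NULL here the stack lookup's compare callback would be handed a null element. A one-line guard covers it while keeping the deny path, `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {`, and SSL_CIPHER_get_name is, as far as I know, NULL-safe so the log line still works. `cipher_list` and `cipher` are declared and `cipher_list` is populated outside the hunk (presumably from the per-directory SSLCipherSuite), so what "enforced" means in the new comment is not visible here; the comment could name the source, e.g. `/* Also check that the per-directory SSLCipherSuite (cipher_list) was actually enforced by the renegotiation. */`. ssl_hook_Access starts before this hunk; only its closing brace is in view.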