Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
apache2.4685
httpd-cipher-suite-order.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File httpd-cipher-suite-order.patch of Package apache2.4685
From 213c5b0636a3b5c41da12a9c9cb10d092bc3f645 Mon Sep 17 00:00:00 2001 From: Kaspar Brand <kbrand@apache.org> Date: Wed, 30 Sep 2015 11:42:54 +0000 Subject: [PATCH] merge r1702643 from trunk Append :!aNULL:!eNULL:!EXP to the cipher string settings, instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7 and later). Enables support for configuring the SUITEB* cipher strings introduced in OpenSSL 1.0.2. PR 58213. Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive. Proposed by: kbrand Reviewed by: ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_config.c | 9 +++++++-- modules/ssl/ssl_engine_init.c | 4 ++-- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 2ff312e870..43be5db720 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -709,7 +709,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; /* always disable null and export ciphers */ - arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); + arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL); if (cmd->path) { dc->szCipherSuite = arg; @@ -1421,7 +1421,7 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd, SSLSrvConfigRec *sc = mySrvConfig(cmd->server); /* always disable null and export ciphers */ - arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); + arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL); sc->proxy->auth.cipher_suite = arg; @@ -1877,6 +1877,11 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, return err; } + if (strcEQ(arg1, "CipherString")) { + /* always disable null and export ciphers */ + arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); + } + param = apr_array_push(sc->server->ssl_ctx_param); param->name = arg1; param->value = arg2; diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 70bdeffcd8..05479625cc 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -730,11 +730,11 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, * Configure SSL Cipher Suite. Always disable NULL and export ciphers, * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite(). * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f, - * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support + * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so append them while we support * earlier versions. */ suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite : - apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, + apr_pstrcat(ptemp, SSL_DEFAULT_CIPHER_LIST, ":!aNULL:!eNULL:!EXP", NULL); ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, -- 2.13.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor