Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.128
retrieving revision 1.129
diff -d -w -u -r1.128 -r1.129
--- modules/ssl/ssl_engine_init.c 3 Jun 2004 13:03:08 -0000 1.128
+++ modules/ssl/ssl_engine_init.c 8 Oct 2004 11:59:32 -0000 1.129
@@ -443,6 +443,14 @@
* Configure additional context ingredients
*/
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ /*
+ * Disallow a session from being resumed during a renegotiation,
+ * so that an acceptable cipher suite can be negotiated.
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
}
static void ssl_init_ctx_session_cache(server_rec *s,
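Review bot: When the OpenSSL headers in use do not define `SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION`, the `#ifdef` at the top of the added block makes the new option a silent no-op, so a build against such a library keeps whatever resumption-on-renegotiation behaviour the hunk's own comment says it is trying to forbid, and nothing in the code records that the protection is absent. An `#else` branch carrying a comment such as `/* Older OpenSSL: resumption during renegotiation cannot be disabled here; the post-renegotiation cipher check in ssl_engine_kernel.c is the only enforcement. */` would make the fallback visible to the next maintainer reading this context setup. The enclosing function begins outside the hunk, so I cannot tell whether the OpenSSL version is checked elsewhere at startup.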
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.110
retrieving revision 1.111
diff -d -w -u -r1.110 -r1.111
--- modules/ssl/ssl_engine_kernel.c 18 Aug 2004 11:05:22 -0000 1.110
+++ modules/ssl/ssl_engine_kernel.c 8 Oct 2004 11:59:33 -0000 1.111
@@ -733,6 +733,21 @@
X509_free(peercert);
}
}
+
+ /*
+ * Also check that SSLCipherSuite has been enforced as expected.
+ */
+ if (cipher_list) {
+ cipher = SSL_get_current_cipher(ssl);
+ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "SSL cipher suite not renegotiated: "
+ "access to %s denied using cipher %s",
+ r->filename,
+ SSL_CIPHER_get_name(cipher));
+ return HTTP_FORBIDDEN;
+ }
+ }
}
/*
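Review bot: `SSL_get_current_cipher(ssl)` returns NULL when no cipher has been negotiated on the connection, and the added code passes the result straight into `sk_SSL_CIPHER_find(cipher_list, cipher)`; if this point can be reached after a failed or incomplete renegotiation, the stack lookup may dereference a null cipher before the `HTTP_FORBIDDEN` branch is ever taken. A guard such as `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {` keeps the deny decision and turns that failure mode into a logged 403 rather than a crash, and `SSL_CIPHER_get_name` tolerates a NULL argument so the log line still formats. Whether a NULL cipher is actually reachable here depends on the earlier renegotiation handling, which is outside the hunk, as are the declarations of `cipher` and `cipher_list` and the start and end of the enclosing function.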