Bug 28665 - mod_ssl ignores server cipher preferences
mod_ssl ignores server cipher preferences
Status: CLOSED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
2.0-HEAD
Other other
: P3 normal (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
: PatchAvailable
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2004-04-28 16:17 UTC by Jim Schneider
Modified: 2004-11-16 19:05 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jim Schneider 2004-04-28 16:17:32 UTC
This has been kicking around the net for years, so I have a patch to fix it. 
This patch needs to be applied in the modules/ssl directory, and it creates a
new configuration directive - "SSLHonorCipherOrder", which takes a boolean
value.  If "SSLHonorCipherOrder" is true, the server prefers its own ordering
for cipher selection (as set by the "SSLCipherSuite" directive).  If it's set to
false (or absent), the historical behavior of prefering the client cipher
ordering is used.  

Note that the patch checks for the availability of the
SSL_OP_CIPHER_SERVER_PREFERENCE define, so it's safe to use (but ignored) even
if   you're using an ancient version of OpenSSL that doesn't support this.

Patch follows:
--<cut here>--
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c       2003/04/10 19:09:56     1.1.1.2
+++ modules/ssl/mod_ssl.c       2004/04/28 15:57:20
@@ -167,6 +167,10 @@
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+    SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                "Use the server's cipher ordering preference")

     /*
      * Proxy configuration for remote SSL connections
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h       2003/06/05 20:51:17     1.1.1.3
+++ modules/ssl/mod_ssl.h       2004/04/28 15:57:21
@@ -514,6 +514,9 @@
     SSLModConfigRec *mc;
     BOOL             enabled;
     BOOL             proxy_enabled;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    BOOL             bHonorCipherOrder;
+#endif
     const char      *vhost_id;
     int              vhost_id_len;
     int              session_cache_timeout;
@@ -574,6 +577,9 @@
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);
 const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c     2003/04/10 19:09:56     1.1.1.2
+++ modules/ssl/ssl_engine_config.c     2004/04/28 15:57:21
@@ -212,7 +212,9 @@
     sc->vhost_id               = NULL;  /* set during module init */
     sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
-
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    sc->bHonorCipherOrder      = UNSET;
+#endif
     modssl_ctx_init_proxy(sc, p);

     modssl_ctx_init_server(sc, p);
@@ -296,6 +298,9 @@
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    cfgMergeBool(bHonorCipherOrder);
+#endif

     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);

@@ -662,6 +667,18 @@

     return NULL;
 }
+
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+        "ssl_cmd_SSLHonorCipherOrder: Setting bHonorCipherOrder to %s",
+       flag?"TRUE":"FALSE");
+    sc->bHonorCipherOrder = flag?TRUE:FALSE;
+#endif
+    return NULL;
+}

 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c       2003/06/05 20:51:17     1.1.1.3
+++ modules/ssl/ssl_engine_init.c       2004/04/28 15:57:21
@@ -416,6 +416,9 @@
     SSL_METHOD *method = NULL;
     char *cp;
     int protocol = mctx->protocol;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(s);
+#endif

     /*
      *  Create the new per-server SSL context
@@ -464,6 +467,11 @@
     if (!(protocol & SSL_PROTOCOL_TLSV1)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    if(TRUE == sc->bHonorCipherOrder) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif

     SSL_CTX_set_app_data(ctx, s);
--<cut here>--
Comment 1 Joe Orton 2004-06-03 13:07:00 UTC
Thanks for the patch, Jim.  Committed to HEAD with a few minor tweaks.