From 4475e3e26285ff84d9c5fd3b9ffb45376f0092d6 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Thu, 21 Aug 2014 11:32:44 +0100
Subject: [PATCH] mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
Resolves: rhbz#1109119
---
httpd-2.4.10-sslciphdefault.patch | 20 ++++++++++++++++++++
httpd.spec | 8 +++++++-
ssl.conf | 5 +++--
3 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 httpd-2.4.10-sslciphdefault.patch
diff --git a/httpd-2.4.10-sslciphdefault.patch b/httpd-2.4.10-sslciphdefault.patch
new file mode 100644
index 0000000..37a74e3
--- /dev/null
+++ b/httpd-2.4.10-sslciphdefault.patch
@@ -0,0 +1,20 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
+@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
+ if (cmd->path) {
+ dc->szCipherSuite = arg;
diff --git a/httpd.spec b/httpd.spec
index 02f9adc..7d9ea42 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.10
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
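Review bot: With `if (strncmp(arg, "PROFILE=", 8) != 0)` the `!aNULL:!eNULL:!EXP:` prefix is dropped entirely for profile strings, so anonymous and export ciphers are excluded only if the named profile itself excludes them; that reliance deserves to be said in the comment, e.g. `/* PROFILE= strings take no extra cipher specs, so the named profile is trusted to exclude aNULL/eNULL/EXP itself. */`. The literal 8 duplicates the length of "PROFILE="; `strncmp(arg, "PROFILE=", sizeof("PROFILE=") - 1)` keeps the two in step if the prefix changes. The guarded `arg = apr_pstrcat(...)` statement should also be braced, matching the `if (cmd->path) {` block just below. ssl_cmd_SSLCipherSuite's body continues outside the hunk.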
@@ -65,6 +65,7 @@ Patch29: httpd-2.4.3-mod_systemd.patch
 Patch30: httpd-2.4.4-cachehardmax.patch
 Patch31: httpd-2.4.6-sslmultiproxy.patch
 Patch34: httpd-2.4.9-socket-activation.patch
+Patch35: httpd-2.4.10-sslciphdefault.patch
 # Bug fixes
 Patch55: httpd-2.4.4-malformed-host.patch
 Patch56: httpd-2.4.4-mod_unique_id.patch
@@ -202,6 +203,7 @@ interface for storing and accessing per-user session data.
 %patch30 -p1 -b .cachehardmax
 %patch31 -p1 -b .sslmultiproxy
 %patch34 -p1 -b .socketactivation
+%patch35 -p1 -b .sslciphdefault
 %patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
@@ -659,6 +661,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Thu Aug 21 2014 Joe Orton - 2.4.10-6
+- mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
+- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
+
 * Sat Aug 16 2014 Fedora Release Engineering - 2.4.10-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
diff --git a/ssl.conf b/ssl.conf
index 5c9b652..c6b1b27 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -77,9 +77,10 @@ SSLProtocol all -SSLv2
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-# By leaving this directive commented out, the system-wide OpenSSL
-# default is used. See update-crypto-policies(8) for more details.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
 #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite PROFILE=DEFAULT
 # Speed-optimized SSL Cipher configuration:
 # If speed is your main concern (on busy HTTPS servers e.g.),
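Review bot: The line added to ssl.conf is `SSLCipherSuite PROFILE=DEFAULT`, while the commit subject and the new %changelog entry in httpd.spec both say the default switches to PROFILE=SYSTEM; the two should agree before this ships, since a profile name OpenSSL does not recognise would presumably be rejected when the server starts rather than fall back to anything. Because the companion patch skips the `!aNULL:!eNULL:!EXP:` prefix for PROFILE= values, the shipped default now relies entirely on the system profile to exclude anonymous and export ciphers, which is worth stating next to the directive, e.g. `# With PROFILE=..., mod_ssl adds no !aNULL/!eNULL/!EXP exclusions of its own; the profile is trusted to exclude them.`. The reworded comment `# The OpenSSL system profile is configured by default. See` also reads oddly now that the directive is set explicitly rather than left commented out; `# The system-wide OpenSSL profile is selected by the directive below. See` would match what the file does.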