mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)

- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
Resolves: rhbz#1109119
Joe Orton 2014-08-21 11:32:44 +01:00
parent f65d1ef433
commit 4475e3e262
3 changed files with 30 additions and 3 deletions


@ -0,0 +1,20 @@
https://bugzilla.redhat.com/show_bug.cgi?id=1109119
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
--- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
+++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
- /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ /* Disable null and export ciphers by default, except for PROFILE=
+ * configs where the parser doesn't cope. */
+ if (strncmp(arg, "PROFILE=", 8) != 0)
+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
if (cmd->path) {
dc->szCipherSuite = arg;
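Review bot: the guard `if (strncmp(arg, "PROFILE=", 8) != 0)` is an exact, case-sensitive match on the first eight bytes only, so a `PROFILE=` token written in another case or placed after other tokens still receives the `!aNULL:!eNULL:!EXP:` prefix and hits the parser problem the comment describes; the comment should state that `PROFILE=` must be the first and only token (or the check should be made case-insensitive if OpenSSL accepts `profile=`). It is also worth spelling out in the comment that on the `PROFILE=` path the exclusion of anonymous, null and export ciphers now depends entirely on the system profile's own definition, since the "always disable" behaviour of the removed line no longer applies there.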


@ -14,7 +14,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.10 Version: 2.4.10
Release: 5%{?dist} Release: 6%{?dist}
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -65,6 +65,7 @@ Patch29: httpd-2.4.3-mod_systemd.patch
Patch30: httpd-2.4.4-cachehardmax.patch Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch34: httpd-2.4.9-socket-activation.patch Patch34: httpd-2.4.9-socket-activation.patch
Patch35: httpd-2.4.10-sslciphdefault.patch
# Bug fixes # Bug fixes
Patch55: httpd-2.4.4-malformed-host.patch Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch Patch56: httpd-2.4.4-mod_unique_id.patch
@ -202,6 +203,7 @@ interface for storing and accessing per-user session data.
%patch30 -p1 -b .cachehardmax %patch30 -p1 -b .cachehardmax
%patch31 -p1 -b .sslmultiproxy %patch31 -p1 -b .sslmultiproxy
%patch34 -p1 -b .socketactivation %patch34 -p1 -b .socketactivation
%patch35 -p1 -b .sslciphdefault
%patch55 -p1 -b .malformedhost %patch55 -p1 -b .malformedhost
%patch56 -p1 -b .uniqueid %patch56 -p1 -b .uniqueid
@ -659,6 +661,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Thu Aug 21 2014 Joe Orton <jorton@redhat.com> - 2.4.10-6
- mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.10-5 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.10-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild


@ -77,9 +77,10 @@ SSLProtocol all -SSLv2
# SSL Cipher Suite: # SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. # List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. # See the mod_ssl documentation for a complete list.
# By leaving this directive commented out, the system-wide OpenSSL # The OpenSSL system profile is configured by default. See
# default is used. See update-crypto-policies(8) for more details. # update-crypto-policies(8) for more details.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite PROFILE=DEFAULT
# Speed-optimized SSL Cipher configuration: # Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.), # If speed is your main concern (on busy HTTPS servers e.g.),
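Review bot: the new directive `SSLCipherSuite PROFILE=DEFAULT` disagrees with the commit message and the changelog entry, which both say the default ssl.conf now uses `PROFILE=SYSTEM`, and with the rewritten comment just above it, which refers to the "OpenSSL system profile"; either the directive or the message/comment should change so that the shipped configuration, its comment and the changelog name the same profile.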