head	1.2;
access;
symbols
	old_RELEASE_4_11_0:1.1;
locks; strict;
comment	@# @;


1.2
date	2005.02.08.15.17.06;	author clement;	state dead;
branches;
next	1.1;

1.1
date	2004.10.13.09.17.38;	author clement;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- Update to 2.0.53
- Download bz2'd tarball [1]
- Add print-closest-mirrors target.
  It allows you to find the 6 (3 http/3 ftp) closest mirrors,
  based on http://www.apache.org/dyn/closer.cgi/httpd/
  make print-closest-mirrors >> /etc/make.conf automatically adds
  the six closest mirrors to the head of ${MASTER_SITE_APACHE_HTTPD}.

Requested by:	delphij
@
text
@Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.128
retrieving revision 1.129
diff -d -w -u -r1.128 -r1.129
--- modules/ssl/ssl_engine_init.c	3 Jun 2004 13:03:08 -0000	1.128
+++ modules/ssl/ssl_engine_init.c	8 Oct 2004 11:59:32 -0000	1.129
@@@@ -443,6 +443,14 @@@@
      * Configure additional context ingredients
      */
     SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /* 
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
 }
 
 static void ssl_init_ctx_session_cache(server_rec *s,
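Review bot: When the OpenSSL headers in use lack SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, the `#ifdef` at the top of the added block drops the option silently, so on such builds a renegotiation can still resume the old session with its original cipher and nothing in the log says the protection is absent. The commit message ties the option to OpenSSL 0.9.7 and the companion hunk in ssl_hook_Access is what catches the stale cipher afterwards, so the comment inside the `#ifdef` should state that dependency rather than only describe the flag, e.g. `/* Without this option (older OpenSSL) a renegotiation may resume the old session with its old cipher; ssl_hook_Access must then reject the stale cipher after the handshake. */`. An `#else` branch that logs once at startup that the option is unavailable would make the degraded mode visible to the administrator instead of leaving it to the per-request denial. The enclosing function (ssl_init_ctx_protocol according to the commit message) starts and ends outside this hunk.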
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.110
retrieving revision 1.111
diff -d -w -u -r1.110 -r1.111
--- modules/ssl/ssl_engine_kernel.c	18 Aug 2004 11:05:22 -0000	1.110
+++ modules/ssl/ssl_engine_kernel.c	8 Oct 2004 11:59:33 -0000	1.111
@@@@ -733,6 +733,21 @@@@
                 X509_free(peercert);
             }
         }
+        
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected.
+         */
+        if (cipher_list) {
+            cipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                             "SSL cipher suite not renegotiated: "
+                             "access to %s denied using cipher %s",
+                              r->filename,
+                              SSL_CIPHER_get_name(cipher));
+                return HTTP_FORBIDDEN;
+            }
+        }
     }
 
     /*
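Review bot: `cipher = SSL_get_current_cipher(ssl);` is handed straight to `sk_SSL_CIPHER_find()`, yet OpenSSL documents that `SSL_get_current_cipher()` returns NULL when no cipher has been negotiated, and the comparator behind `sk_SSL_CIPHER_find()` is not documented to accept a NULL key, so that case would fault before the `< 0` branch can deny the request. A NULL result is presumably unreachable right after a completed renegotiation, but the guard costs one condition: `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {`, with the existing error path then covering it (`SSL_CIPHER_get_name()` tolerates NULL, but verify that against the OpenSSL version the port builds with). The declarations of `cipher` and `cipher_list` and the rest of ssl_hook_Access lie outside this hunk, so whether `cipher_list` is the per-directory SSLCipherSuite stack the log message implies cannot be confirmed from here.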



@


1.1
log
@- Yet Another Security Fix
  Fix CAN-2004-0885:

  * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
  correct cipher suite has been negotiated, else deny access.

  * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
  0.9.7, prevent session resumption during a renegotiation to force the
  client to negotiate a new (and acceptable) cipher suite.

Credits:	Hartmut Keil, Joe Orton
@
text
@@

