
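--- a/httpd-trunk/modules/ssl/mod_ssl.c
+++ b/httpd-trunk/modules/ssl/mod_ssl.c
@@ -143,6 +143,8 @@
                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(EnableEmptyFragments, FLAG,
+                "Enable countermeasure against SSL3.0/TLS1.0 protocol vulnerability")
     SSL_CMD_SRV(Compression, FLAG,
                 "Enable SSL level compression"
                 "(`on', `off')")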
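Review bot: The help string for the new EnableEmptyFragments directive names neither the countermeasure it controls nor its default, and the ssl_engine_init.c hunk of this patch shows the default is "off" (the DONT_INSERT bit stays set through SSL_OP_ALL unless the directive is explicitly on), which an administrator deciding whether to enable it needs to know. Suggest `"Insert empty fragments before CBC records under SSL3.0/TLS1.0 as a countermeasure against the chained-IV weakness (default off)"`. Presumably OpenSSL keeps this bit in SSL_OP_ALL for interoperability with peers that mishandle empty fragments, so the manual entry for the directive should mention that trade-off as well.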
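--- a/httpd-trunk/modules/ssl/ssl_engine_config.c
+++ b/httpd-trunk/modules/ssl/ssl_engine_config.c
@@ -207,6 +207,7 @@
     sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
     sc->cipher_server_pref     = UNSET;
+    sc->enable_empty_fragments = UNSET;
     sc->insecure_reneg         = UNSET;
     sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
     sc->proxy_ssl_check_peer_cn     = SSL_ENABLED_UNSET;
@@ -342,6 +343,7 @@
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
     cfgMergeBool(cipher_server_pref);
+    cfgMergeBool(enable_empty_fragments);
     cfgMergeBool(insecure_reneg);
     cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
     cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
@@ -718,6 +720,19 @@
 #endif
 }
 
+const char *ssl_cmd_SSLEnableEmptyFragments(cmd_parms *cmd,
+                                            void *dcfg, int flag)
+{
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->enable_empty_fragments = flag?TRUE:FALSE;
+    return NULL;
+#else
+    return "SSLEnableEmptyFragments unsupported; "
+        "not implemented by the SSL library";
+#endif
+}
+
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION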
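Review bot: `sc->enable_empty_fragments = flag?TRUE:FALSE;` in ssl_cmd_SSLEnableEmptyFragments writes into a field that is really tri-state (it starts as UNSET in the first hunk and is merged with cfgMergeBool in the second), and the ssl_engine_init.c hunk of this patch depends on UNSET staying distinct from FALSE, yet nothing near the assignment or the field says so. Add a one-line comment above the assignment, e.g. `/* tri-state: UNSET (directive absent) leaves the SSL_OP_ALL default untouched */`, and the same note on the `BOOL enable_empty_fragments;` field added in ssl_private.h. As a point of style, `flag ? TRUE : FALSE` reads more easily than the unspaced form. The handler ignores dcfg, as its SSLInsecureRenegotiation neighbour does, which is consistent for a server-scope directive.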
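--- a/httpd-trunk/modules/ssl/ssl_engine_init.c
+++ b/httpd-trunk/modules/ssl/ssl_engine_init.c
@@ -571,6 +571,7 @@
     char *cp;
     int protocol = mctx->protocol;
     SSLSrvConfigRec *sc = mySrvConfig(s);
+    long ssl_initial_options; 
 
     /*
      *  Create the new per-server SSL context
@@ -625,7 +626,25 @@
 
     mctx->ssl_ctx = ctx;
 
-    SSL_CTX_set_options(ctx, SSL_OP_ALL);
+    /* We can not rely on SSL_CTX_clear_options being available, 
+       so we unset from SSL_OP_ALL before we call SSL_CTX_set_options */
+    /* Use a generic variable in case we ever wish to unmask other options */
+    ssl_initial_options = SSL_OP_ALL;
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+    /* We check TRUE and FALSE as the default is UNSET, in which case
+       no manipulation of the default SSL_OP_ALL bits is done */
+    if (sc->enable_empty_fragments == TRUE) {
+        /* we must UNSET the "DONT_INSERT" bit to enable empty fragments */
+        ssl_initial_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    }
+    else if (sc->enable_empty_fragments == FALSE) {
+        /* we SET the "DONT_INSERT" bit to disable empty fragments */
+        /* This is redundant, as this bit is SET in SSL_OP_ALL
+           however it could be removed in the future */
+        ssl_initial_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    }
+#endif
+    SSL_CTX_set_options(ctx, ssl_initial_options);
 
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);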
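Review bot: The comment above `if (sc->enable_empty_fragments == TRUE)` says UNSET does "no manipulation of the default SSL_OP_ALL bits" but leaves the reader to derive the security consequence: since SSL_OP_ALL already contains SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (as the later comment in the same hunk states), the countermeasure remains disabled unless an administrator sets SSLEnableEmptyFragments on, so this patch is opt-in hardening, not a change of default. Suggest saying so directly: `/* Tri-state: UNSET keeps SSL_OP_ALL's DONT_INSERT bit, i.e. the countermeasure stays off unless SSLEnableEmptyFragments on is configured */`. The `== FALSE` branch is acknowledged as redundant and keeping it for the stated future-proofing reason is reasonable. Two added lines, `long ssl_initial_options; ` and the first line of the `/* We can not rely ...` comment, carry trailing whitespace. The enclosing function starts and ends outside both hunks.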
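--- a/httpd-trunk/modules/ssl/ssl_private.h
+++ b/httpd-trunk/modules/ssl/ssl_private.h
@@ -706,6 +706,7 @@
     int              vhost_id_len;
     int              session_cache_timeout;
     BOOL             cipher_server_pref;
+    BOOL             enable_empty_fragments;
     BOOL             insecure_reneg;
     modssl_ctx_t    *server;
     modssl_ctx_t    *proxy;
@@ -775,6 +776,7 @@
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLEnableEmptyFragments(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);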
