Attachment #30478 for bug #53899

View | Details | Raw Unified | Return to bug 53899
Collapse All | Expand All




</directivesynopsis>

<directivesynopsis>
<name>SSLEnableEmptyFragments</name>
<description>Option to enable empty fragments countermeasure in SSLv3/TLSv1 protocols</description>
<syntax>SSLEnableEmptyFragments <em>flag</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available if using OpenSSL 0.9.6e or later</compatibility>

<usage>
<p>Enables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability
affecting CBC ciphers, which cannot be handled by some broken SSL
implementations. This option has no effect for connections using other ciphers.
This option clears the <code>SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS</code> OpenSSL
connection flag which is set by default.
</p>
<p>This does not protect against the &quot;BEAST&quot; attack itself, which
is performed from the client side, but is related to the vulnerability
used by &quot;BEAST&quot;. Some background is available at
<a href="http://www.openssl.org/~bodo/tls-cbc.txt">
http://www.openssl.org/~bodo/tls-cbc.txt</a>
</p>
<example><title>Example</title>
<highlight language="config">
SSLEnableEmptyFragments on
</highlight>
</example>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLCryptoDevice</name>
<description>Enable use of a cryptographic hardware accelerator</description>
<syntax>SSLCryptoDevice <em>engine</em></syntax>

Lines 132-138 Link Here

(-)httpd-trunk/docs/manual/style/scripts/prettify.js (-1 / +1 lines)
132	var SH_KEYWORDS = [FLOW_CONTROL_KEYWORDS, "case,done,elif,esac,eval,fi," +	132	var SH_KEYWORDS = [FLOW_CONTROL_KEYWORDS, "case,done,elif,esac,eval,fi," +
133	"function,in,local,set,then,until,echo"];	133	"function,in,local,set,then,until,echo"];
134	var CONFIG_ENVS = ["User-Agent,HTTP_USER_AGENT,HTTP_REFERER,HTTP_COOKIE,HTTP_FORWARDED,HTTP_HOST,HTTP_PROXY_CONNECTION,HTTP_ACCEPT,REMOTE_ADDR,REMOTE_HOST,REMOTE_PORT,REMOTE_USER,REMOTE_IDENT,REQUEST_METHOD,SCRIPT_FILENAME,PATH_INFO,QUERY_STRING,AUTH_TYPE,DOCUMENT_ROOT,SERVER_ADMIN,SERVER_NAME,SERVER_ADDR,SERVER_PORT,SERVER_PROTOCOL,SERVER_SOFTWARE,TIME_YEAR,TIME_MON,TIME_DAY,TIME_HOUR,TIME_MIN,TIME_SEC,TIME_WDAY,TIME,API_VERSION,THE_REQUEST,REQUEST_URI,REQUEST_FILENAME,IS_SUBREQ,HTTPS,REQUEST_SCHEME"];	134	var CONFIG_ENVS = ["User-Agent,HTTP_USER_AGENT,HTTP_REFERER,HTTP_COOKIE,HTTP_FORWARDED,HTTP_HOST,HTTP_PROXY_CONNECTION,HTTP_ACCEPT,REMOTE_ADDR,REMOTE_HOST,REMOTE_PORT,REMOTE_USER,REMOTE_IDENT,REQUEST_METHOD,SCRIPT_FILENAME,PATH_INFO,QUERY_STRING,AUTH_TYPE,DOCUMENT_ROOT,SERVER_ADMIN,SERVER_NAME,SERVER_ADDR,SERVER_PORT,SERVER_PROTOCOL,SERVER_SOFTWARE,TIME_YEAR,TIME_MON,TIME_DAY,TIME_HOUR,TIME_MIN,TIME_SEC,TIME_WDAY,TIME,API_VERSION,THE_REQUEST,REQUEST_URI,REQUEST_FILENAME,IS_SUBREQ,HTTPS,REQUEST_SCHEME"];
135	var CONFIG_KEYWORDS = ["Macro,UndefMacro,Use,AuthLDAPURL,AcceptFilter,AcceptPathInfo,AccessFileName,Action,AddAlt,AddAltByEncoding,AddAltByType,AddCharset,AddDefaultCharset,AddDescription,AddEncoding,AddHandler,AddIcon,AddIconByEncoding,AddIconByType,AddInputFilter,AddLanguage,AddModuleInfo,AddOutputFilter,AddOutputFilterByType,AddType,Alias,AliasMatch,Allow,AllowCONNECT,AllowEncodedSlashes,AllowMethods,AllowOverride,AllowOverrideList,Anonymous,Anonymous_LogEmail,Anonymous_MustGiveEmail,Anonymous_NoUserID,Anonymous_VerifyEmail,AsyncRequestWorkerFactor,AuthBasicAuthoritative,AuthBasicProvider,AuthDBDUserPWQuery,AuthDBDUserRealmQuery,AuthDBMGroupFile,AuthDBMType,AuthDBMUserFile,AuthDigestAlgorithm,AuthDigestDomain,AuthDigestNcCheck,AuthDigestNonceFormat,AuthDigestNonceLifetime,AuthDigestProvider,AuthDigestQop,AuthDigestShmemSize,AuthFormAuthoritative,AuthFormBody,AuthFormDisableNoStore,AuthFormFakeBasicAuth,AuthFormLocation,AuthFormLoginRequiredLocation,AuthFormLoginSuccessLocation,AuthFormLogoutLocation,AuthFormMethod,AuthFormMimetype,AuthFormPassword,AuthFormProvider,AuthFormSitePassphrase,AuthFormSize,AuthFormUsername,AuthGroupFile,AuthLDAPAuthorizePrefix,AuthLDAPBindAuthoritative,AuthLDAPBindDN,AuthLDAPBindPassword,AuthLDAPCharsetConfig,AuthLDAPCompareAsUser,AuthLDAPCompareDNOnServer,AuthLDAPDereferenceAliases,AuthLDAPGroupAttribute,AuthLDAPGroupAttributeIsDN,AuthLDAPInitialBindAsUser,AuthLDAPInitialBindPattern,AuthLDAPMaxSubGroupDepth,AuthLDAPRemoteUserAttribute,AuthLDAPRemoteUserIsDN,AuthLDAPSearchAsUser,AuthLDAPSubGroupAttribute,AuthLDAPSubGroupClass,AuthLDAPUrl,AuthMerging,AuthName,AuthnCacheContext,AuthnCacheEnable,AuthnCacheProvideFor,AuthnCacheSOCache,AuthnCacheTimeout,<AuthnProviderAlias>,AuthType,AuthUserFile,AuthzDBDLoginToReferer,AuthzDBDQuery,AuthzDBDRedirectQuery,AuthzDBMType,<AuthzProviderAlias>,AuthzSendForbiddenOnFailure,BalancerGrowth,BalancerMember,BrowserMatch,BrowserMatchNoCase,BufferedLogs,BufferSize,CacheDefaultExpire,CacheDetailHeader,CacheDirLength,CacheDirLevels,CacheDisable,CacheEnable,CacheFile,CacheHeader,CacheIgnoreCacheControl,CacheIgnoreHeaders,CacheIgnoreNoLastMod,CacheIgnoreQueryString,CacheIgnoreURLSessionIdentifiers,CacheKeyBaseURL,CacheLastModifiedFactor,CacheLock,CacheLockMaxAge,CacheLockPath,CacheMaxExpire,CacheMaxFileSize,CacheMinExpire,CacheMinFileSize,CacheNegotiatedDocs,CacheQuickHandler,CacheReadSize,CacheReadTime,CacheRoot,CacheStaleOnError,CacheStoreExpired,CacheStoreNoStore,CacheStorePrivate,CGIMapExtension,CharsetDefault,CharsetOptions,CharsetSourceEnc,CheckCaseOnly,CheckSpelling,ChrootDir,ContentDigest,CookieDomain,CookieExpires,CookieName,CookieStyle,CookieTracking,CoreDumpDirectory,CustomLog,Dav,DavDepthInfinity,DavGenericLockDB,DavLockDB,DavMinTimeout,DBDExptime,DBDInitSQL,DBDKeep,DBDMax,DBDMin,DBDParams,DBDPersist,DBDPrepareSQL,DBDriver,DefaultIcon,DefaultLanguage,DefaultRuntimeDir,DefaultType,Define,DeflateBufferSize,DeflateCompressionLevel,DeflateFilterNote,DeflateMemLevel,DeflateWindowSize,Deny,<Directory>,DirectoryIndex,DirectoryIndexRedirect,<DirectoryMatch>,DirectorySlash,DocumentRoot,DTracePrivileges,DumpIOInput,DumpIOOutput,<Else>,<ElseIf>,EnableExceptionHook,EnableMMAP,EnableSendfile,Error,ErrorDocument,ErrorLog,ErrorLogFormat,Example,ExpiresActive,ExpiresByType,ExpiresDefault,ExtendedStatus,ExtFilterDefine,ExtFilterOptions,FallbackResource,FileETag,<Files>,<FilesMatch>,FilterChain,FilterDeclare,FilterProtocol,FilterProvider,FilterTrace,ForceLanguagePriority,ForceType,ForensicLog,GprofDir,GracefulShutdownTimeout,Group,Header,HeaderName,HeartbeatAddress,HeartbeatListen,HeartbeatMaxServers,HeartbeatStorage,HeartbeatStorage,HostnameLookups,IdentityCheck,IdentityCheckTimeout,<If>,<IfDefine>,<IfModule>,<IfVersion>,ImapBase,ImapDefault,ImapMenu,Include,IncludeOptional,IndexHeadInsert,IndexIgnore,IndexIgnoreReset,IndexOptions,IndexOrderDefault,IndexStyleSheet,InputSed,ISAPIAppendLogToErrors,ISAPIAppendLogToQuery,ISAPICacheFile,ISAPIFakeAsync,ISAPILogNotSupported,ISAPIReadAheadBuffer,KeepAlive,KeepAliveTimeout,KeptBodySize,LanguagePriority,LDAPCacheEntries,LDAPCacheTTL,LDAPConnectionPoolTTL,LDAPConnectionTimeout,LDAPLibraryDebug,LDAPOpCacheEntries,LDAPOpCacheTTL,LDAPReferralHopLimit,LDAPReferrals,LDAPRetries,LDAPRetryDelay,LDAPSharedCacheFile,LDAPSharedCacheSize,LDAPTimeout,LDAPTrustedClientCert,LDAPTrustedGlobalCert,LDAPTrustedMode,LDAPVerifyServerCert,<Limit>,<LimitExcept>,LimitInternalRecursion,LimitRequestBody,LimitRequestFields,LimitRequestFieldSize,LimitRequestLine,LimitXMLRequestBody,Listen,ListenBackLog,LoadFile,LoadModule,<Location>,<LocationMatch>,LogFormat,LogLevel,LogMessage,LuaCodeCache,LuaHookAccessChecker,LuaHookAuthChecker,LuaAuthzProvider,LuaHookCheckUserID,LuaHookFixups,LuaHookInsertFilter,LuaHookMapToStorage,LuaHookTranslateName,LuaHookTypeChecker,LuaInherit,LuaInputFilter,LuaMapHandler,LuaOutputFilter,LuaPackageCPath,LuaPackagePath,LuaQuickHandler,LuaRoot,LuaScope,MaxConnectionsPerChild,MaxKeepAliveRequests,MaxMemFree,MaxRangeOverlaps,MaxRangeReversals,MaxRanges,MaxRequestWorkers,MaxSpareServers,MaxSpareThreads,MaxThreads,MetaDir,MetaFiles,MetaSuffix,MimeMagicFile,MinSpareServers,MinSpareThreads,MMapFile,ModemStandard,ModMimeUsePathInfo,MultiviewsMatch,Mutex,NameVirtualHost,NoProxy,NWSSLTrustedCerts,NWSSLUpgradeable,Options,Order,OutputSed,PassEnv,PidFile,PrivilegesMode,Protocol,ProtocolEcho,<Proxy>,ProxyAddHeaders,ProxyBadHeader,ProxyBlock,ProxyDomain,ProxyErrorOverride,ProxyExpressDBMFile,ProxyExpressDBMType,ProxyExpressEnable,ProxyFtpDirCharset,ProxyFtpEscapeWildcards,ProxyFtpListOnWildcard,ProxyHTMLBufSize,ProxyHTMLCharsetOut,ProxyHTMLDocType,ProxyHTMLEnable,ProxyHTMLEvents,ProxyHTMLExtended,ProxyHTMLFixups,ProxyHTMLInterp,ProxyHTMLLinks,ProxyHTMLStripComments,ProxyHTMLURLMap,ProxyIOBufferSize,<ProxyMatch>,ProxyMaxForwards,ProxyPass,ProxyPassInterpolateEnv,ProxyPassMatch,ProxyPassReverse,ProxyPassReverseCookieDomain,ProxyPassReverseCookiePath,ProxyPreserveHost,ProxyReceiveBufferSize,ProxyRemote,ProxyRemoteMatch,ProxyRequests,ProxySCGIInternalRedirect,ProxySCGISendfile,ProxySet,ProxySourceAddress,ProxyStatus,ProxyTimeout,ProxyVia,ReadmeName,ReceiveBufferSize,Redirect,RedirectMatch,RedirectPermanent,RedirectTemp,ReflectorHeader,RemoteIPHeader,RemoteIPInternalProxy,RemoteIPInternalProxyList,RemoteIPProxiesHeader,RemoteIPTrustedProxy,RemoteIPTrustedProxyList,RemoveCharset,RemoveEncoding,RemoveHandler,RemoveInputFilter,RemoveLanguage,RemoveOutputFilter,RemoveType,RequestHeader,RequestReadTimeout,Require,<RequireAll>,<RequireAny>,<RequireNone>,RewriteBase,RewriteCond,RewriteEngine,RewriteMap,RewriteOptions,RewriteRule,RLimitCPU,RLimitMEM,RLimitNPROC,Satisfy,ScoreBoardFile,Script,ScriptAlias,ScriptAliasMatch,ScriptInterpreterSource,ScriptLog,ScriptLogBuffer,ScriptLogLength,ScriptSock,SecureListen,SeeRequestTail,SendBufferSize,ServerAdmin,ServerAlias,ServerLimit,ServerName,ServerPath,ServerRoot,ServerSignature,ServerTokens,Session,SessionCookieName,SessionCookieName2,SessionCookieRemove,SessionCryptoCipher,SessionCryptoDriver,SessionCryptoPassphrase,SessionCryptoPassphraseFile,SessionDBDCookieName,SessionDBDCookieName2,SessionDBDCookieRemove,SessionDBDDeleteLabel,SessionDBDInsertLabel,SessionDBDPerUser,SessionDBDSelectLabel,SessionDBDUpdateLabel,SessionEnv,SessionExclude,SessionHeader,SessionInclude,SessionMaxAge,SetEnv,SetEnvIf,SetEnvIfExpr,SetEnvIfNoCase,SetHandler,SetInputFilter,SetOutputFilter,SSIEndTag,SSIErrorMsg,SSIETag,SSILastModified,SSILegacyExprParser,SSIStartTag,SSITimeFormat,SSIUndefinedEcho,SSLCACertificateFile,SSLCACertificatePath,SSLCADNRequestFile,SSLCADNRequestPath,SSLCARevocationCheck,SSLCARevocationFile,SSLCARevocationPath,SSLCertificateChainFile,SSLCertificateFile,SSLCertificateKeyFile,SSLCipherSuite,SSLCryptoDevice,SSLEngine,SSLFIPS,SSLHonorCipherOrder,SSLInsecureRenegotiation,SSLOCSPDefaultResponder,SSLOCSPEnable,SSLOCSPOverrideResponder,SSLOCSPResponderTimeout,SSLOCSPResponseMaxAge,SSLOCSPResponseTimeSkew,SSLOptions,SSLPassPhraseDialog,SSLProtocol,SSLProxyCACertificateFile,SSLProxyCACertificatePath,SSLProxyCARevocationCheck,SSLProxyCARevocationFile,SSLProxyCARevocationPath,SSLProxyCheckPeerCN,SSLProxyCheckPeerExpire,SSLProxyCipherSuite,SSLProxyEngine,SSLProxyMachineCertificateChainFile,SSLProxyMachineCertificateFile,SSLProxyMachineCertificatePath,SSLProxyProtocol,SSLProxyVerify,SSLProxyVerifyDepth,SSLRandomSeed,SSLRenegBufferSize,SSLRequire,SSLRequireSSL,SSLSessionCache,SSLSessionCacheTimeout,SSLSessionTicketKeyFile,SSLStaplingCache,SSLStaplingErrorCacheTimeout,SSLStaplingFakeTryLater,SSLStaplingForceURL,SSLStaplingResponderTimeout,SSLStaplingResponseMaxAge,SSLStaplingResponseTimeSkew,SSLStaplingReturnResponderErrors,SSLStaplingStandardCacheTimeout,SSLStrictSNIVHostCheck,SSLUserName,SSLUseStapling,SSLVerifyClient,SSLVerifyDepth,StartServers,StartThreads,Substitute,Suexec,SuexecUserGroup,ThreadLimit,ThreadsPerChild,ThreadStackSize,TimeOut,TraceEnable,TransferLog,TypesConfig,UnDefine,UnsetEnv,UseCanonicalName,UseCanonicalPhysicalPort,User,UserDir,VHostCGIMode,VHostCGIPrivs,VHostGroup,VHostPrivs,VHostSecure,VHostUser,VirtualDocumentRoot,VirtualDocumentRootIP,<VirtualHost>,VirtualScriptAlias,VirtualScriptAliasIP,WatchdogInterval,XBitHack,xml2EncAlias,xml2EncDefault,xml2StartParse,RewriteLog,RewriteLogLevel"];	135	var CONFIG_KEYWORDS = ["Macro,UndefMacro,Use,AuthLDAPURL,AcceptFilter,AcceptPathInfo,AccessFileName,Action,AddAlt,AddAltByEncoding,AddAltByType,AddCharset,AddDefaultCharset,AddDescription,AddEncoding,AddHandler,AddIcon,AddIconByEncoding,AddIconByType,AddInputFilter,AddLanguage,AddModuleInfo,AddOutputFilter,AddOutputFilterByType,AddType,Alias,AliasMatch,Allow,AllowCONNECT,AllowEncodedSlashes,AllowMethods,AllowOverride,AllowOverrideList,Anonymous,Anonymous_LogEmail,Anonymous_MustGiveEmail,Anonymous_NoUserID,Anonymous_VerifyEmail,AsyncRequestWorkerFactor,AuthBasicAuthoritative,AuthBasicProvider,AuthDBDUserPWQuery,AuthDBDUserRealmQuery,AuthDBMGroupFile,AuthDBMType,AuthDBMUserFile,AuthDigestAlgorithm,AuthDigestDomain,AuthDigestNcCheck,AuthDigestNonceFormat,AuthDigestNonceLifetime,AuthDigestProvider,AuthDigestQop,AuthDigestShmemSize,AuthFormAuthoritative,AuthFormBody,AuthFormDisableNoStore,AuthFormFakeBasicAuth,AuthFormLocation,AuthFormLoginRequiredLocation,AuthFormLoginSuccessLocation,AuthFormLogoutLocation,AuthFormMethod,AuthFormMimetype,AuthFormPassword,AuthFormProvider,AuthFormSitePassphrase,AuthFormSize,AuthFormUsername,AuthGroupFile,AuthLDAPAuthorizePrefix,AuthLDAPBindAuthoritative,AuthLDAPBindDN,AuthLDAPBindPassword,AuthLDAPCharsetConfig,AuthLDAPCompareAsUser,AuthLDAPCompareDNOnServer,AuthLDAPDereferenceAliases,AuthLDAPGroupAttribute,AuthLDAPGroupAttributeIsDN,AuthLDAPInitialBindAsUser,AuthLDAPInitialBindPattern,AuthLDAPMaxSubGroupDepth,AuthLDAPRemoteUserAttribute,AuthLDAPRemoteUserIsDN,AuthLDAPSearchAsUser,AuthLDAPSubGroupAttribute,AuthLDAPSubGroupClass,AuthLDAPUrl,AuthMerging,AuthName,AuthnCacheContext,AuthnCacheEnable,AuthnCacheProvideFor,AuthnCacheSOCache,AuthnCacheTimeout,<AuthnProviderAlias>,AuthType,AuthUserFile,AuthzDBDLoginToReferer,AuthzDBDQuery,AuthzDBDRedirectQuery,AuthzDBMType,<AuthzProviderAlias>,AuthzSendForbiddenOnFailure,BalancerGrowth,BalancerMember,BrowserMatch,BrowserMatchNoCase,BufferedLogs,BufferSize,CacheDefaultExpire,CacheDetailHeader,CacheDirLength,CacheDirLevels,CacheDisable,CacheEnable,CacheFile,CacheHeader,CacheIgnoreCacheControl,CacheIgnoreHeaders,CacheIgnoreNoLastMod,CacheIgnoreQueryString,CacheIgnoreURLSessionIdentifiers,CacheKeyBaseURL,CacheLastModifiedFactor,CacheLock,CacheLockMaxAge,CacheLockPath,CacheMaxExpire,CacheMaxFileSize,CacheMinExpire,CacheMinFileSize,CacheNegotiatedDocs,CacheQuickHandler,CacheReadSize,CacheReadTime,CacheRoot,CacheStaleOnError,CacheStoreExpired,CacheStoreNoStore,CacheStorePrivate,CGIMapExtension,CharsetDefault,CharsetOptions,CharsetSourceEnc,CheckCaseOnly,CheckSpelling,ChrootDir,ContentDigest,CookieDomain,CookieExpires,CookieName,CookieStyle,CookieTracking,CoreDumpDirectory,CustomLog,Dav,DavDepthInfinity,DavGenericLockDB,DavLockDB,DavMinTimeout,DBDExptime,DBDInitSQL,DBDKeep,DBDMax,DBDMin,DBDParams,DBDPersist,DBDPrepareSQL,DBDriver,DefaultIcon,DefaultLanguage,DefaultRuntimeDir,DefaultType,Define,DeflateBufferSize,DeflateCompressionLevel,DeflateFilterNote,DeflateMemLevel,DeflateWindowSize,Deny,<Directory>,DirectoryIndex,DirectoryIndexRedirect,<DirectoryMatch>,DirectorySlash,DocumentRoot,DTracePrivileges,DumpIOInput,DumpIOOutput,<Else>,<ElseIf>,EnableExceptionHook,EnableMMAP,EnableSendfile,Error,ErrorDocument,ErrorLog,ErrorLogFormat,Example,ExpiresActive,ExpiresByType,ExpiresDefault,ExtendedStatus,ExtFilterDefine,ExtFilterOptions,FallbackResource,FileETag,<Files>,<FilesMatch>,FilterChain,FilterDeclare,FilterProtocol,FilterProvider,FilterTrace,ForceLanguagePriority,ForceType,ForensicLog,GprofDir,GracefulShutdownTimeout,Group,Header,HeaderName,HeartbeatAddress,HeartbeatListen,HeartbeatMaxServers,HeartbeatStorage,HeartbeatStorage,HostnameLookups,IdentityCheck,IdentityCheckTimeout,<If>,<IfDefine>,<IfModule>,<IfVersion>,ImapBase,ImapDefault,ImapMenu,Include,IncludeOptional,IndexHeadInsert,IndexIgnore,IndexIgnoreReset,IndexOptions,IndexOrderDefault,IndexStyleSheet,InputSed,ISAPIAppendLogToErrors,ISAPIAppendLogToQuery,ISAPICacheFile,ISAPIFakeAsync,ISAPILogNotSupported,ISAPIReadAheadBuffer,KeepAlive,KeepAliveTimeout,KeptBodySize,LanguagePriority,LDAPCacheEntries,LDAPCacheTTL,LDAPConnectionPoolTTL,LDAPConnectionTimeout,LDAPLibraryDebug,LDAPOpCacheEntries,LDAPOpCacheTTL,LDAPReferralHopLimit,LDAPReferrals,LDAPRetries,LDAPRetryDelay,LDAPSharedCacheFile,LDAPSharedCacheSize,LDAPTimeout,LDAPTrustedClientCert,LDAPTrustedGlobalCert,LDAPTrustedMode,LDAPVerifyServerCert,<Limit>,<LimitExcept>,LimitInternalRecursion,LimitRequestBody,LimitRequestFields,LimitRequestFieldSize,LimitRequestLine,LimitXMLRequestBody,Listen,ListenBackLog,LoadFile,LoadModule,<Location>,<LocationMatch>,LogFormat,LogLevel,LogMessage,LuaCodeCache,LuaHookAccessChecker,LuaHookAuthChecker,LuaAuthzProvider,LuaHookCheckUserID,LuaHookFixups,LuaHookInsertFilter,LuaHookMapToStorage,LuaHookTranslateName,LuaHookTypeChecker,LuaInherit,LuaInputFilter,LuaMapHandler,LuaOutputFilter,LuaPackageCPath,LuaPackagePath,LuaQuickHandler,LuaRoot,LuaScope,MaxConnectionsPerChild,MaxKeepAliveRequests,MaxMemFree,MaxRangeOverlaps,MaxRangeReversals,MaxRanges,MaxRequestWorkers,MaxSpareServers,MaxSpareThreads,MaxThreads,MetaDir,MetaFiles,MetaSuffix,MimeMagicFile,MinSpareServers,MinSpareThreads,MMapFile,ModemStandard,ModMimeUsePathInfo,MultiviewsMatch,Mutex,NameVirtualHost,NoProxy,NWSSLTrustedCerts,NWSSLUpgradeable,Options,Order,OutputSed,PassEnv,PidFile,PrivilegesMode,Protocol,ProtocolEcho,<Proxy>,ProxyAddHeaders,ProxyBadHeader,ProxyBlock,ProxyDomain,ProxyErrorOverride,ProxyExpressDBMFile,ProxyExpressDBMType,ProxyExpressEnable,ProxyFtpDirCharset,ProxyFtpEscapeWildcards,ProxyFtpListOnWildcard,ProxyHTMLBufSize,ProxyHTMLCharsetOut,ProxyHTMLDocType,ProxyHTMLEnable,ProxyHTMLEvents,ProxyHTMLExtended,ProxyHTMLFixups,ProxyHTMLInterp,ProxyHTMLLinks,ProxyHTMLStripComments,ProxyHTMLURLMap,ProxyIOBufferSize,<ProxyMatch>,ProxyMaxForwards,ProxyPass,ProxyPassInterpolateEnv,ProxyPassMatch,ProxyPassReverse,ProxyPassReverseCookieDomain,ProxyPassReverseCookiePath,ProxyPreserveHost,ProxyReceiveBufferSize,ProxyRemote,ProxyRemoteMatch,ProxyRequests,ProxySCGIInternalRedirect,ProxySCGISendfile,ProxySet,ProxySourceAddress,ProxyStatus,ProxyTimeout,ProxyVia,ReadmeName,ReceiveBufferSize,Redirect,RedirectMatch,RedirectPermanent,RedirectTemp,ReflectorHeader,RemoteIPHeader,RemoteIPInternalProxy,RemoteIPInternalProxyList,RemoteIPProxiesHeader,RemoteIPTrustedProxy,RemoteIPTrustedProxyList,RemoveCharset,RemoveEncoding,RemoveHandler,RemoveInputFilter,RemoveLanguage,RemoveOutputFilter,RemoveType,RequestHeader,RequestReadTimeout,Require,<RequireAll>,<RequireAny>,<RequireNone>,RewriteBase,RewriteCond,RewriteEngine,RewriteMap,RewriteOptions,RewriteRule,RLimitCPU,RLimitMEM,RLimitNPROC,Satisfy,ScoreBoardFile,Script,ScriptAlias,ScriptAliasMatch,ScriptInterpreterSource,ScriptLog,ScriptLogBuffer,ScriptLogLength,ScriptSock,SecureListen,SeeRequestTail,SendBufferSize,ServerAdmin,ServerAlias,ServerLimit,ServerName,ServerPath,ServerRoot,ServerSignature,ServerTokens,Session,SessionCookieName,SessionCookieName2,SessionCookieRemove,SessionCryptoCipher,SessionCryptoDriver,SessionCryptoPassphrase,SessionCryptoPassphraseFile,SessionDBDCookieName,SessionDBDCookieName2,SessionDBDCookieRemove,SessionDBDDeleteLabel,SessionDBDInsertLabel,SessionDBDPerUser,SessionDBDSelectLabel,SessionDBDUpdateLabel,SessionEnv,SessionExclude,SessionHeader,SessionInclude,SessionMaxAge,SetEnv,SetEnvIf,SetEnvIfExpr,SetEnvIfNoCase,SetHandler,SetInputFilter,SetOutputFilter,SSIEndTag,SSIErrorMsg,SSIETag,SSILastModified,SSILegacyExprParser,SSIStartTag,SSITimeFormat,SSIUndefinedEcho,SSLCACertificateFile,SSLCACertificatePath,SSLCADNRequestFile,SSLCADNRequestPath,SSLCARevocationCheck,SSLCARevocationFile,SSLCARevocationPath,SSLCertificateChainFile,SSLCertificateFile,SSLCertificateKeyFile,SSLCipherSuite,SSLCryptoDevice,SSLEngine,SSLFIPS,SSLHonorCipherOrder,SSLEnableEmptyFragments,SSLInsecureRenegotiation,SSLOCSPDefaultResponder,SSLOCSPEnable,SSLOCSPOverrideResponder,SSLOCSPResponderTimeout,SSLOCSPResponseMaxAge,SSLOCSPResponseTimeSkew,SSLOptions,SSLPassPhraseDialog,SSLProtocol,SSLProxyCACertificateFile,SSLProxyCACertificatePath,SSLProxyCARevocationCheck,SSLProxyCARevocationFile,SSLProxyCARevocationPath,SSLProxyCheckPeerCN,SSLProxyCheckPeerExpire,SSLProxyCipherSuite,SSLProxyEngine,SSLProxyMachineCertificateChainFile,SSLProxyMachineCertificateFile,SSLProxyMachineCertificatePath,SSLProxyProtocol,SSLProxyVerify,SSLProxyVerifyDepth,SSLRandomSeed,SSLRenegBufferSize,SSLRequire,SSLRequireSSL,SSLSessionCache,SSLSessionCacheTimeout,SSLSessionTicketKeyFile,SSLStaplingCache,SSLStaplingErrorCacheTimeout,SSLStaplingFakeTryLater,SSLStaplingForceURL,SSLStaplingResponderTimeout,SSLStaplingResponseMaxAge,SSLStaplingResponseTimeSkew,SSLStaplingReturnResponderErrors,SSLStaplingStandardCacheTimeout,SSLStrictSNIVHostCheck,SSLUserName,SSLUseStapling,SSLVerifyClient,SSLVerifyDepth,StartServers,StartThreads,Substitute,Suexec,SuexecUserGroup,ThreadLimit,ThreadsPerChild,ThreadStackSize,TimeOut,TraceEnable,TransferLog,TypesConfig,UnDefine,UnsetEnv,UseCanonicalName,UseCanonicalPhysicalPort,User,UserDir,VHostCGIMode,VHostCGIPrivs,VHostGroup,VHostPrivs,VHostSecure,VHostUser,VirtualDocumentRoot,VirtualDocumentRootIP,<VirtualHost>,VirtualScriptAlias,VirtualScriptAliasIP,WatchdogInterval,XBitHack,xml2EncAlias,xml2EncDefault,xml2StartParse,RewriteLog,RewriteLogLevel"];
136	var CONFIG_OPTIONS = /^[\\+\\-]?(AuthConfig\|IncludesNOEXEC\|ExecCGI\|FollowSymLinks\|MultiViews\|Includes\|Indexes\|SymLinksIfOwnerMatch)\b/i;	136	var CONFIG_OPTIONS = /^[\\+\\-]?(AuthConfig\|IncludesNOEXEC\|ExecCGI\|FollowSymLinks\|MultiViews\|Includes\|Indexes\|SymLinksIfOwnerMatch)\b/i;
137	var ALL_KEYWORDS = [	137	var ALL_KEYWORDS = [
138	CPP_KEYWORDS, CSHARP_KEYWORDS, JSCRIPT_KEYWORDS, PERL_KEYWORDS +	138	CPP_KEYWORDS, CSHARP_KEYWORDS, JSCRIPT_KEYWORDS, PERL_KEYWORDS +

Lines 143-148 Link Here

(-)httpd-trunk/modules/ssl/mod_ssl.c (+2 lines)
143	"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")	143	"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
144	SSL_CMD_SRV(HonorCipherOrder, FLAG,	144	SSL_CMD_SRV(HonorCipherOrder, FLAG,
145	"Use the server's cipher ordering preference")	145	"Use the server's cipher ordering preference")
		146	SSL_CMD_SRV(EnableEmptyFragments, FLAG,
		147	"Enable countermeasure against SSL3.0/TLS1.0 protocol vulnerability")
146	SSL_CMD_SRV(Compression, FLAG,	148	SSL_CMD_SRV(Compression, FLAG,
147	"Enable SSL level compression"	149	"Enable SSL level compression"
148	"(`on', `off')")	150	"(`on', `off')")




    sc->vhost_id_len           = 0;     /* set during module init */
    sc->session_cache_timeout  = UNSET;
    sc->cipher_server_pref     = UNSET;
    sc->enable_empty_fragments = UNSET;
    sc->insecure_reneg         = UNSET;
    sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
    sc->proxy_ssl_check_peer_cn     = SSL_ENABLED_UNSET;

    cfgMergeBool(proxy_enabled);
    cfgMergeInt(session_cache_timeout);
    cfgMergeBool(cipher_server_pref);
    cfgMergeBool(enable_empty_fragments);
    cfgMergeBool(insecure_reneg);
    cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
    cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);

#endif
}

const char *ssl_cmd_SSLEnableEmptyFragments(cmd_parms *cmd,
                                            void *dcfg, int flag)
{
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    sc->enable_empty_fragments = flag?TRUE:FALSE;
    return NULL;
#else
    return "SSLEnableEmptyFragments unsupported; "
        "not implemented by the SSL library";
#endif
}

const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION




    char *cp;
    int protocol = mctx->protocol;
    SSLSrvConfigRec *sc = mySrvConfig(s);
    long ssl_initial_options; 

    /*
     *  Create the new per-server SSL context


    mctx->ssl_ctx = ctx;

    /* We can not rely on SSL_CTX_clear_options being available, 
       so we unset from SSL_OP_ALL before we call SSL_CTX_set_options */
    /* Use a generic variable in case we ever wish to unmask other options */
    ssl_initial_options = SSL_OP_ALL;
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    /* We check TRUE and FALSE as the default is UNSET, in which case
       no manipulation of the default SSL_OP_ALL bits is done */
    if (sc->enable_empty_fragments == TRUE) {
        /* we must UNSET the "DONT_INSERT" bit to enable empty fragments */
        ssl_initial_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
    }
    else if (sc->enable_empty_fragments == FALSE) {
        /* we SET the "DONT_INSERT" bit to disable empty fragments */
        /* This is redundant, as this bit is SET in SSL_OP_ALL
           however it could be removed in the future */
        ssl_initial_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
    }
#endif
    SSL_CTX_set_options(ctx, ssl_initial_options);

    /* always disable SSLv2, as per RFC 6176 */
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);

Lines 706-711 Link Here

(-)httpd-trunk/modules/ssl/ssl_private.h (+2 lines)
706	int vhost_id_len;	706	int vhost_id_len;
707	int session_cache_timeout;	707	int session_cache_timeout;
708	BOOL cipher_server_pref;	708	BOOL cipher_server_pref;
		709	BOOL enable_empty_fragments;
709	BOOL insecure_reneg;	710	BOOL insecure_reneg;
710	modssl_ctx_t *server;	711	modssl_ctx_t *server;
711	modssl_ctx_t *proxy;	712	modssl_ctx_t *proxy;
Lines 775-780 Link Here
775	const char ssl_cmd_SSLCARevocationFile(cmd_parms , void , const char );	776	const char ssl_cmd_SSLCARevocationFile(cmd_parms , void , const char );
776	const char ssl_cmd_SSLCARevocationCheck(cmd_parms , void , const char );	777	const char ssl_cmd_SSLCARevocationCheck(cmd_parms , void , const char );
777	const char ssl_cmd_SSLHonorCipherOrder(cmd_parms cmd, void *dcfg, int flag);	778	const char ssl_cmd_SSLHonorCipherOrder(cmd_parms cmd, void *dcfg, int flag);
		779	const char ssl_cmd_SSLEnableEmptyFragments(cmd_parms cmd, void *dcfg, int flag);
778	const char ssl_cmd_SSLCompression(cmd_parms , void *, int flag);	780	const char ssl_cmd_SSLCompression(cmd_parms , void *, int flag);
779	const char ssl_cmd_SSLVerifyClient(cmd_parms , void , const char );	781	const char ssl_cmd_SSLVerifyClient(cmd_parms , void , const char );
780	const char ssl_cmd_SSLVerifyDepth(cmd_parms , void , const char );	782	const char ssl_cmd_SSLVerifyDepth(cmd_parms , void , const char );

Return to bug 53899

Lines 2081-2086 Link Here

(-)httpd-trunk/docs/manual/mod/mod_ssl.xml (+29 lines)
2081	</directivesynopsis>	2081	</directivesynopsis>
2082		2082
2083	<directivesynopsis>	2083	<directivesynopsis>
		2084	<name>SSLEnableEmptyFragments</name>
		2085	<description>Option to enable empty fragments countermeasure in SSLv3/TLSv1 protocols</description>
		2086	<syntax>SSLEnableEmptyFragments <em>flag</em></syntax>
		2087	<contextlist><context>server config</context>
		2088	<context>virtual host</context></contextlist>
		2089	<compatibility>Available if using OpenSSL 0.9.6e or later</compatibility>
		2090
		2091	<usage>
		2092	<p>Enables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability
		2093	affecting CBC ciphers, which cannot be handled by some broken SSL
		2094	implementations. This option has no effect for connections using other ciphers.
		2095	This option clears the <code>SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS</code> OpenSSL
		2096	connection flag which is set by default.
		2097	</p>
		2098	<p>This does not protect against the "BEAST" attack itself, which
		2099	is performed from the client side, but is related to the vulnerability
		2100	used by "BEAST". Some background is available at
		2101	<a href="http://www.openssl.org/~bodo/tls-cbc.txt">
		2102	http://www.openssl.org/~bodo/tls-cbc.txt</a>
		2103	</p>
		2104	<example><title>Example</title>
		2105	<highlight language="config">
		2106	SSLEnableEmptyFragments on
		2107	</highlight>
		2108	</example>
		2109	</usage>
		2110	</directivesynopsis>
		2111
		2112	<directivesynopsis>
2084	<name>SSLCryptoDevice</name>	2113	<name>SSLCryptoDevice</name>
2085	<description>Enable use of a cryptographic hardware accelerator</description>	2114	<description>Enable use of a cryptographic hardware accelerator</description>
2086	<syntax>SSLCryptoDevice <em>engine</em></syntax>	2115	<syntax>SSLCryptoDevice <em>engine</em></syntax>

Lines 207-212 Link Here

(-)httpd-trunk/modules/ssl/ssl_engine_config.c (+15 lines)
207	sc->vhost_id_len = 0; /* set during module init */	207	sc->vhost_id_len = 0; /* set during module init */
208	sc->session_cache_timeout = UNSET;	208	sc->session_cache_timeout = UNSET;
209	sc->cipher_server_pref = UNSET;	209	sc->cipher_server_pref = UNSET;
		210	sc->enable_empty_fragments = UNSET;
210	sc->insecure_reneg = UNSET;	211	sc->insecure_reneg = UNSET;
211	sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;	212	sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
212	sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;	213	sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
Lines 342-347 Link Here
342	cfgMergeBool(proxy_enabled);	343	cfgMergeBool(proxy_enabled);
343	cfgMergeInt(session_cache_timeout);	344	cfgMergeInt(session_cache_timeout);
344	cfgMergeBool(cipher_server_pref);	345	cfgMergeBool(cipher_server_pref);
		346	cfgMergeBool(enable_empty_fragments);
345	cfgMergeBool(insecure_reneg);	347	cfgMergeBool(insecure_reneg);
346	cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);	348	cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
347	cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);	349	cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
Lines 718-723 Link Here
718	#endif	720	#endif
719	}	721	}
720		722
		723	const char ssl_cmd_SSLEnableEmptyFragments(cmd_parms cmd,
		724	void *dcfg, int flag)
		725	{
		726	#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
		727	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
		728	sc->enable_empty_fragments = flag?TRUE:FALSE;
		729	return NULL;
		730	#else
		731	return "SSLEnableEmptyFragments unsupported; "
		732	"not implemented by the SSL library";
		733	#endif
		734	}
		735
721	const char ssl_cmd_SSLInsecureRenegotiation(cmd_parms cmd, void *dcfg, int flag)	736	const char ssl_cmd_SSLInsecureRenegotiation(cmd_parms cmd, void *dcfg, int flag)
722	{	737	{
723	#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	738	#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

Lines 571-576 Link Here

(-)httpd-trunk/modules/ssl/ssl_engine_init.c (-1 / +20 lines)
571	char *cp;	571	char *cp;
572	int protocol = mctx->protocol;	572	int protocol = mctx->protocol;
573	SSLSrvConfigRec *sc = mySrvConfig(s);	573	SSLSrvConfigRec *sc = mySrvConfig(s);
		574	long ssl_initial_options;
574		575
575	/*	576	/*
576	* Create the new per-server SSL context	577	* Create the new per-server SSL context
Lines 625-631 Link Here
625		626
626	mctx->ssl_ctx = ctx;	627	mctx->ssl_ctx = ctx;
627		628
628	SSL_CTX_set_options(ctx, SSL_OP_ALL);	629	/* We can not rely on SSL_CTX_clear_options being available,
		630	so we unset from SSL_OP_ALL before we call SSL_CTX_set_options */
		631	/* Use a generic variable in case we ever wish to unmask other options */
		632	ssl_initial_options = SSL_OP_ALL;
		633	#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
		634	/* We check TRUE and FALSE as the default is UNSET, in which case
		635	no manipulation of the default SSL_OP_ALL bits is done */
		636	if (sc->enable_empty_fragments == TRUE) {
		637	/* we must UNSET the "DONT_INSERT" bit to enable empty fragments */
		638	ssl_initial_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
		639	}
		640	else if (sc->enable_empty_fragments == FALSE) {
		641	/* we SET the "DONT_INSERT" bit to disable empty fragments */
		642	/* This is redundant, as this bit is SET in SSL_OP_ALL
		643	however it could be removed in the future */
		644	ssl_initial_options \|= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
		645	}
		646	#endif
		647	SSL_CTX_set_options(ctx, ssl_initial_options);
629		648
630	/* always disable SSLv2, as per RFC 6176 */	649	/* always disable SSLv2, as per RFC 6176 */
631	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);	650	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);