This has been kicking around the net for years, so I have a patch to fix it. This patch needs to be applied in the modules/ssl directory, and it creates a new configuration directive - "SSLHonorCipherOrder", which takes a boolean value. If "SSLHonorCipherOrder" is true, the server prefers its own ordering for cipher selection (as set by the "SSLCipherSuite" directive). If it's set to false (or absent), the historical behavior of prefering the client cipher ordering is used. Note that the patch checks for the availability of the SSL_OP_CIPHER_SERVER_PREFERENCE define, so it's safe to use (but ignored) even if you're using an ancient version of OpenSSL that doesn't support this. Patch follows: --<cut here>--
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c 2003/04/10 19:09:56 1.1.1.2
+++ modules/ssl/mod_ssl.c 2004/04/28 15:57:20
@@ -167,6 +167,10 @@
 SSL_CMD_SRV(Protocol, RAW_ARGS,
 "Enable or disable various SSL protocols"
 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
 /*
 * Proxy configuration for remote SSL connections
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h 2003/06/05 20:51:17 1.1.1.3
+++ modules/ssl/mod_ssl.h 2004/04/28 15:57:21
@@ -514,6 +514,9 @@
 SSLModConfigRec *mc;
 BOOL enabled;
 BOOL proxy_enabled;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ BOOL bHonorCipherOrder;
+#endif
 const char *vhost_id;
 int vhost_id_len;
 int session_cache_timeout;
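Review bot: The help string added for the FLAG directive, `"Use the server's cipher ordering preference"`, leaves out the accepted values and the default, whereas the neighbouring `Protocol` entry spells out its syntax and points to the manual. Because the engine only enables the option when the merged value is exactly TRUE (an absent directive stays UNSET), the default is "off", and saying so in the table avoids administrators assuming it is on. Suggested text: `"Use the server's cipher ordering preference (`on'|`off', default off - see manual)"`.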
@@ -574,6 +577,9 @@
 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);
 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c 2003/04/10 19:09:56 1.1.1.2
+++ modules/ssl/ssl_engine_config.c 2004/04/28 15:57:21
@@ -212,7 +212,9 @@
 sc->vhost_id = NULL; /* set during module init */
 sc->vhost_id_len = 0; /* set during module init */
 sc->session_cache_timeout = UNSET;
-
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ sc->bHonorCipherOrder = UNSET;
+#endif
 modssl_ctx_init_proxy(sc, p);
 modssl_ctx_init_server(sc, p);
@@ -296,6 +298,9 @@
 cfgMergeBool(enabled);
 cfgMergeBool(proxy_enabled);
 cfgMergeInt(session_cache_timeout);
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ cfgMergeBool(bHonorCipherOrder);
+#endif
 modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -662,6 +667,18 @@
 return NULL;
 }
+
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "ssl_cmd_SSLHonorCipherOrder: Setting bHonorCipherOrder to %s",
+ flag?"TRUE":"FALSE");
+ sc->bHonorCipherOrder = flag?TRUE:FALSE;
+#endif
+ return NULL;
+}
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *dcfg,
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c 2003/06/05 20:51:17 1.1.1.3
+++ modules/ssl/ssl_engine_init.c 2004/04/28 15:57:21
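Review bot: In the `@@ -662` hunk, when SSL_OP_CIPHER_SERVER_PREFERENCE is not defined `ssl_cmd_SSLHonorCipherOrder` accepts the directive and returns NULL without recording or reporting anything, so an administrator who writes `SSLHonorCipherOrder on` against an older OpenSSL keeps the client-chosen cipher ordering with no indication that the setting had no effect. The whole point of the directive is to keep the server's preferred suites ahead of whatever the client lists first, so the ignored case should be visible in the error log rather than silent. Add an `#else` branch ahead of the existing `#endif`: `#else`, `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, "SSLHonorCipherOrder ignored: this OpenSSL lacks SSL_OP_CIPHER_SERVER_PREFERENCE");`, `#endif`. The `@@ -212` hunk also drops the blank line that separated the field initialisers from the `modssl_ctx_init_*` calls; keeping a blank line after the new `#endif` preserves that grouping.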
@@ -416,6 +416,9 @@
 SSL_METHOD *method = NULL;
 char *cp;
 int protocol = mctx->protocol;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+#endif
 /*
 * Create the new per-server SSL context
@@ -464,6 +467,11 @@
 if (!(protocol & SSL_PROTOCOL_TLSV1)) {
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
 }
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if(TRUE == sc->bHonorCipherOrder) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+#endif
 SSL_CTX_set_app_data(ctx, s);
--<cut here>--
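Review bot: In the `@@ -464` hunk, `if(TRUE == sc->bHonorCipherOrder)` departs from the surrounding style, which writes `if (` with a space and compares in the natural direction (`if (!(protocol & SSL_PROTOCOL_TLSV1))`); `if (sc->bHonorCipherOrder == TRUE)` reads like its neighbours. The explicit comparison against TRUE, rather than a plain truth test, is what keeps the UNSET value left by an absent directive from enabling the option, and that is non-obvious enough to deserve a comment: `/* compare against TRUE: UNSET (no directive) must keep the client's ordering */`. If this init path also builds the proxy context (the config hunk's separate `modssl_ctx_init_proxy`/`modssl_ctx_init_server` suggests the same code may serve both), the option is set on that context too; since SSL_OP_CIPHER_SERVER_PREFERENCE only affects the server side of a handshake this is harmless, but a comment saying it is intentional would save the next reader the question. The enclosing function begins and ends outside the hunk.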
Thanks for the patch, Jim. Committed to HEAD with a few minor tweaks.