Bug 28665 - mod_ssl ignores server cipher preferences
Summary: mod_ssl ignores server cipher preferences
Status: CLOSED FIXED
Product: Apache httpd-2
Component: mod_ssl
Version: 2.0-HEAD
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
 
Reported: 2004-04-28 16:17 UTC by Jim Schneider
Modified: 2004-11-16 19:05 UTC (History)




Description Jim Schneider 2004-04-28 16:17:32 UTC
This has been kicking around the net for years, so I have a patch to fix it. 
This patch needs to be applied in the modules/ssl directory, and it creates a
new configuration directive - "SSLHonorCipherOrder", which takes a boolean
value.  If "SSLHonorCipherOrder" is true, the server prefers its own ordering
for cipher selection (as set by the "SSLCipherSuite" directive).  If it's set to
false (or absent), the historical behavior of preferring the client cipher
ordering is used.  

Note that the patch checks for the availability of the
SSL_OP_CIPHER_SERVER_PREFERENCE define, so it's safe to use (but ignored) even
if   you're using an ancient version of OpenSSL that doesn't support this.

Patch follows:
--<cut here>--
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c       2003/04/10 19:09:56     1.1.1.2
+++ modules/ssl/mod_ssl.c       2004/04/28 15:57:20
@@ -167,6 +167,10 @@
     SSL_CMD_SRV(Protocol, RAW_ARGS,
                 "Enable or disable various SSL protocols"
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+    SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                "Use the server's cipher ordering preference")

     /*
      * Proxy configuration for remote SSL connections
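Review bot: The help string on the new SSL_CMD_SRV entry does not say what "the server's cipher ordering" is or what it replaces, which is the one thing an administrator reading `httpd -L` output needs in order to use the directive correctly. The description above ties the ordering to SSLCipherSuite, so the help text should too: `"Use the server's cipher ordering preference (the order given in SSLCipherSuite) instead of the client's"`. The command table this entry belongs to starts and ends outside the hunk.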
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h       2003/06/05 20:51:17     1.1.1.3
+++ modules/ssl/mod_ssl.h       2004/04/28 15:57:21
@@ -514,6 +514,9 @@
     SSLModConfigRec *mc;
     BOOL             enabled;
     BOOL             proxy_enabled;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    BOOL             bHonorCipherOrder;
+#endif
     const char      *vhost_id;
     int              vhost_id_len;
     int              session_cache_timeout;
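Review bot: Wrapping the struct member `bHonorCipherOrder` in `#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE` makes the layout of this config record depend on which OpenSSL headers a given translation unit happens to see, so any object compiled against different headers would disagree on the offsets of `vhost_id` and everything after it. The member costs nothing when unused; declare it unconditionally as `BOOL             bHonorCipherOrder;` and keep the `#ifdef` only around the code that reads and writes it. The struct this hunk belongs to begins and ends outside the hunk.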
@@ -574,6 +577,9 @@
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, void *, int);
 const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c     2003/04/10 19:09:56     1.1.1.2
+++ modules/ssl/ssl_engine_config.c     2004/04/28 15:57:21
@@ -212,7 +212,9 @@
     sc->vhost_id               = NULL;  /* set during module init */
     sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
-
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    sc->bHonorCipherOrder      = UNSET;
+#endif
     modssl_ctx_init_proxy(sc, p);

     modssl_ctx_init_server(sc, p);
@@ -296,6 +298,9 @@
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    cfgMergeBool(bHonorCipherOrder);
+#endif

     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);

@@ -662,6 +667,18 @@

     return NULL;
 }
+
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+        "ssl_cmd_SSLHonorCipherOrder: Setting bHonorCipherOrder to %s",
+       flag?"TRUE":"FALSE");
+    sc->bHonorCipherOrder = flag?TRUE:FALSE;
+#endif
+    return NULL;
+}

 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
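Review bot: When `SSL_OP_CIPHER_SERVER_PREFERENCE` is not defined, `ssl_cmd_SSLHonorCipherOrder` returns NULL without doing anything, so an administrator who sets `SSLHonorCipherOrder on` to stop clients from steering cipher selection gets the old client-preference behaviour with no indication that the directive was dropped. Accepting the directive on old OpenSSL is reasonable, but it should at least be visible in the error log: add an `#else` branch with `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, "SSLHonorCipherOrder ignored: this OpenSSL lacks SSL_OP_CIPHER_SERVER_PREFERENCE");` before the `return NULL;`. The handler's debug message is fine but is emitted for every vhost at startup, so APLOG_DEBUG is the right level for it. The `ssl_cmd_SSLCipherSuite` definition that the hunk ends on continues outside the hunk.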
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c       2003/06/05 20:51:17     1.1.1.3
+++ modules/ssl/ssl_engine_init.c       2004/04/28 15:57:21
@@ -416,6 +416,9 @@
     SSL_METHOD *method = NULL;
     char *cp;
     int protocol = mctx->protocol;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    SSLSrvConfigRec *sc = mySrvConfig(s);
+#endif

     /*
      *  Create the new per-server SSL context
@@ -464,6 +467,11 @@
     if (!(protocol & SSL_PROTOCOL_TLSV1)) {
         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
     }
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    if(TRUE == sc->bHonorCipherOrder) {
+        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
+#endif

     SSL_CTX_set_app_data(ctx, s);
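Review bot: The new `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` is applied to whatever context this function is building, and since the function works from `mctx` it appears to be shared between the server context and the proxy client context (`sc->proxy` is visible at the merge site earlier in the patch); a server-preference flag on a client-side context has no effect, so it is harmless, but it would be cleaner to apply it only to the server context, e.g. `if (TRUE == sc->bHonorCipherOrder && mctx == sc->server)` if `sc->server` is the server-side context here. This needs confirming against the callers, which are outside the hunk, as is the start of the enclosing function.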
--<cut here>--
Comment 1 Joe Orton 2004-06-03 13:07:00 UTC
Thanks for the patch, Jim.  Committed to HEAD with a few minor tweaks.