authorRob Crittenden <rcritten@redhat.com>2014-11-12 11:41:29 -0500
committerRob Crittenden <rcritten@redhat.com>2014-11-21 15:38:19 -0500
commit7b876fb247e1e337c236c8183d342ab182d6a837 (patch)
tree80ffa49a23d1a685408023f71fccefc4ae51b232
parentf8b6ab7dab90e92537de3cddc01d915d31bb87fc (diff)
Initialize cipher list when re-negotiating handshake.
If an NSSCipherSuite is defined in a location or directory then we re-do the SSL handshake. The cipher list wasn't being initialized to PR_FALSE, so chances are good that all ciphers would be enabled, not just the ones in the local NSSCipherSuite setting. Resolves BZ 1165408
-rw-r--r--ChangeLog4
-rw-r--r--nss_engine_kernel.c23
2 files changed, 27 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index d2413ff..e5ca948 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-12 Rob Crittenden <rcritten@redhat.com>
+ * Initialize ciphers to all disabled before renegotiation
+ (#1165408)
+
2014-11-06 Rob Crittenden <rcritten@redhat.com>
* Completely remove support for SSLv2
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index deb91a0..4addb39 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -198,6 +198,10 @@ int nss_hook_Access(request_rec *r)
/* configure new state */
+ for (i=0; i<ciphernum; i++)
+ {
+ ciphers_new[i] = PR_FALSE;
+ }
ciphers = strdup(dc->szCipherSuite);
if (nss_parse_ciphers(r->server, ciphers, ciphers_new) < 0) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
@@ -211,6 +215,13 @@ int nss_hook_Access(request_rec *r)
}
free(ciphers);
+ /* Disable all ciphers so only the ones we want will be available */
+
+ for (i = 0; i < SSL_NumImplementedCiphers; i++)
+ {
+ SSL_CipherPrefSet(ssl, SSL_ImplementedCiphers[i], SSL_NOT_ALLOWED);
+ }
+
/* Actually enable the selected ciphers. Also check to
see if the existing cipher is in the new list for
a possible optimization later. */
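Review bot: The SSL_CipherPrefSet() call in the added disable loop discards its SECStatus, so a suite that NSS declines to turn off stays enabled on the renegotiated socket and the "only the ones we want" policy the comment promises is not actually guaranteed. Check the result, e.g. `if (SSL_CipherPrefSet(ssl, SSL_ImplementedCiphers[i], SSL_NOT_ALLOWED) != SECSuccess)`, and report it with ap_log_error at APLOG_WARNING the way the nss_parse_ciphers failure above is reported. This loop also iterates SSL_NumImplementedCiphers while the ciphers_new[] reset in the first hunk iterates ciphernum; if that difference is intentional (NSS's full table versus mod_nss's own subset) a comment such as `/* walk NSS's full table, not mod_nss's ciphernum subset: every suite NSS knows must be off before we re-enable */` would keep a later maintainer from "fixing" one count to match the other. nss_hook_Access starts and ends outside this hunk.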
@@ -474,6 +485,18 @@ int nss_hook_Access(request_rec *r)
}
}
+ if (cipher || !cipher_in_list) {
+ int on, keySize, secretKeySize;
+ char *issuer, *subject;
+
+ SSL_SecurityStatus(ssl, &on, &cipher,
+ &keySize, &secretKeySize, &issuer,
+ &subject);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Re-negotiated cipher %s", cipher);
+ }
+
/*
* Remember the peer certificate's DN
*/