authorJoe Orton <jorton@redhat.com>2014-08-21 11:32:44 +0100
committerJoe Orton <jorton@redhat.com>2014-08-21 11:32:44 +0100
commit4475e3e26285ff84d9c5fd3b9ffb45376f0092d6 (patch)
tree9c535dd0b1798be91fd916d97e2f1e6b04e59975
parentf65d1ef433eb33de609c498cec0e3ed8205e3db0 (diff)
mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
- switch default ssl.conf to use PROFILE=SYSTEM (#1109119) Resolves: rhbz#1109119
-rw-r--r--httpd-2.4.10-sslciphdefault.patch20
-rw-r--r--httpd.spec8
-rw-r--r--ssl.conf5
3 files changed, 30 insertions, 3 deletions
diff --git a/httpd-2.4.10-sslciphdefault.patch b/httpd-2.4.10-sslciphdefault.patch
new file mode 100644
index 0000000..37a74e3
--- /dev/null
+++ b/httpd-2.4.10-sslciphdefault.patch
@@ -0,0 +1,20 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
+@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+
+ if (cmd->path) {
+ dc->szCipherSuite = arg;
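Review bot: The new guard `if (strncmp(arg, "PROFILE=", 8) != 0)` silently drops the `!aNULL:!eNULL:!EXP:` exclusions for every PROFILE= configuration, so anonymous and export ciphers are then excluded only if the selected system profile excludes them; the comment should say so instead of only "the parser doesn't cope", e.g. `/* PROFILE= strings are passed through unchanged; the system profile is then relied on to exclude aNULL/eNULL/EXP. */`. The literal 8 duplicates the prefix length and will drift if the prefix ever changes — `sizeof("PROFILE=") - 1` keeps them in sync — and the unbraced single-statement `if` is worth bracing given that the line it governs rewrites the cipher string. strncmp is case-sensitive, so a lowercase `profile=` spelling would still get the prefix prepended; whether OpenSSL accepts that spelling I cannot tell from the hunk. ssl_cmd_SSLCipherSuite starts before and continues after this hunk.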
diff --git a/httpd.spec b/httpd.spec
index 02f9adc..7d9ea42 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -14,7 +14,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.10
-Release: 5%{?dist}
+Release: 6%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -65,6 +65,7 @@ Patch29: httpd-2.4.3-mod_systemd.patch
Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch34: httpd-2.4.9-socket-activation.patch
+Patch35: httpd-2.4.10-sslciphdefault.patch
# Bug fixes
Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch
@@ -202,6 +203,7 @@ interface for storing and accessing per-user session data.
%patch30 -p1 -b .cachehardmax
%patch31 -p1 -b .sslmultiproxy
%patch34 -p1 -b .socketactivation
+%patch35 -p1 -b .sslciphdefault
%patch55 -p1 -b .malformedhost
%patch56 -p1 -b .uniqueid
@@ -659,6 +661,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Thu Aug 21 2014 Joe Orton <jorton@redhat.com> - 2.4.10-6
+- mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
+- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
+
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.10-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
diff --git a/ssl.conf b/ssl.conf
index 5c9b652..c6b1b27 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -77,9 +77,10 @@ SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
-# By leaving this directive commented out, the system-wide OpenSSL
-# default is used. See update-crypto-policies(8) for more details.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite PROFILE=DEFAULT
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
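Review bot: The new `SSLCipherSuite PROFILE=DEFAULT` line disagrees with the commit title, the commit description and the new httpd.spec changelog entry, which all say the shipped ssl.conf switches to `PROFILE=SYSTEM`; one side is wrong, and since this line is now the default cipher policy for every installation, the name should be checked against the profile names the system OpenSSL actually recognises before release. The rewritten comment above it would also help operators if it stated that with a PROFILE= value mod_ssl no longer prepends its usual exclusions (the behaviour introduced by the sslciphdefault patch in this commit), e.g. `# With PROFILE=..., mod_ssl does not add its usual !aNULL:!eNULL:!EXP exclusions; the selected profile must exclude them itself.`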