path: root/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
authorhenning <henning@openbsd.org>2004-10-20 14:02:40 +0000
committerhenning <henning@openbsd.org>2004-10-20 14:02:40 +0000
commitbe7cd333f254b585931462027a1c07b652b17649 (patch)
tree166679e4aa0d714f200b362458e107192cba463f /usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
parentput newline at right place during attach (diff)
merge changes from mod_ssl 2.8.20, in particular a fix for CAN-2004-0885
Diffstat (limited to 'usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c')
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index dd135e4ee89..8bec6d690bf 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -672,7 +672,7 @@ int ssl_hook_Access(request_rec *r)
X509_STORE_CTX certstorectx;
int depth;
STACK_OF(SSL_CIPHER) *skCipherOld;
- STACK_OF(SSL_CIPHER) *skCipher;
+ STACK_OF(SSL_CIPHER) *skCipher = NULL;
SSL_CIPHER *pCipher;
ap_ctx *apctx;
int nVerifyOld;
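Review bot: The new `= NULL` on `skCipher` carries a contract that the declaration does not state: the second hunk tests `if (skCipher != NULL)` and treats a non-NULL value as "a per-directory cipher list was applied, so the renegotiated cipher must be a member of it", which means any future unrelated assignment to `skCipher` would silently turn that FORBIDDEN check on or off. A comment on the declaration would make the invariant visible, e.g. `STACK_OF(SSL_CIPHER) *skCipher = NULL; /* non-NULL only once a per-dir SSLCipherSuite list is applied; re-checked after renegotiation */`. The body of ssl_hook_Access, including the site where skCipher is assigned, lies outside this hunk, so the exact assignment path is inferred from the later check rather than seen here.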
@@ -1067,6 +1067,20 @@ int ssl_hook_Access(request_rec *r)
if (cert != NULL)
X509_free(cert);
}
+
+ /*
+ * Also check that SSLCipherSuite has been enforced as expected
+ */
+ if (skCipher != NULL) {
+ pCipher = SSL_get_current_cipher(ssl);
+ if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "SSL cipher suite not renegotiated: "
+ "access to %s denied using cipher %s",
+ r->filename, SSL_CIPHER_get_name(pCipher));
+ return FORBIDDEN;
+ }
+ }
}
/*