-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c10
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c16
2 files changed, 24 insertions, 2 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 8e7b7d94e57..69bc248f088 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_engine_init.c,v 1.23 2003/11/17 18:57:06 henning Exp $ */
+/* $OpenBSD: ssl_engine_init.c,v 1.24 2004/10/20 14:02:40 henning Exp $ */
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
@@ -640,6 +640,14 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
/*
+ * Disallow a session from being resumed during a renegotiation,
+ * so that an acceptable cipher suite can be negotiated.
+ */
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+
+ /*
* Configure callbacks for SSL context
*/
nVerify = SSL_VERIFY_NONE;
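Review bot: The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard means a build against an OpenSSL that does not define the option silently drops it, so on such builds a renegotiation triggered by a per-directory cipher-suite change may presumably still resume the earlier session instead of negotiating a fresh cipher, with nothing in the log or build output saying so. An `#else` branch carrying at least a comment would make the degraded behaviour visible to whoever builds against an older library, e.g. `#else /* older OpenSSL: renegotiation may resume the prior session; the post-handshake cipher check in ssl_hook_Access is the only safeguard */`. The comment above the call could also name the failure it prevents rather than only the intent, along the lines of `/* otherwise a resumed session keeps the cipher negotiated before the per-directory SSLCipherSuite was applied */`. ssl_init_ConfigureServer starts and ends outside this hunk.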
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index dd135e4ee89..8bec6d690bf 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -672,7 +672,7 @@ int ssl_hook_Access(request_rec *r)
X509_STORE_CTX certstorectx;
int depth;
STACK_OF(SSL_CIPHER) *skCipherOld;
- STACK_OF(SSL_CIPHER) *skCipher;
+ STACK_OF(SSL_CIPHER) *skCipher = NULL;
SSL_CIPHER *pCipher;
ap_ctx *apctx;
int nVerifyOld;
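Review bot: Initializing `skCipher` to NULL at its declaration is what makes a later `skCipher != NULL` test well-defined, but the adjacent `skCipherOld` stays uninitialized, so the declarations alone do not tell a reader which of the two carries a "may legitimately stay unset" contract. A short comment on the changed line would record that, e.g. `STACK_OF(SSL_CIPHER) *skCipher = NULL;  /* presumably set only when a per-directory SSLCipherSuite forces renegotiation; tested after the handshake */`. Whether skCipherOld is always assigned before it is read cannot be seen here; ssl_hook_Access continues outside this hunk.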
@@ -1067,6 +1067,20 @@ int ssl_hook_Access(request_rec *r)
if (cert != NULL)
X509_free(cert);
}
+
+ /*
+ * Also check that SSLCipherSuite has been enforced as expected
+ */
+ if (skCipher != NULL) {
+ pCipher = SSL_get_current_cipher(ssl);
+ if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "SSL cipher suite not renegotiated: "
+ "access to %s denied using cipher %s",
+ r->filename, SSL_CIPHER_get_name(pCipher));
+ return FORBIDDEN;
+ }
+ }
}
/*