As you may or may not know, SSLHonorCipherOrder is supported since
apache 2.1.
This diff ports this feature to OpenBSD's httpd. Its effects can be
tested @ https://www.ssllabs.com/ssltest/analyze.html?d=example.com by
playing with SSLHonorCipherOrder/SSLCipherSuite directives.
SSLHonorCipherOrder directive is useful for prioritizing certain crypto
parameters over others. I use it to prioritize GCM over RC4, and RC4
over CBC-based ciphers to reduce the chance of a BEAST attack.
It's documented @
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
This diff is adapted from r103832 @
http://svn.apache.org/repos/asf/httpd (subversion)
Thanks
Index: usr.sbin/httpd//src/modules/ssl/mod_ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.10
diff -u -p -r1.10 mod_ssl.c
--- usr.sbin/httpd//src/modules/ssl/mod_ssl.c 14 Oct 2007 15:12:59 -0000 1.10
+++ usr.sbin/httpd//src/modules/ssl/mod_ssl.c 8 Jul 2013 03:08:27 -0000
@@ -158,6 +158,8 @@ static command_rec ssl_config_cmds[] = {
AP_SRV_CMD(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ AP_SRV_CMD(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
#ifdef SSL_EXPERIMENTAL_PROXY
/*
Index: usr.sbin/httpd//src/modules/ssl/mod_ssl.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.21
diff -u -p -r1.21 mod_ssl.h
--- usr.sbin/httpd//src/modules/ssl/mod_ssl.h 4 Apr 2006 08:51:28 -0000 1.21
+++ usr.sbin/httpd//src/modules/ssl/mod_ssl.h 8 Jul 2013 03:08:27 -0000
@@ -514,6 +514,7 @@ typedef struct {
char *szCACertificateFile;
char *szLogFile;
char *szCipherSuite;
+ BOOL cipher_server_pref;
FILE *fileLogFile;
int nLogLevel;
int nVerifyDepth;
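Review bot: `BOOL cipher_server_pref;` departs from the naming convention of the surrounding fields, which all carry a type prefix (`szCipherSuite`, `fileLogFile`, `nLogLevel`, `nVerifyDepth`); a prefixed name tied to the directive it backs, e.g. `BOOL bHonorCipherOrder;` if the struct uses `b` for BOOL members elsewhere, would read as part of the same struct. The rename would have to be carried through the `sc->cipher_server_pref` references in ssl_engine_config.c and ssl_engine_init.c within the same patch. A one-line comment such as `/* SSLHonorCipherOrder: UNSET until merged */` would also document the tri-state the create/merge hunks rely on. The typedef this field belongs to starts and ends outside the hunk.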
@@ -597,6 +598,7 @@ const char *ssl_cmd_SSLCACertificatePat
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, SSLDirConfigRec *, char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, char *, char *);
Index: usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.19
diff -u -p -r1.19 ssl_engine_config.c
--- usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c 27 May 2008 10:17:24 -0000 1.19
+++ usr.sbin/httpd//src/modules/ssl/ssl_engine_config.c 8 Jul 2013 03:08:27 -0000
@@ -208,6 +208,7 @@ void *ssl_config_server_create(pool *p,
sc->szCARevocationPath = NULL;
sc->szCARevocationFile = NULL;
sc->pRevocationStore = NULL;
+ sc->cipher_server_pref = UNSET;
#ifdef SSL_EXPERIMENTAL_PROXY
sc->nProxyVerifyDepth = UNSET;
@@ -264,6 +265,7 @@ void *ssl_config_server_merge(pool *p, v
cfgMerge(szCARevocationPath, NULL);
cfgMerge(szCARevocationFile, NULL);
cfgMerge(pRevocationStore, NULL);
+ cfgMergeBool(cipher_server_pref);
for (i = 0; i < SSL_AIDX_MAX; i++) {
cfgMergeString(szPublicCertFile[i]);
@@ -540,6 +542,17 @@ const char *ssl_cmd_SSLCipherSuite(
else
dc->szCipherSuite = arg;
return NULL;
+}
+
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->cipher_server_pref = flag?TRUE:FALSE;
+ return NULL;
+#else
+ return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
+#endif
}
const char *ssl_cmd_SSLCertificateFile(
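Review bot: The error string returned from the `#else` branch misspells the directive, so the message shown when the library lacks SSL_OP_CIPHER_SERVER_PREFERENCE names a directive that does not exist; it should read `return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";`. The `dcfg` parameter is unused in both branches, which fits the FLAG-handler shape registered in mod_ssl.c but deserves a short comment, e.g. `/* server-level directive; dcfg unused */`. `flag?TRUE:FALSE` would match the rest of the file better spaced as `sc->cipher_server_pref = flag ? TRUE : FALSE;`. The hunk also closes `ssl_cmd_SSLCipherSuite`, whose body starts outside it.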
Index: usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.28
diff -u -p -r1.28 ssl_engine_init.c
--- usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c 7 Jul 2012 17:08:17 -0000 1.28
+++ usr.sbin/httpd//src/modules/ssl/ssl_engine_init.c 8 Jul 2013 03:08:27 -0000
@@ -589,6 +589,16 @@ void ssl_init_ConfigureServer(server_rec
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ if (sc->cipher_server_pref == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+ }
+#endif
+
SSL_CTX_set_app_data(ctx, s);
sc->pSSLCtx = ctx;
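Review bot: `SSLSrvConfigRec *sc = mySrvConfig(s);` inside the new `#ifdef` block redeclares `sc`, which the enclosing function already holds — it is dereferenced on the context lines both before (`sc->nProtocol`) and after (`sc->pSSLCtx = ctx;`) the block — so the inner declaration shadows the outer one, triggers -Wshadow, and repeats a lookup that was already done. The extra block scope and lookup can be dropped and the existing `sc` used directly: `if (sc->cipher_server_pref == TRUE)` / `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);`. A why-comment would help readers who do not know the directive, e.g. `/* SSLHonorCipherOrder: let the server's SSLCipherSuite ordering win over the client's */`. ssl_init_ConfigureServer starts and ends outside the hunk.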