Raphaël G. Git Repositories - ihttpd/blob - SOURCES/httpd-2.4.33-sslciphdefault.patch

   1
   2 https://bugzilla.redhat.com/show_bug.cgi?id=1109119
   3
   4 Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
   5
   6 --- httpd-2.4.33/modules/ssl/ssl_engine_config.c.sslciphdefault
   7 +++ httpd-2.4.33/modules/ssl/ssl_engine_config.c
   8 @@ -758,8 +758,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
   9      SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
  10      SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
  11
  12 -    /* always disable null and export ciphers */
  13 -    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
  14 +    /* Disable null and export ciphers by default, except for PROFILE=
  15 +     * configs where the parser doesn't cope. */
  16 +    if (strncmp(arg, "PROFILE=", 8) != 0)
  17 +        arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
  18
  19      if (cmd->path) {
  20          dc->szCipherSuite = arg;
  21 @@ -1502,8 +1504,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
  22  {
  23      SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
  24
  25 -    /* always disable null and export ciphers */
  26 -    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
  27 +    /* Disable null and export ciphers by default, except for PROFILE=
  28 +     * configs where the parser doesn't cope. */
  29 +    if (strncmp(arg, "PROFILE=", 8) != 0)
  30 +        arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
  31
  32      dc->proxy->auth.cipher_suite = arg;
  33