Upgrade to apache 2.4.33
[ihttpd] / SOURCES / httpd-2.4.33-sslciphdefault.patch
1
2 https://bugzilla.redhat.com/show_bug.cgi?id=1109119
3
4 Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
5
6 --- httpd-2.4.33/modules/ssl/ssl_engine_config.c.sslciphdefault
7 +++ httpd-2.4.33/modules/ssl/ssl_engine_config.c
8 @@ -758,8 +758,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
9 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
10 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
11
12 - /* always disable null and export ciphers */
13 - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
14 + /* Disable null and export ciphers by default, except for PROFILE=
15 + * configs where the parser doesn't cope. */
16 + if (strncmp(arg, "PROFILE=", 8) != 0)
17 + arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
18
19 if (cmd->path) {
20 dc->szCipherSuite = arg;
21 @@ -1502,8 +1504,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
22 {
23 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
24
25 - /* always disable null and export ciphers */
26 - arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
27 + /* Disable null and export ciphers by default, except for PROFILE=
28 + * configs where the parser doesn't cope. */
29 + if (strncmp(arg, "PROFILE=", 8) != 0)
30 + arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
31
32 dc->proxy->auth.cipher_suite = arg;
33