X-Git-Url: https://git.rapsys.eu/ihttpd/blobdiff_plain/985f8d25bdd17fde0ffef26373378ac15fb2d8fe..9028059ad6c85a6a221a7d6de279c4f4d8603158:/SOURCES/httpd-2.4.33-sslciphdefault.patch

diff --git a/SOURCES/httpd-2.4.33-sslciphdefault.patch b/SOURCES/httpd-2.4.33-sslciphdefault.patch
new file mode 100644
index 0000000..6b94a16
--- /dev/null
+++ b/SOURCES/httpd-2.4.33-sslciphdefault.patch
@@ -0,0 +1,33 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.33/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.33/modules/ssl/ssl_engine_config.c
+@@ -758,8 +758,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
+     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ 
+-    /* always disable null and export ciphers */
+-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++    /* Disable null and export ciphers by default, except for PROFILE=
++     * configs where the parser doesn't cope. */
++    if (strncmp(arg, "PROFILE=", 8) != 0)
++        arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+ 
+     if (cmd->path) {
+         dc->szCipherSuite = arg;
+@@ -1502,8 +1504,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
+ {
+     SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ 
+-    /* always disable null and export ciphers */
+-    arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++    /* Disable null and export ciphers by default, except for PROFILE=
++     * configs where the parser doesn't cope. */
++    if (strncmp(arg, "PROFILE=", 8) != 0)
++        arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+ 
+     dc->proxy->auth.cipher_suite = arg;
+