author | clement <clement@FreeBSD.org> | 2004-10-13 17:17:38 +0800 |
committer | clement <clement@FreeBSD.org> | 2004-10-13 17:17:38 +0800 |
commit | ca2f10e3eb94c13b5d5fdf4abc95a2f846b3d208 (patch) | |
tree | 964858b32f7b7c526ea64eabc6a56a42c6dab879 /www | |
parent | 3950d4af72cefb6274f0de001d4a30382afe533b (diff) | |
- Yet Another Security Fix
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Credits: Hartmut Keil, Joe Orton
Diffstat (limited to 'www')
-rw-r--r-- | www/apache2/Makefile | 1 | ||||
-rw-r--r-- | www/apache2/files/patch-secfix-CAN-2004-0885 | 56 | ||||
-rw-r--r-- | www/apache20/Makefile | 1 | ||||
-rw-r--r-- | www/apache20/files/patch-secfix-CAN-2004-0885 | 56 |
4 files changed, 114 insertions, 0 deletions
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 7be52aa5d002..ecaad59fbe21 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -9,6 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.0.52
+PORTREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache2/files/patch-secfix-CAN-2004-0885 b/www/apache2/files/patch-secfix-CAN-2004-0885
new file mode 100644
index 000000000000..f19a7e55c165
--- /dev/null
+++ b/www/apache2/files/patch-secfix-CAN-2004-0885
@@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c 3 Jun 2004 13:03:08 -0000 1.128
++++ modules/ssl/ssl_engine_init.c 8 Oct 2004 11:59:32 -0000 1.129
+@@ -443,6 +443,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c 18 Aug 2004 11:05:22 -0000 1.110
++++ modules/ssl/ssl_engine_kernel.c 8 Oct 2004 11:59:33 -0000 1.111
+@@ -733,6 +733,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
+
+
+
diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 7be52aa5d002..ecaad59fbe21 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
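Review bot: The comment above the new `if (cipher_list)` block in the ssl_engine_kernel.c part of this patch file says only that SSLCipherSuite is "checked", so the reason the check exists (the CAN-2004-0885 case named in the commit message) is lost once the code is read on its own; I would expand it to `/* CAN-2004-0885: a resumed session keeps the cipher it was first negotiated with, so verify that the cipher actually in use is in the per-directory SSLCipherSuite list and deny the request otherwise. */`. The enclosing function (ssl_hook_Access, per the commit message) starts and ends outside the hunk, so where `cipher_list` and `cipher` are declared and whether `SSL_get_current_cipher(ssl)` can still be NULL here cannot be seen; if it can, `sk_SSL_CIPHER_find()` is handed a NULL element, and `if (!cipher || sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {` would make the denial explicit for that case — worth confirming against the rest of the function. The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` block in the ssl_engine_init.c part presumably means that on an OpenSSL without that option a session can still be resumed during renegotiation, in which case the kernel check above turns the request into a 403 rather than forcing a fresh handshake; a one-line comment under the `#endif` noting that fallback would help whoever later builds this port against an older OpenSSL. The identical patch file added under www/apache20 (the last hunk of this commit) carries the same points.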
@@ -9,6 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.0.52
+PORTREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache20/files/patch-secfix-CAN-2004-0885 b/www/apache20/files/patch-secfix-CAN-2004-0885
new file mode 100644
index 000000000000..f19a7e55c165
--- /dev/null
+++ b/www/apache20/files/patch-secfix-CAN-2004-0885
@@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c 3 Jun 2004 13:03:08 -0000 1.128
++++ modules/ssl/ssl_engine_init.c 8 Oct 2004 11:59:32 -0000 1.129
+@@ -443,6 +443,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c 18 Aug 2004 11:05:22 -0000 1.110
++++ modules/ssl/ssl_engine_kernel.c 8 Oct 2004 11:59:33 -0000 1.111
+@@ -733,6 +733,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
+
+
+