- Yet Another Security Fix

Fix CAN-2004-0885: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a correct cipher suite has been negotiated, else deny access. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable) cipher suite. Credits: Hartmut Keil, Joe Orton
svn path=/head/; revision=119190
2004-10-13 09:17:38 +00:00 · 2004-10-13 09:17:38 +00:00 · 310abe64ef · 2021-03-31 03:12:20 +00:00
commit 310abe64ef
parent e7cfe6e3ad
4 changed files with 114 additions and 0 deletions
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@ -9,6 +9,7 @@

 PORTNAME=	apache
 PORTVERSION=	2.0.52
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
--- a/www/apache2/files/patch-secfix-CAN-2004-0885
+++ b/www/apache2/files/patch-secfix-CAN-2004-0885
@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c	3 Jun 2004 13:03:08 -0000	1.128
+++ modules/ssl/ssl_engine_init.c	8 Oct 2004 11:59:32 -0000	1.129
+@@ -443,6 +443,14 @@
+      * Configure additional context ingredients
+      */
+     SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /* 
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+ }
+ 
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c	18 Aug 2004 11:05:22 -0000	1.110
+++ modules/ssl/ssl_engine_kernel.c	8 Oct 2004 11:59:33 -0000	1.111
+@@ -733,6 +733,21 @@
+                 X509_free(peercert);
+             }
+         }
+        
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected.
+         */
+        if (cipher_list) {
+            cipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                             "SSL cipher suite not renegotiated: "
+                             "access to %s denied using cipher %s",
+                              r->filename,
+                              SSL_CIPHER_get_name(cipher));
+                return HTTP_FORBIDDEN;
+            }
+        }
+     }
+ 
+     /*
+
+
+
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@ -9,6 +9,7 @@

 PORTNAME=	apache
 PORTVERSION=	2.0.52
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
--- a/www/apache20/files/patch-secfix-CAN-2004-0885
+++ b/www/apache20/files/patch-secfix-CAN-2004-0885
@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c	3 Jun 2004 13:03:08 -0000	1.128
+++ modules/ssl/ssl_engine_init.c	8 Oct 2004 11:59:32 -0000	1.129
+@@ -443,6 +443,14 @@
+      * Configure additional context ingredients
+      */
+     SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /* 
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+ }
+ 
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c	18 Aug 2004 11:05:22 -0000	1.110
+++ modules/ssl/ssl_engine_kernel.c	8 Oct 2004 11:59:33 -0000	1.111
+@@ -733,6 +733,21 @@
+                 X509_free(peercert);
+             }
+         }
+        
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected.
+         */
+        if (cipher_list) {
+            cipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                             "SSL cipher suite not renegotiated: "
+                             "access to %s denied using cipher %s",
+                              r->filename,
+                              SSL_CIPHER_get_name(cipher));
+                return HTTP_FORBIDDEN;
+            }
+        }
+     }
+ 
+     /*
+
+
+