Browse Source

[ssl] add option to honor server cipher order, true by default (fixes #2364)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2810 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.30
Stefan Bühler 10 years ago
parent
commit
0f96222e7e
  1. 1
      NEWS
  2. 2
      doc/config/lighttpd.conf
  3. 1
      src/base.h
  4. 6
      src/configfile.c
  5. 4
      src/network.c

1
NEWS

@ -12,6 +12,7 @@ NEWS
* Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351)
* [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
* [ssl] count renegotiations to prevent client renegotiations
* [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
- 1.4.29 - 2011-07-03
* Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)

2
doc/config/lighttpd.conf

@ -394,6 +394,8 @@ server.upload-dirs = ( "/var/tmp" )
## $SERVER["socket"] == "10.0.0.1:443" {
## ssl.engine = "enable"
## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
## server.name = "www.example.com"
##
## server.document-root = "/srv/www/vhosts/example.com/www/"

1
src/base.h

@ -277,6 +277,7 @@ typedef struct {
buffer *ssl_cipher_list;
buffer *ssl_dh_file;
buffer *ssl_ec_curve;
unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
unsigned short ssl_use_sslv2;
unsigned short ssl_use_sslv3;
unsigned short ssl_verifyclient;

6
src/configfile.c

@ -106,6 +106,7 @@ static int config_insert(server *srv) {
{ "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
{ "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
{ "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
{ "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@ -177,6 +178,7 @@ static int config_insert(server *srv) {
s->max_write_idle = 360;
s->use_xattr = 0;
s->is_ssl = 0;
s->ssl_honor_cipher_order = 1;
s->ssl_use_sslv2 = 0;
s->ssl_use_sslv3 = 1;
s->use_ipv6 = 0;
@ -247,6 +249,7 @@ static int config_insert(server *srv) {
cv[62].destination = &(s->ssl_use_sslv3);
cv[63].destination = s->ssl_dh_file;
cv[64].destination = s->ssl_ec_curve;
cv[65].destination = &(s->ssl_honor_cipher_order);
cv[49].destination = &(s->etag_use_inode);
cv[50].destination = &(s->etag_use_mtime);
@ -339,6 +342,7 @@ int config_setup_connection(server *srv, connection *con) {
PATCH(ssl_cipher_list);
PATCH(ssl_dh_file);
PATCH(ssl_ec_curve);
PATCH(ssl_honor_cipher_order);
PATCH(ssl_use_sslv2);
PATCH(ssl_use_sslv3);
PATCH(etag_use_inode);
@ -405,6 +409,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
#endif
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
PATCH(ssl_ca_file);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
PATCH(ssl_honor_cipher_order);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
PATCH(ssl_use_sslv2);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {

4
src/network.c

@ -632,6 +632,10 @@ int network_init(server *srv) {
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
if (s->ssl_honor_cipher_order) {
SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
}
/* Support for Diffie-Hellman key exchange */

Loading…
Cancel
Save