From 925ee5b8f636ab2fd5a3e02af79ba49f54a85b8d Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul@city-fan.org>
Date: Fri, 5 May 2017 15:38:59 +0100
Subject: [PATCH] Don't touch TLSCipherSuite when using system profiles
Fedora and possibly other Linux distributions support system-wide
crypto policies to enable sane defaults to be specified in an ever
changing world of different cipher recommendations. In order to use
such a policy, OpenSSL users just set their cipher selection to
"PROFILE=SYSTEM", and the system-wide policy will be selected
(which can itself be set to various values, for best compatibility,
best strength, a compromise of the two, etc.).
See:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
https://fedoraproject.org/wiki/Changes/CryptoPolicy
The "PROFILE=SYSTEM" string cannot be used in conjunction with other
cipher selections, so prepending it with "!EXPORT:" results in:
mod_tls/2.7[xxxxx]: unable to accept TLS connection: client does not support
any cipher from 'TLSCipherSuite !EXPORT:PROFILE=SYSTEM' (see `openssl ciphers
!EXPORT:PROFILE=SYSTEM` for full list)
Hence, do not touch the supplied TLSCipherSuite if it starts with "PROFILE=".
---
contrib/mod_tls.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
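diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
index 3ff8ee2..c38ecac 100644
--- a/contrib/mod_tls.c
+++ b/contrib/mod_tls.c
@@ -11985,7 +11985,12 @@ MODRET set_tlsciphersuite(cmd_rec *cmd) {
   c = add_config_param(cmd->argv[0], 1, NULL);
 
   /* Make sure that EXPORT ciphers cannot be used, per Bug#4163. */
-  ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL);
+  /* This breaks system profiles though, so don't change them. */
+  if (strncmp(ciphersuite, "PROFILE=", 8) == 0) {
+    ciphersuite = pstrdup(c->pool, ciphersuite);
+  } else {
+    ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL);
+  }
 
   /* Check that our construct ciphersuite is acceptable. */
   ctx = SSL_CTX_new(SSLv23_server_method());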
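Review bot: The new `PROFILE=` branch skips the `!EXPORT:` prefix that Bug#4163 introduced, so for system profiles the exclusion of export-grade ciphers now rests entirely on the system crypto policy, and the comment above the `if` should record that rather than only noting that prepending breaks profiles, e.g. `/* System profiles (PROFILE=...) cannot be combined with other selections, so they are passed through unchanged; excluding EXPORT ciphers is then the policy's responsibility. */`. The hard-coded `8` in `strncmp(ciphersuite, "PROFILE=", 8)` duplicates the literal's length and will silently drift if the keyword is ever edited; `strncmp(ciphersuite, "PROFILE=", sizeof("PROFILE=") - 1) == 0` keeps the two in step. The comparison is case-sensitive, so a lower-case `profile=` still receives the prefix and then fails the acceptability check below; whether that matches how the OpenSSL side recognises the keyword is not visible from this hunk. set_tlsciphersuite begins before the hunk, so whether `ciphersuite` is guaranteed non-NULL at this point cannot be confirmed here either.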
|