[PATCH] proposed fix for CAN-2004-0885

on 08.10.2004 17:25:10 by Joe Orton

Ralf, here's the fix I suggest for the CAN-2004-0885 SSLCipherSuite
bypass issue (http://issues.apache.org/bugzilla/show_bug.cgi?id=31505):
does it look OK?

I've tested this on a server running OpenSSL 0.9.6 from a custom-hacked
client which resumes the session during the renegotiation for a
per-dir-SSLCipherSuite, and it gets a 403 as expected. I've tested the
equivalent patch for 2.0 against 0.9.7 and it renegotiates the cipher
suite properly as expected.

--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c.can0885 2002-10-04 14:17:33.000000000 +0100
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c 2004-10-08 13:35:15.000000000 +0100
@@ -602,6 +602,14 @@
else
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);

+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ /*
+ * Disallow a session from being resumed during a renegotiation,
+ * so that an acceptable cipher suite can be negotiated.
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+
/*
* Configure callbacks for SSL context
*/
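Review bot: the #ifdef around SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION means that on an OpenSSL build which lacks the option (the 0.9.6 case described in the covering mail) this hunk compiles to nothing and the fix rests entirely on the post-renegotiation cipher check added in ssl_engine_kernel.c, which denies the request with 403 instead of renegotiating. That fallback should be stated in the comment here, so nobody reading ssl_engine_init.c assumes resumption is always blocked. It is also worth saying in the comment that the option is set on the whole context, so it applies to every renegotiation on that context and not only the per-directory SSLCipherSuite case; the session-cache cost is probably acceptable, but it should be a deliberate choice rather than a silent side effect.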
--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_kernel.c.can0885 2004-10-08 13:35:15.000000000 +0100
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_kernel.c 2004-10-08 13:35:41.000000000 +0100
@@ -665,7 +665,7 @@
X509_STORE_CTX certstorectx;
int depth;
STACK_OF(SSL_CIPHER) *skCipherOld;
- STACK_OF(SSL_CIPHER) *skCipher;
+ STACK_OF(SSL_CIPHER) *skCipher = NULL;
SSL_CIPHER *pCipher;
ap_ctx *apctx;
int nVerifyOld;
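Review bot: the `= NULL` initializer is what the later `if (skCipher)` test depends on, since skCipher is only assigned on the per-directory SSLCipherSuite path; a one-line comment at the declaration saying so would stop someone "cleaning up" the initializer later. Note that skCipherOld on the preceding line stays uninitialized, so the two declarations now look inconsistent; if that is intentional, the comment can say why.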
@@ -1051,6 +1051,20 @@
return FORBIDDEN;
}
}
+
+ /*
+ * Also check that SSLCipherSuite has been enforced as expected.
+ */
+ if (skCipher) {
+ pCipher = SSL_get_current_cipher(ssl);
+ if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "SSL cipher suite not renegotiated: "
+ "access to %s denied using cipher %s",
+ r->filename, SSL_CIPHER_get_name(pCipher));
+ return FORBIDDEN;
+ }
+ }
}
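Review bot: SSL_get_current_cipher() can return NULL when no cipher has been negotiated, and the new block passes that straight into sk_SSL_CIPHER_find() and, in the log call, SSL_CIPHER_get_name(); the request is still denied, but only because both calls happen to tolerate NULL. Make the guard explicit, e.g. `if (pCipher == NULL || sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {`. The comment should also record that on OpenSSL builds without SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION this check is the only enforcement of the per-directory SSLCipherSuite, which is why a 403 rather than a renegotiated handshake is the expected outcome there.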

/*
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org