author | Clement Laforet <clement@FreeBSD.org> | 2004-10-13 09:17:38 +0000 |
---|---|---|
committer | Clement Laforet <clement@FreeBSD.org> | 2004-10-13 09:17:38 +0000 |
commit | 310abe64eff0a2abd439e4cb7b142a677cd7f916 (patch) | |
tree | 55f2d16601383288a57c88ac0d8fa80fc9d2bfc9 /www/apache20 | |
parent | e7cfe6e3ad56f98e688bc5a6073c2655352412df (diff) | |
Diffstat (limited to 'www/apache20')
-rw-r--r-- | www/apache20/Makefile | 1 | ||||
-rw-r--r-- | www/apache20/files/patch-secfix-CAN-2004-0885 | 56 |
2 files changed, 57 insertions, 0 deletions
diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 7be52aa5d002..ecaad59fbe21 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@@ -9,6 +9,7 @@ PORTNAME= apache
 PORTVERSION= 2.0.52
+PORTREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache20/files/patch-secfix-CAN-2004-0885 b/www/apache20/files/patch-secfix-CAN-2004-0885
new file mode 100644
index 000000000000..f19a7e55c165
--- /dev/null
+++ b/www/apache20/files/patch-secfix-CAN-2004-0885
@@ -0,0 +1,56 @@
+Index: ssl_engine_init.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -d -w -u -r1.128 -r1.129
+--- modules/ssl/ssl_engine_init.c 3 Jun 2004 13:03:08 -0000 1.128
++++ modules/ssl/ssl_engine_init.c 8 Oct 2004 11:59:32 -0000 1.129
+@@ -443,6 +443,14 @@
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++
++#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
++ /*
++ * Disallow a session from being resumed during a renegotiation,
++ * so that an acceptable cipher suite can be negotiated.
++ */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
++#endif
+ }
+
+ static void ssl_init_ctx_session_cache(server_rec *s,
+Index: ssl_engine_kernel.c
+===================================================================
+RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
+retrieving revision 1.110
+retrieving revision 1.111
+diff -d -w -u -r1.110 -r1.111
+--- modules/ssl/ssl_engine_kernel.c 18 Aug 2004 11:05:22 -0000 1.110
++++ modules/ssl/ssl_engine_kernel.c 8 Oct 2004 11:59:33 -0000 1.111
+@@ -733,6 +733,21 @@
+ X509_free(peercert);
+ }
+ }
++
++ /*
++ * Also check that SSLCipherSuite has been enforced as expected.
++ */
++ if (cipher_list) {
++ cipher = SSL_get_current_cipher(ssl);
++ if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "SSL cipher suite not renegotiated: "
++ "access to %s denied using cipher %s",
++ r->filename,
++ SSL_CIPHER_get_name(cipher));
++ return HTTP_FORBIDDEN;
++ }
++ }
+ }
+
+ /*
+
+
+ |
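Review bot: The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard in the first embedded hunk means that on an OpenSSL build which does not define that option the whole block compiles to nothing, and the post-renegotiation cipher check in the second embedded hunk becomes the only enforcement; nothing in the patch file records this, so a short header above the first `Index:` line would help the next maintainer, e.g. `Backport of httpd-2.0 ssl_engine_init.c r1.129 and ssl_engine_kernel.c r1.111 for CAN-2004-0885; the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION option is a no-op where OpenSSL lacks it, and the SSLCipherSuite re-check in ssl_engine_kernel.c is the fallback`. In the second hunk `cipher`, `cipher_list` and `ssl` are declared outside the hunk and the enclosing function starts and ends outside it, so whether `SSL_get_current_cipher` can return NULL at this point cannot be confirmed from this view; if it can, the `< 0` test still denies the request, which is the right default, and `SSL_CIPHER_get_name` only feeds the log message. The comparison also relies on the `STACK_OF(SSL_CIPHER)` holding the same cipher objects OpenSSL reports for the session, which is presumably the case when `cipher_list` is built by mod_ssl itself; that origin is not visible here.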