From 48802c25dc82a8b13ac351c0c2137ef748256bbd Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Sun, 2 Aug 2015 00:19:16 +0200 Subject: Imported Upstream version 2.4.16 --- modules/ssl/ssl_engine_init.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'modules/ssl/ssl_engine_init.c') diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 63e89578..6baf2f51 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -353,9 +353,11 @@ apr_status_t ssl_init_Engine(server_rec *s, apr_pool_t *p) return ssl_die(s); } +#ifdef ENGINE_CTRL_CHIL_SET_FORKCHECK if (strEQ(mc->szCryptoDevice, "chil")) { ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0); } +#endif if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01889) @@ -723,11 +725,13 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s, /* * Configure SSL Cipher Suite. Always disable NULL and export ciphers, * see also ssl_engine_config.c:ssl_cmd_SSLCipherSuite(). - * OpenSSL's SSL_DEFAULT_CIPHER_LIST already includes !aNULL:!eNULL, - * so only prepend !EXP in this case. + * OpenSSL's SSL_DEFAULT_CIPHER_LIST includes !aNULL:!eNULL from 0.9.8f, + * and !EXP from 0.9.8zf/1.0.1m/1.0.2a, so prepend them while we support + * earlier versions. */ suite = mctx->auth.cipher_suite ? mctx->auth.cipher_suite : - apr_pstrcat(ptemp, "!EXP:", SSL_DEFAULT_CIPHER_LIST, NULL); + apr_pstrcat(ptemp, "!aNULL:!eNULL:!EXP:", SSL_DEFAULT_CIPHER_LIST, + NULL); ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "Configuring permitted SSL ciphers [%s]", @@ -956,7 +960,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, #ifdef HAVE_ECC EC_GROUP *ecparams; int nid; - EC_KEY *eckey; + EC_KEY *eckey = NULL; #endif #ifndef HAVE_SSL_CONF_CMD SSL *ssl; 
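Review bot: In ssl_init_Engine the result of `ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0)` is still discarded, and with the new `#ifdef` a build whose headers lack the macro skips the fork check for a configured "chil" device without any log line. In both cases the operator cannot tell whether fork checking is actually active on the hardware engine. I would test the return value and log a failure, in the same way the `ENGINE_set_default` branch right below already reports its error, and add an `#else` branch that logs that the fork check is not available in this build. The function body starts and ends outside the hunk.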
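Review bot: In ssl_init_ctx_cipher_suite the prefix `"!aNULL:!eNULL:!EXP:"` is applied only on the fallback branch; when `mctx->auth.cipher_suite` is set, the string is used exactly as stored. The "Always disable NULL and export ciphers" statement in the comment therefore depends on ssl_cmd_SSLCipherSuite() in ssl_engine_config.c prepending the same exclusions, which this diff does not show and should be confirmed. If it does, the literal now lives in two files and can drift apart, so defining the prefix once in a shared header and using it at both sites would be safer. It would also help to extend the comment with one line such as `* Configured suites get the same prefix in ssl_cmd_SSLCipherSuite().` so the invariant is stated where it is relied on.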
@@ -1129,6 +1133,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); #endif } + EC_KEY_free(eckey); #endif return APR_SUCCESS; -- cgit v1.2.3
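Review bot: The added `EC_KEY_free(eckey);` in ssl_init_server_certs releases only the key held in `eckey`. The context line `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));` just above it creates a second key as an inline call argument that is never stored, so that key presumably still leaks on the fallback branch (assuming the callee keeps its own copy, which the hunk does not show). Assigning it first, `eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);`, and passing `eckey` to the call would let the new free cover both branches and would allow a NULL check before the key is used. The `= NULL` initialiser added in the previous hunk already makes that safe, and both the statement and the function begin outside this hunk.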