On 3/6/23 6:46 PM, di...@apache.org wrote: > Author: dirkx > Date: Mon Mar 6 17:46:04 2023 > New Revision: 1908132 > > URL: http://svn.apache.org/viewvc?rev=1908132&view=rev > Log: > Add SSL_SHARED_CIPHER environment variable > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml > httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c > > Modified: httpd/httpd/trunk/CHANGES > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1908132&r1=1908131&r2=1908132&view=diff > ============================================================================== > --- httpd/httpd/trunk/CHANGES [utf-8] (original) > +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Mar 6 17:46:04 2023 > @@ -1,6 +1,9 @@ > -*- coding: utf-8 > -*- > Changes with Apache 2.5.1 > > + *) Add a SSL_SHARED_CIPHER environment variable with the list of > + client/server permitted ciphers. [Dirk-Willem van Gulik] > + To reduce backporting conflicts we now store change entries in separate files per change in the changes-entries directory and merge them from time to time or latest before a release via 'make update-changes' into the CHANGES file. See http://svn.apache.org/viewvc/httpd/httpd/trunk/README.CHANGES?revision=1879840&view=co > *) mod_http2: field values (headers and trailers) are stripped of > leading/trailing whitespace (space +htab) before being processed > or send in a response. This is compatible behaviour to HTTP/1.1 > > Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1908132&r1=1908131&r2=1908132&view=diff > ============================================================================== > --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Mar 6 17:46:04 2023 
> @@ -66,7 +66,8 @@ compatibility variables.</p> > <tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> > <td>The hex-encoded SSL session id</td></tr> > <tr><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> > <td>Initial or Resumed SSL Session. Note: multiple requests may be served > over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in > use</td></tr> > <tr><td><code>SSL_SECURE_RENEG</code></td> <td>string</td> > <td><code>true</code> if secure renegotiation is supported, else > <code>false</code></td></tr> > -<tr><td><code>SSL_CIPHER</code></td> <td>string</td> > <td>The cipher specification name</td></tr> > +<tr><td><code>SSL_SHARED_CIPHERS</code></td> <td>string</td> > <td>Colon separated list of shared ciphers (i.e. the subset of ciphers that > are configured on both server and on the client)</td></tr> > +<tr><td><code>SSL_CIPHER</code></td> <td>string</td> > <td>The name of the cipher agreed between client and server</td></tr> > <tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> > <td><code>true</code> if cipher is an export cipher</td></tr> > <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> > <td>Number of cipher bits (actually used)</td></tr> > <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> > <td>Number of cipher bits (possible)</td></tr> > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908132&r1=1908131&r2=1908132&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 6 17:46:04 2023 
> @@ -1532,6 +1532,7 @@ static const char *const ssl_hook_Fixup_ > "SSL_SERVER_A_SIG", > "SSL_SESSION_ID", > "SSL_SESSION_RESUMED", > + "SSL_SHARED_CIPHERS", > #ifdef HAVE_SRP > "SSL_SRP_USER", > "SSL_SRP_USERINFO", > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1908132&r1=1908131&r2=1908132&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Mon Mar 6 17:46:04 2023 > @@ -506,6 +506,11 @@ static const char *ssl_var_lookup_ssl(ap > else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { > result = ssl_var_lookup_ssl_compress_meth(ssl); > } > + else if (ssl != NULL && strcEQ(var, "SHARED_CIPHERS")) { > + char buf[ 1024 * 16 ]; Is it important to be 16k? Typically we use HUGE_STRING_LEN which is 8k in such situations. If it needs to be 16k I would favor HUGE_STRING_LEN * 2 instead. > + if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf))) > + result = apr_pstrdup(p,buf); > + } > #ifdef HAVE_TLSEXT > else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { > result = apr_pstrdup(p, SSL_get_servername(ssl, > > > Regards Rüdiger
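Review bot: the CHANGES hunk (and the commit log) name the new variable SSL_SHARED_CIPHER, while the mod_ssl.xml row and the Fixup list both say SSL_SHARED_CIPHERS and the lookup in ssl_engine_vars.c matches "SHARED_CIPHERS"; the entry should use the plural name that the code actually exports, e.g. "Add an SSL_SHARED_CIPHERS environment variable with the list of client/server permitted ciphers.", so that anyone reading CHANGES looks for the right name (and "a SSL_..." should be "an SSL_...").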
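Review bot: wording in the new mod_ssl.xml table row: "Colon separated list of shared ciphers (i.e. the subset of ciphers that are configured on both server and on the client)" reads awkwardly; suggest "Colon-separated list of shared ciphers, i.e. the subset of ciphers enabled on both the server and the client". The new row is also placed above SSL_CIPHER while every other cipher-related row sits below it; grouping it with SSL_CIPHER and the SSL_CIPHER_* rows would make the table easier to scan.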
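Review bot: adding "SSL_SHARED_CIPHERS" to the ssl_hook_Fixup_ list means the value is computed and copied into the environment of every request once SSLOptions +StdEnvVars is set, and the lookup in the ssl_engine_vars.c hunk fills a 16k stack buffer to do so; for a value that is diagnostic in nature and that few CGI/SSI scripts will read, consider leaving it out of the default StdEnvVars export and letting admins pull it on demand through the variable lookup that the ssl_engine_vars.c hunk already provides, or at least note the per-request cost in the docs.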
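Review bot: in the SHARED_CIPHERS branch of ssl_var_lookup_ssl, beyond the buffer-size question raised inline, nothing checks whether the list actually fit in buf: the code only distinguishes NULL from non-NULL, so a client that offers more ciphers than the buffer holds yields a silently shortened list; a comment stating that truncation is accepted (or a debug-level log line when it happens) would save the next reader from assuming the value is complete. Style-wise, the single-statement `if (SSL_get_shared_ciphers(ssl,buf,sizeof(buf))) result = apr_pstrdup(p,buf);` should get braces, and `buf[ 1024 * 16 ]` and the comma spacing in `SSL_get_shared_ciphers(ssl,buf,sizeof(buf))` / `apr_pstrdup(p,buf)` do not match the surrounding style (`apr_pstrdup(p, SSL_get_servername(ssl, ...))`).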