Index: pkg.sslmod/ssl_engine_init.c
--- pkg.sslmod/ssl_engine_init.c 11 May 2004 19:16:39 -0000 1.74
+++ pkg.sslmod/ssl_engine_init.c 15 Oct 2004 13:26:55 -0000 1.75
@@ -603,6 +603,14 @@
 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
 
 /*
+ * Disallow a session from being resumed during a renegotiation,
+ * so that an acceptable cipher suite can be negotiated.
+ */
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+
+ /*
 * Configure callbacks for SSL context
 */
 nVerify = SSL_VERIFY_NONE;
Index: pkg.sslmod/ssl_engine_kernel.c
--- pkg.sslmod/ssl_engine_kernel.c 27 May 2004 13:13:52 -0000 1.108
+++ pkg.sslmod/ssl_engine_kernel.c 15 Oct 2004 13:26:55 -0000 1.110
@@ -672,7 +672,7 @@
 X509_STORE_CTX certstorectx;
 int depth;
 STACK_OF(SSL_CIPHER) *skCipherOld;
- STACK_OF(SSL_CIPHER) *skCipher;
+ STACK_OF(SSL_CIPHER) *skCipher = NULL;
 SSL_CIPHER *pCipher;
 ap_ctx *apctx;
 int nVerifyOld;
@@ -1067,6 +1067,20 @@
 if (cert != NULL)
 X509_free(cert);
 }
+
+ /*
+ * Also check that SSLCipherSuite has been enforced as expected
+ */
+ if (skCipher != NULL) {
+ pCipher = SSL_get_current_cipher(ssl);
+ if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "SSL cipher suite not renegotiated: "
+ "access to %s denied using cipher %s",
+ r->filename, SSL_CIPHER_get_name(pCipher));
+ return FORBIDDEN;
+ }
+ }
 }
 
 /*
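Review bot: When the OpenSSL headers in use do not define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, the `#ifdef` in the ssl_engine_init.c hunk drops the option silently, so a resumed session can carry its old cipher through a per-directory renegotiation and nothing in this file records that the only remaining enforcement is the post-renegotiation cipher check in ssl_engine_kernel.c. An `#else` branch carrying a comment would make that fallback visible to the next maintainer, e.g. `#else /* this OpenSSL lacks the option: resumed sessions keep their cipher; the cipher check after renegotiation in ssl_engine_kernel.c is the only enforcement */`. The enclosing function starts and ends outside the hunk.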
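Review bot: The `sk_SSL_CIPHER_find(skCipher, pCipher) < 0` test in the second ssl_engine_kernel.c hunk compares pointers unless a comparison function was set on the stack, so it enforces SSLCipherSuite only because skCipher and the value returned by SSL_get_current_cipher() both point into OpenSSL's cipher table; where skCipher is filled is outside the hunk (presumably from SSL_get_ciphers()), so that assumption deserves a comment beside the call, e.g. `/* pointer match: skCipher and the current cipher both point into OpenSSL's cipher table */`. A NULL current cipher is not found and is denied with FORBIDDEN, and OpenSSL's SSL_CIPHER_get_name() tolerates NULL in the log line, so that path fails closed. The enclosing function starts and ends outside the hunk.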