Apache 2, mod_ssl: Bypass of SSLCipherSuite directive

Apache 2, mod_ssl: Bypass of SSLCipherSuite directive In certain configurations, it can be possible to bypass restrictions set by the "SSLCipherSuite" directive of mod_ssl. apache 2004-10-21 2007-12-30 66807 remote 2.0.52 2.0 2.0.52 2.8.20 2.8.20

The Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.

A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.

A remote attacker could gain access to a location using any cipher suite allowed by the server/virtual host configuration, disregarding the restrictions by "SSLCipherSuite" for that location.

There is no known workaround at this time.

All Apache 2 users should upgrade to the latest version:


    # emerge sync

    # emerge -pv ">=www-servers/apache-2.0.52"
    # emerge ">=www-servers/apache-2.0.52"

All mod_ssl users should upgrade to the latest version:


    # emerge sync

    # emerge -pv ">=net-www/mod_ssl-2.8.20"
    # emerge ">=net-www/mod_ssl-2.8.20"

CAN-2004-0885 Apache HTTPD Bug 31505 koon vorlon078 lewk