Added virtualhost configuration fields to make SSL engine options configurable (namely, protocol, cipher suite, honor cipher order, ssl proxy engine, ssl proxy verification)

2 files changed, 75 insertions, 24 deletions

diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index b24a5d1c..1ef78819 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -541,10 +541,14 @@ EOF;
 
 				#check ssl
 				if(isset($virtualhost["ssl_cert"]) && $virtualhost["ssl_cert"] !="none" && $virtualhost["proto"] == "https") {
-					$vh_config.= " SSLEngine on\n SSLProtocol all -SSLv2\n SSLProxyEngine on\n SSLProxyVerify none\n";
-					$vh_config.= " SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n";
+					$vh_config.= " SSLEngine on\n";
+					$vh_config.= " SSLProtocol ". ($virtualhost['ssl_protocol'] ? $virtualhost['ssl_protocol'] : "all -SSLv2") ."\n";
+					$vh_config.= " SSLProxyEngine ". ($virtualhost['ssl_proxy_engine'] ? "on" : "off") ."\n";
+					$vh_config.= " SSLProxyVerify ". ($virtualhost['ssl_proxy_verify'] ? $virtualhost['ssl_proxy_verify'] : "none") ."\n";
+					$vh_config.= " SSLCipherSuite ". ($virtualhost['ssl_cipher_suite'] ? $virtualhost['ssl_cipher_suite'] : "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL") ."\n";
+					$vh_config.= " SSLHonorCipherOrder ". ($virtualhost['ssl_honor_cipher_order'] ? "on" : "off") ."\n";
 					
-    				$svr_cert = lookup_cert($virtualhost["ssl_cert"]);
+					$svr_cert = lookup_cert($virtualhost["ssl_cert"]);
 					if ($svr_cert != false) {
 						if(base64_decode($svr_cert['crt'])) {
 							file_put_contents(APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["ssl_cert"]}.crt",apache_textarea_decode($svr_cert['crt']),LOCK_EX);
@@ -565,7 +569,7 @@ EOF;
 							file_put_contents(APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($cli_ca['crt']),LOCK_EX);
 							$vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["reverse_int_ca"]}.crt\n";
 							}
-					}
+				}
 				#Custom Options
 				$vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n";
 
diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml
index 8558c490..ca448cd2 100644
--- a/config/apache_mod_security-dev/apache_virtualhost.xml
+++ b/config/apache_mod_security-dev/apache_virtualhost.xml
@@ -257,6 +257,72 @@
 			<type>input</type>
 		</field>
 		<field>
+			<fielddescr>
+				<![CDATA[Location(s)]]>
+			</fielddescr>
+			<fieldname>locations</fieldname>
+			<type>rowhelper</type>
+			<rowhelper>
+				<rowhelperfield>
+					<fielddescr><![CDATA[Location]]></fielddescr>
+					<fieldname>location</fieldname>
+					<description>Server Location</description>
+					<source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source>
+					<source_name>name</source_name>
+					<source_value>name</source_value>
+					<show_disable_value>none</show_disable_value>
+					<type>select_source</type>
+				</rowhelperfield>
+			</rowhelper>
+		</field>
+		<field>
+			<name>SSL Environment</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>SSL Protocol</fielddescr>
+			<fieldname>ssl_protocol</fieldname>
+			<size>50</size>
+			<description><![CDATA[Enter the SSL protocol versions allowed (default: all -SSLv2)]]></description>
+			<type>input</type>
+			<default_value>all -SSLv2</default_value>
+		</field>
+		<field>
+			<fielddescr>SSL Cipher Suite</fielddescr>
+			<fieldname>ssl_cipher_suite</fieldname>
+			<size>50</size>
+			<description><![CDATA[Configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. (default: ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL)]]></description>
+			<type>input</type>
+			<default_value>ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL</default_value>
+		</field>
+		<field>
+			<fielddescr>SSL Honor Cipher Order</fielddescr>
+			<fieldname>ssl_honor_cipher_order</fieldname>
+			<description><![CDATA[Forces the server's preferences to be used in a SSLv3/TLSv1 handshake (default: off)]]></description>
+			<default_value>off</default_value>
+			<type>checkbox</type>
+		</field>
+		<field>
+			<fielddescr>SSL Proxy Engine</fielddescr>
+			<fieldname>ssl_proxy_engine</fieldname>
+			<description><![CDATA[Enables the SSL proxy engine for the current virtualhost (default: on)]]></description>
+			<default_value>on</default_value>
+			<type>checkbox</type>
+		</field>
+		<field>
+			<fielddescr>SSL Proxy Verify</fielddescr>
+			<fieldname>ssl_proxy_verify</fieldname>
+			<description><![CDATA[When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification of the remote server. ]]></description>
+			<type>select</type>
+			<options>
+				<option><name>None</name><value>none</value></option>
+				<option><name>Optional (remote server MAY present a valid certificate)</name><value>optional</value></option>
+				<option><name>Require (remote server HAS to present a valid certificate)</name><value>require</value></option>
+				<option><name>Optional, without CA (remote server may present a valid certificate, but it need not be (successfully) verifiable)</name><value>optional_no_ca</value></option>
+			</options>
+			<default_value>none</default_value>
+		</field>
+		<field>
 			<fielddescr>HTTPS SSL certificate</fielddescr>
 			<fieldname>ssl_cert</fieldname>
 			<description>Choose the SSL Server Certificate here.</description>
@@ -287,25 +353,6 @@
 			<show_disable_value>none</show_disable_value>
 		</field>
 		<field>
-			<fielddescr>
-				<![CDATA[Location(s)]]>
-			</fielddescr>
-			<fieldname>locations</fieldname>
-			<type>rowhelper</type>
-			<rowhelper>
-				<rowhelperfield>
-					<fielddescr><![CDATA[Location]]></fielddescr>
-					<fieldname>location</fieldname>
-					<description>Server Location</description>
-					<source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source>
-					<source_name>name</source_name>
-					<source_value>name</source_value>
-					<show_disable_value>none</show_disable_value>
-					<type>select_source</type>
-				</rowhelperfield>
-			</rowhelper>
-		</field>
-		<field>
 			<name>Logging</name>
 			<type>listtopic</type>
 		</field>
@@ -315,7 +362,7 @@
 			<description><![CDATA[When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.]]></description>
 			<type>checkbox</type>
 		</field>
-			<field>
+		<field>
 			<fielddescr>Log file</fielddescr>
 			<fieldname>logfile</fieldname>
 			<description><![CDATA[Enable access and error log for this virtual host.]]></description>