Gentoo Logo

Apache 2, mod_ssl: Bypass of SSLCipherSuite directive


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200410-21 / apache
Release Date October 21, 2004
Latest Revision December 30, 2007: 02
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-servers/apache < 2.0.52 >= 2.0.52, < 2.0 All supported architectures
net-www/mod_ssl < 2.8.20 >= 2.8.20 All supported architectures

Related bugreports: #66807


In certain configurations, it can be possible to bypass restrictions set by the "SSLCipherSuite" directive of mod_ssl.

2.  Impact Information


The Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.


A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.


A remote attacker could gain access to a location using any cipher suite allowed by the server/virtual host configuration, disregarding the restrictions by "SSLCipherSuite" for that location.

3.  Resolution Information


There is no known workaround at this time.


All Apache 2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=www-servers/apache-2.0.52"
# emerge ">=www-servers/apache-2.0.52"

All mod_ssl users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=net-www/mod_ssl-2.8.20"
# emerge ">=net-www/mod_ssl-2.8.20"

4.  References


Page updated October 21, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.