Blame SOURCES/httpd-2.4.35-sslciphdefault.patch

59234c
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
59234c
index 4cfd2d0..6ac55bd 100644
59234c
--- a/modules/ssl/ssl_engine_config.c
59234c
+++ b/modules/ssl/ssl_engine_config.c
59234c
@@ -776,9 +776,11 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
59234c
     }
59234c
     
59234c
     if (!strcmp("SSL", arg1)) {
59234c
-        /* always disable null and export ciphers */
59234c
-        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
59234c
         if (cmd->path) {
59234c
+            /* Disable null and export ciphers by default, except for PROFILE=
59234c
+             * configs where the parser doesn't cope. */
59234c
+            if (strncmp(arg2, "PROFILE=", 8) != 0)
59234c
+                arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
59234c
             dc->szCipherSuite = arg2;
59234c
         }
59234c
         else {
59234c
@@ -1542,8 +1544,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
59234c
     }
59234c
     
59234c
     if (!strcmp("SSL", arg1)) {
59234c
-        /* always disable null and export ciphers */
59234c
-        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
59234c
+        /* Disable null and export ciphers by default, except for PROFILE=
59234c
+         * configs where the parser doesn't cope. */
59234c
+        if (strncmp(arg2, "PROFILE=", 8) != 0)
59234c
+            arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
59234c
         dc->proxy->auth.cipher_suite = arg2;
59234c
         return NULL;
59234c
     }