Red Hat Bugzilla – Bug 430637
CVE-2004-0885 mod_ssl SSLCipherSuite bypass
Last modified: 2008-06-02 05:29:49 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2004-0885 to the following vulnerability:
The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.
An issue has been discovered in the mod_ssl module when configured to
use the "SSLCipherSuite" directive in directory or location context.
If a particular location context has been configured to require a
specific set of cipher suites, then a client will be able to access
that location using any cipher suite allowed by the virtual host
This issue was reported in Apache bugzilla.
This is a fairly rare and uncommon configuration, so the security
impact is low. We'll likely include a fix for this issue during the
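
A check for the affected configuration shape, as an added example that is not part of the original bug report: it scans Apache configuration text for SSLCipherSuite set inside directory- or location-style containers. The function name, the sample configuration and its cipher strings are constructed for illustration; .htaccess files and backslash line continuations are not handled.

```python
import re

# Containers whose contents apply in per-directory (directory/location) context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

OPEN = re.compile(r"^<\s*(\w+)\b(.*)>$")
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")
CIPHER = re.compile(r"^SSLCipherSuite\s+(.+)$", re.IGNORECASE)


def find_per_dir_cipher_suites(conf_text):
    """Return (line_no, enclosing_section, cipher_spec) for each SSLCipherSuite
    found inside a directory- or location-style container."""
    stack = []     # open sections as (lowercased name, "Name args") pairs
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            label = (m.group(1) + " " + m.group(2).strip()).strip()
            stack.append((m.group(1).lower(), label))
            continue
        m = CIPHER.match(line)
        if m:
            scope = [label for name, label in stack if name in PER_DIR]
            if scope:  # server/vhost-level settings are not the affected case
                findings.append((no, scope[-1], m.group(1).strip()))
    return findings


# Constructed sample: broad suites on the vhost, stricter ones on one location.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW
    <Location /secure>
        SSLCipherSuite HIGH
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, section, spec in find_per_dir_cipher_suites(SAMPLE):
        print(f"line {no}: SSLCipherSuite {spec} inside <{section}>")
```

Any finding on a server running Apache 2.0.35 through 2.0.52 marks a location whose cipher restriction is subject to this issue.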