https://bugzilla.redhat.com/show_bug.cgi?id=1109119

Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.

--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslciphdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -774,9 +774,11 @@
     }
     
     if (!strcmp("SSL", arg1)) {
-        /* always disable null and export ciphers */
-        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
         if (cmd->path) {
+            /* Disable null and export ciphers by default, except for PROFILE=
+             * configs where the parser doesn't cope. */
+            if (strncmp(arg2, "PROFILE=", 8) != 0)
+                arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
             dc->szCipherSuite = arg2;
         }
         else {
@@ -1540,8 +1542,10 @@
     }
     
     if (!strcmp("SSL", arg1)) {
-        /* always disable null and export ciphers */
-        arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
+        /* Disable null and export ciphers by default, except for PROFILE=
+         * configs where the parser doesn't cope. */
+        if (strncmp(arg2, "PROFILE=", 8) != 0)
+            arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL);
         dc->proxy->auth.cipher_suite = arg2;
         return NULL;
     }