source:
branches/fc15-dev/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch
@
1938
Last change on this file since 1938 was 1539, checked in by mitchb, 15 years ago | |
---|---|
File size: 7.1 KB |
-
httpd-2.2.x/modules/ssl/ssl_private.h
typedef struct { 395 395 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) 396 396 const char *szCryptoDevice; 397 397 #endif 398 #ifndef OPENSSL_NO_TLSEXT 399 ssl_enabled_t session_tickets_enabled; 400 #endif 398 401 struct { 399 402 void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; 400 403 } rCtx; … … const char *ssl_cmd_SSLRequire(cmd_parm 547 550 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg); 548 551 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); 549 552 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag); 553 const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag); 550 554 551 555 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); 552 556 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); -
httpd-2.2.x/modules/ssl/ssl_engine_init.c
static void ssl_init_ctx_tls_extensions( 382 382 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); 383 383 ssl_die(); 384 384 } 385 386 /* 387 * Session tickets (stateless resumption) 388 */ 389 if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) { 390 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 391 "Disabling TLS session ticket support"); 392 SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET); 393 } 385 394 } 386 395 #endif 387 396 … … void ssl_init_CheckServers(server_rec *b 1018 1027 1019 1028 BOOL conflict = FALSE; 1020 1029 1030 #if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0 1031 unsigned char *tlsext_tick_keys = NULL; 1032 long tick_keys_len; 1033 #endif 1034 1021 1035 /* 1022 1036 * Give out warnings when a server has HTTPS configured 1023 1037 * for the HTTP port or vice versa … … void ssl_init_CheckServers(server_rec *b 1042 1056 ssl_util_vhostid(p, s), 1043 1057 DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT); 1044 1058 } 1059 1060 #if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0 1061 /* 1062 * When using OpenSSL versions 0.9.8f through 0.9.8l, configure 1063 * the same ticket encryption parameters for every SSL_CTX (workaround 1064 * for SNI+SessionTicket extension interoperability issue in these versions) 1065 */ 1066 if ((sc->enabled == SSL_ENABLED_TRUE) || 1067 (sc->enabled == SSL_ENABLED_OPTIONAL)) { 1068 if (!tlsext_tick_keys) { 1069 tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS, 1070 (-1),(NULL)); 1071 tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len); 1072 RAND_bytes(tlsext_tick_keys, tick_keys_len); 1073 } 1074 SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS, 1075 (tick_keys_len),(tlsext_tick_keys)); 1076 } 1077 #endif 1045 1078 } 1046 1079 1047 1080 /* -
httpd-2.2.x/modules/ssl/ssl_engine_config.c
SSLModConfigRec *ssl_config_global_creat 75 75 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) 76 76 mc->szCryptoDevice = NULL; 77 77 #endif 78 #ifndef OPENSSL_NO_TLSEXT 79 mc->session_tickets_enabled = SSL_ENABLED_UNSET; 80 #endif 78 81 79 82 memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); 80 83 … … const char *ssl_cmd_SSLStrictSNIVHostCh 1471 1474 #endif 1472 1475 } 1473 1476 1477 const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag) 1478 { 1479 #ifndef OPENSSL_NO_TLSEXT 1480 const char *err; 1481 SSLModConfigRec *mc = myModConfig(cmd->server); 1482 1483 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { 1484 return err; 1485 } 1486 1487 mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; 1488 1489 return NULL; 1490 #else 1491 return "SSLSessionTicketExtension failed; OpenSSL is not built with support " 1492 "for TLS extensions. Refer to the documentation, and build " 1493 "a compatible version of OpenSSL."; 1494 #endif 1495 } 1496 1474 1497 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) 1475 1498 { 1476 1499 if (!ap_exists_config_define("DUMP_CERTS")) { -
httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
29 29 time I was too famous.'' 30 30 -- Unknown */ 31 31 #include "ssl_private.h" 32 #include "util_md5.h" 32 33 33 34 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); 34 35 #ifndef OPENSSL_NO_TLSEXT … … static int ssl_find_vhost(void *serverna 2010 2011 apr_array_header_t *names; 2011 2012 int i; 2012 2013 SSLConnRec *sslcon; 2014 char *sid_ctx; 2013 2015 2014 2016 /* check ServerName */ 2015 2017 if (!strcasecmp(servername, s->server_hostname)) { … … static int ssl_find_vhost(void *serverna 2074 2076 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), 2075 2077 SSL_CTX_get_verify_callback(ssl->ctx)); 2076 2078 } 2079 /* 2080 * Adjust the session id context. ssl_init_ssl_connection() 2081 * always picks the configuration of the first vhost when 2082 * calling SSL_new(), but we want to tie the session to the 2083 * vhost we have just switched to. Again, we have to make sure 2084 * that we're not overwriting a session id context which was 2085 * possibly set in ssl_hook_Access(), before triggering 2086 * a renegotation. 2087 */ 2088 if (!SSL_num_renegotiations(ssl)) { 2089 sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id, 2090 sc->vhost_id_len); 2091 SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx, 2092 APR_MD5_DIGESTSIZE*2); 2093 } 2077 2094 2078 2095 /* 2079 2096 * Save the found server into our SSLConnRec for later -
httpd-2.2.x/modules/ssl/mod_ssl.c
static const command_rec ssl_config_cmds 92 92 SSL_CMD_SRV(RandomSeed, TAKE23, 93 93 "SSL Pseudo Random Number Generator (PRNG) seeding source " 94 94 "(`startup|connect builtin|file:/path|exec:/path [bytes]')") 95 SSL_CMD_SRV(SessionTicketExtension, FLAG, 96 "TLS Session Ticket extension support") 95 97 96 98 /* 97 99 * Per-server context configuration directives
Note: See TracBrowser
for help on using the repository browser.