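--- a/httpd-2.2.x/modules/ssl/ssl_private.h
+++ b/httpd-2.2.x/modules/ssl/ssl_private.h
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
 const char *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+ ssl_enabled_t session_tickets_enabled;
+#endif
 struct {
 void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
 } rCtx;
@@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm
 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);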
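Review bot: The new prototype names its second parameter `cdfg` while the definition in ssl_engine_config.c and every neighbouring prototype in this hunk use `dcfg`; a declaration-only mismatch breaks nothing, but the misspelling reads as if a different argument were meant. Suggest `const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);` so the header and the definition agree.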
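--- a/httpd-2.2.x/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_init.c
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
+
+ /*
+ * Session tickets (stateless resumption)
+ */
+ if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Disabling TLS session ticket support");
+ SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+ }
 }
 #endif
 
@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
 
 BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+ unsigned char *tlsext_tick_keys = NULL;
+ long tick_keys_len;
+#endif
+
 /*
 * Give out warnings when a server has HTTPS configured
 * for the HTTP port or vice versa
@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
 ssl_util_vhostid(p, s),
 DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
 }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+ /*
+ * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
+ * the same ticket encryption parameters for every SSL_CTX (workaround
+ * for SNI+SessionTicket extension interoperability issue in these versions)
+ */
+ if ((sc->enabled == SSL_ENABLED_TRUE) ||
+ (sc->enabled == SSL_ENABLED_OPTIONAL)) {
+ if (!tlsext_tick_keys) {
+ tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+ (-1),(NULL));
+ tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
+ RAND_bytes(tlsext_tick_keys, tick_keys_len);
+ }
+ SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+ (tick_keys_len),(tlsext_tick_keys));
+ }
+#endif
 }
 
 /*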
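Review bot: In the last ssl_init_CheckServers hunk the ticket key material is produced without checking either step: `tick_keys_len` from the `SSL_CTX_ctrl(..., -1, NULL)` query goes straight into `apr_palloc` (a zero or negative result becomes an empty or huge allocation), and the return of `RAND_bytes` is ignored, so on an RNG failure the keys that encrypt and authenticate every session ticket are whatever uninitialised pool memory `apr_palloc` returned. The first hunk in this file already treats fatal init errors with `ssl_log_ssl_error` plus `ssl_die()`, and the same treatment fits here, including the second `SSL_CTX_ctrl` call that installs the keys, which returns 0 when it rejects the length. The keys are generated once (the `if (!tlsext_tick_keys)` guard) and pushed into every enabled SSL_CTX, and nothing in the hunk rotates them afterwards; the comment could say so explicitly. The surrounding loop and ssl_init_CheckServers itself begin outside the hunk.
```c
if (!tlsext_tick_keys) {
    tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                 (-1),(NULL));
    /* query must report a usable key length before we allocate for it */
    if (tick_keys_len <= 0) {
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
    tlsext_tick_keys = apr_palloc(p, (apr_size_t)tick_keys_len);
    /* never install ticket keys the RNG could not fill */
    if (RAND_bytes(tlsext_tick_keys, (int)tick_keys_len) != 1) {
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
}
if (SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                 (tick_keys_len),(tlsext_tick_keys)) != 1) {
    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
    ssl_die();
}
```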
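--- a/httpd-2.2.x/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_config.c
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
 mc->szCryptoDevice = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+ mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
 memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+ const char *err;
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+
+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ return err;
+ }
+
+ mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+ return NULL;
+#else
+ return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+ "for TLS extensions. Refer to the documentation, and build "
+ "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
 if (!ap_exists_config_define("DUMP_CERTS")) {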
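Review bot: The default behaviour of the new setting is left undocumented: the global record starts at `SSL_ENABLED_UNSET` in the first hunk, and the consumer in ssl_engine_init.c only reacts to `SSL_ENABLED_FALSE` by setting `SSL_OP_NO_TICKET`, so tickets stay enabled unless the directive is explicitly set to Off. A comment above the initialisation such as `/* UNSET (the default) keeps OpenSSL's session ticket support on; only an explicit SSLSessionTicketExtension Off sets SSL_OP_NO_TICKET */` would make that visible at the one place a reader looks for defaults. `ssl_cmd_SSLSessionTicketExtension` would also benefit from a one-line header comment noting that the flag is stored in `SSLModConfigRec` (module-global, obtained via `myModConfig`) rather than per-server config, which is why `ap_check_cmd_context(cmd, GLOBAL_ONLY)` rejects it inside a virtual host.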
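--- a/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
 time I was too famous.''
 -- Unknown */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
 apr_array_header_t *names;
 int i;
 SSLConnRec *sslcon;
+ char *sid_ctx;
 
 /* check ServerName */
 if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
 SSL_CTX_get_verify_callback(ssl->ctx));
 }
+ /*
+ * Adjust the session id context. ssl_init_ssl_connection()
+ * always picks the configuration of the first vhost when
+ * calling SSL_new(), but we want to tie the session to the
+ * vhost we have just switched to. Again, we have to make sure
+ * that we're not overwriting a session id context which was
+ * possibly set in ssl_hook_Access(), before triggering
+ * a renegotation.
+ */
+ if (!SSL_num_renegotiations(ssl)) {
+ sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+ sc->vhost_id_len);
+ SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+ APR_MD5_DIGESTSIZE*2);
+ }
 
 /*
 * Save the found server into our SSLConnRec for later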
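Review bot: The new `SSL_set_session_id_context` call in ssl_find_vhost discards its return value; OpenSSL returns 0 when the context exceeds the length it accepts, and the session id context is what stops a session resumed under one vhost's client-verification settings from being accepted by a vhost with different ones, so a silent failure here weakens exactly the isolation the comment describes. The hex digest from `ap_md5_binary` is `APR_MD5_DIGESTSIZE*2` = 32 bytes, which as far as I know is the maximum OpenSSL permits, so the call should succeed, but that dependency deserves a comment (`/* 32-byte hex digest: the longest session id context OpenSSL accepts */`) and a check, e.g. `if (!SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx, APR_MD5_DIGESTSIZE*2)) { ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); }` followed by the function's existing failure return, which is outside the hunk. ssl_find_vhost starts before and continues after this hunk.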
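--- a/httpd-2.2.x/modules/ssl/mod_ssl.c
+++ b/httpd-2.2.x/modules/ssl/mod_ssl.c
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
 SSL_CMD_SRV(RandomSeed, TAKE23,
 "SSL Pseudo Random Number Generator (PRNG) seeding source "
 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+ SSL_CMD_SRV(SessionTicketExtension, FLAG,
+ "TLS Session Ticket extension support")
 
 /*
 * Per-server context configuration directives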
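Review bot: The help string for the new `SessionTicketExtension` directive does not tell the administrator where it may be placed, while its handler in ssl_engine_config.c rejects it with `ap_check_cmd_context(cmd, GLOBAL_ONLY)`, so putting it inside a virtual host only fails at startup with a generic context error. Suggest `"TLS Session Ticket extension support (global context only; tickets stay on unless set to Off)"`, which mirrors what the handler and ssl_engine_init.c actually do.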