source: trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch @ 1412

Last change on this file since 1412 was 1348, checked in by mitchb, 15 years ago
Prompt for certs once, not five bajillion times (fix SSL session caching) Clients that support both the SNI extension and the TLS Session Tickets extension have problems that, among other things, result in many of our cert-protected sites requesting the user's certs an inordinate number of times. This will supposedly be fixed in later versions of openssl, but in the meantime, this applies the patch proposed here: http://mail-archives.apache.org/mod_mbox/httpd-dev/200911.mbox/ajax/%3c4AF58A80.5080101@velox.ch%3e with the following modifications: o Remove the documentation chunk of the patch (it applies to the source XML file which isn't part of the distribution tarball) o Expand the macro SSL_CTX_set_tlsext_ticket_keys in two places to work around the typo in our version of openssl corrected by this upstream commit: http://marc.info/?l=openssl-cvs&m=124638969912935&w=2
File size: 7.1 KB
RevLine 
[1348]1Index: httpd-2.2.x/modules/ssl/ssl_private.h
2===================================================================
3--- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 833672)
4+++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
5@@ -395,6 +395,9 @@ typedef struct {
6 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
7     const char     *szCryptoDevice;
8 #endif
9+#ifndef OPENSSL_NO_TLSEXT
10+    ssl_enabled_t  session_tickets_enabled;
11+#endif
12     struct {
13         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
14     } rCtx;
15@@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
16 const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
17 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
18 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
19+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
20 
21 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
22 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
23Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
24===================================================================
25--- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 833672)
26+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
27@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
28         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
29         ssl_die();
30     }
31+
32+    /*
33+     * Session tickets (stateless resumption)
34+     */
35+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
36+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
37+                     "Disabling TLS session ticket support");
38+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
39+    }
40 }
41 #endif
42 
43@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
44 
45     BOOL conflict = FALSE;
46 
47+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
48+    unsigned char *tlsext_tick_keys = NULL;
49+    long tick_keys_len;
50+#endif
51+
52     /*
53      * Give out warnings when a server has HTTPS configured
54      * for the HTTP port or vice versa
55@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
56                          ssl_util_vhostid(p, s),
57                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
58         }
59+
60+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
61+        /*
62+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
63+         * the same ticket encryption parameters for every SSL_CTX (workaround
64+         * for SNI+SessionTicket extension interoperability issue in these versions)
65+         */
66+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
67+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
68+            if (!tlsext_tick_keys) {
69+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
70+                                                               (-1),(NULL));
71+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
72+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
73+            }
74+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
75+                                           (tick_keys_len),(tlsext_tick_keys));
76+        }
77+#endif
78     }
79 
80     /*
81Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
82===================================================================
83--- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672)
84+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy)
85@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
86 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
87     mc->szCryptoDevice         = NULL;
88 #endif
89+#ifndef OPENSSL_NO_TLSEXT
90+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
91+#endif
92 
93     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
94 
95@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
96 #endif
97 }
98 
99+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
100+{
101+#ifndef OPENSSL_NO_TLSEXT
102+    const char *err;
103+    SSLModConfigRec *mc = myModConfig(cmd->server);
104+
105+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
106+        return err;
107+    }
108+
109+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
110+
111+    return NULL;
112+#else
113+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
114+           "for TLS extensions. Refer to the documentation, and build "
115+           "a compatible version of OpenSSL.";
116+#endif
117+}
118+
119 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
120 {
121     if (!ap_exists_config_define("DUMP_CERTS")) {
122Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
123===================================================================
124--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672)
125+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
126@@ -29,6 +29,7 @@
127                                   time I was too famous.''
128                                             -- Unknown                */
129 #include "ssl_private.h"
130+#include "util_md5.h"
131 
132 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
133 #ifndef OPENSSL_NO_TLSEXT
134@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
135     apr_array_header_t *names;
136     int i;
137     SSLConnRec *sslcon;
138+    char *sid_ctx;
139 
140     /* check ServerName */
141     if (!strcasecmp(servername, s->server_hostname)) {
142@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
143             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
144                            SSL_CTX_get_verify_callback(ssl->ctx));
145         }
146+        /*
147+         * Adjust the session id context. ssl_init_ssl_connection()
148+         * always picks the configuration of the first vhost when
149+         * calling SSL_new(), but we want to tie the session to the
150+         * vhost we have just switched to. Again, we have to make sure
151+         * that we're not overwriting a session id context which was
152+         * possibly set in ssl_hook_Access(), before triggering
153+         * a renegotation.
154+         */
155+        if (!SSL_num_renegotiations(ssl)) {
156+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
157+                                    sc->vhost_id_len);
158+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
159+                                       APR_MD5_DIGESTSIZE*2);
160+        }
161 
162         /*
163          * Save the found server into our SSLConnRec for later
164Index: httpd-2.2.x/modules/ssl/mod_ssl.c
165===================================================================
166--- httpd-2.2.x/modules/ssl/mod_ssl.c   (revision 833672)
167+++ httpd-2.2.x/modules/ssl/mod_ssl.c   (working copy)
168@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
169     SSL_CMD_SRV(RandomSeed, TAKE23,
170                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
171                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
172+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
173+                "TLS Session Ticket extension support")
174 
175     /*
176      * Per-server context configuration directives
Note: See TracBrowser for help on using the repository browser.