source: trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch @ 2307

Last change on this file since 2307 was 1539, checked in by mitchb, 14 years ago
Upgrade to Apache 2.2.15 Also drop the CVE-2010-0434 patch which is now incorporated upstream.
File size: 7.1 KB
RevLine 
[1348]1Index: httpd-2.2.x/modules/ssl/ssl_private.h
2===================================================================
3--- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 833672)
4+++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
5@@ -395,6 +395,9 @@ typedef struct {
6 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
7     const char     *szCryptoDevice;
8 #endif
9+#ifndef OPENSSL_NO_TLSEXT
10+    ssl_enabled_t  session_tickets_enabled;
11+#endif
12     struct {
13         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
14     } rCtx;
[1539]15@@ -547,6 +550,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
[1348]16 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
17 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
[1539]18 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
[1348]19+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
20 
21 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
22 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
23Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
24===================================================================
25--- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 833672)
26+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
27@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
28         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
29         ssl_die();
30     }
31+
32+    /*
33+     * Session tickets (stateless resumption)
34+     */
35+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
36+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
37+                     "Disabling TLS session ticket support");
38+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
39+    }
40 }
41 #endif
42 
43@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
44 
45     BOOL conflict = FALSE;
46 
47+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
48+    unsigned char *tlsext_tick_keys = NULL;
49+    long tick_keys_len;
50+#endif
51+
52     /*
53      * Give out warnings when a server has HTTPS configured
54      * for the HTTP port or vice versa
55@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
56                          ssl_util_vhostid(p, s),
57                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
58         }
59+
60+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
61+        /*
62+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
63+         * the same ticket encryption parameters for every SSL_CTX (workaround
64+         * for SNI+SessionTicket extension interoperability issue in these versions)
65+         */
66+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
67+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
68+            if (!tlsext_tick_keys) {
69+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
70+                                                               (-1),(NULL));
71+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
72+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
73+            }
74+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
75+                                           (tick_keys_len),(tlsext_tick_keys));
76+        }
77+#endif
78     }
79 
80     /*
81Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
82===================================================================
83--- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672)
84+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy)
85@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
86 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
87     mc->szCryptoDevice         = NULL;
88 #endif
89+#ifndef OPENSSL_NO_TLSEXT
90+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
91+#endif
92 
93     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
94 
95@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
96 #endif
97 }
98 
99+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
100+{
101+#ifndef OPENSSL_NO_TLSEXT
102+    const char *err;
103+    SSLModConfigRec *mc = myModConfig(cmd->server);
104+
105+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
106+        return err;
107+    }
108+
109+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
110+
111+    return NULL;
112+#else
113+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
114+           "for TLS extensions. Refer to the documentation, and build "
115+           "a compatible version of OpenSSL.";
116+#endif
117+}
118+
119 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
120 {
121     if (!ap_exists_config_define("DUMP_CERTS")) {
122Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
123===================================================================
124--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672)
125+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
126@@ -29,6 +29,7 @@
127                                   time I was too famous.''
128                                             -- Unknown                */
129 #include "ssl_private.h"
130+#include "util_md5.h"
131 
132 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
133 #ifndef OPENSSL_NO_TLSEXT
134@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
135     apr_array_header_t *names;
136     int i;
137     SSLConnRec *sslcon;
138+    char *sid_ctx;
139 
140     /* check ServerName */
141     if (!strcasecmp(servername, s->server_hostname)) {
142@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
143             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
144                            SSL_CTX_get_verify_callback(ssl->ctx));
145         }
146+        /*
147+         * Adjust the session id context. ssl_init_ssl_connection()
148+         * always picks the configuration of the first vhost when
149+         * calling SSL_new(), but we want to tie the session to the
150+         * vhost we have just switched to. Again, we have to make sure
151+         * that we're not overwriting a session id context which was
152+         * possibly set in ssl_hook_Access(), before triggering
153+         * a renegotation.
154+         */
155+        if (!SSL_num_renegotiations(ssl)) {
156+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
157+                                    sc->vhost_id_len);
158+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
159+                                       APR_MD5_DIGESTSIZE*2);
160+        }
161 
162         /*
163          * Save the found server into our SSLConnRec for later
164Index: httpd-2.2.x/modules/ssl/mod_ssl.c
165===================================================================
166--- httpd-2.2.x/modules/ssl/mod_ssl.c   (revision 833672)
167+++ httpd-2.2.x/modules/ssl/mod_ssl.c   (working copy)
168@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
169     SSL_CMD_SRV(RandomSeed, TAKE23,
170                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
171                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
172+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
173+                "TLS Session Ticket extension support")
174 
175     /*
176      * Per-server context configuration directives
Note: See TracBrowser for help on using the repository browser.