source: trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch @ 1474

Last change on this file since 1474 was 1348, checked in by mitchb, 14 years ago
Prompt for certs once, not five bajillion times (fix SSL session caching) Clients that support both the SNI extension and the TLS Session Tickets extension have problems that, among other things, result in many of our cert-protected sites requesting the user's certs an inordinate number of times. This will supposedly be fixed in later versions of openssl, but in the meantime, this applies the patch proposed here: http://mail-archives.apache.org/mod_mbox/httpd-dev/200911.mbox/ajax/%3c4AF58A80.5080101@velox.ch%3e with the following modifications: o Remove the documentation chunk of the patch (it applies to the source XML file which isn't part of the distribution tarball) o Expand the macro SSL_CTX_set_tlsext_ticket_keys in two places to work around the typo in our version of openssl corrected by this upstream commit: http://marc.info/?l=openssl-cvs&m=124638969912935&w=2
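--- a/httpd-2.2.x/modules/ssl/ssl_private.h
+++ b/httpd-2.2.x/modules/ssl/ssl_private.h
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    ssl_enabled_t  session_tickets_enabled;
+#endif
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
     } rCtx;
@@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm
 const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);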
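Review bot: The new prototype at line 551 names its second parameter `cdfg`, while the definition in ssl_engine_config.c and every neighbouring prototype use `dcfg`. Parameter names in a prototype are not significant, so this is a style point only, but it reads as a typo and defeats grepping for the parameter. Suggest `const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);`. The struct that gains `session_tickets_enabled` in the first hunk starts before the hunk.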
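--- a/httpd-2.2.x/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_init.c
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+
+    /*
+     * Session tickets (stateless resumption)
+     */
+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "Disabling TLS session ticket support");
+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+    }
 }
 #endif
 
@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
 
     BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+    unsigned char *tlsext_tick_keys = NULL;
+    long tick_keys_len;
+#endif
+
     /*
      * Give out warnings when a server has HTTPS configured
      * for the HTTP port or vice versa
@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
                          ssl_util_vhostid(p, s),
                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
         }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+        /*
+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
+         * the same ticket encryption parameters for every SSL_CTX (workaround
+         * for SNI+SessionTicket extension interoperability issue in these versions)
+         */
+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
+            if (!tlsext_tick_keys) {
+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                                               (-1),(NULL));
+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
+            }
+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                           (tick_keys_len),(tlsext_tick_keys));
+        }
+#endif
     }
 
     /*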
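Review bot: In the ssl_init_CheckServers hunk the return value of `RAND_bytes()` is ignored, so if the RNG fails (it returns 0 or -1 rather than 1) the freshly `apr_palloc()`ed buffer is left uninitialised and that memory is then installed as the shared ticket encryption/MAC key on every SSL_CTX. The length obtained from `SSL_CTX_ctrl(..., -1, NULL)` is likewise used unchecked as the allocation size, and a non-positive result there would presumably give a wrong-sized buffer. Both should fail hard the way the first hunk in this file does, with `ssl_log_ssl_error()` followed by `ssl_die()`. The hunk also places this once-per-startup key generation inside the per-vhost loop, which is correct only because of the `!tlsext_tick_keys` guard; a short comment saying so would help. ssl_init_CheckServers starts before this hunk and continues after it.
```c
            if (!tlsext_tick_keys) {
                /* Generate the key set once; every enabled SSL_CTX below gets the same one */
                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                                               (-1),(NULL));
                if (tick_keys_len <= 0) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
                if (RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
            }
            /* … unchanged: SSL_CTX_ctrl(... SSL_CTRL_SET_TLSEXT_TICKET_KEYS ...) install … */
```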
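--- a/httpd-2.2.x/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_config.c
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+    const char *err;
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+    return NULL;
+#else
+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+           "for TLS extensions. Refer to the documentation, and build "
+           "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {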
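Review bot: `ssl_cmd_SSLSessionTicketExtension` has no header comment, and its tri-state semantics are not obvious from the body: the consumer in ssl_engine_init.c acts only on `SSL_ENABLED_FALSE`, so the `SSL_ENABLED_UNSET` default set in the first hunk and an explicit `on` both leave OpenSSL's ticket behaviour untouched. Suggest a comment above the definition: `/* SSLSessionTicketExtension on|off (global server context only): off sets SSL_OP_NO_TICKET on every SSL_CTX in ssl_init_ctx_tls_extensions(); on and unset leave OpenSSL's default. */`. A one-line comment on the `GLOBAL_ONLY` check, `/* ticket policy is per-process, not per-vhost */`, would explain why this directive is stricter than the surrounding per-server ones.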
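--- a/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
     apr_array_header_t *names;
     int i;
     SSLConnRec *sslcon;
+    char *sid_ctx;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (!SSL_num_renegotiations(ssl)) {
+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+                                    sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+                                       APR_MD5_DIGESTSIZE*2);
+        }
 
         /*
          * Save the found server into our SSLConnRec for later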
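Review bot: `SSL_set_session_id_context()` at line 2091 returns 0 when the context is longer than SSL_MAX_SID_CTX_LENGTH (32 bytes) and that return value is ignored; `APR_MD5_DIGESTSIZE*2` is exactly 32 so the call succeeds today, but nothing in the code records that the hex digest was chosen to fit that limit. Suggest either a comment on the call, `/* 32 hex chars == SSL_MAX_SID_CTX_LENGTH; anything longer makes this call fail silently */`, or checking the return and logging it, since a failed call would leave the session bound to the first vhost's context rather than the one just selected. The block comment also has a typo, `renegotation` → `renegotiation`. ssl_find_vhost starts before this hunk and continues after it.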
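--- a/httpd-2.2.x/modules/ssl/mod_ssl.c
+++ b/httpd-2.2.x/modules/ssl/mod_ssl.c
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
+                "TLS Session Ticket extension support")
 
     /*
      * Per-server context configuration directives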
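Review bot: The help string for the new `SessionTicketExtension` entry does not say that the directive is accepted only in the global server context, yet its handler in ssl_engine_config.c rejects any other placement via `ap_check_cmd_context(cmd, GLOBAL_ONLY)`. `SSL_CMD_SRV` appears to register it with the same scope as the per-server directives that follow, so a user who puts it in a `<VirtualHost>` learns of the restriction only from the resulting startup error. Suggest `"TLS Session Ticket extension support (global server context only)"`.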