source: trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch @ 2458

Last change on this file since 2458 was 1539, checked in by mitchb, 14 years ago
Upgrade to Apache 2.2.15. Also drop the CVE-2010-0434 patch, which is now incorporated upstream.
File size: 7.1 KB
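--- a/httpd-2.2.x/modules/ssl/ssl_private.h
+++ b/httpd-2.2.x/modules/ssl/ssl_private.h
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    ssl_enabled_t  session_tickets_enabled;
+#endif
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
     } rCtx;
@@ -547,6 +550,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);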
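Review bot: The new prototype's second parameter is named `cdfg`, while every neighbouring prototype and the definition in ssl_engine_config.c use `dcfg`; rename it, `const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);`. The new `session_tickets_enabled` field in the first hunk also deserves a comment stating what UNSET means, since ssl_engine_init.c only reacts to SSL_ENABLED_FALSE: `/* SSLSessionTicketExtension; UNSET leaves OpenSSL's own default (tickets enabled) */`. The enclosing struct typedef starts and ends outside the hunk.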
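--- a/httpd-2.2.x/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_init.c
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+
+    /*
+     * Session tickets (stateless resumption)
+     */
+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "Disabling TLS session ticket support");
+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+    }
 }
 #endif
 
@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
 
     BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+    unsigned char *tlsext_tick_keys = NULL;
+    long tick_keys_len;
+#endif
+
     /*
      * Give out warnings when a server has HTTPS configured
      * for the HTTP port or vice versa
@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
                          ssl_util_vhostid(p, s),
                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
         }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+        /*
+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
+         * the same ticket encryption parameters for every SSL_CTX (workaround
+         * for SNI+SessionTicket extension interoperability issue in these versions)
+         */
+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
+            if (!tlsext_tick_keys) {
+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                                               (-1),(NULL));
+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
+            }
+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                           (tick_keys_len),(tlsext_tick_keys));
+        }
+#endif
     }
 
     /*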
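Review bot: The result of `RAND_bytes(tlsext_tick_keys, tick_keys_len)` in the last hunk is discarded, so if the PRNG is not seeded the buffer keeps whatever apr_palloc() handed back and every vhost's SSL_CTX is then loaded with uninitialised, possibly predictable material as the key that encrypts and authenticates all resumable session state. The length returned by the preceding SSL_CTX_ctrl() query is likewise used as an allocation size without a check, and the second SSL_CTX_ctrl() result is dropped. The top of the first hunk already handles failures with ssl_log_ssl_error() and ssl_die(); the same pattern fits here. Since the keys are generated once in ssl_init_CheckServers(), they presumably live for the whole server lifetime and are never rotated short of a restart, which is worth noting in the comment. ssl_init_CheckServers() begins and ends outside this hunk.
```c
            if (!tlsext_tick_keys) {
                tick_keys_len = SSL_CTX_ctrl(sc->server->ssl_ctx,
                                             SSL_CTRL_SET_TLSEXT_TICKET_KEYS, -1, NULL);
                if (tick_keys_len <= 0) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
                tlsext_tick_keys = apr_palloc(p, tick_keys_len);
                /* RAND_bytes() returns 1 on success; on failure the pool memory is
                 * uninitialised and must never be used as ticket key material. */
                if (RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
            }
            if (SSL_CTX_ctrl(sc->server->ssl_ctx, SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                             tick_keys_len, tlsext_tick_keys) != 1) {
                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                ssl_die();
            }
```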
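--- a/httpd-2.2.x/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_config.c
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+    const char *err;
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+    return NULL;
+#else
+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+           "for TLS extensions. Refer to the documentation, and build "
+           "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {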
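Review bot: ssl_cmd_SSLSessionTicketExtension() has no header comment, and nothing in the file states that the setting is global rather than per-vhost or what an unset value does; add above the definition a comment along the lines of `/* SSLSessionTicketExtension On|Off: global (one SSLModConfigRec, enforced by GLOBAL_ONLY). Left UNSET, ssl_init_ctx_tls_extensions() never sets SSL_OP_NO_TICKET, so OpenSSL's default of issuing tickets applies. */`. Operators would also want it noted, hedged since the cache code is not visible here, that turning tickets Off makes resumption depend entirely on the stateful SSLSessionCache, so its size and timeout then matter. In the `#else` branch "failed" misdescribes a directive that was never attempted; `SSLSessionTicketExtension is unavailable; OpenSSL is not built with support ` reads more accurately.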
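--- a/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
     apr_array_header_t *names;
     int i;
     SSLConnRec *sslcon;
+    char *sid_ctx;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (!SSL_num_renegotiations(ssl)) {
+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+                                    sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+                                       APR_MD5_DIGESTSIZE*2);
+        }
 
         /*
          * Save the found server into our SSLConnRec for later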
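Review bot: The return value of SSL_set_session_id_context() at the end of the new block is discarded; it returns 0 when the context exceeds SSL_MAX_SID_CTX_LENGTH, and a silent failure here would leave the session bound to the first vhost's context, which is exactly the cross-vhost resumption this patch is meant to prevent. The 32-character hex digest fits only because that limit is 32 in the OpenSSL versions this patch targets, so at minimum record the invariant next to the call, `/* 32 hex chars == SSL_MAX_SID_CTX_LENGTH; SSL_set_session_id_context() fails on anything longer */`, or log through ssl_log_ssl_error() when it returns 0. `c` is not declared in the visible lines and is presumably the conn_rec recovered earlier in ssl_find_vhost(), whose body begins and ends outside the hunk. The new comment also misspells `renegotiation`.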
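--- a/httpd-2.2.x/modules/ssl/mod_ssl.c
+++ b/httpd-2.2.x/modules/ssl/mod_ssl.c
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
+                "TLS Session Ticket extension support")
 
     /*
      * Per-server context configuration directives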
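Review bot: The help string for the new SessionTicketExtension directive does not say that it takes On|Off, that the handler in ssl_engine_config.c restricts it to the global server config via ap_check_cmd_context(GLOBAL_ONLY), or that leaving it unset keeps tickets enabled; `"TLS Session Ticket extension support (`On|Off'; global server config only; default On)"` would match the style of the RandomSeed entry above it. Registered through SSL_CMD_SRV it is presumably accepted by the command table inside <VirtualHost> and only rejected by the handler's check, so the help text is the one place an administrator can learn the scope before hitting that error. The command table starts and ends outside this hunk.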