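Index: httpd-2.2.x/modules/ssl/ssl_private.h
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_private.h (revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy)
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
 const char *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+ ssl_enabled_t session_tickets_enabled;
+#endif
 struct {
 void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
 } rCtx;
@@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm
 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);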
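Review bot: The new prototype in the second ssl_private.h hunk names its second parameter `cdfg`, while every neighbouring prototype and the definition in ssl_engine_config.c use `dcfg`; the compiler does not care, but it reads as a typo, so change it to `const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);`. The new `session_tickets_enabled` member in the first hunk lives in the module-global config rather than in a per-server record, and the directive handler enforces GLOBAL_ONLY, so a one-line comment on the member such as `/* SSLSessionTicketExtension (global only); only SSL_ENABLED_FALSE disables tickets */` would spare the next reader a trip through three files. The typedef'd struct these hunks touch begins and ends outside the hunk.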
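Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
+
+ /*
+ * Session tickets (stateless resumption)
+ */
+ if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Disabling TLS session ticket support");
+ SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+ }
 }
 #endif
 
@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
 
 BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+ unsigned char *tlsext_tick_keys = NULL;
+ long tick_keys_len;
+#endif
+
 /*
 * Give out warnings when a server has HTTPS configured
 * for the HTTP port or vice versa
@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
 ssl_util_vhostid(p, s),
 DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
 }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+ /*
+ * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
+ * the same ticket encryption parameters for every SSL_CTX (workaround
+ * for SNI+SessionTicket extension interoperability issue in these versions)
+ */
+ if ((sc->enabled == SSL_ENABLED_TRUE) ||
+ (sc->enabled == SSL_ENABLED_OPTIONAL)) {
+ if (!tlsext_tick_keys) {
+ tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+ (-1),(NULL));
+ tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
+ RAND_bytes(tlsext_tick_keys, tick_keys_len);
+ }
+ SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+ (tick_keys_len),(tlsext_tick_keys));
+ }
+#endif
 }
 
 /*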
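Review bot: The return value of `RAND_bytes(tlsext_tick_keys, tick_keys_len)` in the third ssl_engine_init.c hunk is discarded, and the `tick_keys_len` obtained from the NULL length query goes straight into apr_palloc unchecked; an unseeded PRNG would leave the keys that encrypt every resumable session on every vhost predictable, and a non-positive length would be a silent misallocation. The file already dies on fatal TLS setup errors (the ssl_die() in the first hunk), so do the same here: test `tick_keys_len <= 0` before the apr_palloc, and follow the RAND_bytes call with `if (RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) { ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); }`. Two properties of this workaround deserve a sentence in the block comment: the keys are generated once and live unrotated for the process lifetime, and one key set shared by all vhosts means a ticket minted by one vhost decrypts under any other, so cross-vhost resumption is then gated only by the session id context check, which should be confirmed to apply to ticket-based resumption on these OpenSSL versions. ssl_init_CheckServers begins and ends outside the hunk.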
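Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy)
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
 mc->szCryptoDevice = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+ mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
 memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+ const char *err;
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+
+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ return err;
+ }
+
+ mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+ return NULL;
+#else
+ return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+ "for TLS extensions. Refer to the documentation, and build "
+ "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
 if (!ap_exists_config_define("DUMP_CERTS")) {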
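Review bot: ssl_cmd_SSLSessionTicketExtension in the second ssl_engine_config.c hunk carries no comment, and its semantics are not obvious from this file alone: the directive is accepted only at global scope (`ap_check_cmd_context(cmd, GLOBAL_ONLY)`), the value is stored in the module-global SSLModConfigRec rather than per server, and because the initialisation code only reacts to SSL_ENABLED_FALSE, an explicit `on` and the unset default behave identically. I would add a short block comment above the function stating exactly that, e.g. `/* SSLSessionTicketExtension on|off: global only; 'off' sets SSL_OP_NO_TICKET on every SSL_CTX at init, 'on' or unset leaves OpenSSL's default ticket handling. */`. The unused `dcfg` parameter is dictated by the command_rec signature and is fine as is.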
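Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
@@ -29,6 +29,7 @@
 time I was too famous.''
 -- Unknown */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
 apr_array_header_t *names;
 int i;
 SSLConnRec *sslcon;
+ char *sid_ctx;
 
 /* check ServerName */
 if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
 SSL_CTX_get_verify_callback(ssl->ctx));
 }
+ /*
+ * Adjust the session id context. ssl_init_ssl_connection()
+ * always picks the configuration of the first vhost when
+ * calling SSL_new(), but we want to tie the session to the
+ * vhost we have just switched to. Again, we have to make sure
+ * that we're not overwriting a session id context which was
+ * possibly set in ssl_hook_Access(), before triggering
+ * a renegotation.
+ */
+ if (!SSL_num_renegotiations(ssl)) {
+ sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+ sc->vhost_id_len);
+ SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+ APR_MD5_DIGESTSIZE*2);
+ }
 
 /*
 * Save the found server into our SSLConnRec for later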
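Review bot: Whether the `SSL_set_session_id_context()` added in the third ssl_engine_kernel.c hunk actually constrains resumption depends on OpenSSL running the servername callback before it looks up the session the client offered; if the lookup happens first, the new context only labels sessions created from this point on, and a session established on another vhost could still be resumed into this one with this vhost's verify settings. Please confirm that ordering for the OpenSSL versions this patch targets and record it in the block comment, e.g. `* NOTE: only effective if OpenSSL runs this callback before its session lookup.` The comment should also state that this MD5-of-vhost_id value must equal the context ssl_hook_Access() derives for the same vhost (the hunk only says it must not overwrite it), since a mismatch would not be a security hole but would silently defeat resumption across SNI and renegotiated connections to one vhost. ssl_find_vhost begins and ends outside the hunk.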
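Index: httpd-2.2.x/modules/ssl/mod_ssl.c
===================================================================
--- httpd-2.2.x/modules/ssl/mod_ssl.c (revision 833672)
+++ httpd-2.2.x/modules/ssl/mod_ssl.c (working copy)
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
 SSL_CMD_SRV(RandomSeed, TAKE23,
 "SSL Pseudo Random Number Generator (PRNG) seeding source "
 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+ SSL_CMD_SRV(SessionTicketExtension, FLAG,
+ "TLS Session Ticket extension support")
 
 /*
 * Per-server context configuration directives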
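Review bot: The help string `"TLS Session Ticket extension support"` in the mod_ssl.c hunk does not tell an administrator that the directive is only accepted in the global server context (the handler in ssl_engine_config.c rejects it elsewhere via GLOBAL_ONLY) or that leaving it unset keeps OpenSSL's default ticket handling; I would extend it to `"TLS Session Ticket extension support (`on|off', global context only)"`, following the form of the RandomSeed string just above it. The ssl_config_cmds table continues outside the hunk.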