bcbc8512 ER |
1 | --- httpd-2.3.8/modules/ssl/ssl_private.h~ 2010-09-01 13:21:44.000000000 +0300 |
2 | +++ httpd-2.3.8/modules/ssl/ssl_private.h 2010-09-01 13:22:12.923733895 +0300 | |
3 | @@ -394,6 +394,9 @@ | |
9f2f5880 | 4 | #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) |
5 | const char *szCryptoDevice; | |
6 | #endif | |
7 | +#ifndef OPENSSL_NO_TLSEXT | |
8 | + ssl_enabled_t session_tickets_enabled; | |
9 | +#endif | |
bcbc8512 ER |
10 | |
11 | #ifdef HAVE_OCSP_STAPLING | |
12 | const ap_socache_provider_t *stapling_cache; | |
9f2f5880 | 13 | @@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm |
9f2f5880 | 14 | const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg); |
15 | const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); | |
2bd52d66 | 16 | const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag); |
9f2f5880 | 17 | +const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag); |
18 | ||
19 | const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); | |
20 | const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); | |
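Review bot: The added prototype names its second parameter `cdfg`, while every neighbouring prototype in this hunk and the definition in ssl_engine_config.c use `dcfg`. A parameter name in a declaration has no effect on linkage, so this is cosmetic, but it reads as a typo and will trip up anyone grepping for the directive-config argument. Change it to `const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);`.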
21 | Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c | |
22 | =================================================================== | |
23 | --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 833672) | |
24 | +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) | |
25 | @@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions( | |
26 | ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); | |
27 | ssl_die(); | |
28 | } | |
29 | + | |
30 | + /* | |
31 | + * Session tickets (stateless resumption) | |
32 | + */ | |
33 | + if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) { | |
34 | + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, | |
35 | + "Disabling TLS session ticket support"); | |
36 | + SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET); | |
37 | + } | |
38 | } | |
39 | #endif | |
40 | ||
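Review bot: The new block only acts on the explicit `SSL_ENABLED_FALSE` case, so `SSL_ENABLED_UNSET` and `SSL_ENABLED_TRUE` both leave the context at whatever the library default is, and the comment does not say so. Expand the three-line comment to something like `/* Session tickets (stateless resumption): only an explicit SSLSessionTicketExtension off sets SSL_OP_NO_TICKET; unset keeps the library default. */` so the next reader does not look for a matching "enable" branch. The debug log line is otherwise fine.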
41 | @@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b | |
42 | ||
43 | BOOL conflict = FALSE; | |
44 | ||
45 | +#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0 | |
46 | + unsigned char *tlsext_tick_keys = NULL; | |
47 | + long tick_keys_len; | |
48 | +#endif | |
49 | + | |
50 | /* | |
51 | * Give out warnings when a server has HTTPS configured | |
52 | * for the HTTP port or vice versa | |
53 | @@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b | |
54 | ssl_util_vhostid(p, s), | |
55 | DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT); | |
56 | } | |
57 | + | |
58 | +#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0 | |
59 | + /* | |
60 | + * When using OpenSSL versions 0.9.8f through 0.9.8l, configure | |
61 | + * the same ticket encryption parameters for every SSL_CTX (workaround | |
62 | + * for SNI+SessionTicket extension interoperability issue in these versions) | |
63 | + */ | |
64 | + if ((sc->enabled == SSL_ENABLED_TRUE) || | |
65 | + (sc->enabled == SSL_ENABLED_OPTIONAL)) { | |
66 | + if (!tlsext_tick_keys) { | |
67 | + tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS, | |
68 | + (-1),(NULL)); | |
69 | + tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len); | |
70 | + RAND_bytes(tlsext_tick_keys, tick_keys_len); | |
71 | + } | |
72 | + SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS, | |
73 | + (tick_keys_len),(tlsext_tick_keys)); | |
74 | + } | |
75 | +#endif | |
76 | } | |
77 | ||
78 | /* | |
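Review bot: `RAND_bytes()` is called for the shared ticket keys without checking its return, and `tick_keys_len` from the `SSL_CTX_ctrl()` query is passed to `apr_palloc()` and `RAND_bytes()` without a sanity check; if the PRNG call fails the keys stay whatever `apr_palloc()` handed back, and every vhost is then configured with a non-random ticket encryption key, which defeats the point of tickets being opaque to clients. This file already has the pattern for fatal init errors (see the `ssl_log_ssl_error(...); ssl_die();` lines in the ssl_init_ctx_tls_extensions hunk above), so the allocation should become `if (tick_keys_len <= 0 || RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) { ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); }` placed right after the `apr_palloc()` (with the `tick_keys_len <= 0` test moved before it). The uninitialised `long tick_keys_len;` declared in the previous hunk is only read after this assignment, so it is fine as is. The same note applies to the earlier hunk of ssl_init_CheckServers that declares these variables.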
79 | Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c | |
80 | =================================================================== | |
81 | --- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672) | |
82 | +++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy) | |
83 | @@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat | |
84 | #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) | |
85 | mc->szCryptoDevice = NULL; | |
86 | #endif | |
87 | +#ifndef OPENSSL_NO_TLSEXT | |
88 | + mc->session_tickets_enabled = SSL_ENABLED_UNSET; | |
89 | +#endif | |
90 | ||
91 | memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); | |
92 | ||
93 | @@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh | |
94 | #endif | |
95 | } | |
96 | ||
97 | +const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag) | |
98 | +{ | |
99 | +#ifndef OPENSSL_NO_TLSEXT | |
100 | + const char *err; | |
101 | + SSLModConfigRec *mc = myModConfig(cmd->server); | |
102 | + | |
103 | + if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { | |
104 | + return err; | |
105 | + } | |
106 | + | |
107 | + mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; | |
108 | + | |
109 | + return NULL; | |
110 | +#else | |
111 | + return "SSLSessionTicketExtension failed; OpenSSL is not built with support " | |
112 | + "for TLS extensions. Refer to the documentation, and build " | |
113 | + "a compatible version of OpenSSL."; | |
114 | +#endif | |
115 | +} | |
116 | + | |
117 | void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) | |
118 | { | |
119 | if (!ap_exists_config_define("DUMP_CERTS")) { | |
120 | Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c | |
121 | =================================================================== | |
122 | --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672) | |
123 | +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) | |
124 | @@ -29,6 +29,7 @@ | |
125 | time I was too famous.'' | |
126 | -- Unknown */ | |
127 | #include "ssl_private.h" | |
128 | +#include "util_md5.h" | |
129 | ||
130 | static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); | |
131 | #ifndef OPENSSL_NO_TLSEXT | |
132 | @@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna | |
133 | apr_array_header_t *names; | |
134 | int i; | |
135 | SSLConnRec *sslcon; | |
136 | + char *sid_ctx; | |
137 | ||
138 | /* check ServerName */ | |
139 | if (!strcasecmp(servername, s->server_hostname)) { | |
140 | @@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna | |
141 | SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), | |
142 | SSL_CTX_get_verify_callback(ssl->ctx)); | |
143 | } | |
144 | + /* | |
145 | + * Adjust the session id context. ssl_init_ssl_connection() | |
146 | + * always picks the configuration of the first vhost when | |
147 | + * calling SSL_new(), but we want to tie the session to the | |
148 | + * vhost we have just switched to. Again, we have to make sure | |
149 | + * that we're not overwriting a session id context which was | |
150 | + * possibly set in ssl_hook_Access(), before triggering | |
151 | + * a renegotation. | |
152 | + */ | |
153 | + if (!SSL_num_renegotiations(ssl)) { | |
154 | + sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id, | |
155 | + sc->vhost_id_len); | |
156 | + SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx, | |
157 | + APR_MD5_DIGESTSIZE*2); | |
158 | + } | |
159 | ||
160 | /* | |
161 | * Save the found server into our SSLConnRec for later | |
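Review bot: The return of `SSL_set_session_id_context()` is ignored; it reports failure (0) when the supplied length exceeds `SSL_MAX_SID_CTX_LENGTH`, and `APR_MD5_DIGESTSIZE*2` (the hex-string length from `ap_md5_binary()`) sits exactly at that limit, so it works today but a future change to either constant would silently stop isolating resumed sessions between vhosts, which is the security property this block exists to provide. Wrap it as `if (!SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx, APR_MD5_DIGESTSIZE*2)) {` followed by the file's usual `ssl_log_ssl_error()` call and a failure return. The comment also has a typo, `renegotation` should read `renegotiation`. The body of ssl_find_vhost continues outside this hunk.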
bcbc8512 ER |
162 | --- httpd-2.3.8/modules/ssl/mod_ssl.c~ 2010-06-06 20:10:23.000000000 +0300 |
163 | +++ httpd-2.3.8/modules/ssl/mod_ssl.c 2010-09-01 13:22:58.820804816 +0300 | |
164 | @@ -69,6 +69,8 @@ | |
9f2f5880 | 165 | SSL_CMD_SRV(RandomSeed, TAKE23, |
166 | "SSL Pseudo Random Number Generator (PRNG) seeding source " | |
bcbc8512 | 167 | "('startup|connect builtin|file:/path|exec:/path [bytes]')") |
9f2f5880 | 168 | + SSL_CMD_SRV(SessionTicketExtension, FLAG, |
169 | + "TLS Session Ticket extension support") | |
170 | ||
171 | /* | |
172 | * Per-server context configuration directives |