1 --- httpd-2.3.8/modules/ssl/ssl_private.h~      2010-09-01 13:21:44.000000000 +0300
2 +++ httpd-2.3.8/modules/ssl/ssl_private.h       2010-09-01 13:22:12.923733895 +0300
3 @@ -394,6 +394,9 @@
4  #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
5      const char     *szCryptoDevice;
6  #endif
7 +#ifndef OPENSSL_NO_TLSEXT
8 +    ssl_enabled_t  session_tickets_enabled;
9 +#endif
10  
11  #ifdef HAVE_OCSP_STAPLING
12      const ap_socache_provider_t *stapling_cache;
13 @@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
14  const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
15  const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
16  const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
17 +const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
18  
19  const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
20  const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
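Review bot: The new prototype on line 17 names its second parameter `cdfg`, while the definition in ssl_engine_config.c and every neighbouring prototype in this header use `dcfg`; the compiler does not care, but it reads as a typo and will trip anyone grepping for the parameter. Change it to `const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);`.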
21 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
22 ===================================================================
23 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 833672)
24 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
25 @@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
26          ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
27          ssl_die();
28      }
29 +
30 +    /*
31 +     * Session tickets (stateless resumption)
32 +     */
33 +    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
34 +        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
35 +                     "Disabling TLS session ticket support");
36 +        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
37 +    }
38  }
39  #endif
40  
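Review bot: When the directive is unset or on, nothing in this hunk installs or rotates a ticket key, and the only explicit key handling elsewhere in the patch is guarded by `OPENSSL_VERSION_NUMBER < 0x009080d0`, so on a current OpenSSL the key used to protect every ticket is, if I recall OpenSSL's behaviour correctly, the random one it generates when the SSL_CTX is created and it then lives until the server is restarted. That means every resumed session for that vhost remains decryptable with one long-lived key, which the session cache (whose entries expire) does not suffer from, and operators who rely on ephemeral key exchange for forward secrecy should be told. I would add above the `if`: `/* Tickets default to on. No ticket-key rotation is done here: the key OpenSSL picks for this SSL_CTX at startup is reused until the server is restarted. */`. ssl_init_ctx_tls_extensions() begins outside the hunk.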
41 @@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
42  
43      BOOL conflict = FALSE;
44  
45 +#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
46 +    unsigned char *tlsext_tick_keys = NULL;
47 +    long tick_keys_len;
48 +#endif
49 +
50      /*
51       * Give out warnings when a server has HTTPS configured
52       * for the HTTP port or vice versa
53 @@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
54                           ssl_util_vhostid(p, s),
55                           DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
56          }
57 +
58 +#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
59 +        /*
60 +         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
61 +         * the same ticket encryption parameters for every SSL_CTX (workaround
62 +         * for SNI+SessionTicket extension interoperability issue in these versions)
63 +         */
64 +        if ((sc->enabled == SSL_ENABLED_TRUE) ||
65 +            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
66 +            if (!tlsext_tick_keys) {
67 +                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
68 +                                                               (-1),(NULL));
69 +                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
70 +                RAND_bytes(tlsext_tick_keys, tick_keys_len);
71 +            }
72 +            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
73 +                                           (tick_keys_len),(tlsext_tick_keys));
74 +        }
75 +#endif
76      }
77  
78      /*
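Review bot: `RAND_bytes()` on line 70 is called without checking its return value, and `tick_keys_len` from the `SSL_CTX_ctrl` size query on line 67 goes straight into `apr_palloc` and `RAND_bytes` with no sanity check; if the PRNG is not seeded RAND_bytes returns 0 and whatever the pool handed back becomes the ticket encryption/MAC key shared by every vhost. This runs at startup, so a failure should be fatal the same way the other OpenSSL failures in this file are handled (`ssl_log_ssl_error` followed by `ssl_die`, as in the hunk above), and a non-positive length should be rejected before allocating. If `SSL_CTRL_SET_TLSEXT_TICKET_KEYS` copies the material into each ctx, as I believe it does, the pconf copy could also be cleared once the loop is done rather than kept for the life of the pool. ssl_init_CheckServers() begins outside the hunk.
```c
            if (!tlsext_tick_keys) {
                tick_keys_len = SSL_CTX_ctrl(sc->server->ssl_ctx,
                                             SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                             -1, NULL);
                if (tick_keys_len <= 0) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                 "Unable to determine TLS session ticket key size");
                    ssl_die();
                }
                tlsext_tick_keys = apr_palloc(p, tick_keys_len);
                /* RAND_bytes returns 1 only when the bytes are cryptographically strong */
                if (RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
            }
            /* … unchanged: SSL_CTX_ctrl(..., SSL_CTRL_SET_TLSEXT_TICKET_KEYS, tick_keys_len, tlsext_tick_keys) … */
```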
79 Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
80 ===================================================================
81 --- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672)
82 +++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy)
83 @@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
84  #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
85      mc->szCryptoDevice         = NULL;
86  #endif
87 +#ifndef OPENSSL_NO_TLSEXT
88 +    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
89 +#endif
90  
91      memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
92  
93 @@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
94  #endif
95  }
96  
97 +const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
98 +{
99 +#ifndef OPENSSL_NO_TLSEXT
100 +    const char *err;
101 +    SSLModConfigRec *mc = myModConfig(cmd->server);
102 +
103 +    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
104 +        return err;
105 +    }
106 +
107 +    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
108 +
109 +    return NULL;
110 +#else
111 +    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
112 +           "for TLS extensions. Refer to the documentation, and build "
113 +           "a compatible version of OpenSSL.";
114 +#endif
115 +}
116 +
117  void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
118  {
119      if (!ap_exists_config_define("DUMP_CERTS")) {
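Review bot: ssl_cmd_SSLSessionTicketExtension() has no comment explaining why it is restricted with `ap_check_cmd_context(cmd, GLOBAL_ONLY)` even though mod_ssl.c registers it with `SSL_CMD_SRV`, which (if that macro maps to RSRC_CONF as elsewhere in mod_ssl) lets the parser accept the directive inside a VirtualHost only to have this check reject it at startup. The reason is visible in the patch: the flag is stored in the global `SSLModConfigRec` and ssl_init_ctx_tls_extensions() applies it to every SSL_CTX, so a per-vhost value could never be honoured. I would put a header comment above the function such as `/* SSLSessionTicketExtension on|off. Global server context only: the setting lives in SSLModConfigRec and is applied to every SSL_CTX at init, so per-vhost values cannot be honoured. */`.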
120 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
121 ===================================================================
122 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672)
123 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
124 @@ -29,6 +29,7 @@
125                                    time I was too famous.''
126                                              -- Unknown                */
127  #include "ssl_private.h"
128 +#include "util_md5.h"
129  
130  static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
131  #ifndef OPENSSL_NO_TLSEXT
132 @@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
133      apr_array_header_t *names;
134      int i;
135      SSLConnRec *sslcon;
136 +    char *sid_ctx;
137  
138      /* check ServerName */
139      if (!strcasecmp(servername, s->server_hostname)) {
140 @@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
141              SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
142                             SSL_CTX_get_verify_callback(ssl->ctx));
143          }
144 +        /*
145 +         * Adjust the session id context. ssl_init_ssl_connection()
146 +         * always picks the configuration of the first vhost when
147 +         * calling SSL_new(), but we want to tie the session to the
148 +         * vhost we have just switched to. Again, we have to make sure
149 +         * that we're not overwriting a session id context which was
150 +         * possibly set in ssl_hook_Access(), before triggering
151 +         * a renegotation.
152 +         */
153 +        if (!SSL_num_renegotiations(ssl)) {
154 +            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
155 +                                    sc->vhost_id_len);
156 +            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
157 +                                       APR_MD5_DIGESTSIZE*2);
158 +        }
159  
160          /*
161           * Save the found server into our SSLConnRec for later
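Review bot: The added block explains the mechanics but not the security reason the session id context has to follow the SNI-selected vhost: under OpenSSL's session-id-context semantics a cached session is only resumed when the context matches, so giving each vhost its own context is what stops a session negotiated under one vhost's client-verification policy from being resumed on a vhost that requires client certificates. The MD5 here is only a fixed-width identifier that fits vhost_id into the session-id-context length limit, not a security use of the hash, and without a comment it will be flagged by every "weak hash" scanner; I would add `/* MD5 only shrinks vhost_id to a fixed-width context id; it is not used for any security property. */` above the `ap_md5_binary` call and fix "renegotation" to "renegotiation" in the comment. I assume `sc` is the matched vhost's SSLSrvConfigRec set earlier in ssl_find_vhost(), which begins outside the hunk.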
162 --- httpd-2.3.8/modules/ssl/mod_ssl.c~  2010-06-06 20:10:23.000000000 +0300
163 +++ httpd-2.3.8/modules/ssl/mod_ssl.c   2010-09-01 13:22:58.820804816 +0300
164 @@ -69,6 +69,8 @@
165      SSL_CMD_SRV(RandomSeed, TAKE23,
166                  "SSL Pseudo Random Number Generator (PRNG) seeding source "
167                  "('startup|connect builtin|file:/path|exec:/path [bytes]')")
168 +    SSL_CMD_SRV(SessionTicketExtension, FLAG,
169 +                "TLS Session Ticket extension support")
170  
171      /*
172       * Per-server context configuration directives
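Review bot: The help string on lines 168-169 does not say that the directive is only accepted in the global server context, although its handler enforces `GLOBAL_ONLY`, so an administrator who puts it inside a VirtualHost will only learn that from a startup error. Suggest `"TLS Session Ticket extension support ('on'|'off'; global server context only)"`. `SSL_CMD_SRV` presumably maps to RSRC_CONF, which does not express that restriction by itself.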