1 --- httpd-2.3.8/modules/ssl/ssl_private.h~ 2010-09-01 13:21:44.000000000 +0300
2 +++ httpd-2.3.8/modules/ssl/ssl_private.h 2010-09-01 13:22:12.923733895 +0300
4 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
5 const char *szCryptoDevice;
7 +#ifndef OPENSSL_NO_TLSEXT
8 + ssl_enabled_t session_tickets_enabled;
11 #ifdef HAVE_OCSP_STAPLING
12 const ap_socache_provider_t *stapling_cache;
13 @@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm
14 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
15 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
16 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
17 +const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
19 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
20 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
21 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
22 ===================================================================
23 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 833672)
24 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
25 @@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
26 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
31 + * Session tickets (stateless resumption)
33 + if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
34 + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
35 + "Disabling TLS session ticket support");
36 + SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
41 @@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
43 BOOL conflict = FALSE;
45 +#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
46 + unsigned char *tlsext_tick_keys = NULL;
51 * Give out warnings when a server has HTTPS configured
52 * for the HTTP port or vice versa
53 @@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
54 ssl_util_vhostid(p, s),
55 DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
58 +#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
60 + * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
61 + * the same ticket encryption parameters for every SSL_CTX (workaround
62 + * for SNI+SessionTicket extension interoperability issue in these versions)
64 + if ((sc->enabled == SSL_ENABLED_TRUE) ||
65 + (sc->enabled == SSL_ENABLED_OPTIONAL)) {
66 + if (!tlsext_tick_keys) {
67 + tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
69 + tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
70 + RAND_bytes(tlsext_tick_keys, tick_keys_len);
72 + SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
73 + (tick_keys_len),(tlsext_tick_keys));
79 Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
80 ===================================================================
81 --- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672)
82 +++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy)
83 @@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
84 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
85 mc->szCryptoDevice = NULL;
87 +#ifndef OPENSSL_NO_TLSEXT
88 + mc->session_tickets_enabled = SSL_ENABLED_UNSET;
91 memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
93 @@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh
97 +const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
99 +#ifndef OPENSSL_NO_TLSEXT
101 + SSLModConfigRec *mc = myModConfig(cmd->server);
103 + if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
107 + mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
111 + return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
112 + "for TLS extensions. Refer to the documentation, and build "
113 + "a compatible version of OpenSSL.";
117 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
119 if (!ap_exists_config_define("DUMP_CERTS")) {
120 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
121 ===================================================================
122 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672)
123 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
125 time I was too famous.''
127 #include "ssl_private.h"
128 +#include "util_md5.h"
130 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
131 #ifndef OPENSSL_NO_TLSEXT
132 @@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
133 apr_array_header_t *names;
138 /* check ServerName */
139 if (!strcasecmp(servername, s->server_hostname)) {
140 @@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
141 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
142 SSL_CTX_get_verify_callback(ssl->ctx));
145 + * Adjust the session id context. ssl_init_ssl_connection()
146 + * always picks the configuration of the first vhost when
147 + * calling SSL_new(), but we want to tie the session to the
148 + * vhost we have just switched to. Again, we have to make sure
149 + * that we're not overwriting a session id context which was
150 + * possibly set in ssl_hook_Access(), before triggering
153 + if (!SSL_num_renegotiations(ssl)) {
154 + sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
156 + SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
157 + APR_MD5_DIGESTSIZE*2);
161 * Save the found server into our SSLConnRec for later
162 --- httpd-2.3.8/modules/ssl/mod_ssl.c~ 2010-06-06 20:10:23.000000000 +0300
163 +++ httpd-2.3.8/modules/ssl/mod_ssl.c 2010-09-01 13:22:58.820804816 +0300
165 SSL_CMD_SRV(RandomSeed, TAKE23,
166 "SSL Pseudo Random Number Generator (PRNG) seeding source "
167 "('startup|connect builtin|file:/path|exec:/path [bytes]')")
168 + SSL_CMD_SRV(SessionTicketExtension, FLAG,
169 + "TLS Session Ticket extension support")
172 * Per-server context configuration directives