httpd-cvs mailing list archives

From kbr...@apache.org
Subject svn commit: r1211353 - /httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
Date Wed, 07 Dec 2011 09:42:38 GMT
Author: kbrand
Date: Wed Dec  7 09:42:38 2011
New Revision: 1211353

URL: http://svn.apache.org/viewvc?rev=1211353&view=rev
Log:
backport r1211352 from trunk:

Adjust the OpenSSL session id context for SNI configurations, so that
sessions are tied to the proper vhost (subset of a patch I originally
proposed in November 2009, cf. message with ID <4AF85A18.1000205@velox.ch>).

Modified:
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1211353&r1=1211352&r2=1211353&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Wed Dec  7 09:42:38 2011
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2044,6 +2045,23 @@ static int ssl_find_vhost(void *serverna
         }
 
         /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (SSL_num_renegotiations(ssl) == 0) {
+            unsigned char *sid_ctx =
+                (unsigned char *)ap_md5_binary(c->pool,
+                                               (unsigned char *)sc->vhost_id,
+                                               sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
+        }
+
+        /*
          * Save the found server into our SSLConnRec for later
          * retrieval
          */
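Review bot: the return value of SSL_set_session_id_context() is discarded in this hunk; it returns 0 (SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG) when sid_ctx_len exceeds SSL_MAX_SID_CTX_LENGTH, which is 32. The length passed here, APR_MD5_DIGESTSIZE*2, is exactly 32 because ap_md5_binary() returns the hex-encoded digest rather than the 16 raw bytes, so the call succeeds, but the fit is silent and exact; checking the return value, or passing the raw digest with an explicit length, would make the bound visible to the next reader. The new comment also says "renegotation" where "renegotiation" is meant.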


