httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yla...@apache.org
Subject svn commit: r1678703 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Date Mon, 11 May 2015 09:32:14 GMT
Author: ylavic
Date: Mon May 11 09:32:13 2015
New Revision: 1678703

URL: http://svn.apache.org/r1678703
Log:
Merge r1650310, r1650320 from trunk.


Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).

Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.

As long as we do not have a nice key management
there should be a way to deactivate session
tickets.


Fix copy and paste error in docs of new feature.


Committed by: rjung
Reviewed by: ylavic, rjung, gsmith
Backported by: ylavic

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 11 09:32:13 2015
@@ -1,2 +1,2 @@
 /httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003
-/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,932791,942209,952823,953311,955966,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,1368396,1369568,1395225,1398066,1400700,1408402,1410681,
 1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1527925,1528718,1529559,1531505,1532816,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1586745,1587594,1587639,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1620932,1621453,1648840,1649001,1676654
+/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,932791,942209,952823,953311,955966,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,1368396,1369568,1395225,1398066,1400700,1408402,1410681,
 1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1527925,1528718,1529559,1531505,1532816,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1586745,1587594,1587639,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1620932,1621453,1648840,1649001,1650310,1650320,1676654

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon May 11 09:32:13 2015
@@ -1,6 +1,15 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.30
 
+  *) mod_ssl: New directive SSLSessionTickets (On|Off).
+     The directive controls the use of TLS session tickets (RFC 5077),
+     default value is "On" (unchanged behavior).
+     Session ticket creation uses a random key created during web
+     server startup and recreated during restarts. No other key
+     recreation mechanism is available currently. Therefore using session
+     tickets without restarting the web server with an appropriate frequency
+     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
   *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
      compile against APR-1.2.x (minimum required version). [Yann Ylavic]
 

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon May 11 09:32:13 2015
@@ -101,20 +101,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Add SSLSessionTickets (on|off). [Rainer Jung]
-     It controls the use of TLS session tickets (RFC 5077).
-     Default is unchanged (on).
-     Using session tickets without restarting the web server with
-     an appropriate frequency (e.g. daily) compromises perfect forward
-     secrecy. As long as we do not have a nice key management
-     there needs to be a way to deactivate the use of session tickets.
-     trunk patch: http://svn.apache.org/r1650310
-                  http://svn.apache.org/r1650320
-     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-SSLSessionTickets-v2.patch
-     +1: ylavic, rjung, gsmith
-     rjung: Adjust compatibility note in docs.
-     ylavic: Done, thanks.
-
    * mod_log_config: Add new format flag for requestion duration in milliseconds
      trunk patch: http://svn.apache.org/r1675533
      2.2.x patch: https://people.apache.org/~breser/httpd/2.2.x/patches/httpd-2.2.x-req_duration_milliseconds.patch
(modulo CHANGES)

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Mon May 11 09:32:13 2015
@@ -1926,5 +1926,25 @@ CRIME attack).</p>
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLSessionTickets</name>
+<description>Enable or disable use of TLS session tickets</description>
+<syntax>SSLSessionTickets on|off</syntax>
+<default>SSLSessionTickets on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8f
+or later.</compatibility>
+
+<usage>
+<p>This directive allows to enable or disable the use of TLS session tickets
+(RFC 5077).</p>
+<note type="warning">
+<p>TLS session tickets are enabled by default. Using them without restarting
+the web server with an appropriate frequency (e.g. daily) compromises perfect
+forward secrecy.</p>
+</note>
+</usage>
+</directivesynopsis>
 
 </modulesynopsis>

Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Mon May 11 09:32:13 2015
@@ -159,6 +159,9 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(Compression, FLAG,
                 "Enable SSL level compression"
                 "(`on', `off')")
+    SSL_CMD_SRV(SessionTickets, FLAG,
+                "Enable or disable TLS session tickets"
+                "(`on', `off')")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                 "Enable support for insecure renegotiation")
     SSL_CMD_ALL(UserName, TAKE1,

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Mon May 11 09:32:13 2015
@@ -183,6 +183,7 @@ static SSLSrvConfigRec *ssl_config_serve
 #ifndef OPENSSL_NO_COMP
     sc->compression            = UNSET;
 #endif
+    sc->session_tickets        = UNSET;
 
     modssl_ctx_init_proxy(sc, p);
 
@@ -284,6 +285,7 @@ void *ssl_config_server_merge(apr_pool_t
 #ifndef OPENSSL_NO_COMP
     cfgMergeBool(compression);
 #endif
+    cfgMergeBool(session_tickets);
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -745,6 +747,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_TICKET
+    return "This version of OpenSSL does not support using "
+           "SSLSessionTickets.";
+#endif
+    sc->session_tickets = flag ? TRUE : FALSE;
+    return NULL;
+}
+
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Mon May 11 09:32:13 2015
@@ -595,6 +595,16 @@ static void ssl_init_ctx_protocol(server
     }
 #endif
 
+#ifdef SSL_OP_NO_TICKET
+    /*
+     * Configure using RFC 5077 TLS session tickets
+     * for session resumption.
+     */
+    if (sc->session_tickets == FALSE) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     if (sc->insecure_reneg == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=1678703&r1=1678702&r2=1678703&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Mon May 11 09:32:13 2015
@@ -531,6 +531,7 @@ struct SSLSrvConfigRec {
 #ifndef OPENSSL_NO_COMP
     BOOL             compression;
 #endif
+    BOOL             session_tickets;
 };
 
 /**
@@ -588,6 +589,7 @@ const char  *ssl_cmd_SSLCARevocationPath
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
+const char  *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);



Mime
View raw message