httpd-cvs mailing list archives

Subject svn commit: r1736186 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Date Tue, 22 Mar 2016 13:09:17 GMT
Author: ylavic
Date: Tue Mar 22 13:09:17 2016
New Revision: 1736186

mod_ssl: return non-ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).

However, the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb():
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:

    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters. Additionally it indicates that the session
    ticket is in a renewal period and should be replaced. The OpenSSL library
    will call cb again with an enc argument of 1 to set the new ticket (see
    RFC5077 3.3 paragraph 2).

    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters.

    This indicates that it was not possible to set/retrieve a session ticket
    and the SSL/TLS session will continue by negotiating a set of
    cryptographic parameters or using the alternate SSL/TLS resumption
    mechanism, session ids.
    If called with enc equal to 0 the library will call the cb again to get a
    new set of parameters.

less than 0
    This indicates an error.

So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).

Reported by: oknet on github, pull request #18.


Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Mar 22 13:09:17 2016
@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
                       "TLS session ticket key for %s successfully set, "
                       "creating new session ticket", sc->vhost_id);
-        return 0;
+        return 1;
     else if (mode == 0) {
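Review bot: the new `return 1;` is the documented success value for encryption mode (ctx and hctx set, session continues), but nothing at that line says so; a one-line comment pointing at the SSL_CTX_set_tlsext_ticket_key_cb() return semantics would stop a future reader from "fixing" it back to 0, which is exactly the ambiguity this change removes. Since the commit message notes that the 2/1/0 distinctions only matter for decryption, it is also worth confirming that every path in the following `else if (mode == 0)` branch returns one of the documented values (2 for renew, 1 for ok, 0 for no ticket, <0 for error) rather than relying on the same lenient check OpenSSL happens to apply today.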
