Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Received-SPF: pass (athena.apache.org: local policy)
Message-ID: <4AF554B4.2090807@velox.ch>
Date: Sat, 07 Nov 2009 12:06:28 +0100
From: Kaspar Brand <httpd-dev.2009@velox.ch>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: dev@httpd.apache.org
Subject: Re: [PATCH] mod_ssl: improving session caching for SNI configurations
References: <4AF14AEC.6060500@velox.ch> <4AF1A295.5040606@apache.org>
 <4AF1B2EC.9050301@velox.ch> <4AF1B6D0.6020009@apache.org>
 <4AF26C0D.2050802@velox.ch>
In-Reply-To: <4AF26C0D.2050802@velox.ch>
Content-Type: multipart/mixed;
 boundary="------------060406090005030304070606"

This is a multi-part message in MIME format.
--------------060406090005030304070606
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Kaspar Brand wrote:
> Does that sound reasonable? If so, I would prepare a new patch with
> SSL_CTX_set_tlsext_ticket_keys and the new config directive.

No reactions = no objections?

Would it perhaps be possible to piggyback onto Joe's reneg patch and get
this also into 2.2.15...? ;-)

Attached are updated patches for trunk and 2.2.x which:

- fix TLS session tickets for SNI configurations when OpenSSL versions
between 0.9.8f and 0.9.8l are used

- add a new (global) "SSLSessionTicketExtension" configuration directive
which allows controlling SSL_OP_NO_TICKET (defaulting to "on", i.e.
tickets are left enabled, but can be turned off if necessary)

- include the fix for the SNI callback which makes sure that the correct
session id context is set (to prevent improper session resumption).

Kaspar

--------------060406090005030304070606
Content-Type: text/plain;
 name="mod_ssl-sessioncaching.trunk.v2.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="mod_ssl-sessioncaching.trunk.v2.diff"

Index: httpd-trunk/modules/ssl/ssl_private.h
===================================================================
--- httpd-trunk/modules/ssl/ssl_private.h	(revision 833672)
+++ httpd-trunk/modules/ssl/ssl_private.h	(working copy)
@@ -405,6 +405,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    ssl_enabled_t  session_tickets_enabled;
+#endif
 
 #ifdef HAVE_OCSP_STAPLING
     const ap_socache_provider_t *stapling_cache;
@@ -585,6 +588,7 @@ const char  *ssl_cmd_SSLUserName(cmd_par
 const char  *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
Index: httpd-trunk/modules/ssl/ssl_engine_init.c
===================================================================
--- httpd-trunk/modules/ssl/ssl_engine_init.c	(revision 833672)
+++ httpd-trunk/modules/ssl/ssl_engine_init.c	(working copy)
@@ -363,6 +363,15 @@ static void ssl_init_server_check(server
                 "(theoretically shouldn't happen!)");
         ssl_die();
     }
+
+    /*
+     * Session tickets (stateless resumption)
+     */
+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "Disabling TLS session ticket support");
+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+    }
 }
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -1061,6 +1070,14 @@ void ssl_init_CheckServers(server_rec *b
 
     BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+#define TICK_KEYS_LEN   sizeof(((SSL_CTX *)0)->tlsext_tick_key_name) \
+                      + sizeof(((SSL_CTX *)0)->tlsext_tick_hmac_key) \
+                      + sizeof(((SSL_CTX *)0)->tlsext_tick_aes_key)
+    unsigned char tlsext_tick_keys[TICK_KEYS_LEN];
+    RAND_pseudo_bytes(tlsext_tick_keys, TICK_KEYS_LEN);
+#endif
+
     /*
      * Give out warnings when a server has HTTPS configured
      * for the HTTP port or vice versa
@@ -1085,6 +1102,18 @@ void ssl_init_CheckServers(server_rec *b
                          ssl_util_vhostid(p, s),
                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
         }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+        /*
+         * When using OpenSSL versions 0.9.8f through 0.9.8l, also configure
+         * the same key_name/hmac_key/aes_key combo for every SSL_CTX (workaround
+         * for SNI+SessionTicket extension interoperability issue in these versions)
+         */
+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
+            (sc->enabled == SSL_ENABLED_OPTIONAL))
+            SSL_CTX_set_tlsext_ticket_keys(sc->server->ssl_ctx,
+                                           tlsext_tick_keys, TICK_KEYS_LEN);   
+#endif
     }
 
     /*
Index: httpd-trunk/modules/ssl/ssl_engine_config.c
===================================================================
--- httpd-trunk/modules/ssl/ssl_engine_config.c	(revision 833672)
+++ httpd-trunk/modules/ssl/ssl_engine_config.c	(working copy)
@@ -80,6 +80,9 @@ SSLModConfigRec *ssl_config_global_creat
     mc->stapling_mutex_file            = NULL;
     mc->stapling_mutex                 = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1673,6 +1676,26 @@ const char *ssl_cmd_SSLStaplingForceURL(
 
 #endif /* HAVE_OCSP_STAPLING */
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+    const char *err;
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+    return NULL;
+#else
+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+           "for TLS extensions. Refer to the documentation, and build "
+           "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {
Index: httpd-trunk/modules/ssl/ssl_engine_kernel.c
===================================================================
--- httpd-trunk/modules/ssl/ssl_engine_kernel.c	(revision 833672)
+++ httpd-trunk/modules/ssl/ssl_engine_kernel.c	(working copy)
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -1980,6 +1981,7 @@ static int ssl_find_vhost(void *serverna
     apr_array_header_t *names;
     int i;
     SSLConnRec *sslcon;
+    char *sid_ctx;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -2044,6 +2046,21 @@ static int ssl_find_vhost(void *serverna
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (!SSL_num_renegotiations(ssl)) {
+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+                                    sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+                                       APR_MD5_DIGESTSIZE*2);
+        }
 
         /*
          * Save the found server into our SSLConnRec for later
Index: httpd-trunk/modules/ssl/mod_ssl.c
===================================================================
--- httpd-trunk/modules/ssl/mod_ssl.c	(revision 833672)
+++ httpd-trunk/modules/ssl/mod_ssl.c	(working copy)
@@ -70,6 +70,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "('startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
+                "TLS Session Ticket extension support")
 
     /*
      * Per-server context configuration directives
Index: httpd-trunk/docs/manual/mod/mod_ssl.xml
===================================================================
--- httpd-trunk/docs/manual/mod/mod_ssl.xml	(revision 833672)
+++ httpd-trunk/docs/manual/mod/mod_ssl.xml	(working copy)
@@ -1849,4 +1849,35 @@ certificate being validated references a
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLSessionTicketExtension</name>
+<description>Configure TLS session ticket extension support</description>
+<syntax>SSLSessionTicketExtension on|off</syntax>
+<default>SSLSessionTicketExtension on</default>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in Apache 2.2.15 and later</compatibility>
+
+<usage>
+<p>
+This directive configures support for TLS session tickets (stateless session
+resumption, cf. RFC 5077). Session tickets are enabled by default when mod_ssl
+is compiled against an OpenSSL version which includes this option. They can
+coexist with a stateful session cache (configured through
+<directive module="mod_ssl">SSLSessionCache</directive>);
+it is then up to the client to choose between stateful and stateless session
+resumption.</p>
+
+<p>
+Clients based on OpenSSL versions 0.9.8f through 0.9.8l are known to
+have problems (<code>parse tlsext</code> errors) when using the SNI and session
+ticket extensions at the same time. As a workaround for interoperability issues
+like these, this directive allows to completely turn off TLS session ticket support
+at the server side.</p>
+
+<example><title>Example</title>
+SSLSessionTicketExtension off
+</example>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>

--------------060406090005030304070606
Content-Type: text/plain;
 name="mod_ssl-sessioncaching.2.2.x.v2.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="mod_ssl-sessioncaching.2.2.x.v2.diff"

Index: httpd-2.2.x/modules/ssl/ssl_private.h
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    ssl_enabled_t  session_tickets_enabled;
+#endif
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
     } rCtx;
@@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
 const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+
+    /*
+     * Session tickets (stateless resumption)
+     */
+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "Disabling TLS session ticket support");
+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+    }
 }
 #endif
 
@@ -1018,6 +1027,14 @@ void ssl_init_CheckServers(server_rec *b
 
     BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+#define TICK_KEYS_LEN   sizeof(((SSL_CTX *)0)->tlsext_tick_key_name) \
+                      + sizeof(((SSL_CTX *)0)->tlsext_tick_hmac_key) \
+                      + sizeof(((SSL_CTX *)0)->tlsext_tick_aes_key)
+    unsigned char tlsext_tick_keys[TICK_KEYS_LEN];
+    RAND_pseudo_bytes(tlsext_tick_keys, TICK_KEYS_LEN);
+#endif
+
     /*
      * Give out warnings when a server has HTTPS configured
      * for the HTTP port or vice versa
@@ -1042,6 +1059,18 @@ void ssl_init_CheckServers(server_rec *b
                          ssl_util_vhostid(p, s),
                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
         }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+        /*
+         * When using OpenSSL versions 0.9.8f through 0.9.8l, also configure
+         * the same key_name/hmac_key/aes_key combo for every SSL_CTX (workaround
+         * for SNI+SessionTicket extension interoperability issue in these versions)
+         */
+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
+            (sc->enabled == SSL_ENABLED_OPTIONAL))
+            SSL_CTX_set_tlsext_ticket_keys(sc->server->ssl_ctx,
+                                           tlsext_tick_keys, TICK_KEYS_LEN);   
+#endif
     }
 
     /*
Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_config.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c	(working copy)
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+    const char *err;
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+    return NULL;
+#else
+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+           "for TLS extensions. Refer to the documentation, and build "
+           "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {
Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
     apr_array_header_t *names;
     int i;
     SSLConnRec *sslcon;
+    char *sid_ctx;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (!SSL_num_renegotiations(ssl)) {
+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+                                    sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+                                       APR_MD5_DIGESTSIZE*2);
+        }
 
         /*
          * Save the found server into our SSLConnRec for later
Index: httpd-2.2.x/modules/ssl/mod_ssl.c
===================================================================
--- httpd-2.2.x/modules/ssl/mod_ssl.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/mod_ssl.c	(working copy)
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
+                "TLS Session Ticket extension support")
 
     /*
      * Per-server context configuration directives
Index: httpd-2.2.x/docs/manual/mod/mod_ssl.xml
===================================================================
--- httpd-2.2.x/docs/manual/mod/mod_ssl.xml	(revision 833672)
+++ httpd-2.2.x/docs/manual/mod/mod_ssl.xml	(working copy)
@@ -1808,4 +1808,35 @@ SSLCryptoDevice ubsec
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLSessionTicketExtension</name>
+<description>Configure TLS session ticket extension support</description>
+<syntax>SSLSessionTicketExtension on|off</syntax>
+<default>SSLSessionTicketExtension on</default>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in Apache 2.2.15 and later</compatibility>
+
+<usage>
+<p>
+This directive configures support for TLS session tickets (stateless session
+resumption, cf. RFC 5077). Session tickets are enabled by default when mod_ssl
+is compiled against an OpenSSL version which includes this option. They can
+coexist with a stateful session cache (configured through
+<directive module="mod_ssl">SSLSessionCache</directive>);
+it is then up to the client to choose between stateful and stateless session
+resumption.</p>
+
+<p>
+Clients based on OpenSSL versions 0.9.8f through 0.9.8l are known to
+have problems (<code>parse tlsext</code> errors) when using the SNI and session
+ticket extensions at the same time. As a workaround for interoperability issues
+like these, this directive allows to completely turn off TLS session ticket support
+at the server side.</p>
+
+<example><title>Example</title>
+SSLSessionTicketExtension off
+</example>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>

--------------060406090005030304070606--