httpd-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Re: svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Date Thu, 10 Nov 2011 15:19:46 GMT
On Thu, Nov 10, 2011 at 12:14 AM, Rüdiger Plüm <ruediger.pluem@vodafone.com> wrote:
....
> Author: pquerna
> Date: Wed Nov  9 23:37:37 2011
> New Revision: 1200040
>
> URL: http://svn.apache.org/viewvc?rev=1200040&view=rev
> Log:
> Add support for RFC 5077 TLS Session tickets.  This adds two new directives:
>
> * SSLTicketKeyFile: To store the private information for the encryption of the ticket.
> * SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This
> enables key rotation across servers.
>
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
.....
> +const char *ssl_cmd_SSLTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *name, const
> char *path)
> +{
> +#ifdef HAVE_TLSEXT_TICKETS
> +    apr_status_t rv;
> +    apr_file_t *fp;
> +    apr_size_t len;
> +    char buf[TLSEXT_TICKET_KEYLEN];
> +    modssl_ticket_t* ticket = NULL;
> +    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> +
> +    rv = apr_file_open(&fp, path, APR_READ|APR_BINARY,
>
>
>
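Review bot: path is handed to apr_file_open unchanged, so a relative SSLTicketKeyFile value is resolved against the process working directory rather than ServerRoot; resolve it first with `ap_server_root_relative(cmd->pool, path)` and return an error string when that yields NULL. The visible part of the hunk stops at the apr_file_open call: since buf is sized to exactly TLSEXT_TICKET_KEYLEN, the read that fills it should require len == TLSEXT_TICKET_KEYLEN (a short or oversized key file is a configuration error, not a partial success), and buf should be cleared once its contents have been copied into ticket, because it holds the ticket encryption key material.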
> Why not use ap_server_root_relative on path first?

Fixed in r1200372.

....
> +
> +        memcpy(keyname, ticket->key_name, 16);
> +
> +        RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
> +
> +        memcpy(iv, iv, EVP_MAX_IV_LENGTH);
>
>
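Review bot: the result of RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH) is not checked; it returns 0 when the bytes it produced are not cryptographically strong, and since iv becomes the IV for encrypting the session ticket, this should be RAND_bytes(iv, EVP_MAX_IV_LENGTH) with the callback failing if it does not return 1. The following memcpy(iv, iv, EVP_MAX_IV_LENGTH) copies a buffer onto itself, which is both a no-op and an overlapping memcpy, and should be deleted. The literal 16 in memcpy(keyname, ticket->key_name, 16) would read better as a named constant for the RFC 5077 key_name length so it cannot drift from the size of ticket->key_name.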
> What is the purpose of this operation? Source and destination are the same.

Unneeded, no purpose. I had an earlier version of the code where I used
a temp local buffer to generate the IV, but later just wrote directly
into the parameter with RAND_pseudo_bytes.  Removed in r1200374.

....
> Regards
>
> Rüdiger

Thanks again,

Paul
