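--- a/httpd-2.2.x/modules/ssl/ssl_private.h
+++ b/httpd-2.2.x/modules/ssl/ssl_private.h
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    ssl_enabled_t  session_tickets_enabled;
+#endif
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
     } rCtx;
@@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);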
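Review bot: The prototype added in the second hunk names its second parameter `cdfg`, while the definition in ssl_engine_config.c and every neighbouring prototype use `dcfg`; this looks like a transposition and should read `const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag);`. The new `session_tickets_enabled` field in the first hunk also deserves a one-line comment, since only an explicit `off` has any effect in ssl_engine_init.c (the UNSET and TRUE states leave OpenSSL's ticket handling untouched): `/* SSLSessionTicketExtension: only SSL_ENABLED_FALSE changes OpenSSL's default */`. The typedef'd struct holding the field starts before the hunk.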
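--- a/httpd-2.2.x/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_init.c
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+
+    /*
+     * Session tickets (stateless resumption)
+     */
+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "Disabling TLS session ticket support");
+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+    }
 }
 #endif
 
@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
 
     BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+    unsigned char *tlsext_tick_keys = NULL;
+    long tick_keys_len;
+#endif
+
     /*
      * Give out warnings when a server has HTTPS configured
      * for the HTTP port or vice versa
@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
                          ssl_util_vhostid(p, s),
                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
         }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+        /*
+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
+         * the same ticket encryption parameters for every SSL_CTX (workaround
+         * for SNI+SessionTicket extension interoperability issue in these versions)
+         */
+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
+            if (!tlsext_tick_keys) {
+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                                               (-1),(NULL));
+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
+            }
+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                           (tick_keys_len),(tlsext_tick_keys));
+        }
+#endif
     }
 
     /*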
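Review bot: The return value of `RAND_bytes()` in the third hunk is ignored, so if the PRNG is not seeded or fails the freshly pooled buffer is installed as the ticket encryption keys for every SSL_CTX with whatever apr_palloc() happened to hand back; the keys protect resumed sessions, so this should be fatal at startup like the other init failures in this file. The `long` returned by the length query is likewise passed straight to apr_palloc() without checking it is positive. Both are one-time checks inside the `if (!tlsext_tick_keys)` branch; the surrounding loop and ssl_init_CheckServers() itself begin and end outside the hunk.
```c
            if (!tlsext_tick_keys) {
                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
                                                               (-1),(NULL));
                /* a non-positive length or a failed RAND_bytes() would leave
                 * the shared ticket keys uninitialized; refuse to start */
                if (tick_keys_len <= 0) {
                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                                 "Unable to determine TLS session ticket key size");
                    ssl_die();
                }
                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
                if (RAND_bytes(tlsext_tick_keys, tick_keys_len) != 1) {
                    ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
                    ssl_die();
                }
            }
            /* … unchanged: SSL_CTX_ctrl() installing the keys on this SSL_CTX … */
```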
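--- a/httpd-2.2.x/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_config.c
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+    const char *err;
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+    return NULL;
+#else
+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+           "for TLS extensions. Refer to the documentation, and build "
+           "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {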
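Review bot: `ssl_cmd_SSLSessionTicketExtension` in the second hunk has no header comment, and nothing on the function says that the setting is global (it stores into `SSLModConfigRec` and rejects non-global contexts via `GLOBAL_ONLY`) or that the default `SSL_ENABLED_UNSET` set in the first hunk leaves OpenSSL's own ticket behaviour in place. A comment above the definition along the lines of `/* SSLSessionTicketExtension on|off: global only; the unset default leaves OpenSSL's ticket handling unchanged, only "off" disables it */` would prevent an operator-facing directive from being mistaken for a per-vhost one. The `dcfg` parameter is unused, which matches the neighbouring global-only handlers and needs no change.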
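--- a/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
+++ b/httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
                                  time I was too famous.''
                                            -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
     apr_array_header_t *names;
     int i;
     SSLConnRec *sslcon;
+    char *sid_ctx;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (!SSL_num_renegotiations(ssl)) {
+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+                                    sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+                                       APR_MD5_DIGESTSIZE*2);
+        }
 
         /*
          * Save the found server into our SSLConnRec for later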
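Review bot: The `SSL_set_session_id_context()` call in the third hunk discards its return value; the session id context is what keeps a session cached under one vhost from being resumed under another with different client-verification settings, so a silent failure here is worth surfacing even though the 32-byte hex digest fits the OpenSSL limit today. Wrapping it as `if (!SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx, APR_MD5_DIGESTSIZE*2)) {` `    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);` `}` keeps the failure visible in the error log, `s` being the server_rec already used in this function. The new block comment also spells "renegotiation" as "renegotation". `c` and `sc` are assigned outside the hunk, and ssl_find_vhost() starts and ends outside it.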
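--- a/httpd-2.2.x/modules/ssl/mod_ssl.c
+++ b/httpd-2.2.x/modules/ssl/mod_ssl.c
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
+                "TLS Session Ticket extension support")
 
     /*
      * Per-server context configuration directives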
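Review bot: The help string for the new `SessionTicketExtension` directive does not say that it is accepted in the global server context only, which the handler in ssl_engine_config.c enforces with `GLOBAL_ONLY`, nor that the value is an on/off switch. Since `-L`/`httpd -L` output is where operators first see this text, `"TLS Session Ticket extension support (global only, `on|off', default on)"` would state the contract; the "default on" wording assumes OpenSSL enables tickets when nothing is set, which the init hunk leaves to OpenSSL. The command table starts and ends outside the hunk.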