Posted to cvs@httpd.apache.org by kb...@apache.org on 2011/12/07 10:41:51 UTC
svn commit: r1211352 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Author: kbrand
Date: Wed Dec 7 09:41:51 2011
New Revision: 1211352
URL: http://svn.apache.org/viewvc?rev=1211352&view=rev
Log:
Adjust the OpenSSL session id context for SNI configurations, so that
sessions are tied to the proper vhost (subset of a patch I originally
proposed in November 2009, cf. message with ID <4A...@velox.ch>).
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1211352&r1=1211351&r2=1211352&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Wed Dec 7 09:41:51 2011
@@ -29,6 +29,7 @@
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
+#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
#ifndef OPENSSL_NO_TLSEXT
@@ -2044,6 +2045,23 @@ static int ssl_find_vhost(void *serverna
}
/*
+ * Adjust the session id context. ssl_init_ssl_connection()
+ * always picks the configuration of the first vhost when
+ * calling SSL_new(), but we want to tie the session to the
+ * vhost we have just switched to. Again, we have to make sure
+ * that we're not overwriting a session id context which was
+ * possibly set in ssl_hook_Access(), before triggering
+ * a renegotation.
+ */
+ if (SSL_num_renegotiations(ssl) == 0) {
+ unsigned char *sid_ctx =
+ (unsigned char *)ap_md5_binary(c->pool,
+ (unsigned char *)sc->vhost_id,
+ sc->vhost_id_len);
+ SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
+ }
+
+ /*
* Save the found server into our SSLConnRec for later
* retrieval
*/
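Review bot: the return value of SSL_set_session_id_context() is discarded in the new block; it returns 0 when the supplied length exceeds SSL_MAX_SID_CTX_LENGTH (32 bytes), and the hex digest passed here (APR_MD5_DIGESTSIZE*2 = 32) sits exactly at that limit, so a check along the lines of `if (!SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2)) { /* log and fail the handshake */ }` would make a silent truncation or API change visible in the error log instead of leaving the session bound to the first vhost's context. Since ap_md5_binary() returns a NUL-terminated hex string (`char *`), the `(unsigned char *)` casts are fine, but the comment could state that the hex form is deliberately chosen to fill the maximum context length. Minor: "renegotation" in the added comment should read "renegotiation".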