comparison src/mail/ngx_mail_ssl_module.c @ 7465:6708bec13757
SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.
To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration. This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 25 Feb 2019 16:42:54 +0300 |
parents | 46c0c7ef4913 |
children | 8981dbb12254 |
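--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -433,11 +433,11 @@
 if (conf->shm_zone == NULL) {
 conf->shm_zone = prev->shm_zone;
 }
 
 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
-conf->builtin_session_cache,
+conf->certificates, conf->builtin_session_cache,
 conf->shm_zone, conf->session_timeout)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }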
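Review bot: The new `conf->certificates` argument in the `ngx_ssl_session_cache()` call carries no comment, so the security purpose of passing it (deriving the session id context from the configured certificates to prevent the cross-server session reuse of CVE-2014-3616) is invisible at the call site. I would add `/* certificates feed the session id context; prevents session reuse across servers */` above the call. The hunk does not show whether `conf->certificates` can still be unset when this call is reached, and the callee is defined in another file, so it is worth confirming that an empty certificate list is tolerated there and does not leave different servers sharing one context. The enclosing function starts and ends outside the hunk.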