Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.h @ 7465:6708bec13757
SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.
To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration. This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 25 Feb 2019 16:42:54 +0300 |
parents | 180df83473a4 |
children | 9d2ad2fb4423 |
comparison
equal
deleted
inserted
replaced
7464:e970de27966a | 7465:6708bec13757 |
---|---|
190 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, | 190 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, |
191 ngx_uint_t enable); | 191 ngx_uint_t enable); |
192 ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, | 192 ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, |
193 ngx_uint_t enable); | 193 ngx_uint_t enable); |
194 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, | 194 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
195 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); | 195 ngx_array_t *certificates, ssize_t builtin_session_cache, |
196 ngx_shm_zone_t *shm_zone, time_t timeout); | |
196 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, | 197 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, |
197 ngx_array_t *paths); | 198 ngx_array_t *paths); |
198 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); | 199 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
199 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, | 200 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, |
200 ngx_uint_t flags); | 201 ngx_uint_t flags); |