comparison src/http/modules/ngx_http_ssl_module.c @ 7465:6708bec13757

SSL: adjusted session id context with dynamic certificates. Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 25 Feb 2019 16:42:54 +0300
parents 180df83473a4
children 48c87377aabd
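--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -815,11 +815,11 @@
 if (conf->shm_zone == NULL) {
 conf->shm_zone = prev->shm_zone;
 }
 
 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
-conf->builtin_session_cache,
+conf->certificates, conf->builtin_session_cache,
 conf->shm_zone, conf->session_timeout)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }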
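Review bot: The new `conf->certificates` argument on line 820 has no comment saying that the session id context is now derived from the `ssl_certificate` values as configured rather than from loaded certificates, which is the security-relevant part of this call. Per the commit description this prevents incorrect session reuse only in most cases: server blocks whose `ssl_certificate` values are textually identical (for example the same variable expression) would presumably still share a context, so session separation should not be relied on as the only barrier between servers with different client-certificate verification settings. I would add `/* id context is built from ssl_certificate values as configured; identical values share sessions */` above the call, and confirm that ngx_ssl_session_cache() tolerates a NULL or empty `conf->certificates`, since its body is not shown here. The enclosing function starts and ends outside the hunk.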