Mercurial > hg > nginx

comparison src/mail/ngx_mail_ssl_module.c @ 7465:6708bec13757

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: adjusted session id context with dynamic certificates. Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 25 Feb 2019 16:42:54 +0300
parents 46c0c7ef4913
children 8981dbb12254
comparison
equal deleted inserted replaced
7464:e970de27966a 7465:6708bec13757
433 if (conf->shm_zone == NULL) { 433 if (conf->shm_zone == NULL) {
434 conf->shm_zone = prev->shm_zone; 434 conf->shm_zone = prev->shm_zone;
435 } 435 }
436 436
437 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, 437 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
438 conf->builtin_session_cache, 438 conf->certificates, conf->builtin_session_cache,
439 conf->shm_zone, conf->session_timeout) 439 conf->shm_zone, conf->session_timeout)
440 != NGX_OK) 440 != NGX_OK)
441 { 441 {
442 return NGX_CONF_ERROR; 442 return NGX_CONF_ERROR;
443 } 443 }