6ebb5a2203
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
66 lines
2.4 KiB
Diff
66 lines
2.4 KiB
Diff
From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
|
|
From: Yann Ylavic <ylavic@apache.org>
|
|
Date: Tue, 22 Mar 2016 13:09:17 +0000
|
|
Subject: [PATCH] mod_ssl: return non ambigous value in
|
|
ssl_callback_SessionTicket() for encryption mode (we used to return 0,
|
|
OpenSSL documents returning 1 instead).
|
|
|
|
Practically this does not change anything since OpenSSL will only check for
|
|
>= 0 return value (non error) for encryption mode (the other possible return
|
|
values are only relevant for decryption mode).
|
|
|
|
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
|
|
states:
|
|
"
|
|
The return value of the cb function is used by OpenSSL to determine what
|
|
further processing will occur. The following return values have meaning:
|
|
|
|
2
|
|
This indicates that the ctx and hctx have been set and the session can
|
|
continue on those parameters. Additionally it indicates that the session
|
|
ticket is in a renewal period and should be replaced. The OpenSSL library
|
|
will call cb again with an enc argument of 1 to set the new ticket (see
|
|
RFC5077 3.3 paragraph 2).
|
|
|
|
1
|
|
This indicates that the ctx and hctx have been set and the session can
|
|
continue on those parameters.
|
|
|
|
0
|
|
This indicates that it was not possible to set/retrieve a session ticket
|
|
and the SSL/TLS session will continue by by negotiating a set of
|
|
cryptographic parameters or using the alternate SSL/TLS resumption
|
|
mechanism, session ids.
|
|
If called with enc equal to 0 the library will call the cb again to get a
|
|
new set of parameters.
|
|
|
|
less than 0
|
|
This indicates an error.
|
|
"
|
|
|
|
So 0 is not appropriate in our code, 1 is what we really want (and it won't
|
|
break if OpenSSL later changes its checks on the callback return value).
|
|
|
|
Reported by: oknet on github, pull request #18.
|
|
|
|
|
|
|
|
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
|
|
---
|
|
modules/ssl/ssl_engine_kernel.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
|
|
index 91da94c4f58..91d5e926d66 100644
|
|
--- a/modules/ssl/ssl_engine_kernel.c
|
|
+++ b/modules/ssl/ssl_engine_kernel.c
|
|
@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
|
|
"TLS session ticket key for %s successfully set, "
|
|
"creating new session ticket", sc->vhost_id);
|
|
|
|
- return 0;
|
|
+ return 1;
|
|
}
|
|
else if (mode == 0) {
|
|
/*
|