httpd/httpd-2.4.27-fixticketkeys.patch
Patrick Uiterwijk 6ebb5a2203 Backport patch for fixing ticket key usage
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2017-10-10 13:31:46 +02:00


From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 22 Mar 2016 13:09:17 +0000
Subject: [PATCH] mod_ssl: return non-ambiguous value in
ssl_callback_SessionTicket() for encryption mode (we used to return 0,
OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Reported by: oknet on github, pull request #18.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
---
modules/ssl/ssl_engine_kernel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 91da94c4f58..91d5e926d66 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
"TLS session ticket key for %s successfully set, "
"creating new session ticket", sc->vhost_id);
- return 0;
+ return 1;
}
else if (mode == 0) {
/*
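Review bot: returning 1 here brings the encryption branch in line with the callback contract quoted in the commit message, but the rest of ssl_callback_SessionTicket() should be checked for any other path that returns 0 while mode != 0, since in encryption mode 0 is documented as "could not set a ticket" and a genuine failure should return a negative value instead. The decryption branch that starts at `else if (mode == 0) {` is cut off in this hunk, so whether it returns 2 for a ticket encrypted under a key that is still accepted but no longer current (the renewal case in the quoted documentation) cannot be verified from the diff; worth confirming in review.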
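As an added example (not mod_ssl's or OpenSSL's code), the following C program models the SSL_CTX_set_tlsext_ticket_key_cb() return-value contract that the commit message quotes. The OpenSSL context types are replaced by small stand-ins, the key ring and all key material are constructed for the demonstration, and the function names (ticket_key_cb, issue_ticket, resume_with_ticket, key_ring_rotate) are this example's own. The callback returns 1 once the encryption contexts are set (the value the patch switches to), 2 when a ticket was protected with a still-accepted previous key so the library re-issues it under the current key, 0 for an unknown key name, and -1 when no key is configured; the "library side" functions interpret those values the way the quoted documentation describes, accepting any non-negative value in encryption mode as OpenSSL does.

```c
/*
 * Added example, not mod_ssl or OpenSSL code: a self-contained model of the
 * ticket-key callback contract. OpenSSL types are replaced by stand-ins so
 * the file builds without OpenSSL; all key material is constructed.
 */
#include <stdio.h>
#include <string.h>

#define KEY_NAME_LEN 16
#define RING_SIZE    2                  /* current key + one previous key */

typedef struct {
    unsigned char name[KEY_NAME_LEN];   /* public key name carried in the ticket */
    unsigned char aes_key[32];          /* would key the EVP_CIPHER_CTX */
    unsigned char hmac_key[32];         /* would key the HMAC_CTX */
} ticket_key_t;

/* Stand-ins for EVP_CIPHER_CTX / HMAC_CTX: they only record the chosen key. */
typedef struct { const ticket_key_t *key; } cipher_ctx_t;
typedef struct { const ticket_key_t *key; } hmac_ctx_t;

static ticket_key_t ring[RING_SIZE];    /* ring[0] is current, ring[1] previous */
static int ring_len = 0;
static unsigned int generation = 0;

/* Deterministic, constructed key material (NOT random, NOT for real use). */
static void fill(unsigned char *buf, size_t len, unsigned char seed)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(seed + i * 7);
}

/* Install a fresh current key and keep the old one for decryption only. */
void key_ring_rotate(void)
{
    if (ring_len > 0)
        ring[1] = ring[0];
    generation++;
    fill(ring[0].name, KEY_NAME_LEN, (unsigned char)generation);
    fill(ring[0].aes_key, sizeof ring[0].aes_key, (unsigned char)(generation + 100));
    fill(ring[0].hmac_key, sizeof ring[0].hmac_key, (unsigned char)(generation + 200));
    if (ring_len < RING_SIZE)
        ring_len++;
}

void key_ring_clear(void) { ring_len = 0; }

const ticket_key_t *key_ring_get(int i) { return i < ring_len ? &ring[i] : NULL; }

/* The callback, returning exactly the values the OpenSSL documentation lists. */
int ticket_key_cb(unsigned char key_name[KEY_NAME_LEN],
                  cipher_ctx_t *ctx, hmac_ctx_t *hctx, int enc)
{
    if (ring_len == 0)
        return -1;                      /* no key configured: an error */
    if (enc) {
        memcpy(key_name, ring[0].name, KEY_NAME_LEN);
        ctx->key = hctx->key = &ring[0];
        return 1;                       /* contexts set: 1, not 0 */
    }
    for (int i = 0; i < ring_len; i++) {
        if (memcmp(key_name, ring[i].name, KEY_NAME_LEN) == 0) {
            ctx->key = hctx->key = &ring[i];
            return i == 0 ? 1 : 2;      /* 2: valid but old key, ask for renewal */
        }
    }
    return 0;                           /* unknown name: full handshake / session id */
}

/* --- library side: how the return values are acted upon --- */
typedef enum { RESUME_RESUMED, RESUME_RENEWED, RESUME_FALLBACK, RESUME_ERROR } resume_result_t;

static unsigned char last_issued[KEY_NAME_LEN];
const unsigned char *last_issued_name(void) { return last_issued; }

/* New session: call with enc=1; like OpenSSL, any rc >= 0 counts as success. */
int issue_ticket(void)
{
    cipher_ctx_t ctx = {0};
    hmac_ctx_t hctx = {0};
    int rc = ticket_key_cb(last_issued, &ctx, &hctx, 1);
    return rc < 0 ? -1 : 0;
}

/* Resumption: call with enc=0 and dispatch on the documented return values. */
resume_result_t resume_with_ticket(const unsigned char name_in[KEY_NAME_LEN])
{
    cipher_ctx_t ctx = {0};
    hmac_ctx_t hctx = {0};
    unsigned char name[KEY_NAME_LEN];
    memcpy(name, name_in, KEY_NAME_LEN);
    int rc = ticket_key_cb(name, &ctx, &hctx, 0);
    if (rc < 0)
        return RESUME_ERROR;
    if (rc == 0)
        return RESUME_FALLBACK;
    if (rc == 2) {                      /* RFC 5077 3.3: re-issue under the current key */
        if (issue_ticket() < 0)
            return RESUME_ERROR;
        return RESUME_RENEWED;
    }
    return RESUME_RESUMED;
}

int main(void)
{
    key_ring_rotate();
    issue_ticket();
    printf("fresh ticket:   %d\n", resume_with_ticket(last_issued_name()));
    key_ring_rotate();
    printf("after rotation: %d\n", resume_with_ticket(last_issued_name()));
    printf("unknown key:    %d\n", resume_with_ticket((const unsigned char *)"unknown-key-name"));
    return 0;
}
```

The enum values print as 0 (resumed), 1 (renewed) and 2 (fallback) in that order. The renewal path is the one the patch's 0-versus-1 distinction protects: once 0 means "no ticket could be set" and 2 means "renew", a callback that returned 0 after a successful encryption-side setup would be indistinguishable from the failure case under a stricter library check.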