Adjust the OpenSSL session id context for SNI configurations, so that
authorKaspar Brand <kbrand@apache.org>
Wed, 7 Dec 2011 09:41:51 +0000 (09:41 +0000)
committerKaspar Brand <kbrand@apache.org>
Wed, 7 Dec 2011 09:41:51 +0000 (09:41 +0000)
sessions are tied to the proper vhost (subset of a patch I originally
proposed in November 2009, cf. message with ID <4AF85A18.1000205@velox.ch>).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1211352 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

index cc3321f8705378b0080ab8de260f576bedfa3d1e..a3643d9783f8bef0fd0e78348965af5505067b75 100644 (file)
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2043,6 +2044,23 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
 
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (SSL_num_renegotiations(ssl) == 0) {
+            unsigned char *sid_ctx =
+                (unsigned char *)ap_md5_binary(c->pool,
+                                               (unsigned char *)sc->vhost_id,
+                                               sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
+        }
+
         /*
          * Save the found server into our SSLConnRec for later
          * retrieval
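Review bot: The length passed on the SSL_set_session_id_context() line, `APR_MD5_DIGESTSIZE*2`, is only correct because ap_md5_binary() returns the hex-encoded digest (32 characters) rather than the 16 raw bytes its name suggests, and a reader checking bounds will stumble here; the call deserves a comment such as `/* ap_md5_binary() yields a hex string of 2*APR_MD5_DIGESTSIZE chars, which is exactly SSL_MAX_SID_CTX_LENGTH */`. Session resumption only works when this per-connection context matches the SSL_CTX-level one set at initialisation byte-for-byte (presumably in ssl_engine_init.c, not visible here), so deriving it through one shared helper instead of repeating the MD5-of-vhost_id recipe would keep the two from drifting. The return value of SSL_set_session_id_context() is discarded; it cannot fail for a 32-byte context, but a `(void)` cast or an assert makes that assumption explicit. The new comment also misspells "renegotiation" as "renegotation". ssl_find_vhost() begins and ends outside this hunk.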