From e371a53443d7ec30b989cab712f758d46c9206e0 Mon Sep 17 00:00:00 2001
From: Kaspar Brand
Date: Wed, 7 Dec 2011 09:41:51 +0000
Subject: [PATCH] Adjust the OpenSSL session id context for SNI configurations, so that sessions are tied to the proper vhost (subset of a patch I originally proposed in November 2009, cf. message with ID <4AF85A18.1000205@velox.ch>).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1211352 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index cc3321f870..a3643d9783 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@ time I was too famous.'' -- Unknown */
 #include "ssl_private.h"
+#include "util_md5.h"
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2043,6 +2044,23 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 SSL_CTX_get_verify_callback(ssl->ctx));
 }
+ /*
+ * Adjust the session id context. ssl_init_ssl_connection()
+ * always picks the configuration of the first vhost when
+ * calling SSL_new(), but we want to tie the session to the
+ * vhost we have just switched to. Again, we have to make sure
+ * that we're not overwriting a session id context which was
+ * possibly set in ssl_hook_Access(), before triggering
+ * a renegotation.
+ */
+ if (SSL_num_renegotiations(ssl) == 0) {
+ unsigned char *sid_ctx =
+ (unsigned char *)ap_md5_binary(c->pool,
+ (unsigned char *)sc->vhost_id,
+ sc->vhost_id_len);
+ SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
+ }
+
 /*
 * Save the found server into our SSLConnRec for later
 * retrieval
-- 
2.40.0
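Review bot: The return value of SSL_set_session_id_context() is discarded in the added block of the second hunk, although OpenSSL rejects the call (returns 0) when the context is longer than SSL_MAX_SID_CTX_LENGTH, and the 32-byte value passed here sits exactly at that limit, so any later change to the digest width would leave the session silently bound to the first vhost's context — the cross-vhost resumption this commit sets out to prevent. Checking it, e.g. `if (!SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2))` followed by a logged error, or at minimum a comment such as `/* 32 hex chars: exactly SSL_MAX_SID_CTX_LENGTH, longer contexts are rejected */`, would make the constraint visible. The comment should also say that ap_md5_binary() yields a NUL-terminated hex string rather than raw digest bytes, since that is presumably why the length is APR_MD5_DIGESTSIZE*2 and not APR_MD5_DIGESTSIZE. `sc` appears to be assigned earlier in ssl_find_vhost(), whose body starts and ends outside the hunk.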