mod_ssl: Calculate the MD5 digest used as the session context once per
authorJoe Orton <jorton@apache.org>
Mon, 4 May 2020 09:23:03 +0000 (09:23 +0000)
committerJoe Orton <jorton@apache.org>
Mon, 4 May 2020 09:23:03 +0000 (09:23 +0000)
vhost at startup, rather than building it for each new connection.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec):
  Replace vhost_id_len field with vhost_md5.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the
  sc->vhost_md5 hash here.

* modules/ssl/mod_ssl.c: Fail at compile time if the
  SSL_set_session_id_context() API constraint on context length is
  violated.
  (ssl_init_ssl_connection): Use sc->vhost_md5.

* modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5
  after renegotiation.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/ssl_private.h

index d5189341f102477fc382cb611669fd8e8da45290..2b9a27f201cc061b12647ec69108856d7e16a7bc 100644 (file)
@@ -589,12 +589,15 @@ static int ssl_engine_disable(conn_rec *c)
     return ssl_engine_set(c, NULL, 0, 0);
 }
 
+#if defined(SSL_MAX_SID_CTX_LENGTH) && (APR_MD5_DIGESTSIZE * 2) > SSL_MAX_SID_CTX_LENGTH
+#error APR digest length x2 exceeds SSL_MAX_SID_CTX_LENGTH
+#endif
+
 int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
 {
     SSLSrvConfigRec *sc;
     SSL *ssl;
     SSLConnRec *sslconn;
-    char *vhost_md5;
     int rc;
     modssl_ctx_t *mctx;
     server_rec *server;
@@ -635,14 +638,10 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
         return rc;
     }
 
-    vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
-                              sc->vhost_id_len);
-
-    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
-                                    APR_MD5_DIGESTSIZE*2))
-    {
+    if (!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
-                      "Unable to set session id context to '%s'", vhost_md5);
+                      "Unable to set session id context to '%s'",
+                      sc->vhost_md5);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
 
         c->aborted = 1;
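Review bot: The ap_log_cerror call on the new lines passes `sc->vhost_md5`, now typed `const unsigned char *`, to a `%s` conversion that expects `char *`; it works because ap_md5_binary returns a NUL-terminated hex string, but the pointer-signedness mismatch is what `-Wformat`/`-Wpointer-sign` will flag, so cast it: `(const char *)sc->vhost_md5`. The `#error` guard added above the function only fires when SSL_MAX_SID_CTX_LENGTH is visible at this point of the file, so a one-line comment such as `/* OpenSSL bounds the session id context; the hex digest must fit. Silently skipped on headers without the macro. */` would tell a reader the check is not exhaustive. ssl_init_ssl_connection's body continues outside the hunk.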
index f3d1e4a42732e451d5bc24d2312f97f1ef4fc2d1..b0faf55b82256de0f68aa46560b66c2ab0beaf4e 100644 (file)
@@ -209,7 +209,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
     sc->mc                     = NULL;
     sc->enabled                = SSL_ENABLED_UNSET;
     sc->vhost_id               = NULL;  /* set during module init */
-    sc->vhost_id_len           = 0;     /* set during module init */
     sc->session_cache_timeout  = UNSET;
     sc->cipher_server_pref     = UNSET;
     sc->insecure_reneg         = UNSET;
index 46330601f6af3e2427dbfd73f470759cb2ca2745..3ebad301d26c93e1182ce32cb91cf870722ebb63 100644 (file)
@@ -31,6 +31,7 @@
 #include "mod_ssl_openssl.h"
 #include "mpm_common.h"
 #include "mod_md.h"
+#include "util_md5.h"
 
 static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *,
                                           STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *);
@@ -287,8 +288,10 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
         /* Derive the vhost id only after potentially defaulting-on
          * sc->enabled since the port used may change. */
         sc->vhost_id = ssl_util_vhostid(p, s);
-        sc->vhost_id_len = strlen(sc->vhost_id);
-        
+        sc->vhost_md5 =
+            (unsigned char *)ap_md5_binary(p, (unsigned char *)sc->vhost_id,
+                                           strlen(sc->vhost_id));
+
         /* Fix up stuff that may not have been set.  If sc->enabled is
          * UNSET, then SSL is disabled on this vhost.  */
         if (sc->enabled == SSL_ENABLED_UNSET) {
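Review bot: The new assignment casts ap_md5_binary's result to `(unsigned char *)` while the field it lands in is declared `const unsigned char *`; casting to `(const unsigned char *)` matches the declaration and does not discard constness on the way. Since the value's shape is not obvious from the call (a hex string, of which `APR_MD5_DIGESTSIZE*2` bytes later become the SSL session id context), a comment on the line is worth adding: `/* hex digest of vhost_id; used as the per-vhost SSL session id context */`. ap_md5_binary's length parameter is narrower than `size_t`, so the `strlen()` result is narrowed implicitly here, as it was before through vhost_id_len; that is unchanged, just worth knowing. ssl_init_Module starts and ends outside the hunk.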
index 9787ae345edf1cf3e14e5bc14749b69d33498238..7c1811ea17fd78bc80a2cf29d4d940858e41ca95 100644 (file)
@@ -2556,11 +2556,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
          * a renegotiation.
          */
         if (SSL_num_renegotiations(ssl) == 0) {
-            unsigned char *sid_ctx =
-                (unsigned char *)ap_md5_binary(c->pool,
-                                               (unsigned char *)sc->vhost_id,
-                                               sc->vhost_id_len);
-            SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
+            SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2);
         }
 
         /*
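Review bot: The rewritten SSL_set_session_id_context call still discards its return value, whereas the equivalent call in ssl_init_ssl_connection logs the failure and aborts the connection; a failure here after an SNI-based vhost switch would presumably leave the connection with the previously set session id context, with nothing in the log. At minimum the error should be logged, e.g. `if (!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) {` / `    ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, s);` / `}`, using the `s` parameter of ssl_find_vhost. ssl_find_vhost starts and ends outside the hunk.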
index 779129e24b538a1f864e4485a33cb4ae5bb87b62..e5c8c0ccc5f4241ba0c9410bdcf134aac06da2c4 100644 (file)
@@ -765,7 +765,7 @@ struct SSLSrvConfigRec {
     SSLModConfigRec *mc;
     ssl_enabled_t    enabled;
     const char      *vhost_id;
-    int              vhost_id_len;
+    const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
     int              session_cache_timeout;
     BOOL             cipher_server_pref;
     BOOL             insecure_reneg;
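Review bot: The new vhost_md5 field has no initializer in ssl_config_server_new, where the commit only removes the old `sc->vhost_id_len = 0;` line (modules/ssl/ssl_engine_config.c hunk); if the record is allocated without zeroing, as the explicit `= NULL`/`UNSET` initializers next to it suggest, the pointer is indeterminate until ssl_init_Module runs. Add `sc->vhost_md5 = NULL; /* set during module init */` alongside `sc->vhost_id`. The field comment could also say what the value is rather than how it is computed: `/* hex MD5 of vhost_id (ap_md5_binary); APR_MD5_DIGESTSIZE*2 bytes of it form the SSL session id context; set during module init */`. The enclosing struct definition starts and ends outside the hunk.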