From: Rainer Jung Date: Wed, 16 Jul 2014 06:04:38 +0000 (+0000) Subject: Extend the scope of SSLSessionCacheTimeout to sessions X-Git-Tag: 2.2.28~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2b5cb6c3f8ec9553179ef3c5fe5a86ab6c5885f;p=thirdparty%2Fapache%2Fhttpd.git Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1610914 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 60848d57b37..252f22ce23b 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,9 @@ Changes with Apache 2.2.28 Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick] + *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions + resumed by TLS session resumption (RFC 5077). [Rainer Jung] + *) mod_proxy_ajp: Forward local IP address as a custom request attribute like we already do for the remote port. [Rainer Jung] diff --git a/STATUS b/STATUS index 57bce868b42..738ec82baba 100644 --- a/STATUS +++ b/STATUS @@ -121,15 +121,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-cgid-script_timeout.diff +1: covener, trawick, ylavic - * mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions - resumed by TLS session resumption (RFC 5077). - trunk patch: http://svn.apache.org/r1610311 - 2.4.x patch: Trunk patch works modulo CHANGES - and compatibility note. - 2.2.x patch: http://people.apache.org/~rjung/patches/mod_ssl_session_resumption_timeout-2.2.patch - +1: rjung, ylavic, covener - - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 600b6a2c4df..c9c795eabed 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -463,11 +463,13 @@ in the Session Cache SSLSessionCacheTimeout 300 server config virtual host +Applies also to RFC 5077 TLS session resumption in Apache 2.2.28 and later

This directive sets the timeout in seconds for the information stored in the -global/inter-process SSL Session Cache and the OpenSSL internal memory cache. +global/inter-process SSL Session Cache, the OpenSSL internal memory cache and +for sessions resumed by TLS session resumption (RFC 5077). It can be set as low as 15 for testing, but should be set to higher values like 300 in real life.

Example diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index d8b4802cd96..2c7b90072fe 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1264,6 +1264,10 @@ static void ssl_init_server_ctx(server_rec *s, ssl_init_ctx(s, p, ptemp, sc->server); ssl_init_server_certs(s, p, ptemp, sc->server); + + SSL_CTX_set_timeout(sc->server->ssl_ctx, + sc->session_cache_timeout == UNSET ? + SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout); } /*