SSL: adjusted session id context with dynamic certificates.

Dynamic certificates re-introduce the problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
5 files changed
tree: 1a8a5da9c30639700d006f56851f69f77cd1fff2
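
A model of the behaviour the commit message describes, added here as an illustration; it is not code from this commit or from nginx. The `ServerBlock` class, the ticket layout, the key and the certificate paths are all constructed for the example, and the sketch assumes the context is a hash of the `ssl_certificate` values as written, with variables left unexpanded.

```python
import hashlib
import hmac

CTX_LEN = 20  # SHA-1 digest size


def session_id_context(cert_directives):
    """Hash ssl_certificate values as written; variables are not expanded."""
    h = hashlib.sha1()
    for value in cert_directives:
        h.update(value.encode() + b"\0")
    return h.digest()


class ServerBlock:
    def __init__(self, cert_directives, ticket_key):
        self.ctx = session_id_context(cert_directives)
        self.key = ticket_key  # stands in for ssl_session_ticket_key

    def _mac(self, state):
        return hmac.new(self.key, state, hashlib.sha256).digest()

    def issue_ticket(self, client):
        # The session state records the context it was created under.
        state = self.ctx + client.encode()
        return state + self._mac(state)

    def resume(self, ticket):
        state, mac = ticket[:-32], ticket[-32:]
        if not hmac.compare_digest(mac, self._mac(state)):
            return None  # wrong ticket key
        if not hmac.compare_digest(state[:CTX_LEN], self.ctx):
            return None  # context mismatch: fall back to a full handshake
        return state[CTX_LEN:].decode()


def demo():
    key = b"k" * 48  # constructed shared ticket key
    public = ServerBlock(["certs/public/$ssl_server_name.crt"], key)
    replica = ServerBlock(["certs/public/$ssl_server_name.crt"], key)
    admin = ServerBlock(["certs/admin/$ssl_server_name.crt"], key)
    ticket = public.issue_ticket("client-1")
    return {
        "same config, other machine": replica.resume(ticket),
        "different ssl_certificate": admin.resume(ticket),
    }


if __name__ == "__main__":
    print(demo())
```

In this model, two server blocks whose `ssl_certificate` values are textually identical get the same context, just as `replica` does, so keeping the directives distinct per virtual host is what separates their sessions.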