Blame SOURCES/httpd-2.4.6-r1650310.patch

008793
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
008793
index ca178ab..4580f1c 100644
008793
--- a/docs/manual/mod/mod_ssl.html.en
008793
+++ b/docs/manual/mod/mod_ssl.html.en
008793
@@ -57,6 +57,7 @@ to provide the cryptography engine.

008793
 
  • SSLCertificateKeyFile
  • 008793
     
  • SSLCipherSuite
  • 008793
     
  • SSLCompression
  • 008793
    +
  • SSLSessionTickets
  • 008793
     
  • SSLCryptoDevice
  • 008793
     
  • SSLEngine
  • 008793
     
  • SSLFIPS
  • 008793
    @@ -797,6 +798,26 @@ CRIME attack).

    008793
     
    008793
     
    008793
     
    008793
    +
    008793
    +
    top
    008793
    +
    008793
    +
    008793
    +Description:Enable or disable use of TLS session tickets
    008793
    +Syntax:SSLSessionTickets on|off
    008793
    +Default:SSLCompression on
    008793
    +Context:server config, virtual host
    008793
    +Status:Extension
    008793
    +Module:mod_ssl
    008793
    +Compatibility:Available.
    008793
    +
    008793
    +

    This directive allows to enable or disable the use of TLS session tickets(RFC 5077).

    008793
    +
    008793
    +

    TLS session tickets are enabled by default. Using them without restarting

    008793
    +the web server with an appropriate frequency (e.g. daily) compromises perfect
    008793
    +forward secrecy.

    008793
    +
    008793
    +
    008793
    +
    008793
     
    top
    008793
     
    008793
     
    008793
    diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
    008793
    index bbe1d20..4a8b661 100644
    008793
    --- a/modules/ssl/mod_ssl.c
    008793
    +++ b/modules/ssl/mod_ssl.c
    008793
    @@ -141,6 +141,9 @@ static const command_rec ssl_config_cmds[] = {
    008793
         SSL_CMD_SRV(Compression, FLAG,
    008793
                     "Enable SSL level compression"
    008793
                     "(`on', `off')")
    008793
    +    SSL_CMD_SRV(SessionTickets, FLAG,
    008793
    +                "Enable or disable TLS session tickets"
    008793
    +                "(`on', `off')")
    008793
         SSL_CMD_SRV(InsecureRenegotiation, FLAG,
    008793
                     "Enable support for insecure renegotiation")
    008793
         SSL_CMD_ALL(UserName, TAKE1,
    008793
    diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
    008793
    index 9530fcc..86a7f0f 100644
    008793
    --- a/modules/ssl/ssl_engine_config.c
    008793
    +++ b/modules/ssl/ssl_engine_config.c
    008793
    @@ -216,6 +216,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
    008793
     #ifndef OPENSSL_NO_COMP
    008793
         sc->compression            = UNSET;
    008793
     #endif
    008793
    +    sc->session_tickets        = UNSET;
    008793
     
    008793
         modssl_ctx_init_proxy(sc, p);
    008793
     
    008793
    @@ -346,6 +347,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
    008793
     #ifndef OPENSSL_NO_COMP
    008793
         cfgMergeBool(compression);
    008793
     #endif
    008793
    +    cfgMergeBool(session_tickets);
    008793
     
    008793
         modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
    008793
     
    008793
    @@ -720,6 +722,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
    008793
     #endif
    008793
     }
    008793
     
    008793
    +const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
    008793
    +{
    008793
    +    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    008793
    +#ifndef SSL_OP_NO_TICKET
    008793
    +    return "This version of OpenSSL does not support using "
    008793
    +           "SSLSessionTickets.";
    008793
    +#endif
    008793
    +    sc->session_tickets = flag ? TRUE : FALSE;
    008793
    +    return NULL;
    008793
    +}
    008793
    +
    008793
     const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
    008793
     {
    008793
     #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    008793
    diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
    008793
    index 568627f..672760c 100644
    008793
    --- a/modules/ssl/ssl_engine_init.c
    008793
    +++ b/modules/ssl/ssl_engine_init.c
    008793
    @@ -566,6 +566,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
    008793
         }
    008793
     #endif
    008793
     
    008793
    +#ifdef SSL_OP_NO_TICKET
    008793
    +    /*
    008793
    +     * Configure using RFC 5077 TLS session tickets
    008793
    +     * for session resumption.
    008793
    +     */
    008793
    +    if (sc->session_tickets == FALSE) {
    008793
    +        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
    008793
    +    }
    008793
    +#endif
    008793
    +
    008793
     #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    008793
         if (sc->insecure_reneg == TRUE) {
    008793
             SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
    008793
    diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
    008793
    index 0cc6d3f..b601316 100644
    008793
    --- a/modules/ssl/ssl_private.h
    008793
    +++ b/modules/ssl/ssl_private.h
    008793
    @@ -701,6 +701,7 @@ struct SSLSrvConfigRec {
    008793
     #ifndef OPENSSL_NO_COMP
    008793
         BOOL             compression;
    008793
     #endif
    008793
    +    BOOL             session_tickets;
    008793
     };
    008793
     
    008793
     /**
    008793
    @@ -756,6 +757,7 @@ const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
    008793
     const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
    008793
     const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
    008793
     const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
    008793
    +const char  *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
    008793
     const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
    008793
     const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
    008793
     const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);