Tree - rpms/httpd - src.fedoraproject.org

rpms / httpd

Overview Files Commits Branches Forks Releases

Monitoring status:

Bugzilla Assignee:

Fedora:: luhliarik
EPEL:: luhliarik

Files

Commit: 6ebb5a2203de9f5cf7c3d9f9a1e7bf026cfa8dc2

Blob Blame History Raw

From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 22 Mar 2016 13:09:17 +0000
Subject: [PATCH] mod_ssl: return non ambigous value in
 ssl_callback_SessionTicket() for encryption mode (we used to return 0,
 OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).

However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:

2
    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters. Additionally it indicates that the session
    ticket is in a renewal period and should be replaced. The OpenSSL library
    will call cb again with an enc argument of 1 to set the new ticket (see
    RFC5077 3.3 paragraph 2).

1
    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters.

0
    This indicates that it was not possible to set/retrieve a session ticket
    and the SSL/TLS session will continue by by negotiating a set of
    cryptographic parameters or using the alternate SSL/TLS resumption
    mechanism, session ids.
    If called with enc equal to 0 the library will call the cb again to get a
    new set of parameters.

less than 0
    This indicates an error.
"

So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).

Reported by: oknet on github, pull request #18.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 91da94c4f58..91d5e926d66 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
                       "TLS session ticket key for %s successfully set, "
                       "creating new session ticket", sc->vhost_id);
 
-        return 0;
+        return 1;
     }
     else if (mode == 0) {
         /*

rpms / httpd

Source Code

Files