diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2019-02-25 16:42:54 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2019-02-25 16:42:54 +0300 |
| commit | ecfab06cb20959219c9aadc2ef59507488e4fa99 (patch) | |
| tree | 1a8a5da9c30639700d006f56851f69f77cd1fff2 /src/http/modules/ngx_http_proxy_module.c | |
| parent | fbcb0c8a33c7168aad3b1474d4cd8cde3486e155 (diff) | |
| download | nginx-ecfab06cb20959219c9aadc2ef59507488e4fa99.tar.gz nginx-ecfab06cb20959219c9aadc2ef59507488e4fa99.zip | |
SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.
To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration. This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
Diffstat (limited to 'src/http/modules/ngx_http_proxy_module.c')
0 files changed, 0 insertions, 0 deletions