diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2019-02-25 16:42:54 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2019-02-25 16:42:54 +0300 |
| commit | ecfab06cb20959219c9aadc2ef59507488e4fa99 (patch) | |
| tree | 1a8a5da9c30639700d006f56851f69f77cd1fff2 /src/http/modules/ngx_http_ssl_module.c | |
| parent | fbcb0c8a33c7168aad3b1474d4cd8cde3486e155 (diff) | |
| download | nginx-ecfab06cb20959219c9aadc2ef59507488e4fa99.tar.gz nginx-ecfab06cb20959219c9aadc2ef59507488e4fa99.zip | |
SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.
To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration. This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
Diffstat (limited to 'src/http/modules/ngx_http_ssl_module.c')
| -rw-r--r-- | src/http/modules/ngx_http_ssl_module.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 3134f0ec8..3bf122acb 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -817,7 +817,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) } if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, - conf->builtin_session_cache, + conf->certificates, conf->builtin_session_cache, conf->shm_zone, conf->session_timeout) != NGX_OK) { |