aboutsummaryrefslogtreecommitdiff
path: root/src/stream/ngx_stream_ssl_module.c
diff options
context:
space:
mode:
authorMaxim Dounin <mdounin@mdounin.ru>2019-02-25 16:42:54 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2019-02-25 16:42:54 +0300
commitecfab06cb20959219c9aadc2ef59507488e4fa99 (patch)
tree1a8a5da9c30639700d006f56851f69f77cd1fff2 /src/stream/ngx_stream_ssl_module.c
parentfbcb0c8a33c7168aad3b1474d4cd8cde3486e155 (diff)
downloadnginx-ecfab06cb20959219c9aadc2ef59507488e4fa99.tar.gz
nginx-ecfab06cb20959219c9aadc2ef59507488e4fa99.zip
SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical.
Diffstat (limited to 'src/stream/ngx_stream_ssl_module.c')
-rw-r--r--src/stream/ngx_stream_ssl_module.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 7e91d5bfe..9ab2c82be 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -766,7 +766,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
}
if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
- conf->builtin_session_cache,
+ conf->certificates, conf->builtin_session_cache,
conf->shm_zone, conf->session_timeout)
!= NGX_OK)
{
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-18 05:31:34 +0000