]> git.kaiwu.me - nginx.git/commit
projects / nginx.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fbcb0c8) | patch
SSL: adjusted session id context with dynamic certificates.
authorMaxim Dounin <mdounin@mdounin.ru>
Mon, 25 Feb 2019 13:42:54 +0000 (16:42 +0300)
committerMaxim Dounin <mdounin@mdounin.ru>
Mon, 25 Feb 2019 13:42:54 +0000 (16:42 +0300)
commitecfab06cb20959219c9aadc2ef59507488e4fa99
tree1a8a5da9c30639700d006f56851f69f77cd1fff2tree | snapshot
parentfbcb0c8a33c7168aad3b1474d4cd8cde3486e155commit | diff
SSL: adjusted session id context with dynamic certificates.

Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
src/event/ngx_event_openssl.c diff | blob | history
src/event/ngx_event_openssl.h diff | blob | history
src/http/modules/ngx_http_ssl_module.c diff | blob | history
src/mail/ngx_mail_ssl_module.c diff | blob | history
src/stream/ngx_stream_ssl_module.c diff | blob | history
nginx upstream