Klaus Demo nginx / ecfab06
SSL: adjusted session id context with dynamic certificates. Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. Maxim Dounin 3 years ago
5 changed file(s) with 31 addition(s) and 8 deletion(s).
5353 static void ngx_ssl_clear_error(ngx_log_t *log);
5454
5555 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
56 ngx_str_t *sess_ctx);
56 ngx_str_t *sess_ctx, ngx_array_t *certificates);
5757 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
5858 ngx_ssl_session_t *sess);
5959 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
30123012
30133013 ngx_int_t
30143014 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
3015 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
3015 ngx_array_t *certificates, ssize_t builtin_session_cache,
3016 ngx_shm_zone_t *shm_zone, time_t timeout)
30163017 {
30173018 long cache_mode;
30183019
30193020 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
30203021
3021 if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) {
3022 if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) {
30223023 return NGX_ERROR;
30233024 }
30243025
30843085
30853086
30863087 static ngx_int_t
3087 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
3088 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
3089 ngx_array_t *certificates)
30883090 {
30893091 int n, i;
30903092 X509 *cert;
30913093 X509_NAME *name;
3094 ngx_str_t *certs;
3095 ngx_uint_t k;
30923096 EVP_MD_CTX *md;
30933097 unsigned int len;
30943098 STACK_OF(X509_NAME) *list;
31303134 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
31313135 "EVP_DigestUpdate() failed");
31323136 goto failed;
3137 }
3138 }
3139
3140 if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL) {
3141
3142 /*
3143 * If certificates are loaded dynamically, we use certificate
3144 * names as specified in the configuration (with variables).
3145 */
3146
3147 certs = certificates->elts;
3148 for (k = 0; k < certificates->nelts; k++) {
3149
3150 if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) {
3151 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
3152 "EVP_DigestUpdate() failed");
3153 goto failed;
3154 }
31333155 }
31343156 }
31353157
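Review bot: The new dynamic-certificate branch in ngx_ssl_session_id_context() reads `certificates->elts` and `certificates->nelts` without checking `certificates` for NULL. The http, mail and stream call sites pass `conf->certificates` straight through, and nothing visible on this page guarantees it is non-NULL whenever no static certificate is attached to the SSL_CTX; if it can be NULL, configuration loading would crash here. I would guard the branch with `if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL && certificates != NULL) {`. The comment could also state that the digest covers the unexpanded directive values, so server blocks with identical `ssl_certificate` strings still share a session id context, which appears to be the residual case behind the description's "in most cases". The function body starts and ends outside the lines shown.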
191191 ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
192192 ngx_uint_t enable);
193193 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
194 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
194 ngx_array_t *certificates, ssize_t builtin_session_cache,
195 ngx_shm_zone_t *shm_zone, time_t timeout);
195196 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
196197 ngx_array_t *paths);
197198 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
816816 }
817817
818818 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
819 conf->builtin_session_cache,
819 conf->certificates, conf->builtin_session_cache,
820820 conf->shm_zone, conf->session_timeout)
821821 != NGX_OK)
822822 {
434434 }
435435
436436 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
437 conf->builtin_session_cache,
437 conf->certificates, conf->builtin_session_cache,
438438 conf->shm_zone, conf->session_timeout)
439439 != NGX_OK)
440440 {
765765 }
766766
767767 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
768 conf->builtin_session_cache,
768 conf->certificates, conf->builtin_session_cache,
769769 conf->shm_zone, conf->session_timeout)
770770 != NGX_OK)
771771 {