Updated Branches: refs/heads/master 581282d8b -> d75e933a1
TS-2372: update default SSL context options
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d7bb4cd3
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d7bb4cd3
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d7bb4cd3
Branch: refs/heads/master
Commit: d7bb4cd3c6ec6c1fc5e70251257e2e10e450c92f
Parents: 581282d
Author: James Peach <[email protected]>
Authored: Tue Nov 26 09:37:15 2013 -0800
Committer: James Peach <[email protected]>
Committed: Wed Dec 4 14:05:09 2013 -0800
----------------------------------------------------------------------
iocore/net/SSLConfig.cc | 18 ++++++++++++++++++
iocore/net/SSLNetVConnection.cc | 1 +
2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d7bb4cd3/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 72b7c42..d4e0b9e 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -164,6 +164,24 @@ SSLConfigParams::initialize()
 #endif
 }
+ // Enable ephemeral DH parameters for the case where we use a cipher with DH forward security.
+#ifdef SSL_OP_SINGLE_DH_USE
+ ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
+#endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ ssl_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
+ // Enable all SSL compatibility workarounds.
+ ssl_ctx_options |= SSL_OP_ALL;
+
+ // According to OpenSSL source, applications must enable this if they support the Server Name extension. Since
+ // we do, then we ought to enable this. Httpd also enables this unconditionally.
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ ssl_ctx_options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+#endif
+
 REC_ReadConfigStringAlloc(serverCertChainFilename, "proxy.config.ssl.server.cert_chain.filename");
 REC_ReadConfigStringAlloc(serverCertRelativePath, "proxy.config.ssl.server.cert.path");
 set_paths_helper(serverCertRelativePath, NULL, &serverCertPathOnly, NULL);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d7bb4cd3/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 9e477da..6bdb0da 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -466,6 +466,7 @@ SSLNetVConnection::free(EThread * t) {
 sslHandShakeComplete = false;
 sslClientConnection = false;
 npnSet = NULL;
+ npnEndPoint= NULL;
 if (from_accept_thread) {
 sslNetVCAllocator.free(this);
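Review bot: `ssl_ctx_options |= SSL_OP_ALL;` in this hunk also sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which OpenSSL documents as disabling its countermeasure for the CBC chosen-plaintext weakness in SSLv3/TLS 1.0, so enabling every workaround unconditionally trades a protocol hardening for interoperability with long-obsolete peers. Consider masking that bit, `ssl_ctx_options |= SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;`, or at least recording the trade-off in the "Enable all SSL compatibility workarounds" comment. Depending on the OpenSSL release, SSL_OP_ALL may also carry SSL_OP_LEGACY_SERVER_CONNECT, which is worth checking if these options are reused for any client-side (origin) SSL_CTX. The first comment overstates what the options do: SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE only request a fresh key per handshake and do not enable ephemeral DH by themselves, so suggest `// Use a fresh key for each DH/ECDH handshake (needs temporary DH/ECDH parameters configured on the context)`. SSLConfigParams::initialize() starts before this hunk and continues past it.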
