On Tue, Dec 28, 1999, Ryu Inada wrote:
> Dear Mr. Engelschall.
> Thank you for your rapid follow up and patch.
>
> I've checked your patch and it works fine.
>
> But I have 2 suggestions for the code.
> 1. MD5 always generates fixed-length (128 bit = 16 octets) hash data.
> So, patch for SSL_set_session_id_context() can be:
> SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, 16);
> This makes the code smaller and more efficient.
Efficiency is not decreased very much by a strlen() on a 32-byte-long string.
Instead, the magic value 32 (because it's special both inside ap_md5 _and_
SSL_set_session_id_context) just confuses this piece of code. So I'll
intentionally keep the strlen(cpVHostMD5) there.
> 2. Must check SSL_set_session_id_context()'s return value.
> Currently, the OpenSSL implementation restricts the SID context
> length to 32 octets, but in the future we cannot be certain of
> it.
> By checking the return value, we could easily clear up the reason
> for problems.
Ok, good suggestion. I've now adjusted the patch for this. Please review it
again and give me feedback whether it still works as expected (I'm currently
very busy and have no time for testing myself, sorry).
> If you add my name in CHANGES log, please add
> [EMAIL PROTECTED] also. He is investigating SSLed Apache on an
> NT box, and found out what was happening. I checked on a Solaris 7 box
> at the same time he did.
Done.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Index: mod_ssl.h
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.119
diff -u -r1.119 mod_ssl.h
--- mod_ssl.h 1999/11/24 11:28:10 1.119
+++ mod_ssl.h 1999/12/27 07:10:29
@@ -110,6 +110,7 @@
#include "http_core.h"
#include "http_log.h"
#include "scoreboard.h"
+#include "util_md5.h"
#include "fnmatch.h"
#undef CORE_PRIVATE
Index: ssl_engine_ext.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_ext.c,v
retrieving revision 1.29
diff -u -r1.29 ssl_engine_ext.c
--- ssl_engine_ext.c 1999/09/06 13:13:24 1.29
+++ ssl_engine_ext.c 1999/12/28 07:14:01
@@ -296,6 +296,7 @@
char *errmsg;
int rc;
char *cpVHostID;
+ char *cpVHostMD5;
if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PFALSE)
return NULL;
@@ -312,7 +313,13 @@
return errmsg;
}
SSL_clear(ssl);
- SSL_set_session_id_context(ssl, (unsigned char *)cpVHostID, strlen(cpVHostID));
+ cpVHostMD5 = ap_md5(r->pool, cpVHostID);
+ if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5,
+strlen(cpVHostMD5))) {
+ errmsg = ap_pstrcat(r->pool, "Unable to set session id context to `%s': ",
+cpVHostMD5,
+ ERR_reason_error_string(ERR_get_error()), NULL);
+ ap_ctx_set(fb->ctx, "ssl", NULL);
+ return errmsg;
+ }
SSL_set_fd(ssl, fb->fd);
ap_ctx_set(fb->ctx, "ssl", ssl);
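Review bot: the error message built in the new failure branch will not come out as intended: ap_pstrcat() concatenates its arguments verbatim and does no printf-style formatting, so the literal `%s' stays in the text and cpVHostMD5 is simply appended after "to `%s': ". Either use ap_psprintf(r->pool, "Unable to set session id context to `%s': %s", cpVHostMD5, ERR_reason_error_string(ERR_get_error())) or split the pieces for ap_pstrcat() as "Unable to set session id context to `", cpVHostMD5, "': ", .... Note also that ERR_reason_error_string() returns NULL when the error queue is empty, which ends the ap_pstrcat() argument list early, so the message would then lack a reason; ap_psprintf() with "%s" has the same NULL hazard, so guard it. Separately, this branch returns without releasing the SSL object that SSL_clear(ssl) was just called on; if the earlier "return errmsg" path in this function frees it, this one should call SSL_free(ssl) as well.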
Index: ssl_engine_kernel.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.114
diff -u -r1.114 ssl_engine_kernel.c
--- ssl_engine_kernel.c 1999/11/24 11:28:10 1.114
+++ ssl_engine_kernel.c 1999/12/28 07:13:40
@@ -134,6 +134,7 @@
SSL *ssl;
char *cp;
char *cpVHostID;
+ char *cpVHostMD5;
X509 *xs;
int rc;
int n;
@@ -186,7 +187,15 @@
return;
}
SSL_clear(ssl);
- SSL_set_session_id_context(ssl, (unsigned char *)cpVHostID, strlen(cpVHostID));
+ cpVHostMD5 = ap_md5(conn->pool, cpVHostID);
+ if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5,
+strlen(cpVHostMD5))) {
+ ssl_log(conn->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Unable to set session id context to `%s'", cpVHostMD5);
+ ap_ctx_set(fb->ctx, "ssl", NULL);
+ ap_bsetflag(fb, B_EOF|B_EOUT, 1);
+ conn->aborted = 1;
+ return;
+ }
SSL_set_app_data(ssl, conn);
apctx = ap_ctx_new(conn->pool);
ap_ctx_set(apctx, "ssl::request_rec", NULL);
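Review bot: the new failure branch clears the "ssl" context entry, marks the buffer EOF/EOUT and sets conn->aborted, but never calls SSL_free() on the SSL object that SSL_clear(ssl) was just applied to, so every connection that hits this path leaks one SSL structure; add SSL_free(ssl) before the return (mirroring whatever the preceding error path above does). The logging itself is sound: SSL_LOG_ERROR|SSL_ADD_SSLERR pulls the reason string from the OpenSSL error queue, so no hand-built message is needed here, unlike the proxy variant in ssl_engine_ext.c.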
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
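The two points argued in the thread above (that the hex MD5 from ap_md5 is always 32 characters, which happens to be exactly the session id context limit, and why the return value of SSL_set_session_id_context must be checked) as a small added model in Python. This is not code from the thread or from mod_ssl: ap_md5 and ssl_set_session_id_context below are stand-ins written here to mirror the Apache and OpenSSL calls, the 32-octet limit is taken from the discussion, and the extra `limit` parameter is an assumption added only to show what a smaller future limit would do.

```python
import hashlib

# Limit the thread refers to: a session id context may be at most 32 octets
# (OpenSSL's SSL_MAX_SID_CTX_LENGTH). Assumed here from the discussion.
SSL_MAX_SID_CTX_LENGTH = 32


def ap_md5(data):
    """Stand-in for Apache's ap_md5(): the hex-encoded MD5 digest.

    The raw digest is 16 octets; hex encoding doubles it to a fixed 32 characters,
    which is why strlen() on the result always equals the OpenSSL limit.
    """
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ssl_set_session_id_context(ssl, sid_ctx, limit=SSL_MAX_SID_CTX_LENGTH):
    """Stand-in for SSL_set_session_id_context(): 1 on success, 0 if too long.

    `ssl` is a plain dict standing in for the SSL structure. `limit` is a hypothetical
    knob so the caller can model a library whose maximum has shrunk.
    """
    if len(sid_ctx) > limit:
        return 0
    ssl["sid_ctx"] = bytes(sid_ctx)
    return 1


def setup_before(vhost_id, ssl):
    """Pre-patch behaviour: the raw virtual-host id is passed straight through and
    the return value is ignored, so an over-long id silently leaves the context unset."""
    raw = vhost_id.encode("utf-8")
    rc = ssl_set_session_id_context(ssl, raw)  # original code never looked at rc
    return rc, ssl.get("sid_ctx", b"")


def setup_after(vhost_id, ssl, limit=SSL_MAX_SID_CTX_LENGTH):
    """Patched behaviour: hash the id down to a fixed 32-character string and treat a
    zero return as a hard error, reporting which context value was rejected.
    Returns None on success or the error text on failure."""
    vhost_md5 = ap_md5(vhost_id)
    if not ssl_set_session_id_context(ssl, vhost_md5.encode("ascii"), limit):
        return "Unable to set session id context to `%s'" % vhost_md5
    return None


if __name__ == "__main__":
    # Constructed sample ids: one short, one longer than 32 octets.
    for vhost in ("localhost:443", "www.a-rather-long-virtual-host-name.example.com:443"):
        before = setup_before(vhost, {})
        after_ssl = {}
        err = setup_after(vhost, after_ssl)
        print(vhost, "| before:", before, "| after:", err or after_ssl["sid_ctx"])
    # A hypothetical library with a 16-octet limit is now reported instead of ignored.
    print(setup_after("localhost:443", {}, limit=16))
```

The "before" path shows the failure mode the reporters hit: a virtual-host id longer than 32 octets makes the call fail, nothing is logged, and the connection carries on with no session id context. The "after" path reduces every id to exactly 32 characters, and the explicit return check is what would surface a future change in the library limit instead of hiding it.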