Commit c7573784 authored by Yann Ylavic's avatar Yann Ylavic
Browse files

Merge r1200040, r1200372, r1200374, r1213380 from trunk.


r1200040 | pquerna | 2011-11-10 00:37:37 +0100 (Thu, 10 Nov 2011) | 5 lines

Add support for RFC 5077 TLS Session tickets.  This adds two new directives:

* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault To set the default, otherwise the first listed token is used.  This enables key rotation across servers.


r1200372 | pquerna | 2011-11-10 16:17:18 +0100 (Thu, 10 Nov 2011) | 4 lines

Apply ap_server_root_relative to the path used for the ticket secrets file.

Suggested by: Rüdiger Plüm


r1200374 | pquerna | 2011-11-10 16:19:15 +0100 (Thu, 10 Nov 2011) | 4 lines

Remove unneeded memcpy.

Spotted by: Rüdiger Plüm


r1213380 | kbrand | 2011-12-12 20:21:35 +0100 (Mon, 12 Dec 2011) | 9 lines

Streamline TLS session ticket key handling (added in r1200040):
- drop the SSLTicketKeyDefault directive, and only support a single
  ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
  remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680905 13f79535-47bb-0310-9956-ffa450edef68
parent c2b8e24b
Loading
Loading
Loading
Loading
+4 −0
Original line number Diff line number Diff line
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.30

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]

  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration). [William Rowe]
+0 −18
Original line number Diff line number Diff line
@@ -108,24 +108,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     ylavic: trunk/2.4.x not concerned, 2.2.x only.
     +1: ylavic, jkaluza, wrowe

   * mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]
     trunk patch: http://svn.apache.org/r1200040
                  http://svn.apache.org/r1200372
                  http://svn.apache.org/r1200374
                  http://svn.apache.org/r1213380
     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-SSLSessionTicketKeyFile.patch
     +1: ylavic, wrowe, rjung
     rjung: Minor nits you can IMHO apply as CTR:
            - in mod_ssl.c the info string for SessionTicketKeyFile contains
              '/path/to/file', whereas existing directives use `/path/to/file'.
              The first quotation mark is of different style.
            - enhance docs note about frequent key file rotation by info that one also needs
              to restart the web server in order for the changed file to take effect
              (either gracefully or not). Would be useful for 2.4/trunk as well
            - mention RFC 5077 in CHANGES

   * mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
+36 −0
Original line number Diff line number Diff line
@@ -1947,4 +1947,40 @@ forward secrecy.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLSessionTicketKeyFile</name>
<description>Persistent encryption/decryption key for TLS session tickets</description>
<syntax>SSLSessionTicketKeyFile <em>file-path</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8h or later</compatibility>
 
<usage>
<p>Optionally configures a secret key for encrypting and decrypting
TLS session tickets, as defined in
<a href="http://www.ietf.org/rfc/rfc5077.txt">RFC 5077</a>.
Primarily suitable for clustered environments where TLS sessions information
should be shared between multiple nodes. For single-instance httpd setups,
it is recommended to <em>not</em> configure a ticket key file, but to
rely on (random) keys generated by mod_ssl at startup, instead.</p>
<p>The ticket key file must contain 48 bytes of random data,
preferrably created from a high-entropy source. On a Unix-based system,
a ticket key file can be created as follows:</p>

<example>
dd if=/dev/random of=/path/to/file.tkey bs=1 count=48
</example>

<p>Ticket keys should be rotated (replaced) on a frequent basis,
as this is the only way to invalidate an existing session ticket -
OpenSSL currently doesn't allow to specify a limit for ticket lifetimes.</p>

<note type="warning">
<p>The ticket key file contains sensitive keying material and should
be protected with file permissions similar to those used for
<directive module="mod_ssl">SSLCertificateKeyFile</directive>.</p>
</note>
</usage>
</directivesynopsis>

</modulesynopsis>
+5 −0
Original line number Diff line number Diff line
@@ -114,6 +114,11 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(CertificateChainFile, TAKE1,
                "SSL Server CA Certificate Chain file "
                "(`/path/to/file' - PEM encoded)")
#ifdef HAVE_TLS_SESSION_TICKETS
    SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
                "TLS session ticket encryption/decryption key file (RFC 5077) "
                "('/path/to/file' - file with 48 bytes of random data)")
#endif
    SSL_CMD_ALL(CACertificatePath, TAKE1,
                "SSL CA Certificate path "
                "(`/path/to/dir' - contains PEM encoded files)")
+30 −0
Original line number Diff line number Diff line
@@ -110,6 +110,10 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
    mctx->pks                 = NULL;
    mctx->pkp                 = NULL;

#ifdef HAVE_TLS_SESSION_TICKETS
    mctx->ticket_key          = NULL;
#endif

    mctx->protocol            = SSL_PROTOCOL_ALL;

    mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@@ -158,6 +162,10 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
    mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));

    /* mctx->pks->... certs/keys are set during module init */

#ifdef HAVE_TLS_SESSION_TICKETS
    mctx->ticket_key = apr_pcalloc(p, sizeof(*mctx->ticket_key));
#endif
}

static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -257,6 +265,10 @@ static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,

    cfgMergeString(pks->ca_name_path);
    cfgMergeString(pks->ca_name_file);

#ifdef HAVE_TLS_SESSION_TICKETS
    cfgMergeString(ticket_key->file_path);
#endif
}

/*
@@ -874,6 +886,24 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd,
    return NULL;
}

#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
                                            void *dcfg,
                                            const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    sc->server->ticket_key->file_path = arg;

    return NULL;
}
#endif

#define NO_PER_DIR_SSL_CA \
    "Your ssl library does not have support for per-directory CA"

Loading