- Description: disable session caching in the server (as opposed to in the
- config, which would be way harder to get right) to address
- https://security-tracker.debian.org/tracker/CVE-2017-9148
- Author: Michael Stapelberg <stapelberg@debian.org>
- Forwarded: not-needed
- Last-Update: 2020-01-24
-
- ---
-
- --- a/src/main/tls.c
- +++ b/src/main/tls.c
- @@ -675,7 +675,7 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU
- state->mtu = vp->vp_integer;
- }
-
- - if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */
- + if (/*conf->session_cache_enable*/0) state->allow_session_resumption = true; /* otherwise it's false */
-
- return state;
- }
- @@ -3292,7 +3292,7 @@ post_ca:
- /*
- * Callbacks, etc. for session resumption.
- */
- - if (conf->session_cache_enable) {
- + if (/*conf->session_cache_enable*/0) {
- /*
- * Cache sessions on disk if requested.
- */
- @@ -3362,7 +3362,7 @@ post_ca:
- /*
- * Setup session caching
- */
- - if (conf->session_cache_enable) {
- + if (/*conf->session_cache_enable*/0) {
- /*
- * Create a unique context Id per EAP-TLS configuration.
- */
- @@ -3531,7 +3531,7 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
- goto error;
- }
-
- - if (conf->session_cache_enable) {
- + if (/*conf->session_cache_enable*/0) {
- CONF_SECTION *subcs;
- CONF_ITEM *ci;
-
|