- Description: disable session caching in the server (as opposed to in the
- config, which would be way harder to get right) to address
- https://security-tracker.debian.org/tracker/CVE-2017-9148
- Author: Michael Stapelberg <stapelberg@debian.org>
- Forwarded: not-needed
- Last-Update: 2017-05-30
-
- ---
-
- --- a/src/main/tls.c
- +++ b/src/main/tls.c
- @@ -594,7 +594,7 @@ tls_session_t *tls_new_session(TALLOC_CT
- *
- * FIXME: Also do it every N sessions?
- */
- - if (conf->session_cache_enable &&
- + if (/*conf->session_cache_enable*/0 &&
- ((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) <= request->timestamp)){
- RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(conf->ctx));
-
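Review bot: Replacing the condition with `/*conf->session_cache_enable*/0 &&` makes the flush branch permanently dead without saying why, and the same substitution recurs in the hunks at 689 (`allow_session_resumption`), 3277 and 3347 (`post_ca:`). A maintainer reading tls.c later sees only a commented-out expression; the reason belongs beside the code, e.g. `/* Session caching is disabled unconditionally to mitigate CVE-2017-9148. */` above the `if`. Because `0 &&` short-circuits, `session_last_flushed` and `request->timestamp` are no longer read here and the RDEBUG2 flush message can never fire, which is presumably intended; a single named constant such as `#define TLS_SESSION_CACHE_ENABLE 0` defined once near the top of the file and used at all four sites would make that build-time policy explicit and greppable instead of four literal zeros. tls_new_session begins and ends outside this hunk.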
- @@ -689,7 +689,7 @@ tls_session_t *tls_new_session(TALLOC_CT
- state->mtu = vp->vp_integer;
- }
-
- - if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */
- + if (/*conf->session_cache_enable*/0) state->allow_session_resumption = true; /* otherwise it's false */
-
- return state;
- }
- @@ -3277,7 +3277,7 @@ post_ca:
- /*
- * Callbacks, etc. for session resumption.
- */
- - if (conf->session_cache_enable) {
- + if (/*conf->session_cache_enable*/0) {
- /*
- * Cache sessions on disk if requested.
- */
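Review bot: The `session_cache_enable` setting is still read from the configuration but now has no effect at any of the four sites, and nothing tells the operator that enabling the cache is ignored; this is the natural place to say so, since the resumption callbacks used to be registered here. Before the now-constant condition, add `if (conf->session_cache_enable) WARN("TLS session caching is disabled in this build (CVE-2017-9148); the session cache enable setting is ignored");` so a deployment that relied on resumption notices the change in its log rather than in a performance regression. This assumes the option remains in the CONF_PARSER table, which this patch does not touch — confirm there. The enclosing function, under whose `post_ca:` label this hunk sits, starts and ends outside the hunk.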
- @@ -3347,7 +3347,7 @@ post_ca:
- /*
- * Setup session caching
- */
- - if (conf->session_cache_enable) {
- + if (/*conf->session_cache_enable*/0) {
- /*
- * Create a unique context Id per EAP-TLS configuration.
- */