You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

47 lines
1.4 KiB

  1. Description: disable session caching in the server (as opposed to in the
  2. config, which would be way harder to get right) to address
  3. https://security-tracker.debian.org/tracker/CVE-2017-9148
  4. Author: Michael Stapelberg <stapelberg@debian.org>
  5. Forwarded: not-needed
  6. Last-Update: 2017-05-30
  7. ---
  8. --- a/src/main/tls.c
  9. +++ b/src/main/tls.c
  10. @@ -594,7 +594,7 @@ tls_session_t *tls_new_session(TALLOC_CT
  11. *
  12. * FIXME: Also do it every N sessions?
  13. */
  14. - if (conf->session_cache_enable &&
  15. + if (/*conf->session_cache_enable*/0 &&
  16. ((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) <= request->timestamp)){
  17. RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(conf->ctx));
  18. @@ -689,7 +689,7 @@ tls_session_t *tls_new_session(TALLOC_CT
  19. state->mtu = vp->vp_integer;
  20. }
  21. - if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */
  22. + if (/*conf->session_cache_enable*/0) state->allow_session_resumption = true; /* otherwise it's false */
  23. return state;
  24. }
  25. @@ -3277,7 +3277,7 @@ post_ca:
  26. /*
  27. * Callbacks, etc. for session resumption.
  28. */
  29. - if (conf->session_cache_enable) {
  30. + if (/*conf->session_cache_enable*/0) {
  31. /*
  32. * Cache sessions on disk if requested.
  33. */
  34. @@ -3347,7 +3347,7 @@ post_ca:
  35. /*
  36. * Setup session caching
  37. */
  38. - if (conf->session_cache_enable) {
  39. + if (/*conf->session_cache_enable*/0) {
  40. /*
  41. * Create a unique context Id per EAP-TLS configuration.
  42. */