From c76016d3b8051f8e4f55cd547d29d4ac9ec33062 Mon Sep 17 00:00:00 2001

From: "Alan T. DeKok" <aland@freeradius.org>

Date: Mon, 8 May 2017 16:38:56 -0400

Subject: [PATCH] disable internal OpenSSL cache

(cherry picked from commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be)

---

 raddb/mods-available/eap  | 18 ++++++++----------

 raddb/sites-available/tls | 17 ++++++++---------

 src/main/tls.c            |  4 ++--

 3 files changed, 18 insertions(+), 21 deletions(-)

diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap

index 95ef66619..e51860ac2 100644

--- a/raddb/mods-available/eap

+++ b/raddb/mods-available/eap

@@ -352,6 +352,13 @@ eap {

 			#  Deleting the entire "cache" subsection

 			#  also disables caching.

 			#

+			#  As of version 3.0.4-8 (upstream 3.0.14), the

+			#  session cache requires the use of the "name" and

+			#  "persist_dir" configuration items, below.

+			#

+			#  The internal OpenSSL session cache has been

+			#  permanently disabled.

+			#

 			#  You can disallow resumption for a

 			#  particular user by adding the following

 			#  attribute to the control item list:

@@ -362,7 +369,7 @@ eap {

 			#  enable resumption for just one user

 			#  by setting the above attribute to "yes".

 			#

-			enable = yes

+			enable = no

 			#

 			#  Lifetime of the cached entries, in hours.

@@ -372,15 +379,6 @@ eap {

 			lifetime = 24 # hours

 			#

-			#  The maximum number of entries in the

-			#  cache.  Set to "0" for "infinite".

-			#

-			#  This could be set to the number of users

-			#  who are logged in... which can be a LOT.

-			#

-			max_entries = 255

-

-			#

 			#  Internal "name" of the session cache.

 			#  Used to distinguish which TLS context

 			#  sessions belong to.

diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls

index 1ba876745..df687584e 100644

--- a/raddb/sites-available/tls

+++ b/raddb/sites-available/tls

@@ -231,6 +231,14 @@ listen {

 		      #  Deleting the entire "cache" subsection

 		      #  Also disables caching.

 		      #

+		      #

+		      #  As of version 3.0.4-8 (upstream 3.0.14), the session

+		      #  cache requires the use of the "name" and

+		      #  "persist_dir" configuration items, below.

+		      #

+		      #  The internal OpenSSL session cache has been

+		      #  permanently disabled.

+		      #

 		      #  You can disallow resumption for a

 		      #  particular user by adding the following

 		      #  attribute to the control item list:

@@ -251,15 +259,6 @@ listen {

 		      lifetime = 24 # hours

 		      #

-		      #  The maximum number of entries in the

-		      #  cache.  Set to "0" for "infinite".

-		      #

-		      #  This could be set to the number of users

-		      #  who are logged in... which can be a LOT.

-		      #

-		      max_entries = 255

-

-		      #

 		      #  Internal "name" of the session cache.

 		      #  Used to distinguish which TLS context

 		      #  sessions belong to.

diff --git a/src/main/tls.c b/src/main/tls.c

index 42b538c4c..b790d2dc1 100644

--- a/src/main/tls.c

+++ b/src/main/tls.c

@@ -2489,9 +2489,9 @@ post_ca:

 		}

 		/*

-		 *	Cache it, and DON'T auto-clear it.

+		 *	Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.

 		 */

-		SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);

+		SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);

 		SSL_CTX_set_session_id_context(ctx,

 					       (unsigned char *) conf->session_context_id,

-- 

2.11.0