|
 |
5fa452 |
From 4dd1bad726e993bcd43f16312acaf95596d35680 Mon Sep 17 00:00:00 2001
|
|
|
5fa452 |
From: "Alan T. DeKok" <aland@freeradius.org>
|
|
|
5fa452 |
Date: Mon, 8 May 2017 16:38:56 -0400
|
|
|
5fa452 |
Subject: [PATCH] disable internal OpenSSL cache
|
|
|
5fa452 |
|
|
|
5fa452 |
(cherry picked from commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be)
|
|
|
5fa452 |
---
|
|
|
5fa452 |
raddb/mods-available/eap | 18 ++++++++----------
|
|
|
5fa452 |
raddb/sites-available/abfab-tls | 3 ++-
|
|
|
5fa452 |
raddb/sites-available/tls | 17 ++++++++---------
|
|
|
5fa452 |
src/main/tls.c | 4 ++--
|
|
|
5fa452 |
4 files changed, 20 insertions(+), 22 deletions(-)
|
|
|
5fa452 |
|
|
|
5fa452 |
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
|
|
5fa452 |
index 9659db1cd..bfbfe710e 100644
|
|
|
5fa452 |
--- a/raddb/mods-available/eap
|
|
|
5fa452 |
+++ b/raddb/mods-available/eap
|
|
|
5fa452 |
@@ -382,6 +382,13 @@ eap {
|
|
|
5fa452 |
# Enable it. The default is "no". Deleting the entire "cache"
|
|
|
5fa452 |
# subsection also disables caching.
|
|
|
5fa452 |
#
|
|
|
5fa452 |
+ # As of version 3.0.13-4 (upstream 3.0.14), the
|
|
|
5fa452 |
+ # session cache requires the use of the "name" and
|
|
|
5fa452 |
+ # "persist_dir" configuration items, below.
|
|
|
5fa452 |
+ #
|
|
|
5fa452 |
+ # The internal OpenSSL session cache has been permanently
|
|
|
5fa452 |
+ # disabled.
|
|
|
5fa452 |
+ #
|
|
|
5fa452 |
# You can disallow resumption for a particular user by adding the
|
|
|
5fa452 |
# following attribute to the control item list:
|
|
|
5fa452 |
#
|
|
|
5fa452 |
@@ -390,7 +397,7 @@ eap {
|
|
|
5fa452 |
# If "enable = no" below, you CANNOT enable resumption for just one
|
|
|
5fa452 |
# user by setting the above attribute to "yes".
|
|
|
5fa452 |
#
|
|
|
5fa452 |
- enable = yes
|
|
|
5fa452 |
+ enable = no
|
|
|
5fa452 |
|
|
|
5fa452 |
#
|
|
|
5fa452 |
# Lifetime of the cached entries, in hours. The sessions will be
|
|
|
5fa452 |
@@ -399,15 +406,6 @@ eap {
|
|
|
5fa452 |
lifetime = 24 # hours
|
|
|
5fa452 |
|
|
|
5fa452 |
#
|
|
|
5fa452 |
- # The maximum number of entries in the
|
|
|
5fa452 |
- # cache. Set to "0" for "infinite".
|
|
|
5fa452 |
- #
|
|
|
5fa452 |
- # This could be set to the number of users
|
|
|
5fa452 |
- # who are logged in... which can be a LOT.
|
|
|
5fa452 |
- #
|
|
|
5fa452 |
- max_entries = 255
|
|
|
5fa452 |
-
|
|
|
5fa452 |
- #
|
|
|
5fa452 |
# Internal "name" of the session cache. Used to
|
|
|
5fa452 |
# distinguish which TLS context sessions belong to.
|
|
|
5fa452 |
#
|
|
|
5fa452 |
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
|
|
5fa452 |
index 79d74e6fc..5dbe143da 100644
|
|
|
5fa452 |
--- a/raddb/sites-available/abfab-tls
|
|
|
5fa452 |
+++ b/raddb/sites-available/abfab-tls
|
|
|
5fa452 |
@@ -24,7 +24,8 @@ listen {
|
|
|
5fa452 |
cache {
|
|
|
5fa452 |
enable = no
|
|
|
5fa452 |
lifetime = 24 # hours
|
|
|
5fa452 |
- max_entries = 255
|
|
|
5fa452 |
+ name = "abfab-tls"
|
|
|
5fa452 |
+# persist_dir = ${logdir}/abfab-tls
|
|
|
5fa452 |
}
|
|
|
5fa452 |
|
|
|
5fa452 |
require_client_cert = yes
|
|
|
5fa452 |
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
|
|
5fa452 |
index c9555e1c7..eb39c659e 100644
|
|
|
5fa452 |
--- a/raddb/sites-available/tls
|
|
|
5fa452 |
+++ b/raddb/sites-available/tls
|
|
|
5fa452 |
@@ -239,6 +239,14 @@ listen {
|
|
|
5fa452 |
# Deleting the entire "cache" subsection
|
|
|
5fa452 |
# Also disables caching.
|
|
|
5fa452 |
#
|
|
|
5fa452 |
+ #
|
|
|
5fa452 |
+ # As of version 3.0.13-4 (upstream 3.0.14), the session
|
|
|
5fa452 |
+ # cache requires the use of the "name" and
|
|
|
5fa452 |
+ # "persist_dir" configuration items, below.
|
|
|
5fa452 |
+ #
|
|
|
5fa452 |
+ # The internal OpenSSL session cache has been permanently
|
|
|
5fa452 |
+ # disabled.
|
|
|
5fa452 |
+ #
|
|
|
5fa452 |
# You can disallow resumption for a
|
|
|
5fa452 |
# particular user by adding the following
|
|
|
5fa452 |
# attribute to the control item list:
|
|
|
5fa452 |
@@ -259,15 +267,6 @@ listen {
|
|
|
5fa452 |
lifetime = 24 # hours
|
|
|
5fa452 |
|
|
|
5fa452 |
#
|
|
|
5fa452 |
- # The maximum number of entries in the
|
|
|
5fa452 |
- # cache. Set to "0" for "infinite".
|
|
|
5fa452 |
- #
|
|
|
5fa452 |
- # This could be set to the number of users
|
|
|
5fa452 |
- # who are logged in... which can be a LOT.
|
|
|
5fa452 |
- #
|
|
|
5fa452 |
- max_entries = 255
|
|
|
5fa452 |
-
|
|
|
5fa452 |
- #
|
|
|
5fa452 |
# Internal "name" of the session cache.
|
|
|
5fa452 |
# Used to distinguish which TLS context
|
|
|
5fa452 |
# sessions belong to.
|
|
|
5fa452 |
diff --git a/src/main/tls.c b/src/main/tls.c
|
|
|
5fa452 |
index a72be2b63..e992062dc 100644
|
|
|
5fa452 |
--- a/src/main/tls.c
|
|
|
5fa452 |
+++ b/src/main/tls.c
|
|
|
5fa452 |
@@ -2937,9 +2937,9 @@ post_ca:
|
|
|
5fa452 |
}
|
|
|
5fa452 |
|
|
|
5fa452 |
/*
|
|
|
5fa452 |
- * Cache it, and DON'T auto-clear it.
|
|
|
5fa452 |
+ * Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.
|
|
|
5fa452 |
*/
|
|
|
5fa452 |
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
|
|
|
5fa452 |
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);
|
|
|
5fa452 |
|
|
|
5fa452 |
SSL_CTX_set_session_id_context(ctx,
|
|
|
5fa452 |
(unsigned char *) conf->session_context_id,
|
|
|
5fa452 |
--
|
|
|
5fa452 |
2.11.0
|
|
|
5fa452 |
|