From c76016d3b8051f8e4f55cd547d29d4ac9ec33062 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 8 May 2017 16:38:56 -0400
Subject: [PATCH] disable internal OpenSSL cache
(cherry picked from commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be)
---
raddb/mods-available/eap | 18 ++++++++----------
raddb/sites-available/tls | 17 ++++++++---------
src/main/tls.c | 4 ++--
3 files changed, 18 insertions(+), 21 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 95ef66619..e51860ac2 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -352,6 +352,13 @@ eap {
# Deleting the entire "cache" subsection
# also disables caching.
#
+ # As of version 3.0.4-8 (upstream 3.0.14), the
+ # session cache requires the use of the "name" and
+ # "persist_dir" configuration items, below.
+ #
+ # The internal OpenSSL session cache has been
+ # permanently disabled.
+ #
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
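Review bot: The added comment says the cache "requires" the name and persist_dir items but not what happens when `enable = yes` is set without them — whether the server refuses to start or resumption is silently unavailable — and that is exactly what someone upgrading a config that predates this change needs to know from this hunk. If the parser rejects the combination, a line such as `# Setting enable = yes without both items is a configuration error.` settles it; if the items are simply ignored, say that instead. Since the persisted entries carry the state needed to resume a TLS session, it is also worth stating next to this requirement that persist_dir should be accessible only to the server user — confirm against the persist_dir description further down the subsection. The identical comment block is added to raddb/sites-available/tls in that file's first hunk, so the same wording applies there; the cache subsection itself continues beyond this hunk.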
@@ -362,7 +369,7 @@ eap {
# enable resumption for just one user
# by setting the above attribute to "yes".
#
- enable = yes
+ enable = no
#
# Lifetime of the cached entries, in hours.
@@ -372,15 +379,6 @@ eap {
lifetime = 24 # hours
#
- # The maximum number of entries in the
- # cache. Set to "0" for "infinite".
- #
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
- #
- max_entries = 255
-
- #
# Internal "name" of the session cache.
# Used to distinguish which TLS context
# sessions belong to.
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 1ba876745..df687584e 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -231,6 +231,14 @@ listen {
# Deleting the entire "cache" subsection
# Also disables caching.
#
+ #
+ # As of version 3.0.4-8 (upstream 3.0.14), the session
+ # cache requires the use of the "name" and
+ # "persist_dir" configuration items, below.
+ #
+ # The internal OpenSSL session cache has been
+ # permanently disabled.
+ #
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
@@ -251,15 +259,6 @@ listen {
lifetime = 24 # hours
#
- # The maximum number of entries in the
- # cache. Set to "0" for "infinite".
- #
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
- #
- max_entries = 255
-
- #
# Internal "name" of the session cache.
# Used to distinguish which TLS context
# sessions belong to.
diff --git a/src/main/tls.c b/src/main/tls.c
index 42b538c4c..b790d2dc1 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2489,9 +2489,9 @@ post_ca:
}
/*
- * Cache it, and DON'T auto-clear it.
+ * Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.
*/
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_session_id_context(ctx,
(unsigned char *) conf->session_context_id,
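Review bot: The rewritten comment states what the new flag does but not its consequence, which is the part a later reader needs: SSL_SESS_CACHE_NO_INTERNAL disables both internal lookup and internal store, so from this call on resumption works only through the external new/get session callbacks, and a context for which those are not registered (their setup is not visible in this hunk) performs a full handshake on every connection. I would replace the comment with `* Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache:` / `* with SSL_SESS_CACHE_NO_INTERNAL, resumption happens only through the external` / `* new/get session callbacks, so a context without them always does a full handshake.` Presumably SSL_SESS_CACHE_NO_AUTO_CLEAR is now redundant, since there is no internal store left to auto-clear; keeping it is harmless but a short note would stop the next reader from wondering. The enclosing function starts and ends outside the hunk, and the SSL_CTX_set_session_id_context call on the last line continues past it.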
--
2.11.0