SSL: adjusted session id context with dynamic certificates.

Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical.
author: Maxim Dounin <mdounin@mdounin.ru> 2019-02-25 16:42:54 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2019-02-25 16:42:54 +0300
commit: ecfab06cb20959219c9aadc2ef59507488e4fa99 (patch)
tree: 1a8a5da9c30639700d006f56851f69f77cd1fff2 /src/http
parent: fbcb0c8a33c7168aad3b1474d4cd8cde3486e155 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 3134f0ec8..3bf122acb 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -817,7 +817,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     }
 
     if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
-                              conf->builtin_session_cache,
+                              conf->certificates, conf->builtin_session_cache,
                               conf->shm_zone, conf->session_timeout)
         != NGX_OK)
     {
author	Maxim Dounin <mdounin@mdounin.ru>	2019-02-25 16:42:54 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2019-02-25 16:42:54 +0300
commit	ecfab06cb20959219c9aadc2ef59507488e4fa99 (patch)
tree	1a8a5da9c30639700d006f56851f69f77cd1fff2 /src/http
parent	fbcb0c8a33c7168aad3b1474d4cd8cde3486e155 (diff)