Changeset 796d9a3 in mod_gnutls for src/gnutls_proxy.c


Timestamp:
Jun 6, 2020, 8:06:05 AM (6 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, master
Children:
4f39196
Parents:
e6d9e47
Message:

Cache session tickets for proxy connections only when using TLS 1.3

TLS 1.3 provides forward secrecy for resumed sessions, TLS 1.2 does
not. The check has to happen before the check for
GNUTLS_SFLAGS_SESSION_TICKET because that flag doesn't seem to get set
for TLS 1.2 sessions, which would lead to misleading error
messages. The check for a cache comes first because it is the
simplest one.

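--- a/src/gnutls_proxy.c
+++ b/src/gnutls_proxy.c
@@ -309,4 +309,17 @@
 
     mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+
+    /* No cache means we cannot cache tickets. */
+    if (!ctxt->sc->cache_enable)
+        return GNUTLS_E_SUCCESS;
+
+    if (gnutls_protocol_get_version(ctxt->session) != GNUTLS_TLS1_3)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: session tickets for proxy connections are used "
+                      "only with TLS 1.3.", __func__);
+        return GNUTLS_E_SUCCESS;
+    }
+
     if (!(gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET))
     {
@@ -318,8 +331,4 @@
         return GNUTLS_E_SUCCESS;
     }
-
-    /* No cache means we cannot cache tickets. */
-    if (!ctxt->sc->cache_enable)
-        return GNUTLS_E_SUCCESS;
 
     gnutls_datum_t ticket;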
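Review bot: The new version check on line 316 queries `ctxt->session` while the handle lookup on line 310 and the flag check on line 324 use the `session` parameter; assuming both refer to the same GnuTLS session, `if (gnutls_protocol_get_version(session) != GNUTLS_TLS1_3)` keeps the block consistent and avoids relying on the handle's copy. The security rationale for the gate is stated only in the commit message and the debug log, so a comment above the check such as `/* Only TLS 1.3 keeps forward secrecy for resumed sessions; never cache TLS 1.2 tickets. */` would preserve it in the code. The enclosing function starts and ends outside the hunk.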