From f0db61d2550918d8e59035546dcf15178d98ee46 Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Wed, 17 Nov 2010 19:07:50 +0100
Subject: Disable OpenSSL session caching if OpenSSL version < 1.0.0b. (Closes RADSECPROXY-14.)
---
 tlscommon.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tlscommon.c b/tlscommon.c
index 6d36ebb..b718ca2 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -227,6 +227,13 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
 debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
 return NULL;
 }
+#if OPENSSL_VERSION_NUMBER < 0x1000002f
+ debug(DBG_WARN, "%s: OpenSSL seems to be older than " "1.0.0b -- disabling OpenSSL session caching for context %p " "to avoid a TLS extension parsing race condition " "(http://openssl.org/news/secadv_20101116.txt).", __func__, ctx);
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+#endif
 if (conf->certkeypwd) {
 SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
-- 
cgit v1.1
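Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x1000002f` guard is decided by the headers present at build time, not by the libssl actually loaded at run time, so a binary built against 1.0.0b-or-newer headers but run with an older shared library keeps session caching on and gets no warning, while the reverse pairing disables caching needlessly. A runtime check keeps the mitigation tied to the library in use: replace the `#if`/`#endif` pair with `if (SSLeay() < 0x1000002fL) {` and `}` around the two statements, and add the `L` suffix so the literal has the same type as the version macro. The condition also fires for every 0.9.8 release, including the ones the linked advisory describes as already fixed, so on a patched 0.9.8 build the "older than 1.0.0b" message is misleading; a comment such as `/* Also disables caching on fixed 0.9.8 releases; see the advisory for the exact fixed versions */` would make that trade-off explicit. tlscreatectx begins before this hunk and continues after it.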