|
|
|
@ -401,8 +401,10 @@ static void mod_mbedtls_free_mbedtls (void)
|
|
|
|
|
{ |
|
|
|
|
if (!ssl_is_init) return; |
|
|
|
|
|
|
|
|
|
#ifdef MBEDTLS_SSL_SESSION_TICKETS |
|
|
|
|
mbedtls_platform_zeroize(session_ticket_keys, sizeof(session_ticket_keys)); |
|
|
|
|
stek_rotate_ts = 0; |
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
plugin_data * const p = plugin_data_singleton; |
|
|
|
|
mbedtls_ctr_drbg_free(&p->ctr_drbg); |
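Review bot: The wipe of `session_ticket_keys` carries no comment saying why `mbedtls_platform_zeroize()` is used rather than `memset()`; the distinction matters because a plain memset of memory that is never read again can be dropped by the optimizer, and a later maintainer should not "simplify" it. I would add above that line `/* wipe STEK material; zeroize is not elided like a dead-store memset() */`. The wipe also sits below `if (!ssl_is_init) return;`, so if the ticket keys can ever be populated before ssl_is_init is set they would survive this teardown — I cannot tell from the hunk whether that ordering is possible, so this is only worth confirming.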
|
|
|
@ -1395,8 +1397,14 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
|
|
|
|
|
"ssl.openssl.ssl-conf-cmd = (\"MinProtocol\" => \"SSLv3\")"); |
|
|
|
|
break; |
|
|
|
|
case 10:/* ssl.stek-file */ |
|
|
|
|
#ifdef MBEDTLS_SSL_SESSION_TICKETS |
|
|
|
|
if (!buffer_is_empty(cpv->v.b)) |
|
|
|
|
p->ssl_stek_file = cpv->v.b->ptr; |
|
|
|
|
#else |
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__, "MTLS: " |
|
|
|
|
"ssl.stek-file ignored; mbedtls library not built with " |
|
|
|
|
"support for SSL session tickets"); |
|
|
|
|
#endif |
|
|
|
|
break; |
|
|
|
|
default:/* should not happen */ |
|
|
|
|
break; |
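Review bot: `p->ssl_stek_file = cpv->v.b->ptr;` keeps a pointer into the config value rather than a copy, which is only safe if that buffer outlives the plugin data; the other string cases in this switch (outside the hunk) presumably follow the same convention, so a short comment such as `/* pointer into config value; valid for server lifetime */` would stop that from being re-examined on every read. Because the file at that path holds the session-ticket encryption keys, and anyone able to read it can decrypt resumed sessions, the code that later opens it — not in this hunk — should refuse a file that is group- or world-readable or not owned by the server user and log that the option was ignored, if it does not already. The `#else` branch's "ignored" message is a good pattern to reuse for that check.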
|
|
|
@ -2039,11 +2047,13 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_accept)
|
|
|
|
|
* overlap, and so renegotiation setting is not reset upon connection close. |
|
|
|
|
* Once enabled, renegotiation will remain so for this mbedtls_ssl_config. |
|
|
|
|
* mbedtls defaults to disable client renegotiation |
|
|
|
|
* (MBEDTLS_SSL_RENEGOTIATION_DISABLED) |
|
|
|
|
* (MBEDTLS_LEGACY_SSL_RENEGOTIATION_DISABLED) |
|
|
|
|
* and it is recommended to leave it disabled (lighttpd mbedtls default) */ |
|
|
|
|
#ifdef MBEDTLS_LEGACY_SSL_RENEGOTIATION_ENABLED |
|
|
|
|
if (!hctx->conf.ssl_disable_client_renegotiation) |
|
|
|
|
mbedtls_ssl_conf_renegotiation(s->ssl_ctx, |
|
|
|
|
MBEDTLS_SSL_RENEGOTIATION_ENABLED); |
|
|
|
|
mbedtls_legacy_ssl_conf_renegotiation(s->ssl_ctx, |
|
|
|
|
MBEDTLS_LEGACY_SSL_RENEGOTIATION_ENABLED); |
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON; |
|
|
|
|
} |
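Review bot: Switching on legacy renegotiation together with standard renegotiation (the `mbedtls_legacy_ssl_conf_renegotiation(...)` call) goes further than the option name `ssl_disable_client_renegotiation` suggests: leaving client renegotiation enabled is a different decision from accepting peers that lack the RFC 5746 secure-renegotiation extension, which is exactly the case the comment above says to leave disabled. Since `s->ssl_ctx` is shared and the comment notes the setting is never reset, the first connection taking this branch turns legacy renegotiation on for every later connection on that mbedtls_ssl_config. I would keep only `mbedtls_ssl_conf_renegotiation(s->ssl_ctx, MBEDTLS_SSL_RENEGOTIATION_ENABLED);` under the existing condition and gate the legacy call behind its own explicit option. Note also that the `#ifdef` tests the same identifier that is then passed as an argument; if that name is an enum constant rather than a preprocessor macro the whole block is silently compiled out, which is worth confirming against the mbedtls header. mod_mbedtls_handle_con_accept begins before this hunk.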
|
|
|
|