[ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)

From: Stefan Bühler <stbuehler@web.de> git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2925 152afb58-edef-0310-8abb-c4023f1b3aa9
10 years ago · c8fbc16985
parent 18869bcfed
commit c8fbc16985
2 changed files with 9 additions and 0 deletions
--- a/1
+++ b/1
@ -11,6 +11,7 @@ NEWS
  * [stat-cache] FAM: fix use after free (CVE-2013-4560)
  * [stat-cache] fix FAM cleanup/fdevent handling
  * [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
+  * [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)

 - 1.4.33 - 2013-09-27
  * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex)
--- a/src/network.c
+++ b/src/network.c
@ -741,6 +741,14 @@ int network_init(server *srv) {
 			return -1;
 		}

+		/* completely useless identifier; required for client cert verification to work with sessions */
+		if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
+			log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
+				"failed to set session context",
+				ERR_error_string(ERR_get_error(), NULL));
+			return -1;
+		}
+
 		if (s->ssl_empty_fragments) {
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 			ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;