From c8fbc16985e95f14c2a269073324f9b455584c6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Wed, 13 Nov 2013 17:18:39 +0000
Subject: [PATCH] [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Stefan Bühler
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2925 152afb58-edef-0310-8abb-c4023f1b3aa9
---
 NEWS | 1 +
 src/network.c | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/NEWS b/NEWS
index 69b01e64..747bcc15 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ NEWS
 * [stat-cache] FAM: fix use after free (CVE-2013-4560)
 * [stat-cache] fix FAM cleanup/fdevent handling
 * [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
+ * [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
 - 1.4.33 - 2013-09-27
 * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex)
diff --git a/src/network.c b/src/network.c
index 4b8f75f6..14f2ebdb 100644
--- a/src/network.c
+++ b/src/network.c
@@ -741,6 +741,14 @@ int network_init(server *srv) {
 return -1;
 }
+ /* completely useless identifier; required for client cert verification to work with sessions */
+ if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
+ "failed to set session context",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+
 if (s->ssl_empty_fragments) {
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
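Review bot: The comment added above the `SSL_CTX_set_session_id_context` call in the src/network.c hunk undersells what the value does: OpenSSL uses the session ID context as a scoping boundary, refusing to resume a session into an SSL_CTX whose verification requirements may differ, so it is not a "completely useless identifier". Suggest replacing it with `/* session ID context: OpenSSL will not resume a session carrying a client cert into a context that has none (SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); a fixed value is acceptable only while each SSL_CTX keeps its own session cache and ticket keys */`. Because the same constant `"lighttpd"` is applied to `s->ssl_ctx` here, if more than one SSL_CTX is configured by this function and a shared session cache or shared ticket keys were ever introduced, sessions established under one vhost's client-cert policy could be resumed under another; a per-vhost value (for example derived from the server name) would close that gap, and at minimum the comment should name the assumption. The enclosing network_init body starts and ends outside the hunk.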