
[TLS] init STEK even if time is 1970 (fixes #3075)

(thx DamienT)

x-ref:
  "TLS 1.3 with SessionTicket fail for the first 8 hours of 1970"
  https://redmine.lighttpd.net/issues/3075
master
Glenn Strauss 9 months ago
parent
commit
d50d4dc0e5
  1. 3
      src/mod_gnutls.c
  2. 4
      src/mod_mbedtls.c
  3. 2
      src/mod_openssl.c
  4. 2
      src/mod_wolfssl.c

3
src/mod_gnutls.c

@ -407,7 +407,8 @@ mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const ti
if (stek->expire_ts < cur_ts)
mod_gnutls_session_ticket_key_free();
}
else if (cur_ts - 86400 >= stek_rotate_ts) { /*(24 hours)*/
else if (cur_ts - 86400 >= stek_rotate_ts /*(24 hours)*/
|| 0 == stek_rotate_ts) {
mod_gnutls_session_ticket_key_rotate(srv);
stek_rotate_ts = cur_ts;
}
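Review bot: The new `0 == stek_rotate_ts` sentinel is re-armed by the `stek_rotate_ts = cur_ts;` store two lines below whenever cur_ts is exactly 0, so a clock reading the epoch itself would regenerate the key on every check instead of once. That is a far narrower window than the eight-hour one this commit fixes, but it is the same class of bug and is cheap to close by never storing 0 as a rotation time, e.g. `stek_rotate_ts = cur_ts ? cur_ts : 1;`. The `/*(24 hours)*/` comment now sits between the two halves of the condition and describes only the first; `/*(24 hours, or never rotated)*/` on the new line would read better. The enclosing if/else chain starts before the hunk.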

4
src/mod_mbedtls.c

@ -361,7 +361,9 @@ mod_mbedtls_session_ticket_key_check (plugin_data *p, const time_t cur_ts)
mbedtls_cipher_get_key_bitlen(&key->ctx),
MBEDTLS_ENCRYPT);
if (0 != rc) { /* expire key immediately if error occurs */
key->generation_time = cur_ts - ctx->ticket_lifetime - 1;
key->generation_time = cur_ts > ctx->ticket_lifetime
? cur_ts - ctx->ticket_lifetime - 1
: 0;
ctx->active = 1 - ctx->active;
}
mbedtls_platform_zeroize(stek, sizeof(tlsext_ticket_key_t));
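Review bot: The comment `/* expire key immediately if error occurs */` on the if line no longer holds unconditionally: when `cur_ts <= ctx->ticket_lifetime` the new code stores a generation_time of 0, which is within ticket_lifetime of cur_ts, so whether mbedTLS still treats the key as expired then depends on how the lifetime check consumes generation_time, which is not visible here. The clamp is still the right call if generation_time is unsigned, since the old expression would have wrapped to a huge value near the epoch. Worth stating that in place, e.g. `/* clamp to 0: generation_time must not underflow near the epoch */`, and confirming that the `ctx->active = 1 - ctx->active;` toggle alone is enough to retire the bad key in that case. mod_mbedtls_session_ticket_key_check continues on both sides of the hunk.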

2
src/mod_openssl.c

@ -446,7 +446,7 @@ mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts)
rotate = mod_openssl_session_ticket_key_file(p->ssl_stek_file);
tlsext_ticket_wipe_expired(cur_ts);
}
else if (cur_ts - 28800 >= stek_rotate_ts) /*(8 hours)*/
else if (cur_ts - 28800 >= stek_rotate_ts || 0 == stek_rotate_ts)/*(8 hrs)*/
rotate = mod_openssl_session_ticket_key_generate(cur_ts, cur_ts+86400);
if (rotate) {
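Review bot: The new `0 == stek_rotate_ts` sentinel depends on the value stored after a rotation never being 0 again; that store is not in the hunk (presumably inside the `if (rotate)` body that follows), and if it is a plain `stek_rotate_ts = cur_ts;` then a cur_ts of exactly 0 keeps the sentinel armed and regenerates the key on every check. Storing a non-zero marker at that site, e.g. `stek_rotate_ts = cur_ts ? cur_ts : 1;`, closes the corner. The trailing `/*(8 hrs)*/` comment now describes only half of the condition; `/*(8 hours, or never rotated)*/` would be clearer. The if/else chain and the rotate block both extend beyond the hunk.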

2
src/mod_wolfssl.c

@ -432,7 +432,7 @@ mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts)
rotate = mod_openssl_session_ticket_key_file(p->ssl_stek_file);
tlsext_ticket_wipe_expired(cur_ts);
}
else if (cur_ts - 28800 >= stek_rotate_ts) /*(8 hours)*/
else if (cur_ts - 28800 >= stek_rotate_ts || 0 == stek_rotate_ts)/*(8 hrs)*/
rotate = mod_openssl_session_ticket_key_generate(cur_ts, cur_ts+86400);
if (rotate) {
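Review bot: This hunk mirrors the mod_openssl change line for line, so the same corner applies: `0 == stek_rotate_ts` is only a reliable "never rotated" marker if the rotation-time store after `if (rotate)` (outside the hunk) can never write 0, which a bare `stek_rotate_ts = cur_ts;` would do at cur_ts == 0 and then rotate on every check. If the store is shared with the openssl module, fixing it once with `stek_rotate_ts = cur_ts ? cur_ts : 1;` covers both; otherwise both sites need it. The `/*(8 hrs)*/` comment should also mention the sentinel case. The enclosing function extends beyond the hunk on both sides.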
