X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=tlscommon.c;h=13a140a62a17df22f5c75eec9390994a7102e2ca;hb=9549f9973de75afd51cabb5b50d66ff9a2866fb0;hp=6d36ebbb5528fde6534d7865465b7a8baccbfcc3;hpb=eff1f8d633fa2b07396e1d1f82043823d6916ba2;p=libradsec.git
diff --git a/tlscommon.c b/tlscommon.c
index 6d36ebb..13a140a 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2006-2009 Stig Venaas
+ * Copyright (C) 2010,2011 NORDUnet A/S
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -32,7 +33,6 @@
 #include
 #include
 #include "debug.h"
-#include "list.h"
 #include "hash.h"
 #include "util.h"
 #include "hostport.h"
@@ -203,6 +203,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
 static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
     SSL_CTX *ctx = NULL;
     unsigned long error;
+    long sslversion = SSLeay();
 
     switch (type) {
 #ifdef RADPROT_TLS
@@ -228,6 +229,15 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
         return NULL;
     }
 
+    if (sslversion < 0x00908100L ||
+        (sslversion >= 0x10000000L && sslversion < 0x10000020L)) {
+        debug(DBG_WARN, "%s: %s seems to be of a version with a "
+              "certain security critical bug (fixed in OpenSSL 0.9.8p and "
+              "1.0.0b). Disabling OpenSSL session caching for context %p.",
+              __func__, SSLeay_version(SSLEAY_VERSION), ctx);
+        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+    }
+
     if (conf->certkeypwd) {
         SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
         SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
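Review bot: The version thresholds in the new `if` in the last hunk are undocumented magic numbers whose meaning lives only in the log string, so a maintainer adjusting one side can silently desynchronise the other; a comment above the condition such as `/* OpenSSL version numbers are encoded MNNFFPPS: 0x00908100L is the first 0.9.8p build, 0x10000020L the first 1.0.0b build; anything below those (within its branch) carries the session-cache bug named in the warning */` would tie the constants to the message. Checking the runtime `SSLeay()` value rather than the compile-time `OPENSSL_VERSION_NUMBER` is the right choice because the library actually linked at run time is what matters, and that rationale deserves a one-line comment next to the declaration added in the third hunk. `SSLeay()` returns `unsigned long`, so that declaration would be more precise as `unsigned long sslversion = SSLeay();`, which also avoids a signed/unsigned conversion warning. tlscreatectx's body starts before the third hunk and continues past the last one.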