Formatting changes.

[radsecproxy.git] / tlscommon.c

diff --git a/tlscommon.c b/tlscommon.c
index 40ea180..109cef0 100644 (file)
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -1,10 +1,6 @@
-/*
- * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- */
+/* Copyright (c) 2006-2010, UNINETT AS
+ * Copyright (c) 2010-2012, NORDUnet A/S */
+/* See LICENSE for licensing information. */
 
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
 #include <signal.h>
@@ -32,7 +28,6 @@
 #include <openssl/md5.h>
 #include <openssl/x509v3.h>
 #include "debug.h"
-#include "list.h"
 #include "hash.h"
 #include "util.h"
 #include "hostport.h"
@@ -203,6 +198,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
 static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
     SSL_CTX *ctx = NULL;
     unsigned long error;
+    long sslversion = SSLeay();
 
     switch (type) {
 #ifdef RADPROT_TLS
@@ -228,6 +224,15 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
        return NULL;
     }
 
+    if (sslversion < 0x00908100L ||
+        (sslversion >= 0x10000000L && sslversion < 0x10000020L)) {
+        debug(DBG_WARN, "%s: %s seems to be of a version with a "
+             "certain security critical bug (fixed in OpenSSL 0.9.8p and "
+             "1.0.0b).  Disabling OpenSSL session caching for context %p.",
+             __func__, SSLeay_version(SSLEAY_VERSION), ctx);
+        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+    }
+
     if (conf->certkeypwd) {
        SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
        SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
@@ -635,3 +640,7 @@ int addmatchcertattr(struct clsrvconf *conf) {
 static void tlsdummy() {
 }
 #endif
+
+/* Local Variables: */
+/* c-file-style: "stroustrup" */
+/* End: */