radsecproxy-1.6.5.

[radsecproxy.git] / tlscommon.c

diff --git a/tlscommon.c b/tlscommon.c
index 6d36ebb..13a140a 100644 (file)
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no>
+ * Copyright (C) 2010,2011 NORDUnet A/S
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -32,7 +33,6 @@
 #include <openssl/md5.h>
 #include <openssl/x509v3.h>
 #include "debug.h"
-#include "list.h"
 #include "hash.h"
 #include "util.h"
 #include "hostport.h"
@@ -203,6 +203,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
 static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
     SSL_CTX *ctx = NULL;
     unsigned long error;
+    long sslversion = SSLeay();
 
     switch (type) {
 #ifdef RADPROT_TLS
@@ -228,6 +229,15 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
        return NULL;
     }
 
+    if (sslversion < 0x00908100L ||
+        (sslversion >= 0x10000000L && sslversion < 0x10000020L)) {
+        debug(DBG_WARN, "%s: %s seems to be of a version with a "
+             "certain security critical bug (fixed in OpenSSL 0.9.8p and "
+             "1.0.0b).  Disabling OpenSSL session caching for context %p.",
+             __func__, SSLeay_version(SSLEAY_VERSION), ctx);
+        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+    }
+
     if (conf->certkeypwd) {
        SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
        SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);