static int openssl_ssl_ctx_flush_sessions(lua_State*L) { SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx"); long tm = luaL_checkinteger(L, 2); SSL_CTX_flush_sessions(ctx, tm); return 0; }
void SSLContext::flushSessionCache() { assert(_usage == SERVER_USE); Timestamp now; SSL_CTX_flush_sessions(_sslContext, static_cast<long>(now.epochTime())); }
void Context::flushSessionCache() { poco_assert (isForServerUse()); Poco::Timestamp now; SSL_CTX_flush_sessions(_pSSLContext, static_cast<long>(now.epochTime())); }
H2O_NORETURN static void *cache_cleanup_thread(void *_contexts) { SSL_CTX **contexts = _contexts; while (1) { size_t i; for (i = 0; contexts[i] != NULL; ++i) SSL_CTX_flush_sessions(contexts[i], time(NULL)); sleep(conf.lifetime / 4); } }
/* clear fds, close old ports */ void unbind_ports(void) { SERVICE_OPTIONS *opt; #ifdef HAVE_STRUCT_SOCKADDR_UN struct stat sb; /* buffer for stat */ #endif s_poll_init(fds); s_poll_add(fds, signal_pipe[0], 1, 0); for(opt=service_options.next; opt; opt=opt->next) { s_log(LOG_DEBUG, "Closing service [%s]", opt->servname); if(opt->option.accept && opt->fd!=INVALID_SOCKET) { if(opt->fd<(SOCKET)listen_fds_start || opt->fd>=(SOCKET)(listen_fds_start+systemd_fds)) closesocket(opt->fd); s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)", opt->servname, opt->fd); opt->fd=INVALID_SOCKET; #ifdef HAVE_STRUCT_SOCKADDR_UN if(opt->local_addr.sa.sa_family==AF_UNIX) { if(lstat(opt->local_addr.un.sun_path, &sb)) sockerror(opt->local_addr.un.sun_path); else if(!S_ISSOCK(sb.st_mode)) s_log(LOG_ERR, "Not a socket: %s", opt->local_addr.un.sun_path); else if(unlink(opt->local_addr.un.sun_path)) sockerror(opt->local_addr.un.sun_path); else s_log(LOG_DEBUG, "Socket removed: %s", opt->local_addr.un.sun_path); } #endif } else if(opt->exec_name && opt->connect_addr.names) { /* create exec+connect services */ /* FIXME: this is just a crude workaround */ /* is it better to kill the service? */ opt->option.retry=0; } /* purge session cache of the old SSL_CTX object */ /* this workaround won't be needed anymore after */ /* delayed deallocation calls SSL_CTX_free() */ if(opt->ctx) SSL_CTX_flush_sessions(opt->ctx, (long)time(NULL)+opt->session_timeout+1); s_log(LOG_DEBUG, "Service [%s] closed", opt->servname); } }
/* * call-seq: * ctx.flush_sessions(time | nil) -> self * */ static VALUE ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self) { VALUE arg1; SSL_CTX *ctx; time_t tm = 0; rb_scan_args(argc, argv, "01", &arg1); Data_Get_Struct(self, SSL_CTX, ctx); if (NIL_P(arg1)) { tm = time(0); } else if (rb_obj_is_instance_of(arg1, rb_cTime)) { tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0)); } else { rb_raise(rb_eArgError, "arg must be Time or nil"); } SSL_CTX_flush_sessions(ctx, (long)tm); return self; }
/* * Send an initial eap-tls request to the peer. * * Frame eap reply packet. * len = header + type + tls_typedata * tls_typedata = flags(Start (S) bit set, and no data) * * Once having received the peer's Identity, the EAP server MUST * respond with an EAP-TLS/Start packet, which is an * EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit * set, and no data. The EAP-TLS conversation will then begin, * with the peer sending an EAP-Response packet with * EAP-Type = EAP-TLS. The data field of that packet will * be the TLS data. * * Fragment length is Framed-MTU - 4. * * http://mail.frascone.com/pipermail/public/eap/2003-July/001426.html */ static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler) { int status; tls_session_t *ssn; eap_tls_t *inst; VALUE_PAIR *vp; int client_cert = TRUE; int verify_mode = 0; REQUEST *request = handler->request; inst = (eap_tls_t *)type_arg; handler->tls = TRUE; handler->finished = FALSE; /* * Manually flush the sessions every so often. If HALF * of the session lifetime has passed since we last * flushed, then flush it again. * * FIXME: Also do it every N sessions? */ if (inst->conf->session_cache_enable && ((inst->conf->session_last_flushed + (inst->conf->session_timeout * 1800)) <= request->timestamp)) { RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(inst->ctx)); SSL_CTX_flush_sessions(inst->ctx, request->timestamp); inst->conf->session_last_flushed = request->timestamp; } /* * If we're TTLS or PEAP, then do NOT require a client * certificate. * * FIXME: This should be more configurable. */ if (handler->eap_type != PW_EAP_TLS) { vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0); if (!vp) { client_cert = FALSE; } else { client_cert = vp->vp_integer; } } /* * Every new session is started only from EAP-TLS-START. * Before Sending EAP-TLS-START, open a new SSL session. * Create all the required data structures & store them * in Opaque. So that we can use these data structures * when we get the response */ ssn = eaptls_new_session(inst->ctx, client_cert); if (!ssn) { return 0; } /* * Verify the peer certificate, if asked. */ if (client_cert) { RDEBUG2("Requiring client certificate"); verify_mode = SSL_VERIFY_PEER; verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; verify_mode |= SSL_VERIFY_CLIENT_ONCE; } SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify); /* * Create a structure for all the items required to be * verified for each client and set that as opaque data * structure. * * NOTE: If we want to set each item sepearately then * this index should be global. */ SSL_set_ex_data(ssn->ssl, 0, (void *)handler); SSL_set_ex_data(ssn->ssl, 1, (void *)inst->conf); #ifdef HAVE_OPENSSL_OCSP_H SSL_set_ex_data(ssn->ssl, 2, (void *)inst->store); #endif ssn->length_flag = inst->conf->include_length; /* * We use default fragment size, unless the Framed-MTU * tells us it's too big. Note that we do NOT account * for the EAP-TLS headers if conf->fragment_size is * large, because that config item looks to be confusing. * * i.e. it should REALLY be called MTU, and the code here * should figure out what that means for TLS fragment size. * asking the administrator to know the internal details * of EAP-TLS in order to calculate fragment sizes is * just too much. */ ssn->offset = inst->conf->fragment_size; vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU, 0); if (vp && ((vp->vp_integer - 14) < ssn->offset)) { /* * Discount the Framed-MTU by: * 4 : EAPOL header * 4 : EAP header (code + id + length) * 1 : EAP type == EAP-TLS * 1 : EAP-TLS Flags * 4 : EAP-TLS Message length * (even if conf->include_length == 0, * just to be lazy). * --- * 14 */ ssn->offset = vp->vp_integer - 14; } handler->opaque = ((void *)ssn); handler->free_opaque = session_free; RDEBUG2("Initiate"); /* * Set up type-specific information. */ switch (handler->eap_type) { case PW_EAP_TLS: default: ssn->prf_label = "client EAP encryption"; break; case PW_EAP_TTLS: ssn->prf_label = "ttls keying material"; break; /* * PEAP-specific breakage. */ case PW_EAP_PEAP: /* * As it is a poorly designed protocol, PEAP uses * bits in the TLS header to indicate PEAP * version numbers. For now, we only support * PEAP version 0, so it doesn't matter too much. * However, if we support later versions of PEAP, * we will need this flag to indicate which * version we're currently dealing with. */ ssn->peap_flag = 0x00; /* * PEAP version 0 requires 'include_length = no', * so rather than hoping the user figures it out, * we force it here. */ ssn->length_flag = 0; ssn->prf_label = "client EAP encryption"; break; } if (inst->conf->session_cache_enable) { ssn->allow_session_resumption = 1; /* otherwise it's zero */ } /* * TLS session initialization is over. Now handle TLS * related handshaking or application data. */ status = eaptls_start(handler->eap_ds, ssn->peap_flag); RDEBUG2("Start returned %d", status); if (status == 0) return 0; /* * The next stage to process the packet. */ handler->stage = AUTHENTICATE; return 1; }