Bug 8572

Summary: This URL is too long for mod_ssl to have as the name of a website
Product: Apache httpd-2
Reporter: bernard.l.dubreuil
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P3    
Version: 2.0.35   
Target Milestone: ---   
Hardware: All   
OS: All   
URL: https://microlith.crrel.usace.army.mil:443

Description bernard.l.dubreuil 2002-04-26 22:26:14 UTC
This is the session contextid too long problem which apparently has already 
been fixed by the mod_ssl folks.  I'm fixing it temporarily by summarily 
truncating the name since my understanding is that the key just needs to be 
unique and does not have to match the name of the website.  mod_ssl has a more 
elegant solution using an md5 hash.  I'm requesting that you incorporate their 
current version of mod_ssl with apache 2.0.35 or 2.0.36 or whatever or please 
explain why it isn't there already.

Thanks!
Comment 1 Cliff Woolley 2002-04-29 23:02:12 UTC
Apache 2.0.35 was already mostly up-to-date with respect to mod_ssl 2.8.8-1.3.24.  Apache 
2.0.36 will contain the remaining changes.  Is the patch you refer to present in 2.8.8?  
If so, this should be fixed now in Apache 2.0.36.  If not, where is this patch? 
Comment 2 bernard.l.dubreuil 2002-04-30 14:50:35 UTC
If I look at the source code for mod_ssl 2.8.8-1.3.24 it does look like the md5 
change is in ssl_engine_kernel.c.  This ssl_engine_kernel.c was last changed on 
March 27, 2002 which is over a month ago.  So I'll accept your assertion that 
the fix will be in Apache 2.0.36.  Thanks!
Comment 3 Cliff Woolley 2002-04-30 16:31:23 UTC
Can you give me a specific line number?  I still can't find the change you're talking 
about in modssl 2.8.8 to be sure it's in Apache 2.0.36. 
Thanks! 
Comment 4 Cliff Woolley 2002-04-30 16:39:32 UTC
AHA!  Found it.  And it's not in yet for some strange reason.  Hmph.  Okay, well, I'll get 
the change committed today and *hopefully* it will be in 2.0.36, but the schedule is 
pretty tight on that. 
Comment 5 Cliff Woolley 2002-04-30 17:10:46 UTC
So apparently this is not NEW functionality in modssl 2.8.8, which is why I didn't find  
it before.  It's functionality that was removed between Apache 2.0.33 and 2.0.34 as a  
"minor performance improvement", obviously unaware of this unintended side-effect.  The  
following patch reverts to the MD5 behavior.  That change has been reverted.  Thanks for 
using Apache! 
Comment 6 Cliff Woolley 2002-04-30 17:12:21 UTC
===================================================================  
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v  
retrieving revision 1.63  
retrieving revision 1.64  
diff -u -r1.63 -r1.64  
--- httpd-2.0/modules/ssl/mod_ssl.c	2002/04/07 03:37:35	1.63  
+++ httpd-2.0/modules/ssl/mod_ssl.c	2002/04/30 17:10:12	1.64  
@@ -279,6 +279,7 @@  
     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);  
     SSL *ssl;  
     SSLConnRec *sslconn = myConnConfig(c);  
+    char *vhost_md5;  
     modssl_ctx_t *mctx;  
  
     /*  
@@ -334,12 +335,13 @@  
         return DECLINED; /* XXX */  
     }  
  
-    if (!SSL_set_session_id_context(ssl,  
-                                    (unsigned char *)sc->vhost_id,  
-                                    sc->vhost_id_len))  
+    vhost_md5 = ap_md5_binary(c->pool, sc->vhost_id, sc->vhost_id_len);  
+  
+    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,  
+                                    MD5_DIGESTSIZE*2))  
     {  
         ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,  
-                "Unable to set session id context to `%s'", sc->vhost_id);  
+                "Unable to set session id context to `%s'", vhost_md5);  
  
         c->aborted = 1;  
  
  
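Review bot: the ssl_log call at the end of this hunk now prints vhost_md5 in place of sc->vhost_id, so a failure is reported as a hex digest that an administrator cannot map back to a virtual host; log sc->vhost_id (or both values) there instead. The ap_md5_binary call also carries no comment saying that the hash exists to keep the session id context within the length limit this bug reports, which is the kind of note that would have flagged the earlier removal as more than a "minor performance improvement". Since sc->vhost_id is per-server, the digest could be computed once at configuration time and stored in SSLSrvConfigRec rather than recomputed from c->pool on every connection.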
Comment 7 bernard.l.dubreuil 2002-05-01 17:45:02 UTC
Well, at least I know what to do if it is not in 2.0.36.
Thanks!
Comment 8 Cliff Woolley 2002-05-01 18:01:43 UTC
It got tagged in to 2.0.36 today, so it _will_ be a part of that release.