Description: disable session caching in the server (as opposed to in the config, which would be way harder to get right) to address https://security-tracker.debian.org/tracker/CVE-2017-9148 Author: Michael Stapelberg Forwarded: not-needed Last-Update: 2020-04-28 --- --- a/src/main/tls.c +++ b/src/main/tls.c @@ -675,7 +675,7 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU state->mtu = vp->vp_integer; } - if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */ + if (/*conf->session_cache_enable*/0) state->allow_session_resumption = true; /* otherwise it's false */ return state; } @@ -3332,7 +3332,7 @@ post_ca: /* * Callbacks, etc. for session resumption. */ - if (conf->session_cache_enable) { + if (/*conf->session_cache_enable*/0) { /* * Cache sessions on disk if requested. */ @@ -3402,7 +3402,7 @@ post_ca: /* * Setup session caching */ - if (conf->session_cache_enable) { + if (/*conf->session_cache_enable*/0) { /* * Create a unique context Id per EAP-TLS configuration. */ @@ -3571,7 +3571,7 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs) goto error; } - if (conf->session_cache_enable) { + if (/*conf->session_cache_enable*/0) { CONF_SECTION *subcs; CONF_ITEM *ci;