Apache 2.x : Terminate SSL Session from own module ?

on 24.10.2006 15:53:17 by Serge Hauser

Hi all,

I try to terminate a session in my own module by setting the creation
time and flushing the cache; unfortunately, on the next request from the
same client I get the same session again (actually it seems to take it
from the cache, ignoring the openssl session cache attributes).

Is there any way I can force mod_ssl to explicitly invalidate a session
so it will get deleted from the cache as well?

The code I use is basically:

r->connection->keepalive = -1;
ssl_sess = SSL_get_session(ssl);
ssl_ctx = SSL_get_SSL_CTX(ssl);
SSL_CTX_remove_session(ssl_ctx, ssl_sess);
SSL_SESSION_set_time(ssl_sess, 0);
SSL_CTX_flush_sessions(ssl_ctx, time(0));
ssl_sess->not_resumable = 1;


Does anyone have a hint for me as to what I am doing wrong or what I additionally
need to do to get rid of the session?

thanks
Serge

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache 2.x : Terminate SSL Session from own module ?

on 26.10.2006 13:31:36 by Serge Hauser

Hi all,

never mind, I'm using ssl_scache_remove() now to invalidate the session;
that's working perfectly.

mod_ssl stores a copy of the session in the cache, so any changes to the
session object are lost when it gets retrieved from the cache again. I
also noticed the openssl cache operation callback functions don't seem to
work. (openssl 0.97)

serge
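
The behaviour described in the message above, modelled as an added example (not code from this thread, mod_ssl or OpenSSL): a cache that keeps serialized copies ignores later edits to the live session object, so only removal by session ID stops resumption. `sess_t`, `cache_store`, `cache_retrieve`, `cache_remove` and `resumes_after_logout` are hypothetical names, and the session values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a TLS session; not OpenSSL's SSL_SESSION. */
typedef struct { unsigned char id[4]; long created, timeout; int not_resumable; } sess_t;
/* Toy external cache of serialized COPIES; the ID is the first 4 bytes of a blob. */
#define SLOTS 8
static struct { int used; unsigned char blob[sizeof(sess_t)]; } cache[SLOTS];
static int find(const unsigned char *id) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && memcmp(cache[i].blob, id, 4) == 0) return i;
    return -1;
}
/* After the handshake: snapshot the session bytes into a free slot. */
int cache_store(const sess_t *s) {
    for (int i = 0; i < SLOTS; i++)
        if (!cache[i].used) {
            cache[i].used = 1;
            memcpy(cache[i].blob, s, sizeof *s);
            return 1;
        }
    return 0;
}
/* On resumption: rebuild a fresh object from the stored bytes, then validate it. */
int cache_retrieve(const unsigned char *id, long now, sess_t *out) {
    int i = find(id);
    if (i < 0) return 0;
    memcpy(out, cache[i].blob, sizeof *out);
    return !out->not_resumable && out->created + out->timeout >= now;
}
/* Explicit invalidation by session ID. */
int cache_remove(const unsigned char *id) {
    int i = find(id);
    if (i >= 0) cache[i].used = 0;
    return i >= 0;
}
/* Logout at the server, then a resumption attempt at t=1100; 1 = still resumes. */
int resumes_after_logout(int remove_from_cache) {
    memset(cache, 0, sizeof cache);              /* fresh cache per scenario */
    sess_t live = { {0xde, 0xad, 0xbe, 0xef}, 1000, 300, 0 }, got;
    cache_store(&live);
    live.created = 0; live.not_resumable = 1;    /* never reaches the cached copy */
    if (remove_from_cache) cache_remove(live.id);
    return cache_retrieve(live.id, 1100, &got);
}
int main(void) {
    printf("object edits only: %d\n", resumes_after_logout(0));
    printf("removed by ID:     %d\n", resumes_after_logout(1));
    return 0;
}
```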

Re: Apache 2.x : Terminate SSL Session from own module ?

on 27.04.2007 19:36:04 by Andrew.Hale.CTR

I am trying to terminate a two-way SSL session after a user successfully
logs off. I need to terminate the SSL session on the server because the
client application is in a kiosk and the user cannot close the browser or
clear the SSL cache.

In Serge's response below he refers to 'my own module'. Is he modifying the
mod_ssl module and deploying that, or can I directly make calls to the
mod_ssl module in a custom C module? Sorry, I am not familiar with C modules
but am familiar with Perl modules and have written authn and authz handlers.

I appreciate any help you can provide.

Andy Hale


Serge Hauser wrote:

Tue, 24 Oct 2006 06:53:50 -0700

Hi all,

I try to terminate a session in my own module by setting the creation time
and flushing the cache; unfortunately, on the next request from the same
client I get the same session again (actually it seems to take it from the
cache, ignoring the openssl session cache attributes).

Is there any way I can force mod_ssl to explicitly invalidate a session so
it will get deleted from the cache as well?

The code I use is basically:

r->connection->keepalive = -1;
ssl_sess = SSL_get_session(ssl);
ssl_ctx = SSL_get_SSL_CTX(ssl);
SSL_CTX_remove_session(ssl_ctx, ssl_sess);
SSL_SESSION_set_time(ssl_sess, 0);
SSL_CTX_flush_sessions(ssl_ctx, time(0));
ssl_sess->not_resumable = 1;


Does anyone have a hint for me as to what I am doing wrong or what I additionally need
to do to get rid of the session?

thanks
Serge

Andy Hale
Modis IT
DEERS/Defense Manpower Data Center
Phone: (831) 583-2500 Ext. 4719
Email: Andrew.Hale.CTR@osd.pentagon.mil
