author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-03-17 06:11:00 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-03-26 07:33:42 -0400 |
commit | d50d4dc0e557d582a0da4f3116ef1c4ab7a0bd78 (patch) | |
tree | a95ce2aa75f47e8129f479933cab8a683c6cd32f /src/mod_mbedtls.c | |
parent | dde9df431088697b0a29b71b1f4b68023118468f (diff) | |
[TLS] init STEK even if time is 1970 (fixes #3075)
(thx DamienT)
x-ref:
"TLS 1.3 with SessionTicket fail for the first 8 hours of 1970"
https://redmine.lighttpd.net/issues/3075
Diffstat (limited to 'src/mod_mbedtls.c')
-rw-r--r-- | src/mod_mbedtls.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 6352c733..e29f040f 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -361,7 +361,9 @@ mod_mbedtls_session_ticket_key_check (plugin_data *p, const time_t cur_ts)
 mbedtls_cipher_get_key_bitlen(&key->ctx),
 MBEDTLS_ENCRYPT);
 if (0 != rc) { /* expire key immediately if error occurs */
- key->generation_time = cur_ts - ctx->ticket_lifetime - 1;
+ key->generation_time = cur_ts > ctx->ticket_lifetime
+ ? cur_ts - ctx->ticket_lifetime - 1
+ : 0;
 ctx->active = 1 - ctx->active;
 }
 mbedtls_platform_zeroize(stek, sizeof(tlsext_ticket_key_t)); |
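Review bot: In the `: 0` branch the "expire key immediately" comment may no longer hold: with cur_ts at or below ctx->ticket_lifetime, a generation_time of 0 gives the key an age of cur_ts, which is still within the lifetime, so an age-based expiry check (not visible in this hunk) could keep treating the key whose cipher setup just failed as valid. It is worth confirming that the consumer of generation_time rejects this key, or recording the limitation next to the assignment, e.g. `/* clock within ticket_lifetime of epoch: cannot backdate below 0; key may not read as expired */`. The comparison also mixes time_t with ctx->ticket_lifetime, whose type is declared outside the hunk; if that field is unsigned and at least as wide as time_t, a negative cur_ts would convert to a large value and take the subtraction branch. The body of mod_mbedtls_session_ticket_key_check starts and ends outside the hunk.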