[TLS] reset stek_rotate_ts if clock moves backward

reset stek_rotate_ts if clock moves backwards > 28800 seconds x-ref: "Lighttpd 1.4.58 SSL connections stop working if system time of lighttpd server is changed to future one (+12h or even days)" https://redmine.lighttpd.net/issues/3080
2021-05-25 08:17:51 -04:00 · 2021-05-25 08:17:51 -04:00 · 66626315ba
parent f8bd028dc0
commit 66626315ba
3 changed files with 15 additions and 0 deletions
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@ -371,6 +371,11 @@ mod_gnutls_session_ticket_key_file (const char *fn)
 static void
 mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const time_t cur_ts)
 {
+    static time_t detect_retrograde_ts;
+    if (detect_retrograde_ts > cur_ts && detect_retrograde_ts - cur_ts > 28800)
+        stek_rotate_ts = 0;
+    detect_retrograde_ts = cur_ts;
+
    if (p->ssl_stek_file) {
        struct stat st;
        if (0 == stat(p->ssl_stek_file, &st) && st.st_mtime > stek_rotate_ts
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -440,6 +440,11 @@ mod_openssl_session_ticket_key_file (const char *fn)
 static void
 mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts)
 {
+    static time_t detect_retrograde_ts;
+    if (detect_retrograde_ts > cur_ts && detect_retrograde_ts - cur_ts > 28800)
+        stek_rotate_ts = 0;
+    detect_retrograde_ts = cur_ts;
+
    int rotate = 0;
    if (p->ssl_stek_file) {
        struct stat st;
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@ -425,6 +425,11 @@ mod_openssl_session_ticket_key_file (const char *fn)
 static void
 mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts)
 {
+    static time_t detect_retrograde_ts;
+    if (detect_retrograde_ts > cur_ts && detect_retrograde_ts - cur_ts > 28800)
+        stek_rotate_ts = 0;
+    detect_retrograde_ts = cur_ts;
+
    int rotate = 0;
    if (p->ssl_stek_file) {
        struct stat st;