From 21f2bb507bd34d263059595802f773481af5416e Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Tue, 1 Mar 2016 01:38:05 +0000
Subject: yahns 1.12.2 - minor doc and TLS fixes

This release ensures OpenSSL::SSL::SSLContext#session_id_context
is always set for OpenSSL users.  It won't overwrite existing
settings, but setting it to a random value is necessary to
ensure clients do not get aborted connections when attempting to
use a session cache.

No need to actually upgrade if you're on 1.12.1, you may add the
following to your yahns_config(5) file where
OpenSSL::SSL::SSLContext is configured:

	# recommended, not required.  This sets safer defaults
	# provided by Ruby on top of what OpenSSL gives:
	ssl_ctx.set_params

	# required, and done by default in v1.12.2:
	ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32)

yahns gives you full control of of how OpenSSL::SSL::SSLContext is
configured.  To avoid bugs, yahns only ensures
OpenSSL::SSL::SSLContext#session_id_context is set (if not previously
set by the user) and calls OpenSSL::SSL::SSLContext#setup before
spawning threads to avoid race conditions.  yahns itself does not and
will not enforce any opinion on the compatibility/performance/security
trade-offs regarding TLS configuration.

Note: keep in mind using an SSL session cache may be less useful
with yahns because HTTP/1.1 persistent connections may live
forever :)

3 bug/doc fixes on top of v1.12.1:
      document OpenSSL::SSL::SSLContext#set_params use
      ssl: ensure is session_id_context is always set
      test/*: fix mktmpdir usage for 1.9.3
---
 Documentation/yahns_config.pod | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'Documentation')

diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod
index aadd691..1b2595b 100644
--- a/Documentation/yahns_config.pod
+++ b/Documentation/yahns_config.pod
@@ -452,6 +452,14 @@ An example which seems to work is:
     listen 443, ssl_ctx: ssl_ctx
   end
 
+yahns gives you full control of of how OpenSSL::SSL::SSLContext is
+configured.  To avoid bugs, yahns only ensures
+OpenSSL::SSL::SSLContext#session_id_context is set (if not previously
+set by the user) and calls OpenSSL::SSL::SSLContext#setup before
+spawning threads to avoid race conditions.  yahns itself does not and
+will not enforce any opinion on the compatibility/performance/security
+trade-offs regarding TLS configuration.
+
 =item umask: MODE
 
 Sets the file mode creation mask for UNIX sockets.  If specified,
-- 
cgit v1.2.3-24-ge0c7