[ovs-dev] [PATCH 2/2] stream-ssl: Only set SSL client session once.

Ethan Jackson ethan at nicira.com
Mon Feb 28 22:30:09 UTC 2011


Looks fine to me.

Ethan

On Fri, Jan 28, 2011 at 3:33 PM, Ben Pfaff <blp at nicira.com> wrote:
> Attempting to call SSL_set_session() on every trip through the SSL
> connection state machine seems like it could cause the session to be
> re-set to the cached one even after the server has told us which session
> is actually to be used.
>
> In testing, this change didn't make any difference, but it seems like
> the right thing to do.
>
> Bug #4448.
> ---
>  lib/stream-ssl.c |   16 +++++++---------
>  1 files changed, 7 insertions(+), 9 deletions(-)
>
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index 5a67da8..f7112c3 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -280,6 +280,13 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
>     if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
>         SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
>     }
> +    if (type == CLIENT) {
> +        /* Grab SSL session information from the cache. */
> +        SSL_SESSION *session = shash_find_data(&client_sessions, name);
> +        if (session && SSL_set_session(ssl, session) != 1) {
> +            interpret_queued_ssl_error("SSL_set_session");
> +        }
> +    }
>
>     /* Create and return the ssl_stream. */
>     sslv = xmalloc(sizeof *sslv);
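Review bot: The added comment says only that the session is grabbed from the cache, not why the lookup now lives in new_ssl_stream() instead of ssl_connect(); the rationale from the commit message should be kept next to the code, e.g. `/* Try to resume the cached session for this peer. Done once, at stream creation, rather than on every pass through ssl_connect(), so a session the server has already chosen is not replaced by the cached one. */`. The new code calls interpret_queued_ssl_error() when SSL_set_session() fails but discards its result and carries on, which looks intentional since resumption is best-effort; a one-line comment such as `/* Resumption is optional; fall back to a full handshake. */` would make that explicit. new_ssl_stream() starts and ends outside the hunk.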
> @@ -511,15 +518,6 @@ ssl_connect(struct stream *stream)
>                                 MSG_PEEK);
>         }
>
> -        /* Grab SSL session information from the cache. */
> -        if (sslv->type == CLIENT) {
> -            SSL_SESSION *session = shash_find_data(&client_sessions,
> -                                                   stream_get_name(stream));
> -            if (session) {
> -                SSL_set_session(sslv->ssl, session);
> -            }
> -        }
> -
>         retval = (sslv->type == CLIENT
>                    ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl));
>         if (retval != 1) {
> --
> 1.7.1
>
>
>



