[ovs-dev] [PATCH 1/3] stream-ssl: Set a session context ID string on our SSL_CTX.
Ben Pfaff
blp at nicira.com
Tue Jan 25 23:47:40 UTC 2011
In the finest OpenSSL tradition of putting important documentation only in
code comments, ssl/ssl_sess.c in the OpenSSL tree has the following comment
inside ssl_get_prev_session():
/* We can't be sure if this session is being used out of
* context, which is especially important for SSL_VERIFY_PEER.
* The application should have used SSL[_CTX]_set_session_id_context.
*
* For this error case, we generate an error instead of treating
* the event like a cache miss (otherwise it would be easy for
* applications to effectively disable the session cache by
* accident without anyone noticing).
*/
This meant that ovs-controller couldn't effectively cache SSL server
sessions and we got a weird error whenever ovs-vswitchd tried.
Bug #4448.
CC: David Tsai <dtsai at nicira.com>
CC: Jeremy Stribling <strib at nicira.com>
---
lib/stream-ssl.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 6baf88f..ca3d218 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1011,6 +1011,17 @@ do_ssl_init(void)
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
+ /* We have to set a session context ID string in 'ctx' because OpenSSL
+ * otherwise refuses to use a cached session on the server side when
+ * SSL_VERIFY_PEER is set. And it not only refuses to use the cached
+ * session, it actually generates an error and kills the connection.
+ * According to a comment in ssl_get_prev_session() in OpenSSL's
+ * ssl/ssl_sess.c, this is intentional behavior.
+ *
+ * Any context string is OK, as long as one is set. */
+ SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE,
+ strlen(PACKAGE));
+
return 0;
}
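Review bot: the return value of SSL_CTX_set_session_id_context() is discarded at the `SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE, strlen(PACKAGE));` call; as far as I know the call fails (returns 0) when the context length exceeds SSL_MAX_SSL_SESSION_ID_LENGTH, and a silent failure here would put us back in exactly the "weird error" situation the patch is fixing, only harder to diagnose. PACKAGE is short enough today, but consider checking the result and logging or aborting on failure, or at least a static assertion on the length, so a future change to PACKAGE cannot break session caching unnoticed. The comment might also briefly say why reusing PACKAGE for every ovs SSL context is safe, namely that all of them apply the same SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT policy set just above, since the whole purpose of the session ID context is to stop a session negotiated under one verification policy from being resumed under another.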
--
1.7.1