[ovs-dev] [PATCH 1/3] stream-ssl: Set a session context ID string on our SSL_CTX.

Justin Pettit jpettit at nicira.com
Wed Jan 26 00:43:52 UTC 2011


Looks good.

--Justin


On Jan 25, 2011, at 3:47 PM, Ben Pfaff wrote:

> In the finest OpenSSL tradition of putting important documentation only in
> code comments, ssl/ssl_sess.c in the OpenSSL tree has the following comment
> inside ssl_get_prev_session():
> 
>   /* We can't be sure if this session is being used out of
>    * context, which is especially important for SSL_VERIFY_PEER.
>    * The application should have used SSL[_CTX]_set_session_id_context.
>    *
>    * For this error case, we generate an error instead of treating
>    * the event like a cache miss (otherwise it would be easy for
>    * applications to effectively disable the session cache by
>    * accident without anyone noticing).
>    */
> 
> This meant that ovs-controller couldn't effectively cache SSL server
> sessions and we got a weird error whenever ovs-vswitchd tried.
> 
> Bug #4448.
> CC: David Tsai <dtsai at nicira.com>
> CC: Jeremy Stribling <strib at nicira.com>
> ---
> lib/stream-ssl.c |   11 +++++++++++
> 1 files changed, 11 insertions(+), 0 deletions(-)
> 
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index 6baf88f..ca3d218 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1011,6 +1011,17 @@ do_ssl_init(void)
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                        NULL);
> 
> +    /* We have to set a session context ID string in 'ctx' because OpenSSL
> +     * otherwise refuses to use a cached session on the server side when
> +     * SSL_VERIFY_PEER is set.  And it not only refuses to use the cached
> +     * session, it actually generates an error and kills the connection.
> +     * According to a comment in ssl_get_prev_session() in OpenSSL's
> +     * ssl/ssl_sess.c, this is intentional behavior.
> +     *
> +     * Any context string is OK, as long as one is set. */
> +    SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE,
> +                                   strlen(PACKAGE));
> +
>     return 0;
> }
> 
> -- 
> 1.7.1
> 
> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev_openvswitch.org





More information about the dev mailing list