[ovs-dev] [PATCH 1/3] stream-ssl: Set a session context ID string on our SSL_CTX.
Justin Pettit
jpettit at nicira.com
Wed Jan 26 00:43:52 UTC 2011
Looks good.
--Justin
On Jan 25, 2011, at 3:47 PM, Ben Pfaff wrote:
> In the finest OpenSSL tradition of putting important documentation only in
> code comments, ssl/ssl_sess.c in the OpenSSL tree has the following comment
> inside ssl_get_prev_session():
>
> /* We can't be sure if this session is being used out of
> * context, which is especially important for SSL_VERIFY_PEER.
> * The application should have used SSL[_CTX]_set_session_id_context.
> *
> * For this error case, we generate an error instead of treating
> * the event like a cache miss (otherwise it would be easy for
> * applications to effectively disable the session cache by
> * accident without anyone noticing).
> */
>
> This meant that ovs-controller couldn't effectively cache SSL server
> sessions and we got a weird error whenever ovs-vswitchd tried.
>
> Bug #4448.
> CC: David Tsai <dtsai at nicira.com>
> CC: Jeremy Stribling <strib at nicira.com>
> ---
> lib/stream-ssl.c | 11 +++++++++++
> 1 files changed, 11 insertions(+), 0 deletions(-)
>
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index 6baf88f..ca3d218 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1011,6 +1011,17 @@ do_ssl_init(void)
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> NULL);
>
> + /* We have to set a session context ID string in 'ctx' because OpenSSL
> + * otherwise refuses to use a cached session on the server side when
> + * SSL_VERIFY_PEER is set. And it not only refuses to use the cached
> + * session, it actually generates an error and kills the connection.
> + * According to a comment in ssl_get_prev_session() in OpenSSL's
> + * ssl/ssl_sess.c, this is intentional behavior.
> + *
> + * Any context string is OK, as long as one is set. */
> + SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE,
> + strlen(PACKAGE));
> +
> return 0;
> }
>
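Review bot: the return value of SSL_CTX_set_session_id_context() in this hunk is ignored, so if the call ever fails the context stays unset and the exact server-side resumption error the new comment describes would come back silently, with nothing logged to point at the cause. OpenSSL rejects a context longer than its fixed maximum (SSL_MAX_SID_CTX_LENGTH, 32 bytes); PACKAGE fits comfortably today, but since the comment itself says "as long as one is set", it is worth guarding that assumption, e.g. `if (!SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE, strlen(PACKAGE))) { VLOG_ERR("SSL_CTX_set_session_id_context: %s", ERR_error_string(ERR_get_error(), NULL)); }`. A one-line addition to the comment noting why the value is constant (ovs-controller runs a single SSL_CTX with one verification policy, so a fixed string cannot cause a session to be resumed under a different policy) would also make the "any context string is OK" remark easier for a later reader to verify.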
> --
> 1.7.1
>
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev_openvswitch.org