[ovs-dev] [PATCH 2/3] stream-ssl: Only cache SSL sessions after they shut down.

Justin Pettit jpettit at nicira.com
Wed Jan 26 00:48:02 UTC 2011


Clearly no one would ever want to pipeline multiple requests through different sockets...

Looks fine.

--Justin


On Jan 25, 2011, at 3:47 PM, Ben Pfaff wrote:

> A cached SSL session may only be used for new connections after the initial
> connection has shut down.  As far as I can tell, nothing in the OpenSSL
> documentation actually comes out and says this, but it is implied by
> various examples found around the web and doing it this way makes caching
> work much more reliably in my testing.
> 
> Bug #4448.
> ---
> lib/stream-ssl.c |   22 +++++++---------------
> 1 files changed, 7 insertions(+), 15 deletions(-)
> 
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index ca3d218..84c1a11 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1,5 +1,5 @@
> /*
> - * Copyright (c) 2008, 2009, 2010 Nicira Networks.
> + * Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks.
>  *
>  * Licensed under the Apache License, Version 2.0 (the "License");
>  * you may not use this file except in compliance with the License.
> @@ -463,12 +463,6 @@ ssl_cache_session(struct stream *stream)
>     struct ssl_stream *sslv = ssl_stream_cast(stream);
>     SSL_SESSION *session;
> 
> -    /* Statistics. */
> -    COVERAGE_INC(ssl_session);
> -    if (SSL_session_reused(sslv->ssl)) {
> -        COVERAGE_INC(ssl_session_reused);
> -    }
> -
>     /* Get session from stream. */
>     session = SSL_get1_session(sslv->ssl);
>     if (session) {
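Review bot: the ordering rule that motivates this patch (a session may only be cached after the connection that produced it has shut down) is stated only in the commit message; it belongs in a comment on ssl_cache_session() itself, next to the SSL_get1_session() call, so the next person does not move the call back into ssl_connect() where it used to live. Moving the COVERAGE_INC block out is fine, since SSL_session_reused() is a property of the handshake, not of the close.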
> @@ -490,12 +484,6 @@ ssl_cache_session(struct stream *stream)
>                 }
>             }
>         }
> -    } else {
> -        /* There is no new session.  This doesn't really make sense because
> -         * this function is only called upon successful connection and there
> -         * should always be a new session in that case.  But I don't trust
> -         * OpenSSL so I'd rather handle this case anyway. */
> -        ssl_flush_session(stream);
>     }
> }
> 
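Review bot: dropping the else branch changes behaviour when SSL_get1_session() returns NULL: previously the stale cached session was discarded via ssl_flush_session(stream), now it is kept. The removed comment justified the branch with "this function is only called upon successful connection", but after this patch it is called from ssl_close(), which can run on a stream whose handshake never completed, so a NULL session is now more plausible rather than less. Either keep the flush, or say in the commit message why a stale cached session should survive a close.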
> @@ -575,8 +563,10 @@ ssl_connect(struct stream *stream)
>             VLOG_ERR("rejecting SSL connection during bootstrap race window");
>             return EPROTO;
>         } else {
> -            if (sslv->type == CLIENT) {
> -                ssl_cache_session(stream);
> +            /* Statistics. */
> +            COVERAGE_INC(ssl_session);
> +            if (SSL_session_reused(sslv->ssl)) {
> +                COVERAGE_INC(ssl_session_reused);
>             }
>             return 0;
>         }
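Review bot: the `if (sslv->type == CLIENT)` guard is removed here, so the ssl_session and ssl_session_reused counters now fire for server-side handshakes too; if the statistics are meant to track client-side resumption, keep the type check around the two COVERAGE_INC calls, otherwise mention the changed meaning of the counters in the commit message.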
> @@ -598,6 +588,8 @@ ssl_close(struct stream *stream)
>      * background. */
>     SSL_shutdown(sslv->ssl);
> 
> +    ssl_cache_session(stream);
> +
>     /* SSL_shutdown() might have signaled an error, in which case we need to
>      * flush it out of the OpenSSL error queue or the next OpenSSL operation
>      * will falsely signal an error. */
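Review bot: ssl_cache_session(stream) is called unconditionally here, whereas the call it replaces in ssl_connect() was guarded by `sslv->type == CLIENT`, so a server-side stream will now also store its session for reuse; if that is unintended, wrap the call in the same type check. The call also lands between SSL_shutdown() and the error-queue flush described in the comment below, which makes SSL_get1_session() the "next OpenSSL operation" that comment warns about; moving the call after the flush keeps the comment accurate and avoids any interaction with a pending error.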
> -- 
> 1.7.1
> 
> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev_openvswitch.org




