[ovs-dev] [PATCH 2/2] stream-ssl: Only set SSL client session once.

Ben Pfaff blp at nicira.com
Fri Jan 28 23:33:21 UTC 2011


Attempting to call SSL_set_session() on every trip through the SSL
connection state machine seems like it could cause the session to be
re-set to the cached one even after the server has told us which session
is actually to be used.

In testing, this change didn't make any difference, but it seems like
the right thing to do.

Bug #4448.
---
 lib/stream-ssl.c |   16 +++++++---------
 1 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 5a67da8..f7112c3 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -280,6 +280,13 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
     if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
         SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
     }
+    if (type == CLIENT) {
+        /* Grab SSL session information from the cache. */
+        SSL_SESSION *session = shash_find_data(&client_sessions, name);
+        if (session && SSL_set_session(ssl, session) != 1) {
+            interpret_queued_ssl_error("SSL_set_session");
+        }
+    }
 
     /* Create and return the ssl_stream. */
     sslv = xmalloc(sizeof *sslv);
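Review bot: The cache lookup now keys on the `name` argument of new_ssl_stream(), whereas the code it replaces keyed on stream_get_name(stream); please confirm the two strings are identical (same prefix, same host:port form) or the lookups will silently miss and every connection will fall back to a full handshake. Also, interpret_queued_ssl_error("SSL_set_session") is called for its logging side effect and its result is dropped, so a failed SSL_set_session() leaves the stream with a fresh session; a short comment saying that fallback is intended would make the ignored result look deliberate rather than accidental.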
@@ -511,15 +518,6 @@ ssl_connect(struct stream *stream)
                                 MSG_PEEK);
         }
 
-        /* Grab SSL session information from the cache. */
-        if (sslv->type == CLIENT) {
-            SSL_SESSION *session = shash_find_data(&client_sessions,
-                                                   stream_get_name(stream));
-            if (session) {
-                SSL_set_session(sslv->ssl, session);
-            }
-        }
-
         retval = (sslv->type == CLIENT
                    ? SSL_connect(sslv->ssl) : SSL_accept(sslv->ssl));
         if (retval != 1) {
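Review bot: Removing this block means ssl_connect() no longer touches client_sessions at all, so a stream whose handshake is retried through this state machine keeps whatever session was attached at construction, which is the point of the change. It is worth double-checking that every path that creates a client stream goes through new_ssl_stream() (the only remaining place the cache is consulted), since a session that is added to client_sessions after the stream was built will no longer be picked up on a later pass through here.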
-- 
1.7.1