new_ssl: Fix Session ID Reuse

Wil Tan <>
Wed Jan 6 17:36:52 CET 2010


Hello,

Thanks for including my previous patch in the "pu" branch.

Here's another one which fixes the session ID reuse scenario. From the
commit message:

    When an SSL client presents a previous session ID, the server should
    either honour the request to reuse the parameters previously negotiated
    for the given session ID, or ignore the request and generate a new
    session ID.

    In this situation, new_ssl tries to complete the handshake by sending
    the client a "Finished" handshake message, which violates the SSL/TLS
    specs. It should instead send a ChangeCipherSpec message before sending
    the FInished message. This patch fixes it.

To pull:
  $ git fetch git://github.com/wil/otp.git ssl_resume_session


To test this using openssl client, use the "-reconnect" argument to
"s_client" to make it connect with a fresh session ID, disconnects,
and then immediately connect again with the same session ID.

$ openssl s_client -connect localhost:65494 -CAfile certs/cacert.pem
-key certs/client.key -cert certs/client.pem -msg -reconnect

An alternative way is to use the "-sess_out" or "-sess_in" parameter
to make it save the session ID to or load from a file:

# first connect, should work
$ openssl s_client -connect localhost:65494 -CAfile certs/cacert.pem
-key certs/client.key -cert certs/client.pem -msg -sess_out
session.dat

# second connect, it reports "got a fin before a ccs" before the patch.
# After patch, it should connect with a much shorter handshake.
$ openssl s_client -connect localhost:65494 -CAfile certs/cacert.pem
-key certs/client.key -cert certs/client.pem -msg -sess_in session.dat


Thanks.

-- 
Wil Tan
CTO
Cloud Registry <http://www.cloudregistry.net>


More information about the erlang-patches mailing list