new_ssl: Fix Session ID Reuse
Wil Tan
wil@REDACTED
Wed Jan 6 17:36:52 CET 2010
Hello,
Thanks for including my previous patch in the "pu" branch.
Here's another one which fixes the session ID reuse scenario. From the
commit message:
When an SSL client presents a previous session ID, the server should
either honour the request to reuse the parameters previously negotiated
for the given session ID, or ignore the request and generate a new
session ID.
In this situation, new_ssl tries to complete the handshake by sending
the client a "Finished" handshake message, which violates the SSL/TLS
specs. It should instead send a ChangeCipherSpec message before sending
the FInished message. This patch fixes it.
To pull:
$ git fetch git://github.com/wil/otp.git ssl_resume_session
To test this using openssl client, use the "-reconnect" argument to
"s_client" to make it connect with a fresh session ID, disconnects,
and then immediately connect again with the same session ID.
$ openssl s_client -connect localhost:65494 -CAfile certs/cacert.pem
-key certs/client.key -cert certs/client.pem -msg -reconnect
An alternative way is to use the "-sess_out" or "-sess_in" parameter
to make it save the session ID to or load from a file:
# first connect, should work
$ openssl s_client -connect localhost:65494 -CAfile certs/cacert.pem
-key certs/client.key -cert certs/client.pem -msg -sess_out
session.dat
# second connect, it reports "got a fin before a ccs" before the patch.
# After patch, it should connect with a much shorter handshake.
$ openssl s_client -connect localhost:65494 -CAfile certs/cacert.pem
-key certs/client.key -cert certs/client.pem -msg -sess_in session.dat
Thanks.
--
Wil Tan
CTO
Cloud Registry <http://www.cloudregistry.net>
More information about the erlang-patches
mailing list