From: Eric Wong <e@80x24.org> To: yahns-public@yhbt.net Subject: [PATCH] ssl: ensure is session_id_context is always set Date: Mon, 29 Feb 2016 05:45:14 +0000 Message-ID: <20160229054514.GA8344@dcvr.yhbt.net> (raw) When a client attempts to reuse a session, we must have a session_id_context set or else handshakes fail. This problem manifests only with clients which attempt to reuse stored sessions. This is irrespective of any session caching configured (even if explicitly disabled) in the server. The SSL_set_session_id_context(3SSL) manpage states: If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail. --- lib/yahns/server.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/yahns/server.rb b/lib/yahns/server.rb index d6a03f3..ba2066b 100644 --- a/lib/yahns/server.rb +++ b/lib/yahns/server.rb @@ -386,6 +386,13 @@ def fdmap_init env['HTTPS'] = 'on' # undocumented, but Rack::Request uses this env['rack.url_scheme'] = 'https' + # avoid "session id context uninitialized" errors when a client + # attempts to reuse a cached SSL session. Server admins may + # configure their own cache and session_id_context if desired. + # 32 bytes is SSL_MAX_SSL_SESSION_ID_LENGTH and has been since + # the SSLeay days + ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32) + # call OpenSSL::SSL::SSLContext#setup explicitly here to detect # errors and avoid race conditions. We avoid calling this in the # parent process since -- EW
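Review bot: the new `ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32)` line in the fdmap_init hunk produces a different context in every process that runs fdmap_init, so with worker processes or after a restart a client's stored session will fail the context comparison and OpenSSL falls back to a full handshake instead of resuming; if the goal is only to silence the "session id context uninitialized" error that is acceptable, but the comment should say so, and for admins who configure a shared session cache the default should be a stable value (for example a fixed application identifier hashed down to at most 32 bytes) so that resumption actually works. It would also help readers to note in the comment that the fatal error quoted from SSL_set_session_id_context(3SSL) is tied to client-certificate use, since that is when an unset context turns a resumption attempt into a handshake failure rather than a plain cache miss.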