yahns Ruby server user/dev discussion
* [PATCH] ssl: ensure session_id_context is always set
@ 2016-02-29  5:45 Eric Wong
From: Eric Wong @ 2016-02-29  5:45 UTC
  To: yahns-public

When a client attempts to reuse a session, we must have a
session_id_context set or else handshakes fail.  This problem
manifests only with clients which attempt to reuse stored
sessions.   This is irrespective of any session caching
configured (even if explicitly disabled) in the server.

The SSL_set_session_id_context(3SSL) manpage states:

  If the session id context is not set on an SSL/TLS server and
  client certificates are used, stored sessions will not be reused
  but a fatal error will be flagged and the handshake will fail.
---
 lib/yahns/server.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/yahns/server.rb b/lib/yahns/server.rb
index d6a03f3..ba2066b 100644
--- a/lib/yahns/server.rb
+++ b/lib/yahns/server.rb
@@ -386,6 +386,13 @@ def fdmap_init
         env['HTTPS'] = 'on' # undocumented, but Rack::Request uses this
         env['rack.url_scheme'] = 'https'
 
+        # avoid "session id context uninitialized" errors when a client
+        # attempts to reuse a cached SSL session.  Server admins may
+        # configure their own cache and session_id_context if desired.
+        # 32 bytes is SSL_MAX_SSL_SESSION_ID_LENGTH and has been since
+        # the SSLeay days
+        ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32)
+
         # call OpenSSL::SSL::SSLContext#setup explicitly here to detect
         # errors and avoid race conditions.  We avoid calling this in the
         # parent process since
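Review bot: Because this line sits inside fdmap_init, and the comment right below it says SSLContext#setup is deliberately not called in the parent process, the random default is presumably generated separately in each worker, so a session issued by one worker carries a context that another worker does not recognise; OpenSSL then treats the resumption attempt as a cache miss and falls back to a full handshake. That is not the fatal error this patch addresses, but it quietly defeats resumption on multi-worker servers, so consider generating the default once before forking (or deriving it from a stable per-server value), or at least say so in the comment. Minor: the 32-byte bound on a session id context is SSL_MAX_SID_CTX_LENGTH; SSL_MAX_SSL_SESSION_ID_LENGTH is the bound on session IDs (both happen to be 32).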
-- 
EW
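The failure the commit message describes, reproduced on a loopback TLS 1.2 connection as an added example (not part of the original patch or of yahns): a server that requires client certificates completes the first handshake either way, but a client presenting its stored session is rejected with a fatal error when session_id_context is unset. The self-signed certificate, the make_ctx/resume_twice helpers and the 'yahns-example' context value are assumptions of this example.

```ruby
require 'openssl'
require 'socket'
# Constructed self-signed cert, serving as server identity and client cert (VERIFY_PEER case).
KEY  = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new
CERT.version, CERT.serial = 2, 1
CERT.subject = CERT.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
CERT.public_key = KEY.public_key
CERT.not_before, CERT.not_after = Time.now - 60, Time.now + 3600
CERT.sign(KEY, OpenSSL::Digest.new('SHA256'))
STORE = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CERT) }
# Hypothetical helper: a context with our cert, trust store and verify mode.
def make_ctx(verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key, ctx.cert_store, ctx.verify_mode = CERT, KEY, STORE, verify_mode
  ctx
end
# Full handshake, then one presenting the stored session; returns [first_ok, resumed_ok].
def resume_twice(sid_ctx)
  sctx = make_ctx(OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT)
  sctx.session_id_context = sid_ctx if sid_ctx # the value the yahns patch guarantees
  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    2.times do
      sock = tcp.accept
      ssl = OpenSSL::SSL::SSLSocket.new(sock, sctx)
      ssl.accept
      ssl.read(1) # wait for the client's byte so it never sees an early EOF
    rescue OpenSSL::SSL::SSLError, SystemCallError # nil sid_ctx + resumption: fatal
    ensure
      sock&.close
    end
  end
  cctx = make_ctx(OpenSSL::SSL::VERIFY_PEER)
  cctx.max_version = OpenSSL::SSL::TLS1_2_VERSION # TLS 1.2: session usable right after connect
  session = nil
  results = Array.new(2) do
    ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), cctx)
    ssl.session = session if session # second round: ask to resume
    ssl.connect
    session = ssl.session
    ssl.write('x')
    ssl.close
    true
  rescue OpenSSL::SSL::SSLError, SystemCallError
    false
  end
  server.join
  results
end
```

With sid_ctx nil the result is [true, false]; with any context string set, both handshakes succeed.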

