diff options
| author | Eric Wong <e@80x24.org> | 2016-02-29 05:20:47 +0000 |
|---|---|---|
| committer | Eric Wong <e@80x24.org> | 2016-02-29 05:50:01 +0000 |
| commit | 5fff94f35928feeb9d6bf91087ee7cdbe97ecdb7 (patch) | |
| tree | c894d40ce1ba1e4e020e1afc569434b2c1fa271a | |
| parent | 3aba6b86a127954fdcd1c1c51ce66b5731176e50 (diff) | |
| download | yahns-5fff94f35928feeb9d6bf91087ee7cdbe97ecdb7.tar.gz | |
When a client attempts to reuse a session, we must have a session_id_context set or else handshakes fail. This problem manifests only with clients which attempt to reuse stored sessions. This is irrespective of any session caching configured (even if explicitly disabled) in the server. The SSL_CTX_set_session_id_context(3SSL) manpage states: If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail.
| -rw-r--r-- | lib/yahns/server.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/yahns/server.rb b/lib/yahns/server.rb index d6a03f3..ba2066b 100644 --- a/lib/yahns/server.rb +++ b/lib/yahns/server.rb @@ -386,6 +386,13 @@ class Yahns::Server # :nodoc: env['HTTPS'] = 'on' # undocumented, but Rack::Request uses this env['rack.url_scheme'] = 'https' + # avoid "session id context uninitialized" errors when a client + # attempts to reuse a cached SSL session. Server admins may + # configure their own cache and session_id_context if desired. + # 32 bytes is SSL_MAX_SSL_SESSION_ID_LENGTH and has been since + # the SSLeay days + ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32) + # call OpenSSL::SSL::SSLContext#setup explicitly here to detect # errors and avoid race conditions. We avoid calling this in the # parent process since |