From b5beaca19879c2b662fdb136262c81bf22f747da Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Tue, 25 Jan 2011 15:17:32 -0800 Subject: [PATCH] stream-ssl: Set a session context ID string on our SSL_CTX. In the finest OpenSSL tradition of putting important documentation only in code comments, ssl/ssl_sess.c in the OpenSSL tree has the following comment inside ssl_get_prev_session(): /* We can't be sure if this session is being used out of * context, which is especially important for SSL_VERIFY_PEER. * The application should have used SSL[_CTX]_set_session_id_context. * * For this error case, we generate an error instead of treating * the event like a cache miss (otherwise it would be easy for * applications to effectively disable the session cache by * accident without anyone noticing). */ This meant that ovs-controller couldn't effectively cache SSL server sessions and we got a weird error whenever ovs-vswitchd tried. Bug #4448. CC: David Tsai CC: Jeremy Stribling --- lib/stream-ssl.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 6baf88ff1..ca3d218bf 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1011,6 +1011,17 @@ do_ssl_init(void) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + /* We have to set a session context ID string in 'ctx' because OpenSSL + * otherwise refuses to use a cached session on the server side when + * SSL_VERIFY_PEER is set. And it not only refuses to use the cached + * session, it actually generates an error and kills the connection. + * According to a comment in ssl_get_prev_session() in OpenSSL's + * ssl/ssl_sess.c, this is intentional behavior. + * + * Any context string is OK, as long as one is set. */ + SSL_CTX_set_session_id_context(ctx, (const unsigned char *) PACKAGE, + strlen(PACKAGE)); + return 0; } -- 2.43.0
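Review bot: the new SSL_CTX_set_session_id_context() call discards its return value; OpenSSL rejects a context longer than SSL_MAX_SID_CTX_LENGTH (32 bytes) and returns 0 in that case, which would silently leave the very bug this patch fixes in place. PACKAGE ("openvswitch") fits comfortably today, but do_ssl_init() already reports failures from the other SSL_CTX setup calls, so treating a 0 return here the same way, e.g. `if (!SSL_CTX_set_session_id_context(ctx, ...)) { VLOG_ERR(...); return ...; }`, keeps a future rename of PACKAGE from becoming a hard-to-diagnose regression. The comment's "any context string is OK" is worth qualifying slightly: the context is what lets the server tell sessions belonging to different verification policies apart, so it is only safe to use one constant because this code has a single SSL_CTX with a single verify mode; if a second context with different SSL_VERIFY_* settings is ever added it must get a distinct session ID context.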