From f01eb73ccfb9816dc879deb2add69d33a96ed56c Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Tue, 25 Jan 2011 15:23:31 -0800
Subject: [PATCH] stream-ssl: Only cache SSL sessions after they shut down.

A cached SSL session may only be used for new connections after the initial
connection has shut down.  As far as I can tell, nothing in the OpenSSL
documentation actually comes out and says this, but it is implied by
various examples found around the web and doing it this way makes caching
work much more reliably in my testing.

Bug #4448.
---
 lib/stream-ssl.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index ca3d218bf..84c1a1157 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2009, 2010 Nicira Networks.
+ * Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -463,12 +463,6 @@ ssl_cache_session(struct stream *stream)
     struct ssl_stream *sslv = ssl_stream_cast(stream);
     SSL_SESSION *session;
 
-    /* Statistics. */
-    COVERAGE_INC(ssl_session);
-    if (SSL_session_reused(sslv->ssl)) {
-        COVERAGE_INC(ssl_session_reused);
-    }
-
     /* Get session from stream. */
     session = SSL_get1_session(sslv->ssl);
     if (session) {
@@ -490,12 +484,6 @@ ssl_cache_session(struct stream *stream)
                 }
             }
         }
-    } else {
-        /* There is no new session.  This doesn't really make sense because
-         * this function is only called upon successful connection and there
-         * should always be a new session in that case.  But I don't trust
-         * OpenSSL so I'd rather handle this case anyway. */
-        ssl_flush_session(stream);
     }
 }
 
@@ -575,8 +563,10 @@ ssl_connect(struct stream *stream)
             VLOG_ERR("rejecting SSL connection during bootstrap race window");
             return EPROTO;
         } else {
-            if (sslv->type == CLIENT) {
-                ssl_cache_session(stream);
+            /* Statistics. */
+            COVERAGE_INC(ssl_session);
+            if (SSL_session_reused(sslv->ssl)) {
+                COVERAGE_INC(ssl_session_reused);
             }
             return 0;
         }
@@ -598,6 +588,8 @@ ssl_close(struct stream *stream)
      * background. */
     SSL_shutdown(sslv->ssl);
 
+    ssl_cache_session(stream);
+
     /* SSL_shutdown() might have signaled an error, in which case we need to
      * flush it out of the OpenSSL error queue or the next OpenSSL operation
      * will falsely signal an error. */
-- 
2.43.0