Corrupted ssl session id

olivier.szika@xxxxxxxxxxxxxx (Olivier SZIKA) · Tue, 7 Apr 2015 12:31:55 +0200 (CEST)

Hi all,

I use openssl library in a daemon, and there are a lot of crashes around ssl session management.
A crash happens when ssl sessions are flushed via SSL_CTX_flush_sessions(), because they could have bad session id.

Here, the life of one session: 

ptr_addr:      refcount: type[session_id] (function:line)
0x807807600:   1:SSL_SESSION [0x0] (SSL_SESSION_new:205)
0x807807600:   1:--> SSL_SESSION CHECK BEFORE [0x0] (ssl3_get_new_session_ticket:2236)
0x807807600:   1:--> SSL_SESSION CHECK AFTER [0xaa685c61] (ssl3_get_new_session_ticket:2244)
0x807807600:   2:SSL_SESSION [0xaa685c61] (SSL_CTX_add_session:673)
0x807807600:   3:SSL_SESSION [0xaa685c61] (ssl_update_cache:2456)
0x807807600:   2:SSL_SESSION_FREE [0xaa685c61] (SSL_free:559)
0x807807600:   3:SSL_SESSION [0xaa685c61] (SSL_set_session:855)
0x807807600:   3:--> SSL_SESSION CHECK BEFORE [0xaa685c61] (ssl3_client_hello:731)
0x807807600:   3:--> SSL_SESSION CHECK AFTER [0xaa685c61] (ssl3_client_hello:733)
0x807807600:   3:--> SSL_SESSION CHECK BEFORE [0xaa685c61] (ssl3_get_new_session_ticket:2236)
0x807807600:   3:--> SSL_SESSION CHECK AFTER [0xe47912b1] (ssl3_get_new_session_ticket:2244)
0x807807600:   2:SSL_SESSION_FREE [0xe47912b1] (SSL_free:559)
...

The server requests new session ticket (SSL3_ST_CR_SESSION_TICKET_[AB]),
but the session id is already initialized.

To fix it, I thought to free the old ssl session and to create a new one in ssl3_connect(), in case SSL3_ST_CR_SESSION_TICKET_[AB],
before ssl3_get_new_session_ticket() call, but I'm not sure it's a good fix.

Could you help me? Do you need more details about my issue?

Thanks,

Olivier