Re: sessions reuse in openssl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I am working on memory analysis of openssl. One of the observation is the memory allocated by d2i_X509() API (returned in x) is not being freed after the connection is closed.. and this memory is stored as part of session.. i want to limit number of sessions which we cache for re-use.. or if possible completely avoid session caching.


Using TLS 1.3


-thanks

harish


        x = d2i_X509(NULL, &q, l); //// <<<<<<< memory allocated HERE (HVK)

        if (x == NULL) {

            al = SSL_AD_BAD_CERTIFICATE;

            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);

            goto f_err;

        }

        if (q != (p + l)) {

            al = SSL_AD_DECODE_ERROR;

            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,

                   SSL_R_CERT_LENGTH_MISMATCH);

            goto f_err;

        }

        if (!sk_X509_push(sk, x)) { ////// STORED IN LIST HERE (HVK)

            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);

            goto err;

        }

        x = NULL;

        nc += l + 3;

        p = q;

    }


    i = ssl_verify_cert_chain(s, sk);

    if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)

#ifndef OPENSSL_NO_KRB5

        && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&

             (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))

#endif                          /* OPENSSL_NO_KRB5 */

        ) {

        al = ssl_verify_alarm_type(s->verify_result);

        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,

               SSL_R_CERTIFICATE_VERIFY_FAILED);

        goto f_err;

    }

    ERR_clear_error();          /* but we keep s->verify_result */


    sc = ssl_sess_cert_new();

    if (sc == NULL)

        goto err;


    if (s->session->sess_cert)

        ssl_sess_cert_free(s->session->sess_cert);

    s->session->sess_cert = sc;


    sc->cert_chain = sk; ///// (HVK) THE CHAIN IS STORED HERE.. as part of session struct.. not freed.

    /*

     * Inconsistency alert: cert_chain does include the peer's certificate,

     * which we don't include in s3_srvr.c

     */

    x = sk_X509_value(sk, 0);

    sk = NULL;


On Wed, Jan 20, 2021 at 10:26 AM Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Wed, Jan 20, 2021 at 08:55:13AM +0530, Harish Kulkarni wrote:

> For some experiments i want to stop session re-use in openssl.. is there a
> way to stop reusing of same session?.

Your question is not sufficiently specific.  Are you looking to not
reuse a session in an client or a server?  Is the server issuing
stateless session tickets or doing fully stateful resumption with
an in memory session cache?  Are you using TLS 1.2 or TLS 1.3?

Post a reasonable level of detail outlining where the decision
to reuse or not reuse the session is going to be made, and how
session resumption is performed when not disabled.

--
    Viktor.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux