Re: Contract of d2i_SSL_SESSION ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 16/12/2021 08:58, Jesper Pedersen wrote:

Hi,
I have a use-case where I need to reuse the SSL session in another process that created it. So, it looks like 

Process 1:
  * Create SSL_CTX
  * Create SSL
  * Use SSL
  * i2d_SSL_SESSION into shared memory [1] -- this works
  * Free SSL (no SSL_shutdown as I need socket descriptor as well)
  * Transfer socket descriptor to parent process

Process 2:
  * Create SSL_CTX
  * Create SSL
  * Attach SSL_SESSION through d2i_SSL_SESSION [2]
  * Associate the socket descriptor (as its number may have changed)
 * Call SSL_connect (same result as SSL_set_connect_state + SSL_do_handshake)
After the SSL_connect call SSL_pending [3] will show 19 0-bytes in the buffer which leads to 

AFTER CONNECT: 19
00000000000000000000000000000000000000
???????????????????
SSL_ERROR_SSL: FD 15
error:140940F4:SSL routines:ssl3_read_bytes:unexpected message
SSL routines
unexpected message

so I must be missing something in the contract of d2i_SSL_SESSION.
The SSL session cache is SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE.
It's not 100% clear to me what you are trying to achieve or what you expected to happen - but it sounds like you are trying to transfer an active SSL connection from one process to another. This capability is not supported although it has been asked for from time to time.
All SSL_SESSION allows you to do is to *resume* a session based on an old connection, i.e. a new connection is created based on parameters negotiated from an old connection. 

Matt




Using OpenSSL 1.1.1l
[1] https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634#diff-b0ad697326050bb80fb89068786852d7b974e1f648103fe382acea69097fd152R3446 [2] https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634#diff-b0ad697326050bb80fb89068786852d7b974e1f648103fe382acea69097fd152R5857 [3] https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634#diff-b0ad697326050bb80fb89068786852d7b974e1f648103fe382acea69097fd152R5899
Full patch: https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634 

Upstream project: https://github.com/agroal/pgagroal
Thanks in advance for questions, suggestions, hints or comments on the current code ! 

Best regards,
  Jesper
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux