Set session id context while creating SSLContext (#2633)

When using client certificates, session id context needs to be set. OpenSSL documentation covers it like this: If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail. Details: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_session_id_context.html Ruby OpenSSL wrapper conforms to this by setting the session id context to a random sequence of bytes whenever a context is created: http://github.com/ruby/openssl/blob/master/lib/openssl/ssl.rb#L493 I am open to suggestions about generating random bytes. I feel like there can be a better way than this.
puma · Jun 4, 2021 · ef1a9f5 · ef1a9f5
1 parent 32852f7
commit ef1a9f5
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/ext/puma_http11/mini_ssl.c b/ext/puma_http11/mini_ssl.c
@@ -208,7 +208,7 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
 #endif
   int ssl_options;
   VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
-    verification_flags;
+    verification_flags, session_id_bytes;
   DH *dh;
 
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
@@ -309,6 +309,14 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   } else {
     SSL_CTX_set_verify(ctx, NUM2INT(verify_mode), engine_verify_callback);
   }
+
+  session_id_bytes = rb_funcall(rb_const_get(rb_cRandom, rb_intern_const("DEFAULT")),
+                                rb_intern_const("bytes"),
+                                1, ULL2NUM(SSL_MAX_SSL_SESSION_ID_LENGTH));
+  SSL_CTX_set_session_id_context(ctx,
+                                 (unsigned char *) RSTRING_PTR(session_id_bytes),
+                                 SSL_MAX_SSL_SESSION_ID_LENGTH);
+
   // printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
   rb_obj_freeze(self);
   return self;