Set session id context while creating SSLContext #2633
When using client certificates, session id context needs to be set. OpenSSL documentation covers it like this:

> If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail.

Details: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_session_id_context.html

Ruby OpenSSL wrapper conforms to this by setting the session id context to a random sequence of bytes whenever a context is created: http://github.com/ruby/openssl/blob/master/lib/openssl/ssl.rb#L493

I am open to suggestions about generating random bytes. I feel like there can be a better way than this.
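The handshake failure quoted in the description above, reproduced with Ruby's `openssl` standard library as an added example (not code from this PR or from Puma). It drives `SSLSocket` directly, because Ruby's `SSLServer` sets a session id context on its own. All helper names are hypothetical, the certificate is constructed, and TLS 1.2 is pinned as an assumption so the session is available as soon as the handshake returns.

```ruby
require "openssl"
require "socket"

# Added example, hypothetical helper names. Constructed self-signed identity,
# reused as server certificate, client certificate and trust anchor.
def demo_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  [cert.sign(key, OpenSSL::Digest.new("SHA256")), key]
end

def demo_context(cert, key, verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key, ctx.verify_mode = cert, key, verify_mode
  ctx.cert_store = OpenSSL::X509::Store.new.add_cert(cert)
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION # assumption: pinned for a deterministic demo
  ctx
end

def handshake(io, ctx, server:, session: nil) # one handshake; returns [outcome, session]
  ssl = OpenSSL::SSL::SSLSocket.new(io, ctx)
  ssl.sync_close = true
  ssl.session = session if session # client side: offer the earlier session
  server ? ssl.accept : ssl.connect
  [ssl.session_reused? ? :resumed : :full_handshake, ssl.session]
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
  [:handshake_failed, nil] # the server flags a fatal error when its context is unset
ensure
  ssl&.close
end

# One client connects twice and offers the first session on the second connection.
def resumption_outcomes(session_id_context)
  cert, key = demo_identity
  server_ctx = demo_context(cert, key, OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT)
  server_ctx.session_id_context = session_id_context if session_id_context
  tcp = TCPServer.new("127.0.0.1", 0)
  server = Thread.new { 2.times { handshake(tcp.accept, server_ctx, server: true) } }
  client_ctx, session = demo_context(cert, key, OpenSSL::SSL::VERIFY_PEER), nil
  outcomes = 2.times.map do
    outcome, session = handshake(TCPSocket.new("127.0.0.1", tcp.addr[1]), client_ctx, server: false, session: session)
    outcome
  end
  server.join
  tcp.close
  outcomes
end
```

`resumption_outcomes(nil)` returns `[:full_handshake, :handshake_failed]`; passing a context string such as `"puma-demo"` returns `[:full_handshake, :resumed]`.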
Probably should just generate the randomness in C rather than get Ruby involved at all. Fancy taking a stab at fixing this in the Java extension as well?
I had thought about generating the randomness in C, but using A useful option could have been using I can see two ways after eliminating these:
For Java implementation, I checked
Could we clarify which versions of ruby Random::DEFAULT.bytes was first introduced?
Works in ruby 2.0.0p648 (2015-12-16) [x64-mingw32]
This is messy. I recall that TLSv1.3 may handle session reuse differently than older protocols. I haven't had time to review docs to see if that is correct.
Have you seen that happen with Puma? I don't think there are any tests dealing with multiple requests from one client connection where 'client certificates are used'... Haven't had time to create one locally...
@MSP-Greg It happened with our backend using Puma and client cert authentication. This fix solved the problem.
It's in the docs on that ssl context id function @MSP-Greg - will hold on a release until you review though
@onlined Thanks. I suspected as much, as you wouldn't really have a reason for the PR... @nateberkopec This is fine, but it will need to change to fix the deprecated warnings in Ruby 3. I haven't had time to look at it, maybe set the value (instance variable) in the Ruby code in This only happens when the server sockets/listeners are created, so 'ruby vs c' probably isn't critical.
Replacing
Oh this will actually warn on Ruby 3? Didn't realize that... we do need to fix that.
Please have a look at PR #2642, which removes the warnings...
* Actions - add Ruby 3.0 and 3.1
* .gitignore - add entry for local use
* test_puma_server_ssl.rb - backport fix 888b0213f11
* minissl.c and extconf.rb - backport fixes

Fixes from PR's: #2535 #2633 #2642