Stateful session resumption #369
RFC 5077 is indeed obsolete since RFC 8446. But the RFC that obsoleted it is about TLS 1.3, whereas we support (D)TLS 1.2. So generally speaking supporting session resumption based on session ID is not unreasonable for us to have. DTLS 1.3 also still has some support for it in the form of the With respect to your PR: we can't accept this addition of functionality without tests that verify it works as intended. This will also ensure we don't break this feature in the future. This is especially important for features we don't expect to be used/exercised regularly by users of the library. On a personal note; we have made it this far without it, and I am a little frustrated by the idea of supporting this b/c a company with resources like Cisco can't be bothered to follow an RFC and implement PSK support. However, that should not stop us from supporting session resumption in general.
Very cool project! Would love to help get this merged :) 100% agree with @daenney we need tests. Also DTLS resumption has been known to cause security issues so want to be especially careful with this change!
This PR just makes some basic features which will be needed to implement session resume. If it is accepted, I will try my best to add the test cases.
I don't have strong objections to it. I'd be inclined to accept the PR seeing it purely implements session resumption.
Is anybody here?
We're here. But please keep in mind we are open source maintainers, doing this work in our free time. We can't always respond within hours, and review will take time.
Hi @daenney, nobody is expecting hourly responses. I do understand most contributors make contributions in their free time. However, I made this PR three days ago and asked yesterday. I just want to make sure there are maintainers who have interest in this PR. And it would be a great encouragement to me if some maintainers could respond or put this MR review in their plan. Thank you.
This PR only implements the session ID based session resumption which requires the server to save the session info (https://datatracker.ietf.org/doc/html/rfc5246#appendix-F.1.4). It doesn't implement the session ticket based session resumption: https://datatracker.ietf.org/doc/html/rfc5077
This PR was originally designed for Cisco's AnyConnect VPN protocol, which used session resumption to establish the DTLS session. And according to @daenney's advice, the full stateful session resumption has been implemented. If the ticket based session resumption feature is required, it may be a little better to implement it in a dedicated PR. This depends on the maintainers' requirements. However, it seems no maintainer has time to make a review or give any feedback. It needs to wait for the maintainers' bandwidth.
How does this PR prevent a data replay attack of the resumed "ClientHello" packet?
@grokker001
I don't have the time to review this right now. In general I'm OK with having this code. But it's going to be a while before I personally have time to give it the review it needs before it goes in.
@daenney thank you for the reply. Waiting for your free time.
Hi @daenney, almost 6 months have passed. I do not intend to press you to take action. But would you like to put this MR into your schedule? Or give any clue about your following plan? Thanks.
I honestly don't know. I'm not particularly invested in getting session support in here myself since I don't have any need for it in practice. It's also a big change and once we accept it something we'll need to keep supporting going forwards. Idk if other maintainers like @Sean-Der, @at-wat or @backkem might have time to review this. Coincidentally, the tests for this thing haven't run yet. Can you rebase and push this again and see if that unblocks it?
It seems the workflows will not run without approval. @daenney
I'll review the code tomorrow
Yeah, but for some reason GitHub wasn't showing the approval buttons. It did after you pushed, so I've OKed them to run now.
@daenney thanks. But please approve again. In order to pass the git message lint, I have squashed all the commits.
This PR only implements the session ID based session resumption which requires the server to save the session info https://datatracker.ietf.org/doc/html/rfc5246#appendix-F.1.4 It doesn't implement the session ticket based session resumption: https://datatracker.ietf.org/doc/html/rfc5077
Main logic of the handshake with resumption looks good!
Added some more comments.
As the server could serve different names on the same port, the client should restore the session according to both serverName and remoteAddr.
Make it clear which flights will be used in session resumption. And fix some other comments.
Hi @at-wat, do you have time to review the latest changes?
We need to delete the stored session when any fatal error occurs. This operation should be taken in the Conn.notify function.
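The store behaviour discussed in this thread, as an added example that is not code from this PR or from the library: the client cache is keyed by both remoteAddr and serverName, the server store by session ID, and a fatal error deletes the stored session. The `Session`, `Store`, `ClientKey`, `ServerKey` and `ServerAccepts` names are hypothetical, and the address, names and secret are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Session is what each side keeps in order to resume (hypothetical type for this example).
type Session struct {
	ID     []byte // session ID carried in ClientHello and ServerHello
	Secret []byte // master secret from the earlier full handshake
}

// Store is a minimal in-memory session store (hypothetical; not safe for concurrent use).
type Store map[string]Session

// ClientKey binds a cached session to both remoteAddr and serverName; NUL separates the parts.
func ClientKey(remoteAddr, serverName string) string { return remoteAddr + "\x00" + serverName }

// ServerKey indexes the server-side store by the session ID the client offers.
func ServerKey(id []byte) string { return hex.EncodeToString(id) }

// ServerAccepts reports whether the offered ID allows the abbreviated handshake.
func ServerAccepts(srv Store, offeredID []byte) (Session, bool) {
	if len(offeredID) == 0 { // empty ID: the client asks for a full handshake
		return Session{}, false
	}
	s, ok := srv[ServerKey(offeredID)]
	return s, ok
}

// Demo runs a constructed scenario and returns three lookup outcomes.
func Demo() (otherName, resumed, afterFatal bool) {
	cli, srv := Store{}, Store{}
	s := Session{ID: []byte{0x01, 0x02}, Secret: []byte{0xaa}} // constructed values
	addr := "192.0.2.10:4444"
	cli[ClientKey(addr, "a.example")] = s // both sides save after a full handshake
	srv[ServerKey(s.ID)] = s
	_, otherName = cli[ClientKey(addr, "b.example")] // same port, different name: no session
	offer := cli[ClientKey(addr, "a.example")]
	_, resumed = ServerAccepts(srv, offer.ID)
	// A fatal error occurs: each side deletes its own stored copy.
	delete(cli, ClientKey(addr, "a.example"))
	delete(srv, ServerKey(s.ID))
	_, afterFatal = ServerAccepts(srv, s.ID)
	return otherName, resumed, afterFatal
}

func main() { fmt.Println(Demo()) }
```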
@at-wat please check again, all the issues have been fixed.
LGTM:+1:
Nothing left for you to do. If @at-wat is happy with it, then I think we can go ahead and merge it. Since a lot of work on this PR happened during the winter holidays when a lot of us were probably not keeping track of this I'll let it soak for another week so other maintainers have a chance to comment. If nothing shows up, I'll merge it on the 10th of January.
Hi @daenney, as there is no further comment, would you like to merge this PR?
Released as v2.1.0
Thank you @daenney. And thank you @at-wat for your detailed review and mentoring. It is a great pleasure to cooperate with you, and you made me learn a lot. Thank you. By the way, @Sean-Der, @at-wat, @backkem, @daenney, @at-wat, is there any roadmap to support connection ID for DTLS 1.2 and DTLS 1.3?
There isn't, no. We don't really have a roadmap. It's a volunteer driven project so people contribute features if and when the need arises for whatever use case they're facing.
Please forgive me if I am asking some stupid question:
Add session resumption support.
You could use the examples/listen/psk/main.go and openssl to test this feature.
First you need to change the server's config and run the server.
And then, run openssl one time to store the session data.
Finally, run openssl in the resumption mode.