Get rid of missing SSL context errors #970

Merged
merged 4 commits into from Feb 25, 2015

@rix0rrr
Contributor

commented Jan 28, 2015

This occurs a lot when using client certificates, and then connections
are dropped a couple of times before they are successfully established:

    [0B573E01:0B613C01 2015.01.28 17:11:07.064 WRN] Handling of
    connection failed: Failed to accept SSL tunnel: error:140D9115:SSL
    routines:SSL_GET_PREV_SESSION:session id context uninitialized
    (336433429)

Assigning the local hostname as a context ID fixes this error.

As per OpenSSL documentation:

https://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html

Get rid of missing SSL context errors
This occurs a lot when using client certificates, and then connections
are dropped a couple of times before they are successfully established:

    [0B573E01:0B613C01 2015.01.28 17:11:07.064 WRN] Handling of
    connection failed: Failed to accept SSL tunnel: error:140D9115:SSL
    routines:SSL_GET_PREV_SESSION:session id context uninitialized
    (336433429)

Assigning the local hostname as a context ID fixes this error.
@schuetzm

Contributor

commented Feb 22, 2015

Can't comment on the content, but your indentation is off (see the diff view https://github.com/rejectedsoftware/vibe.d/pull/970/files).

rix0rrr added some commits Feb 23, 2015

@rix0rrr

Contributor Author

commented Feb 23, 2015

Updated indentation.

This is very required when doing client cert authentication,
otherwise many connections will go aborted.
*/
void setContextID()
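
Review bot: the doc comment that closes just above `void setContextID()` says the call is required for client cert authentication but not which value ends up as the context ID, and the signature takes no argument, so a caller can neither tell nor choose what is set. Suggest documenting the value used, and rewording "very required" and "will go aborted" (for example "required" and "will be aborted").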

@s-ludwig

s-ludwig Feb 23, 2015

Member

Since it is called in the constructor already, does this method have to be public? If yes, I'd change the name to setSessionIDContext to match the semantics more closely. What I didn't understand yet when reading the documentation of SSL_CTX_set_session_id_context is if using the host name as the context name is the right choice. From the description it sounds like it should rather be an application specific string, which would have to be passed as a parameter.

@rix0rrr

rix0rrr Feb 24, 2015

Author Contributor

I wanted to pick a sane default so it will Just Work if you don't care about the particular value. It has to be unique within a group of servers behind a load balancer, so the protocol can tell it doesn't have a cached session on that particular server and do the handshake again.

BUT, it also has to be configurable for client code in case someone wants to go to the trouble to configure a session pool. Apparently, "tickets" will be better in any case, but not necessarily supported by every client and adding a lot more complexity.

You're right about the name change, will fix.

@rix0rrr

rix0rrr Feb 24, 2015

Author Contributor

And you know what, I totally forgot what I actually implemented.

You're right, this function doesn't need to be public.

@s-ludwig

Member

commented Feb 25, 2015

Okay, thanks. Merging.

s-ludwig added a commit that referenced this pull request Feb 25, 2015

Merge pull request #970 from rix0rrr/ssl-session-context
Get rid of missing SSL context errors

@s-ludwig s-ludwig merged commit 1f9c5cd into vibe-d:master Feb 25, 2015

1 check failed

continuous-integration/travis-ci/pr The Travis CI build failed