Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2005/07/05 19:32:54 UTC

[PATCH] Allow for internal OpenSSL Session Cache

I've run into this with some "broken" browsers. Basically, they
require a non-null SessionID in the SSL transaction. If, for whatever
reason, we disable the external SSL Session Cache, these
browsers report errors when connecting to the SSL vhost.

This adds a new argument to SSLSessionCache which says "disable any
external session cache, but use OpenSSL's internal one" which makes
OpenSSL send the SessionID parameter again.


Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h    (revision 209297)
+++ modules/ssl/ssl_private.h    (working copy)
@@ -259,7 +259,8 @@
      SSL_SCMODE_NONE  = 0,
      SSL_SCMODE_DBM   = 1,
      SSL_SCMODE_SHMCB = 3,
-    SSL_SCMODE_DC    = 4
+    SSL_SCMODE_DC    = 4,
+    SSL_SCMODE_OPENSSL_INTERNAL = 5
} ssl_scmode_t;
/*
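Review bot: SSL_SCMODE_OPENSSL_INTERNAL is added to the enum, but no hunk in this patch touches the code that dispatches on nSessionCacheMode for cache init, store, retrieve and remove, so any switch there without a case for the new value will fall into its default branch. Please either add explicit cases for the new mode or state in the commit message why those paths are never reached when it is selected.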
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c    (revision 209297)
+++ modules/ssl/ssl_engine_init.c    (working copy)
@@ -466,9 +466,20 @@
{
      SSL_CTX *ctx = mctx->ssl_ctx;
      SSLModConfigRec *mc = myModConfig(s);
-    long cache_mode = SSL_SESS_CACHE_OFF;
-
-    if (mc->nSessionCacheMode != SSL_SCMODE_NONE) {
+    long cache_mode;
+    if (mc->nSessionCacheMode == SSL_SCMODE_NONE) {
+        cache_mode = SSL_SESS_CACHE_OFF;
+    }
+    else if (mc->nSessionCacheMode == SSL_SCMODE_OPENSSL_INTERNAL) {
+          /* Special case where we disable any external caches
+           * but allow for OpenSSLs internal cache. The reason
+           * is that by using SSL_SESS_CACHE_OFF disables
+           * OpenSSL from sending a session ID, which causes problems
+           * for some browsers.
+           */
+        cache_mode = SSL_SESS_CACHE_SERVER;
+    }
+    else {
          /* SSL_SESS_CACHE_NO_INTERNAL will force OpenSSL
           * to ignore process local-caching and
           * to always get/set/delete sessions using mod_ssl's  
callbacks.
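Review bot: the new SSL_SCMODE_OPENSSL_INTERNAL branch selects SSL_SESS_CACHE_SERVER, which leaves OpenSSL's internal cache enabled, but this hunk sets no size bound on it and nothing here stops mod_ssl's new/get/remove session callbacks from being invoked if the rest of this function registers them unconditionally; if they are, they will run with no external cache configured. Either guard the callback registration on the mode or make the external-cache paths a no-op for it, and say how the internal cache is bounded. The comment also needs tidying: "OpenSSLs" should be "OpenSSL's", and "by using SSL_SESS_CACHE_OFF disables OpenSSL from sending a session ID" should read "SSL_SESS_CACHE_OFF stops OpenSSL from sending a session ID".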
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c    (revision 209297)
+++ modules/ssl/ssl_engine_config.c    (working copy)
@@ -1001,6 +1001,10 @@
          mc->nSessionCacheMode      = SSL_SCMODE_NONE;
          mc->szSessionCacheDataFile = NULL;
      }
+    else if (strcEQ(arg, "justinternal")) {
+        mc->nSessionCacheMode      = SSL_SCMODE_OPENSSL_INTERNAL;
+        mc->szSessionCacheDataFile = NULL;
+    }
      else if ((arglen > 4) && strcEQn(arg, "dbm:", 4)) {
          mc->nSessionCacheMode      = SSL_SCMODE_DBM;
          mc->szSessionCacheDataFile = ap_server_root_relative(mc- 
 >pPool, arg+4);
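Review bot: the "justinternal" branch mirrors the "none" branch above (mode set, data file cleared), which is fine, but the keyword is still under discussion in this thread and no hunk updates the SSLSessionCache manual page, so users have no way to discover the new value. Settle the name and include the documentation change in the same commit.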
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c    (revision 209297)
+++ modules/ssl/mod_ssl.c    (working copy)
@@ -83,7 +83,7 @@
                  "or `exec:/path/to/cgi_program')")
      SSL_CMD_SRV(SessionCache, TAKE1,
                  "SSL Session Cache storage "
-                "(`none', `dbm:/path/to/file')")
+                "(`none', `justinternal', `dbm:/path/to/file')")
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
      SSL_CMD_SRV(CryptoDevice, TAKE1,
                  "SSL external Crypto Device usage "


Re: [PATCH] Allow for internal OpenSSL Session Cache

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jul 5, 2005, at 1:41 PM, Paul Querna wrote:

> Jim Jagielski wrote:
>
>
>> I've run into this with some "broken" browsers. Basically, they
>> require a non-null SessionID in the SSL transaction. If, for whatever
>> reason, we disable the external SSL Session Cache, these
>> browsers report errors when connecting to the SSL vhost.
>>
>> This adds a new argument to SSLSessionCache which says "disable any
>> external session cache, but use OpenSSL's internal one" which makes
>> OpenSSL send the SessionID parameter again.
>>
>>
>
> How about "internal" instead of "justinternal"?
>

Yeah, I'm not too happy with 'justinternal'... but a shared memory cache
could be considered "internal"... How about "nonshared" or "openssl"
or whatever :)

> I assume this session cache is local to the SSL Context?
>
> Any browser which requires an SSL Session to work is quite broken.   
> Do you have a list of browsers that we could add to the documentation?

Mostly seen in, no surprise, some MSIE browsers, as well as some Java
HTTPS clients. I'll try to get the list.

Re: [PATCH] Allow for internal OpenSSL Session Cache

Posted by Paul Querna <ch...@force-elite.com>.
Jim Jagielski wrote:

> I've run into this with some "broken" browsers. Basically, they
> require a non-null SessionID in the SSL transaction. If, for whatever
> reason, we disable the external SSL Session Cache, these
> browsers report errors when connecting to the SSL vhost.
>
> This adds a new argument to SSLSessionCache which says "disable any
> external session cache, but use OpenSSL's internal one" which makes
> OpenSSL send the SessionID parameter again.
>

How about "internal" instead of "justinternal"?

I assume this session cache is local to the SSL Context?

Any browser which requires an SSL Session to work is quite broken.  Do 
you have a list of browsers that we could add to the documentation?


Re: [PATCH] Allow for internal OpenSSL Session Cache

Posted by Joe Orton <jo...@redhat.com>.
On Tue, Jul 05, 2005 at 01:32:54PM -0400, Jim Jagielski wrote:
> I've run into this with some "broken" browsers. Basically, they
> require a non-null SessionID in the SSL transaction. If, for whatever
> reason, we disable the external SSL Session Cache, these
> browsers report errors when connecting to the SSL vhost.
> 
> This adds a new argument to SSLSessionCache which says "disable any
> external session cache, but use OpenSSL's internal one" which makes
> OpenSSL send the SessionID parameter again.

Is the session cache in this mode bounded in memory use, i.e. does it
handle session expiry properly?  The memory leaks in the shm* caches
that got fixed a while back were caused by the internal session cache
which was never getting purged and just grew in size indefinitely.

But, anyway, it's very well known that MSIE barfs if you turn off the 
SSL session cache, that's why you don't do that.  The question is 
begged... why were you turning off the session cache?

This seems a bit like a shot-yourself-in-the-foot situation.  Adding 
*more* config options as a response to people setting config options 
incorrectly in the first place doesn't seem very sensible to me.

Regards,

joe
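As an added illustration of the directive values discussed in this thread (not part of Jim's patch or of the httpd documentation), the fragment below places the three SSLSessionCache settings side by side in an httpd configuration: the setting that triggers the reported client failures, the mode the patch proposes, and the shared cache Joe points to. The cache path is a placeholder, and `justinternal` is the keyword as proposed in the patch, which the naming discussion above may still change.

```apache
# Added example, not from the thread. Paths are placeholders.

# Setting that triggers the failure Jim describes: with the cache off,
# OpenSSL sends an empty session ID, and clients that insist on one
# (some MSIE and Java HTTPS clients, per the thread) fail the handshake.
#SSLSessionCache none

# Mode proposed in the patch: no mod_ssl (external) cache, but OpenSSL's
# own per-process cache, so a session ID is sent again. Sessions are
# not shared between worker processes, so resumption only succeeds when
# the client lands on the same process.
#SSLSessionCache justinternal

# The usual answer (Joe's point): keep a shared cache so every worker
# can resume sessions, and bound session lifetime with a timeout.
SSLSessionCache        shmcb:/path/to/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
```

Only one SSLSessionCache line should be active at a time; the commented-out lines are kept here to show the alternatives next to the recommended one.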