You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Brian Geffon (JIRA)" <ji...@apache.org> on 2014/10/10 01:48:34 UTC

[jira] [Updated] (TS-3125) SSL ctx is set to a constant allowing for potential inappropriate session reuse.

     [ https://issues.apache.org/jira/browse/TS-3125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Geffon updated TS-3125:
-----------------------------
    Attachment: ssl-session-ctx-id.patch

> SSL ctx is set to a constant allowing for potential inappropriate session reuse.
> --------------------------------------------------------------------------------
>
>                 Key: TS-3125
>                 URL: https://issues.apache.org/jira/browse/TS-3125
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Brian Geffon
>            Assignee: Brian Geffon
>         Attachments: ssl-session-ctx-id.patch
>
>
> We have the following chunk of code in TS
> {code}
>     // XXX I really don't think that this is a good idea. We should be setting this a some finer granularity,
>     // possibly per SSL CTX. httpd uses md5(host:port), which seems reasonable.
>     session_id_context = 1;
>     SSL_CTX_set_session_id_context(ctx, (const unsigned char *) &session_id_context, sizeof(session_id_context));
> {code}
> This is 100% broken and needs to be fixed. I believe [~jpeach@apache.org] raised concerns about this in the past, after reading OpenSSL documentation this is completely broken.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)