Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-3125

SSL ctx is set to a constant allowing for potential inappropriate session reuse.

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2.0
    • Component/s: Core, SSL
    • Labels:
      None

      Description

      We have the following chunk of code in TS

          // XXX I really don't think that this is a good idea. We should be setting this a some finer granularity,
          // possibly per SSL CTX. httpd uses md5(host:port), which seems reasonable.
          session_id_context = 1;
          SSL_CTX_set_session_id_context(ctx, (const unsigned char *) &session_id_context, sizeof(session_id_context));
      

      This is 100% broken and needs to be fixed. I believe James Peach raised concerns about this in the past, after reading OpenSSL documentation this is completely broken.

        Attachments

        1. ssl-session-ctx-id.patch
          3 kB
          Brian Geffon

          Activity

            People

            • Assignee:
              briang Brian Geffon
              Reporter:
              briang Brian Geffon
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: