Description
While this sounds bad, it is only a performance issue. It is not a security issue. OpenSSL will not allow the expired sessions to be used.

Here are the details.

When you use the ATS version of the SSL session cache, ATS registers callbacks to handle creating new sessions, getting existing sessions, and removing old sessions. While debugging the new session plugin API, I saw that the new session and get session callbacks were being triggered, but the remove session callback was never being triggered.

At first I was concerned that we were never removing sessions from the cache and reusing them forever. I poked through the OpenSSL 1.0.1 (and briefly the 1.0.2) code and set some breakpoints, and verified that the stale sessions are being rejected, but the code only tries to remove them from the OpenSSL internal cache implementation (which failed, and so the remove callback was never triggered).

So I think this is only a performance problem. The old sessions are never removed from the ATS session cache until we run out of space and the old values are evicted.
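The behaviour described above, as an added model that is not ATS or OpenSSL code: an application-side session cache wired to the three callbacks (new, get, remove), and a library side that rejects stale sessions but only attempts removal from its own internal cache, so the external remove callback never fires and stale entries linger until capacity eviction. The `purge_stale` option is a hypothetical application-side mitigation (expire entries on lookup) added here for contrast; class and function names, the capacity, and the 300-second lifetime are all constructed for the example.

```python
from collections import OrderedDict


class SessionCache:
    """Model of an application-side TLS session cache exposed through the
    three callbacks the issue describes: new, get, remove.
    Entries map session id -> (expires_at, payload). When the cache is full
    the oldest entry is evicted, which in the reported behaviour is the only
    way a stale entry ever leaves the cache."""

    def __init__(self, capacity, purge_stale=False, clock=None):
        self.capacity = capacity
        self.purge_stale = purge_stale   # hypothetical hardening: expire on lookup
        self.clock = clock or (lambda: 0)
        self.entries = OrderedDict()
        self.remove_cb_calls = 0         # times the library invoked remove
        self.purged = 0                  # times we expired an entry ourselves

    def new_session_cb(self, sid, payload, expires_at):
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # evict oldest when out of space
        self.entries[sid] = (expires_at, payload)

    def get_session_cb(self, sid):
        entry = self.entries.get(sid)
        if entry is not None and self.purge_stale and self.clock() >= entry[0]:
            # Mitigation: the application checks the timeout itself instead of
            # waiting for a remove callback that will not come.
            del self.entries[sid]
            self.purged += 1
            return None
        return entry

    def remove_session_cb(self, sid):
        self.remove_cb_calls += 1
        self.entries.pop(sid, None)


class TlsLibrary:
    """Model of the library side. Internal caching is off, so sessions live
    only in the application cache: a stale session is rejected, the library
    tries to drop it from its internal cache, that lookup fails, and the
    external remove callback is therefore never invoked."""

    def __init__(self, app_cache, clock):
        self.app = app_cache
        self.clock = clock
        self.internal = {}   # constructed: nothing is ever stored here

    def new_session(self, sid, lifetime):
        payload = {"master_key": "<constructed>"}
        self.app.new_session_cb(sid, payload, self.clock() + lifetime)

    def resume(self, sid):
        entry = self.app.get_session_cb(sid)
        if entry is None:
            return "miss"            # full handshake
        expires_at, _ = entry
        if self.clock() >= expires_at:
            # Stale: refused, never reused. Removal only targets the internal
            # cache, and the external callback fires only on an internal hit.
            if self.internal.pop(sid, None) is not None:
                self.app.remove_session_cb(sid)
            return "rejected"
        return "resumed"


def run_scenario(purge_stale):
    """Create three sessions, resume one early, then retry all after expiry.
    Returns (early result, late results, entries left, remove calls, purged)."""
    now = [0]
    clock = lambda: now[0]
    cache = SessionCache(capacity=8, purge_stale=purge_stale, clock=clock)
    lib = TlsLibrary(cache, clock)
    for i in range(3):
        lib.new_session(f"sess{i}", lifetime=300)
    early = lib.resume("sess0")              # within lifetime: resumed
    now[0] = 301                             # past every session's timeout
    late = [lib.resume(f"sess{i}") for i in range(3)]
    return early, late, len(cache.entries), cache.remove_cb_calls, cache.purged


if __name__ == "__main__":
    print("as reported :", run_scenario(purge_stale=False))
    print("purge on get:", run_scenario(purge_stale=True))
```

In the as-reported run all three stale sessions are rejected (so nothing insecure happens), yet the cache still holds all three and the remove callback count stays at zero; with lookup-time purging the stale entries are gone after the first retry.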
Issue Links
- breaks TS-3710 Crash in TLS with 6.0.0, related to the session cleanup additions (Closed)