ovsdb-server's SSL context does not call SSL_CTX_set_session_id_context(). When a TLS client attempts session resumption, by sending a cached session ticket, OpenSSL rejects it with:
SSL_accept: error:0A000115:SSL routines::session id context uninitialized

Per SSL_CTX_set_session_id_context(3): "If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail."

This patch calls SSL_CTX_set_session_id_context() to fix the issue.

Signed-off-by: Mykola Yurchenko <[email protected]>
--- AUTHORS.rst | 1 + lib/stream-ssl.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/AUTHORS.rst b/AUTHORS.rst index 037851ad1..8bb716739 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -362,6 +362,7 @@ Miro Tomaska [email protected] Mohammad Heib [email protected] Moshe Levi [email protected] Murphy McCauley [email protected] +Mykola Yurchenko [email protected] Natasha Gude Neal Shrader [email protected] Neil McKee [email protected] diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index c8eb26b2a..c573479f2 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1080,6 +1080,9 @@ do_ssl_init(void) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + + /* Required by SSL_CTX_set_session_id_context(3) when SSL_VERIFY_PEER is set. */ + SSL_CTX_set_session_id_context(ctx, (const unsigned char *)"ovs", 3); SSL_CTX_set_cipher_list(ctx, "DEFAULT:@SECLEVEL=2"); return 0; -- 2.51.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
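Review bot: In the lib/stream-ssl.c hunk the new comment misstates the reason: the man page does not say the call is "required when SSL_VERIFY_PEER is set", it says a server that verifies client certificates must have a session id context before any stored session can be reused, otherwise a resumption attempt is a fatal handshake error rather than a silent full handshake. Suggest rewording to something like `/* A server that verifies client certs must set a session id context, else a client's resumption attempt fails with "session id context uninitialized" (SSL_CTX_set_session_id_context(3)). */` and, since the preceding line keeps `SSL_SESS_CACHE_OFF`, stating that the context exists only so resumption attempts degrade to a full handshake, not to enable reuse. Minor style point: the literal `3` duplicates the length of `"ovs"`; a `static const unsigned char sid_ctx[] = "ovs";` with `sizeof sid_ctx - 1` keeps the two from drifting apart if the string is ever changed. The call's return value (0 only when the context exceeds SSL_MAX_SID_CTX_LENGTH) can reasonably stay unchecked for a 3-byte constant, consistent with the unchecked `SSL_CTX_set_cipher_list` that follows.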
