[openssl-dev] [openssl.org #3808] BUG: corrupted ssl session id
Olivier SZIKA via RT
rt at openssl.org
Fri Apr 17 10:24:10 UTC 2015
Hi all,
I use the openssl library in a daemon (as an ssl client), and there are a lot
of crashes around ssl session management. A crash happens when ssl
sessions are flushed via SSL_CTX_flush_sessions(), because they
could have a bad session id.
> openssl version on FreeBSD
OpenSSL 1.0.1m 19 Mar 2015
The client cache is enabled with:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT)
Moreover, I also use:
SSL_CTX_sess_set_new_cb(ctx, new_ssl_session_cb);
SSL_CTX_sess_set_remove_cb(ctx, remove_ssl_session_cb);
So, when the server requests a new session ticket (SSL3_ST_CR_SESSION_TICKET_[AB]),
the session can have more than one reference. But in the function
ssl3_get_new_session_ticket(), session_id is changed without checks on
session->references. If session_id is changed then cache access is wrong!
To solve this problem, I used a new ssl session, created with i2d/d2i (and
released one reference from the old ssl session).
What do you think?
Olivier
--
Olivier Szika
R&D System Engineer
Stormshield - Stormshield Network Security
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-ssl-session
Type: text/x-patch
Size: 1630 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150417/f6a65230/attachment.bin>
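Added example, not part of the original message and not OpenSSL code: a toy C model of a cache indexed by session id, showing why rewriting the id of a session that is already cached breaks later cache access, and how working on a copy (the approach the message describes) avoids it. All names (struct sess, cache_add, ticket_in_place, ticket_on_copy, removable_after_ticket) are hypothetical, and a plain struct copy stands in for i2d/d2i.

```c
/* Toy model, not OpenSSL code: a session cache indexed by session id. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { ID_LEN = 4, NBUCKETS = 8 };
struct sess { unsigned char id[ID_LEN]; int references; struct sess *next; };
static struct sess *bucket[NBUCKETS];
/* Constructed sample ids that land in different buckets. */
static const unsigned char OLD_ID[ID_LEN] = {1, 0, 0, 0}, NEW_ID[ID_LEN] = {2, 0, 0, 0};
static unsigned slot(const unsigned char *id) { return (id[0] ^ id[1] ^ id[2] ^ id[3]) % NBUCKETS; }
static void cache_add(struct sess *s) {        /* the cache takes its own reference */
    unsigned h = slot(s->id);
    s->next = bucket[h]; bucket[h] = s; s->references++;
}
/* Looks s up under its *current* id; returns 1 if found and unlinked. */
static int cache_remove(struct sess *s) {
    for (struct sess **p = &bucket[slot(s->id)]; *p; p = &(*p)->next)
        if (*p == s) { *p = s->next; s->references--; return 1; }
    return 0;
}
/* Reported behaviour: the id is rewritten without looking at references. */
static struct sess *ticket_in_place(struct sess *s) { memcpy(s->id, NEW_ID, ID_LEN); return s; }
/* Approach from the message: a shared session is copied before the id changes. */
static struct sess *ticket_on_copy(struct sess *s) {
    if (s->references > 1) {
        struct sess *n = malloc(sizeof *n);
        if (n == NULL) return NULL;
        *n = *s; n->references = 1; n->next = NULL;
        s->references--; s = n;                /* old session loses one reference */
    }
    memcpy(s->id, NEW_ID, ID_LEN);
    return s;
}
/* Returns 1 if the cached session can still be removed after a new ticket. */
static int removable_after_ticket(int use_copy) {
    struct sess *s = calloc(1, sizeof *s), *cur;
    if (s == NULL) return -1;
    memcpy(s->id, OLD_ID, ID_LEN); s->references = 1;  /* held by the connection */
    cache_add(s);                                      /* references == 2 */
    cur = use_copy ? ticket_on_copy(s) : ticket_in_place(s);
    int found = cache_remove(s);
    memset(bucket, 0, sizeof bucket);          /* drop any stale entry before freeing */
    if (cur != s) free(cur);
    free(s);
    return found;
}
int main(void) {
    printf("in place: %d, on copy: %d\n", removable_after_ticket(0), removable_after_ticket(1));
    return 0;
}
```

In the in-place case the entry stays linked under the old id, so a flush that frees the session would leave the cache pointing at freed memory.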