[openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache
Viktor Dukhovni
openssl-users at dukhovni.org
Sun May 31 06:06:03 UTC 2015
On Sat, May 30, 2015 at 09:48:15AM +0200, Short, Todd via RT wrote:
> Hello OpenSSL Org:
>
> This is a change that Akamai has made to its implementation of OpenSSL.
>
> Version: master branch
> Description: Add IPv4/IPv6:port-based client cache
>
> Update client cache to use IPv4/v6 addresses via sockaddr_storage.
> Add unit tests for client cache
>
> (Documentation is in the source files, not a .pod)
Do you have code to produce usable manpages from the embedded
documentation? We can't ask users to read the source.
Perhaps a ".pod" could be generated?
>
> Github link:
>
> https://github.com/akamai/openssl/commit/6bac97c07d7f6eb3015a2b5fe2869b0560a9594a
Apart from documentation, I have two major issues:
* The copyright notice does not refer to any license that would allow
  inclusion in OpenSSL.
* The cache is indexed by "ip & port", but the same TCP endpoint
  can serve multiple domains via SNI. It is wrong to reuse a
  session obtained for one SNI name (server certificate) with
  a different SNI name (different server certificate).
* The use of the session cache hash function appears to be
  wrong. The session hash is based on the session id, but
  the session used for lookup has just ex_data with the ip/port,
  which don't get used at all.
* Perhaps other issues too, but this is far from ready it seems.
--
Viktor.
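A constructed model of the two cache-keying problems raised in the reply (a hash computed over the session id while the lookup object only carries ip/port, and an ip:port key that collides across SNI names on one endpoint), added here as an example; it is not code from the Akamai patch or from OpenSSL, and every name in it is an assumption:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Optional

@dataclass(frozen=True)
class Session:
    session_id: bytes    # assigned by the server; empty on a lookup probe
    ip: str
    port: int
    server_name: str     # SNI name the session was negotiated for
    cert_subject: str    # subject of the server certificate that was verified
KeyFunc = Callable[[Session], Hashable]

class ClientCache:
    def __init__(self, key_func: KeyFunc) -> None:
        self._key = key_func
        self._table: Dict[Hashable, Session] = {}

    def add(self, sess: Session) -> None:
        self._table[self._key(sess)] = sess

    def lookup(self, probe: Session) -> Optional[Session]:
        return self._table.get(self._key(probe))

# 1. Hash on the session id: a probe built from ip/port has none, so it never matches.
def key_by_session_id(s: Session) -> Hashable:
    return s.session_id

# 2. Hash on ip:port as the patch does: every SNI name on that endpoint collides.
def key_by_ip_port(s: Session) -> Hashable:
    return (s.ip, s.port)

# 3. Key on ip:port plus SNI name so sessions for different names never cross.
def key_by_ip_port_sni(s: Session) -> Hashable:
    return (s.ip, s.port, s.server_name)

# Constructed sample data: one TCP endpoint serving two names with distinct certs.
A = Session(b"\x01" * 32, "192.0.2.10", 443, "a.example", "CN=a.example")
B = Session(b"\x02" * 32, "192.0.2.10", 443, "b.example", "CN=b.example")

def probe_for(server_name: str) -> Session:
    """What the client knows before a handshake: address and SNI, no session id."""
    return Session(b"", "192.0.2.10", 443, server_name, "")

def resume_subject(key_func: KeyFunc, server_name: str) -> Optional[str]:
    """Cache A then B, look up for server_name, return the cert subject found."""
    cache = ClientCache(key_func)
    cache.add(A)
    cache.add(B)
    hit = cache.lookup(probe_for(server_name))
    return None if hit is None else hit.cert_subject
```

With the session-id key every lookup misses; with the ip:port key the lookup for a.example hands back the session negotiated against b.example's certificate, and only the key that includes the SNI name keeps the two apart.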