[openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

Matt Caswell matt at openssl.org
Wed Jan 6 05:37:02 UTC 2016


On 05/01/16 22:44, Zi Lin wrote:
> Hi OpenSSL devs,
> 
> I want to propose a patch that makes OpenSSL compatible with
> asynchronous session lookup during session resumption. Currently, the
> session lookup expects the session callback to return immediately with
> success or failure. Now consider a cluster of hosts that want to pool
> their SSL sessions together to improve session resumption; we would like
> the session lookup callback to adopt the asynchronous paradigm of
> "cert_cb", i.e. cert_cb can be called repeatedly until cert_cb has
> finished its job.
> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/s3_srvr.c#L916
> 
> Piotr Sikora initiated this project with ideas borrowed from the BoringSSL
> code base, and since then we have put in some effort to make sure no bug
> is introduced.
> 
> Hence the attached patch to enable "get_session_cb" to return a fake
> session pointer that signals the pending session lookup, and the SSL
> state machine will adopt such a signal to resume the client hello
> processing instead of erroring out. It's not a small patch since we have
> touched multiple aspects of the SSL state machine. But this patch has
> been verified in CloudFlare's heavy-traffic production environment for quite a
> while and we consider it stable enough to be used upstream.

Hi Zi

That is an interesting idea and something we may consider looking at.
However your patch in its current form cannot be accepted because it
targets 1.0.2. Such a change would be considered a new feature. The
1.0.2 branch only receives bug fixes. New features should target the
master branch.

If you take a look at master you will see that there have been
substantial and fundamental changes to the state machine code so your
patch would need significant work to bring it into line.

BTW, please email any future submissions to rt at openssl.org so that they
can be properly tracked.

Thanks

Matt
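To make the re-entrant callback pattern Zi Lin describes concrete (the session lookup callback returning a "pending" sentinel, the server state machine staying at the ClientHello step, and the caller driving the handshake again until the lookup completes), here is an added model of that flow. It is an illustration written for this page, not code from the patch, from CloudFlare, or from OpenSSL; the names `ServerHandshake`, `ClusterSessionStore`, `PENDING`, `WANT_SESSION_LOOKUP` and `run_handshake` are invented for the sketch and do not correspond to any OpenSSL API. The cache latency and the session table are constructed sample data.

```python
"""Model of an asynchronous session lookup driven by a re-entrant handshake
state machine.  Added illustration only: every class and name here is
invented for this sketch and is NOT OpenSSL's API or the patch under review."""

from dataclasses import dataclass, field
from enum import Enum, auto

# Sentinel the lookup callback returns to mean "lookup in flight, call me again".
# It plays the role of the "fake session pointer" in the proposal.
PENDING = object()


class State(Enum):
    CLIENT_HELLO = auto()   # parse ClientHello, decide on resumption
    SERVER_HELLO = auto()   # resumption decided, continue the handshake
    DONE = auto()


class HandshakeError(Exception):
    pass


@dataclass
class Session:
    session_id: bytes
    master_secret: bytes


@dataclass
class ClusterSessionStore:
    """Stands in for a session cache shared across hosts and reachable only
    over the network.  `latency` is the number of polls before an answer is
    available; the first call starts the request, later calls poll it."""
    sessions: dict
    latency: int
    _inflight: dict = field(default_factory=dict)

    def lookup(self, session_id):
        remaining = self._inflight.get(session_id, self.latency)
        if remaining > 0:
            self._inflight[session_id] = remaining - 1
            return PENDING
        self._inflight.pop(session_id, None)
        # None means a cache miss: the server must do a full handshake.
        return self.sessions.get(session_id)


class ServerHandshake:
    WANT_SESSION_LOOKUP = "want_session_lookup"
    OK = "ok"

    def __init__(self, client_hello_session_id, get_session_cb):
        self.state = State.CLIENT_HELLO
        self.requested_id = client_hello_session_id
        self.get_session_cb = get_session_cb
        self.resumed = None      # Session if resumed, None for a full handshake
        self.cb_calls = 0        # how many times the callback was invoked

    def do_handshake(self):
        """Advance the state machine; returns WANT_SESSION_LOOKUP if the
        lookup is still pending, in which case the caller must call again."""
        while self.state is not State.DONE:
            if self.state is State.CLIENT_HELLO:
                if self.requested_id:
                    self.cb_calls += 1
                    result = self.get_session_cb(self.requested_id)
                    if result is PENDING:
                        # Stay in CLIENT_HELLO: on re-entry the callback is
                        # invoked again with the same session id.
                        return self.WANT_SESSION_LOOKUP
                    self.resumed = result
                self.state = State.SERVER_HELLO
            elif self.state is State.SERVER_HELLO:
                self.state = State.DONE
        return self.OK


def run_handshake(hs, max_iterations=100):
    """Drive the handshake the way an event loop would: keep re-entering
    until it reports OK, or give up after a bounded number of attempts."""
    for _ in range(max_iterations):
        if hs.do_handshake() == ServerHandshake.OK:
            return hs
    raise HandshakeError("session lookup never completed")


# Constructed sample data: one cached session, a cache that answers after 3 polls.
SID = bytes.fromhex("a1b2c3d4")
STORE = ClusterSessionStore({SID: Session(SID, b"secret")}, latency=3)
```

Driving it with `run_handshake(ServerHandshake(SID, STORE.lookup))` takes four calls to `do_handshake`: three that return the pending signal and one that completes with the cached session. The two properties the proposal depends on are visible here: the state machine does not advance while the lookup is pending, and the callback is re-invoked with the same session id on every re-entry, so a store that starts a request on the first call and polls it afterwards works without the state machine knowing anything about the network.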



