[openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

Zi Lin zi.lin.cs at gmail.com
Wed Jan 6 06:14:33 UTC 2016


Hi Matt,

thanks for your time. I am glad to see the big efforts done to make
OpenSSL code better in the master branch (and v1.1.0+). I will find a
way to start working on the master branch. A quick glance into the
master branch state machine: the get_prev_session call happens in
process_message "phase", and dealing with cert_cb happens in
post_process_message "phase". Moving get_prev_session into
post_processing_message "phase" seems non trivial as all those cipher
check are in the process_messaage "phase", depending on resumed
session.

Further, I see this comment. Can you clarify what that means?
https://github.com/openssl/openssl/blob/master/ssl/statem/statem_srvr.c#L1150
Only session ticket and further TLS1.3 session resumption are
supported in v1.1+?

Best,

Zi

On Tue, Jan 5, 2016 at 9:37 PM, Matt Caswell <matt at openssl.org> wrote:
> On 05/01/16 22:44, Zi Lin wrote:
>> Hi OpenSSL devs,
>>
>> I want to propose a patch that makes OpenSSL compatible with
>> asynchronous session lookup during session resumption. Currently, the
>> session lookup expects the session callback to return immediately with
>> success or failure. Now consider a cluster of hosts that want to pool
>> the ssl session together to improve session resumption, we would like
>> the session lookup callback to adopt the asynchronous paradigm of
>> "cert_cb", i.e. cert_cb can be called repeatedly until cert_cb
>> finished its job.
>> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/s3_srvr.c#L916
>>
>> Piotr Sikora initiated this project with ideas borrowed from BoringSSL
>> code base,
>> and since we have put some efforts to make sure no bug is introduced.
>>
>> Hence this attached patch to enable "get_session_cb" to return a fake
>> session pointer that signals the pending session lookup, and the SSL
>> state machines will adopts such signal to resume the client hello
>> processing instead of err-out. It's not a small patch since we have
>> touched multiple aspects of the SSL state machine. But this patch has
>> been verified in CloudFlare's heavy traffic production environment for quite a
>> while and we consider it is stable to be used by upstream.
>
> Hi Zi
>
> That is an interesting idea and something we may consider looking at.
> However your patch in its current form cannot be accepted because it
> targets 1.0.2. Such a change would be considered a new feature. The
> 1.0.2 branch only receives bug fixes. New features should target the
> master branch.
>
> If you take a look at master you will see that there have been
> substantial and fundamental changes to the state machine code so your
> patch would need significant work to bring it into line.
>
> BTW, please email any future submissions to rt at openssl.org so that they
> can be properly tracked.
>
> Thanks
>
> Matt
>
>


More information about the openssl-dev mailing list