[openssl-users] Corrupted ssl session id
Olivier SZIKA
olivier.szika at stormshield.eu
Tue Apr 7 10:31:55 UTC 2015
Hi all,
I use the openssl library in a daemon, and there are a lot of crashes around ssl session management.
A crash happens when ssl sessions are flushed via SSL_CTX_flush_sessions(), because they could have a bad session id.
Here is the life of one session:
ptr_addr: refcount: type[session_id] (function:line)
0x807807600: 1:SSL_SESSION [0x0] (SSL_SESSION_new:205)
0x807807600: 1:--> SSL_SESSION CHECK BEFORE [0x0] (ssl3_get_new_session_ticket:2236)
0x807807600: 1:--> SSL_SESSION CHECK AFTER [0xaa685c61] (ssl3_get_new_session_ticket:2244)
0x807807600: 2:SSL_SESSION [0xaa685c61] (SSL_CTX_add_session:673)
0x807807600: 3:SSL_SESSION [0xaa685c61] (ssl_update_cache:2456)
0x807807600: 2:SSL_SESSION_FREE [0xaa685c61] (SSL_free:559)
0x807807600: 3:SSL_SESSION [0xaa685c61] (SSL_set_session:855)
0x807807600: 3:--> SSL_SESSION CHECK BEFORE [0xaa685c61] (ssl3_client_hello:731)
0x807807600: 3:--> SSL_SESSION CHECK AFTER [0xaa685c61] (ssl3_client_hello:733)
0x807807600: 3:--> SSL_SESSION CHECK BEFORE [0xaa685c61] (ssl3_get_new_session_ticket:2236)
0x807807600: 3:--> SSL_SESSION CHECK AFTER [0xe47912b1] (ssl3_get_new_session_ticket:2244)
0x807807600: 2:SSL_SESSION_FREE [0xe47912b1] (SSL_free:559)
...
The server requests a new session ticket (SSL3_ST_CR_SESSION_TICKET_[AB]),
but the session id is already initialized.
To fix it, I thought of freeing the old ssl session and creating a new one in ssl3_connect(), in the SSL3_ST_CR_SESSION_TICKET_[AB] case,
before the ssl3_get_new_session_ticket() call, but I'm not sure it's a good fix.
Could you help me? Do you need more details about my issue?
Thanks,
Olivier
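As an added illustration (not part of Olivier's post or of OpenSSL), here is a small script that replays the trace above and flags the point where a session object's id is rewritten in place while the object is still held by the session cache. The trace lines are constructed from the post; the invariant checked (the cache hashes a session under the id it had at SSL_CTX_add_session time, so changing that id later leaves a stale entry) is my own reading of the failure mode the post describes.

```python
import re

# Trace lines constructed from the post: "ptr: refcount:event [session_id] (function:line)".
TRACE = """\
0x807807600: 1:SSL_SESSION [0x0] (SSL_SESSION_new:205)
0x807807600: 1:--> SSL_SESSION CHECK BEFORE [0x0] (ssl3_get_new_session_ticket:2236)
0x807807600: 1:--> SSL_SESSION CHECK AFTER [0xaa685c61] (ssl3_get_new_session_ticket:2244)
0x807807600: 2:SSL_SESSION [0xaa685c61] (SSL_CTX_add_session:673)
0x807807600: 3:SSL_SESSION [0xaa685c61] (ssl_update_cache:2456)
0x807807600: 2:SSL_SESSION_FREE [0xaa685c61] (SSL_free:559)
0x807807600: 3:SSL_SESSION [0xaa685c61] (SSL_set_session:855)
0x807807600: 3:--> SSL_SESSION CHECK BEFORE [0xaa685c61] (ssl3_client_hello:731)
0x807807600: 3:--> SSL_SESSION CHECK AFTER [0xaa685c61] (ssl3_client_hello:733)
0x807807600: 3:--> SSL_SESSION CHECK BEFORE [0xaa685c61] (ssl3_get_new_session_ticket:2236)
0x807807600: 3:--> SSL_SESSION CHECK AFTER [0xe47912b1] (ssl3_get_new_session_ticket:2244)
0x807807600: 2:SSL_SESSION_FREE [0xe47912b1] (SSL_free:559)
"""

LINE_RE = re.compile(
    r"^(?P<ptr>0x[0-9a-f]+): (?P<refs>\d+):(?P<event>.*?) \[(?P<sid>0x[0-9a-f]+)\] "
    r"\((?P<func>\w+):(?P<line>\d+)\)$")

def parse(trace):
    """Yield one dict per trace line; reject lines that do not match the format."""
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError("unparsable trace line: " + raw)
        ev = m.groupdict()
        ev["refs"] = int(ev["refs"])
        yield ev

def find_cache_corruption(trace):
    """Return (func, line, old_id, new_id) for every in-place session id change
    that happens after the object was inserted into the session cache."""
    cached_id = {}   # ptr -> id the cache hashed the object under (assumed invariant)
    last_id = {}     # ptr -> most recently observed id for that object
    findings = []
    for ev in parse(trace):
        ptr, sid = ev["ptr"], ev["sid"]
        if ev["func"] == "SSL_CTX_add_session":
            cached_id[ptr] = sid
        elif ptr in cached_id and sid != last_id.get(ptr, sid):
            findings.append((ev["func"], ev["line"], last_id[ptr], sid))
        last_id[ptr] = sid
        if ev["event"] == "SSL_SESSION_FREE" and ev["refs"] == 0:
            cached_id.pop(ptr, None)   # object is gone; forget it
            last_id.pop(ptr, None)
    return findings
```

On the post's trace the only finding is the second ssl3_get_new_session_ticket call, which rewrites the id from 0xaa685c61 to 0xe47912b1 while the object is still cached under the old id.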