GNOME Bugzilla – Bug 745099
TLS session resume doesn't work properly with TLS Session tickets
Last modified: 2015-03-10 17:50:03 UTC
From http://lists.gnutls.org/pipermail/gnutls-help/2015-February/003760.html: glib-networking (which uses gnutls) has a session cache such that after a connection handshake completes, it uses gnutls_session_get_data2 to retrieve and keep the session data. When another connection begins, it uses gnutls_session_set_data to reuse the data. However, this does not work properly with TLS tickets. After a session is resumed, the TLS tickets get stored in "resumed session data" which is not subsequently packed into the TLS session data again. Because of this, the third connection to a particular server is not properly resumed because the session data is missing the TLS tickets.
Created attachment 297788
tls: Only cache session data if a session was not resumed

As per the upstream discussion [1], session data should only be stored when the session is not resumed. This affects resuming sessions when using TLS tickets, since they are not stored in the session data after a save/resume cycle.

[1] http://lists.gnutls.org/pipermail/gnutls-help/2015-February/003760.html

Created attachment 298046
tls: Only cache session data if a session was not resumed

As per the upstream discussion [1], session data should only be stored when the session is not resumed. This affects resuming sessions when using TLS tickets, since they are not stored in the session data after a save/resume cycle.

[1] http://lists.gnutls.org/pipermail/gnutls-help/2015-February/003760.html

Comment on attachment 298046
tls: Only cache session data if a session was not resumed

It would be better to rearrange the code so that we don't call gnutls_session_get_data2() if the session is resumed (so that we don't then have to call gnutls_free(session_datum.data)).

Created attachment 298843
tls: Only cache session data if a session was not resumed

As per the upstream discussion [1], session data should only be stored when the session is not resumed. This affects resuming sessions when using TLS tickets, since they are not stored in the session data after a save/resume cycle.

[1] http://lists.gnutls.org/pipermail/gnutls-help/2015-February/003760.html

(In reply to Dan Winship from comment #3)
> Comment on attachment 298046
> tls: Only cache session data if a session was not resumed
>
> It would be better to rearrange the code so that we don't call
> gnutls_session_get_data2() if the session is resumed (so that we don't then
> have to call gnutls_free(session_datum.data))

OK, done!

Comment on attachment 298843
tls: Only cache session data if a session was not resumed

Pushed to master as da9c6df0e7c0a9e565b07492ef859be878bae42f. Thanks for the review.
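The failure mode in the report (first connection full handshake, second resumed, third not resumed because the data saved after the second connection lacks the ticket) and the effect of the caching policy proposed in the review are easy to see in a small model. The following C program is an added example written for this page; it is not glib-networking or gnutls code. It assumes a server that resumes via session tickets only, and it models gnutls_session_get_data2() exactly as the report describes it: data serialised after a full handshake carries the ticket, data serialised after a resumed handshake does not. The real calls (gnutls_session_get_data2, gnutls_session_set_data, gnutls_session_is_resumed) appear only in comments; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not gnutls/glib-networking code. Assumption: the server
 * supports resumption only through TLS session tickets, so a connection can
 * resume only if the cached data still carries a ticket. */

/* What the client cache holds for one host (stands in for the gnutls_datum_t
 * returned by gnutls_session_get_data2). */
typedef struct {
    bool has_ticket;
} session_data;

typedef struct {
    bool cached;
    session_data data;
} session_cache;

/* Outcome of one handshake (stands in for gnutls_session_is_resumed). */
typedef struct {
    bool resumed;
} connection;

/* Handshake against the assumed ticket-only server: resumption succeeds
 * iff the cache supplies data that still contains a ticket. */
static connection do_handshake(const session_cache *cache)
{
    connection c;
    c.resumed = cache->cached && cache->data.has_ticket;
    return c;
}

/* Model of gnutls_session_get_data2() as described in the report: after a
 * resumed handshake the ticket sits in the separate "resumed session data"
 * and is not packed into the serialised session data. */
static session_data get_session_data(const connection *c)
{
    session_data d;
    d.has_ticket = !c->resumed;
    return d;
}

/* Cache policy under test.
 *   store_only_if_new == false : original behaviour, store after every handshake
 *   store_only_if_new == true  : the fix, skip storing after a resumed handshake
 * The fixed path never serialises a resumed session at all, which is the
 * rearrangement suggested in review (no get_data2 call, so nothing to free). */
static void cache_after_handshake(session_cache *cache, const connection *c,
                                  bool store_only_if_new)
{
    if (store_only_if_new && c->resumed)
        return;
    cache->data = get_session_data(c);   /* cf. gnutls_session_get_data2 */
    cache->cached = true;                /* later fed to gnutls_session_set_data */
}

/* Run n consecutive connections to one host, record which ones resumed
 * (resumed_out may be NULL), and return how many resumed. */
static int run_connections(int n, bool store_only_if_new, bool *resumed_out)
{
    session_cache cache = { false, { false } };
    int resumed_count = 0;

    for (int i = 0; i < n; i++) {
        connection c = do_handshake(&cache);
        if (resumed_out)
            resumed_out[i] = c.resumed;
        if (c.resumed)
            resumed_count++;
        cache_after_handshake(&cache, &c, store_only_if_new);
    }
    return resumed_count;
}

/* Did connection number `index` (1-based, n <= 32) resume under the policy? */
static bool resumed_at(int n, bool store_only_if_new, int index)
{
    bool flags[32];
    if (n > 32 || index < 1 || index > n)
        return false;
    run_connections(n, store_only_if_new, flags);
    return flags[index - 1];
}

int main(void)
{
    const int n = 5;
    bool before[5], after[5];
    int b = run_connections(n, false, before);
    int a = run_connections(n, true, after);

    printf("connection: 1 2 3 4 5   (R = resumed, F = full handshake)\n");
    printf("before fix: ");
    for (int i = 0; i < n; i++) printf("%c ", before[i] ? 'R' : 'F');
    printf("  %d resumed\nafter fix:  ", b);
    for (int i = 0; i < n; i++) printf("%c ", after[i] ? 'R' : 'F');
    printf("  %d resumed\n", a);
    return 0;
}
```

With the original policy the model alternates F R F R F: every resumed connection overwrites the cache with ticket-less data, so the next connection falls back to a full handshake. With the fix the ticket captured after the first full handshake stays in the cache and every later connection resumes (F R R R R). The model deliberately ignores servers that hand out a fresh ticket on resumption, which the thread does not discuss.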