Bug #10398

closed

Server Name Indication support broken when reusing a (dead) session

Added by a.holstvoogd (Arthur Holstvoogd) over 7 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
[ruby-core:65789]

Description

RFC 3546 recommends that the client includes the server_name in each client hello message when possible.

The Ruby OpenSSL client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name. However, if the server for whatever reason does not recognize the session ID, it is unable to determine what certificate to serve. This can cause intermittent failures.

This issue surfaced due to broken session_id based persistence in a VMware load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug.

I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

Steps to reproduce

When monitoring the following code with Wireshark, it shows that when reopening an HTTPS connection with a session, there is no server_name part included in the message.
I used the following few lines of code to test:

require 'net/http'  # also loads 'uri'

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start   # full handshake; the client hello carries server_name
con.finish  # closes the socket; Net::HTTP keeps the SSL session for reuse
con.start   # Produces a certificate error if the session is lost by the server

Related issues 2 (0 open, 2 closed)

Related to Ruby master - Bug #10533: HTTP reconnection with SNI does not send correct hostname (Closed, assignee drbrain (Eric Hodel))
Related to Ruby master - Bug #11724: hostname is not sent to the server when the session is invalid with SNI (Closed)

#2

Updated by naruse (Yui NARUSE) almost 7 years ago

  • Related to Bug #10533: HTTP reconnection with SNI does not send correct hostname added
#3

Updated by zzak (Zachary Scott) over 6 years ago

  • Assignee changed from MartinBosslet (Martin Bosslet) to 7150
#5

Updated by rhenium (Kazuki Yamaguchi) almost 6 years ago

  • Related to Bug #11724: hostname is not sent to the server when the session is invalid with SNI added

Updated by rhenium (Kazuki Yamaguchi) almost 6 years ago

  • Status changed from Open to Closed

This should have been fixed by r52682 (in [Bug #11401], as Michiel suggests), and the root cause was also fixed by r55191 (in [Bug #11724]).
